The attackers were in thousands of corporate and government networks. They might still be there now. Behind the scenes of the SolarWinds investigation.

SolarWinds: The Untold Story of the Boldest Supply-Chain Hack

Firefox gets a needed tune-up, SolarWinds squashes two high-severity bugs, Oracle patches 433 vulnerabilities, and more updates you should make now.

Given the number and seriousness of the issues, Chrome users should prioritize checking that their current version is up to date.

Mozilla Firefox

Chrome rival Firefox has fixed issues in Firefox 112, Firefox for Android 112, and Focus for Android 112. Among the flaws is CVE-2023-29531, an out-of-bound memory access in WebGL on macOS rated as having a high impact. Meanwhile, CVE-2023-29532 is a bypass flaw affecting Windows, which requires local system access.

CVE-2023-1999 is a double-free in libwebp that could result in memory corruption and a potentially exploitable crash, Firefox owner Mozilla wrote in an advisory.

Mozilla also fixed two memory safety bugs, CVE-2023-29550 and CVE-2023-29551. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code,” the browser maker said.

SolarWinds

IT giant SolarWinds has patched two high-severity issues in its platform that could lead to command execution and privilege escalation. Tracked as CVE-2022-36963, the first issue is a command-injection flaw in SolarWinds’ infrastructure monitoring and management product, the firm wrote in a security advisory. If exploited, the bug could allow a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.

Another high-severity issue is CVE-2022-47505, a local privilege escalation vulnerability that a local adversary with a valid system user account could use to escalate privileges.

The latest SolarWinds patch fixes several more issues rated as having a medium impact. None have been used in attacks, but if you are impacted by the flaws, it makes sense to update as soon as possible.

Oracle

April has been a big month for enterprise software maker Oracle, which has issued fixes for 433 vulnerabilities, 70 of which are rated as having a critical severity. These include issues in the Oracle GoldenGate Risk Matrix, including CVE-2022-23457, which has a CVSS base score of 9.8. The issue may be remotely exploitable without authentication, Oracle said in its advisory.

The April fixes also contain six new patches for Oracle Commerce. “All of these vulnerabilities may be remotely exploitable without authentication,” Oracle warned.

Due to the threat posed by a successful attack, Oracle “strongly recommends” that customers apply Critical Patch Update security fixes as soon as possible.

Cisco

Software firm Cisco has released fixes for vulnerabilities that could allow an authenticated, local attacker to escape the restricted shell and gain root privileges on the underlying operating system.

CVE-2023-20121, which affects Cisco EPNM, Cisco ISE, and Cisco Prime Infrastructure, is a  command-injection vulnerability. An attacker could exploit the flaw by logging in to the device and issuing a crafted CLI command. “A successful exploit could allow the attacker to escape the restricted shell and gain root privileges on the underlying operating system of the affected device,” Cisco said, adding that the attacker must be an authenticated shell user to exploit the flaw.

Meanwhile, CVE-2023-20122 is a command-injection vulnerability in the restricted shell of Cisco ISE that could allow an authenticated, local attacker to escape the restricted shell and gain root privileges on the underlying operating system.

SAP

It’s been another busy Patch Day for SAP, which saw the release of 19 new Security Notes. Among the fixes are CVE-2023-27497, comprising multiple vulnerabilities in SAP Diagnostics Agent. Another notable patch is CVE-2023-28765, an information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform. A missing password protection enforcement allows an attacker to access the lcmbiar file, according to security firm Onapsis. “After successful decryption of its content, the attacker could gain access to a user’s passwords,” the firm explained. “Depending on the authorizations of the impersonated user, an attacker could completely compromise the system’s confidentiality, integrity, and availability.”

Apple, Google, and Microsoft Just Fixed Zero-Day Security Flaws

Plus: Cyber Command’s disruption of Iranian election hacking, an exposé on child sex trafficking on Meta’s platforms, and more.

Ransomware gangs have long sought pain points where their extortion demands have the greatest leverage. Now an investigation from NBC News has made clear what that merciless business model looks like when it targets kids: One ransomware group's giant leak of sensitive files from the Minneapolis school system exposes thousands of children at their most vulnerable, complete with behavioral and psychological reports on individual students and highly sensitive documentation of cases where they've allegedly been abused by teachers and staff.

We'll get to that. But first, WIRED contributor Kim Zetter broke the news this week that the Russian hackers who carried out the notorious SolarWinds espionage operation were detected in the US Department of Justice's network six months earlier than previously reported—but the DOJ didn't realize the full scale of the hacking campaign that would later be revealed. 

Meanwhile, WIRED reporter Lily Hay Newman was at the RSA cybersecurity conference in San Francisco, where she brought us stories of how security researchers disrupted the operators of the Gootloader malware who sold access to victims' networks to ransomware groups and other cybercriminals, and how Google Cloud partnered with Intel to hunt for and fix serious security vulnerabilities that underlie critical cloud servers. She also captured a warning in a talk from NSA cybersecurity director Rob Joyce, who told the cybersecurity industry to "buckle up" and prepare for big changes to come from AI tools like ChatGPT, which will no doubt be wielded by both attackers and defenders alike.

On that same looming AI issue, we looked at how the deepfakes enabled by tools like ChatGPT, Midjourney, DALL-E, and StableDiffusion will have far-reaching political consequences. We examined a newly introduced US bill that would ban kids under the age of 13 from joining social media. We tried out the new feature in Google's Authenticator App that allows you to back up your two-factor codes to a Google account in case you lose your 2FA device. And we opined—well, ranted—on the ever-growing sprawl of silly names that the cybersecurity industry gives to hacker groups.

But that’s not all. Each week, we round up the news we didn’t report in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

What happens when a school system is targeted by a ransomware group, refuses to pay, and thus gets their stolen data dumped wholesale onto the dark web? Well, it's even worse than it sounds, as NBC's Kevin Collier found this week when he dug through portions of a trove of 200,000 files leaked online after the Minneapolis public school system was hit by hackers earlier this year. 

The leaked files include detailed dossiers linking children by name, birth date, and address to a laundry list of highly private information: their special needs, their psychological profiles and behavioral analyses, their medications, the results of intelligence tests, and which kids' parents have divorced, among many other sensitive secrets. In some cases, the files even note which children have been victims of alleged abuse by school teachers or staff. The hackers also took special pains to publicly promote their toxic dump of children's information, with links posted to social media sites and a video showing off the files and instructing viewers how to download them.

The Minneapolis school system is offering free credit monitoring to parents and children affected by the data dump. But given the radioactive nature of the personal information released by the hackers, identity fraud may be the least of their victims' worries.

In a rare declassified disclosure at a panel at this week's RSA Conference, General William Hartman revealed that US Cyber Command had disrupted an Iranian hacking operation that targeted a local elections website ahead of the 2020 election. According to Hartman, who leads Cyber Command's National Mission Force, the intrusion couldn't have affected actual vote counts or voting machines, but—had Cyber Command's own hackers not kiboshed the operation—might have potentially been used to post false results as part of a disinformation effort. 

Hartman named the Iranian hackers as a group known as Pioneer Kitten, also sometimes referred to as UNC757 or Parisite, but didn't name the specific elections website that they targeted. Hartman added that the hacking operation was found thanks to Cyber Command's Hunt Forward operations, in which it hacks foreign networks to preemptively discover and disrupt adversaries who target the US.

Following a two-year investigation, _The Guardian_ this week published a harrowing exposé on Facebook and Instagram's use as hunting grounds for child predators, many of whom traffic in children as sexual abuse victims for money on the two social media services. Despite the claims of the services' parent company Meta that it's closely monitoring its services for child sexual abuse materials or sexual trafficking, _The_ _Guardian_ found horrific cases of children whose accounts were hijacked by traffickers and used to advertise them for sexual victimization. 

One prosecutor who spoke to _The Guardian_ said that he'd seen child trafficking crimes on social media sites increase by about 30 percent each year from 2019 to 2022. Many of the victims were as young as 11 or 12 years old, and most were Black, Latinx, or LGBTQ+.

A group of hackers has been taking over AT&T email accounts—the telecom provider runs email domains including att.net, sbcglobal.net, bellsouth.net—to hack their cryptocurrency wallets, TechCrunch reports. 

A tipster tells TechCrunch that the hackers have access to a part of AT&T's internal network that allows them to generate "mail keys" that are used to offer access to an email inbox via email applications like Thunderbird or Outlook. The hackers then use that access to reset the victims' passwords on cryptocurrency wallet services like Gemini and Coinbase, and, according to TechCrunch's source, have already amassed between $10 million and $15 million in stolen crypto, though TechCrunch couldn't verify those numbers.

The Tragic Fallout From a School District’s Ransomware Breach

In May 2020, the US Department of Justice noticed Russian hackers in its network but did not realize the significance of what it had found for six months.

The US Department of Justice, Mandiant, and Microsoft stumbled upon the SolarWinds breach six months earlier than previously reported, WIRED has learned, but were unaware of the significance of what they had found.

The breach, publicly announced in December 2020, involved Russian hackers compromising the software maker SolarWinds and inserting a backdoor into software served to about 18,000 of its customers. That tainted software went on to infect at least nine US federal agencies, among them the Department of Justice (DOJ), the Department of Defense, Department of Homeland Security, and the Treasury Department, as well as top tech and security firms including Microsoft, Mandiant, Intel, Cisco, and Palo Alto Networks. The hackers had been in these various networks for between four and nine months before the campaign was exposed by Mandiant. 

WIRED can now confirm that the operation was actually discovered by the DOJ six months earlier, in late May 2020—but the scale and significance of the breach wasn’t immediately apparent. Suspicions were triggered when the department detected unusual traffic emanating from one of its servers that was running a trial version of the Orion software suite made by SolarWinds, according to sources familiar with the incident. The software, used by system administrators to manage and configure networks, was communicating externally with an unfamiliar system on the internet. The DOJ asked the security firm Mandiant to help determine whether the server had been hacked. It also engaged Microsoft, though it’s not clear why the software maker was also brought onto the investigation.

It’s not known what division of the DOJ experienced the breach, but representatives from the Justice Management Division and the US Trustee Program participated in discussions about the incident. The Trustee Program oversees the administration of bankruptcy cases and private trustees. The Management Division advises DOJ managers on budget and personnel management, ethics, procurement, and security.

Investigators suspected the hackers had breached the DOJ server directly, possibly by exploiting a vulnerability in the Orion software. They reached out to SolarWinds to assist with the inquiry, but the company’s engineers were unable to find a vulnerability in their code. In July 2020, with the mystery still unresolved, communication between investigators and SolarWinds stopped. A month later, the DOJ purchased the Orion system, suggesting that the department was satisfied that there was no further threat posed by the Orion suite, the sources say.

A DOJ spokesperson confirmed that the incident and investigation occurred but wouldn’t provide any details about what investigators concluded. “While the incident response and mitigation effort was completed, the FBI’s criminal investigation remained open throughout,” the spokesperson wrote in an email. WIRED confirmed with sources that Mandiant, Microsoft, and SolarWinds were involved in discussions about the incident and investigation. All three companies declined to discuss the matter.

The DOJ told WIRED that it notified the US Cybersecurity and Infrastructure Agency (CISA) about the breach at the time it occurred—though a US National Security Agency spokesperson expressed frustration that the agency was not also notified. But in December 2020, when the public learned that a number of  federal agencies were compromised in the SolarWinds campaign—the DOJ among them—neither the DOJ nor CISA revealed to the public that the operation had unknowingly been found months earlier. The DOJ initially said its chief information officer had discovered the breach on December 24.

In November 2020, months after the DOJ completed the mitigation of its breach, Mandiant discovered that it had been hacked, and traced its breach to the Orion software on one of its servers the following month. An investigation of the software revealed that it contained a backdoor that the hackers had embedded in the Orion software while it was being compiled by SolarWinds in February 2020. The tainted software went out to about 18,000 SolarWinds customers, who downloaded it between March and June, right around the time the DOJ discovered the anomalous traffic exiting its Orion server. The hackers chose only a small subset of these to target for their espionage operation, however. They burrowed further into the infected federal agencies and about 100 other organizations, including technology firms, government agencies, defense contractors, and think tanks.

Mandiant itself got infected with the Orion software on July 28, 2020, the company told WIRED, which would have coincided with the period that the company was helping the DOJ investigate its breach.

When asked why, when the company announced the supply-chain hack in December, it didn’t publicly disclose that it had been tracking an incident related to the SolarWinds campaign in a government network months earlier, a spokesperson noted only that “when we went public, we had identified other compromised customers.”

The incident underscores the importance of information-sharing among agencies and industry, something the Biden administration has emphasized. Although the DOJ had notified CISA, a spokesperson for the National Security Agency told WIRED that it didn’t learn of the early DOJ breach until January 2021, when the information was shared in a call among employees of several federal agencies.

That was the same month the DOJ—whose 100,000-plus employees span multiple agencies including the FBI, Drug Enforcement Agency, and US Marshals Service—publicly revealed that the hackers behind the SolarWinds campaign had possibly accessed about 3 percent of its Office 365 mailboxes. There are conflicting reports about whether this attack was part of the SolarWinds campaign or carried out by the same actors. Six months later, the department expanded on this and announced that the hackers had managed to breach email accounts of employees at 27 US Attorneys' offices, including ones in California, New York, and Washington, DC. 

In its latter statement, the DOJ said that to “encourage transparency and strengthen homeland resilience,” it wanted to provide new details, including that the hackers were believed to have had access to compromised accounts from about May 7 to December 27, 2020. And the compromised data included “all sent, received, and stored emails and attachments found within those accounts during that time.”

The investigators of the DOJ incident weren’t the only ones to stumble upon early evidence of the breach. Around the same time of the department’s investigation, security firm Volexity, as the company previously reported, was also investigating a breach at a US think tank and traced it to the organization’s Orion server. Later in September, the security firm Palo Alto Networks also discovered anomalous activity in connection with its Orion server. Volexity suspected there might be a backdoor on its customer’s server but ended the investigation without finding one. Palo Alto Networks contacted SolarWinds, as the DOJ had, but in that case as well, they failed to pinpoint the problem.

Senator Ron Wyden, an Oregon Democrat who has been critical of the government’s failure to prevent and detect the campaign in its early stages, says the revelation illustrates the need for an investigation into how the US government responded to the attacks and missed opportunities to halt it.

“Russia’s SolarWinds hacking campaign was only successful because of a series of cascading failures by the US government and its industry partners,” he wrote in an email. “I haven’t seen any evidence that the executive branch has thoroughly investigated and addressed these failures. The federal government urgently needs to get to the bottom of what went wrong so that in the future, backdoors in other software used by the government are promptly discovered and neutralized.“

DOJ Detected SolarWinds Breach Months Before Public Disclosure

AI-generated spam comments on Amazon, the latest on the 3CX supply chain attack and more security headlines from the past week.

Thursday, April 27, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

I’m writing this earlier in the week as I get ready for some personal travel (everyone is lucky I passed on writing another Cybersecurity Mock Draft), so apologies if I miss anything major that happens at RSA.

But Cisco beat everyone to the punch Monday morning anyway, making a slew of major announcements on RSA travel day. By the time you’re reading this, it’s still not too late to track down someone from our team if you want to learn more. (Read last week’s newsletter for more on that.)

Cisco Duo announced that all paid customers of its service can now use Trusted Endpoints to block access from unknown devices.

Duo is also re-introducing three editions of the product: Duo Essentials, Duo Advantage and Duo Premier. Even with the added security features announced Monday, the price-per-user is not rising, giving customers strong security at an unmatched value.

Cisco also announced its new extended detection and response (XDR) platform – Cisco XDR. This new offering combines users’ endpoint, network and application telemetry with customized detection based on their environment. This platform will detect threats in an environment that many other point products can’t see on their own.

Hazel Burton from Talos has a new episode of ThreatWise TV out this week discussing XDR, including an interview with a current enterprise XDR user. Nick Biasini, Talos’ head of outreach, is also on that episode to discuss how Cisco XDR is adapting to current attacker tactics, techniques and procedures.

**The one big thing**

More information and research is still coming out around the 3CX supply chain attack. A new report indicates that it was actually two supply chain attacks linked together. The adversaries involved in the 3CX compromise first backdoored another application, which it then used to infiltrate 3CX and send out a malicious, fake update there. Additional reporting indicates that these same state-sponsored actors also infiltrated several critical infrastructure networks with a backdoor during this same campaign.

**Why do I care?**

This news further highlights why it’s so important to plan for and defend against supply chain attacks. These are increasingly popular attacks that state-sponsored, well-funded adversaries are clearly using in the wild to target multiple sectors and industries.

**So now what?**

I already outlined several important steps to take that any organization can take to prepare for a supply chain attack. This recent Talos Takes episode with Craig Jackson of Cisco Talos Incident Response also provides valuable advice for organizations of all sizes.

**Top security headlines of the week**

**AI-generated spam is already hitting email inboxes, Amazon reviews and social media posts.** Security researchers and reporters have already spotted several instances where AI chat bots like ChatGPT are used to write fake reviews for popular Amazon products or even post tweets. Many of these reviews have a dead giveaway because they include the phrase “I cannot generate inappropriate content,” a message ChatGPT usually sends back when explicitly asked to generate spam or something with hateful content. Other AI models are learning to scan targets’ social media profiles to quickly learn and assume things such as political affiliation and employment status to create hyper-targeted spam and phishing. Experts warn this could lead to the further proliferation of fake news, misinformation and scams. (Vice, Gizmodo)

**Exploit code for a 9.8-severity vulnerability in the PaperCut printer management software went online this week,** potentially increasing the likelihood that attackers will try to exploit it in the wild. Although Cut disclosed this vulnerability and released a patch in March, many instances remain unpatched. CVE-2023-27350 is an improper access control issue in the SetupCompleted class of PaperCut MF/NG. An adversary could exploit this vulnerability to bypass authentication and execute arbitrary code with System-level privileges. Security researchers found attackers using this vulnerability to install two pieces of malicious remote management software. PaperCut users should ensure they are using PaperCut MF and NG versions 20.1.7, 21.2.11, and 22.0.9. (Ars Technica, SecurityWeek)

**U.S. law enforcement and intelligence agencies are increasingly prioritizing disrupting dark web networks** and forums versus arresting admins and users. U.S. Deputy Attorney General Lisa Monaco said during a talk at the RSA conference this week that prosecutors and investigators are being directed to have a “bias toward action to disrupt and prevent, to minimize that harm if it’s ongoing” and to “take that action to prevent that next victim.” That being said, the recent seizure of Genesis Market, a popular dark web forum, highlights how law enforcement is becoming better at unmasking many of these sites’ creators and making users’ activities less anonymous. (CyberScoop, SC Media)

**Can’t get enough Talos?**

*   Beers with Talos Ep. #133: The one where they talk a lot about wireless routers
*   Talos Takes Ep. #135: What does the future of MFA look like?
*   Cisco urges users to keep its network hardware up-to-date
*   Threat Roundup for April 14 - 21
*   Vulnerability Spotlight: Vulnerabilities in IBM AIX could lead to command injection with elevated privileges

**Upcoming events where you can find Talos**

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** 4ad8893f8c7cab6396e187a5d5156f04d80220dd386b0b6941251188104b2e53  
**MD5:** cdd331078279960a1073b03e0bb6fce4  
**Typical Filename:** mediaget.exe  
**Claimed Product:** MediaGet  
**Detection Name:** W32.DFC.MalParent

Threat Source newsletter (April 27, 2023) — New Cisco Secure offerings and extra security from Duo

The security issues raised by ChatGPT and similar tech are just beginning to emerge, but Rob Joyce says it’s time to prepare for what comes next.

At the RSA security conference in San Francisco this week, there's been a feeling of inevitability in the air. At talks and panels across the sprawling Moscone convention center, at every vendor booth on the show floor, and in casual conversations in the halls, you just know that someone is going to bring up generative AI and its potential impact on digital security and malicious hacking. NSA cybersecurity director Rob Joyce has been feeling it too. 

“You can’t walk around RSA without talking about AI and malware,” he said on Wednesday afternoon during his now annual “State of the Hack” presentation. “I think we’ve all seen the explosion. I won’t say it’s delivered yet, but this truly is some game-changing technology."

In recent months, chatbots powered by large language models, like OpenAI's ChatGPT, have made years of machine-learning development and research feel more concrete and accessible to people all over the world. But there are practical questions about how these novel tools will be manipulated and abused by bad actors to develop and spread malware, fuel the creation of misinformation and inauthentic content, and expand attackers' abilities to automate their hacks. At the same time, the security community is eager to harness generative AI to defend systems and gain a protective edge. In these early days, though, it's difficult to break down exactly what will happen next.

Joyce said the National Security Agency expects generative AI to fuel already effective scams like phishing. Such attacks rely on convincing and compelling content to trick victims into unwittingly helping attackers, so generative AI has obvious uses for quickly creating tailored communications and materials.

“That Russian-native hacker who doesn’t speak English well is no longer going to craft a crappy email to your employees,” Joyce said. “It’s going to be native-language English, it’s going to make sense, it’s going to pass the sniff test … So that right there is here today, and we are seeing adversaries, both nation-state and criminals, starting to experiment with the ChatGPT-type generation to give them English language opportunities.”

Meanwhile, although AI chatbots may not be able to develop perfectly weaponized novel malware from scratch, Joyce noted that attackers can use the coding skills the platforms do have to make smaller changes that could have a big effect. The idea would be to modify existing malware with generative AI to change its characteristics and behavior enough that scanning tools like antivirus software may not recognize and flag the new iteration.

“It is going to help rewrite code and make it in ways that will change the signature and the attributes of it,” Joyce said. “That \[is\] going to be challenging for us in the near term.”

In terms of defense, Joyce seemed hopeful about the potential for generative AI to aid in big data analysis and automation. He cited three areas where the technology is “showing real promise” as an “accelerant for defense”: scanning digital logs, finding patterns in vulnerability exploitation, and helping organizations prioritize security issues. He cautioned, though, that before defenders and communities more broadly come to depend on these tools in daily life, they must first study how generative AI systems can be manipulated and exploited.

Mostly, Joyce emphasized the murky and unpredictable nature of the current moment for AI and security, cautioning the security community to “buckle up” for what's likely yet to come.

“I don’t expect some magical technical capability that is AI-generated that will exploit all the things,” he said. But “next year, if we’re here talking a similar year in review, I think we’ll have a bunch of examples of where it’s been weaponized, where it’s been used, and where it’s succeeded.”

NSA Cybersecurity Director Says ‘Buckle Up’ for Generative AI

Law enforcement will likely find it much harder to take down criminal activities on the "deepverse."

RSA CONFERENCE 2023 – San Francisco – As the metaverse takes shape over the coming years, many of the security issues afflicting cyberspace will begin to spill over into virtual space as well.

One of the biggest of these threats will be the emergence of a new "darkverse," where criminals will be able to operate with greater impunity and more dangerously than they are able to do now on the Dark Web, two researchers from Trend Micro said at an RSA Conference 2023 session in San Francisco, April 26.

The metaverse is a somewhat loosely used term to describe a virtual space where people can interact with other individuals and organizations in a computer-generated version of the physical world. Just like how massive multiplayer online games allow individuals to create digital avatars of themselves and interact with other gamers in fantasy worlds, a full-fledged metaverse will allow individuals to shop, work, socialize and do other activities in a virtual replica of the physical world.

The same phenomenon will happen in the cybercrime underground, the researchers warned. Just like the Dark Web exists on an unindexed deep Web, the darkverse will operate within an unindexed "deepverse" that law enforcement will find hard to penetrate, they noted: The space will offer a safe haven for criminal spaces, extremist spaces, purveyors of child pornography, and those seeking to harass others.

Numaan Huq and Philippe Lin, senior threat researchers at Trend Micro, were two authors of a report last year on how security and privacy threats will likely emerge and evolve in the metaverse as more people begin to use it. Among the threats they identified in the report were amplified versions of some existing issues such as social engineering, financial fraud, and privacy risks, and some new ones such as risks related to NFTs, cyber-physical threats, and more.

**A Nearly Impenetrable 'Darkverse'**

The threats are a distance away from materializing, Huq and Linn said in a conversation with Dark Reading before their talk. "But the bad guys are already talking about how to make a profit in the metaverse," cautions Lin. "If \[organizations\] just ignore the threat and don't invest in trying to address them soon, they could lose more in future," he notes.

Trend Micro itself describes the metaverse as a "cloud distributed, multi-vendor, immersive, interactive operating environment that users can access through different categories of connected device." The metaverse will leverage Web 2.0 and Web 3.0 technologies to provide an interactive layer on top of the current Internet. "As proposed, it's an open platform for working and playing inside an extended reality environment, and it will also be a communications layer for smart city devices," according to Trend Micro.

The darkverse is a space that will exist within this world that, like today's Dark Web, will offer a safe space for free speech and expression against oppressive entities and governments. It will equally be a place for illegal and criminal activities with marketplaces that cater to a wide criminal audience. 

What will make the darkverse a distinctly more dangerous place is the difficulty law enforcement entities will have in trying to infiltrate the criminal activities taking place on it, Huq says. He expects criminals will use authentication tokens to control access to their spaces on the metaverse. They could make it almost impossible for defenders to get these tokens by requiring that users be inside a designated physical location in a specific time frame to receive a token. 

Criminals could also implement location based and proximity-based restrictions for accessing metaverse spaces. Such measures could make it significantly harder for law-enforcement authorities to take these activities down, compared to sinkholing a server or blocking URLs, Huq says.

**New Technologies & Protocols Introduce New Threats**

The darkverse will be a major threat, but not the only one that organizations will need to deal with in the metaverse. Huq and Lin expect that companies over the next several years will begin leveraging the metaverse for different use cases. As one example, Huq points to an operator of critical infrastructure that might create a digital twin of an OT or ICS environment. This would allow an engineer working for that company in New York to troubleshoot and address support issues at an ICS facility in Arizona almost like that engineer was physically present at that facility, he says. Similarly, a retailer could create digital stores where customers could shop in an immersive manner like they were at a physical location.

As such use cases proliferate, so too will the threats. Huq and Lin expect that attackers will look for and find ways to infiltrate and poison these environments to spy, steal, and create other havoc. They expect some of the attacks to target the servers, endpoints, and infrastructure on which the metaverse will run, while others will target metaverse-specific elements like the headsets people will use to access the virtual world, or the objects that exist within.

Huq and Lin, like other researchers also are concerned about the massive harvesting of personal data that is almost inevitably going to happen as more people begin using the metaverse in their personal and work lives.

"The metaverse will introduce in a very short span of time, a lot of new technologies," Huq says. Users will find themselves having to constantly interact with digital objects from a Facebook metaverse, a Google metaverse, a Microsoft metaverse, and other multiple other metaverses. That means having to deal with code being transported from one environment to the other in a very fluid manner. "When you execute a radical new technology, you are definitely going to start having security issues whether cyber, or procedural."

Metaverse Version of the Dark Web Could be Nearly Impenetrable

Last year, 71% of enterprise breaches were pulled off quietly, with legitimate tools, research shows.

RSA CONFERENCE 2023 – San Francisco – With little more than smart reconnaissance and existing tools, adversaries are increasingly capable of compromising an enterprise network without making any noise or leaving a trace behind.

In fact, according to CrowdStrike CEO Jeff Hurtz and president Michael Sentonas, 71% of enterprise cyberattacks in calendar year 2022 were done without malware.

At this year's RSA Conference, Hurtz and Sentonas returned to the keynote stage to walk the audience through a case study of just how easily a threat actor can not just penetrate a network but also move laterally and persist without making a ripple, illustrating in stark terms the kind of challenge cybersecurity teams face trying to detect, much less mitigate, malwareless compromises.

The legendary cybersecurity duo profiled the "Spider" cybercrime group from the stage as a perfect example of the phenomenon.

"They're very well prepared, and they are very well resourced," Sentonas explained. "And they really like to leverage existing tools; there's no need to get fancy if you can just blend in."

**Spider: Anatomy of a Malwareless Attack**

First, Spider initiates an in-depth intelligence gathering effort. Hurtz said his team was able to establish the threat actor spent more than an hour on the phone with the victim company's help desk trying to get any insights that could fuel the next phase of social engineering. 

Once they had a specific user in their sights, Spider initiates a voice call informing the user their credentials had been compromised. Victims are then sent a malicious link and prompted to enter in not just their login details, but also their multifactor authentication (MFA) data. Once the user is tricked into handing those over, Spider is off and running.

"We call that the layer A problem," Hurtz joked, about the user handing over the goods. "It's between the chair and the keyboard."

Spider then uses the Tails operating system and Evilginx2 to compromise the user's credentials to set up an AnyDesk account controlled by the cyberattackers. AnyDesk remains a popular remote desktop tool among threat actors, Hurtz added.

Spider also uses dedicated machines that hide their identity, and run their code on hardware as much as possible to avoid detection. "It could be from anywhere," Sentonas said. "It blends in because its not going to come from some crazy domain."

Other tools, like DigitalOcean Droplet, used as a virtual machine, fill out the attack chain. Ultimately, Hurtz and Sentonas explained, the Spider attack ends with the persistent actor set up with their own users on the network, free and able to exfiltrate data at will. And importantly, Sentonas noted, if the threat actor can get into the on-premises network, the cloud is likely going to sync and become compromised as well.

Importantly, Sentonas and Hurtz wanted to disabuse the audience of the notion that threat actors need full admin access to set up new users. They don't, and Sentonas showed exactly how just delegated permissions could allow him to move freely about the company's customer relationship management system, as well as add themselves as a SQL server admin.

In the past couple of quarters, CrowdStrike has been dealing with about one enterprise per week reeling from this type of malware-free cyberattack, Sentonas said.

**How to Defend Against Malware-Free Cyberattacks**

When it comes to defending the enterprise, endpoint detection and response (EDR) and other malware detection tools aren't terribly useful against malware-free cyberattacks. There's simply no malicious code to detect.

Instead, Hurtz and Sentonas urged enterprises to focus on gathering as much telemetry as possible from the endpoint to the cloud and managing identity down to the tiniest details.

But gathering all that telemetry and identity data leaves teams with vast oceans of information that's not particularly useable for threat hunting. That's where artificial intelligence (AI) and machine learning (ML) can be meaningfully deployed to look for anomalous activity, like added user accounts, to detect malicious activity, without malicious code.

It's also important to protect the enterprise MFA service from compromise, they added.

"Maintain good identity store hygiene, Sentonas said. "And protect the services you use for MFA."

Malware-Free Cyberattacks Are On the Rise; Here's How to Detect Them

In 45 percent of engagements, attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter.

Wednesday, April 26, 2023 08:04

**Web shell usage spikes in Q1 compared to previous quarters, correlating with higher instances of exploitation of public-facing applications.**

In a novel increase compared to previous quarters, Cisco Talos Incident Response (Talos IR) reports that web shells were the most-observed threat in the first quarter of 2023, comprising nearly a fourth of the incidents Talos IR engaged in. The functionality of these web shells and the specific vulnerabilities and weaknesses in the platforms they targeted varied. Although each web shell had its own sets of basic functions, when there were multiple web shells present in a single engagement, threat actors chained them together to provide a more flexible toolkit for spreading access across the network. This demonstrates the skills actors have in combining multiple means of accesses and tools and increases the liklihood that they will be able to deploy additional malware or obtain sensitive and private information.

Ransomware made up a smaller portion of threats observed this quarter than in the past, from 20% to around 10%. Given that Talos IR observed a recent surge of ransomware incidents at the end of the quarter that did not close off, this decrease does not necessarily signify a decline in general ransomware activity as much as it is a reflection of activity seen against Talos IR’s customer base. However, ransomware and pre-ransomware incidents combined made up more than 20 percent of threats observed. While it can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place, many of the pre-ransomware engagements featured activity associated with prominent ransomware groups, such as Vice Society. We note that in this quarter, particularly in an aforementioned Vice Society engagement, swift action from defenders at victim organizations as well as Talos IR helped mitigate malicious activity before encryption could occur.

This quarter also featured previously seen commodity loaders, such as Qakbot. In engagements this quarter, Qakbot leveraged malicious OneNote documents, consistent with an uptick in various malware distributing weaponized Microsoft Office OneNote attachments. This is evidence of an ongoing trend of threat actors experimenting with file types that do not rely on macros to deliver malicious payloads following Microsoft’s move to start disabling macros by default in its applications in July 2022.

In 45 percent of engagements, attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter. In many of these engagements, web shell usage contributed to this uptick where adversaries were attempting to compromise web-based servers exposed to the internet.

**Targeting**

Health care and public health was the most targeted vertical this quarter, closely followed by the retail and trade, real estate and food services/accommodation sectors, including hospitality.

**Web shell usage spike, featuring activity from FIN13**

Since January 2023, Talos IR observed an increase in web shell usage from 6% of all threats last quarter to now comprising nearly 25% of all threats. Web shells are malicious scripts that enable threat actors to compromise web-based servers exposed to the internet. This quarter, Talos observed threat actors using publicly available or modified web shells coded in various languages, including PHP, ASP.NET and Perl. After leveraging web shells to establish a foothold and gain persistent access to a system, adversaries remotely executed arbitrary code or commands, moved laterally within the network, or delivered additional malicious payloads. In many of these web shell incidents, adversaries relied heavily on web shell code sourced from publicly available GitHub repositories. This finding is also in line with a trend observed from Talos IR engagements from July to September 2022 (Q3 2022), where adversaries used a variety of open-source tools and scripts hosted on GitHub repositories to support operations across multiple stages of the attack lifecycle.

In one cluster of web shell activity, Talos observed targeting patterns and tactics, techniques and procedures (TTPs) potentially associated with the FIN13 cybercriminal threat actor, a significant finding in Talos IR engagements given FIN13’s targeted behavior. The web shells with known FIN13 TTPs have varying levels of functionality which include allowing queries to Microsoft SQL (MS-SQL) instances, creating reverse shell connection(s) to external IP addresses, and executing PHP scripts which can be used as a proxy to connect to other services. Consistent with public reporting on FIN13, Talos IR observed a PHP-based web shell (“404.php”) that took an IP or DNS entry and a port and attempted to create a proxy connection. The second web shell (“ms3.aspx”) was Windows-based and allowed SQL connections to an internal server and, if successful, results would be rendered in the browser. The third was another PHP-based web shell (“re.php”) that conducted port scans and created an outbound socket to respond/exfiltrate data to the attacker. This specific web shell contained a hardcoded IP address which resolved to cloud service provider DigitalOcean. The final web shell (“tx.asp”) was a Windows-based web shell that used “wscript.shell” and exec() to run commands rendered to the screen via an HTML document. While each web shell on its own had basic functionality, by chaining them together, the actor created a flexible toolkit for spreading their access across the network, while providing a proxy for exfiltrating sensitive data.

While the exact reason for this quarter’s increased appearance of web shells is unknown, their recent increased popularity may potentially be related to the ease of obtaining their code through open-source repositories. The availability of and easy access to open-source web shell code, paired with systems that may be publicly exposed or have poorly managed patching, make the use of web shells a lucrative option.

**Ransomware**

Ransomware made up a much smaller portion of threats this quarter, from 20% of threats to 10%. Looking ahead, there was a recent spike in ransomware engagements which we expect to level out again next quarter. Combined, ransomware and pre-ransomware incidents made up over 20 percent of threats observed.

In a Phobos ransomware engagement, a threat that Talos IR has responded to since 2020, the initial access likely involved remote desktop protocol (RDP). The adversary deployed a file named “mimidrv.sys," which is a signed Windows kernel mode software driver meant to be used with the Mimikatz executable. Talos IR also identified seven startup items that included downloading the ransomware executable, “Fast.exe.” This is a common persistence technique that followed activity where the adversary made modifications to the registry on the customer’s Amazon Relational Database Service (RDS) server. Upon encryption, attackers encrypted the files, appending them with the “.faust” extension and dropped a ransom note on the targeted systems.

This quarter also featured the Daixin ransomware, a newer ransomware-as-a-service (RaaS) family that Talos IR had never seen before in an engagement. Daixin, which first emerged in June 2022, typically involves affiliates gaining access to victim systems through virtual private networks (VPN) servers or by exploiting unpatched vulnerabilities, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). In a Daixin ransomware engagement, the affiliate modified registry values, mapped network shares, and ran randomly named BAT files as services on the system. Talos IR also identified the Impacket toolset, a collection of Python classes for working with different network protocols, and a PowerShell script loading a Cobalt Strike payload which subsequently launched a Cobalt Strike shellcode listening on port 4444.

We assess that the recent law enforcement efforts to disrupt ransomware actors will create space for new groups to emerge, consistent with a pattern that has been ongoing for years. In January 2023, the U.S. Department of Justice announced a months-long disruption campaign against the Hive ransomware group. The FBI, along with foreign law enforcement partners, seized Hive servers after entering its networks and capturing keys to decrypt its software, effectively disrupting operations. We have not observed Hive ransomware in Talos IR engagements since August 2022, a likely indication that Hive operations have ceased while former members possibly look to join other groups or rebrand under new names.

**Malicious OneNote documents continue to be leveraged in engagements this quarter**

The Qakbot commodity loader was observed across engagements this quarter leveraging ZIP files containing malicious OneNote documents, consistent with endpoint telemetry and public reporting on threats leveraging OneNote documents in phishing emails starting at the end of 2022 and early 2023. In one Qakbot engagement, a ZIP file ("Inv\_02\_02\_#3.zip") was detected as Qakbot and contained a malicious OneNote document which attempted to lure a user to click “open” containing a malicious embedded URL.

While Talos IR did not respond to any Emotet incidents this quarter, Emotet reemerged in March 2023, resuming its spam operations after a months-long hiatus. In a relatively short period, Emotet modified its infection chain several times to maximize the likelihood of successfully infecting victims. By mid-March, Emotet had switched to distributing malicious OneNote documents, highlighting the ways in which threat actors will continue to identify and quickly implement updated delivery methods to infect victims.

**Initial vectors**

This quarter featured 45 percent of engagements where attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter. In many of these engagements, web shell usage contributed to this uptick where adversaries were attempting to compromise web-based servers exposed to the internet. Valid accounts and/or accounts with weak passwords or single-factor authentication also helped facilitate initial access where an adversary was leveraging compromised credentials.

Several known vulnerabilities contributed to adversaries gaining initial access via exploiting public-facing applications. In one incident, Talos IR identified activity consistent with exploitation of the WordPress vulnerability, tracked as CVE-2021-24867, in AccessPress Plugin and Theme. As a result, Talos IR identified approximately 20 different web shells and/or website defacements, likely from multiple threat actors identifying and exploiting this older flaw.

In another web shell engagement, Talos IR identified a vulnerable version of Magento (Adobe Commerce) version 2.4.2 that was operating in the Kubernetes deployment at the time of exploitation. Talos IR identified a total of nine known vulnerabilities for this version of the software, not including extensions. Talos IR recommends upgrading all instances of Magento to the latest available version, and routinely checking for vulnerable outdated extension versions that need patching or removed completely to reduce the available attack surface.

**Security weaknesses**

The lack of multi-factor authentication (MFA) remains one of the biggest impediments for enterprise security. Nearly 30 percent of engagements involved organizations that either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection response (EDR) solutions or VPNs. To help minimize initial access vectors, Talos IR recommends disabling VPN access for all accounts that are not using MFA.

The increase in web shell engagements highlights the need for more vigilance in helping to prevent web shells. Talos provides the following recommendations:

*   Routinely update and patch all software and operating systems to identify and remediate vulnerabilities or misconfigurations in web applications and web servers.
*   In addition to patching, perform general system hardening, including removing services or protocols where they are unnecessary and being aware of all systems exposed directly to the internet.
*   Disable unnecessary php functions in your “php.ini”, such as eval(), exec(), peopen(), proc\_open() and passthru().
*   Frequently audit and review logs from web servers for unusual or anomalous activity.

**Top-observed MITRE ATT&CK techniques**

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note, this is not an exhaustive list.

Key findings from the MITRE ATT&CK framework include:

*   Exploitation of public-facing applications was the top observed initial access technique, with the increased web shell activity likely contributing to this significant observation.
*   PowerShell is routinely used by adversaries to support a multitude of threats. We continued to observe high usage of PowerShell, in addition to a number of other scripting languages, including Python, Unix shell, and Windows command shell, which enabled web shell execution.
*   The open source red-teaming security toolkit Mimikatz was used to support nearly 60 percent of ransomware and pre-ransomware engagements this quarter. Consistently observed across previous quarters, Mimikatz is a widely used post-exploitation tool used to steal login IDs, passwords, and authentication tokens from compromised Windows systems.

Tactic 

Technique 

Example 

Initial Access (TA0001) 

T1190 Exploit Public-Facing Application  

Attackers successfully exploited a vulnerable application that was publicly exposed to the internet 

Reconnaissance (TA0043) 

T1592 Gather Victim Host Information 

Text file contains details about host 

Persistence (TA0003) 

T1505.003 Server Software Component: Web Shell  

Adversaries deployed web shells against web-based servers 

Execution (TA0002) 

T1059.001 Command and Scripting Interpreter: PowerShell  

Executes PowerShell code to retrieve information about the client's Active Directory environment 

Discovery (TA0007) 

T1046 Network Service Scanning   

Use a network or port scanner utility  

Credential Access (TA0006) 

T1003 OS Credential Dumping 

Deploy Mimikatz and publicly available password lookup utilities 

Privilege Escalation (TA0004)  

1484 Domain Policy Modification

Modify GPOs to execute malicious files  

Lateral Movement (TA0008) 

T1021.001 Remote Desktop Protocol  

Adversary made attempts to move laterally using Windows Remote Desktop 

Defense Evasion (TA0005) 

T1027 Obfuscated Files or Information 

Use base64-encoded PowerShell scripts 

Command and Control (TA0011) 

T1105 Ingress Tool Transfer  

Adversaries transfer/download tools from an external system 

Impact (TA0040) 

T1486 Data Encrypted for Impact  

Deploy Hive ransomware and encrypt critical systems 

Exfiltration (TA0010) 

T1567 Exfiltration Over Web Service 

Use legitimate external web service to  system information  

Collection (TA0009) 

T1560.001 Archive Collected Data 

Adversary leveraged xcopy on Windows to copy files  

Software/Tool 

S0002 Mimikatz 

Use Mimikatz to obtain account logins and passwords

Quarterly Report: Incident Response Trends in Q1 2023

The Data Security Maturity Model ditches application, network, and device silos when it comes to architecting a data security strategy.

RSA CONFERENCE 2023 – San Francisco – The coalition behind the Data Security Maturity Model has issued a second iteration of the framework, aimed at making it easier for businesses to protect data from leaks.

The coalition, created by Cyberhaven last summer, is led by Sounil Yu, CISO at JupiterOne and includes a range of security leaders from a range of companies, including Boston Scientific, Caterpillar Financial, Fleet, Flexport, Motorola Mobility, Twilio, VillageMD, and others.

During a panel at RSA Conference 2023, entitled Comprehensive Cyber Capabilities Framework: A Tech Tree for Cybersecurity, coalition members laid out a vision for the next generation of data security.

"The ability to protect any type of data across devices, applications, and cloud assets is essential if organizations are to take advantage of the power of modern collaboration and digital transformation without exposing their data to external threats, insider threats, or simple mistakes by well-intentioned users," the coalition said in a statement.

The DSMM aligns to the NIST Cybersecurity Framework and the Cyber Defense Matrix, and to enable a data-centric view, it defines five key functions:

*   **Identify & Classify:** Find and classify all data covered by the data security program.
*   **Protect:** Minimize the exposure of sensitive data by controlling how it is accessed, used, and retained.
*   **Detect:** Collect and analyze data risk to identify data-related security events or policy violations that were not stopped by the "Protect" function.
*   **Respond:** Establish immediate, short-term actions to be taken upon detection of a potential incident.
*   **Recover & Improve**: Determine actions needed to not only restore normal operations (as they pertain specifically to data), but also to build back stronger.

In its second iteration released this week, the maturity model refines each of these pillars to take into account more granular context, such as what server infrastructure is being used, how much is in the cloud, privacy regulations, how employees and others use the data, and how applications, APIs, and non-human endpoints use it, and more — in order to gain a fuller picture of an organization's data footprint.

**The Data & Digital Transformation Problem**

Richard Rushing, panelist and CISO of Motorola Mobility, tells Dark Reading that a new framework approach was needed given that, in the age of digital transformation, getting arms around all of the data being generated at any given point within an organization simply can't be accomplished by looking at protection in a siloed way. The old concept of seeing data in the context of devices, applications, or the network, needed to be traded for a focus on the data itself, wherever it goes within an organization.

"If you think about what security is enabling, it's the use of data, and ubiquitous access to it," he says. "It's necessary to connect to the network to use the data that's in the network to make better decisions for the business or make better decisions for your customers. But data is found in different places, sometimes it's at rest, and sometimes it's in transit."

He adds that the problem is — quite literally — growing, also necessitating a rethink of protection architecture.

"Data is on a logarithmic curve; for every amount of data that I have next year, it's probably 2.5 times more than the amount of data I had this year," he says. "We're data hoarders, for lack of a better term; no one wants to get rid of people's information who have signed up to websites and forums and everything else, so we have this enormous data sprawl. That, in turn, leaves behind security blind spots."

Further adding to the challenge is the fact that some data is of course more sensitive than other information, and some information doesn't need protecting at all, Rushing points out. And there's dynamism in terms of defining appropriate security levels as data ages.

He uses a product launch to illustrate his point. "With a product release, we start off with a situation where no one knows about it, everything's embargoed, and you're protecting this important intellectual property," he explains. "And the next thing you know, it's released for public consumption. And it's suddenly not top secret anymore, in fact, you want the whole world to know about it."

Rushing says that the framework is meant to tame some of this chaos, and that it can be tailored to large enterprises and small-to-midsized businesses alike. It allows organizations to focus in on a number of practice areas, too — including risk-based decision prioritization, collaboration, continuous education, risk management for vendors and third parties, compliance, being transparent, and incident response and how to recover data.

"I don't want to say it's one size fits all, but it's very close to one size fits all," he explains. "The controls are going to be different depending on the environments, but the approach is meant to be flexible enough to accommodate that."

He says that the framework is a living architecture that the coalition plans to refine and evolve over time. However, the time to make the switch to thinking about things in a data-centric kind of way should start now.

"If you don't start \[or\] you don't think about this, you're going to get hit in the next 6, 12, 18 months in some way, shape, or form," he warns. "It's not like the Internet is becoming a safer neighborhood and data is the new oil that's going to drive business and attackers alike."

Tag

#cisco