At most, someone who intentionally or repeatedly shares information on their social platform that’s misleading or downright false may have their account blocked, suspended or deleted.

Thursday, April 18, 2024 14:00

If you’re a regular reader of this newsletter, you already know about how strongly I feel about the dangers of spreading fake news, disinformation and misinformation. 

And honestly, if you’re reading this newsletter, I probably shouldn’t have to tell you about that either. But one of the things that always frustrates me about this seemingly never-ending battle against disinformation on the internet, is that there aren’t any real consequences for the worst offenders. 

At most, someone who intentionally or repeatedly shares information on their social platform that’s misleading or downright false may have their account blocked, suspended or deleted, or just that one individual post might be removed.  

Twitter, which has become one of the worst offenders for spreading disinformation, has gotten even worse about this over the past few years and at this point doesn’t do anything to these accounts, and in fact, even promotes them in many ways and gives them a larger platform. 

Meta, for its part, is now hiding more political posts on its platforms in some countries, but at most, an account that shares fake news is only going to be restricted if enough people report it to Meta’s team and they choose to take action.  

Now, I’m hoping that Brazil’s Supreme Court may start imposing some real-world consequences on individuals and companies that support, endorse or sit idly by while disinformation spreads. Specifically, I’m talking about a newly launched investigation by the court into Twitter/X and its owner, Elon Musk.  

Brazil’s Supreme Court says users on the platform are part of a massive misinformation campaign against the court’s justices, sharing intentionally false or harmful information about them. Musk is also facing a related investigation into alleged obstruction.  

The court had previously asked Twitter to block certain far-right accounts that were spreading fake news on Twitter, seemingly one of the only true permanent bans on a social media platform targeting the worst misinformation offenders. Recently, Twitter has declined to block those accounts. 

This isn’t some new initiative, though. Brazil’s government has long looked for concrete ways to implement real-world punishments for spreading disinformation. In 2022, the Supreme Court signed an agreement with the equivalent of Brazil’s national election commission “to combat fake news involving the judiciary and to disseminate information about the 2022 general elections.” 

Brazil’s president (much like the U.S.) has been battling fake news and disinformation for years now, making any political conversation there incredibly divisive, and in many ways, physically dangerous. I’m certainly not an authority enough on the subject to comment on that and the ways in which the term “fake news” has been weaponized to literally challenge what is “fact” in our modern society.  

And I could certainly see a world in which a high court uses the term “fake news” to charge and prosecute people who are, in fact, spreading \*correct\* and verifiable information.  

But, even just forcing Musk or anyone at Twitter to answer questions about their blocking policies could bring an additional layer of transparency to this process. Suppose we want to really get people to stop sharing misleading information on social media. In that case, it needs to eventually come with real consequences, not just a simple block when they can launch a new account two seconds later using a different email address. 

**The one big thing **

Talos recently discovered a new threat actor we're calling “Starry Addax” targeting mostly human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause. Starry Addax primarily uses a new mobile malware that it infects users with via phishing attack, tricking their targets into installing malicious Android applications we’re calling “FlexStarling.” The malicious mobile application (APK), “FlexStarling,” analyzed by Talos recently masquerades as a variant of the Sahara Press Service (SPSRASD) App. 

**Why do I care? **

The targets in this campaign's case are considered high-risk individuals, advocating for human rights in the Western Sahara. While that is a highly focused particular demographic, FlexStarling is still a highly capable implant that could be dangerous if used in other campaigns. Once infected, Starry Addax can use their malware to steal important login credentials, execute remote code or infect the device with other malware.  

**So now what? **

This campaign's infection chain begins with a spear-phishing email sent to targets, consisting of individuals of interest to the attackers, especially human rights activists in Morocco and the Western Sahara region. If you are a user who feels you could be targeted by these emails, please pay close attention to any URLs or attachments used in emails with these themes and ensure you’re only visiting trusted sites. The timelines connected to various artifacts used in the attacks indicate that this campaign is just starting and may be in its nascent stages with more infrastructure and Starry Addax working on additional malware variants. 

**Top security headlines of the week **

**A threat actor with ties to Russia is suspected of infecting the network belonging to a rural water facility in Texas earlier this year.** The hack in the small town of Muleshoe, Texas in January caused a water tower to overflow. The suspect attack coincided with network intrusions against networks belonging to two other nearby towns. While the attack did not disrupt drinking water in the town, it would mark an escalation in Russian APTs’ efforts to spy on and disrupt American critical infrastructure. Security researchers this week linked a Telegram channel that took credit for the activity with a group connected to Russia’s GRU military intelligence agency. The adversaries broke into a remote login system used in ICS, which allowed the actors to interact with the water tank. It overflowed for about 30 to 45 minutes before officials took the machine offline and switched to manual operations. According to reporting from CNN, a nearby town called Lockney detected “suspicious activity” on the town’s SCADA system. And in Hale Center, adversaries also tried to breach the town network’s firewall, which prompted them to disable remote access to its SCADA system. (CNN, Wired) 

**Meanwhile, Russia’s Sandworm APT is also accused of being the primary threat actor carrying out Russia’s goals in Ukraine.** New research indicates that the group is responsible for nearly all disruptive and destructive cyberattacks in Ukraine since Russia's invasion in February 2022. One attack involved Sandworm, aka APT44, disrupting a Ukrainian power facility during Russia’s winter offensive and a series of drone strikes targeting Ukraine’s energy grid. Recently, the group’s attacks have increasingly focused on espionage activity to gather information for Russia’s military to use to its advantage on the battlefield. The U.S. indicated several individuals for their roles with Sandworm in 2020, but the group has been active for more than 10 years. Researchers also unmasked a Telegram channel the group appears to be using, called “CyberArmyofRussia\_Reborn.” They typically use the channel to post evidence from their sabotage activities. (Dark Reading, Recorded Future) 

**Security experts and government officials are bracing for an uptick in offensive cyber attacks between Israel and Iran** after Iran launched a barrage of drones and missiles at Israel. Both countries have dealt with increased tensions recently, eventually leading to the attack Saturday night. Israel’s leaders have already been considering various responses to the attack, among which could be cyber attacks targeting Iran in addition to any new kinetic warfare. Israel and Iran have long had a tense relationship that included covert operations and destructive cyberattacks. Experts say both countries have the ability to launch wiper malware, ransomware and cyber attacks against each other, some of which could interrupt critical infrastructure or military operations. The increased tensions have also opened the door to many threat actors taking claims for various cyber attacks or intrusions that didn’t happen. (Axios, Foreign Policy) 

**Can’t get enough Talos? **

*   Cisco Warns of Global Surge in Brute-Force Attacks Targeting VPN and SSH Services 
*   Decade-old malware haunts Ukrainian police 
*   Attackers are pummeling networks around the world with millions of login attempts 
*   OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal 
*   Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials 
*   Talos Takes Ep. #179: Why we need to stop calling as-a-service group takedowns "takedowns" 

**Upcoming events where you can find Talos **

 **Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Most prevalent malware files from Talos telemetry over the past week **

_This section will be on a brief hiatus while we work through some technical difficulties._

Could the Brazilian Supreme Court finally hold people accountable for sharing disinformation?

Select Ukrainian government networks have remained infected with a malware called OfflRouter since 2015.
Cisco Talos said its findings are based on an analysis of over 100 confidential documents that were infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform.
"The documents contained VBA code to drop and run an executable with the name 'ctrlpanel.exe,'"

OfflRouter Malware Evades Detection in Ukraine for Almost a Decade

Industry leaders aim to solve the threat to both the mental health of workers and security of organizations with solutions that recognize the enormous pressures facing cybersecurity professionals.

Source: Roman Samborskyi via Alamy Stock Photo

It's no secret that burnout is an epidemic among cybersecurity professionals that threatens not only the mental health of workers in the field, but also the security of organizations. But how to solve the growing crisis is still something with which the industry is grappling.

Peter Coroneos, founder of Cybermindz, and Kayla Williams, CISO of Devo, have different perspectives on cybersecurity burnout given their distinct roles and perspectives as industry leaders, but together they have a shared vision to find solutions to help break the current cycle of burnout that faces the cybersecurity profession.

Coroneos is founder of Cybermindz, a not-for-profit that offers resilience training for cyber teams, among others; and Williams is chief information security officer (CISO) of Devo, a cloud-native security analytics company.

The two — whose companies already are partners in fighting burnout — will come together at the upcoming RSA Conference to host a session called "Burnout in Cyber: The Intersection of Neuroscience, Gender, and Wellbeing." Their session will present some reasons why cybersecurity burnout has become a vicious cycle, as well as how a combination of empathetic leadership and neuroscience-based training can help break it.

**Security Staff Burnout: A Wake-Up Call**

The "wake-up call" for Coroneos on how serious the burnout problem came when a survey of 200 cybersecurity professionals conducted by Wakefield Research on behalf of Devo released its results last September. The study found that a hefty 83% of those surveyed admit that stress has led them and peers to make errors that have caused data breaches.   

The COVID-19 pandemic-related workplace changes as well as the increased cyberattacks taking advantage of organizations' hasty and often insecure shift to accommodate a remote workforce really threw cybersecurity burnout into high gear, he said.

"COVID brought together a number of factors that have been brewing in the background for a number of years," Coroneos says in a recent interview.

Working remotely, cybersecurity professionals felt even less of a separation between their work and home lives and felt as if they quite literally always took their work home with them. And with cyberattackers exploiting the vulnerable security situation with which many companies were faced at the time, there was even more work for them to do, and thus more pressure than ever, he says.

It was a "perfect storm" of conditions to foster burnout, Coroneos says. "We started to see many more reports of the degradation in the mental health status of cybersecurity teams," he says. "They feel this relentless pressure with no end in sight."

**The Blame Game**

Some of that pressure comes with the often-unfair burden of blame that CISOs and chief security officers (CSOs) in particular shoulder when a data breach or attack goes horribly wrong for a company, says Williams, who in her position as CISO knows all too well.

A key source of stress these executives experience is that they often don't control their budgets and the overall security roadmap at their respective organizations, and thus don't typically get the sufficient funding to execute their vision for a company's security. However, they still will be held accountable if something goes wrong, Williams says.

She cited notable high-profile lawsuits brought against top security executives from Uber and SolarWinds in which they took the brunt of the blame for security incidents at their respective companies as scenarios that are scaring top professionals out of the industry.

"From what I'm seeing and hearing, turnover is incredibly high," Williams says. "Speaking to my peers, they don't want to be CSOs anymore."

Indeed, the Devo survey found that 85% of professionals surveys will leave their role in the next year, while 25% will leave the industry entirely.

The current situation that many security professionals find themselves in is a burnout cycle that keeps those who stay in the profession feeling stressed out and hopeless about their jobs, while creating unprecedented numbers of turnover in a position that already faces job shortages. This circular cycle creates even more burnout for those who stay in cybersecurity roles, Coroneos and Williams say.

**Breaking the Security Fatigue Cycle**

To break this cycle, the two professionals pose a combination of empathetic leadership strategies and a neuroscience-based solution to help retrain people's minds to deal with high levels of stress.

As a CISO herself, Williams says she knows how important it is to communicate effectively with people in various cybersecurity roles within the organization to ensure that their individual needs both professionally and emotionally are being met. This is especially true as a new generation of cyber professionals with different emotional needs is entering the workforce, she says.

"As a people leader, it is my responsibility to ensure that I am communicating to my teams in a way that resonates with them," Williams says. It's important for leaders to take time to understand the needs of individuals on a team and to check in with them as they would with family or friends to ensure they are not feeling overwhelmed by stress or the demands of their responsibilities, she says.

Meanwhile, Cybermindz is taking a page out of the playbook of international armed forces with a training solution called Integrative Restoration (iRest) that has been implemented by the US and Australian military since 2006 and 2016, respectively.

iRest — the result of more than 40 years of observation, research and development by clinical psychologist Richard Miller and his team at an institute of the same name California — is an attention-training technique to help the brain's limbic system return to a restful state after an intense period of high stress.

The problem for cybersecurity pros is that they often get stuck in a constant state of psychological fight-or-flight response pattern due to the constant stress cycle of their jobs, Coroneos explains. iRest is a training that helps them switch out of this cycle to bring them to a deeper state of relaxation to reset that fight-or-flight response. This will help the brain switch off, so it is not constantly creating stress not only in the workplace but throughout their everyday lives, thus creating burnout, he says.

"We need to get them into a position where they can come into a proper relationship into their subconscious," Coroneos says, adding that so far cybersecurity professionals who have experienced the training — which Cybermindz is currently piloting— report they are sleeping better and making clearer decisions after only a few sessions of the program.

Indeed, while burnout remains a serious problem, the message Coroneos and Williams ultimately want to convey is one of hope that there are solutions to solve the burnout problem currently facing cybersecurity professionals, and that the enormous pressures these dedicated professionals face is not being overlooked.

"We want to show them that their mental health need not be the price of their career," Coroneos says.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Break Security Burnout: Combining Leadership With Neuroscience

Moobot, Miori, AGoent, and a Gafgyt variant have joined the infamous Mirai botnet in attacking unpatched versions of vulnerable Wi-Fi routers.

Source: Stuart Miles via Alamy Stock Photo

A number of botnets are pummeling a nearly year-old command-injection vulnerability in TP-Link routers to compromise the devices for IoT-driven distributed denial of service (DDoS) attacks.

There already is a patch for the flaw, tracked as CVE-2023-1389, found in the Web management interface of the TP-Link Archer AX21 (AX1800) Wi-Fi router and affecting devices Version 1.1.4 Build 20230219 or prior.

However, threat actors are taking advantage of unpatched devices to dispatch various botnets — include Moobot, Miori, AGoent, a Gafgyt variant, and variants of the infamous Mirai botnet — that can compromise the devices for DDoS and further nefarious activity, according to a blog post from Fortiguard Labs Threat Research.

"Recently, we observed multiple attacks focusing on this year-old vulnerability," which already was previously exploited by the in Mirai botnet, according to the post by Fortiguard researchers Cara Lin and Vincent Li. Fortiguard's IPS telemetry has detected significant traffic peaks, which alerted the researchers to the malicious activity, they said.

**Exploiting the TP-Link Flaw**

The flaw creates a scenario in which there is no sanitization of the "Country" field of the router's management interface, "so an attacker can exploit it for malicious activities and gain foothold," according to TP-Link's security advisory for the flaw.

"This is an unauthenticated command-injection vulnerability in the 'locale' API available via the web management interface," Lin and Li explained.

To exploit it, users can query the specified form "country" and conduct a "write" operation, which is handled by the "set\_country" function, the researchers explained. That function calls the "merge\_config\_by\_country" function and concatenates the argument of the specified form "country" into a command string. This string is then executed by the "popen" function.

"Since the 'country' field won't be emptied, the attacker can achieve command injection," the researchers wrote.

**Botnets to the Siege**

TP-Link's advisory when the flaw was revealed last year included acknowledgement of exploitation by the Mirai botnet. But since then other botnets as well as various Mirai variants also have taken siege against vulnerable devices.

One is Agoent, a Golang-based agent bot that attacks by first fetching the script file "exec.sh" from an attacker-controlled website, which then retrieves the Executable and Linkable Format (ELF) files of different Linux-based architectures.

The bot then executes two primary behaviors: the first is to create the host username and password using random characters, and the second is to establish connection with command and control (C2) to pass on the credentials just created by the malware for device takeover, the researchers said.

A botnet that creates denial of service (DoS) in Linux architectures called the Gafgyt variant also is attacking the TP-Link flaw by downloading and executing a script file and then retrieving Linux architecture execution files with the prefix filename "rebirth." The botnet then gets the compromised target IP and architecture information, which it concatenates into a string that is part of its initial connection message, the researchers explained.

"After establishing a connection with its C2 server, the malware receives a continuous 'PING' command from the server to ensure persistence on the compromised target," the researchers wrote. It then waits for various C2 commands to create DoS attacks.

The botnet called Moobot also is attacking the flaw to conduct DDoS attacks on remote IPs via a command from the attacker's C2 server, the researchers said. While the botnet targets various IoT hardware architectures, Fortiguard researchers analyzed the botnet's execution file designed for the "x86\_64" architecture to determine its exploitation activity, they said.

A variant of Mirai also is conducting DDoS attacks in its exploitation of the flaw by sending a packet from the C&C server to direct the endpoint to initiate the attack, the researchers noted.

"The command specified is 0x01 for a Valve Source Engine (VSE) flood, with a duration of 60 seconds (0x3C), targeting a randomly selected victim's IP address and the port number 30129," they explained.

Miori, another Mirai variant, also has joined the fray to conduct brute-force attacks on compromised devices, the researchers noted. And they also observed attacks by Condi that remains consistent with a version of the botnet that was active last year.

The attack retains the function to prevent reboots by deleting binaries responsible for shutting down or rebooting the system, and scans active processes and cross-references with predefined strings to terminate processes with matching names, the researchers said.

**Patch & Protect to Avoid DDoS**

Botnet attacks that exploit device flaws to target IoT environments are "relentless," and thus users should be vigilant against DDoS botnets," the researchers noted. Indeed, IoT adversaries are advancing their attacks by pouncing on unpatched device flaws to further their sophisticated attack agendas.

Attacks against TP-Link devices can be mitigated by applying the available patch for affected devices, and this practice should be followed for any other IoT devices "to safeguard their network environments from infection, preventing them from becoming bots for malicious threat actors," the researchers wrote.

Fortiguard also included in its post various indicators of compromise (IoCs) for the different botnet attacks, including C2 servers, URLs, and files that can help server administrators identify an attack.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Various Botnets Pummel Year-Old TP-Link Flaw in IoT Attacks

The documents contained malicious VBA code, indicating they may be used as lures to infect organizations.

*   During a threat-hunting exercise, Cisco Talos discovered documents with potentially confidential information originating from Ukraine. The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. 
*   The results of the investigation have shown that the presence of the malicious code is due to the activity of a rare multi-module virus that's delivered via the .NET interop functionality to infect Word documents. 
*   The virus, named OfflRouter, has been active in Ukraine since 2015 and remains active on some Ukrainian organizations’ networks, based on over 100 original infected documents uploaded to VirusTotal from Ukraine and the documents’ upload dates. 
*   We assess that OfflRouter is the work of an inventive but relatively inexperienced developer, based on the unusual choice of the infection mechanism, the apparent lack of testing and mistakes in the code. 
*   The author’s design choices may have limited the spread of the virus to very few organizations while allowing it to remain active and undetected for a long period of time. 

As a part of a regular threat hunting exercise, Cisco Talos monitors files uploaded to open-source repositories for potential lures that may target government and military organizations. Lures are created from legitimate documents by adding content that will trigger malicious behavior and are often used by threat actors. 

For example, malicious document lures with externally referenced templates written in Ukrainian language are used by the Gamaredon group as an initial infection vector. Talos has previously discovered military theme lures in Ukrainian and Polish, mimicking the official PowerPoint and Excel files, to launch the so-called “Picasso loader,” which installs remote access trojans (RATs) onto victims' systems. 

In July 2023, threat actors attempted to use lures related to the NATO summit in Vilnius to install the Romcom remote access trojan. These are just some of the reasons why hunting for document lures is vital to any threat intelligence operation.  

In February 2024, Talos discovered several documents with content that seems to originate from Ukrainian local government organizations and the Ukrainian National Police uploaded to VirusTotal. The documents contained VBA code to drop and run an executable with the name \`ctrlpanel.exe\`, which raised our suspicion and prompted us to investigate further.   

Eventually, we discovered over 100 uploaded documents with potentially confidential information about government and police activities in Ukraine. The analysis of the code showed unexpected results – instead of lures used by advanced actors, the uploaded documents were infected with a multi-component VBA macro virus OfflRouter, created in 2015. The virus is still active in Ukraine and is causing potentially confidential documents to be uploaded to publicly accessible document repositories.   

**Attribution **

Although the virus is active in Ukraine, there are no indications that it was created by an author from that region. Even the debugging database string used to name the virus “E:\\Projects\\OfflRouter2\\OfflRouter2\\obj\\Release\\ctrlpanel.pdb” present in the ctrlpanel.exe does not point to a non-English speaker. 

From the choice of the infection mechanism, VBA code generation, several mistakes in the code, and the apparent lack of testing, we estimate that the author is an inexperienced but inventive programmer.  

The choices made during the development limited the virus to a specific geographic location and allowed it to remain active for almost 10 years. 

**OfflRouter has been confined to Ukraine **

According to earlier research by the Slovakian government CSIRT (Computer Security Incident Response Team) team, some infected documents were already publicly available on the Ukrainian National Police website in 2018.  

The newly discovered infected documents are written in Ukrainian, which may have contributed to the fact that the virus is rarely seen outside Ukraine. Since the malware has no capabilities to spread by email, it can only be spread by sharing documents and removable media, such as USB memory sticks with infected documents. The inability to spread by email and the initial documents in Ukrainian are additional likely reasons the virus stayed confined to Ukraine.  

One of the documents was recently uploaded to VirusTotal from Ukraine. 

The virus targets only documents with the filename extension .doc, the default extension for the OLE2 documents, and it will not try to infect other filename extensions. The default Word document filename extension for the more recent Word versions is .docx, so few documents will be infected as a result.  

This is a possible mistake by the author, although there is a small probability that the malware was specifically created to target a few organizations in Ukraine that still use the .doc extension, even if the documents are internally structured as Office Open XML documents.  

Other issues prevented the virus from spreading more successfully and most of them are found in the executable module, ctrlpanel.exe, dropped and executed by the VBA part of the code.  

When the virus is run, it attempts to set the value Ctrlpanel of the registry key HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run so that it runs on the Windows boot. An internal global string \_RootDir is used as the value, however, the string only contains the folder where the ctrlpanel.exe is found and not its full path, which makes this auto-start measure fail.  

One interesting concept in the .NET module is the entire process of infecting documents. As a part of the infection process, the VBA code is generated by combining the code taken from the hard-coded strings in the module with the encoded bytes of the ctrlpanel.exe binary. This makes the generated code the same for every infection cycle and rather easy to detect. Having a VBA code generator in the .NET code has more potential to make the infected documents more difficult to detect.  

Once launched, the executable module stays active in memory and uses threading timers to execute two background worker objects, the first one tasked with the infection of documents and the second one with checking for the existence of the potential plugin modules for the .NET module.  

The infection background worker enumerates the mounted drives and attempts to find documents to infect by using the Directory.Getfiles function with the string search pattern “\*.doc” as a parameter.  

One of the parameters of the function is the SearchOption parameter which specifies the option to search in subdirectories or only the in the root folder. For fixed drives, the module chooses to search only the root folder, which is an unusual choice, as it is quite unlikely that the root folder will hold any documents to infect.  

For removable drives, the module also searches all subfolders, which likely makes it more successful. Finally, it checks the list of recent documents in Word and attempts to infect them, which contributes to the success of the virus spreading to other documents on fixed drives.  

__The choice of document filename extensions is limited to .doc.__

**OfflRouter VBA code drops and executes the main executable module **

The VBA part of the virus runs when a document is opened, provided macros are enabled, and it contains code to drop and run the executable module ctrlpanel.exe.

__The VBA part creates and executes the executable module of the virus.__

 The beginning of the macro code defines a function that checks if the file already exists and if it does not, it opens it for writing and calls functions CheckHashX, which at first glance looks like containing junk code to reset the value of the variable \`Y\`. However, the variable Y is defined as a private property with an overridden setter function, which converts the variable value assignment into appending the supplied value to the end of the opened executable module C:\\Users\\Public\\ctrlpanel.exe. Every code line that looks like an assignment appends the assigned value to the end of the file, and that is how the executable module is written.  

This technique is likely implemented to make the detection of the embedded module a bit more difficult, as the executable mode is not stored as a contiguous block, but as a sequence of integer values that look like being assigned to a variable.  

To a more experienced analyst, this code looks like garbage code generated by polymorphic engines, and it raises the question of why the author has not extended the code generation to pseudo-randomize the code.  

__Infected Word documents drop the .NET component that infects other documents__. 

The virus is unique, as it consists of VBA and executable modules with the infection logic contained in the PE executable .NET module.  

__The property Y has an overridden setter function to write into a file.__

**Ctrlpanel.exe .NET module **

The unique infection method used by ctrlpanel.exe is through the Office Interop classes of .NET VBProject interface Microsoft.Vbe.Interop and the Microsoft.Office.Interop.Word class that exposes the functionality of the Word application.  

The Interop.Word class is used to instantiate a Document class which allows access to the VBA macro code and the addition of the code to the target document file using the standard Word VBA functions.  

When the .NET module ctrlpanel.exe is launched, it attempts to open a mutex ctrlpanelapppppp to check if another module instance is already running on the system. If the mutex already exists, the process will terminate.  

Suppose no other module instances are running. In that case, ctrlpanel.exe creates the mutex named “ctrlpanelapppppp”, attempts to set the registry run key so the module runs on system startup, and finally initializes two timers to run associated background timer callbacks – VBAClass\_Timer\_Callback and PluginClass\_TimerCallback, implemented to start the Run function of the classes VBAClass and PluginClass, respectively. 

__Ctrlpanel.exe has two threads of execution.__

The VBAClass\_Timer\_Callback will be called one second after the creation of VBAClass\_Timer timer and the PluginClass\_Timer\_Callback three seconds after the creation of the PluginClass\_Timer.  

The full functionality of the executable module is implemented by two classes, VBAClass and PluginClass, specifically within their respective functions Backgroundworker\_DoWork. 

**_VBAClass is tasked with generating VBA code and infecting other Word documents_ **

 The background worker function runs in an infinite loop and contains two major parts, the first is tasked with the document infection and the second with finding the documents to infect, the logic we already described above.  

The infection iterates through a list of the document candidates to infect and uses an innovative method to check the document infection marker to avoid multiple infection processes – the function checks the document creation metadata, adds the creation times, and checks the value of the sum. If the sum is zero, the document is considered already infected.  

__The file system time of creation is used as an infection marker.__

If the document to be infected is created in the Word 97-2003 binary format (OLE2), the document will be saved with the same name in Microsoft Office Open XML format with enabled macros (DOCX).  

The infection uses the traditional VBA class infection routine. It accesses the Visual Basic code module of the first VBComponent and then adds the code generated by the function MyScript to the document’s code module. After that, the infected document is saved.  

__The target document is converted to .docx and then infected.__

The code generation function MyScript contains static strings and instructions to dynamically generate code that will be added to infected documents. It opens its own executable ctrlpanel.exe for reading and reads the file 32-bit by 32-bit value which gets converted to decimal strings that can be saved as VBA code. For every repeating 32-bit value, most commonly for zero, the function creates a for loop to write the repeating value to the dropped file. The purpose is unclear, but it is likely to achieve a small saving in the size of the code and compress it.  

__Repeating 32-bit values are “compressed.”__

For every 4,096 bytes, the code generates a new CheckHashX subroutine to break the code into chunks. The purpose of this is not clear.  

__The VBA code infecting files is dynamically created.__

 After the file is infected, the background worker adds the infection marker file by setting the values of hour, minute, second, and millisecond creation times to zero.

__The infection market is set after the infected file has been copied to its original location.__

**_PluginClass is tasked with discovering and loading plugins_ **

Ctrlpanel.exe can also search for potential plugins present on removable media, which is very unusual for simple viruses that infect documents. This may indicate that the author’s aims were a bit more ambitious than the simple VBA infection. 

Searching for the plugins in removable drives is unusual as it requires the plugins to be delivered to the system on a physical media, such as a USB drive or a CD-ROM. The plugin loader searches for any files with the filename extension .orp, decodes its name using Base64 decoding function, decodes the file content using Base64 decoding, copies the file into the c:\\users\\public\\tools folder with the previously decoded name and the extension .exe and finally executes the plugin. 

__Any plugins found on a removable drive are decoded, copied to drive C: and launched.__

If the plugins are already present on an infected machine, ctrlpanel.exe will try to encode them using Base64 encoding, copy them to the root of the attached removable media with the filename extension “.orp” and set the newly created file attributes to the values system and hidden so that they are not displayed by default by Windows File Explorer. 

**It is unclear if the initial vector is a document or the executable module ctrlpanel.exe **

The advantage of the two-module virus is that it can be spread as a standalone executable or as an infected document. It may even be advantageous to initially spread as an executable as the module can run standalone and set the registry keys to allow execution of the VBA code and changing of the default saved file formats to doc before infecting documents. That way, the infection may be a bit stealthier.  

The following registry keys are set: 
HKEY\_CURRENT\_USER\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\AccessVBOM (to allow access to Visual Basic Object Model by the external applications) 
  
HKEY\_CURRENT\_USER\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\VBAWarnings (to disable warnings about potential Macro code in the infected documents) 
  
HKEY\_CURRENT\_USER\\Software\\Microsoft\\Office\\14.0\\Word\\Options\\DefaultFormat (to set the default format to DOC) 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are  

The following ClamAV signatures detect malware artifacts related to this threat: 

Doc.Malware.Valyria-6714124-0 

Win.Virus.OfflRouter-10025942-0 

**IOCs **

IOCs for this research can also be found at our GitHub repository here. 

10e720fbcf797a2f40fbaa214b3402df14b7637404e5e91d7651bd13d28a69d8 - .NET module ctrlpanel.exe  

**Infected documents  **

2260989b5b723b0ccd1293e1ffcc7c0173c171963dfc03e9f6cd2649da8d0d2c 

2b0927de637d11d957610dd9a60d11d46eaa3f15770fb474067fb86d93a41912 

802342de0448d5c3b3aa6256e1650240ea53c77f8f762968c1abd8c967f9efd0 

016d90f337bd55dfcfbba8465a50e2261f0369cd448b4f020215f952a2a06bce 

**Mutex **

ctrlpanelapppppp

OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal

Cisco is warning about a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024.
"These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Cisco Talos said.
Successful attacks could

Cisco Warns of Global Surge in Brute-Force Attacks Targeting VPN and SSH Services

The scam is spreading across the US and impersonates the specific toll-collection services of each state in malicious SMS messages.

Source: Mira via Alamy Stock Photo

The FBI is warning people about widespread SMS phishing (smishing) campaign spreading "state to state" that's luring people with messages informing them that they have unpaid tolls to resolve. The scam is aimed at stealing their credentials and defrauding them.

There also is evidence that that the campaign — which has been reported by people in three states so far, according to a public service announcement by the FBI Internet Crime Complaint Center (IC3)—affected other parts of the world before it reached US shores.

The campaign, active in the US since at least early March and reported by more than 2,000 people, sends users a text message that appears to come from the road-toll collection service of their specific states, claiming they owe money for unpaid highway tolls.

"We've noticed an outstanding toll amount of $12.51 on your record," the text of one such message reads. "To avoid a late fee of $50.00, visit https://myturnpiketollservices.com to settle your balance."

**Old Social Engineering Trick Remains Effective**

While smishing scams are by no means new, they continue to be used by attackers because they still have the potential to fool users into giving up the valuable credentials that allow for cybercriminals to profit. The FBI's warning alone is a sign that the unpaid-toll campaign is likely to escalate, and is worrying enough to warrant vigilance from potential victims.

The texts "contain almost identical language" and use similar amounts for so-called outstanding tolls. What changes from state to state is that the malicious link provided within the text is created to impersonate the state's toll service name, "and phone numbers appear to change between states," according to the IC3.

The link takes users to what looks very much like the toll services' legitimate websites, asking them to enter information on the pretense of paying the toll. Instead the attackers collect the victim's payment credentials and other sensitive data that potentially could be shared with other cybercriminals and/or used in future social engineering attacks.

**Toll Scam Spreads Across US**

The FBI didn't specify which states are currently being affected by the wave of toll-related attacks, but a quick perusal of social-media platform X, formerly Twitter, found evidence that the scam has at least affected users in Pennsylvania.

The Pennsylvania Turnpike (@PA\_Turnpike), the toll road, and related services that spans the state, posted a warning on social platform X to let users know about the campaign, and encouraged them to report any scam messages to the IC3.

"Some customers have received phishing-attempt text messages claiming to be from the PA Turnpike’s toll services," according to the post. "If you receive such a text, providing you with a link to pay an outstanding toll, do not click on the link, and delete the text."

The scam may be related to a similar one that previously swept across Australia, as people in states in both the eastern and western parts of the country in 2022 and 2023, respectively, also reported on X that they received driving toll-related smishing messages.

Back in August 2022, X user Anthony Campisini posted about a toll scam associated with City Link, a toll freeway service in the southeastern Aussie city of Melbourne, that also tried to lure users in the region with a message about unpaid tolls. Less than a year later, another X user in the state of Western Australia (WA) observed in March 2023 that he had been receiving "a lot of scam" SMS messages informing him that he owes money on road tolls.

"How do I know they are scams?" the user, @EMacskasy, who goes by the X name of "Evan Stop the Killing," posted. "Over here in WA = we do not have tolls on our roads."

**Stay Vigilant**

EMacskasy's observation is a good example of how people being targeted by the scam can avoid being compromised by it — by taking a moment to rationalize if it's even possible that they owe money on tolls before having a knee-jerk reaction and immediately engaging with the message.

The IC3 is advising people to file a complaint with the IC3 on the agency's website if they receive one of the messages and include the following information: the phone number from where the text originated and the website listed within the text.

People also should check any toll-service account that they have by going separately and directly to the service's legitimate website, to ensure that their accounts are in order, and/or contact the legitimate service's customer service phone number to check the account and let them know of the scam. As previously mentioned, people also should delete the texts.

In case someone has already engaged with the link or given information, they should make an effort to secure their personal information and financial accounts, and dispute any unfamiliar charges that may show evidence of cybercriminal activity.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

FBI: Smishing Campaign Lures Victims With Unpaid-Toll Notices

Cisco Talos would like to acknowledge Brandon White of Cisco Talos and Phillip Schafer, Mike Moran, and Becca Lynch of the Duo Security Research team for their research that led to the ,identification of these attacks.
Cisco Talos is actively monitoring a global increase in brute-force attacks against a variety

Tuesday, April 16, 2024 08:00

_Cisco Talos would like to acknowledge Brandon White of Cisco Talos and Phillip Schafer, Mike Moran, and Becca Lynch of the Duo Security Research team for their research that led to the_ ,_identification of these attacks._

Cisco Talos is actively monitoring a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024.  

These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies.  

Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions. The traffic related to these attacks has increased with time and is likely to continue to rise. Known affected services are listed below. However, additional services may be impacted by these attacks. 

*   Cisco Secure Firewall VPN 
*   Checkpoint VPN  
*   Fortinet VPN  
*   SonicWall VPN  
*   RD Web Services 
*   Miktrotik 
*   Draytek 
*   Ubiquiti 

The brute-forcing attempts use generic usernames and valid usernames for specific organizations. The targeting of these attacks appears to be indiscriminate and not directed at a particular region or industry. The source IP addresses for this traffic are commonly associated with proxy services, which include, but are not limited to:  

*   TOR   
*   VPN Gate  
*   IPIDEA Proxy  
*   BigMama Proxy  
*   Space Proxies  
*   Nexus Proxy  
*   Proxy Rack 

The list provided above is non-exhaustive, as additional services may be utilized by threat actors.  

Due to the significant increase and high volume of traffic, we have added the known associated IP addresses to our blocklist. It is important to note that the source IP addresses for this traffic are likely to change.

**Guidance **

As these attacks target a variety of VPN services, mitigations will vary depending on the affected service. For Cisco remote access VPN services, guidance and recommendation can be found in a recent Cisco support blog:  

Best Practices Against Password Spray Attacks Impacting Remote Access VPN Services 

**IOCs **

We are including the usernames and passwords used in these attacks in the IOCs for awareness. IP addresses and credentials associated with these attacks can be found in our GitHub repository here.

Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials

A third-party telephony service provider for Cisco Duo falls prey to social engineering, and the company advises customer vigilance against subsequent phishing attacks.

Source: olga Yastremska via Alamy Stock Photo

A third-party provider that handles telephony for Cisco's Duo multifactor authentication (MFA) service has been compromised by a social engineering cyberattack. Now Cisco Duo customers have been warned to be on alert for follow-on phishing schemes.

Customers were sent a notice explaining that the company handling SMS and VOIP multifactor authentication messaging traffic for Cisco Duo was breached on April 1. The threat actors reportedly used compromised employee credentials. Once inside the service provider's systems, the unauthorized user downloaded SMS logs for specific users within a certain timeframe, the company said.

Cisco Duo did not identify the compromised telephony provider in its advisory.

"More specifically, the threat actor downloaded message logs for SMS messages that were sent to certain users under your Duo account between March 1, 2024 and March 31, 2024," Cisco said in its customer advisory. "The message logs did not contain any message content but did contain the phone number, phone carrier, country, and state to which each message was sent, as well as other metadata (e.g., date and time of the message, type of message, etc.)."

Cisco advised impacted users to notify anyone whose information was exposed, and to remain vigilant against additional phishing attacks using the stolen data.

This breach follows two specific trends, according to Jeff Margolies, chief product and strategy officer at Saviynt — social engineering cyberattack success, and a focus on identity security providers.

“There have been a number of public attacks on identity security providers, such as Okta and Microsoft, over the past few years," Margolies says. "You can also go back as far as the RSA SecurID Token attack back in 2011 to see how far back these sorts of attacks go."

In addition to the critical need for identity security providers to do more to secure their systems, Margolies adds enterprise teams need to assess what a breach of these services could mean to their own cybersecurity posture.

"It is also important for companies to understand the reliance they have on third-party identity security companies, how an attack on those companies would impact them, and what mitigating controls are in place to detect and respond to events with their Identity security providers," he explains.

Cisco Duo's Multifactor Authentication Service Breached

A sophisticated threat actor is leveraging the bug to deploy a Python backdoor for stealing data and executing other malicious actions.

Source: Tada Images via Shutterstock

Palo Alto Networks (PAN) on April 14 released hotfixes to address a maximum severity zero-day bug in multiple versions of its PAN-OS software that a threat actor is using to deploy a novel Python backdoor on affected firewalls.

The flaw — tracked as CVE-2024-3400 — is present in PAN-OS 10.2, 11.0, and 11.1 firewalls when the GlobalProtect Gateway and device telemetry features are both enabled. PAN disclosed the flaw April 12 after researchers at Volexity found the bug when investigating suspicious activity on a customer's firewall.  

**Limited Attack**

PAN described the attacks targeting the flaw as limited in volume and attributed the attack activity to a single threat cluster that the company is tracking as "Operation Midnight Eclipse." However, the vendor did not rule out the potential for other attackers to exploit the flaw as well.   

When PAN disclosed the flaw last week, it recommended temporary measures that customers could take to mitigate the threat — including disabling device telemetry. On April 14, the company made available hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later PAN-OS versions. The security vendor urged customers to apply the updates and promised similar hotfixes for other maintenance releases of the software.

Reports of attackers targeting the flaw before a patch was available prompted the US Cybersecurity and Infrastructure Agency (CISA) last week to quickly add CVE-2024-3400 to its catalog of known exploited vulnerabilities. All civilian federal agencies have until April 19 to address the flaw. CISA has previously warned organizations on multiple occasions about high threat-actor interest in VPNs and other remote access technologies from vendors such as Pulse Secure, Cisco, and PAN because of the privileged access these devices provide to enterprise networks and data.

**Max Severity Command Injection Flaw**

In a blog post last week, Volexity described the flaw it discovered as a command injection vulnerability in PAN-OS GlobalProtect that gave unauthenticated remote attackers a way to execute arbitrary code on affected systems. The security vendor said it had observed an attacker — which it's tracking as UTA0218 — leveraging the flaw to create a reverse shell and download additional malware on compromised systems.

"The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations," Volexity said.

One of the additional tools that the threat actor deployed on compromised systems was a novel Python backdoor that Volexity has named Upstyle. The security vendor said it found the threat actor using the Upstyle backdoor to execute a variety of additional commands including those for lateral movement within a target network and to steal credentials and other sensitive data from it.

"The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives," Volexity warned. Volexity said it was not able to determine the exact scale of the exploit activity but surmised it was likely limited and targeted. The company said it had found evidence of UTA0218 attempting to exploit the vulnerability at multiple organizations on March 26 and March 27.

PAN said its analysis showed the threat actor using the backdoor to run a handful of commands on vulnerable firewalls. The commands included one for copying configuration files and exfiltrating them via HTTP requests and another that set up the firewall to receive even more commands, this time from a different URL. "Lastly, the threat actor cleaned up after themselves by removing all files associated with the backdoors and clearing their cronjobs," PAN said.

**Complete Control**

Karl Sigler, senior security research manager at Trustwave's SpiderLabs, says exploiting CVE-2024-3400 would give an attacker complete control over the PAN device. "This could allow the attacker a foothold to pivot further into the organization," he says. "It could also allow the attacker to disable protections provided by the device, including disabling access control lists and VPN connections."

Sigler says the vulnerability exploit in this case works by getting an affected device to log OS commands in an error log. These commands are then processed and executed with root-level permissions, he says. "Disabling device telemetry disables the log file, short-circuiting the attack," Sigler notes. "The main risk in doing so is that network admins often rely on this telemetry to troubleshoot problems with the device. Additionally, monitoring for abnormal network behavior may be evidence of an ongoing attack. Disabling telemetry may hinder those efforts."

Palo Alto itself has recommended that organizations that are unable to immediately update their software for any reason should disable device telemetry till they are able to update. According to the company, "Once upgraded, device telemetry should be re-enabled on the device."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#cisco