A third-party telephony service provider for Cisco Duo falls prey to social engineering, and the company advises customer vigilance against subsequent phishing attacks.

Source: olga Yastremska via Alamy Stock Photo

A third-party provider that handles telephony for Cisco's Duo multifactor authentication (MFA) service has been compromised by a social engineering cyberattack. Now Cisco Duo customers have been warned to be on alert for follow-on phishing schemes.

Customers were sent a notice explaining that the company handling SMS and VOIP multifactor authentication messaging traffic for Cisco Duo was breached on April 1. The threat actors reportedly used compromised employee credentials. Once inside the service provider's systems, the unauthorized user downloaded SMS logs for specific users within a certain timeframe, the company said.

Cisco Duo did not identify the compromised telephony provider in its advisory.

"More specifically, the threat actor downloaded message logs for SMS messages that were sent to certain users under your Duo account between March 1, 2024 and March 31, 2024," Cisco said in its customer advisory. "The message logs did not contain any message content but did contain the phone number, phone carrier, country, and state to which each message was sent, as well as other metadata (e.g., date and time of the message, type of message, etc.)."

Cisco advised impacted users to notify anyone whose information was exposed, and to remain vigilant against additional phishing attacks using the stolen data.

This breach follows two specific trends, according to Jeff Margolies, chief product and strategy officer at Saviynt — social engineering cyberattack success, and a focus on identity security providers.

“There have been a number of public attacks on identity security providers, such as Okta and Microsoft, over the past few years," Margolies says. "You can also go back as far as the RSA SecurID Token attack back in 2011 to see how far back these sorts of attacks go."

In addition to the critical need for identity security providers to do more to secure their systems, Margolies adds enterprise teams need to assess what a breach of these services could mean to their own cybersecurity posture.

"It is also important for companies to understand the reliance they have on third-party identity security companies, how an attack on those companies would impact them, and what mitigating controls are in place to detect and respond to events with their Identity security providers," he explains.

Cisco Duo's Multifactor Authentication Service Breached

A sophisticated threat actor is leveraging the bug to deploy a Python backdoor for stealing data and executing other malicious actions.

Source: Tada Images via Shutterstock

Palo Alto Networks (PAN) on April 14 released hotfixes to address a maximum severity zero-day bug in multiple versions of its PAN-OS software that a threat actor is using to deploy a novel Python backdoor on affected firewalls.

The flaw — tracked as CVE-2024-3400 — is present in PAN-OS 10.2, 11.0, and 11.1 firewalls when the GlobalProtect Gateway and device telemetry features are both enabled. PAN disclosed the flaw April 12 after researchers at Volexity found the bug when investigating suspicious activity on a customer's firewall.  

**Limited Attack**

PAN described the attacks targeting the flaw as limited in volume and attributed the attack activity to a single threat cluster that the company is tracking as "Operation Midnight Eclipse." However, the vendor did not rule out the potential for other attackers to exploit the flaw as well.   

When PAN disclosed the flaw last week, it recommended temporary measures that customers could take to mitigate the threat — including disabling device telemetry. On April 14, the company made available hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later PAN-OS versions. The security vendor urged customers to apply the updates and promised similar hotfixes for other maintenance releases of the software.

Reports of attackers targeting the flaw before a patch was available prompted the US Cybersecurity and Infrastructure Agency (CISA) last week to quickly add CVE-2024-3400 to its catalog of known exploited vulnerabilities. All civilian federal agencies have until April 19 to address the flaw. CISA has previously warned organizations on multiple occasions about high threat-actor interest in VPNs and other remote access technologies from vendors such as Pulse Secure, Cisco, and PAN because of the privileged access these devices provide to enterprise networks and data.

**Max Severity Command Injection Flaw**

In a blog post last week, Volexity described the flaw it discovered as a command injection vulnerability in PAN-OS GlobalProtect that gave unauthenticated remote attackers a way to execute arbitrary code on affected systems. The security vendor said it had observed an attacker — which it's tracking as UTA0218 — leveraging the flaw to create a reverse shell and download additional malware on compromised systems.

"The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations," Volexity said.

One of the additional tools that the threat actor deployed on compromised systems was a novel Python backdoor that Volexity has named Upstyle. The security vendor said it found the threat actor using the Upstyle backdoor to execute a variety of additional commands including those for lateral movement within a target network and to steal credentials and other sensitive data from it.

"The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives," Volexity warned. Volexity said it was not able to determine the exact scale of the exploit activity but surmised it was likely limited and targeted. The company said it had found evidence of UTA0218 attempting to exploit the vulnerability at multiple organizations on March 26 and March 27.

PAN said its analysis showed the threat actor using the backdoor to run a handful of commands on vulnerable firewalls. The commands included one for copying configuration files and exfiltrating them via HTTP requests and another that set up the firewall to receive even more commands, this time from a different URL. "Lastly, the threat actor cleaned up after themselves by removing all files associated with the backdoors and clearing their cronjobs," PAN said.

**Complete Control**

Karl Sigler, senior security research manager at Trustwave's SpiderLabs, says exploiting CVE-2024-3400 would give an attacker complete control over the PAN device. "This could allow the attacker a foothold to pivot further into the organization," he says. "It could also allow the attacker to disable protections provided by the device, including disabling access control lists and VPN connections."

Sigler says the vulnerability exploit in this case works by getting an affected device to log OS commands in an error log. These commands are then processed and executed with root-level permissions, he says. "Disabling device telemetry disables the log file, short-circuiting the attack," Sigler notes. "The main risk in doing so is that network admins often rely on this telemetry to troubleshoot problems with the device. Additionally, monitoring for abnormal network behavior may be evidence of an ongoing attack. Disabling telemetry may hinder those efforts."

Palo Alto itself has recommended that organizations that are unable to immediately update their software for any reason should disable device telemetry till they are able to update. According to the company, "Once upgraded, device telemetry should be re-enabled on the device."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Palo Alto Network Issues Hotfixes for Zero-Day Bug in Its Firewall OS

By Deeba Ahmed
Firewall on fire!
This is a post from HackRead.com Read the original post: Palo Alto Patches 0-Day (CVE-2024-3400) Exploited by Python Backdoor

Palo Alto Networks issues critical patches for a zero-day vulnerability (CVE-2024-3400) in their PAN-OS firewalls. Exploited by attackers to deploy Python backdoors, this flaw grants root access. Update immediately!

In a race against time, Palo Alto Networks has released patches for a critical 0-day (or zero-day) vulnerability (CVE-2024-3400) that threatened to leave firewalls exposed to cyberattacks.

According to Palo Alto Networks’ security advisory, the vulnerability was found in its PAN-OS operating system’s GlobalProtect functionality, related to the way it handled device telemetry data. 

An attacker could exploit this flaw by crafting a malicious payload disguised as telemetry data.  Once processed by the firewall, the payload could execute arbitrary code with root privileges, essentially giving the attacker complete control over the device. 

****Which Devices Are Vulnerable?****

Appliances with GlobalProtect and device telemetry enabled are declared vulnerable. The Shodan search engine for exposed Internet of Things (IoT) devices reveals approximately 41,336 potentially impacted internet-exposed appliances of Palo Alto Networks.

SecurityWeek reports that several organizations have already fallen victim to targeting, with certain attackers endeavouring to deploy Upstyle, a fresh Python backdoor.

****Possible Dangers****

Like any other security vulnerability, this one also lets hackers exploit and establish backdoors, launch lateral attacks, steal sensitive data, and disrupt network operations. Threat actors can also create persistent access points, use the compromised firewall as a springboard, and gain access to confidential information.

Additionally, it may allow hackers to take full control of the firewall’s functionality, potentially leading to network outages or traffic manipulation.

****Detection and Patching:****

The good news is that the vulnerability was identified and patched relatively quickly. Security firm Volexity first detected the exploit in use in late March 2024, observing a threat actor UTA0218 remotely exploiting a firewall device.

The researchers also observed how the threat actor created a reverse shell, downloading additional tools, and exporting configuration data to use it as an entry point for lateral movement. Volexity swiftly alerted Palo Alto Networks, which issued security alerts and hotfixes to address the vulnerability for PAN-OS versions 10.2, 11.0, and 11.1.

Palo Alto Networks suggests that if customers can’t implement the Threat Prevention-based mitigation immediately, you can still reduce the impact of the vulnerability by temporarily turning off device telemetry until the device is updated to a PAN-OS version that addresses the issue.

> _“If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device. If the firewalls are managed by Panorama, ensure that device telemetry is disabled in relevant templates (Panorama > Templates).”_
> 
> Palo Alto Networks

****Who Was Behind the Attacks?****

As per Volexity’s blog post, the zero-day exploit was highly sophisticated and targeted specific configurations, suggesting a well-resourced state-sponsored attacker with a clear target in mind could be involved.

Initial attribution attempts point towards Lazarus Group, a notorious hacking group believed to be affiliated with North Korea and BianLian, which targets critical infrastructure organizations. Nevertheless, Palo Alto Networks has urged all users to update their PAN-OS software immediately.

1.  Hackers dump login data of Fortinet VPN users in plain-text
2.  Private details of Palo Alto Networks employees leaked online
3.  Cisco Fixes High-Severity Code Execution, VPN Hijacking Flaws

Palo Alto Patches 0-Day (CVE-2024-3400) Exploited by Python Backdoor

A Russian-language cyberattack campaign impersonates legitimate game operations to spread various cross-platform infostealers.

Source: Stockphoto Graph via Shutterstock

A Russian threat actor is peppering game developers with fraudulent Web3 gaming projects that drop multiple variants of infostealers on both MacOS and Windows devices.

The ultimate goal of the campaign appears to be defrauding victims and stealing their cryptocurrency wallets, according to Recorded Future's Insikt Group, which discovered the malicious activity.

The extensive Russian-language campaign mimics legitimate projects by using slight alterations in project names and branding — even going so far as to have multiple fake social-media accounts impersonating the projects to make them seem authentic, according to a report published online.

In the attack, the main webpage of a project offers or links to installation files for the purported "game" software, ostensibly for use by developers. However, these files instead deliver either Atomic macOS Stealer for Intel- or ARM-based devices; Rhadamanthys; or RisePro, depending on the victim's operating system.

"The targeted nature of this campaign suggests that threat actors may perceive Web3 gamers as having a more acute vulnerability to social engineering, due to an assumed trade-off in cyber hygiene — meaning that Web3 gamers may have fewer protections in place against cybercrime — in the pursuit of profit," according to the report.

That profit comes in the form of cryptocurrency, as the actor is primarily targeting developers' crypto wallets with the intent of compromising those wallets. Web3 gaming refers to online games such as Axie Infinity and MixMob that are built on blockchain technology, which can result in financial gain for players who earn various cryptocurrencies.

"As wallet compromise continues to be the biggest threat in both Web3 and cryptocurrency security … we assess that wallet compromise is likely the end goal of this campaign," according to Insikt Group. Attackers also can use credentials harvested from the malicious activity "for an array of unauthorized account accesses," according to the report.

Indeed, the report outlines several social media reports of game developers falling victim to the scam and having their crypto wallets drained, including one who lost about 2.5 Ethereum, or about $8,000.

**Setting a Trap Through Impersonation**

The attack campaign comes in the form of what's called "trap phishing," whereby malicious actors duplicate and deploy Web3 project lookalikes.

Insikt researchers began investigating the malicious activity after Web3 smart contract auditor CertiK described a project in January called Astration that used fake job openings and non-fungible token NFT offerings to lure game developers into a trap-phishing campaign that spread infostealers.

The fraudulent project duplicated and recreated nearly all of the social media accounts associated with a legit project called Alteration, including reposting social-media content from legitimate accounts, establishing a direct copy of the project's Discord server, and delivering two types of malware.

Upon further research, Insikt found five additional fraudulent gaming projects, three of which were serving malicious files communicating with the same command-and-control (C2) server as those obtained from the Astration project, as well as two that were no longer active but were found to be similar to the active scams. Purported game names associated with the active projects were ArgonGame, DustFighter, and CosmicWay Reboot, while games associated with the inactive projects were Crypterium World and Myth Island.

Overall, the threat actors are delivering the campaign via "a resilient infrastructure, allowing them to quickly adapt by rebranding or shifting focus upon detection," according to Insikt.

**Maintain Vigilance to Mitigate Risk**

Insikt highlighted the necessity for both individuals and organizations to maintain continuous vigilance against threats and adopt mitigation strategies against campaigns that use phishing as an initial entry point. To that end, the group offered a number of mitigations in its report as well as included a list of indicators of compromise.

One is to provide comprehensive training to users — especially those involved in Web3 gaming or related industries — to recognize social engineering tactics associated with trap phishing. Game developers in particular should "scrutinize the legitimacy of Web3 projects advertised on social media," according to the report.

Organizations also should educate users on the well-known risks associated with downloading software from unverified sources and the importance of verifying the authenticity of project websites before installation.

Endpoint protection solutions updated with the latest threat intelligence — such as antivirus software that are capable of detecting and blocking known infostealer variants like Atomic, Stealc, Rhadamanthys, and RisePro — also can help organizations avoid compromise.

Organizations should also deploy multi-platform security measures to protect against malware infections across both macOS and Windows devices, including firewalls, intrusion detection systems, and endpoint detection and response (EDR) solutions, according to Insikt.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Web3 Game Developers Targeted in Crypto Theft Scheme

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: facing hard truths in software security, and the latest guidance from the NSA.

Source: Chroma Craft Media Group via Alamy Stock Photo

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In this issue of CISO Corner**

*   The Race for AI-Powered Security Platforms Heats Up
    
*   Why MLBOMs Are Useful for Securing the AI/ML Supply Chain
    
*   The Fight for Cybersecurity Awareness
    
*   Ambitious Training Initiative Taps Talents of Blind and Visually Impaired
    
*   Vietnamese Cybercrime Group CoralRaider Nets Financial Data
    
*   XZ Utils Scare Exposes Hard Truths About Software Security
    
*   NSA Updates Zero-Trust Advice to Reduce Attack Surfaces
    

**The Race for AI-Powered Security Platforms Heats Up**

By Robert Lemos, Contributing Writer, Dark Reading

Microsoft, Google, and Simbian each offers generative AI systems that allow security operations teams to use natural language to automate cybersecurity tasks.

Both Google and Microsoft have committed massive resources to developing generative artificial intelligence (AI) tools for cybersecurity. Security Copilot from Microsoft can find breaches, gather, and analyze data with help from generative AI. Google's Gemini in Security is a similar rival service.

Now a startup has entered the fray, Simbian, with its own system that leverages generative AI as well as large language models (LLMs) to help security teams by automating configuring event management systems (SIEM) or security orchestration, automation, and response (SOAR).

While each offering has its own set of benefits, they all strive to streamline processes for strained cybersecurity teams. The question that has yet to be answered is whether teams will ultimately trust the automated systems to operate as intended.

Read more: The Race for AI-Powered Security Platforms Heats Up

Related: How AI and Automation Can Help Bridge the Cybersecurity Talent Gap

**Why MLBOMs Are Useful for Securing the AI/ML Supply Chain**

Commentary By Diana Kelley, CISO, Protect AI

A machine learning bill of materials (MLBOM) framework can bring transparency, auditability, control, and forensic insight into AI and ML supply chains.

The software bill of materials (SBOM) has become an essential tool for identifying the code that makes up an application, but in the age of artificial intelligence (AI) the SBOM has some limitations in machine learning frameworks.

A machine learning software bill of materials, or MLBOM, could fill the gaps left in a traditional SBOM and add protections to data and assets.

Read More: Why MLBOMs Are Useful for Securing the AI/ML Supply Chain

Related: Where SBOMs Stand Today

**  
The Fight for Cybersecurity Awareness**

Commentary By Erik Gross, CISO, QAD

Investing in cybersecurity skills creates a safer digital world for everyone.

Spreading awareness of risk is the best way to mitigate cybersecurity risk, but the task of constantly training and re-training people on the latest threats can be daunting. The age of artificial intelligence is making it even more difficult.

Building a culture of security is paramount, and it can be achieved with thoughtful cybersecurity training with a focus on a personal approach, storytelling, and helping people feel comfortable talking openly about cybersecurity. Humans are unpredictable, and a cybersecurity training process that accepts that humans are complex creatures have had the most success.

Read More: The Fight for Cybersecurity Awareness

Related: Q&A: The Cybersecurity Training Gap in Industrial Networks

**Ambitious Training Initiative Taps Talents of Blind and Visually Impaired**

By Jennifer Lawinski, Contributing Writer, Dark Reading

Novacoast's Apex Program prepares individuals with visual impairments for cybersecurity careers.

Blind and visually impaired (BVI) people are an untapped talent resource for cybersecurity companies struggling to attract talent. With just a computer outfitted with a screen reader and Braille keyboard, BVI people can become valuable contributors. Two cyber CEOs have launched Apex Program, an online, on-demand course for BVI people who want to break into cybersecurity.

So far, four students have completed the course and one has already landed a job as a SOC 1 Analyst. Now the White House is getting involved, and there's even a short film in the works featuring the Apex Program.

Read More: Ambitious Training Initiative Taps Talents of Blind and Visually Impaired

Related: 3 Ways Businesses Can Overcome the Cybersecurity Skills Shortage

**Vietnamese Cybercrime Group CoralRaider Nets Financial Data**

By Robert Lemos, Contributing Writer, Dark Reading

With a complex attack chain and using Telegram for its command and control, CoralRaider targets victims in Asian countries — and appears to have accidentally infected itself as well.

A newcomer on the Vietnamese cybercrime scene, a group called CoralRaider is making moves — and rookie mistakes like infecting their own systems — along the way.

Security researchers at Cisco Talos have been tracking CoralRaider's activities and found they are motivated by profit, even though the group is having trouble getting their operation off the ground. So far, Cisco Talos analysts haven't seen any indication CoralRaider has yet successfully delivered a payload, but the group is actively working to improve their cybercrime skills.

Read More: Vietnamese Cybercrime Group CoralRaider Nets Financial Data

Related: Ransomware, Junk Bank Accounts: Cyber Threats Proliferate in Vietnam

**  
XZ Utils Scare Exposes Hard Truths About Software Security**

By Jai Vijayan, Contributing Writer, Dark Reading

Much of the open source code embedded in enterprise software stacks comes from small, under-resourced, volunteer-run projects.

The backdoor recently discovered in the XZ Utils tool should be a wake-up call for cyber teams that open source repositories are riddled with vulnerabilities.

These projects are volunteer-run, under-resourced, and unable to keep up with the latest threats. XZ Utils is itself a one-person operation. Enterprises using code from these open sources do so at their own risk.

Organizations are advised to vet their use of code from public repositories and determine whether they have appropriate security controls. Experts also recommend having engineering and cybersecurity teams define processes and roles for onboarding open source code.

Read More: XZ Utils Scare Exposes Hard Truths About Software Security

**NSA Updates Zero-Trust Advice to Reduce Attack Surfaces**

By Dark Reading Staff

Agency encourages broader use of encryption, data-loss prevention, as well as data rights management to safeguard data, networks, and users.

In its ongoing effort to provide both the public, as well as the private, sectors with support in getting on a path to zero trust, the National Security Administration has issued guidance related to data protection, or as NSA categorizes it, the "data pillar." Recommendations from the agency include the use of encryption, tagging, labeling, and more.

Prior to this data security guidance, NSA provided a detailed guide to network macro- and micro-segmentation and its role in building up a zero-trust framework.

Read More: NSA Updates Zero-Trust Advice to Reduce Attack Surfaces

Related: NSA's Zero-Trust Guidelines Focus on Segmentation

CISO Corner: Securing the AI Supply Chain; AI-Powered Security Platforms; Fighting for Cyber Awareness

Attackers have compromised an 8-year-old version of the cloud platform to distribute various malware that can take over infected systems.

Source: Age Foto Stock via Alamy Stock Photo

Attackers are using an 8-year-old version of the Redis open-source database server to maliciously use Metasploit's Meterpreter module to expose exploits within a system, potentially allowing for takeover and distribution of a host of other malware.

Researchers from AhnLab Security Intelligence Center (ASEC) said in a blog post that attackers likely are exploiting inappropriate settings or a vulnerability present in an implementation of Redis to distribute Meterpreter for nefarious use.

"Such malware strains attack Redis servers open to the public on the Internet with the authentication feature disabled," ASEC researcher Sanseo wrote in the post. "After gaining access to Redis, threat actors can install malware through known attack methods."

Meterpreter is an aspect of the legitimate Metasploit pen-testing tool that allows threat actors to fetch various Metasploit modules, or working exploits for known bugs, and then use them on the targeted system, according to ASEC. Metasploit is a tool similar to Cobalt Strike that also is oft-abused by threat actors to execute attacks.

"When Metasploit is installed, the threat actor can take control of the infected system and also dominate the internal network of an organization using the various features offered by the malware," Senseo explained.

**How It's Done**

Redis is an open source, in-memory data structure storage service that is increasingly being used in various ways in cloud environments; its primary purpose is typically for session management, message broker, and queues, according to ASEC. This increased prevalence also is making it a more popular target for attackers, who have abused vulnerable Redis servers to spread a host of malware, including Kinsing, P2PInfect, Skidmap, Migo, and HeadCrab.

By using Metasploit Meterpreter, there are two main attacks methods that actors can employ to spread malware once they've gained access to Redis. One is to register the malware-executing command as a Cron task, and the other is using the SLAVEOF command to set the command as the Slave server of the Redis server that has the malware.

ASEC witnessed an attack targeting a system that used Windows, along with version Redis 3.x, which was developed in 2016. The age of the abused platform means "it was likely vulnerable to attacks that abuse misconfiguration or attacks on known vulnerabilities," Senseo noted.

In the attack, the threat actor first downloaded PrintSpoofer, a privilege escalation tool, in the installation path for Redis. Attackers often use this tool against vulnerable services that are not managed properly or have not been patched to the recent version; in fact, ASEC has witnessed a flurry of these attacks against Redis since the second half of last year.

"The difference between the cases from the past and the cases now is that PrintSpoofer is installed using the CertUtil tool instead of PowerShell," Senseo explained.

**Meterpreter As Malicious Backdoor**

After installing PrintSpoofer, the threat actor installed Meterpreter Stager — one of two types of the module, the difference between which depends on the way it is installed. Meterpreter is to the Metasploit tool as Beacon is to Cobalt Strike.

When an attacker uses Stager, it means the installation is via the staged version, which downloads Meterpreter directly from the attacker's command-and-control (C2) server. This decreases its footprint version downloading it in a "stageless" way within a payload, according to ASEC.

Once this process is complete, Meterpreter is executed in the memory, which allows the threat actor to take control over the infected system and "also dominate the internal network of an organization using the various features offered by the malware," Senseo wrote.

**Update Now**

ASEC included a list of files, behaviors, and indicators of compromise of the attack in its post to help network administrators identify evidence of the threat on a system.

To avoid being compromised by the attack vector, ASEC advised that administrators of environments with Redis 3.x installed should, at the very least, update the server immediately with available patches to ensure that known vulnerabilities can't be exploited. The best-case scenario, however, would be to update V3 to the latest version of the server.

Administrators should also install security-protection software that restricts external access to Redis servers open to the Internet so they can't be identified and abused, ASEC advised.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Expired Redis Service Abused to Use Metasploit Meterpreter Maliciously

The security community is still reflecting on the “What If” of the XZ backdoor.

Thursday, April 11, 2024 14:00

I feel like over the past several years, the “holiday” that is April Fool’s Day has really died down. At this point, there are few headlines you can write that would be more ridiculous than something you’d find on a news site any day of the week. 

And there are so many more serious issues that are developing, too, that making a joke about a fake news story is just in bad taste, even if it’s in “celebration” of a “holiday.” 

Thankfully in the security world, I think we’ve all gotten the hint at this point that we can’t just post whatever we want on April 1 of each calendar year and expect people to get the joke. I’ve put my guard down so much at this point that I actually did legitimately fall for one April Fool’s joke from Nintendo, because I could definitely see a world in which they release a Virtual Boy box for the Switch that would allow you to play virtual reality games. 

But at least from what I saw on April 1 of this year, no one tried to “get” anyone with an April Fool’s joke about a ransomware actor requesting payment in the form of “Fortnite” in-game currency, or an internet-connected household object that in no universe needs to be connected to the internet (which, as it turns out, smart pillows exist!).  

We’re already dealing with digitally manipulated photos of “Satanic McDonalds,” Twitter’s AI generating fake news about the solar eclipse, and an upcoming presidential election that is sure to generate a slew of misinformation, AI-generated photos and more that I hesitate to even make up. 

So, all that is to say, good on you, security community, for just letting go of April Fool’s. Our lives are too stressful without bogus headlines that we, ourselves, generate.  

**The one big thing **

Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries. This group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts. CoralRaider appears to use RotBot, a customized variant of QuasarRAT, and XClient stealer as payloads. The actor uses the dead drop technique, abusing a legitimate service to host the C2 configuration file and uncommon living-off-the-land binaries (LoLBins), including Windows Forfiles.exe and FoDHelper.exe 

**Why do I care? **

This is a brand new actor that we believe is acting out of Vietnam, traditionally not a country who is associated with high-profile state-sponsored actors. CoralRaider appears to be after targets’ social media logins, which can later be leveraged to spread scams, misinformation, or all sorts of malicious messages using the victimized account. 

**So now what? **

CoralRaider primarily uses malicious LNK files to spread their malware, though we currently don’t know how those files are spread, exactly. Threat actors have started shifting toward using LNK files as an initial infection vector after Microsoft disabled macros by default — macros used to be a primary delivery system. For more on how the info in malicious LNK files can allow defenders to learn more about infection chains, read our previous research here. 

**Top security headlines of the week **

**The security community is still reflecting on the “What If” of the XZ backdoor** that was discovered and patched before threat actors could exploit it. A single Microsoft developer, who works on a different open-source project, found the backdoor in xz Utils for Linux distributions several weeks ago seemingly on accident, and is now being hailed as a hero by security researchers and professionals. Little is known about the user who had been building the backdoor in the open-source utility for at least two years. Had it been exploited, the vulnerability would have allowed its creator to hijack a user’s SSH connection and secretly run their own code on that user’s machine. The incident is highlighting networking’s reliance on open-source projects, which are often provided little resource and usually only maintained as a hobby, for free, by individuals who have no connection to the end users. The original creator of xz Utils worked alone for many years, before they had to open the project because of outside stressors and other work. Government officials have also been alarmed by the near-miss, and are now considering new ways to protect open-source software. (New York Times, Reuters) 

**AT&T now says that more than 51 million users were affected by a data breach** that exposed their personal information on a hacking forum. The cable, internet and cell service provider has still not said how the information was stolen. The incident dates back to 2021, when threat actor ShinyHunters initially offered the data for sale for $1 million. However, that data leaked last month on a hacking forum belonging to an actor known as “MajorNelson.” AT&T’s notification to affected customers stated that, "The \[exposed\] information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode." The company has also started filing required formal notifications with U.S. state authorities and regulators. While AT&T initially denied that the data belonged to them, reporters and researchers soon found that the information were related to AT&T and DirecTV (a subsidiary of AT&T) accounts. (BleepingComputer, TechCrunch) 

**Another ransomware group claims they’ve stolen data from United HealthCare, though there is little evidence yet to prove their claim.** Change Health, a subsidiary of United, was recently hit with a massive data breach, pausing millions of dollars of payments to doctors and healthcare facilities to be paused for more than a month. Now, the ransomware gang RansomHub claims it has 4TB of data, requesting an extortion payment from United, or it says it will start selling the data to the highest bidder 12 days from Monday. RansomHub claims the stolen information contains the sensitive data of U.S. military personnel and patients, as well as medical records and financial information. Blackcat initially stated they had stolen the data, but the group quickly deleted the post from their leak site. A person representing RansomHub told Reuters that a disgruntled affiliate of Blackcat gave the data to RansomHub after a previous planned payment fell through. (DarkReading, Reuters) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #178: Turla has been around for 20-plus years at this point, but they're still mixing things up 
*   Vulnerability in some TP-Link routers could lead to factory reset 
*   April’s Patch Tuesday includes 150 vulnerabilities, 60 which could lead to remote code execution 
*   Vietnamese Cybercrime Group CoralRaider Nets Financial Data 
*   Safeguarding Against CoralRaider: Protecting Your Data from Vietnamese Hackers 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6  
**MD5:** 22ae85259273bc4ea419584293eda886  
**Typical Filename:** KMSAuto++ x64.exe  
**Claimed Product:** KMSAuto++  
**Detection Name:** W32.File.MalParent

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31  
**MD5:** 2fb86be791b4bb4389e55df0fec04eb7  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681  
**MD5:** f1fe671bcefd4630e5ed8b87c9283534  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** PUA.Win.Tool.Hackkms::1201

The internet is already scary enough without April Fool’s jokes

PRESS RELEASE

NEW YORK, April 10, 2024 – Cloud security leader Wiz has announced the acquisition of New York-based startup Gem Security. With a valuation of $10 billion and $900 million raised to date, Wiz aims to add to its Cloud Native Application Protection Platform (CNAPP) with Gem's technology. The acquisition advances Wiz’s Cloud Detection and Response (CDR) capabilities, and also demonstrates Wiz’s commitment to consolidation: as organizations push to combat tool sprawl, siloes, and visibility gaps, Wiz is building the world’s go-to platform for protecting everything organizations build and run in the cloud.  

Founded in 2022, Gem transforms how organizations approach detection and response in the cloud with a real-time CDR (Cloud Detection and Response) solution that shortens the time to investigate and contain cloud-native threats. In contrast to static industry solutions lacking real-time monitoring capabilities, the company’s technology centralizes real-time visibility into multi-cloud environments and provides automated incident timelines to understand the root causes of cloud breaches. With $34 million raised to date from Team8, Notable Capital (formerly GGV Capital), IBM Ventures, Cisco Investments and Silicon Valley CISO Investments (SVCI) Gem's employees will be joining Wiz, and the company's co-founders (CEO Arie Zilberstein, CTO Ron Konigsberg, and VP Product Ofir Brukner) will join the Wiz executive team. 

This is Wiz's second acquisition since its inception in 2020, after the company acquired Raftt, a cloud-based developer collaboration platform, in December. New York-based Wiz is considered the world's fastest-growing startup, recently announcing that it has reached $350 million in ARR, with over 40% of the Fortune 100 as customers. The company previously expressed interest in pursuing M&A opportunities as part of its mission to build a holistic cloud security platform catering to a wide array of industry needs. Wiz is now targeting $1 billion in revenue, ahead of a potential Wall Street IPO. 

“Consolidation is the future of the security industry. With cloud infrastructure growing at an accelerated pace, not to mention the broad adoption of AI applications, the world’s largest organizations require consolidated, cloud-native security platforms to effectively address a wide and ever-changing range of security needs,” said Assaf Rappaport, Co-Founder and CEO, Wiz. “The acquisition of Gem brings the industry’s leading CDR to Wiz. Coupled with our CNAPP, which customers have ranked number one, we’re creating a powerful real-time solution for SOC and Cyber Defense teams to combat emerging threats and building the world’s leading cloud security platform.” 

"Since our inception two years ago, Gem has been revolutionizing the way organizations approach security operations in the cloud," said Arie Zilberstein, Co-Founder & CEO of Gem Security. "Together with Wiz, we're thrilled to deliver even more value to security operations teams around the world as part of Wiz's industry-leading platform. We look forward to joining the team and embarking on a new chapter of Gem's growth journey with Wiz." 

For more information, visit https://www.wiz.io/blog.

About Wiz

Wiz secures everything organizations build and run in the cloud. Founded in 2020, Wiz is the fastest-growing software company in the world. Wiz enables hundreds of organizations worldwide, including 40 percent of the Fortune 100, to rapidly identify and remove critical risks in cloud environments. Its customers include Salesforce, Slack, Mars, BMW, Avery Dennison, Priceline, Cushman & Wakefield, DocuSign, Plaid, and Agoda, among others. Wiz is backed by Sequoia, Index Ventures, Insight Partners, Salesforce, Blackstone, Advent, Greenoaks, Lightspeed and Aglaé. Visit https://www.wiz.io for more information.

Wiz Acquires Gem Security to Expand Cloud Detection and Response Offering

There are also two out-of-bounds write vulnerabilities in the AMD Radeon user mode driver for DirectX 11.

Wednesday, April 10, 2024 12:56

Cisco Talos’ Vulnerability Research team has disclosed 10 vulnerabilities over the past three weeks, including four in a line of TP-Link routers, one of which could allow an attacker to reset the devices’ settings back to the factory default. 

A popular open-source software for internet-of-things (IoT) and industrial control systems (ICS) networks also contains multiple vulnerabilities that could be used to arbitrarily create new files on the affected systems or overwrite existing ones. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Denial-of-service, remote code execution vulnerabilities in TP-Link AC1350 router **

Talos researchers recently discovered four vulnerabilities in the TP-Link AC1350 wireless router. The AC1350 is one of many routers TP-Link produces and is designed to be used on home networks. 

TALOS-2023-1861 (CVE-2023-49074) is a denial-of-service vulnerability in the TP-Link Device Debug Protocol (TDDP). An attacker could exploit this vulnerability by sending a series of unauthenticated packets to the router, potentially causing a denial of service and forcing the device to reset to its factory settings.  

However, the TDDP protocol is only denial of serviceavailable for roughly 15 minutes after a device reboot.  

The TDDP protocol is also vulnerable to TALOS-2023-1862 (CVE-2023-49134 and CVE-2023-49133), a command execution vulnerability that could allow an attacker to execute arbitrary code on the targeted device. 

There is another remote code execution vulnerability, TALOS-2023-1888 (CVE-2023-49912, CVE-2023-49909, CVE-2023-49907, CVE-2023-49908, CVE-2023-49910, CVE-2023-49906, CVE-2023-49913, CVE-2023-49911) that is triggered if an attacker sends an authenticated HTTP request to the targeted device. This exploit includes multiple CVEs because an attacker could overflow multiple buffers to cause this condition. 

TALOS-2023-1864 (CVE-2023-48724) also exists in the device’s web interface functionality. An adversary could exploit this vulnerability by sending an unauthenticated HTTP request to the targeted device, thus causing a denial of service. 

**Multiple vulnerabilities in OAS Platform **

_Discovered by Jared Rittle._ 

Open Automation Software’s OAS Platform is an IoT gateway and protocol bus. It allows administrators to connect PLCs, devices, databases and custom apps. 

There are two vulnerabilities — TALOS-2024-1950 (CVE-2024-21870) and TALOS-2024-1951 (CVE-2024-22178) — that exist in the platform that can lead to arbitrary file creation or overwrite. An attacker can send a sequence of requests to trigger these vulnerabilities.  

An adversary could also send a series of requests to exploit TALOS-2024-1948 (CVE-2024-24976), but in this case, the vulnerability leads to a denial of service. 

An improper input validation vulnerability (TALOS-2024-1949/CVE-2024-27201) also exists in the OAS Engine User Configuration functionality that could lead to unexpected data in the configuration, including possible decoy usernames that contain characters not usually allowed by the software’s configuration. 

**Arbitrary write vulnerabilities in AMD graphics driver **

_Discovered by Piotr Bania._ 

There are two out-of-bounds write vulnerabilities in the AMD Radeon user mode driver for DirectX 11. TALOS-2023-1847 and TALOS-2023-1848 could allow an attacker with access to a malformed shader to potentially achieve arbitrary code execution after causing an out-of-bounds write. 

AMD graphics drivers are software that allows graphics processing units (GPUs) to communicate with the operating system.  

These vulnerabilities could be triggered from guest machines running virtualization environments to perform guest-to-host escape. Theoretically, an adversary could also exploit these issues from a web browser. Talos has demonstrated with past, similar, vulnerabilities that they could be triggered from HYPER-V guest using the RemoteFX feature, leading to executing the vulnerable code on the HYPER-V host.

Vulnerability in some TP-Link routers could lead to factory reset

Various anti-detection features, including the use of the ScrubCrypt antivirus-evasion tool, fuel an attack that aims to take over Microsoft Windows machines.

Source: Shane in Sweden via Shutterstock

A newly exposed corporate phishing campaign targeting Microsoft Windows users is delivering a flurry of remote access Trojans (RATs) and other malware under the cover of multiple detection-evasion techniques.

The attackers behind the campaign try to lure users into clicking on an attachment that ultimately employs the tool ScrubCrypt to deliver primarily the VenomRAT version 6, although various other oft-used malware also are associated with the campaign, researchers from Fortinet's FortiGuard Labs Threat Research revealed in a blog post.

While the RAT maintains a connection with attackers' command-and-control (C2) server, the attack drops plug-ins including Remcos RAT, XWorm, NanoCore RAT, and a stealer designed for specific crypto wallets, according to the researchers.

Ultimately the campaign is aimed at stealing critical data from targeted systems — ostensibly to be used in future attacks — as well achieving persistence on a victim's network, according to the post.

"The attackers employ a variety of methods, including phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell, to infiltrate and compromise victim systems," wrote Cara Lin, senior antivirus analyst at Fortinet. "Furthermore, deploying plugins through different payloads highlights the versatility and adaptability of the attack campaign."

VenomRAT is a tool used previously by the 8220 Gang, a cybercriminal group that uses a powerful botnet as its weapon of choice. ScrubCrypt, meanwhile, converts executables into undetectable batch files, providing "several options to manipulate malware, making it more challenging for antivirus products to detect," Lin noted.

**Phony Invoice Phish**

The campaign typically starts with a phishing email stating that a shipment has been delivered with an attached "invoice" that is actually an SVG file named "INV0ICE\_#TBSBVS0Y3BDSMMX.svg" and contains embedded base64-encoded data.

If a targeted user opens the SVG file, the ECMAScript creates a new blob and utilizes "window.URL.createObjectURL" to drop the decoded data as a ZIP file named "INV0ICE\_#TBSBVS0Y3BDSMMX.zip." The decompressed file reveals an obfuscated batch file with an embedded payload that appears to be created by the BatCloak tool, which distributes malware while effectively evading detection by antivirus program, Lin explained.

The embedded script initially copies a PowerShell execution file to "C:\\Users\\Public\\xkn.exe" and utilizes the copied file in later commands, using parameters that conceal its activity. It then decodes the malicious data and saves it as "pointer.png," which is later executed as "pointer.cmd" and deletes all the previously executed files.

**ScrubCrypt Delivers VenomRAT**

The "pointer.cmd" file serves as the ScrubCrypt batch file, and it's "deliberately cluttered with numerous junk strings to obscure readability," Lin wrote. The file incorporates two payloads, the first of which serves two primary purposes: establishing persistence and loading the targeted malware, VenomRAT. The second payload from the ScrubCrypt batch file is for AMSI bypass and ETW bypass, she noted.

VenomRAT was first identified in 2020 and uses a modified version of the well-known Quasar RAT. It allows attackers to gain unauthorized access and control over targeted systems. "As with other RATs, VenomRAT enables attackers to manipulate compromised devices remotely, allowing them to execute various malicious activities without the victim's knowledge or consent," Lin wrote.

Once deployed, VenomRAT initiates communication with its C2 server to send information about the victim, such as hardware specifications, username, operating system details, camera availability, execution path, foreground window name, and the name of the antivirus product installed. It then maintains communication channels with the C2 server to acquire the aforementioned additional plugins for related and other malicious activities as the attack continues from there, Lin wrote.

Notable among those plugins are three RATs often used for various nefarious purposes, including the Remcos RAT, which gives attackers complete system control to capture keystrokes, screenshots, credentials, and other sensitive information; NanoCore RAT, which can remotely access and control a victim's computer; and Xworm, which can load ransomware or act as a persistent backdoor.

**Vigilance Required**

Because this cyberattack campaign uses multiple layers of obfuscation and evasion techniques, it's important for enterprises to stay vigilant.

"The attackers' ability to persist in the system, evade detection, and execute malicious payloads underscores the importance of robust cybersecurity measures and vigilant monitoring to mitigate such threats effectively," Lin noted.

Organizations should educate users about the hallmark signs of phishing campaigns and encourage them to report suspicious activity to IT departments, as well as avoid downloading files or clicking on links from untrusted sources.

Despite its evasive tactics, a strong antivirus-detection system should pick up the malware entering a network, and one that includes a content disarm-and-reconstruction service also is helpful to disable the malicious macros in the document before they can do any harm, Lin wrote.

Fortiguard included a list of indicators of compromise for the specific VenomRAT campaign in the post, including associated C2 domains, URLs associated with the attack, and files the attack distributes.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#cisco