Fake Facebook ads seem to be the flavor of the month for scammers.

Thursday, November 30, 2023 14:00

I know I’m a little late to the party to hit the prime SEO for Black Friday, Cyber Monday and holiday shopping. But if I know the readers of this newsletter, everyone is far from done with their holiday shopping already after a few days. 

I also know I’m far from the only person to warn consumers about scams during this season, so I’m trying to split the difference and highlight a few specific scams and spam campaigns that are already circulating in the wild, some of which popped up right on Black Friday, so you don’t get caught in the remaining days leading up to the winter holidays. 

Fake Facebook ads seem to be the flavor of the month for scammers. This is completely anecdotal, but my mom almost got “got” with a fake Facebook post in a group she belongs to claiming to have some great deals on Nintendo Switch games on Amazon that were not actually real (thankfully she hadn’t clicked the link before she asked me if “Mario Odyssey” was a good deal at $15).  

Still, several other reports have shown that scammers are using Facebook ads to advertise a deal for a $19 Stanley cup — these are the water bottles all the influencers are using nowadays and, even when they are on sale, don’t go for any less than about $35. In this case, it looks like the actors are just looking to take your money or credit card information with a fake ordering process and no plans to send you anything. 

Adversaries have also set up fake Facebook pages and web pages disguising themselves as the retailer Big Lots. These fake ads and posts offer vague deals and sales on various products but instead point to typo-squatted Big Lots websites (or URLs that vaguely seem like they could be connected to Big Lots).  

Scammers are also sending mass emails to subscribers of various streaming services like Amazon Prime, Paramount+ and Peacock claiming that their subscription has lapsed, but they can resubscribe for a deeply discounted price, or even free, as part of a Black Friday special.  

Amazon also issued a warning recently that attackers have been sending emails with malicious attachments asking for users' personal information in exchange for having their “accounts” unlocked. 

This is just a sampling of the likely hundreds of different scams and spam campaigns attackers are deploying right now, so in general, when shopping online, here are a few tips: 

*   Only download apps from trusted and official app stores like the Google Play store and iOS App Store. 
*   Look out for apps that ask for suspicious permissions, such as access to your text messages, contacts, stored passwords and administrative features. 
*   Some malicious apps will try to masquerade as a legitimate version of the one you could be searching for. Signs of these apps include poor spelling and grammar in app descriptions and interfaces, lack of high-quality performance and a developer contact that uses a free email service (such as @gmail.com). 
*   Avoid clicking on unsolicited emails. Make sure you purposefully subscribed to any marketing emails you receive from retailers before opening it. 
*   Use an ad blocker locally on your browser. These will often block any malvertising campaigns that aim to capitalize on shoppers looking for deals. 
*   Try to use payment services such as Google Pay, Samsung Pay and Apple Pay. These services use tokenization instead of the “Primary Account Number” (your credit card number), making your transaction more secure. 
*   Use unique, complex passwords, per site. Attackers commonly reuse passwords to compromise multiple accounts with the same username. Use a password locker if you have a hard time creating and remembering secure passwords. 
*   Manually type in URLs to sites you want to visit rather than clicking on links. 
*   Use multi-factor authentication, such as Cisco Duo, to log into your email account to avoid unauthorized access. 

Next week, Talos will have a holiday special of our own! On Dec. 5, we’ll be launching our second-ever Year in Review report, complete with all new data and insights about the attacks and malware we’ve seen in 2023. Stay tuned to our social media channels or blog for that release.  

**The one big thing **

Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” We assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that’s been active for more than a decade, with customized commands to facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code. 

**Why do I care? **

If infected, SugarGh0st serves as a fully functional backdoor for the adversary that can execute most remote-control functionalities. It can launch the reverse shell and run the arbitrary commands sent from C2 as strings using the command shell. SugarGh0st can collect the victim’s machine hostname, filesystem, logical drive, and operating system information. It can access the running process information of the victim’s machine and control the environment by accessing the process information and terminating the process as directed by the C2 server. It can also manage the machine’s service manager by accessing the configuration files of the running services and can start, terminate or delete the services. 

**So now what? **

Since this seems to be an offshoot of GhostRAT, we certainly can’t rule out any other variants that may be floating out there. Talos also has new ClamAV signatures, Snort rules and other Cisco Secure protection to specifically detect and stop SugarGh0st.  

**Top security headlines of the week **

**Cisco Talos and other teams across Cisco recently worked with multiple government partners to help protect the Ukrainian power grid and ensure it runs appropriately.** The effort, spearheaded by Talos’ Joe Marshall, involved creating bespoke hardware for Ukraine’s energy supplier, Ukrenergo, to operate in place of traditional GPS devices that the Ukrainian power grid relies on to keep running on time. GPS satellites and Ukrainian substations have constantly been the target of kinetic and cyber threats during Russia’s invasion of Ukraine. Officials from multiple U.S. government agencies assisted in the project.  The Pentagon set up flights to physically deliver the manipulated switches, the Department of Energy helped coordinate the equipment’s delivery, and, as Ukrenergo told CNN, the Department of Commerce was a part of critical meetings that first outlined this project. Taras Vasyliv, who oversees power dispatching for Ukrenergo, told CNN that the custom-built switches were the equivalent of a “flashlight” for a surgeon who is trying to operate in the dark. (CNN, Business Insider) 

**Leaked government documents show that some local, federal and state law enforcement officers have been able to view the phone records of millions of Americans,** even those who have not been accused or suspected of a crime. The little-known Pentagon program was partially uncovered because of a letter sent from U.S. Sen. Ron Wyden of Oregon to U.S. Attorney General Merrick Garland, in Wyden’s office requested more information on the project and encouraged the federal government to publicly disclose this knowledge. The letter states the White House pays wireless company AT&T to give all federal, state, local, and Tribal law enforcement agencies “the ability to request often-warrantless searches.” Known as the “Hemisphere Project,” this program has apparently been around since 2007 and reported on by the New York Times in 2013 but has largely gone unnoticed since. Wyden is attempting to challenge the legality of the Hemisphere Project. (Wired) 

**Security researchers have found a way to bypass the Microsoft Hello login authentication system** used in many fingerprint readers and face ID scanners on devices from Dell, Lenovo and Microsoft. Researchers hired by Microsoft to test the security of the readers have since informed the company of these vulnerabilities. The attack the researchers outlined could provide access to a stolen laptop or carry out what's called an “evil maid” attack on an unattended device. Microsoft introduced Hello with its Windows 10 operating system, and since then has included fingerprint scanners on all its devices (though in some cases, Microsoft’s own hardware like the Surface tablet did not use Hello). Though the manufacturers are now aware of these vulnerabilities, the variety of attacks means it can be difficult to patch for these issues. However, all the attacks ultimately required physical access to a device. (Ars Technica, The Verge) 

**Can’t get enough Talos? **

*   Tech giant Cisco built special device to help Kyiv ward off cyberattacks on power grid 
*   Cisco whips up modded switch to secure Ukraine grid against Russian cyberattacks 
*   Talos Takes Ep. #163: Why has the Phobos ransomware been working for so long? 
*   The Need to Know: What is threat hunting? 
*   Vulnerability Roundup: Vulnerabilities in Adobe Acrobat, Microsoft Excel could lead to arbitrary code execution 

**Upcoming events where you can find Talos **

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

Virtual (Please note: This presentation will only be given in German) 

> _The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**What Threats Kept Us Up in 2023: A Year in Review and a Look Ahead** **(Dec. 13, 11 a.m. PT)** 

Virtual 

> _Each year brings new threats that take advantage of increasingly complex security environments. Whether it’s Volt Typhoon targeting critical infrastructure organizations across the United States or ALPHV launching an attack against casino giant MGM, threat actors are becoming bolder and more evasive. That’s why it’s never been more important to leverage broad telemetry sources, deep network insights and threat intelligence to respond effectively and recover faster from sophisticated attacks. Join Amy Henderson, Director of Strategic Planning and Communications at Cisco Talos and Briana Farro, Director of XDR Product Management at Cisco, as they discuss some of the top threat trends and threats we have seen this past year and how to leverage security technology like XDR and network insights to fight against them._ 

**NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security** **(Jan. 11, 2024, 10 a.m. GMT)** 

Virtual 

> _The NIS2 Directive is a crucial step toward securing Europe’s critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations._  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** streamer.exe   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** Hacktool:PUP.26ld.in14.Talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** tmp000c3787   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg 

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

$19 Stanely cups, fake Amazon Prime memberships all part of holiday shopping scams circulating

The prolific threat actor has laundered hundreds of millions of dollars in stolen virtual currency through the service.

Source: Yogesh More via Alamy Stock Photo

In its continued efforts to crack down on North Korea's most formidable state-sponsored threat group, the US government has seized a virtual currency mixer that has been serving as the principal way the group launders money stolen from its cybercriminal activity.

The US Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned Sinbad.io, or just Sinbad, a crypto-mixing service that the feds said has processed millions of dollars worth of virtual currency from crypto heists by the Lazarus Group, according to a press release from OFAC.

As a result of the action, all Sinbad property and interests in property in the US or controlled by anyone in the US must be blocked and reported to OFAC, and people in the US are prohibited from having any involvement with the service. Further, anyone who engages in transactions with the service also may be exposed to sanctions.  

Crypto mixing — a technique that uses pools of cryptocurrency to complicate the tracking of electronic transactions — is a popular service tapped by cybercriminals to obscure their illegal transactions. In the case of Lazarus, the group used Sinbad to launder crypto from various malicious incidents, including the Horizon Bridge and Axie Infinity heist, the government said.

The prolific threat actor is well known for conducting cyberattacks on behalf of the regime of North Korea's leader, Kim Jong Un, engaging in widespread crypto theft through various cyberattacks — including targeting crypto engineers or using compromised systems to mine crypto — to fund government activities, among other endeavors. The US government officially sanctioned Lazarus in 2019, effectively making it a crime to do any kind of business with the group or its associates.

**Crackdown on Crypto Mixing**

Other cybercriminal groups also use Sinbad to keep various illegal financial activities such as drug trafficking, buying child pornography, and other Dark Web transactions away from the prying eyes of law enforcement. However, global authorities have caught on to the use of crypto mixers and are now starting to monitor and block the activity.

In March, an international law enforcement effort led by the US Department of Justice (DoJ) led to the shuttering another known crypto-mixing service, ChipMixer. Then in May and earlier this month, respectively, the feds also seized one crypto mixer, Blender.io (Blender), and redesignated another, Tornado Cash — both known to be used by Lazarus, they said.

OFAC in April also sanctioned two over-the-counter virtual currency traders who facilitated the conversion of stolen virtual currency to fiat currency for North Korean actors associated with Lazarus.

“While we encourage responsible innovation in the digital asset ecosystem, we will not hesitate to take action against illicit actors," said Deputy Secretary of the Treasury Wally Adeyemo, in a statement. "Mixing services that enable criminal actors, such as the Lazarus Group, to launder stolen assets will face serious consequences.”

**Crypto Mixer of Choice**

All told, Lazarus, which has been active for more than 10 years, is believed to have stolen more than $2 billion worth of digital assets across multiple cryptocurrency heists, according to the US government.

Sinbad, which operates on the Bitcoin blockchain, has been one of the primary facilitators of the trafficking of these funds as the group's preferred mixing service. The service, which some security experts believe is the successor to Blender, aids cybercriminal transactions by obfuscating their origin, destination, and counterparties, so they are difficult to track.

Some of the larger sums that Lazarus has laundered through the crypto mixer include "a significant portion" of the following crypto heists: $100 million stolen in June from customers of Atomic Wallet; $620 million stolen from Axie Infinity in March 2022; and $100 million nabbed from Horizon Bridge in June 2022. 

Despite being sanctioned and constantly monitored by security researchers and global authorities alike, Lazarus remains undaunted and shows little sign of slowing down. Some of the group's most recent activity includes posing as Meta to deploy a complex backdoor at an aerospace organization, and aiming to lure crypto pros with fake job postings — the latter a common tactic of the group.

There are signs that the mounting pressure on the group has affected them, though. Lazarus recently aligned with other North Korean state-sponsored threat actors to make them collectively harder to track. However, this collaboration also sets the stage for more aggressive and complex cyberattacks that will demand strategic defense and response on the part of targets.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Feds Seize 'Sinbad' Crypto Mixer Used by North Korea's Lazarus

Plus: Major security patches from Microsoft, Mozilla, Atlassian, Cisco, and more.

The holiday season is here, but software firms are still busy issuing fixes for major security flaws. Microsoft, Google, and enterprise software firm Atlassian have released patches for vulnerabilities already being used in attacks. Cisco also patched a bug deemed so serious, it was given a near-maximum CVSS score of 9.9.

Here’s everything you need to know about the patches released in November.

Google Chrome

Google ended November with a bang after issuing seven security fixes for Chrome, including an emergency patch for an issue already being used in real-life attacks. Tracked as CVE-2023-6345, the already exploited flaw is an integer overflow issue in Skia, an open source 2D graphics library. “Google is aware that an exploit for CVE-2023-6345 exists in the wild,” the browser maker said in an advisory.

Little is known about the fix at the time of writing; however, it was reported by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group, indicating the exploit could be spyware-related.

The six other flaws fixed by Google and rated as having a high impact include CVE-2023-6348, a type-confusion bug in Spellcheck, and CVE-2023-6351, a use-after-free issue in libavif.

Earlier in the month, Google released fixes for 15 security issues in its widely used browser. Among the bugs fixed by the software giant are three rated as having a high severity. Tracked as CVE-2023-5480, the first is an inappropriate implementation issue in Payments, while the second, CVE-2023-5482, is an insufficient data validation flaw in USB with a CVSS score of 8.8. The third high-severity bug, CVE-2023-5849, is an integer overflow issue in USB.

Mozilla Firefox

Chrome competitor Firefox has fixed 10 vulnerabilities in the browser, six of which are rated as having a high impact. CVE-2023-6204 is an out-of-bound memory access flaw in WebGL2 blitFramebuffer, while CVE-2023-6205 is a use-after-free issue in MessagePort.

Meanwhile, CVE-2023-6206 could allow clickjacking permission prompts using the full-screen transition. “The black fade animation when exiting full screen is roughly the length of the anti-clickjacking delay on permission prompts,” Firefox owner Mozilla said. “It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear.”

CVE-2023-6212 and CVE-2023-6212 are Memory safety bugs, both with a CVSS score of 8.8, in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5.

Google Android

Google's November Android Security Bulletin details fixes patched in this month, including eight in the Framework, six of which are elevation of privilege bugs. The worst flaw could lead to local escalation of privilege with no additional execution privileges needed, Google said in an advisory.

Google also fixed seven issues in the System, six of which are rated as having a high severity and one marked as critical. Tracked as CVE-2023-40113, the critical bug could lead to local information disclosure with no additional execution privileges needed.

Google's Pixel devices have already received the November update, along with some additional fixes. The November Android Security Bulletin has also started to roll out to some of Samsung’s Galaxy line.

Microsoft

Microsoft has a Patch Tuesday every month, but November's is worth notice. The update fixes 59 vulnerabilities, two of which are already being exploited in real-life attacks. Tracked as CVE-2023-36033, the first is an elevation of privilege vulnerability in Windows DWM Core Library marked as important, with a CVSS score of 7.8. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said.

Meanwhile, CVE-2023-36036 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver with a CVSS score of 7.8. Also fixed in November’s update cycle is the already exploited libWep flaw previously fixed in Chrome and other browsers, which also impacts Microsoft’s Edge, tracked as CVE-2023-4863.

Another notable flaw is CVE-2023-36397, a remote code execution vulnerability in Windows Pragmatic General Multicast marked as critical with a CVSS score of 9.8. “When Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code,” Microsoft said.

Cisco

Enterprise software firm Cisco has issued fixes for 27 security flaws, including one rated as critical with a near maximum CVSS score of 9.9. Tracked as CVE-2023-20048, the vulnerability in the web services interface of Cisco Firepower Management Center Software could allow an authenticated, remote attacker to execute unauthorized configuration commands on a Firepower Threat Defense device managed by the FMC Software.

However, to successfully exploit the vulnerability, an attacker would need valid credentials on the FMC Software, Cisco said.

A further seven of the flaws fixed by Cisco are rated as having a high impact, including CVE-2023-20086—a denial-of-service flaw with a CVSS score of 8.6—and CVE-2023-20063, a code-injection vulnerability with a CVSS score of 8.2.

Atlassian

Atlassian has released a patch to fix a serious flaw already being used in real-life attacks. Tracked as CVE-2023-22518, the improper-authorization vulnerability issue in Confluence Data Center and Server is being used in ransomware attacks. “As part of Atlassian's ongoing monitoring and investigation of this CVE, we observed several active exploits and reports of threat actors using ransomware,” it said.

Security outfit Trend Micro reported the Cerber ransomware group is using the flaw in attacks. “This is not the first time that Cerber has targeted Atlassian—in 2021, the malware re-emerged after a period of inactivity and focused on exploiting remote code execution vulnerabilities in Atlassian's GitLab servers,” Trend Micro said.

All versions of Confluence Data Center and Server are affected by the flaw, which allows an unauthenticated attacker to reset Confluence and create an administrator account. “Using this account, an attacker can perform all administrative actions available to a Confluence instance administrator, leading to a full loss of confidentiality, integrity and availability,” Atlassian said.

SAP

Enterprise software giant SAP has released its November Security Patch Day, fixing three new flaws. Tracked as CVE-2023-31403 and with a CVSS score of 9.6, the most serious issue is an improper access control vulnerability flaw in SAP Business One. As a result of exploiting the issue, a malicious user could read and write to the SMB shared folder, the software giant said.

Google Fixes a Seventh Zero-Day Flaw in Chrome—Update Now

Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.”

*   Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” 
*   We found evidence suggesting the threat actor is targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea. 
*   We assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that’s been active for more than a decade, with customized commands to facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code.
*   We observed two infection chains leveraging Windows Shortcut embedded with malicious JavaScript to deliver the components to drop and launch the SugarGh0st payload.
*   In one infection chain, the actor leverages the DynamixWrapperX tool to enable Windows API function calls in malicious JavaScript for running the shellcode.
*   Talos assesses with low confidence that a Chinese-speaking threat actor is operating this campaign based on the artifacts we found in the attack samples.

**Suspected Chinese Actor targeting Uzbekistan and South Korea**

Talos discovered four samples deployed in this campaign that are likely targeting users in Uzbekistan and South Korea based on the language of the decoy documents, the lure content, and distribution indicators Talos found in the wild. 

One of the samples is sent to users in the Ministry of Foreign Affairs of Uzbekistan. The sample is an archive embedded with a Windows ShortCut LNK file which, upon opening, drops the decoy document “Investment project details.docx'' with Uzbek content about a presidential decree in Uzbekistan focused on enhancing state administration in technical regulation. The lure content of the decoy document was published in multiple Uzbekistan sources in 2021. The initial vector of the campaign is likely a phishing email with an attached malicious RAR archive file sent to an employee of the Ministry of Foreign Affairs.  

Decoy document in Uzbek language.

Besides Uzbekistan, we also observed indications of targets in South Korea. We found three other decoy documents written in Korean dropped by the malicious JavaScript file embedded in the Windows Shortcut, seemingly distributed in South Korea. The decoy document named “Account.pdf” was forged as a Microsoft account security notification for confirming an account registration with a generated password. Another decoy named “MakerDAO MKR approaches highest since August.docx'' uses the copied content from 코인데스크코리아 (CoinDesk Korea, a Korean news outlet that covers the blockchain). The third decoy document, named “Equipment\_Repair\_Guide.docx,” has the lure information with instructions for computer maintenance in an organization. To reinforce our assessment of South Korean targets, we also observed C2 domain requests from IPs originating from South Korea. 

The decoy documents found in the samples collected by Talos.

During our analysis, we observed a couple of artifacts that suggested the actor might be Chinese-speaking. Two of the decoy files we found have the “last modified by” names shown as “浅唱丶低吟” (Sing lightly, croon) and “琴玖辞” (seems to be the name of a Chinese novel author), which are both Simplified Chinese. 

The author and last editor’s information on decoy documents.

Besides the decoy document metadata, the actor prefers using SugarGh0st, a Gh0st RAT variant. The Gh0st RAT malware is a mainstay in the Chinese threat actors’ arsenal and has been active since at least 2008. Chinese actors also have a history of targeting Uzbekistan. The targeting of the Uzbekistan Ministry of Foreign Affairs also aligns with the scope of Chinese intelligence activity abroad. 

**SugarGh0st is a new Gh0st RAT variant**

Talos discovered a RAT that we call SugarGh0st delivered as a payload in this campaign. Talos assesses with high confidence that SugarGh0st is a customized variant of the Gh0st RAT. Gh0st RAT was developed by a Chinese group called 红狼小组 (C.Rufus Security Team), and its source code was publicly released in 2008. The public release of the source code has made it easy for threat actors to get access to it and tailor it to fulfill their malicious intentions. There are several variants of Gh0st RAT in the threat landscape, and it remains a preferred tool for many Chinese-speaking actors, allowing them to conduct surveillance and espionage attacks.

Compared with the original Gh0st malware, SugarGh0st is equipped with some customized features in its reconnaissance capability in looking for specific Open Database Connectivity (ODBC) registry keys, loading library files with specific file extensions and function name, customized commands to facilitate the remote administration tasks directed by the C2, and to evade earlier detections. The C2 communication protocol is also modified. The first eight bytes of the network packet header are reserved as magic bytes versus the first five in the earlier Gh0st RAT variants. The remaining features, including taking full remote control of the infected machine, providing real-time and offline keylogging, hooks to the webcam of an infected machine, and downloading and running other arbitrary binaries on the infected host are aligned with the features of earlier Gh0st RAT variants. 

**A multi-stage infection chain **

Talos discovered two different infection chains employed by the threat actor to target the victims in this campaign. One of the infection chains decrypts and executes the SugarGh0st RAT payload, the customized variant of the Gh0st RAT. Another infection chain leverages the DynamicWrapperX loader to inject and run the shellcode that decrypts and executes SugarGh0st. 

**Infection Chain No. 1**

The first infection chain starts with a malicious RAR file containing a Windows Shortcut file with a double extension. When a victim opens the shortcut file, it runs a command to drop and execute an embedded JavaScript file. The JavaScript eventually drops a decoy, an encrypted SugarGh0st payload, DLL loader and batch script. Then, the JavaScript executes the batch script to run the dropped DLL loader by sideloading it with a copied rundll32. The DLL loader will decrypt the encrypted SugarGh0st payload in memory and run it reflectively. 

**Shortcut file embedded with malicious JavaScript dropper**

The Windows shortcut file discovered in this attack is embedded with JavaScript and has command line arguments to drop and execute it. Upon the victim opening the LNK file, the command line argument of the LNK file runs to locate and load the JavaScript with the string start of “var onm=” which is the beginning of the JavaScript dropper and drops the JavaScript into the %temp% location. After that, the dropped JavaScript is executed using the living-off-the-land binary (LoLBin) cscript. 

Sample of malicious LNK file.

**JavaScript dropper **

The JavaScript dropper is a heavily obfuscated script embedded with base64 encoded data of the other components of the attack. The JavaScript decodes and drops the embedded files into the %TEMP% folder, including a batch script, a customized DLL loader, an encrypted SugarGh0st payload, and a decoy document. It first opens the decoy document to masquerade as legitimate action, then copies the legitimate rundll32 executable from the “Windows\\SysWow64” folder into the %TEMP% folder. Finally, it executes the batch script loader from the %TEMP% location and runs the customized DLL loader. The JavaScript deleted itself from the file system afterward. 

The JavaScript dropper.

**Batch script loader**

The batch script, in this instance, is named “ctfmon.bat” and has the commands to run the dropped customized DLL loader. When executed, it sideloads the DLL loader with rundll32.exe and executes the function which is DllUnregisterServer, typically used by COM (Component Object Model) DLLs.

The batch script loader.

**DLL Loader decrypts and reflectively loads the SugarGh0st payload**

The customized DLL loader named “MSADOCG.DLL” (name of the DLL associated with Microsoft's ActiveX Data Objects (ADO) technology) is a 32-bit DLL written in C++ and implemented as a COM object component. The loader includes packed code that is unpacked with custom unpacking code. When the DLL is run, it unpacks the code to read the dropped encrypted SugarGh0st payload file named “DPLAY.LIB '' from the %TEMP% location, decrypts it and runs it in the memory. 

Stub code to unpack code.

Function to load the encrypted payload.

**Infection chain No. 2**

Similar to the first infection chain, this attack also starts with a RAR archive file containing a malicious Windows Shortcut file forged as the decoy document. The Windows shortcut file, by executing the embedded commands, drops the JavaScript dropper file into the %TEMP% location and executes it with cscript. The JavaScript in this attack drops a decoy document, a legitimate DynamicWrapperX DLL, and the encrypted SugarGh0st. The JavaScript uses the legitimate DLL to enable running the embedded shellcode for running the SugarGh0st payload. 

**JavaScript leverages DynamicWrapperX to run shellcode that launches SugarGh0st**

The JavaScript used in this infection chain is also heavily obfuscated and is embedded with base64-encoded data of other components of the attack, including a shellcode. When the JavaScript is executed, it drops an encrypted SugarGh0st, a DLL called “libeay32.dll” and the decoy document. The JavaScript opens the decoy document and copies Wscript.exe to the %TEMP% folder as dllhost.exe. It runs the dropped JavaScript again using the dllhost.exe and creates a registry subkey called “CTFMON.exe” in the Run registry key to establish persistence. 

Registry Key

HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

Subkey

CTFMON.exe

Value

“cmd /c start C:\\Users\\user\\AppData\\Local\\Temp\\dllhost.exe C:\\Users\\user\\AppData\\Local\\Temp\\~204158968.js”

The file “libeay32.dll” is a tool called DynamicWrapperX (originally named “dynwrapx.dll”) developed by Yuri Popov. This tool is an ActiveX component that enables Windows API function calls in scripts (JScript, VBScript, etc.). The attacker can use this to run shellcode via the JavaScript dropper. But, they must first run regsvr.exe to install the component. 

C:\\Windows\\system32\\regsvr32 /i /s C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\libeay32.dll

The DynamicWrapperX DLL registers its member functions in the victim’s machine by creating a registry subkey CLSID with the value “89565275-A714-4a43-912E-978B935EDCCC” in Software\\Classes\\DynamicWrapperX registry key. The JavaScript containing the ActiveX components executes the embedded shellcode using the DynamixWrapperX DLL. 

The shellcode has the API hashes and instructions to load and map to the functions necessary for process injection from Kernel32.dll. It also loads two other DLLs, User32.dll and shlwapi.dll. Then, it loads the encrypted SugarGh0st “libeay32.lib” from the %TEMP% location, decrypts it, and reflectively loads it into the memory space allocated in the dllhost.exe process. 

Shellcode that loads and decrypts the encrypted SugarGh0st. 

**Analysis of SugarGh0st   **

The SugarGh0st sample analyzed by Cisco Talos is a 32-bit dynamic link library in C++ compiled on Aug. 23, 2023. During its initial execution, SugarGh0st creates a mutex on the victim’s machine using the hard-coded C2 domain as an infection marker and starts the keylogging function. The keylogger module creates a folder “WinRAR'' in the location %Program Files% and writes the keylogger file “WinLog.txt.” 

The Keylogging function of SugarGh0st.

SugarGh0st uses “WSAStartup” functions, a hardcoded C2 domain and port to establish the connection to the C2 server. Talos discovered two C2 domains, login\[.\]drive-google-com\[.\]tk and account\[.\]drive-google-com\[.\]tk, used by the threat actor in this campaign.

The C2 communication function of SugarGh0st.

After launching, SugarGh0st attempts to establish the connection to C2 every 10 seconds. If successful, the first outgoing packet always consists of the same eight bytes “0x000011A40100” as a heartbeat. After the heartbeat is successfully sent, SugarGh0st sends the buffer data, which includes the following:

*   Computer name
*   Operating system version 
*   Root and other drive information of victim machine
*   Registry key “HKEY\_LOCAL\_MACHINE\\Software\\ODBC\\H” if exist
*   Campaign codes 1 (Month and Year) and code 2 (in our samples are “default”)
*   Windows version number
*   Root drive’s volume serial number

A sample packet that was sent by SugarGh0st to C2.

SugarGh0st is a fully functional backdoor that can execute most remote control functionalities. It can launch the reverse shell and run the arbitrary commands sent from C2 as strings using the command shell.

The Reverse shell function.

SugarGh0st can collect the victim’s machine hostname, filesystem, logical drive and operating system information. It can access the running process information of the victim’s machine and control the environment by accessing the process information and terminating the process as directed by the C2 server. 

It can also manage the machine’s service manager by accessing the configuration files of the running services and can start, terminate or delete the services.

Function to operate services.

SugarGh0st can take screenshots of the victim machine’s current desktop and switch to multiple windows. It can access the victim’s machine camera to capture the screen and compress the captured data before sending it to the C2 server. SugarGh0st can perform various file operations, including searching, copying, moving and deleting the files on the victim’s machine.

It also clears the machine’s Application, Security and System event logs to hide the malicious operations logged to evade detection. 

Function to clean event logs.

SugarGh0st performs the remote control functionalities, including those discussed earlier, as directed by the C2 server with the four-byte hex commands and accompanying data. 

**Command**

**Action**

0x20000001

Adjust process privilege to “SeShutdownPrivilege” and force shut down the host.

0x20000002

Adjust process privilege to “SeShutdownPrivilege” and force reboot the host.

0x20000003

Adjust process privilege to “SeShutdownPrivilege” and force terminate the processes.

0x20000004

Clear event log

0x20000005

Create register key HKEY\_LOCAL\_MACHINE\\Software\\ODBC\\H

0x20000011

Press a key in the default window 

0x20000012

Release a key in the default window 

0x20000013

Set mouse cursor position

0x20000014

Click mouse left button

0x20000015

Release mouse left button

0x20000016

Double click the mouse left button

0x20000017

Click mouse right button

0x20000018

Release mouse right button

0x20000019

Double click the mouse left button

0x21000002

Get the logical drive information of the victim's machine. 

  

0x21000003

Search files on the victims machine filesystem

0x21000004

Delete files on the victim's machine file system

0x21000005

Moves files to the %TEMP% location 

0x21000006

Runs arbitrary shell commands

0x21000007

Copies files on the victim machine 

0x21000008

Move files on the victim's machine

0x21000009

Sends files to the C2 server 

0x2100000A

Sends the data to the windows socket

0x2100000B

Receives files from the C2 server

0x22000001

Sends the screenshot to the C2 server

0x24000001

Read file %ProgramFiles%/WinRAR/~temp.dat (which is encoded with XOR 0x62)

0x24000002

Delete file %ProgramFiles%/WinRAR/~temp.dat

0x23000000

Provides the reverse shell access to the C2 server 

0x25000000

Gets the process information and terminates the process 

0x25000001

Enumerate process information

0x25000002

Terminate Process

0x25000003

Access the victims machine service manager 

0x25000004

Access the configuration files of the running services

0x25000005

Starting service

0x25000006

Terminating and deleting the services. 

0x25000010

Performs the Windows operations

0x25000011

Get window list

0x25000012

Get message from Window

0x28000000

Capture window and perform a series of Window operations based on the command with SendMessage API.

0x28000002

Find a . OLE file under “%PROGRAMFILES%\\\\Common Files\\\\DESIGNER'' and launch

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat is 62647.

ClamAV detections available for this threat:

Win.Trojan.SugarGh0stRAT-10014937-0

Win.Tool.DynamicWrapperX-10014938-0

Txt.Loader.SugarGh0st\_Bat-10014939-0

Win.Trojan.SugarGh0stRAT-10014940-0

Lnk.Dropper.SugarGh0stRAT-10014941-0

Js.Trojan.SugarGh0stRAT-10014942-1

Win.Loader.Ramnit-10014943-1

Win.Backdoor.SugarGh0stRAT-10014944-0

**Orbital Queries**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries related to this threat, please follow the links:

*   SugarGh0st RAT file detected
*   SugarGh0st RAT Registry key 

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

New SugarGh0st RAT targets Uzbekistan government and South Korea

Melissa Hathaway, a former White House cybersecurity adviser, says Biden is pushing through more regulatory reforms than previous administrations.

Lack of transparency with third-party suppliers is companies' biggest cyberthreat, says CIGI's Melissa Hathaway.Source: Harvard Kennedy School Belfer Center

Melissa Hathaway hasn't shied away from advising corporate boards and government leaders on cybersecurity policy since leaving the White House a decade ago. Hathaway, a former National Security Council Cybersecurity Chief, served in two administrations, leading the Comprehensive National Cybersecurity Initiative for President George W. Bush, and launching President Barack Obama's Cyberspace Policy Review.

Currently a member of the Centre for International Governance Innovation's board of directors, Hathaway recently spoke about current digital risks at a CIGI conference last month. Hathaway also provides consulting services as president of Hathaway Global Strategies, and most recently, was tapped by data protection vendor Commvault to chair its newly formed Cyber Resilience Council. During a meeting in New York City, Hathaway shared her views on the latest global cybersecurity threats from China and Russia, and the impact of the war in Israel.

Dark Reading: How would you compare today's threat landscape to when you were working for the White House over a decade ago?

Hathaway: Ransomware is on the rise, and it has become very sophisticated. Now you can encrypt 50 terabytes of data in less than five minutes, and all an intruder needs is one path in. A lot of really destructive, malicious software is being developed, and proof pointed over in Ukraine, such as the wiper virus attacks that we saw against Viasat. You're also starting to see the infections of low-level botnets capable of high-volume distributed denial service attacks. I'd say, though, the biggest problem is that companies don't have enough transparency into the dependencies of their third-party suppliers. The path into most of the companies right now, if it's not an unpatched system, is through their third-party suppliers.

DR: Such as software supply chain vulnerabilities?

Hathaway: Yes, but it doesn't have to be just that. It could be the trusted supplier who didn't patch their own infrastructure and they're the pathway in not just the product that was bad, like what we're dealing right now with Cisco IOS.

DR: What's your take on President Biden's approach to cybersecurity?

Hathaway: The new White House strategy is focused a lot on making companies more responsible for not only their product and introducing secure development lifecycle, but also making them more responsible for their governance and enterprise risk management. And that's been needed for more than a decade. I think that this administration is really focused on making corporates responsible.

DR: Would you say this White House is doing more than previous administrations?

Hathaway: They're just taking a different approach. The Biden administration is focused on a regulatory approach which previous administrations never took.

DR: And do you think that's a good thing?

Hathaway: In 2010 I wrote that there was an important moment for the SEC, FCC, and FTC to own their authorities to get to resilience. But I think that there's a challenge when you have all the regulators going in different directions. It puts an undue cost on industry. And so there has to be some harmonization of the regulatory frameworks that the administration is pushing. But that's difficult to do. One, it requires strong leadership and understanding of how the government works. Two, it requires getting those regulators to potentially cooperate and coordinate, and they don't necessarily have it within their remit to do that. And then third, you have to decide which problem you want to solve first, second, and third.

DR: With the current policies that are being laid out and proposed, to what effect do you think the outcome of the next presidential election could change those policies if there is a change in administrations?

Hathaway: You have the new SEC Rule and it took almost 13 years to get that rule in place. If another administration were to come in, regardless of party, and wanted to change direction, it would be very difficult to change the regulations and the laws in this country. A new president could come up with another executive order or policy, but those are very difficult. I mean, it's easy to write, but then it's all about the execution. And there's really no penalties associated with those, even within the government.

DR: What are your concerns about China as a threat?

Hathaway: They are a leading cyber power and probably have more manpower of meeting their overall national objectives than we do in the US or anywhere. Part of that is a percentage of the population, but they have made it a strategic priority as part of their five-year plan, and as part of their overall strategies.

Among their strategies, they are using one industrial espionage \[element\] that was featured on 60 Minutes just two weeks ago, with the Five Eyes. Industrial espionage has been going on for more than a decade, and they're continuing to move that path forward.

Through the Belt and Road Initiative, they are positioning their national champions for the delivery of telecom, data services, and other things. And they are one of the leading providers in the Global South. And that's all part of their economic strategy and changing some of the global, I would say world order of things.

They're also leading in central bank digital currencies. They saw Bitcoin as an opportunity, and they started their policy development and experimentation with it more than about a decade ago. And now they've since rolled out a CBDC \[central bank digital currency\], and they have more than 300 million people using it. If you start to think about that \[as\] a transition in the financial services systems around the world, they've got an interbank digital currency exchange that's outside of the US dollar through the CBDCs. And so, they have a longer-term strategy.

DR: What can policymakers do about that?

Hathaway: We have to look at Russia, China, Iran, \[and\] North Korea in different lenses. They are worthy opponents. And it's not like they're second rate, they're actually all first rate in different categories. And that requires us to think about things differently. Some of the initiatives of the Biden administration are important, like secure development lifecycle, which means your code better be good. We've got too many bad products in the market that are easily exploitable. We need to really be thinking about the next generation standards — we lost on 5G, are we going to lose on 6G too? And that requires us to really think about international standards differently.

I think we also need to be thinking about what are some of the cases that we're going to have to be thinking about — when you move to 5G and you're moving to the cloud, and you've got autonomous everything, you're going to have edge compute — that's going to have a whole very different set of policies on that data movement, from my driverless car to your driverless car, and what's processing them at the edge, so neither of us will have a problem. We're not really addressing that security, the data security, data privacy, the data movement, and this edge processing that's going to go forward. That requires us to really think about a different architecture about resilience, safety, privacy, and security. And that conversation I don't really think has started in our country, and we need to start it now.

DR: Has the war in Israel already changed the equation of the threat landscape?

Hathaway: Absolutely. I think things are unstable. It adds three things: First, you're starting to see new malicious software being developed and I would say swift synthetic media, deep fakes, and other things. It's causing a lot of confusion, but there's a lot of experimentation happening from a lot of groups, not just Hamas or Hezbollah — there's a lot of experimentation happening with, I would say, the malicious activities' disinformation as well as malicious software.

I think second, we're going to see a supply chain disruption of the Israeli IT and cyber industry that I don't think we've thought through what's going to happen. As you mobilize 300,000 reservists, some of which are in that industry, some of these industry providers are going to have a slowdown or a disruption. So, we have to think through that.

Israel is a leading innovator in some of these things; I think that there's going to be a supply chain disruption coming because they are a leader in IT.

Third, I just worry about the overall stability of the region; we've got a lot of geopolitical instability \[and\] too much around the world right now.

DR: Obviously, there are a lot of Israeli cybersecurity companies or even companies like Microsoft, Check Point, Google, and many others.

Hathaway: Well, you have the tech innovation center at Beersheba, but then you have a very large IT tech cyber industry in Israel that serves and works and partners with all Silicon Valley, and Seattle, Boston, and such. So, I think that there's going to be a disruption that we need to anticipate because this war is not going to be done anytime soon.

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Ex-Cybersecurity Adviser to Bush, Obama Weighs in On Current Admin

A vulnerability in the file server and collaboration platform earned a 10 in severity on the CVSS, allowing access to admin passwords, mail server credentials, and license keys.

Source: John Williams RF via Alamy Stock Photo

Hackers are actively exploiting a critical flaw in the open source ownCloud platform that allows access to access admin passwords, mail server credentials, and license keys, exposing their enterprise to data breaches or other types of malicious activity.

The flaw, tracked as CVE-2023-49103 and disclosed by ownCloud on Nov. 21, earned the top score of 10 out of 10 on the CVSS severity rating due to its ease of exploitation. It arises from a flaw in the "graphapi" app used in ownCloud, a file server and collaboration platform that enables secure storage, sharing, and synchronization of commonly sensitive files.

Researchers from GreyNoise observed what they characterized as "mass exploitation" of the flaw in the wild starting as early as Nov. 25, with at least 40 unique IP addresses seen trying to exploit the flaw so far, according to the current data shown on its tracker.

Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, characterized the initial exploitation observed by GreyNoise as attackers "pretty much spraying it across the Internet to see what hits," in an online discussion on Tuesday.

The Shadowserver Foundation also is tracking exploitation of the flaw, having observed more than 11,000 exposed instances, with most of those located in Germany, the US, France, and Russia.

The app affected by the flaw is present in ownCloud versions 0.2.0 to 0.3.0. "This app utilizes a third-party library that will reveal sensitive PHP environment configurations, including passwords and keys," Thorpe wrote in the post.

It's important to note that only by patching can those affected mitigate the issue, as even disabling the app does not entirely resolve it, according to GreyNoise. The flaw affects both containerized and non-containerized ownCloud instances, although Docker containers from before February 2023 are not vulnerable to the credential disclosure, the researchers noted.

Moreover, the vulnerability is just one of three that ownCloud revealed last week, all of which allow attackers to breach data in deployments of the platform, the researchers noted. The other two are an authentication bypass flaw tracked as CVE-2023-49105 and a critical flaw related to the oauth2 app tracked as CVE-2023-49104.

"Organizations using ownCloud should address these vulnerabilities immediately," GreyNoise recommended.

**Top CVSS Rating**

OwnCloud is used by nearly 1 million organizations worldwide to manage and share data through a self-hosted platform, replacing the use of online services such as Dropbox to share files throughout an organization. Theoretically this makes enterprise file transfers more secure than sending them over a public cloud, except of course if the deployment of ownCloud is being exploited.

That's the current case of the critical flaw in graphapi, which relies on a third-party library that provides a URL which, when accessed, reveals the configuration details of the PHP environment, according to ownCloud.

These details include all the environment variables of the Web server, which in containerized deployments "may include sensitive data such as the ownCloud admin password, mail server credentials, and license key," according to ownCloud.

In its fix, ownCloud deleted the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php and disabled the phpinfo function docker-containers to remedy the flaw. The company also plans to harden various aspects in future core releases to mitigate similar vulnerabilities.

In addition to applying the fix, ownCloud also recommended that companies change the following secrets in their deployments: ownCloud admin password, mail server credentials, database credentials, and object-Store/S3 access-key.

**Other Flaws to Consider**

While not quite as severe as the graphapi flaw, the two other flaws recently discovered by ownCloud also are rated as critical and deserve attention, the company said.

CVE-2023-49105, rated as 9.8 on the CVSS, allows for attackers to access, modify, or delete any file without authentication if the username of the victim is known and the victim has no signing key configured, which is the platform's default configuration.

The flaw affects the ownCloud "core" app versions 10.6.0 – 10.13.0 and can be fixed by denying the use of pre-signed URLs if no signing key is configured for the owner of the files.

CVE-2023-49104, meanwhile, affects the ownCloud oauth2 app versions before 0.6.1 and allows someone to pass in a specially crafted redirect URL that bypasses the validation code. This, in turn, allows the attacker to redirect callbacks to an attacker-controlled top-level domain.

The flaw is rated as 9 on the CVSS and can be mitigated by hardening the validation code in the oauth2 app. A workaround that also fixes the flaw is to disable the "Allow Subdomains" option, according to ownCloud.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Patch Now: Attackers Pummel Critical, Easy-to-Exploit OwnCloud Flaw

By Deeba Ahmed
The vulnerability is tracked as CVE-2023-49103 and declared critical with a CVSS v3 Base Score 10.
This is a post from HackRead.com Read the original post: OwnCloud “graphapi” App Vulnerability Exposes Sensitive Data

OwnCloud has fixed the issue in version 10.9.01 but urges customers to change their OwnCloud admin password, database and mail server credentials.

A critical vulnerability has been identified in the OwnCloud “graphapi” app, enabling threat actors to gain access to sensitive information in containerized deployments. This includes admin passwords, mail server credentials, and license keys.

According to a security advisory released by OwnCloud, the vulnerability affects versions 0.2.0 to 0.3.0. The company publicly disclosed this issue on 21 November 2023.

For your information, OwnCloud is a file server/collaboration platform offering safe storage, sharing, and synchronization of sensitive files.

The vulnerability is tracked as CVE-2023-49103 and declared critical with a CVSS v3 Base Score 10. It was assigned the identifier oC-SA-2023-0011. 

On the other hand, data security firm GreyNoise has observed mass exploitation of this flaw in the wild starting from 25 November, raising serious concerns within the cybersecurity community.

What happens is that attackers can exploit this vulnerability to access a URL that can reveal the configuration details of the PHP environment (phpinfo). 

It is worth noting that the vulnerability was detected in the OwnCloud server and caused by a third-party library, which provides the URL, that reveals the configuration details, including all the environment variables like mail server credentials or admin passwords of the webserver. 

OwnCloud has fixed the issue in version 10.9.01. The company noted that Docker-Containers from before February 2023 aren’t vulnerable to credential exposure.

Nevertheless, the company suggests users must act promptly to mitigate the threat. This involves deleting the file OwnCloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php and disabling the phpinfo function in Docker containers. 

The advisory explained that simply disabling the graphapi app cannot eliminate the issue because phpinfo can expose sensitive configuration data that attackers can exploit to collect system-related information. This means even if OwnCloud isn’t running in a containerized environment, the threat will persist.

Therefore, users should change their OwnCloud admin password, mail server credentials, database credentials, and Object-Store/S3 access key. These steps will help mitigate the risk of attackers exploiting the vulnerability to access sensitive information.

Casey Ellis, Founder and Chief Strategy Officer at San Francisco, Calif.-based crowdsourced cybersecurity firm Bugcrowd shared a comment with Hackread on the disclosure, calling it “concerning.” 

“This one is concerning because OwnCloud is the type of software that home users and small businesses tend to set up and then forget,” explained Ellis. “The combination of the impact of this vulnerability and the type of personal/valuable data stored in ownCloud instances provides a wide variety of options for attackers looking to exploit it – I’d be very surprised if we don’t start hearing about ransomed ownCloud instances in the coming days.”

****_RELATED ARTICLES_****

1.  **Google Workspace Vulnerable to Takeover**
2.  **Outdated Wallets Threatening Billions in Crypto Assets**
3.  **OracleIV DDoS Botnet Malware Targets Docker Engine API Instances**
4.  **Domain Squatting, Brand Hijacking: A Silent Threat to Digital Enterprises**
5.  **Kinsing Crypto Malware Targets Linux Systems via Apache ActiveMQ Flaw**

OwnCloud “graphapi” App Vulnerability Exposes Sensitive Data

By Owais Sultan
Dubbed "DeleFriend," the vulnerability enables attackers to manipulate GCP and Google Workspace delegations without needing the high-privilege Super Admin role on Workspace.
This is a post from HackRead.com Read the original post: Google Workspace Vulnerable to Takeover Due to Domain-Wide Delegation Flaw, Warns Cybersecurity Firm Hunters

Cybersecurity researchers at Hunters have created a proof-of-concept tool to assist organizations in detecting DWD misconfigurations, increasing awareness, and reducing DeleFriend’s exploitation risks.

BOSTON, MASS. and TEL AVIV, ISRAEL, November 28, 2023 – A severe design flaw in Google Workspace’s domain-wide delegation feature discovered by threat-hunting experts from Hunters’ Team Axon, can allow attackers to misuse existing delegations, enabling privilege escalation and unauthorized access to Workspace APIs without Super Admin privileges.

Such exploitation could result in the theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain. Hunters have responsibly disclosed this to Google and worked closely with them prior to publishing this research.

Domain-wide delegation permits a comprehensive delegation between Google Cloud Platform (GCP) identity objects and Google Workspace applications. In other words, it enables GCP identities to execute tasks on Google SaaS applications, such as Gmail, Google Calendar, Google Drive, and more, on behalf of other Workspace users.

The design flaw, which the team at Hunters has dubbed “DeleFriend,” allows potential attackers to manipulate existing delegations in GCP and Google Workspace without possessing the high-privilege Super Admin role on Workspace, which is essential for creating new delegations.

Instead, with less privileged access to a target GCP project, they can create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled.

The root cause lies in the fact that the domain delegation configuration is determined by the service account resource identifier (OAuth ID), and not the specific private keys associated with the service account identity object.

Additionally, no restrictions for fuzzing of JWT combinations were implemented on the API level, which does not restrict the option of enumerating numerous options for finding and taking over existing delegations.

  
This flaw poses a special risk due to the potential impact described above and is amplified by the following:

*   **Long Life**: By default, GCP Service account keys are created without an expiry date. This feature makes them ideal for establishing backdoors and ensuring long-term persistence.
*   **Easy to hide:** The creation of new service account keys for existing IAMs or, alternatively, the setting of a delegation rule within the API authorization page is easy to conceal. This is because these pages typically host a wide array of legitimate entries, which are not examined thoroughly enough.
*   **Awareness:** IT and Security departments may not always be cognizant of the domain-wide delegation feature. They might especially be unaware of its potential for malicious abuse.
*   **Hard to detect:** Since delegated API calls are created on behalf of the target identity, the API calls will be logged with the victim details in the corresponding GWS audit logs. This makes it challenging to identify such activities.

“The potential consequences of malicious actors misusing domain-wide delegation are severe. Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain,” says Yonatan Khanashvili of Hunters’ Team Axon.

The range of possible actions varies based on the OAuth scopes of the delegation. For instance, email theft from Gmail, data exfiltration from the drive, or monitoring meetings from Google Calendar.

To execute the attack method, a particular GCP permission is needed on the target Service Accounts. However, Hunters observed that such permission is not an uncommon practice in organizations making this attack technique highly prevalent in organizations that don’t maintain a security posture in their GCP resources.

“By adhering to best practices, and managing permissions and resources smartly, organizations can dramatically minimize the impact of the attack method” Khanashvili continued.

Hunters has created a proof-of-concept tool (full details are included in the full research) to assist organizations in detecting DWD misconfigurations, increasing awareness, and reducing DeleFriend’s exploitation risks. Using this tool, red teams, pen testers, and security researchers can simulate attacks and locate vulnerable attack paths of GCP IAM users to existing delegations in their GCP Projects to evaluate (and then improve) the security risk and posture of their Workspace and GCP environments.

Hunters’ Team Axon has also compiled comprehensive research that lays out exactly how the vulnerability works as well as recommendations for thorough threat hunting, detection techniques, and best practices for countering domain-wide delegation attacks.

Hunters responsibly reported DeleFriend to Google as part of Google’s “Bug Hunters” program in August, and are collaborating closely with Google’s security and product teams to explore appropriate mitigation strategies. Currently, Google has yet to resolve the design flaw.

****About Hunters****

Hunters deliver a Security Operations Center (SOC) Platform that reduces risk, complexity, and cost for security teams. An SIEM alternative, Hunters SOC Platform provides data ingestion, built-in and always up-to-date threat detection, and automated correlation and investigation capabilities, minimizing the time to understand and respond to real threats.

Organizations like Booking.com, ChargePoint, Yext, Upwork and Cimpress leverage Hunters SOC Platform to empower their security teams. Hunters is backed by leading VCs and strategic investors including Stripes, YL Ventures, DTCP, Cisco Investments, Bessemer Venture Partners, U.S. Venture Partners (USVP), Microsoft’s venture fund M12, Blumberg Capital, Snowflake, Databricks, and Okta.

****Contact****

Yael Macias at \[email protected\]

Google Workspace Vulnerable to Takeover Due to Domain-Wide Delegation Flaw, Warns Cybersecurity Firm Hunters

By Owais Sultan
Dubbed "DeleFriend," the vulnerability enables attackers to manipulate GCP and Google Workspace delegations without needing the high-privilege Super Admin role on Workspace.
This is a post from HackRead.com Read the original post: Hunters Security: Google Workspace Vulnerable to Takeover Due to Domain-Wide Delegation Flaw

Cybersecurity researchers at Hunters have created a proof-of-concept tool to assist organizations in detecting DWD misconfigurations, increasing awareness, and reducing DeleFriend’s exploitation risks.

BOSTON, MASS. and TEL AVIV, ISRAEL, November 28, 2023 – A severe design flaw in Google Workspace’s domain-wide delegation feature discovered by threat-hunting experts from Hunters’ Team Axon, can allow attackers to misuse existing delegations, enabling privilege escalation and unauthorized access to Workspace APIs without Super Admin privileges.

Such exploitation could result in the theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain. Hunters have responsibly disclosed this to Google and worked closely with them prior to publishing this research.

Domain-wide delegation permits a comprehensive delegation between Google Cloud Platform (GCP) identity objects and Google Workspace applications. In other words, it enables GCP identities to execute tasks on Google SaaS applications, such as Gmail, Google Calendar, Google Drive, and more, on behalf of other Workspace users.

The design flaw, which the team at Hunters has dubbed “DeleFriend,” allows potential attackers to manipulate existing delegations in GCP and Google Workspace without possessing the high-privilege Super Admin role on Workspace, which is essential for creating new delegations.

Instead, with less privileged access to a target GCP project, they can create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled.

The root cause lies in the fact that the domain delegation configuration is determined by the service account resource identifier (OAuth ID), and not the specific private keys associated with the service account identity object.

Additionally, no restrictions for fuzzing of JWT combinations were implemented on the API level, which does not restrict the option of enumerating numerous options for finding and taking over existing delegations.

  
This flaw poses a special risk due to the potential impact described above and is amplified by the following:

*   **Long Life**: By default, GCP Service account keys are created without an expiry date. This feature makes them ideal for establishing backdoors and ensuring long-term persistence.
*   **Easy to hide:** The creation of new service account keys for existing IAMs or, alternatively, the setting of a delegation rule within the API authorization page is easy to conceal. This is because these pages typically host a wide array of legitimate entries, which are not examined thoroughly enough.
*   **Awareness:** IT and Security departments may not always be cognizant of the domain-wide delegation feature. They might especially be unaware of its potential for malicious abuse.
*   **Hard to detect:** Since delegated API calls are created on behalf of the target identity, the API calls will be logged with the victim details in the corresponding GWS audit logs. This makes it challenging to identify such activities.

“The potential consequences of malicious actors misusing domain-wide delegation are severe. Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain,” says Yonatan Khanashvili of Hunters’ Team Axon.

The range of possible actions varies based on the OAuth scopes of the delegation. For instance, email theft from Gmail, data exfiltration from the drive, or monitoring meetings from Google Calendar.

To execute the attack method, a particular GCP permission is needed on the target Service Accounts. However, Hunters observed that such permission is not an uncommon practice in organizations making this attack technique highly prevalent in organizations that don’t maintain a security posture in their GCP resources.

“By adhering to best practices, and managing permissions and resources smartly, organizations can dramatically minimize the impact of the attack method” Khanashvili continued.

Hunters has created a proof-of-concept tool (full details are included in the full research) to assist organizations in detecting DWD misconfigurations, increasing awareness, and reducing DeleFriend’s exploitation risks. Using this tool, red teams, pen testers, and security researchers can simulate attacks and locate vulnerable attack paths of GCP IAM users to existing delegations in their GCP Projects to evaluate (and then improve) the security risk and posture of their Workspace and GCP environments.

Hunters’ Team Axon has also compiled comprehensive research that lays out exactly how the vulnerability works as well as recommendations for thorough threat hunting, detection techniques, and best practices for countering domain-wide delegation attacks.

Hunters responsibly reported DeleFriend to Google as part of Google’s “Bug Hunters” program in August, and are collaborating closely with Google’s security and product teams to explore appropriate mitigation strategies. Currently, Google has yet to resolve the design flaw.

****About Hunters****

Hunters deliver a Security Operations Center (SOC) Platform that reduces risk, complexity, and cost for security teams. An SIEM alternative, Hunters SOC Platform provides data ingestion, built-in and always up-to-date threat detection, and automated correlation and investigation capabilities, minimizing the time to understand and respond to real threats.

Organizations like Booking.com, ChargePoint, Yext, Upwork and Cimpress leverage Hunters SOC Platform to empower their security teams. Hunters is backed by leading VCs and strategic investors including Stripes, YL Ventures, DTCP, Cisco Investments, Bessemer Venture Partners, U.S. Venture Partners (USVP), Microsoft’s venture fund M12, Blumberg Capital, Snowflake, Databricks, and Okta.

**_RELATED ARTICLES_**

1.  **APTs Exploiting WinRAR 0day Flaw Despite Patch Availability**
2.  **15 Best SaaS SEO Experts That Will Help You Dominate Online**
3.  **Google Reveals ‘Reptar’ Vulnerability Threatening Intel Processors**

Hunters Security: Google Workspace Vulnerable to Takeover Due to Domain-Wide Delegation Flaw

Many organizations are curious about the idea of threat hunting, but what does this really entail? In this video, four experienced security professionals from across Cisco recently sat down to discuss the basics of threat hunting, and how to go about searching for the unknown.

Tuesday, November 28, 2023 08:00

Many organizations are curious about the idea of threat hunting, but what does this really entail?  

What should you be hunting for? And what do you need to put in place to threat hunt properly? 

Four experienced security professionals from across Cisco recently sat down to discuss the basics of threat hunting, and how to go about “searching for the unknown.” In this video, we cover: 

*   The core principles of threat hunting. 
*   What are attackers looking for? And therefore, what should defenders be putting in place? 
*   Stories and experiences of threat hunting. 
*   How to approach failure.  

Talos Incident Response can help organizations review specific areas of your network and its systems for indicators of potential compromise. Threat hunting is hypothesis-driven and backed by the most current threat intelligence available from Talos. 

If you are interested in how Talos Incident Response can help you with your threat hunting goals, or even help you plan a compromise assessment, take a look at the various services our team can help you with.

Tag

#cisco