Popular titles on both Google Play and Apple's App Store include hardcoded and unencrypted AWS and Azure credentials in their codebases or binaries, making them vulnerable to misuse by threat actors.

Source: Aleksia via Alamy Stock Photo

Several widely used mobile apps, some with millions of downloads, expose hardcoded and unencrypted credentials to cloud services within their code bases, researchers from Symantec have found. This potentially allows anyone with access to the app’s binary or source code to extract the credentials to exploit cloud infrastructure for misuse.

Popular apps for both Android and iPhone devices include credentials for either Amazon Web Services (AWS) and Microsoft Azure Blog Storage within their code, Symantec revealed in a blog post this week. And they're found on each device platform’s respective official mobile app store: Google Play and Apple's App Store.

"This dangerous practice means that anyone with access to the app's binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches," Symantec engineers wrote in the post.

Further, the "widespread nature" of the vulnerabilities across apps for both iOS and Android platforms "underscores the urgent need for a shift towards more secure development practices" when it comes to mobile applications, they added.

Symantec’s research zeroed in on a number of widely distributed mobile applications that included either AWS or Azure credentials in their codebases. In terms of the former, both Android and iOS apps are guilty of credential exposure, while several Android apps expose Azure storage credentials.

Related:SoftwareOne Launches Cloud Competency Centre in Malaysia

For example, an app called The Pic Stitch: Collage Maker found on the Google Play store contains hardcoded AWS production credentials — including the production Amazon S3 bucket name, the read and write access keys, and secret keys — in its codebase, the researchers found. It also reveals staging credentials in some cases.

**iOS Apps With Serious Security Risks**

Meanwhile, three iOS apps examined by Symantec also were found to expose AWS credentials. One called Crumbl, which has more than 3.9 million user ratings and is ranked No. 5 in the Food & Drink category on the Apple App Store, initializes an AWSStaticCredentialsProvider with plaintext credentials. The credentials, which are used to configure AWS services, include both an access key and secret key.

Furthermore, the app also includes another "significant security oversight" by including a WebSocket Secure (WSS) endpoint within its code. This endpoint, part of the Amazon API URL, is hardcoded with an API Gateway that directly connects to the Internet of Things services on AWS.

"Exposing such URLs alongside static credentials makes it easier for attackers to potentially intercept or manipulate communications, leading to unauthorized access to the associated AWS resources," the engineers wrote. Thus, this vulnerable configuration, without proper encryption or obfuscation, "presents a serious risk to the integrity of the application and its backend infrastructure," they noted.

Related:Unmanaged Cloud Credentials Pose Risk to Half of Orgs

Two other iOS apps with hundreds of thousands of App Store ratings also expose AWS credentials by hardcoding them directly within their code; the apps are Eureka: Earn Money for Surveys and Videoshop – Video Editor.

The former allocates an INMAWSCredentials object and initializes it with the access key and secret key, both stored in plaintext and which can be used to log events to AWS, "exposing critical cloud resources to potential attacks," the engineers said.

The latter directly embeds unencrypted AWS credentials in the \[VSAppDelegate setupS3\] method, which means anyone with access to the app's binary could easily extract them. This would give them unauthorized access to the associated S3 buckets and potentially lead to data theft or manipulation.

**Android Apps Expose Azure Credentials**

Similarly, three Android applications expose credentials to Microsoft Azure Blob Storage directly, via either their binaries or codebases, Symantec found.

Related:Cisco Disables DevHub Access After Security Breach

An Indian ride-sharing app, Meru Cabs — which has more than 5 million downloads on Google Play — includes hardcoded Azure credentials within its UploadLogs service by embedding a connection string that includes an account key. "This connection string is used to manage log uploads, exposing critical cloud storage resources to potential abuse," the engineers wrote.

Sulekha Business, another Android app with more than 500,000 downloads, embeds multiple hardcoded Azure credentials used for various purposes — such as adding posts, handling invoices, and storing user profiles — across its codebase.

A third Android app that also has more than 500,000 downloads, ReSound Tinnitus Relief, also hardcodes Azure Blob Storage credentials for managing various assets and sound files, the exposure of which could lead to unauthorized access and data breaches.

**Mitigation Begins With App Development**

Symantec’s findings come a day after the release of a report by Datadog that found that unmanaged credentials that live for too long on a cloud-based network posed a security risk to half of organizations. Indeed, any inadvertent disclosure of credentials to cloud services exposes any organization with network infrastructure, software, or other assets running on them to significant risk, according to Symantec.

A good place to start to mitigate these risks is in the development of applications, where developers should follow best practices for managing sensitive information. They include the use of environment variables to store sensitive credentials so they are loaded at runtime rather than embedded directly in the app's code, according to Symantec.

Developers also should use dedicated secrets management tools, such as AWS Secrets Manager or Azure Key Vault, to securely store and access credentials. If the credentials must be stored in the app, then they should ensure that they use strong encryption algorithms, and decrypt them at runtime as needed.

According to Symantec, another way to protect credentials and also avoid other potential app-development missteps is to integrate automated security-scanning tools into the development pipeline to detect common security flaws early in the development process.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Mobile Apps With Millions of Downloads Expose Cloud Credentials

WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns.

Wednesday, October 23, 2024 06:02

*   WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. 
*   WarmCookie, observed being used for initial access and persistence, offers a means for continuous long-term access to compromised environments and is used to facilitate delivery of additional malware such as CSharp-Streamer-RAT and Cobalt Strike. 
*   Post-compromise intrusion activity associated with WarmCookie overlaps with previously observed activity we attribute to TA866.  
*   We assess that WarmCookie was likely developed by the same threat actor(s) as Resident backdoor, a post-compromise implant previously deployed in intrusion activity that Cisco Talos attributes to TA866.  

**What is WarmCookie? **

WarmCookie, also known as BadSpace, is a malware family that has been distributed since at least April 2024. Throughout 2024, we have observed several distribution campaigns conducted using a variety of lure themes to entice victims to take actions that result in malware infection.  

These campaigns typically rely on malspam or malvertising to initiate the infection process that results in the delivery of WarmCookie. WarmCookie offers a variety of useful functionality for adversaries including payload deployment, file manipulation, command execution, screenshot collection and persistence, making it attractive to use on systems once initial access has been gained to facilitate longer-term, persistent access within compromised network environments.  

In previously analyzed intrusion activity involving WarmCookie, we have observed that it is used as an initial payload and that CSharp-Streamer-RAT and Cobalt Strike were delivered following the initial WarmCookie infection.  

While analyzing the campaigns, intrusion activity, and infrastructure associated with WarmCookie over the course of 2024, we also identified multiple overlaps with activity conducted by TA866 in 2023. 

**Typical infection chains **

As previously mentioned, we have observed WarmCookie campaigns being conducted since at least April 2024. These campaigns rely on malspam or malvertising to facilitate the delivery of malicious content.  

In the case of malspam, we have observed consistent use of invoice-related and job agency themes that entice victims to access hyperlinks present in either the email body, or within attached documents, such as PDFs.  

Examples of common message subjects observed in campaigns conducted between April and August 2024 are listed below. 

*   United Rentals Inc: Invoice# [0-9]{9}\-[0-9]{3} 
*   Invoice and Remittance

In a recent campaign conducted in August, the messages contained PDF attachments. The attachment filenames were randomized but typically use the following format. 

*   Attachment_[0-9]{3}\-[0-9]{3}\.pdf

While there have been variations over time, below is a representative example of one of these emails and the associated PDF attachment. 

__WarmCookie emails and attachments.__

The PDFs contain hyperlinks that direct victims to web servers hosting malicious JavaScript files that continue the infection process. 

We have also observed WarmCookie campaigns leveraging infrastructure associated with traffic distribution and malware delivery systems. In one early campaign, we observed the use of the LandUpdates808 cluster of infrastructure described here. In observed cases, malicious JavaScript downloaders were being hosted at the following paths on servers associated with the LandUpdates808 cluster of web servers. 

/wp-content/upgrade/update\[.\]php

Regardless of whether the delivery stage of the attack was conducted via malspam or malvertising, an obfuscated JavaScript downloader is delivered that is responsible for continuing the infection process. We have observed the use of ZIP archives to compress the JavaScript file and the delivery of the JavaScript file directly from the distribution infrastructure.  

When executed, it deobfuscates and executes a PowerShell command that uses Bitsadmin to retrieve and execute the WarmCookie DLL using syntax, like that shown below. 

__PowerShell execution.__

We have observed a relatively small number of distribution servers hosting WarmCookie DLLs compared to the infrastructure used in earlier stages of the infection chain.  

**WarmCookie **

The main WarmCookie payload has been extensively analyzed in prior reporting here and here. While performing this research, newly observed WarmCookie samples were reported on social media during September 2024. We observed significant additions and changes in this latest version that demonstrate the threat actor is continuing to improve their tooling.  

We observed changes to the way the malware is executed and how persistence is achieved on infected systems. As described in prior reporting, the malware is typically delivered and executed as a PE DLL or a PE EXE. If the payload is in the DLL format, it is typically executed with specific command-line parameters that determine whether persistence should be achieved.  

In previous WarmCookie samples the execution was consistent with the following: 

rundll32.exe <DLL\_Filename>,Start /p

In the latest samples analyzed, this command-line syntax has been modified as follows: 

rundll32.exe <DLL\_Filename>,Start /u

Additionally, the user agent used during C2 communications in previous WarmCookie samples featured extraneous spaces not consistent with normal user agent strings seen in the wild. This allowed for easy detection of WarmCookie C2 activity via network traffic inspection. In the latest WarmCookie samples, this mistake has been corrected. Below is a comparison between the old and new user agent strings used during C2 communications. 

Old User Agent: 

Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)

New User Agent: 

Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

We also observed the inclusion of a new self-updating mechanism that would enable an attacker to dynamically deliver updates to WarmCookie via the C2 server, however, this functionality did not appear to be fully implemented in the analyzed sample at the time. 

In the latest sample, changes were made to the sandbox detection mechanism present in the malware where some checks present in previous versions have been removed. 

__WarmCookie sandbox detection.__

Several changes to the C2 commands supported by the malware have also been made in the latest WarmCookie samples analyzed. The command to remove persistence and the malware itself has been deleted. New commands have been added as follows: 

*   **Command 0x8:** Supports the creation of a DLL file received from the C2 server that is assigned a temporary filename and then executed by WarmCookie.   
*   **Command 0xA**: Appears to be a prepared update command, it is like Command 0x8, but adds hardcoded parameters to the DLL:    
    C:\Windows\System32\rundll32.exe <tmpfilename.dll> Start /update
*   **Command 0xB**: Supports moving the malware to a temporary file name and location and deletes the previously scheduled task. It prepends the string ‘dat’ to the temporary filename. It also exits the C2 loop, leading to termination of the malware process. 

During the malware’s initialization and startup phase, the /update parameter of the Command 0xA is checked to determine if the parameter was set. Regardless of the result of this check, the same function is executed, as shown below. 

WarmCookie update parameter. 

Analysis suggests that the malware will continue to evolve moving forward as the threat actor continues to improve on it and adds additional functionality as needed. 

**Links to past intrusion activity **

While analyzing the distribution campaigns, infrastructure used, and post-compromise intrusion activity associated with WarmCookie, we identified multiple overlaps with previously observed malicious activity.  

In earlier WarmCookie distribution campaigns, threat actors relied on lures that appear as if they were associated with talent/job search agencies. As mentioned here, the lure documents and landing pages associated with this campaign are like those used by distributors of Ursnif in past campaigns.  

While analyzing intrusion activity associated with WarmCookie, we observed the deployment of CSharp-Streamer-RAT as a follow-on payload following the initial system compromise. CSharp-Streamer-RAT is a full-featured remote access trojan that offers robust functionality as described here.  

In this case, the sample reached out to a C2 server that was configured to use an SSL certificate that appeared to have been programmatically generated with several fields randomly populated. Using Regular Expressions to identify other servers with similar SSL characteristics, we identified three additional C2 servers, all previously associated with CSharp-Streamer-RAT samples. One of these C2 servers was observed being used by a CSharp-Streamer-RAT sample we identified in a previous intrusion that we assess with high confidence was conducted by TA866.  

The screenshot below shows the relevant fields present within the SSL certificate associated with the CSharp-Streamer-RAT C2 server observed in previous intrusion activity we attribute to TA866.  

__Previous CSharp-Streamer-RAT C2 SSL certificate.__

Below is an example of one of the SSL certificates associated with the CSharp-Streamer-RAT C2 server observed in recent WarmCookie intrusion activity. 

__Recent CSharp-Streamer-RAT C2 SSL certificate.__

Based on analysis of the system involved in this prior intrusion activity, we assess with high confidence that TA866/Asylum Ambuscade deployed CSharp-Streamer-RAT while directly operating on the system leading up to, during, and after its deployment. In the recent WarmCookie case, we also assess with high confidence that the attacker who deployed WarmCookie also deployed CSharp-Streamer-RAT following the initial compromise.

**WarmCookie vs. Resident backdoor **

As referenced here, and in prior reporting, TA866/Asylum Ambuscade has been observed delivering a post-compromise implant called Resident backdoor in prior intrusion activity. Prior reporting on WarmCookie has alluded to observed links between Resident backdoor and WarmCookie.

We performed a code and function level analysis of Resident backdoor samples from previous intrusion activity and WarmCookie samples from September 2024 and observed several notable similarities in the way core functionality has been implemented across both malware families. WarmCookie appears to contain much of the same functionality as Resident backdoor but has been significantly extended to support additional functionality.  

We assess that both were likely developed by the same entity based on the following analysis findings: 

*   The RC4 implementation is consistent across both malware families. 
*   The RC4 string decryption function implementation is consistent across both malware families. 
*   Mutex management is performed consistently across both malware families. 
*   Both malware families use GUID-like strings for the mutex. 
*   The way in which various functions were constructed and the coding conventions used is consistent. 
*   The definition of scheduled tasks to achieve persistence is consistent. 
*   Both malware families wait one minute before executing the scheduled task. 
*   The directory, file schema and parameters are similar in both malware families.  
*   The initial startup logic and command line parameter implementation are similar. 

**Code similarity analysis **

We conducted a similarity analysis of the code execution flow between both Resident backdoor and a recent WarmCookie sample that was shared on social media. We observed consistent implementation of core functionality across both as well as consistent use of coding conventions across both malware families. 

**Task Scheduler implementation **

If the malware is initially executed without supplying any parameters, both Resident and WarmCookie first determine if the initially launched application was a PE DLL or an PE EXE. Depending on the result, they either create a filename with the extension “.dll" or “.exe". Also based on the results of this test, they both create a scheduled task via the Windows Task Scheduler, which spawns a copy of the malware after waiting for 60 seconds. In the case that the initially launched application was a PE DLL, rundll32.exe is used to launch the malware. In the case of a PE EXE file, it is executed directly.  

They both attempt this in the %ALLUSERSPROFILE% directory, if that fails, they try it again in %ALLDATA% directory. 

__WarmCookie startup parameters.__

__WarmCookie persistence mechanism.__

__Resident backdoor startup parameters.__

__Resident backdoor persistence mechanism.__

__Resident backdoor persistence mechanism (cont’d).__

The overall startup logic is also the same in both Resident backdoor and WarmCookie. At the beginning of the startup process both check to determine if the malware was executed with a command line switch. In the case of the Resident backdoor, it is ‘/p’; in the case of WarmCookie it is ‘/u’. This parameter tells the application whether it is the first instance of itself or if the running version is the former copied version, which was previously made persistent via the Task Scheduler. This prevents multiple scheduled tasks from being created once the malware has achieved persistence.  

__WarmCooke startup logic.__

__Resident backdoor startup logic.__

One slight difference is that Resident uses the hardcoded string ‘RtlUpd’ to generate the filename for the scheduled task, whereas WarmCookie uses a hardcoded list of company names and randomly selects one, as shown below: 

__WarmCookie filename list.__

Based on our analysis of Resident backdoor and WarmCookie, we assess that they were likely developed by the same entity. While there are significant overlaps in the code and functionality implementations across Resident backdoor and WarmCookie, WarmCookie contains significantly more robust functionality and command support compared to Resident backdoor. Additionally, while WarmCookie has typically been deployed as an initial access payload in intrusion activity we have analyzed, Resident backdoor was deployed post-compromise following the deployment of several other components such as WasabiSeed, Screenshotter and AHK Bot.  

Given the differences in functionality and where each is encountered in the attack lifecycle, we classify Resident and WarmCookie as separate malware families that have been developed by the same threat actor. 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

 Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The following Snort rule(s) have been developed to detect activity associated with this malicious activity.  

*   Snort 2 SIDs: 64139, 64140, 64141, 64142, 64143, 64144, 64145, 64146, 64147, 64148, 64149, 64150, 64151, 64152, 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162. 
*   Snort 3 SIDs: 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162, 301044, 301045, 301046, 301047, 301048, 301049, 301050.  

The following ClamAV signatures have been developed to detect activity associated with this malicious activity.  

*   Js.Downloader.Agent-10022279-0  
*   Vbs.Downloader.Agent-10022291-0  
*   Win.Trojan.WasabiSeed-10022304-0  
*   Js.Trojan.Screenshotter-10022306-0  
*   Js.Trojan.Agent-10022307-0  
*   Win.Trojan.Lazy-10022308-0  
*   Win.Trojan.Screenshotter-10022309-0  
*   PUA.Win.Tool.NetPing-10022493-0  
*   Win.Malware.CobaltStrike-10022494-0  
*   PUA.Win.Tool.AutoHotKey-10022305-1  
*   PUA.Win.Tool.RemoteUtilities-9869515-0  
*   PUA.Win.Tool.AdFind-9962378-0   
*   Txt.Downloader.AHKBot-10024463-0  
*   Ps1.Malware.CobaltStrike-10024466-0  
*   Win.Infostealer.Rhadamanthys-10024467-0  
*   Txt.Infostealer.Rhadamanthys-10024468-0  
*   Win.Backdoor.Agent-10025011-0  
*   Vbs.Trojan.Screenshotter-10025015-0  
*   Win.Malware.Warmcookie-10036688-0 
*   Win.Malware.CSsharpStreamer-10036641-0 

**Indicators of Compromise **

Indicators of compromise associated with WarmCookie/BadSpace activity can be found in our GitHub repository here.

Threat Spotlight: WarmCookie/BadSpace

TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020.

Highlighting TA866/Asylum Ambuscade Activity Since 2021

Russian-speaking users have become the target of a new phishing campaign that leverages an open-source phishing toolkit called Gophish to deliver DarkCrystal RAT (aka DCRat) and a previously undocumented remote access trojan dubbed PowerRAT.
"The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim's intervention to trigger the

Russian-speaking users have become the target of a new phishing campaign that leverages an open-source phishing toolkit called Gophish to deliver DarkCrystal RAT (aka DCRat) and a previously undocumented remote access trojan dubbed PowerRAT.

"The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim's intervention to trigger the infection chain," Cisco Talos researcher Chetan Raghuprasad said in a Tuesday analysis.

The targeting of Russian-speaking users is an assessment derived from the language used in the phishing emails, the lure content in the malicious documents, links masquerade as Yandex Disk ("disk-yandex\[.\]ru"), and HTML web pages disguised as VK, a social network predominantly used in the country.

Gophish refers to an open-source phishing framework that allows organizations to test their phishing defenses by leveraging easy-to-use templates and launch email-based campaigns that can then be tracked in near real-time.

The unknown threat actor behind the campaign has been observed taking advantage of the toolkit to send phishing messages to their targets and ultimately push DCRat or PowerRAT depending on the initial access vector used: A malicious Microsoft Word document or an HTML embedding JavaScript.

When the victim opens the maldoc and enables macros, a rogue Visual Basic (VB) macro is executed to extract an HTML application (HTA) file ("UserCache.ini.hta") and a PowerShell loader ("UserCache.ini").

The macro is responsible for configuring a Windows Registry key such that the HTA file is automatically launched every time a user logs into their account on the device.

The HTA file, for its part, drops a JavaScript file ("UserCacheHelper.lnk.js") that's responsible for executing the PowerShell Loader. The JavaScript is executed using a legitimate Windows binary named "cscript.exe."

"The PowerShell loader script masquerading as the INI file contains base64 encoded data blob of the payload PowerRAT, which decodes and executes in the victim's machine memory," Raghuprasad said.

The malware, in addition to performing system reconnaissance, collects the drive serial number and connects to remote servers located in Russia (94.103.85\[.\]47 or 5.252.176\[.\]55) to receive further instructions.

"\[PowerRAT\] has the functionality of executing other PowerShell scripts or commands as directed by the \[command-and-control\] server, enabling the attack vector for further infections on the victim machine."

In the event no response is received from the server, PowerRAT comes fitted with a feature that decodes and executes an embedded PowerShell script. None of the analyzed samples thus far have Base64-encoded strings in them, indicating that the malware is under active development.

The alternate infection chain that employs HTML files embedded with malicious JavaScript, in a similar vein, triggers a multi-step process that leads to the deployment of DCRat malware.

"When a victim clicks on the malicious link in the phishing email, a remotely located HTML file containing the malicious JavaScript opens in the victim machine's browser and simultaneously executes the JavaScript," Talos noted. "The JavaScript has a Base64-encoded data blob of a 7-Zip archive of a malicious SFX RAR executable."

Present within the archive file ("vkmessenger.7z") – which is downloaded via a technique called HTML smuggling – is another password-protected SFX RAR that contains the RAT payload.

It's worth noting that the exact infection sequence was detailed by Netskope Threat Labs in connection with a campaign that leveraged fake HTML pages impersonating TrueConf and VK Messenger to deliver DCRat. Furthermore, the use of a nested self-extracting archive has been previously observed in campaigns delivering SparkRAT.

"The SFX RAR executable is packaged with the malicious loader or dropper executables, batch file, and a decoy document in some samples," Raghuprasad said.

"The SFX RAR drops the GOLoader and the decoy document Excel spreadsheet in the victim machine user profile applications temporary folder and runs the GOLoader along with opening the decoy document."

The Golang-based loader is also designed to retrieve the DCRat binary data stream from a remote location through a hard-coded URL that points to a now-removed GitHub repository and save it as "file.exe" in the desktop folder on the victim's machine.

DCRat is a modular RAT that can steal sensitive data, capture screenshots and keystrokes, and provide remote control access to the compromised system and facilitate the download and execution of additional files.

"It establishes persistence on the victim machine by creating several Windows tasks to run at different intervals or during the Windows login process," Talos said. "The RAT communicates to the C2 server through a URL hardcoded in the RAT configuration file \[...\] and exfiltrates the sensitive data collected from the victim machine."

The development comes as Cofense has warned of phishing campaigns that incorporate malicious content within virtual hard disk (VHD) files as a way to avoid detection by Secure Email Gateways (SEGs) and ultimately distribute Remcos RAT or XWorm.

"The threat actors send emails with .ZIP archive attachments containing virtual hard drive files or embedded links to downloads that contain a virtual hard drive file that can be mounted and browsed through by a victim," security researcher Kahng An said. "From there, a victim can be misled into running a malicious payload."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans

GoDaddy flagged a ClickFix campaign that infected 6,000 sites in a one-day period, with attackers using stolen admin credentials to distribute malware.

Source: Primakov via Shutterstock

Threat actors have taken a campaign that uses fake browser updates to spread malware to a new level, weaponizing scores of WordPress plug-ins to deliver malicious infostealing payloads, after using stolen credentials to log in to and infect thousands of websites.

Domain registrar GoDaddy is warning that a new variant of malware disguised as a fake browser update known as ClickFix infected more than 6,000 WordPress sites in a one-day period from Sept. 2 to Sept. 3.

Threat actors used stolen WordPress admin credentials to infect compromised websites with malicious plug-ins as part of an attack chain unrelated "to any known vulnerabilities in the WordPress ecosystem," GoDaddy principal security engineer Denis Sinegubko wrote in a recent blog post.

"These seemingly legitimate plugins are designed to appear harmless to website administrators, but contain embedded malicious scripts that deliver fake browser update prompts to end users," he wrote.

The campaign leverages fake WordPress plug-ins that inject JavaScript leading to ClickFix fake browser updates, which use blockchain and smart contracts to obtain and deliver malicious payloads. Attackers use social engineering strategies to trick users into thinking they are updating their browser, but instead they are executing malicious code, "ultimately compromising their systems with various types of malware and information stealers," Sinegubko explained.

Related:Samsung Zero-Day Vuln Under Active Exploit, Google Warns

**Related, Yet Separate Campaigns**

It should be mentioned that ClearFake, widely identified in April, is another fake browser update activity cluster that compromises legitimate websites with malicious HTML and JavaScript. Initially it targeted Windows systems, but later spread to macOS as well.

Researchers have linked ClickFix to ClearFake, but the campaigns as described by various analysts have numerous differences and are likely separate activity clusters. GoDaddy claims to have been tracking ClickFix malware campaign since August 2023, spotting it on more than 25,000 compromised sites worldwide. Other analysts at Proofpoint detailed ClickFix for the first time earlier this year.

The new ClickFix variant as described by GoDaddy is spreading fake browser update malware via bogus WordPress plug-ins with generic names such as "Advanced User Manager" and "Quick Cache Cleaner," according to the post.

"These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end users," Sinegubko wrote.

Related:Bad Actors Manipulate Red-Team Tools to Evade Detection

All information in the plug-in metadata is fake, including the plug-in name, URL, description, version, and author, but appears plausible at first glance and wouldn't raise suspicion immediately, according to GoDaddy.

**Automation Used to Scale Campaign**

Further analysis detected automation in the naming convention of the plug-ins, with researchers noting a JavaScript file naming pattern consisting of the first letter of each word in the plug-in name, appended with "-script.js."

For example, the Advanced User Manager plug-in contains the aum-script.js file, according to the researchers, who used this naming convention to detect other malicious plug-ins related to the campaign, such as Easy Themes Manager, Content Blocker, and Custom CSS Injector.

The plug-in and author URIs also frequently reference GitHub, but analysis showed that repositories associated with the plug-in don't actually exist. Moreover, the GitHub usernames followed a systematic naming convention linked to the plug-in names, which "indicates an automated process behind the creation of these malicious plugins," Sinegubko wrote.

Indeed, the researchers eventually discovered that the plug-ins are systematically generated using a common template, allowing "threat actors to rapidly produce a large number of plausible plugin names, complete with metadata and embedded code designed to inject JavaScript files into WordPress pages," Sinegubko wrote. This allowed attackers to scale their malicious operations and add an additional layer of complexity for detection.

Related:The Lingering 'Beige Desktop' Paradox

**Credential Theft as Initial Entry?**

GoDaddy isn't clear on how attackers acquired WordPress admin credentials to initiate the latest ClickFix campaign, but it noted that potential vectors include brute-force attacks and phishing campaigns aimed at acquiring legitimate passwords and usernames. 

Moreover, as the payloads of the campaign itself are the installation of various infostealers on compromised end-user systems, it's possible that the threat actors are collecting admin credentials in this way, Sinegubko observed.

"When talking about infostealers, many people think about bank credentials, crypto-wallets and other things of this nature, but many stealers can collect information and credentials from a much wider range of programs," he noted.

Another possible scenario is that the residential IP addresses from which the fake plug-ins were installed could belong to a botnet of infected computers that the attackers use as proxies to hack websites, according to GoDaddy.

Because the campaign includes the theft of legitimate credentials to log in to WordPress sites, people are urged to follow general best practices for protecting their passwords as well as avoid interacting with any unknown websites or messages that ask them to divulge private credentials.

GoDaddy also included a long list of indicators of compromise (IoCs) for the campaign — including names of plug-ins and malicious JavaScript files, endpoints to which smart contracts in the campaign connect, and associated GitHub accounts — in the blog post, so defenders can identify if a website has been compromised.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Swarms of Fake WordPress Plug-ins Infect Sites With Infostealers

Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor.

*   Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor.  
*   The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim’s intervention to trigger the infection chain.  
*   Talos discovered an undocumented PowerShell RAT we’re calling PowerRAT,  as one of the payloads and another infamous Remote Access Tool (RAT) DCRAT. 
*   We found a few placeholders for base64 encoded PowerShell scripts in the PowerRAT, indicating that the threat actor is actively developing their tools.  

**Victimology **

Talos assesses with high confidence that the threat actor is targeting Russian-speaking users based on the language used in the Phishing emails, luring contents of Malicious documents, a masqueraded HTML webpage of Vkontake (VK), a popular social media application amongst Russian speakers, especially in Russia, Ukraine, Belarus, Kazakhstan, Uzbekistan, and Azerbaijan.  

 

 

**Actor uses Gophish to send phishing emails **

Our analysis of the malicious hyperlinks embedded in the phishing emails disclosed to us the attacker-controlled hosting domains disk-yanbex\[.\]ru delivered the Malicious Microsoft Word document, and an HTML file embedded with the malicious JavaScript.   

The domain disk-yanbex\[.\]ru resolves to the IP address 34\[.\]236\[.\]234\[.\]165, an AWS EC2 instance with the fully qualified domain name ec2-34-236-234-165\[.\]compute-1\[.\]amazonaws\[.\]com, during our analysis. We also observed that the same server 34\[.\]236\[.\]234\[.\]165 was reverse resolving to another domain e-connection\[.\]ru, which also delivered malicious JavaScript-embedded HTML files. Our further analysis of the server 34\[.\]236\[.\]234\[.\]165 disclosed to us that the actor hosted the Gophish toolkit on the server running at port number 3333. Gophish is an Open-Source easy-to-deploy phishing toolkit that is developed to conduct security awareness training according to the tool’s developer.  

Attacker hosting Gophish.

Talos analysis of the phishing email sample’s header showed us that the email was first delivered from server 34\[.\]236\[.\]234\[.\]165, indicating that the threat actor is misusing the Gophish framework in this campaign to deliver phishing emails to their targets.   

Sample Phishing email header. 

**Multi-modular Campaign delivers PowerRAT and DCRAT  **

The campaign has two initial attack vectors, one based on malicious Word documents and another based on HTML files containing malicious JavaScript. Upon activation, these would lead to the download and activation of PowerRAT or DCRAT depending on the initial vector. Both the attack chains require user intervention to trigger the infections on the compromised machines. 

**Maldoc-based infection delivers PowerRAT **

When a victim opens the Microsoft Word document and enables the view contents button displayed in the document banner, the malicious VB macro program executes.  

The macro program initially executes a function that decodes or translates specific encoded symbols in the lure contents of the Word document into their corresponding characters from another alphabet in Cyrillic, transforming the lure contents into readable form. 

We spotted a base64 encoded data blob on the third page of the Word document and the actor used the text color the same as that of the document's default background color, hiding them from the victim’s view.  

To identify the hidden encoded data, the macro executes a function that searches for specific strings such as “DigitalRSASignature:” and “CHECKSUM” in the content section of the Word document, and when found, it copies the data following the search strings to an array.  

To decode the base64 encoded data blob, the actor uses a custom function called CheckContent() in the macro. It removes any “=” characters which are the padding characters in the encoded data blob and decodes them into two parts in a byte array. The first part is the contents of a malicious HTML application (HTA) file and the second is a PowerShell loader.  

The macro drops the decoded contents of the malicious HTA file to “UserCache.ini.hta” and the PowerShell loader into “UserCache.ini” in the victim machine's current user profile folder.   

The actor has abused the Windows NT current version autorun registry key called “LOAD”. The registry key “HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LOAD” is used by Windows to automatically launch applications or processes when a user logs into their account. Specifically, this key stores information about programs that are set to load upon user login. It works similarly to other startup mechanisms in Windows (such as the Startup folder or the Run registry keys), but this specific key is less commonly used. The macro after dropping the malicious HTA and the PowerShell loader script in the victim machine user profile folder, it configures the registry key “HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LOAD” with the value “C:\\Users\\<Username>\\UserCache.ini.hta”. 

Finally, the macro checks if there are any headers in the Word documents and deletes the contents of the headers from all sections of the Word document.  

The malicious HTA “UserCache.ini.hta” is executed through the LOAD registry key when a victim logs into the machine. It drops a JavaScript called “UserCacheHelper.lnk.js” in the victim machine user profile folder and writes a single line code embedding with a PowerShell command to execute the dropped PowerShell Loader masquerading as “UserCache.ini” file. The HTA file executes the JavaScript “UserCacheHelper.lnk.js” using the LOLbin “cscript.exe”. 

Sample of malicious HTA file.

The dropped JavaScript “UserCacheHelper.lnk.js” loads the contents of the “UserCache.ini” and executes it using the Invoke-Expression PowerShell command. The PowerShell Loader script masquerading as the INI file contains base64 encoded data blob of the payload PowerRAT, which decodes and executes in the victim’s machine memory.   

Sample PowerShell Loader script embedded with PowerRAT.

**PowerRAT expands the attack vector for further infections  **

Talos discovered a new PowerShell remote access tool as one of the payloads in this campaign we are calling PowerRAT that executes in the victim’s machine memory. It has the functionality of executing other PowerShell scripts or commands as directed by the C2 server, enabling the attack vector for further infections on the victim machine.   

The PowerRAT that executes in the victim machine memory initially checks if the JavaScript “UserCacheHelper.lnk.js” exists in the user profile folder and if not found, it will reinfect the victim machine by performing the actions of the PowerShell loader script described in the previous section. Then it hides the “UserCache.ini” by modifying the file attributes to “Hidden”. 

The PowerRAT performs reconnaissance on the victim’s machine by executing a function GetID() which collects the username, computer name, and the system driver letter through the PowerShell command Get-CimInstance. It also collects the drive serial number through the win32\_volume class of WMIobject.  The collected data is written to memory in the format <Computername\_Username\_drive serial number>. 

After performing the reconnaissance, the PowerRAT attempts to connect to the C2 server by sending the collected data of the victim’s machine using a hardcoded URL through the HTTP GET method.  The C2 servers identified in this campaign are 94\[.\]103\[.\]85\[.\]47 located in Russia with the ASN 48282 of Hosting Technology LTD and 5\[.\]252\[.\]176\[.\]55 also geographically located in Russia with the ASN 39798 of MivoCloud SRL.  

When there is no response from the C2 server, the PowerRAT has a placeholder function called offlineworker() that has the functionality to decode an embedded base64 encoded string of a PowerShell script and executes it using the Invoke-Expression command. The actor has built this functionality to keep the infection alive in the victim machine even if the victim's environment detects the malicious C2 traffic and blocks the connection. We didn’t see any embedded base64 encoded strings in the PowerRAT sample that we analyzed and is likely a placeholder, indicating that the actor is actively developing and updating their tools.  

The PowerRAT generates a random number between 7 - 23 and pauses its execution for (300 + random number) seconds and re-attempts to connect to the C2 server continuously waiting for a response. During our analysis, the C2 servers were not responding, and still, our further analysis of the PowerRAT showed us that the C2 server will likely respond with an XML configuration file having multiple modules with embedded base64 encoded PowerShell commands or scripts.   

The PowerRAT has the functionality to parse the received XML file and search for the sections called config.  It periodically executes the embedded encoded PowerShell commands or scripts, according to their defined intervals and run limits. The PowerRAT continues to run until all commands or scripts in the config sections are executed the required number of times.   

**HTML-based infection delivers DCRAT **

Talos discovered that the threat actor is also using HTML files embedded with malicious JavaScript in this campaign that are delivered to the victims through the malicious links in the phishing email, leading to the infection of the DCRAT payload.  

When a victim clicks on the malicious link in the phishing email, a remotely located HTML file containing the malicious JavaScript opens in the victim machine’s browser and simultaneously executes the JavaScript. The JavaScript has a base64 encoded data blob of a 7-ZIP archive of a malicious SFXRAR executable. It decodes the embedded base64 encoded data blob into binary data blob with the type “application/octet-stream” in the memory. A download URL for the binary data blob is created using the URL.createObjectURL() method and assigned to a variable in memory. It calls the click() method on the URL of the binary data blob which triggers the download of the binary data to a 7-Zip archive file. The malicious 7-Zip archive masquerades as the VK messenger application archive file in one of the malicious HTML files and another with a Russian name. The actor is using this technique in the JavaScript function to masquerade as the actual download activity of a file over the internet through a browser.  

A victim must inflate the 7-Zip archive manually to run the SFXRAR executable which is masquerading as the legitimate VK application executable which leads to DCRAT infection. The SFX RAR executable is packaged with the malicious loader or dropper executables, batch file, and a decoy document in some samples.  

When a victim runs the SFX executable, the SFX script drops the packaged files into a folder and executes the batch file which runs another password-protected SFXRAR with the hardcoded password “riverdD” and runs the DCRAT.   

In another sample, we observed that the SFXRAR drops the GOLoader and the decoy document Excel spreadsheet in the victim machine user profile applications temporary folder and runs the GOLoader along with opening the decoy document.   

Talos observed an overlap of the technique used by the threat actor in this campaign with an earlier SparkRAT attack reported by Hunt researchers in April 2024, indicating that SparkRAT is another payload in the threat actor’s arsenal. 

**GOLoader downloads and runs the DCRAT **

In DCRAT infection, the SFX script runs a malicious Loader executable and simultaneously opens a decoy document. The malicious loader executable we are calling “GOLoader” is compiled in Golang. It modifies the configuration settings for Microsoft Defender Antivirus, specifically by excluding the root directory “C:\\” and the folder “C:\\Users\\$user\\Desktop” in the victim machine by executing the PowerShell commands.  

powershell -Command Add-MpPreference -ExclusionPath 'C:\\Users\\$user\\Desktop'

powershell -Command Add-MpPreference -ExclusionPath 'C:\\'

After configuring the exclusion paths, the GOLoader downloads the DCRAT binary data stream from a remote location through a hardcoded URL and writes it into a dropped executable with the file name “file.exe” in the desktop folder on the victim’s machine. During our analysis, we found that the remote location URL hardcoded in the GOLoader was pointing to a GitHub repository, which was not accessible. However, we found that the hosted payload binary in the GitHub repository is the Dark Crystal RAT (DCRAT) binary based on open-source intelligence data.   

**Threat actor delivers DCRAT **

The payload Dark Crystal RAT (DCRAT) sample that we analyzed in this campaign is a modular RAT associated with plugins to perform the DLL injection and information stealing tasks.  

Key features of the DCRAT sample of this campaign include: 

*   Provides remote control access to the victim machine to the actor who can execute arbitrary commands, manage files, and monitor user activities.  
*   It has the capability of downloading and executing other files on the victim's machine. 
*   With its stealer plugin modules, the RAT can steal sensitive information including credentials, files, and financial information from the victim's machine.  
*   The RAT can take screenshots and capture the keystrokes on the victim's machine. 
*   We found that the RAT creates multiple copies of its binary masquerading as legitimate Windows executables including csrss.exe, dllhost.exe, taskhostw.exe, and winlogon.exe in the folders such as ProgramData, Pictures, Saved Games, and Windows start menu. It drops the embedded modules in the administrator user desktop folder using random file names and with the “.log” file extension.  

C:\\Users\\admin\\Desktop\\zaHrebVC.log

C:\\Users\\admin\\Desktop\\HQLYdHol.log

C:\\Users\\admin\\Desktop\\qJutJUJW.log

C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\taskhostw.exe

C:\\ProgramData\\dllhost.exe

C:\\Users\\Default\\Pictures\\csrss.exe

C:\\Users\\Default\\Saved Games\\winlogon.exe

*   It establishes persistence on the victim machine by creating several Windows tasks to run at different intervals or during the Windows login process. 

Task Scheduler Commands

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\\Users\\Default\\Saved Games\\winlogon.exe'" /f

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\\Users\\Default\\Saved Games\\winlogon.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\\Users\\Default\\Saved Games\\winlogon.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\\Users\\Default\\Pictures\\csrss.exe'" /f

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\\Users\\Default\\Pictures\\csrss.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\\Users\\Default\\Pictures\\csrss.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\\Users\\Public\\dllhost.exe'" /f

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\\Users\\Public\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\\Users\\Public\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\\Users\\All Users\\dllhost.exe'" /f

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\\Users\\All Users\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\\Users\\All Users\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\\Users\\Default\\Start Menu\\taskhostw.exe'" /f

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\\Users\\Default\\Start Menu\\taskhostw.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\\Users\\Default\\Start Menu\\taskhostw.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "filef" /sc MINUTE /mo 13 /tr "'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'" /f

schtasks.exe /create /tn "file" /sc ONLOGON /tr "'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "filef" /sc MINUTE /mo 9 /tr "'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'" /rl HIGHEST /f

*   The RAT communicates to the C2 server through a URL hardcoded in the RAT configuration file as shown in the picture and exfiltrates the sensitive data collected from the victim machine. From other DCRAT samples identified in this campaign, we found another C2 URL “hxxp\[://\]cr87986\[.\]tw1\[.\]ru/L1nc0In\[.\]php”.  

Sample of DCRAT configuration file. 

****Coverage** **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 63963 – 63970, 63971 and 301004. 

ClamAV detections are also available for this threat: 

Win.Downloader.RustAgent-10036537-0 

Win.Downloader.RustAgent-10036538-0 

Win.Downloader.RustAgent-10036539-0 

Win.Downloader.GoAgent-10036540-0 

Win.Backdoor.PowershellRAT-10036541-0 

Win.Phishing.VbsAgent-10036542-0 

Win.Phishing.JsAgent-10036543-0 

Win.Loader.PowershellLoader-10036544-0 

Win.Loader.HtaAgent-10036545-0 

Win.Loader.DonutLoader-10036546-0

**IOCs **

IOCs for this research can be found in our GitHub repository here.

Threat actor abuses Gophish to deliver new PowerRAT and DCRAT

34 sessions from 54 presenters representing 20 organizations! We are thrilled to reveal the lineup of speakers and presentations for the 23rd BlueHat Security Conference, in Redmond WA from Oct 29-30. This year’s conference continues the BlueHat ethos and Secure Future Initiative mission of “Security Above All Else”.
Security researchers and responders from inside and outside of Microsoft will gather on the Microsoft campus in Redmond, WA to share, debate, and challenge each other, with the shared goal of creating a safer and more secure world for all.

**34 sessions from 54 presenters representing 20 organizations!**

We are thrilled to reveal the lineup of speakers and presentations for the 23rd BlueHat Security Conference, in Redmond WA from Oct 29-30.  

This year’s conference continues the BlueHat ethos and Secure Future Initiative mission of “Security Above All Else”.

Security researchers and responders from inside and outside of Microsoft will gather on the Microsoft campus in Redmond, WA to share, debate, and challenge each other, with the shared goal of creating a safer and more secure world for all.

For those unable to attend in-person sessions will be available to view on demand in the weeks following the conference.

_Please note that session times and order are still subject to change. The final schedule will be published and provided to attendees in advance of the conference._

**Day 1, Tuesday, October 29, 2024**

**Keynote: Chris Wysopal (Weld Pond)**  
Co-founder & Chief Security Evangelist, Veracode

**Track A: Cloud & Identity Security**

**Track B: OS & App Security**

**The two sides of UnOAuthorized** Presented by Eric Woodruff from Semperis and Cameron Vincent from Microsoft

**DCOM Research for Everyone!** Presented by James Forshaw from Google

**Tokens & Takeovers: Cloud-Powered Supply Chain Attacks** Presented by Nitesh Surana from Trend Micro and Gaurav Mathur from Microsoft

**Outlook Unleashing RCE Chaos CVE-2024-30103 & CVE-2024-38021 & CVE-2024-38173** Presented by Michael Gorelik from Morphisec

**Double Agent: Exploiting Pass-through Authentication Credential Validation in Azure AD** Presented by Cymulate

**Pointer Problems – Why We’re Refactoring the Windows Kernel** Presented by Joe Bialek from Microsoft

**Lightning Talks**

**World of Scams - A systematic analysis of online scams using the Scam Tactics and Techniques Framework** Presented by Amit Tambe from F-Secure

**A Security Engineer’s Journey: Creating a Developer-Friendly Security Tool** Presented by Susan Krkasharian from Microsoft

**My Best Frenemy: A Synergy Between Red Team and Blue Team in Oracle's SaaS Security** Presented by Svetlana Gaivoronski and David B. Cross from Oracle

**Lessons Learned: Scaling Out Securing Open Source** Presented by Zachary Steindler from Microsoft

**Entitlements on macOS and why they matter** Presented by Yves Younan from Cisco Talos

**Creating a Transparent Cloud Industry** Presented by Justin T Mourfield and Sesha Machiraju from Microsoft

**How Microsoft is Scaling DAST** Presented by Jason Geffner from Microsoft

**Echoes of Intrusion: Demystifying MS Graph API Attacks** Presented by Miriam Wiesner from Microsoft

**When the Levee Breaks: Exposing Critical Flaws in Wi-Fi Camera Ecosystems** Presented by Mark Mager and Eric Forte from Elastic

**Deprecating Azure AD Graph API is Easy and Other Lies We Tell Ourselves** Presented by Nestori Syynimaa from Microsoft

**Sweet QuaDreams or Nightmare Before Christmas? Dissecting an iOS 0-day** Presented by Christine Fossaceca from Microsoft and Bill Marczak from Citizen Lab

**Day 2, Wednesday, October 30, 2024**

**Keynote: Amanda Silver**  
CVP & Head of Product, Developer Division, Microsoft

**Track C: Threat Hunting & Intel**

**Threat D: AI & ML Security**

**Patterns in the Shadows: Scaling Threat Hunting and Intelligence for Modern Adversaries** Presented by Mark Parsons and Colin Cowie from Sophos

**Lessons Learned from Red Teaming 100 Generative AI Applications** Presented by Ram Shankar Siva Kumar and Blake Bullwinkel from Microsoft

**Scaling AppSec With an SDL for Citizen Development** Presented by Michael Bargury from Zenity/OWASP and Don Willits from Microsoft

**Isolation or Hallucination? Hacking AI Infrastructure Providers for Fun and Weights** Presented by Hillai Ben-Sasson and Sagi Tzadik from Wiz

**Embedding Sysmon Logs for Enhanced Threat Detection: A Practical Approach to Using RAG in Cybersecurity** Presented by Jose Rodriguez from George Mason University

**Breaking LLM Applications - Advances in Prompt Injection Exploitation** Presented by Johann Rehberger from embracethered.com

**Lightning Talks**

**Getting "In Tune" with an Enterprise: Detecting Microsoft Intune Lateral Movement** Presented by Brett Hawkins from IBM

**AI's got Muffins- the RAG-a-muffins!!!** Presented by Vivek Vinod Sharma from Microsoft

**Ransomware Resilience: Turning the Tide Against Cyber Extortion** Presented by Tom Williams from True Zero Technologies

**SafeChatAI: Enhancing Cybersecurity Awareness Using Artificial Intelligence** Presented by Ayobami Olatunji from Microsoft

**Firmware Security: The Middle Child of Security** Presented by Nithin Sade from Google

**Three Decades of Network Security Evolution** Presented by Vern Paxson from Corelight

**PyRIT: From LLM Security Research to Practical Attacks** Presented by Richard Lundeen from Microsoft

**MSTIC Ghost Stories - A Threat Intelligence Year in Review** Presented by Rachel Giacobozzi from Microsoft

**SLIP: Securing LLMs IP Using Weights Decomposition** Presented by Adam Hakim from Microsoft

**Minting Silver Bullets is Challenging** Presented by Josh Brown-White from Microsoft

**Automate AI Red Teaming in your existing tool chain with PyRIT** Presented by Joris de Gruyter and Shiven Chawla from Microsoft

To join the conversation and follow along with BlueHat 2024 please follow us on X/Twitter @MSFTBlueHat and on LinkedIn at aka.ms/MSRC-LinkedIn

Looking forward to seeing you all at BlueHat!

_Nic Fillingham, BlueHat Program Manager_

Announcing the BlueHat 2024 Sessions 

The networking company confirms that cyberattackers illegally accessed data belonging to some of its customers.

Source: Sergiy Palamarchuk via Shutterstock

Cisco has disabled public access to one of its DevHub environments after threat actors downloaded some customer data from the site and put it up for sale on a cybercrime forum.

The compromised data included source code, API tokens, hardcoded credentials, certificates, and other secrets belonging to some large companies, including Microsoft, Verizon, T-Mobile, AT&T, Barclays, and SAP.

**Data Heist From Public-Facing Environment**

News of the breach first surfaced a week ago, when researchers spotted three threat actors using the monikers IntelBroker, EnergyWeaponUser, and zjj, putting up the data for sale on BreachForums. IntelBroker is a known Serbian entity that began operations in 2022 and is linked to several major data heists, including ones at Europol, General Electric, and DARPA (Defense Advanced Research Projects Agency).

Cisco announced it was investigating the incident on Oct. 15. Three days later, the company confirmed the security incident in an update that offered little detail on the kind of data that the attackers managed to access and download.

Cisco's own systems appear not to have been affected in the incident. "We have determined that the data in question is on a public-facing DevHub environment — a Cisco resource center that enables us to support our community by making available software code, scripts, etc. for customers to use as needed," Cisco's advisory noted. "At this stage in our investigation, we have determined that a small number of files that were not authorized for public download may have been published."

The company said that, at the moment, there is no evidence the attackers illegally accessed any personal identity data or financial information, but it added that it was still investigating that possibility. "Out of an abundance of caution, we have disabled public access to the site while we continue the investigation," the company said.

In their BreachForums post, the threat actors claimed the data they downloaded from Cisco's DevHub site included GitHub and GitLab projects, source code, Jira tickets, container images, data from AWS storage buckets, and at least some confidential Cisco information.

**Reminder: The Need to Secure Public-Facing Assets**

The Cisco incident is a reminder why organizations need to protect public-facing environments with measures like input validation to protect against injection attacks, strong authentication tools and processes, and regular vulnerability assessments, says Jason Soroko, senior fellow at Sectigo.

Common mistakes organizations make when it comes to securing their public-facing assets include neglecting OWASP guidelines, underestimating security risks, failing to update systems regularly, and not prioritizing secure coding practices, Soroko says: "Don't forget to back up your website code and practice restoring it. Malware detection tools are available that make it easy to regularly scan."

Organizations can sometimes tend to perceive their public-facing assets as less critical when, in reality, they can expose sensitive information that attackers could use for future intrusions, he adds. The data that the attackers obtained in the Cisco incident, for instance, included source code, API tokens, certificates, and credentials that attackers could potentially leverage in a significant way in a future campaign.

Eric Schwake, director of cybersecurity strategy at Salt Security, says various factors contribute to sensitive data ending up on an organization's public-facing environments. "This can occur due to accidental misconfigurations of access controls, human errors in code or file management, inadequate security testing before deployment, or the compromise of third-party services," he says. These oversights can lead to the exposure of sensitive data and create potential entry points for attackers.

Schwake recommends that organizations implement a multilayered security strategy to reduce this risk. "This involves enforcing strict access controls, promoting secure coding practices, conducting thorough security testing, building posture governance standards, and performing regular security assessments," he says. "Using secrets management solutions and continuous monitoring tools can further improve security and protect against unauthorized access to sensitive information."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cisco Disables DevHub Access After Security Breach

As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.

Akira ransomware continues to evolve

A hacker known as “TAINTU” is advertising a “Top Secret U.S. Space Force Military Technology Archive” for sale,…

A hacker known as “TAINTU” is advertising a “Top Secret U.S. Space Force Military Technology Archive” for sale, allegedly containing classified data on advanced space-based defence systems and AI-driven weapons.

A hacker using the alias “TAINTU” is offering what they claim to be 1.45 TB of “top secret USSF military technology archives” for sale, priced at $15,000 in Bitcoin (BTC) or Monero (XMR) cryptocurrency.

The acronym USSF stands for the United States Space Force, the space operations branch of the U.S. Armed Forces. The USSF is responsible for organizing, training, and equipping military personnel for space-related operations.

The ad, viewed by _**Hackread.com**_, was initially posted on the data breach and cybercrime platform Breach Forums on Saturday, October 19, 2024. However, it was removed by the hacker on the same day. When _**Hackread.com**_ inquired about the removal, the hacker explained that the data remains available for sale through underground channels, citing the lack of “seriousness” from users on Breach Forums.

Partial screenshot from the now deleted post (Screenshot: Hackread.com)

**What’s in the Archive?**

The hacker’s use of the term “archive” implies a comprehensive collection of information rather than just a single piece of file/data. The sample data published by the hacker appears to be contains classified leaks from the United States Space Force (USSF), detailing advanced military technologies, space-based weapon systems, future developments, and simulated battle scenarios.

The trove of data also allegedly also includes in-depth technical analyses, project files, and system diagrams from ongoing USSF development programs, with a focus on next-generation orbital defence.

This collection, described as “dozens of files,” holds critical military data, technical diagrams, and performance simulations. It reportedly provides unprecedented insight into next-generation weaponry and space-based defence systems, including the following:

**Directed Energy Weapons (DEW):** Advanced systems optimized for targeting satellites and enemy space infrastructure using high-energy lasers. 

**Quantum Cyber Warfare:** Cutting-edge encryption-breaking technology for intercepting and neutralizing enemy satellite communications. 

**Electromagnetic Pulse (EMP) Systems:** Area-wide electronic grid disruptors, capable of disabling enemy communication, radar, and missile systems over a vast range. 

**AI-Controlled Weapons:** Autonomous targeting systems using advanced machine learning algorithms for real-time satellite interception and space warfare scenarios. 

The archive allegedly contains leaked content such as project files with technical breakdowns and financial allocations for the development of Directed Energy Weapons (DEW), AI-based orbital weapons, and quantum cybersecurity systems. It also includes research on future technologies like antimatter energy and quantum teleportation, schematics and diagrams outline high-orbit defence systems and missile interception strategies, while CSV data files provide comprehensive simulation data on energy consumption and AI response times.

In addition, the files appears to be contain over 20 technical PDF reports covering satellite communication encryption, EMP defence, and AI targeting systems, as well as classified intelligence on adversarial capabilities from nations like China and Russia, and countermeasures for hypersonic missile threats.

The sample files published by the hacker are claimed to be "technical samples extracted directly from the archive." These include PDF files detailing “Phase 3 testing of the Helios *** laser platform,” CSV files containing detailed test results related to high-tech weapons or defence systems—apparently involving directed energy weapons (DEWs) or similar technologies—and a project file snippet outlining the budget and technical progress report for the DEW-\*\*\*1.

The data also includes several diagrams, including one titled “Orbital Defense and Interception Scenarios,” which details a “beam divergence analysis for orbital defence” among other related information. However, due to security concerns and the potential implications of this being a national security breach for the United States, **_Hackread.com_** is refraining from publishing any images or details that could compromise the security of the institution.

**“Exclusive Access and Direct Breach”**

When asked whether the alleged data breach involving a third-party contractor, as seen in the April 2024 case of US defence contractor Acuity Inc., where an Intel Broker hacker leaked ICE and USCIS data, the hacker claimed it was a “direct data breach,” with no third-party firm involved.

“This archive offers exclusive access to classified military technologies currently in development by the USSF. The data covers cutting-edge research, including highly advanced AI-controlled defence systems and quantum-based communication, which are reshaping the future of warfare,” the hacker told _**Hackread.com**_.

“These documents are invaluable to anyone interested in military technology or defence strategies, providing insights into the most advanced space-based weapon systems on the planet.”

The authenticity of the breach has yet to be confirmed. _**Hackread.com**_ has reached out to the Cybersecurity and Infrastructure Security Agency (CISA) for comment. However, the hacker remains confident in the legitimacy of the archive.

1.  **Crimson Palace: Chinese Hackers Stole Military Secrets**
2.  **Military Satellite Access Sold on Russian Forum for $15,000**
3.  **Intel Broker Claims Cisco Breach, Selling Data from Major Firms**
4.  **Russian National Jailed for Smuggling US Military Tech to Russia**
5.  **S3 Buckets Exposed US Military’s Social Media Spying Campaign**

1.  \* indicates redacted information ↩︎

Tag

#cisco