Categories: Threat Intelligence
In September, two high-profile casino breaches taught us about the nuances of the RaaS affiliate landscape, the asymmetric dangers of phishing, and of two starkly different approaches to ransomware negotiation.



(Read more...)




The post Ransomware review: October 2023 appeared first on Malwarebytes Labs.

_This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In September, we recorded a total of 427 ransomware victims. As usual, Lockbit (72) led the charts. New players we observed included LostTrust (53), ThreeAM (10), and CiphBit (8).

Last month, MGM Resorts and Caesar Entertainment made headlines after being attacked by an ALPHV affiliate known as Scattered Spider. Other significant attacks included Sony, targeted by RansomedVC, and Johnson Controls, targeted by Dark Angels.

The attacks on MGM Resorts and Caesar Entertainment—which collectively own most of the casino-hotel properties on the Vegas Strip—resulted in the former losing $100 million in earnings and the latter making a reported $15 million ransom payment to the attackers. In both cases, significant amounts of customer data were stolen.

In other news, both LockBit and the Akira ransomware gang, the latter of which has tallied 125 victims since we first began tracking them in April 2023, were confirmed last month to be exploiting a specific zero-day flaw (CVE-2023-20269) in Cisco VPN appliances. On a related note, the effect of CL0P's MOVEit zero-day campaign was further revealed last month when the National Student Clearinghouse and BORN Ontario Child Registry disclosed data breaches attributed to the group.

Known ransomware attacks by gang, September 2023

Known ransomware attacks by country, September 2023

Known ransomware attacks by industry sector, September 2023

Last month’s two high-profile casino breaches were an interesting case study in the nuances of the RaaS affiliate landscape, the asymmetric dangers of phishing, and of two starkly different approaches to ransomware negotiation.

Primarily hailing from the US and the UK, and founded in May 2022, Scattered Spider launched two casino attacks that have given the group attention on a scale rarely seen with RaaS affiliates—whose attacks are normally grouped under whichever RaaS gang supplied them with the ransomware (in this case, ALPHV).

One possible explanation for Scattered Spider’s unusual spotlight resides in the group's level of sophistication. RaaS, by its very nature, has a low barrier to entry, meaning many affiliates are relatively unsophisticated or possess only moderate technical skills. Scattered Spider, on the contrary, highlights the peril posed when ready-made RaaS software merges with seasoned experience: In both of their casino breaches, the group employed advanced tactics, techniques, and procedures (TTPs), including in-depth reconnaissance, social engineering, and advanced lateral movement techniques. 

Scattered Spider typically kick off their attacks by manipulating employees into granting access, and their breaches of MGM Resorts and Caesar Entertainment began no differently. For the MGM breach, Scattered Spider used LinkedIn to pinpoint an MGM Resorts employee, subsequently impersonating them and contacting the company’s help desk requesting account access. Alarmingly, this ploy unveiled a gaping security flaw at MGM—the absence of a stringent user verification protocol at the service desk. After gaining an initial foothold, they escalated their access to administrative rights and subsequently launched a ransomware attack.

Or, as vx-underground so poetically put it: “A company valued at $33,900,000,000 was defeated by a 10-minute conversation.”

Less specifics are known about the exact social engineering scheme used in the Caesar Entertainment breach, but judging by the company's SEC filing, it’s safe to say Scattered Spider used a similar help desk style scam. Both breaches remind us that, whether ransomware is deployed or not, the human element remains one of the most vulnerable spots in an organization’s defenses.

Additionally, the aftermath of these attacks highlights the absence of a one-size-fits-all solution when it comes to paying attackers ransom. According to the Wall Street Journal, MGM Resorts refused to pay the attackers while Caesars Entertainment, in an effort to prevent their stolen data from being leaked, reportedly paid attackers a ransom worth approximately $15 million. It's worth reiterating, of course, that despite whatever internal calculus Caesars Entertainment made when deciding to pay the ransom, there is no guarantee that attackers will hold up their end of the bargain. The company's public willingness to pay also makes them a vulnerable target for further attacks.

On the other hand, there's no denying that a data leak, especially of sensitive customer or corporate information, can cause a level of reputational harm that some companies might view as impossible to risk taking on—even if it means paying a substantial amount to thieves who may or may not honor their word.

**New Players****LostTrust**

LostTrust is a likely rebrand from the MetaEncryptor ransomware gang we first spotted in August 2023. In September, they had a staggering 53 victims. The reason for the rebrand is unclear at present.

**ThreeAM (3AM)**

ThreeAM, a new ransomware family used as a fallback in failed LockBit attack, had 10 victims in September. 

**CiphBit**

While CiphBit has been posting victims on their dark website since April, the group wasn't discovered in-the-wild until last month. In September, they reported two new victims, bringing their total to eight victims to-date.

How to avoid ransomware

*   **Block common forms of entry**. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
*   **Detect intrusions**. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption**. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups**. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Ransomware review: October 2023

Cisco's $28 billion purchase of Splunk was the biggest story, but other security majors made strategic acquisitions as well in a better-than-expected quarter.

Cisco's massive $28 billion acquisition of Splunk in September was the financial highlight of a quarter during which several other vendors also made strategic purchases to position themselves for emerging enterprise requirements around cloud, application and identity security.

The acquisitions added to a better-than-expected quarter ended Sept. 30, 2023, with venture funding too picking up steam after a slowdown earlier this year following the collapse of Silicon Valley Bank. IPO activity showed early signs of a revival for the first since late 2021 as well and provided further evidence of the resilience of the sector against economic conditions that have roiled other verticals.

Security segments that witnessed the most activity included services, security consulting, application GRC, security operations and identity and access management.

**Reasonable Valuations Drive Acquisition Interest**

The third-quarter's M&A activity continued a gradual consolidation of the security industry as big players got bigger through acquisitions and smaller players looked for opportunities to make profitable exits.

"It appears to have been quite an active quarter, even without Cisco’s $28bn acquisition of Splunk, and there are some good reasons for this," says Rik Turner an analyst at Omdia. With IPO activity still not fully revived, some venture capital firms are looking for quicker exits, resulting in a lot of cybersecurity companies being available at reasonable prices. "That’s why there are currently stories circulating about the likes of Dig and Talon being in negotiation to be acquired by Palo Alto, for instance. Even SentinelOne—which is currently public--is also said to be on the hunt for an acquirer," Turner says.

Cisco's purchase of Splunk positioned the company as one of the industry's foremost players in the next generation SIEM market, a cloud and analytics-driven alternative to traditional security information and event management technologies.

The acquisition—Cisco's largest ever—was one of more than half-a-dozen purchases the company has made this year to insert itself into multiple hot cybersecurity segments. Others include identity management vendor Oort, AI/ML software vendor Armorblox, network performance monitoring vendor Acedian and cloud security vendors Lightspin and Valtix.

**A Gradual Reshaping of the Industry**

Cisco was not alone in its attempts to buy its way into lucrative and emerging security segments. Q3, 2023 had several other vendors making similar moves. The most prominent among them were CrowdStrike's purchase of application security posture management vendor Bionic for a report $350 million; Check Point's forking out of some $490 million for secure remote access vendor Perimeter 81; Thales' $3.6 billion acquisition of Imperva in July and Tenable's $265 million cash and restricted stock purchase of cloud native application protection platform vendor Ermetic.

"Strategic technology buyers are actively looking to round up their offerings by acquiring innovative solutions and teams with the subject matter expertise that will help them stay relevant and competitive in emerging market segments," says Alberto Yépez managing director of Forgepoint Capital. "Sponsors are also actively looking for acquisitions that will help them add capabilities to the platform companies they own in order to expand their addressable market and increase their rate of growth."

Yépez identified the managed security services market as a segment that garnered considerable interest from acquisition hunters last quarter—and through the year in general. Much of the activity was in response to growing demand for security services from companies that were either struggling to find professionals or were looking to outsource the security function to others.

"We expect more activity in this segment in the next four to six quarter. It is primed for consolidation," he says. M&A activity so far this year suggests that cloud security and compliance are sectors with lots of potential for consolidation given how overcrowded the segments are with emerging companies, Yépez notes.

Momentum Cyber recorded a total of 63 M&A deals in Q3, 2023 with a total disclosed value of $34.9 billion. Of those, eight involved transactions of $100 million or more. Active M&A sectors in Q3 2023 according to Momentum included security consulting and services, managed security services, security operations, incident response, threat intel and identity and access management.

"While the majority of 2023 has centered around continued headwinds in a difficult market, strategic activity did see an uptick in deal volume across both M&A and financing toward the back half of Q3," says Momentum analyst John Gould. Momentum anticipates the trend will continue into 2024. "Strategic investors are becoming more opportunistic in M&A markets as evidenced by a number of key deals this past quarter," Gould says.

**Investment Activity Showed Signs of a Rebound**

Activity in the third quarter also suggested that investors are finally putting the disruption caused by Silicon Valley Bank's spectacular collapse in March, behind them.

All signs point to total venture funding in cybersecurity hitting $10 billion in 2023, matching the record setting year of 2020 says Richard Stiennon, chief research analyst at IT-Harvest. That total is less than half of the all-time record of $24 billion in 2021, he says. But "considering the failure of Silicon Valley Bank early in the year and the devastating impact that had on VCs, investments are not too shabby," Stiennon says.

IT-Harvest's data showed there was some $7.5 billion invested through the end of September in the cybersecurity sector with the GRC segment—once again—attracting the most investments at $1.6 billion. At the other end of the spectrum was the API security segment with just four investments totaling a paltry $15.9 million so far this year and email security with an even smaller $12.2 million in investor funding.

Investments activity in Q3, 2023 included some big rounds such as the $238 million that Cato Networks raised in equity investment in September. The financing round valued Cato at $3 billion and bought to $773 million in total that the secure access service edge technology provider has raised so far. Cato is one of several companies in the third quarter that hinted at going public in the near term Stiennon says. "There are signs of life on Wall Street with companies like Palo Alto Networks, CrowdStrike, and Zscaler up 63% to 95% from their lows on January 6," he notes.

Other major investments that Momentum tracked in the third-quarter included OneTrust's $150 million later stage venture capital raise in July, SpyCloud's $110 million growth round in August, Resilience's $100 million Series D round and Nord Security's $100 million growth raise in September.

"IPO rumors are also heating up for the first time in a while going into 2024," Gould says. "Later-stage security startups including Cato Networks and Rubrik have been rumored to be considering going public next year as the market looks to rebound from a dead period in traditional IPO activity since late 2021," he says.

Reasonable Valuations Drove Mergers and Acquisition Activity in Q3, 2023

Two other vulnerabilities that Microsoft is fixing Tuesday — CVE-2023-36563 in Microsoft WordPad and CVE-2023-41763 in the Skype communication platform — have already been publicly exploited in the wild and have proof-of-concept code available.

Wednesday, October 11, 2023 07:10

Microsoft disclosed 104 vulnerabilities in its extensive range of software and services, the most in a single Patch Tuesday since July.  

What is most notable is that this batch of vulnerabilities includes 12 that are considered “critical,” nine of which are remote code execution vulnerabilities in the Layer 2 Tunneling Protocol.   

Two other vulnerabilities that Microsoft is fixing Tuesday — CVE-2023-36563 in Microsoft WordPad and CVE-2023-41763 in the Skype communication platform — have already been publicly exploited in the wild and have proof-of-concept code available, making it more likely that attackers will try to exploit unpatched versions of these pieces of software. However, these issues are only considered “important.”  

The nine Layer 2 Tunneling Protocol vulnerabilities all require an attacker to win a race condition. A race condition is when two threads in a piece of code try to reach the same piece of data at the same time, and thus one action must be completed before the other.  

In this scenario, an attacker could exploit the Tunneling Protocol by sending a specially crafted protocol message to a Routing and Remote Access Service (RAS) server, which could lead to remote code execution on the RAS server machine. The vulnerabilities Microsoft disclosed and patched on Tuesday are:  

*   CVE-2023-38166 
*   CVE-2023-41765 
*   CVE-2023-41767 
*   CVE-2023-41768 
*   CVE-2023-41769 
*   CVE-2023-41770 
*   CVE-2023-41771 
*   CVE-2023-41773 
*   CVE-2023-41774 

The Layer 2 Tunneling Protocol allows remote users to connect to a machine, or site-to-site connectivity via a VPN. Vulnerabilities involving VPNs have come under a microscope since the discovery of the VPNFilter malware in 2018 that affected thousands of devices across the globe. 

A vulnerability in Fortinet’s SSL VPN, CVE-2018-13379, topped the U.S. Cybersecurity and Infrastructure Security Agency’s list of the most-exploited vulnerabilities in 2022, despite being disclosed back in 2018. U.S. officials also warned earlier this year of Volt Typhoon, a large APT believed to be backed by China’s government that is targeting networking devices to possibly gain a foothold onto U.S. military networks and critical infrastructure.  

Another critical remote execution vulnerability disclosed Tuesday, CVE-2023-35349, exists in the Microsoft Message Queuing service. An unauthenticated attacker could exploit this vulnerability to execute code on the targeted server. 

However, this vulnerability is only exploitable if the user has Message Queuing enabled. Microsoft stated in its advisory that users should check to see if there is a service running named “Message Queuing” and if TCP port 1801 is listening on the machine. 

One of the other critical vulnerabilities fixed this month is CVE-2023-36718, a remote code execution vulnerability in the Microsoft Virtual Trusted Platform Module. An attacker who exploits this vulnerability could perform a contained execution environment escape.  

The attack complexity is considered “high” and therefore less likely to be exploited, Microsoft said, because exploitation relies on complex memory shaping techniques and the attacker must at least be authenticated as a guest first.  

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62486 - 62493 and 62508 - 62511, and Snort 3 signatures 300719 - 300722.

Microsoft patches 12 critical vulnerabilities, nine of which are in Layer 2 Tunneling Protocol

Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild.
Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September.
The two

Vulnerability / Endpoint Security

Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild.

Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September.

The two vulnerabilities that been weaponized as zero-days are as follows -

*   **CVE-2023-36563** (CVSS score: 6.5) - An information disclosure vulnerability in Microsoft WordPad that could result in the leak of NTLM hashes
*   **CVE-2023-41763** (CVSS score: 5.3) - A privilege escalation vulnerability in Skype for Business that could lead to exposure of sensitive information such as IP addresses or port numbers (or both), enabling threat actors to gain access to internal networks

"To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system," Microsoft said in an advisory for CVE-2023-36563.

"Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file."

Also fixed by Redmond are dozens of flaws impacting Microsoft Message Queuing (MSMQ) and Layer 2 Tunneling Protocol that could lead to remote code execution and denial-of-service (DoS).

The security update further resolves a severe privilege escalation bug in Windows IIS Server (CVE-2023-36434, CVSS score: 9.8) that could permit an attacker to impersonate and login as another user via a brute-force attack.

The tech giant has also released an update for CVE-2023-44487, also referred to as the HTTP/2 Rapid Reset attack, which has been exploited by unknown actors as a zero-day to stage hyper-volumetric distributed denial-of-service (DDoS) attacks.

"While this DDoS has the potential to impact service availability, it alone does not lead to the compromise of customer data, and at this time we have seen no evidence of customer data being compromised," it said.

Finally, Microsoft has announced that Visual Basic Script (aka VBScript), which is often exploited for malware distribution, is being deprecated, adding, "in future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system."

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apache Projects
*   Apple
*   Aruba Networks
*   Arm
*   Atlassian
*   Atos
*   Cisco
*   Citrix
*   CODESYS
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   Hitachi Energy
*   HP
*   IBM
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   Qualcomm
*   Samba
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   Sophos, and
*   VMware

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Releases October 2023 Patches for 103 Flaws, Including 2 Active Exploits

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

**eClass Junior 4.0 SQL Injection**

Posted Oct 9, 2023

Authored by indoushka

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | fe25bf20628b95e728482b08a8d3f9ce6bd4e732844de33554a5951468322a2a

Download | Favorite | View

**eClass Junior 4.0 SQL Injection**

    ====================================================================================================================================| # Title     : eClass Junior 4.0 Sql injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.eclass.com.hk/en/product/eclass-junior/                                                                |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /gallery_detail.php?cid=55 <===== inject here[+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55[+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,456)
*   Arbitrary (16,316)
*   BBS (2,859)
*   Bypass (1,764)
*   CGI (1,029)
*   Code Execution (7,343)
*   Conference (680)
*   Cracker (843)
*   CSRF (3,352)
*   DoS (23,623)
*   Encryption (2,372)
*   Exploit (52,159)
*   File Inclusion (4,230)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,797)
*   Intrusion Detection (895)
*   Java (3,054)
*   JavaScript (865)
*   Kernel (6,760)
*   Local (14,525)
*   Magazine (586)
*   Overflow (12,775)
*   Perl (1,423)
*   PHP (5,156)
*   Proof of Concept (2,345)
*   Protocol (3,623)
*   Python (1,543)
*   Remote (30,920)
*   Root (3,598)
*   Rootkit (513)
*   Ruby (612)
*   Scanner (1,644)
*   Security Tool (7,912)
*   Shell (3,201)
*   Shellcode (1,216)
*   Sniffer (896)
*   Spoof (2,213)
*   SQL Injection (16,422)
*   TCP (2,417)
*   Trojan (687)
*   UDP (896)
*   Virus (666)
*   Vulnerability (31,915)
*   Web (9,732)
*   Whitepaper (3,753)
*   x86 (965)
*   XSS (18,011)
*   Other

**File Archives**

*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,026)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,858)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,347)
*   HPUX (879)
*   iOS (358)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (46,943)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (13,974)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,974)
*   UNIX (9,323)
*   UnixWare (186)
*   Windows (6,591)
*   Other

eClass Junior 4.0 SQL Injection

eClass IP version 2.5 suffers from a remote SQL injection vulnerability.

**eClass IP 2.5 SQL Injection**

Posted Oct 9, 2023

Authored by indoushka

eClass IP version 2.5 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | b711babfc66671ea5103fe26d521747c60621f2c26be69bc9fb4ef7463b6da31

Download | Favorite | View

**eClass IP 2.5 SQL Injection**

    ====================================================================================================================================| # Title     : eClass IP 2.5 Sql injection Vulnerability                                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.eclass.com.hk/en/product/eclass-ip/                                                                    |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /gallery_detail.php?cid=55&id=161 <===== inject here[+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55&id=161[+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,456)
*   Arbitrary (16,316)
*   BBS (2,859)
*   Bypass (1,764)
*   CGI (1,029)
*   Code Execution (7,343)
*   Conference (680)
*   Cracker (843)
*   CSRF (3,352)
*   DoS (23,623)
*   Encryption (2,372)
*   Exploit (52,159)
*   File Inclusion (4,230)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,797)
*   Intrusion Detection (895)
*   Java (3,054)
*   JavaScript (865)
*   Kernel (6,760)
*   Local (14,525)
*   Magazine (586)
*   Overflow (12,775)
*   Perl (1,423)
*   PHP (5,156)
*   Proof of Concept (2,345)
*   Protocol (3,623)
*   Python (1,543)
*   Remote (30,920)
*   Root (3,598)
*   Rootkit (513)
*   Ruby (612)
*   Scanner (1,644)
*   Security Tool (7,912)
*   Shell (3,201)
*   Shellcode (1,216)
*   Sniffer (896)
*   Spoof (2,213)
*   SQL Injection (16,422)
*   TCP (2,417)
*   Trojan (687)
*   UDP (896)
*   Virus (666)
*   Vulnerability (31,915)
*   Web (9,732)
*   Whitepaper (3,753)
*   x86 (965)
*   XSS (18,011)
*   Other

**File Archives**

*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,026)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,858)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,347)
*   HPUX (879)
*   iOS (358)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (46,943)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (13,974)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,974)
*   UNIX (9,323)
*   UnixWare (186)
*   Windows (6,591)
*   Other

eClass IP 2.5 SQL Injection

By Waqas
September 2023’s Most Wanted Malware: Remcos Wreaks Havoc in Colombia and Formbook Takes Top Spot after Qbot Shutdown, reveals Check Point.
This is a post from HackRead.com Read the original post: Formbook Takes the Throne as Most Prevalent Malware

Check Point’s Global Threat Index for September 2023, released on October 6th, revealed that Education and Research remain the top targeted industries in September 2023.

The cybersecurity researchers at Check Point have released its Global Threat Index for September 2023, revealing significant shifts in the cyber threat landscape. The report highlights a notable phishing campaign that targeted numerous organizations in Colombia, resulting in the surge of the Remcos Remote Access Trojan (RAT) and the rise of Formbook as the most prevalent malware following the demise of Qbot.

Here, it’s worth noting that Qbot, also known as Qakbot and Pinkslipbot malware, faced disruption by the FBI in August 2023, having infected 700,000 computers globally. Despite this disruption, a recent report from Cisco Talos Intelligence Group reveals that the cybercriminals responsible for Qbot remain active, now distributing a new malware known as Ransom Knight.

****Colombia Under Attack: Remcos RAT Unleashed****

In September, Check Point Research uncovered a large-scale phishing campaign aimed at over 40 prominent businesses across various industries in Colombia. The primary objective of this campaign was to surreptitiously deploy the Remcos RAT on victims’ computers.

Remcos ranked as the second most prevalent malware in September, is a sophisticated Remote Access Trojan, offering attackers full control over the infected systems and versatile malicious capabilities. The consequences of a Remcos infection are dire, encompassing data theft, subsequent malware infections, and account takeovers.

Maya Horowitz, VP of Research at Check Point Software, stated, “The campaign that we uncovered in Colombia offers a glimpse into the intricate world of evasion techniques employed by attackers. It is also a good illustration of how invasive these techniques are and why we need to employ cyber resilience to guard against a variety of attack types.”

****Formbook Takes the Throne****

The September Global Threat Report Index also revealed a noteworthy shift in the top malware rankings. Formbook, an Infostealer targeting Windows OS, claimed the number one spot with a global impact of 3% on organizations worldwide.

First detected in 2016, Formbook data stealer is marketed as Malware as a Service (MaaS) in underground hacking forums for its potent evasion techniques and relatively low price. Its capabilities include harvesting credentials from web browsers, capturing screenshots, logging keystrokes, and executing files on the attacker’s command.

****Qbot’s Reign Ends**?**

The most significant change in the malware landscape was the exit of Qbot from the top malware list. The FBI had seized control of the Qbot botnet in August, marking the end of its long-standing reign as the most prevalent malware throughout most of 2023.

However, as the group responsible for Qbot is still active and already disseminating new malware, the significance of the disruption of the malware’s infrastructure may have somewhat diminished.

****Top Attacked Industries and Vulnerabilities****

In terms of attacked industries globally, Education/Research remained the top target, followed by Communications and Government/Military. These sectors continue to face relentless cyber threats.

Regarding exploited vulnerabilities, “Web Servers Malicious URL Directory Traversal” took the top spot, affecting 47% of organizations worldwide. This vulnerability allows unauthenticated remote attackers to access arbitrary files on vulnerable servers. “Command Injection Over HTTP” followed closely with 42%, and “Zyxel ZyWALL Command Injection” was at 39% in terms of impact.

****Malware Attacks Against Smartphones****

In the mobile malware arena, Anubis retained its position as the most prevalent mobile malware, followed by AhMyth and SpinOk. Anubis, initially a banking Trojan, has evolved to include Remote Access Trojan (RAT) functionality, keylogging, audio recording capabilities, and ransomware features.

AhMyth, discovered in 2017, is another RAT distributed through Android apps that collect sensitive information from infected devices. SpinOk, operating as spyware, was found in over 100 Android apps, amassing more than 421 million downloads as of May 2023.

As cybersecurity threats continue to evolve, organizations must remain vigilant and proactive in implementing robust cybersecurity measures to protect against the ever-present dangers of malware and vulnerabilities.

****_RELATED ARTICLES_****

1.  US, India and China Most Targeted in DDoS Attacks
2.  Microsoft Office Most Exploited Software in Malware Attacks
3.  Schools Are the Most Targeted Industry by Ransomware Gangs
4.  Russian Dark Net Markets Dominate the Global Illicit Drug Trade
5.  What Are the Top 10 Android Edu Apps That Collect Most User Data?
6.  VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware
7.  Microsoft, PayPal & Facebook most targeted brands in phishing scams

Formbook Takes the Throne as Most Prevalent Malware

“I’m completely interested in the creative ways computers can break down,” Schultz jokes.

Monday, October 9, 2023 08:10

At this point in his career, Jaeson Schultz has seen nearly every type of online scam there is to see.

From fake bomb threats at schools, to “sextortion” campaigns, cryptocurrency mining, metaverse and more of the 2010s, to the earliest type of spam emails in the 1990s that promised to protect people from a Y2K meltdown or had the next great penny stock that the recipient needed to jump on asap, Schultz’s security career has spanned more than 25 years now.

At this point, nothing adversaries come up with surprises him, but that doesn’t mean he’s not looking for those surprises.

Schultz, a researcher for the Talos Outreach team focused specifically on email threats and spam, is currently looking to new and emerging technologies and how they play into attackers’ hands, including Web3, the metaverse (including the capital “M” Metaverse from the company Meta), cryptocurrency exchanges and the blockchain.

But his security experience dates back to the early days of email when he took a job with the state government of Nevada performing traditional IT troubleshooting and support. At the time, cybersecurity was not a specialized field, so by working in IT, you already needed to be interested in security, Schultz said.

“At that point, \[cybersecurity\] was more of a hobby for me in the late 80s and early 90s. It wasn’t an established profession, and you couldn’t study it. So, if you were into network administration, you were probably also into security,” he said.

Schultz started pursuing cybersecurity as a hobby, and he even attended some of the first DEF CON conferences, which today is known as one of the largest hacking conferences in the world.

That eventually led him to a job with Brightmail – one of the earliest anti-spam filtering offerings for email — and at the “abuse desk” for another email service provider, where he was tasked with stopping malicious users from sending spam.

At the time, the threats and tactics he saw then were the same as the ones most users get today: They focus heavily on social engineering, trying to trick users into providing personal information, sending money to the attacker or clicking on a malicious link that downloads malware.

Schultz eventually made his way to Cisco through the company’s acquisition of IronPort, which eventually became part of Cisco Talos nearly 10 years ago, where he became part of the Outreach team, conducting more public-facing threat research.

Today, Schultz said attacks are more sophisticated than before thanks to AI language models and years of experience on the attackers’ end. In his earlier career, Schultz said the wildest scam he saw was an email sender claiming to be a time traveler searching for pieces of their time machine, a tactic that (most) users would sniff out quickly in 2023.

“The techniques have evolved over time, but the basic themes have primarily remained the same,” he said.

One of the techniques Schultz is particularly interested in currently is DNS and URL manipulation. He’s written extensively for the Talos blog about how adversaries are using typosquatted domains — attacks in which bad actors use eerily similar URLs to legitimate sites to trick users into visiting an attacker-controlled page. For example, instead of visiting google.com, an attacker may use the domain googie.com in a spam email.

He’s also conducted research into attackers who distort the DNS system. DNS is essentially the backbone of browsing the internet and is what ensures attackers are visiting the page they want to land on — that typing in google.com will take the user to Google.com. Other attackers are using newly released top-level domains like .zip to trick targets into disclosing potentially sensitive files that end in that extension.

Perhaps in one of the more unlikely scenarios, Schultz is also researching how cosmic rays could interfere with network connections and mistakenly send users to the wrong destination.

“I’m completely interested in the creative ways computers can break down,” Schultz jokes.

Many users can feel hopeless when it comes to spam because they’re still getting emails and text messages every day despite the best efforts to research and continued calls to report certain phone numbers, emails or email subjects as spam. But Schultz said he’s driven by the victories he does get along the way.

“There are just so many people out there who are out to commit crimes online. And the number of people who actually get in trouble for committing those crimes is pretty low when you consider how much work goes into cybersecurity,” he said. “It gets under my skin when there are innocent users who get scammed by these people, like what if it was my mom or my grandma? It motivates me to go out there and disrupt their operations.”

Disruption may not even look like directly taking down email servers they’re using or other infrastructure. Even by writing a blog about an actor’s operations or talking to other security researchers at a conference, Schultz said his team’s work can make bad actors’ work more difficult in many ways. Even by just publicly exploiting their tactics, it forces them to change their strategy on the fly.

Schultz’s life doesn’t slow down outside the office, though. He juggles many interests like snow skating during the cooler months. He also owns a home in Ecuador where he likes to get away from the cold at times — Cisco’s work flexibility allows him to work remotely from either location to fit his schedule. Though he did joke his teammates get jealous when he’s working from Ecuador and brings a fresh coconut on a Webex call for a lunchtime drink.

Perhaps his most personal endeavor is running a toy shop in South Lake Tahoe, California with his family. Schultz’s late wife opened the store in 2019 — she wanted to be her own boss after years of having partners in other small business endeavors around the state.

After her death, Schultz said he and his three children wanted to keep the store running so he got more involved on a day-to-day basis. He even gets to put his IT admin hat back on while managing the online storefront and website.

“This was her project, she was always involved in different small businesses around Lake Tahoe, I talked her into buying this toy store so she would be the sole proprietor and not have to answer to anyone else,” Schultz said. “She bought it in 2019, and thankfully it survived the pandemic.”

Since getting more involved at the store, Schultz has gotten into collecting trading cards like Pokemon and the recently released Disney “Lorcana.” Interestingly, he’s interested in collecting real-world goods while the adversaries he typically tracks try to swindle users out of their virtual NFTs.

How looking at decades of spam led Jaeson Schultz from Y2K to the metaverse and cryptocurrency

A use-after-free vulnerability exists in the MediaRecorder API of Webkit WebKitGTK 2.40.5. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to to visit a malicious webpage to trigger this vulnerability.

CVE-2023-39928: TALOS-2023-1831 || Cisco Talos Intelligence Group

Plus, Qakbot appears to be still active, despite efforts from the FBI and other international law enforcement agencies to disrupt the massive botnet.

Thursday, October 5, 2023 14:10

Welcome to this week’s edition of the Threat Source newsletter.

It’s Cybersecurity Awareness Month, which means it’s time to hug your nearest defender — they’re probably tired, could be facing burnout or just have had too much coffee today.

What makes the cybersecurity landscape even more fraught right now is that qualified analysts, researchers and security practitioners are having a hard time finding work. Several major security firms have recently experienced layoffs or have shut down entirely, at the same time the community is lamenting about a cybersecurity skills gap and a lack of workers.

I was watching TechCrunch’s “Disrupt” conference last week and I found it interesting that one particular panel was discussing the challenges of hiring in cybersecurity right now, and the host of the panel asked if there is a stigma around hiring workers who had been a part of major breaches or security incidents (think: a SolarWinds employee who may have been working there during the major supply chain attack that targeted their software).

I had no idea this was even a going concern among security hiring managers, and it makes no sense why there would be. So, I started looking through job board postings and security forums and found that many active security job hunters are afraid to list if they worked somewhere during a notable incident. For example, this user on r/cybersecurity asked last year if they should leave a job off their résumé if they worked there when a major data breach occurred, even though they were not directly involved in the breach whatsoever.

And even if they were, who cares?

Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft, had the perfect answer for this on the aforementioned TechCrunch panel. She said that if she sees a prospective employee who worked somewhere during a security “trash fire,” she looks "at that as somebody who has been on the frontlines and been under fire. They know what to do and they've been through it, and I guarantee they have learned from it.”

There has always been a stigma around disclosing data breaches for companies and employees alike, with targets being afraid of negative press or scrutiny that comes from publicly admitting to a data breach or cyber attack.

And I can see why someone wouldn’t want to mention that during a job interview. There could be an inherent “stink” that comes from working somewhere that got owned or had a ton of negative headlines around it, but I feel like that’s a stigma that needs to go away immediately if the security community does have any hope of closing the skills gap.

Anyone who’s been through a major security event, as I know firsthand from talking to many of Talos’ incident responders, always has something to learn — from either a positive or negative experience. It’s the same in every field, too.

When I was a journalist, I can’t say that I never had to issue a correction for a story I wrote or apologize to a source for misquoting them. They were mistakes I had to make as a young professional and learn from. And in this job, I’ve made a fair share of mistakes, too, and probably will make more. The important thing is, that I learn from those mistakes and make changes to my processes going forward to avoid those mistakes.

I would imagine the same would be for any engineer who mistakenly left a vulnerability in some code or downloaded that software update that seemed legitimate but actually was packed with malware.

If you’ve worked in security for long enough, no matter for what company, you’ve been involved in a major security incident. That should not deter someone from hiring you for your next job, and you shouldn’t be leaving this off a résumé.

I am curious to know if this is a real issue or stigma that’s out there, so if you’re a hiring manager or job applicant who’s experienced this, DM us on Twitter!

**The one big thing**

Qakbot appears to be still active, despite efforts from the FBI and other international law enforcement agencies to disrupt the massive botnet. Talos researchers discovered that the threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails. Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has been ongoing since, indicating the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command and control (C2) servers.

**Why do I care?**

Qakbot is one of the largest, most notable malware networks on the landscape currently, so any activity from this group is notable. But it’s particularly noteworthy now that the actor was able to recover so quickly after the FBI’s efforts. This group is still actively sending spam, despite what recent headlines may indicate. Though Talos has not seen the threat actors distributing Qakbot itself post-infrastructure takedown, we assess the malware will continue to pose a significant threat moving forward.

**So now what?**

Given that Qakbot’s operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity, so it’s important to monitor the Talos blog and other security research for any additional activity. Talos has new ClamAV signatures that can detect the malware associated with this current campaign, and there is a list of IOCs at the end of our blog post everyone should be adding to their blocklists or other detection.

**Top security headlines of the week**

**The company that manages the MOVEit file transfer software disclosed several vulnerabilities in one of its other products.** Progress Software, the makers of MOVEit, which was the subject of a large data breach responsible for dozens of follow-on attacks, urged users to patch WS\_FTP Server immediately. CVE-2023-40044 is a deserialization vulnerability in the Ad Hoc Transfer module in WS\_FTP Server that an attacker could exploit without authentication to execute remote code. In all, the company disclosed eight vulnerabilities last week and released hotfixes for all versions of the software. According to the company’s website, WS\_FTP Server offers “the unique business-grade features required to assure reliable and secure transfer of critical data.” The site lists several major customers who use the affected software, including the NFL’s Denver Broncos and clothing retailer H&M. (The Record by Recorded Future, Decipher)

**Google and Yahoo are implementing new rules around bulk email sending designed to reduce the amount of spam users receive and encourage more users to report spam.** Starting in early 2024, anyone sending more than 5,000 messages a day, will need to authenticate all messages using current authentication protocols like SPF or DKIM. All these emails must also offer a one-click unsubscribe option for recipients (so hopefully no more confusing “Are you sure you want to go?!” messages on email preference pages). In its announcement, Google says its current AI-based spam filters block 99.9 percent of spam emails. However, it’s become increasingly difficult as attackers have developed new methods of bypassing traditional blocking methods or create more convincing spam emails. (The Verge, ZDNet)

**The U.S. Department of Homeland Security is investigating if any floorplans for U.S. government buildings or other physical security information were affected by a data breach at a large government contractor.** Johnson Controls International, which manufacturers security systems and other hardware important to physical offices, disclosed this week that they are actively investigating a cyber attack "to assess what information was impacted" and is "executing our incident management and protection plan." An internal DHS memo that CNN obtained stated that “Until further notice, we should assume that \[the contractor\] stores DHS floor plans and security information tied to contracts on their servers.” At the time of the memo, DHS was concerned about the possibility about a government shutdown in the U.S. that could delay research, however, Congress avoided a shutdown over the weekend by passing a temporary spending bill. (CNN, Axios)

**Can’t get enough Talos?**

*   The Need to Know: What is the dark web?
*   Threat Roundup for Sept. 22 - 29
*   Talos Takes Ep. #156: Inside a Talos Incident Response emergency event
*   Cisco Cybersecurity Awareness Month homepage

**Upcoming events where you can find Talos**

**Bsides PDX** **(Oct. 6 - 7)**

Portland State University, Oregon, U.S.

**Cisco Cybersecurity Day** **(Oct. 11)**

Nuremberg Exhibition Center, Germany

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> _Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking._

**misecCON** **(Nov. 17)**

Lansing, Michigan

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa  
**MD5:** 9403425a34e0c78a919681a09e5c16da  
**Typical Filename:** vincpsarzh.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440  
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e  
**Typical Filename:** iizbpyilb.bat  
**Claimed Product:** N/A  
**Detection Name:** Trojan.Agent.DDOH

**SHA 256:** 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa  
**MD5:** e9a6b1346d1a2447cabb980f3cc5dd27  
**Typical Filename:** профиль 10 класс.exe  
**Claimed Product:** N/A  
**Detection Name:** Application\_Blocker

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Tag

#cisco