By Deeba Ahmed
The damage from the MOVEit hack is slowly emerging.
This is a post from HackRead.com Read the original post: Massive MOVEit Hack: 630K+ US Defense Officials’ Emails Breached

The organization targeted in the incident is Westat, a data firm utilized by the Office of Personnel Management (OPM) for survey administration.

The MOVEit data breach has caused havoc across all prominent industries and organizations. This large-scale cyberattack in May 2023 (from May 28th to May 30th, 2023) has claimed countless victims.

The attackers exploited a vulnerability in a managed file transfer software called MOVEit Transfer developed by Ipswitch INC. Many organizations have become targets of this breach including government agencies, airlines, educational and financial institutions and healthcare providers, and lost sensitive data such as credit card numbers, PII, and SSNs (social security numbers).

Bloomberg reports that the US Department of Justice is amongst the government agencies targeted in the MOVEit Transfer vulnerability exploitation spree. Reportedly, the email addresses of 632,000 employees from the agencies were accessed. 

According to the Office of Personnel Management’s (OPM) documents obtained through the Freedom of Information Act request, hackers obtained access to email addresses linked to government employee surveys and internal agency tracking codes by exploiting the MOVEit file transfer program used by Westat, a data firm the OPM uses for administer surveys.

Impacted employees mostly belonged to the Defense Department, including the Air Force, the Army, the Army Corps of Engineers, the Office of the Secretary of Defense and the Joint Staff officials.

Hackread.com has been following the series of cyberattacks that took place in May 2023. The Russian-speaking cybercrime group Cl0p ransomware gang is blamed for exploiting this vulnerability. The gang made the stolen data public, impacting hundreds of government entities and businesses worldwide.  

In June 2023, the National Student Clearinghouse reported that 900 US schools were impacted by the MOVEit hack, with hackers stealing sensitive student records. In October, Sony confirmed that the data breach caused by the exploitation of MOVEit vulnerability has impacted 6791 of its previous and current employees or their family members,

Progress (formally Ipswitch) released a patch for the vulnerability but many organizations haven’t yet applied the patch and remain vulnerable to cyberattacks. The full extent of damage caused by the breach in May is yet unknown but quite possibly hackers gained access to classified data.

Commenting on this latest development, security awareness advocate at KnowBe4, Eric Kron, told Hackread that the Cl0p ransomware group has continuously made headlines for its attacks exploiting the MOVEit vulnerability, and has emerged as an unconventional gang that doesn’t bother about encrypting the data or disruption of service. This is why in many cases victims of data breaches remain unaware because there aren’t any ‘evident signs.’

“This group continues to make the news due to its exploits against MOVEit and the tactics it employed. Unlike the more traditional ransomware gangs that are operating this group does not bother with the encryption of the data and subsequent disruption of services. This means that in many cases the victims may not realise they are suffering a breach because there are no extremely evident signs such as failures of service or systems going offline.”

“While the group promised to delete information related to governments, cities or police departments, it seems highly unlikely that this group is to be trusted. While they may not leak this information publicly, it could be of great interest to other nation states looking to gather intelligence on American citizens or government agencies, potentially offering them a source of income if willing to sell the information to these entities.”

“Since patches are available for the MOVEit software, organisations must ensure they’ve been applied. Any organisations that have operated the software during the times of known attacks would be wise to ensure that there is no sign of previous exploitation of these vulnerabilities, even if they have not been approached with a ransom demand yet,” Kron added.

****_RELATED ARTICLES_****

1.  IT Security firm Qualys extorted by Clop gang after data breach
2.  Clop ransomware gang leaks Jones Day law firm data on dark web
3.  Human Error: Casio ClassPad Data Breach Impacting 148 Countries
4.  UK’s Ofcom confirms cyber attack as PoC exploit for MOVEit is released
5.  Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices

Massive MOVEit Hack: 630K+ US Defense Officials’ Emails Breached

Archive, check and export commands in Chef InSpec
prior to 4.56.58 and 5.22.29 allow local command execution via maliciously
crafted profile.





CVE-2023-42658: InSpec CLI

The threat actor known as Arid Viper (aka APT-C-23, Desert Falcon, or TAG-63) has been attributed as behind an Android spyware campaign targeting Arabic-speaking users with a counterfeit dating app designed to harvest data from infected handsets.
"Arid Viper's Android malware has a number of features that enable the operators to surreptitiously collect sensitive information from victims' devices

The threat actor known as Arid Viper (aka APT-C-23, Desert Falcon, or TAG-63) has been attributed as behind an Android spyware campaign targeting Arabic-speaking users with a counterfeit dating app designed to harvest data from infected handsets.

"Arid Viper's Android malware has a number of features that enable the operators to surreptitiously collect sensitive information from victims' devices and deploy additional executables," Cisco Talos said in a Tuesday report.

Active since at least 2017, Arid Viper is a cyber espionage that's aligned with Hamas, an Islamist militant movement that governs the Gaza Strip. The cybersecurity firm said there is no evidence connecting the campaign to the ongoing Israel-Hamas war.

The activity is believed to have commenced no earlier than April 2022.

Interestingly, the mobile malware shares source code similarities with a non-malicious online dating application called Skipped, suggesting that the operators are either linked to the latter's developer or managed to copy its features in an attempt at deception.

The use of seemingly-benign chat applications to deliver malware is "in line with the 'honey trap' tactics used by Arid Viper in the past," which has resorted to leveraging fake profiles on social media platforms to trick potential targets into installing them.

Cisco Talos said it also identified an extended web of companies that create dating-themed applications that are similar or identical to Skipped and can be downloaded from the official app stores for Android and iOS.

*   VIVIO - Chat, flirt & Dating (Available on Apple App Store)
*   Meeted (previously Joostly) - Flirt, Chat & Dating (Available on Apple App Store)
*   SKIPPED - Chat, Match & Dating (50,000 downloads on Google Play Store)
*   Joostly - Dating App! Singles (10,000 downloads on Google Play)

The array of simulated dating applications has raised the possibility that "Arid Viper operators may seek to leverage these additional applications in future malicious campaigns," the company noted.

The malware, once installed, hides itself on a victim machine by turning off system or security notifications from the operating system and also disables notifications on Samsung mobile devices and on any Android phone with the APK package name containing the word "security" to fly under the radar.

It's also designed to request for intrusive permissions to record audio and video, read contacts, access call logs, intercept SMS messages, alter Wi-Fi settings, terminate background apps, take pictures, and create system alerts.

Among other noteworthy features of the implant includes the ability to retrieve system information, get an updated command-and-control (C2) domain from the current C2 server, as well as download additional malware, which is camouflaged as legitimate apps like Facebook Messenger, Instagram, and WhatsApp.

The development comes as Recorded Future revealed signs possibly connecting Arid Viper to Hamas through infrastructure overlaps related to an Android application named Al Qassam that's been disseminated in a Telegram Channel claiming affiliation to Izz ad-Din al-Qassam Brigades, the military wing of Hamas.

"They depict not only a possible slip in operational security but also ownership of the infrastructure shared between groups," the company said. "One possible hypothesis to explain this observation is that TAG-63 shares infrastructure resources with the rest of the Hamas organization."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Arid Viper Targeting Arabic Android Users with Spyware Disguised as Dating App

Since April 2022, Cisco Talos has been tracking a malicious campaign operated by the espionage-motivated Arid Viper advanced persistent threat (APT) group targeting Arabic-speaking Android users.

Arid Viper disguising mobile spyware as updates for non-malicious Android applications

Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.

October has been a security flaw-fest, with Apple, Microsoft, and Google issuing patches for vulnerabilities that are being used in real-life attacks. There were also multiple enterprise fixes during the month, with Cisco, VMWare, and Citrix fixing serious security bugs.

Some of the patches are more urgent than others, so read on to find out what you need to know about the updates released in October.

Apple iOS and iPad OS

October was a busy month for Apple, with the iPhone maker issuing its second set of fixes as part of iOS 17.1 at the end of the month. The two dozen security fixes in iOS 17.1 include patches for serious flaws in the Kernel at the heart of the iOS operating system and WebKit, the engine that underpins the Safari browser.

Tracked as CVE-2023-42849, the Kernel issue fixed in iOS 17.1 could allow an attacker that has already achieved code execution to bypass memory mitigations, Apple said on its support page. The three WebKit flaws—tracked as CVE-2023-40447, CVE-2023-41976, and CVE-2023-42852—could lead to arbitrary code execution.

Apple has also issued iOS and iPad OS 16.7.2, fixing the same flaws for users of older devices or those who don’t want to upgrade right away. They came alongside macOS Sonoma 14.1, macOS Ventura 13.6, macOS Monterey 12.7.1, tvOS 17.1, WatchOS 10.1, and Safari 17.1.

Earlier this month, Apple released iOS 17.0.3 and iOS 16.7.1, fixing issues being used in real-life attacks. Tracked as CVE-2023-42824, the first is a Kernel bug that could allow an attacker with access to your device to elevate their privileges.

Apple also fixed CVE-2023-5217, a buffer overflow flaw that could allow an attacker to execute code. Affecting multiple browsers and platforms, the bug has already been patched in Google’s Chrome browser.

Microsoft

Microsoft’s Patch Tuesday has seen the tech giant fix over 100 flaws, including two zero-day vulnerabilities in Microsoft WordPad and Skype for Business.

CVE-2023-36563 is an information disclosure bug in the WordPad word processing program that could expose NTLM hashes and result in NTLM relay attacks. However, it requires user interaction: The attacker must send someone a malicious file and convince them to open it, Microsoft said.

CVE-2023-41763 is an elevation of privilege vulnerability in Skype for Business. “An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an http request made to an arbitrary address,” potentially disclosing IP addresses or port numbers, Microsoft said.

Microsoft also patched a flaw in Message Queuing tracked as CVE-2023-35349 with a CVSS critical score of 9.8, which could allow an unauthenticated attacker to remotely execute code.

October’s Patch Tuesday is a particularly urgent one, so it’s important to update as soon as you can.

Google Chrome

Google has released 20 security fixes for its Chrome browser, including one patch for a flaw rated as critical. Tracked as CVE-2023-5218, the bug is a use-after-free issue in Site Isolation. Another six fixes cover inappropriate implementation vulnerabilities marked as having medium impact, while CVE-2023-5476 is a use-after-free flaw in Blink History. Another issue, CVE-2023-5474, is a heap buffer overflow in PDF, according to Google’s blog.

A further four inappropriate implementation vulnerabilities are rated as having a low impact, with Google also fixing a low severity use-after-free bug in Cast tracked as CVE-2023-5473.

None of the flaws fixed in October have been exploited, but given how actively the browser is targeted, it makes sense to update as soon as you can.

Google Android

Google’s October Android update was a major one because it fixed 53 issues, including two vulnerabilities already being used in real-life attacks. The first is CVE-2023-4863, a heap buffer overflow bug in libwebp affecting the applications that use the library to encode and decode images in the WebP format. This vulnerability impacts many applications and could be used to install spyware, security firm Malwarebytes wrote in a blog.

There are indications that the bug “may be under limited, targeted exploitation,” Google said in an advisory.

CVE-2023-4211 is an issue in Arm components rated as having a high impact, which Google said is also being used in attacks. “A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,” Malwarebytes said, adding that the vulnerability affects multiple versions of Arm Mali GPU drivers. These are used in multiple Android device models, including those made by Google, Samsung, Huawei, and Xiaomi.

Another scary flaw in the System tracked as CVE-2023-40129 is rated as critical. “The \[vulnerability\] could lead to remote code execution with no additional execution privileges needed,” Google said.

The update is available for Google’s Pixel and Samsung’s Galaxy series, so if you have an Android device, check your settings ASAP.

Cisco

Software giant Cisco has released patches to fix two already exploited flaws. Tracked as CVE-2023-20198 and with an eye-watering CVSS score of 10, the first is an issue in the web user interface feature of Cisco IOS XE software. It affects physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled, researchers at Cisco Talos said in a blog.

“Successful exploitation of CVE-2023-20198 allows an attacker to gain privilege level 15 access to the device, which the attacker can then use to create a local user and log in with normal user access,” the researchers warned.

The attacker can use the new unauthorized local user account to exploit a second vulnerability, CVE-2023-20273, in another component of the WebUI feature. “This allows the adversary to inject commands with elevated root privileges, giving them the ability to run arbitrary commands on the device,” said Talos Intelligence, Cisco’s cybersecurity firm.

Cisco “strongly recommends that customers disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses,” the firm wrote in an advisory.

VMWare

VMWare has patched two out-of-bounds write and information disclosure vulnerabilities in its vCenter Server. Tracked as CVE-2023-34048, the first is a vulnerability in the implementation of the DCERPC protocol that could lead to remote code execution. VMware has rated the flaw as critical with a CVSS base score of 9.8.

At the other end of the CVSS scale but still worth mentioning is CVE-2023-34056, a partial information disclosure bug with a score of 4.3. “A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data,” VMWare wrote in an advisory.

Citrix

Enterprise software firm Citrix has issued urgent fixes for vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Tracked as CVE-2023-4966 and with a CVSS score of 9.4, the first bug could allow an attacker to expose sensitive information.

CVE-2023-4967 is a denial of service issue with a CVSS score of 8.2. Exploits of CVE-2023-4966 on unmitigated appliances “have been observed,” Citrix said. “Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible.”

SAP

SAP’s October Security Patch Day saw the release of seven new security notes, all of which were rated as having a medium impact. Tracked as CVE-2023-42474, the worst flaw is a cross-site scripting vulnerability in SAP BusinessObjects Web Intelligence with a CVSS score of 6.8.

With only nine new and updated security notes, SAP’s October Patch Day “belongs to the calmest of the last five years,” security firm Onapsis said.

While SAP’s October flaw count was much smaller than its peers’, attackers are still out there, so you should still keep up to date and get patching as soon as you can.

Apple, Google, and Microsoft Just Patched Some Spooky Security Flaws

CISOs offer recommendations to help secure identities, data, code, and cloud infrastructure and protect against evolving threats and vulnerabilities.

The COVID-19 pandemic ignited an unprecedented wave of remote work adoption, forcing organizations to rapidly embrace remote collaboration tools. However, the transition to remote work came with its own set of challenges, especially in ensuring robust security measures for remote access. Today, CISOs face a new frontier — a borderless enterprise landscape — where they must forge a strong security posture to protect their organizations from evolving threats and vulnerabilities.

To better understand these demands, Cisco partnered with Forgepoint Capital, NightDragon, and Team8 to evaluate the evolving threat landscape and gather invaluable insights and takeaways that chief information security officers (CISOs) can leverage to prepare for the future. Together, we created the 2023 CISO Survival Guide, a simple framework for understanding how teams can secure modern enterprises by defining the security posture of identities, data, and code that are distributed across a hybrid infrastructure.

**Identity**

Identity management is a critical concern for CISOs, as the lack of a unified platform across identity access management (IAM), identity governance and administration (IGA), and privileged access management (PAM) leads to a fragmented identity topology within organizations. CISOs express the need for technology startups to address this pain point by offering solutions that are easier to deploy, provide comprehensive coverage, and offer rich integrations.

**Data**

CISOs are no longer tasked with security alone. They are also now responsible for securely enabling overall collaboration and business operations. This means they must balance data protection and use. To do this, CISOs are breaking data down into four key categories:

*   **Data collaboration:** Being able to locate and apply data governance controls on distributed data.
*   **Data reliability:** Making sure data is accurate and useable.
*   **Data privacy management:** Applying governance, risk, and compliance controls to adhere to data privacy regulations and enable analytics on sensitive data.
*   **Data protection:** Finding, categorizing, and remediating access so that all data serves its intended purpose.

**Code**

As agile DevOps creates a more rapid software development life cycle, enterprise security will only be as strong as its weakest link: the software supply chain. To give an idea of how big a deal this is, 70% of CISOs surveyed say they are prioritizing securing the software supply chain. To do this, CISOs will need full visibility into the development pipeline so that they can adopt a holistic strategy, which includes open source governance, delivery pipeline management, and an understanding of risk in third-party software.

Third-party software is its own issue. It supports quick innovation while operating a distributed workforce, but it can be a black box for CISOs looking to secure their enterprise. Third parties should be held to the same security standards as the rest of the enterprise.

**Infrastructure**

If it is connected, it needs to be secured, even if you can't see it. This is the cloud. By 2025 more than 85% of enterprises are expected to embrace a cloud-first approach. That means cloud security must be near the top of any CISO's priorities because attackers are shifting to the cloud just as quickly as enterprises. There are many tools out there that let enterprises address data challenges related to the cloud, but they don't necessarily go far enough to help CISOs discover the who, what, and where in the event of a data breach.

**CISO Survival Guide**

There is a lot that CISOs must do to stay ahead of these constantly evolving cybersecurity threats. Thankfully, emerging technology startups are providing fresh solutions to help CISOs stay one step ahead of the game in securing their enterprises. Defining security postures of the identities, data, and code distributed across a hybrid infrastructure is just one part to having a secured network that can protect data with a distributed workforce.

For more information, with an in-depth look at survey results as well as insights and analysis from CISOs, read the 2023 CISO Survival Guide from Cisco.

**About the Author**

    

Janey Hoe is a Vice President of Cisco Investments. Previously, she held multiple product management, technical marketing, and business development leadership roles at Cisco, operating multi-billion-dollar product lines as well as pioneering new products in switching, security, data center, and video collaboration. Along with her team, she was recognized as a finalist for the Pioneer Award, the highest honor for innovation at Cisco.

Securing Modern Enterprises in a Borderless Landscape

A new cyber attack campaign has been observed using spurious MSIX Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed GHOSTPULSE.
"MSIX is a Windows app package format that developers can leverage to package, distribute, and install their applications to Windows users," Elastic

Malware / Endpoint Security

A new cyber attack campaign has been observed using spurious MSIX Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed **GHOSTPULSE**.

"MSIX is a Windows app package format that developers can leverage to package, distribute, and install their applications to Windows users," Elastic Security Labs researcher Joe Desimone said in a technical report published last week.

"However, MSIX requires access to purchased or stolen code signing certificates making them viable to groups of above-average resources."

Based on the installers used as lures, it's suspected that potential targets are enticed into downloading the MSIX packages through known techniques such as compromised websites, search engine optimization (SEO) poisoning, or malvertising.

Launching the MSIX file opens a Windows prompting the users to click the Install button, doing so which results in the stealthy download of GHOSTPULSE on the compromised host from a remote server ("manojsinghnegi\[.\]com") via a PowerShell script.

This process take place over multiple stages, with the first payload being a TAR archive file containing an executable that masquerades as the Oracle VM VirtualBox service (VBoxSVC.exe) but in reality is a legitimate binary that's bundled with Notepad++ (gup.exe).

Also present within the TAR archive is handoff.wav and a trojanized version of libcurl.dll that's loaded to take the infection process to the next stage by exploiting the fact that gup.exe is vulnerable to DLL side-loading.

"The PowerShell executes the binary VBoxSVC.exe that will side load from the current directory the malicious DLL libcurl.dll," Desimone said. "By minimizing the on-disk footprint of encrypted malicious code, the threat actor is able to evade file-based AV and ML scanning."

The tampered DLL file subsequently proceeds by parsing handoff.wav, which, in turn, packs an encrypted payload that's decoded and executed via mshtml.dll, a method known as module stomping, to ultimately load GHOSTPULSE.

GHOSTPULSE acts as a loader, employing another technique known as process doppelgänging to kick start the execution of the final malware, which includes SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Maware

New YoroTrooper research, the latest on the Cisco IOS vulnerability, and more.

Thursday, October 26, 2023 14:10

Coming from the newspaper and media industry, I’m no stranger to wanting to write catchy headlines. I’m certainly at fault for throwing together a story about so-and-sos house sold for X million dollars.  

But recently I’ve been wondering if those “big numbers” for cybersecurity are helpful at all, even though they might generate clicks to a news organization. 

I saw several media outlets had reported on a new estimate from commercial insurance market Lloyd's of London that a cyber attack on any international global payments systems could cost $3.5 trillion globally, hurting many major world economies. 

At face value, that seems bad, and it’s a number that’s sure to come up with board rooms or any place decision-makers meet to discuss cybersecurity. 

It likely catches the eye of readers at home who are skimming newspaper headlines (if you’re like my dad and one of the last people who still reads physical newspapers).  

But what use is actually throwing these types of numbers out there? It reminds me of the discussion around climate change or any other problem that seems larger than life. I tend to not dwell on the worst-case scenario reports that always come out and make headlines because I feel these have a tendency to make people feel defeated — like there is no purpose in trying to make a difference because the problem is so overwhelming that one individual contribution won’t matter anyway, so then we all sit by and do nothing. 

If every time there is a major cyber attack, and we shame the targeted company by pointing out how many millions of dollars they lost, it’s just another form of public shaming that I’ve written about before that can lead to a stigma around disclosing cyber attacks. 

That Lloyd’s of London report is far from the first of its kind, these kinds of numbers pop up all the time, especially at the end of the calendar year when outlets want to write stories about how much cyber attacks cost consumers that year (there were estimates ranging from $7 billion to $10 billion in 2022). 

To me, numbers like this only contribute to fear, uncertainty and doubt (FUD) in the cybersecurity space. A small business owner who sees cybersecurity as a trillion-dollar problem to be solved by world governments isn’t going to see implementing a better password on their store’s wireless router as anything that’s going to help, because the global economy is in a bad place anyway if one day everyone’s point-of-sale systems go down at once. 

I’m sure many of these reports and estimates are created in good faith by experts who know what they’re talking about, and on a grand scale, yes, it’s important to know how serious of a problem this is for everyone, no matter where you live in the world. 

But I think we’d all be better served spending time talking about ways to get easy cybersecurity wins rather than losing sleep over a global hack that may or may not ever happen. 

**The one big thing **

New Talos research shows that the YoroTrooper threat actor is likely operating out of Kazakhstan. Our latest blog post on this group outlines how they’re still expanding their spam operations and using Azerbaijan-related false flags to throw researchers off their scent. The threat actor also uses online exchanges, such as alfachange\[.\]com, which converts money from Kazakhstani Tenge to Bitcoin via their Visa and Mastercard cards. 

**Why do I care? **

YoroTrooper’s targeting appears to be focused on Commonwealth of Independent States (CIS) countries, and the operators have compromised multiple state-owned websites and accounts belonging to government officials of these countries between May and August 2023. Any organization that falls into that category should certainly be on the lookout, but since this actor has continued to operate for so long, it’s impossible to say where they’d pivot next. Talos believes that, in addition to commodity and custom malware, YoroTrooper continues to rely heavily on phishing emails that direct victims to credential harvesting sites. 

**So now what? **

Talos has an exhaustive list of new indicators of compromise that you can run against your network to check for any YoroTrooper activity. A new round of Snort rules and ClamAV signatures can also detect this activity, along with the many information-stealing malware that YoroTrooper tends to use in its campaigns.  

**Top security headlines of the week **

**AI tools like ChatGPT are getting increasingly good at writing malicious code and spam emails, two new studies found.** An internal study at IBM found that employees who were targeted with ChatGPT-written spam emails were just as likely to click on them as ones written by humans. The leader of the experiment said it only took her team about five minutes to get ChatGPT to write the spam email in question, despite workarounds in place to keep users from exploiting the chat bot for these types of uses. A separate study at the University of Sheffield released last week also found that, by asking ChatGPT and other AI applications for a certain series of prompts, they produced malicious code. When executed, that code would leak confidential database information, interrupt a database's normal service, or destroy it. That study specifically focused on Text-to-SQL systems, which is AI that allows users to search databases by asking questions in plain language. (Axios, TechXplore) 

**The alleged leader of the Ragnar Locker ransomware gang was arrested in Paris earlier this month.** Eleven law enforcement agencies teamed up to find the suspected developer and take down infrastructure associated with Ragnar Locker. Five additional suspects were interviewed in Spain and Latvia. Authorities seized the group’s leak site, as well, posting a takedown notice for victims, though no resources appear to be available yet for anyone looking to negotiate with the attackers or who are currently infected with Ragnar Locker. Ragnar Locker has been active since 2019, targeting the energy sector, hospitals, airports, and more. It utilized double extortion tactics, threatening to leak any stolen data if the ransom isn’t paid. For example, this resulted in the reveal of several video games under development by Capcom. (Dark Reading, CPO Magazine) 

**Attackers breached the network of software firm Okta, stealing access tokens and sitting on the company’s customer support platform for at least two weeks.** Okta said the attack only affected a few customers, but password management service 1Password said this week it was the target of a follow-on attack using the stolen tokens. However, 1Password said no customer login information was affected. Okta provides identity and login tools like multi-factor authentication and single sign-on to major companies across the globe. The disclosure from Okta came weeks after major cyber attacks on MGM Resorts and Caesar’s Entertainment, in which adversaries tricked Okta multi-factor authentication administrators into resetting requirements, which provided them easier access to the targeted networks at those casinos and hotels. (Krebs on Security, Ars Technica) 

**Can’t get enough Talos? **

*   Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities 
*   Attacks on web applications spike in third quarter, new Talos IR data shows 
*   The Need to Know: What is cracktivator software? 
*   9 vulnerabilities found in VPN software, including 1 critical issue that could lead to remote code execution 
*   Talos Takes Ep. #159: What happens when you actually click the "report spam" button?  

**Upcoming events where you can find Talos **

**Black Hat Middle East and Africa** **(Nov. 16)** 

Riyadh, Saudi Arabia 

> _Rami Atalhi from Talos Incident Response will discuss how generative AI affects red and blue teams in cybersecurity. Discover how generative AI creates a bridge between these teams, fostering teamwork and innovative strategies. Real-world cases will demonstrate how generative AI drives success, providing insights for building resilient cybersecurity plans._ 

**misecCON** **(Nov. 17)** 

Lansing, Michigan 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd 

**SHA 256:** 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5   
**MD5:** 8c80dd97c37525927c1e549cb59bcbf3     
**Typical Filename:** Eternalblue-2.2.0.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Exploit.Shadowbrokers::5A5226262.auto.talos 

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934    
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c    
**VirusTotal:** Typical Filename: Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg 

**SHA 256:** 744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241   
**MD5:** a5e26a50bf48f2426b15b38e5894b189   
**Typical Filename:** a5e26a50bf48f2426b15b38e5894b189.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Generic::1201 

**SHA 256: 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab**   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201

How helpful are estimates about how much cyber attacks cost?

A relatively new threat actor known as YoroTrooper is likely made of operators originating from Kazakhstan.
The assessment, which comes from Cisco Talos, is based on their fluency in Kazakh and Russian, use of Tenge to pay for operating infrastructure, and very limited targeting of Kazakhstani entities, barring the government's Anti-Corruption Agency.
"YoroTrooper attempts to obfuscate the

Endpoint Protection / Malware

A relatively new threat actor known as **YoroTrooper** is likely made of operators originating from Kazakhstan.

The assessment, which comes from Cisco Talos, is based on their fluency in Kazakh and Russian, use of Tenge to pay for operating infrastructure, and very limited targeting of Kazakhstani entities, barring the government's Anti-Corruption Agency.

"YoroTrooper attempts to obfuscate the origin of their operations, employing various tactics to make its malicious activity appear to emanate from Azerbaijan, such as using VPN exit nodes local to that region," security researchers Asheer Malhotra and Vitor Ventura said.

First documented by the cybersecurity company in March 2023, the adversary is known to be active since at least June 2022, singling out various state-owned entities in the Commonwealth of Independent States (CIS) countries. Slovak cybersecurity firm ESET is tracking the activity under the name SturgeonPhisher.

YoroTrooper's attack cycles primarily rely on spear-phishing to distribute a medley of commodity and open source stealer malware, although the group has also been observed using the initial access vector to direct victims to attacker-controlled credential harvesting sites.

"The practice of credential-harvesting runs complementary to YoroTrooper's malware-based operations with the end goal being data theft," the researchers said.

Public disclosure of the threat actor's campaigns has prompted a tactical revamp of its arsenal, pivoting from commodity malware to custom tools programmed in Python, PowerShell, Golang, and Rust.

The actor's strong ties to Kazakhstan stem from the fact that it regularly conducts security scans of the state-owned email service, mail\[.\]kz, indicating continued efforts to monitor the website for potential security vulnerabilities.

It also periodically checks for currency conversion rates between Tenge and Bitcoin on Google ("btc to kzt") and uses alfachange\[.\]com to convert Tenge to Bitcoin and pay for infrastructure upkeep.

Beginning in June 2023, YoroTrooper's targeting of CIS countries has been accompanied by an increased focus on bespoke implants, while simultaneously using vulnerability scanners such as Acunetix and open-source data from search engines like Shodan to locate and infiltrate victim networks.

Some of the targets included Tajikistan's Chamber of Commerce, the Drug Control Agency, the Ministry of Foreign Affairs, Kyrgyzstan's KyrgyzKomur, and the Ministry of Energy of the Republic of Uzbekistan.

Another notable aspect is the use of email accounts to register and purchase tools and services, including a NordVPN subscription and a VPS instance from netx\[.\]hosting for $16 a month.

A major update to the infection chain entails porting its Python-based remote access trojan (RAT) to PowerShell as well as employing a custom-built interactive reverse shell to run commands on infected endpoints via cmd.exe. The PowerShell RAT is designed to accept incoming commands and exfiltrate data via Telegram.

In addition to experimenting with multiple types of delivery vehicles for their backdoors, YoroTrooper is said to have added Golang- and Rust-based malware as of September 2023, allowing it to establish a reverse shell and harvest sensitive data.

"Their Golang-based implants are ports of the Python-based RAT that uses Telegram channels for file exfiltration and C2 communication," the researchers explained.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

YoroTrooper: Researchers Warn of Kazakhstan's Stealthy Cyber Espionage Group

The YoroTrooper group claims to be from Azerbaijan and even routes its phishing traffic through the former Soviet republic.

A Kazakhstan attack group with a penchant for sending phishing messages is doing its dirty work in an Azerbaijani disguise.

YoroTrooper was first detected in June 2022 and often targets former Soviet republics, including Russia, Armenia, Belarus, and Moldova, as well as Azerbaijan, and typically targets government entities.

But given YoroTrooper's language preferences, its use of Kazakhstani currency, and very limited targeting of Kazakhstani entities, researchers from Cisco Talos have concluded that the group is from Kazakhstan.

Researchers also determined "with high confidence" that YoroTrooper made numerous efforts to disguise its origin by hosting a majority of their infrastructure in Azerbaijan, while still targeting institutions in that country.

Most of YoroTrooper's operations are routed via Azerbaijan, although the attackers do not appear to speak the Azerbaijani language.

"Our primary observation that points toward the actor being of Kazakh origin is that they speak Kazakh and Russian, both of which are official languages of Kazakhstan," researchers said. "YoroTrooper frequently visits websites written in Kazakh and has used Russian in debugging and logging messages in their custom Python Remote Access Trojans."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#cisco