There were a record number of zero-day attacks last year, but some basic cyber-hygiene strategies can help keep your organization more safe.

Few security exploits are the source of more sleepless nights for security professionals than zero-day attacks. Just over Memorial Day weekend, researchers discovered a new vulnerability enabling hackers to achieve remote code execution within Microsoft Office. Dubbing the evolving threat the Follina exploit, researchers say all versions of Office are at risk. And because blue teams have no time to prepare or patch their systems to defend against these software vulnerabilities, crafty threat actors can take advantage, taking their time after they've accessed an organization's environment to observe and exfiltrate data while remaining completely unseen.

And though sophisticated threat actors and nations have exploited zero-days for nearly two decades, last year saw a historic rise in the number of vulnerabilities detected. Both Google and Mandiant tracked a record number of zero-days last year, with the caveat that more zero-days are being discovered because security companies are getting better at finding them — not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal, though. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there's some basic cyber hygiene strategies that can keep your organization sufficiently prepared to mitigate zero-day exploits.

**How Do Zero-Days Work?**

Typically, what a zero-day will do is gain access to an environment through a vulnerability previously unseen, then it stealthily maps the environment and, when ready, launches the attack. This is far too late for an incident response team to prevent further damage. Staying alert for these slow-burn attacks requires an approach to security that prioritizes looking for certain techniques and behaviors that a hacker or known threat group may use, rather than scanning for specific pieces of malware. In other words, ensure that the technology your organization has is sufficient for protecting from the unknown. Many zero-days may never hit a hard drive, so pointing threat detection tools there could be fruitless.

While it might sound like a broken record, patching is integral to protection against exploits. As soon as a proof of concept (PoC) is made public on the Dark Web or more legitimate forums like GitHub, most vendors will develop a patch. Staying on top of guidance from industry organizations like (ISC)2 or federal authorities like the Cybersecurity and Infrastructure Security Agency is a good way to prioritize the exploits that are most relevant and most risky to your organization.

However, zero-day exploits are those that the vendor doesn't know exist, and therefore no patch is available. It's very difficult to defend against these without protections and detections that are broad enough to identify tactics, techniques, and procedures. In some cases, protection technologies can use behavioral detections to block certain activities, while in other cases, using detection technologies or human expertise in a security operations center is the only defense.

Above all, investing in the human element of security will place an organization in the best position to limit the financial and data losses zero-days can incur. By placing hands on keyboards and unlocking visibility into all aspects of an ecosystem, a security team can more readily detect hints that a zero-day might be targeted against them and deploy necessary patches. For example, if a robot you operate in the US randomly connects to a server in Ukraine without any other unusual behavior, it might signal that a zero-day has been leveraged. And while there may have been an initial access into your robot or environment through a zero-day, having a broad view of your IT security ecosystem, along with technologies like artificial intelligence, can alert an incident response team to create a patch for a vulnerability as soon as possible.

Thankfully, even though more zero-days are being discovered than ever before, they're still relatively rare in the world of cybersecurity. Up until the last several years, zero-day exploits were mostly identified and held closely by national governments, who wanted to save them to deploy whenever necessary. But the commercialization of hacking groups, including ransomware-as-a-service platforms, has created an ecosystem incentivizing the purchasing and selling of zero-days, often with the financial or technological resources of a nation-state in support.

With such capable attackers, virtually every business should be worried — from large companies that serve as final targets for hackers, to smaller companies that can serve as stepping stones in a sequence of attacks. The constant of security operations can detect and mitigate threat actors from lurking behind the scenes of an IT ecosystem through a zero-day exploit, no matter the origin. So, while patching is proper preparation, the investment in trained security professionals, in-house or outsourced, is the best defense against zero-days.

Zero-Days Aren't Going Away Anytime Soon & What Leaders Need to Know

A NULL pointer dereference flaw was found in the Linux kernel’s KVM module, which can lead to a denial of service in the x86_emulate_insn in arch/x86/kvm/emulate.c. This flaw occurs while executing an illegal instruction in guest in the Intel CPU.

Permalink

Browse files

KVM: x86: avoid calling x86 emulator without a decoded instruction

Whenever x86\_decode\_emulated\_instruction() detects a breakpoint, it
returns the value that kvm\_vcpu\_check\_breakpoint() writes into its
pass-by-reference second argument.  Unfortunately this is completely
bogus because the expected outcome of x86\_decode\_emulated\_instruction
is an EMULATION\_\* value.

Then, if kvm\_vcpu\_check\_breakpoint() does "\*r = 0" (corresponding to
a KVM\_EXIT\_DEBUG userspace exit), it is misunderstood as EMULATION\_OK
and x86\_emulate\_instruction() is called without having decoded the
instruction.  This causes various havoc from running with a stale
emulation context.

The fix is to move the call to kvm\_vcpu\_check\_breakpoint() where it was
before commit 4aa2691 ("KVM: x86: Factor out x86 instruction
emulation with decoding") introduced x86\_decode\_emulated\_instruction().
The other caller of the function does not need breakpoint checks,
because it is invoked as part of a vmexit and the processor has already
checked those before executing the instruction that #GP'd.

This fixes CVE-2022-1852.

Reported-by: Qiuhao Li <qiuhao@sysec.org>
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Reported-by: Yongkang Jia <kangel@zju.edu.cn>
Fixes: 4aa2691 ("KVM: x86: Factor out x86 instruction emulation with decoding")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220311032801.3467418-2-seanjc@google.com>
\[Rewrote commit message according to Qiuhao's report, since a patch
 already existed to fix the bug. - Paolo\]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

*   Loading branch information

CVE-2022-1852: KVM: x86: avoid calling x86 emulator without a decoded instruction · torvalds/linux@fee060c

Oliver Tavakoli, CTO at Vectra AI, gives us hope that surviving a ransomware attack is possible, so long as we apply preparation and intentionality to our defense posture.

Oliver Tavakoli, CTO at Vectra AI, gives us hope that surviving a ransomware attack is possible, so long as we apply preparation and intentionality to our defense posture.

Surviving ransomware is possible with a combination of preparation and intentionality. Often, there is a misguided characterization of ransomware attacks that implies defenders either completely thwart an attack or that attackers establish complete control of their targets’ IT infrastructure. But the past couple of years have illustrated that defenders’ success in dealing with ransomware attacks fall along a broad spectrum of potential outcomes, some obviously better than others.

It’s also easy to imagine that all groups who are in the ransomware business have the same skills, aim for the same goals, and operate under the same business models. But as is the case in any industry vertical, ransomware groups come with a wide range of skills and a variety of goals and business models.

And while it’s in vogue to refer to REvil and DarkSide as “franchise models” which supply Ransomware-as-a-Service, it is important to remember that the franchisees are effectively freelance cybercriminals. The franchiser provides back-office operations for these freelancers while exerting little influence on how they otherwise operate.

Given the above, let’s consider each of the factors that may affect an attack’s outcome.

****Attacker Skill and Persistence****

The skills of the attackers and the skills of the defenders – plus some elements of luck – generally determine the _possible_ extent to which an attack could progress:

*   **Low skills:** Some attackers may be skilled at attacking organizations with lagging security practices but will often meet their match in organizations that have robust defenses
*   **Wrong skills:** Attackers with skills and tooling useful in attacking traditional data centers will have trouble breaking into targets who have moved everything to the cloud
*   **Bad luck:** Organizations who are generally locked down but may have a temporary exposure which an attacker happens to stumble across
*   **Good luck:** Organizations who have left a persistent opening (e.g., open RDP access to the outside in an AWS enclave) may have a run of good luck as no attacker encounters it

****Attacker Goal****

Attack groups may also specialize in leak-centered vs. operation-centered goals.

Leak-centered goals involve exfiltrating and threatening to leak confidential data belonging to the targeted organization. The most valuable data in this regard is often data related to the target’s customers and employees as the potential for reputational and legal liability acts as a strong incentive for ransom payment.

Alternately, public disclosure or sale of intellectual property or trade secrets can also warrant the payment of ransom. The playbook for such attacks generally involves sending the victim a sample of the data to show what the attacker has. From there, it can escalate to publicizing a data sample and contacting the victim’s customers to apply pressure to the victim to pay the ransom.

An example of an attack with a leak-centered goal was the REvil-associated attack on Quanta, which exfiltrated specs of future Apple product designs. The attackers first demanded a $50m ransom from Quanta but soon decided that Apple had deeper pockets and tried to extort $50m in return for not publicly leaking the data or selling it to an Apple competitor.

Operation-centered goals involve attempts to cripple the ability of the victim organization to continue to operate. These attacks sometimes focus on traditional IT systems and at other times target systems which act as OT (Operational Technology), but which are often assembled from legacy IT (e.g. Windows NT) technology.

The exfiltration of confidential data and public leak or sale of the data is usually not present in this scheme. The DarkSide-associated attack on Colonial Pipeline (who paid $4.5m in ransom) and the REvil-associated attack on JBS Foods (who paid $11m in ransom) squarely targeted this goal: the ransoms were paid to try to ensure quick recovery in the ability of the companies to resume normal operations.

****Degrees of Success****

Several factors (including luck) constrain the possible outcomes of a ransomware attack. Possible outcomes include:

*   The attackers make insufficient progress on a targeted organization and give up. This may be due to the perceived degree of difficulty in successfully carrying out the attack or because some other targets that the attackers are simultaneously pursuing look more promising. Think of this as opportunity cost. Either way, no ransom is demanded.
*   The attackers succeed to a point and believe themselves to have _some_ leverage in demanding a ransom, but the ransom is ultimately not paid. The outcome in these cases is often some operational impact or reputational harm, but ultimately survival and (hopefully) a sense of renewed commitment to cyber security.
*   The attackers succeed to a point and the ransom request is modest enough that the victim may choose to pay the ransom as it is less costly than the recovery effort would be. This may also be influenced by the victim having a cyber insurance policy which provides ransomware coverage.
*   The attackers get access to the crown jewels and effectively can prevent the victim organization from operating their business. In this case, the victim organization may pay the ransom (Colonial Pipeline, JBS Foods) and restore services relatively quickly. Or they refuse to pay it (see the RobbinHood attack of the city of Baltimore or the Samsam attack on the city of Atlanta) and basically end up rebuilding their IT infrastructure from the ground up.

****Takeaways****

You should tabletop various scenarios covering attackers pursuing both leak-centered and operations-centered goals and consider your reactions to partial and complete success by the attackers:

*   Know the extent of your cyber insurance policy and what limitations it has.
*   If it comes to a ransom request, will your cyber insurance provider provide someone to handle ransom negotiations?
*   Do you have an incident response firm on retainer?
*   How robust is your disaster recovery plan?

Many of these types of questions will surface from tabletop exercises which will help you be more prepared should the fateful day arrive.

**_Oliver Tavakoli is CTO at Vectra AI._**

**_Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite._**

A Guide to Surviving a Ransomware Attack

Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.

June has seen the release of multiple security updates, with important patches issued for the likes of Google's Chrome and Android as well as dozens of patches for Microsoft products, including fixes for a Windows zero-day vulnerability that attackers had already exploited. Apple updates were absent at the time of writing, but the month also included some major enterprise-focused patches for Citrix, SAP, and Cisco products.

Here’s what you need to know about the major patches released in the past month.

Microsoft

Microsoft’s Patch Tuesday release was pretty hefty in June, including fixes for 55 flaws in the tech giant’s products. This Patch Tuesday was particularly important because it addressed an already exploited remote code execution (RCE) issue in Windows dubbed Follina, which Microsoft has been aware of since at least May.

Tracked as CVE-2022-30190, Follina—which takes advantage of vulnerabilities in the Windows Support Diagnostic tool and can execute without the need to open a document—has already been used by multiple criminal groups and state-sponsored attackers.

Three of the vulnerabilities addressed in Patch Tuesday affecting Windows Server are RCE flaws and rated as critical. However, the patches seem to be breaking some VPN and RDP connections, so be careful.

Google Chrome

Google Chrome updates continue to come thick and fast. That’s no bad thing, as the world’s most popular browser is by default one of the biggest targets for hackers. In June, Google released Chrome 103 with patches for 14 vulnerabilities, some of which are serious.

Tracked as CVE-2022-2156, the biggest flaw is a use-after-free issue in Base reported by Google’s Project Zero bug-hunting team that could lead to arbitrary code execution, denial of service, or corruption of data. Worse, when chained with other vulnerabilities the flaw could lead to full system compromise.

Other issues patched in Chrome include vulnerabilities in Interest Groups, WebApp Provider, and a flaw in the V8 Javascript and WebAssembly engine.

Google Android

Of the multiple Android security issues Google patched in June, the most severe is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed, Google said in its Android Security Bulletin.

Google also released updates for its Pixel devices to patch issues in the Android Framework, Media Framework, and System Components.

Samsung users seem to have gotten lucky with Android updates of late, with the device maker rolling out its patches very quickly. The June security update is no different, reaching the Samsung Galaxy Tab S7 series, Galaxy S21 series, Galaxy S22 series, and the Galaxy Z Fold 2 straightaway.

Cisco

Software maker Cisco released a patch in June to fix a critical vulnerability in Cisco Secure Email and Web Manager and Cisco Email Security Appliance that could allow a remote attacker to bypass authentication and log in to the web management interface of an affected device.

The issue, tracked as CVE-2022-20798, could be exploited if an attacker enters something specific on the login page of the affected device, which would provide access to the web-based management interface, Cisco said.

Citrix

Citrix has issued a warning urging users to patch some major vulnerabilities that could let attackers reset admin passwords. The vulnerabilities in Citrix Application Delivery Management could result in corruption of the system by a remote, unauthenticated user, Citrix said in a security bulletin. “The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted,” the company wrote.

Citrix recommends that traffic to the Citrix ADM’s IP address be segmented from standard network traffic. This diminishes the risk of exploitation, it said. However, the vendor also urged customers to install the updated versions of Citrix ADM server and Citrix ADM agent “as soon as possible.”

SAP

Software firm SAP has released 12 security patches as part of its June Patch Day, three of which are serious. The first listed by SAP relates to an update released on April 2018 Patch Day and applies to the browser control Google Chromium used by the firm’s business clients. Details of this vulnerability aren’t available, but it has a severity score of 10, so the patch should be applied straightaway.

Another major fix concerns an issue in the SAProuter proxy in NetWeaver and ABAP Platform, which could allow an attacker to execute SAProuter administration commands from a remote client. The third major patch fixes a privilege escalation bug in SAP PowerDesigner Proxy 16.7.

Splunk Enterprise

Splunk has released some out-of-band patches for its Enterprise product, fixing issues including a critical-rated vulnerability that could lead to arbitrary code execution.

Labeled CVE-2022-32158, the flaw could allow an adversary to compromise a Universal Forwarder endpoint and execute code on other endpoints connected to the deployment server. Thankfully, there’s no indication that the vulnerability has been used in any real-world attacks.

Ninja Forms WordPress Plug-In

Ninja Forms, a WordPress plug-in with over a million active installations, has patched a serious issue that’s probably being used by attackers in the wild. “We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” security analysts at the WordPress Wordfence Threat Intelligence team said in an update.

This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present, researchers said.

The flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. WordPress appears to have performed a forced automatic update for the plug-in, so your site may already be using one of the patched versions.

Atlassian

Australian software company Atlassian has released a patch to fix a zero-day flaw that’s already being exploited by attackers. Tracked as CVE-2022-26134, the RCE vulnerability in the Confluence Server and Data Center can be used to backdoor internet-exposed servers.

GitLab

GitLab has issued patches for versions 15.0.1, 14.10.4, and 14.9.5 for GitLab Community Edition and Enterprise Edition. The updates contain important security fixes for eight vulnerabilities, one of which could allow for account takeover.

With this in mind, the firm “strongly recommends” that all GitLab installations be upgraded to the latest version “as soon as possible.” GitLab.com is already running the patched version.

You Need to Update Windows and Chrome Right Now

By Waqas
The new phishing scam uses malicious and fake chatbots to steal login credentials of unsuspected Facebook users through…
This is a post from HackRead.com Read the original post: Facebook Phishing Scam: Crooks Using Messenger Chatbots to Steal Login Data

****The new phishing scam uses malicious and fake chatbots to steal login credentials of unsuspected Facebook users through Facebook Messenger.****

A new phishing campaign has been discovered by Trustwave security researchers, which involves using Facebook Messenger chatbots while the campaign’s objective is to steal user credentials.

According to Trustwave’s analysis of this new phishing campaign, the chatbots impersonate customer support staff of the social network. These bots then hijack pages by compelling page managers to enter credentials for that Facebook page. The malicious chatbots and websites were quickly taken down after Trustwave’s report.

Chatbots are basically specially designed programs that provide customer support and answer user queries as live support staff before the question is forwarded to a human employee. These bots are generally used by businesses that offer live chat or customer support services.

**Attack Scenario Explained**

This phishing attack started with an email informing the recipient that Facebook would delete their page after 48 hours for violating Meta community standards. When the recipient clicked on the Appeal Now link, they were redirected to a fake Messenger support page hosted by Google Firebase, where they had to interact with chatbots. 

Fake Support chatbot (Image: Trustwave)

Researchers noticed that the phony support chatbot profile was a fan/business page that didn’t have any followers or posts. However, the attackers used the official Messenger logo on the profile page to make the bot appear legit. In the Appeal form, the user entered their name, surname, email ID, page name, and mobile number. 

They were also prompted to complete 2FA authentication, and the OTP could be of any length. As soon as the user clicked on Submit button, the attackers received the form, and the credentials were compromised while the user was redirected to Meta’s official intellectual property and copyright guidelines page.

Password stealing and Fake OTP Page (Image: Trustwave)

**How was the Scam Exposed?**

Concerns were raised when researchers identified many errors in the email, which hinted at its malicious nature. Such as, a dot was missing after the third sentence, and there was incorrect capitalization of the word Page.

The email header also contained several errors pointing to the email’s illegitimacy. For instance, Policy Issues was written in the sender’s name, and the sender domain didn’t belong to Facebook/Meta.

> “The fact that the spammers are leveraging the platform that they are mimicking makes this campaign a perfect social engineering technique.”
> 
> Trustwave

In conclusion, it is imperative that social media users be cautious when opening such warning notices and always check for red flags before giving away sensitive information. Moreover, it is always best to be cautious when engaging with someone on Facebook or social media in general. If you are unsure about the legitimacy of a user or bot, do not provide any personal information and report them to Facebook.

**More Facebook Phishing News**

*   URL Padding: Facebook Mobile Users Hit by Phishing Scam
*   Facebook ads used in spreading Facebook Messenger phishing scam
*   Facebook Last Warning Phishing Scam Stealing Login, Credit Card Data
*   “I think you appear in this video” phishing scam hijacks Facebook accounts
*   Microsoft, PayPal & Facebook most targeted brands in phishing scams: Report

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Facebook Phishing Scam: Crooks Using Messenger Chatbots to Steal Login Data

Microsoft is urging organizations that don't have automatic updates enabled to update to the latest version of Linux Server Fabric to thwart the "FabricScape" cloud bug.

Microsoft this week disclosed a serious container-escape vulnerability in its widely used Azure Service Fabric technology, which gives attackers a way to gain root privileges on the host node and take over all other nodes in the cluster.

The privilege-escalation bug is only exploitable on Linux containers, though it is present in Windows container environments as well, Microsoft said in an advisory Tuesday. Security researchers from Palo Alto Networks reported the bug — which they have dubbed FabricScape — along with a fully operational exploit, on Jan. 30, 2022. Microsoft released a fix for the issue (CVE-2022-30137) on June 14, but details on the bug were just released this week.

The fix has been applied to all customers that are subscribed to Microsoft's automatic update service, but others will need to manually patch to the latest version of Service Fabric. "Customers whose Linux clusters are automatically updated do not need to take further action," the company said in its bug disclosure announcement.

**A Privilege-Escalation Issue**

Service Fabric is a Microsoft container-orchestration technology — like Kubernetes. Numerous organizations use it as a platform-as-a-service to deploy and manage containers and microservices-based cloud applications across a cluster of machines. Palo Alto Networks used Microsoft data to estimate that Service Fabric hosts more than 1 million applications daily across millions of cores.

The bug that Palo Alto Network discovered exists in a logging function with high privileges in a Service Fabric component called Data Collection Agent (DCA). Researchers from the security vendor's Unit 42 threat intelligence team found that an attacker with access to a compromised container could exploit the vulnerability to escalate privileges and gain control of the host node and, from there, escape it and attack the entire cluster.

"The vulnerability allows attackers to take over the entire Service Fabric environment if they get a hold of a single application," says Ariel Zelivansky, director of security research at Palo Alto Networks. This allows attackers to perform lateral movement and to steal, destroy, or manipulate data. Other actions that an attacker could take by exploiting FabricScape include deploying ransomware or hijacking systems for cryptomining.

"If an organization hosts all of its applications, and possibly credentials, on Service Fabric, an attacker can gain control of all of those," Zelivansky says.

For an attack to be successful, a threat actor would first need to find a way to compromise a containerized workload on a Linux Service Fabric cluster, Microsoft said. The attacker would then need to trigger the DCA to run the vulnerable function in a manner that results in a so-called "race condition" where malicious code can be introduced into the environment.

**PoC: Exploiting the Flaw**

Researchers at Palo Alto Networks were able to exploit the vulnerability on Azure Service Fabric using a container under their control and a simulated compromised workload. They found the attack only worked if the compromised container had access to Service Fabric runtime data — something that is granted by default in single-tenant environments but less common in multitenant setups.

"Any application that is powered by a Service Fabric Linux cluster with runtime access, which is granted by default, is affected," Zelivansky said. Last year, Palo Alto Networks discovered another set of vulnerabilities in the Azure Container Instances (ACI) platform that allowed for a similar container escape.

Microsoft urged organizations using Service Fabric to review containerized workloads in both Linux and Windows environments that had access to host clusters. "By default, a \[Service Fabric\] cluster is a single-tenant environment and thus there is no isolation between applications," Microsoft said. All applications running in these single tenant environments are considered trusted and therefore have access to Service Fabric runtime, Microsoft said.

Thus, organizations that want to run untrusted application in a Service Fabric cluster should take additional measures to create isolation between applications and should remove access to Service Fabric runtime for those untrusted apps, Microsoft said.

Zelivansky says the first layer of defense against vulnerabilities such as FabricScape is focusing on the application itself, limiting the possibility of an attack by remediating known vulnerabilities in their code. They can also limit exposure to the Internet.

However, he offers a caveat: "But the reality is that even if an application is safe from any known vulnerability, zero-day vulnerabilities could be discovered and exploited in any code. And \[software\] supply-chain attacks such as typosquatted or malicious packages are becoming more common than before," he says.

Zelivansky says organizations running Linux Service Fabric clusters should check their cluster version and verify the version is at least 9.0.1035.1. "An organization should check if they have Linux-based applications on Service Fabric. If the answer is yes, we recommend giving top priority to addressing this vulnerability now that its full details are out."

**Cloud Vulnerabilities in Cyberattackers' Sights**

Vulnerabilities in cloud products and services have become a growing concern for organizations — and not just because of the security risks associated with them. In many cases, organizations also have a hard time keeping track of cloud vulnerabilities because of the absence of a common vulnerability enumeration (CVE) program for cataloging them. Because many cloud-security issues are considered the service provider's sole responsibility, there often has been little disclosure of these issues, leaving organizations in the dark about whether they might have been exposed to a specific threat.

This week researchers at Wiz launched a new community-based cloud vulnerability database aimed at addressing this lack of information. The database currently contains information on some 70 previous security issues in cloud products and services. Anyone can add to the database going forward. The goal is to make it a central repository for information on cloud threats in the absence of a formal program like MITRE's CVE program for information security flaws.

Patch Now: Linux Container-Escape Flaw in Azure Service Fabric

The malware has been in circulation since 2020, with sophisticated, advanced malicious actors taking advantage of the vulnerabilities in SOHO routers as the work-from-home population expands rapidly.

Security researchers have discovered a multi-stage remote access Trojan (RAT) currently being used against a wide range of small office-home office (SOHO) routers in Europe and North America — potentially the work of a state-sponsored actor.

Researchers believe that at least 80 victims have been infected so far during the campaign.

The malware, known as ZuoRAT, has been active since 2020, according to the Black Lotus Labs, the threat intelligence arm of Lumen Technologies.

According to the report, the malware makes its way onto the routers through exploits for known vulnerabilities. It can also infect other devices in the network and introduce additional malware via DNS and HTTP hijacking.

"ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device, and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules)," Lumen's threat intelligence team wrote in a blog post on the malware.

**Trojan Targets Cisco, Netgear Routers**

The malware targets routers from Cisco, Netgear, Asus, and DrayTek.

"The device types consisted of, but were not limited to: Cisco RV 320, 325 and 420; Asus RT-AC68U, RT-AC530, RT-AC68P and RT-AC1900U; DrayTek Vigor 3900 and unspecified NETGEAR devices," according to the analysis.

The research team noted that while compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported.

"Reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are \[rare\] and a mark of a complex and targeted operation," the post continued. "The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization."

From the perspective of Danny Adamitis, principal information security engineer for Lumen Black Lotus Labs, the sophistication of this campaign cannot be overstated, especially the ability to enumerate infected devices and the LANs they are connected to, and packet-capture network traffic for additional targeting.

"Moreover, the multi-stage campaign includes multiple fully functional Trojans, as well as complex and covert C2 and proxy C2 infrastructure to obfuscate command-and-control and evade detection, which is why it went undetected for nearly two years," he adds.

**Other Trojans Found on Hacked Devices**

To Adamitis' point, the researchers found two other Trojans on the hacked devices. One was based on C++ and targeted Windows workstations. The other Trojan was based on the Go programming language and attacked Linux and macOS as well as Windows.

Among other things, they allowed the attackers to start new processes, gain permanent access to infected systems, intercept network traffic, and upload or download arbitrary files.

**Shift to Secure the Home Office**

According to a recent survey, nearly a quarter of the respondents (23%) named securing the remote workforce as their top priority for 2022. Routers are an important part of that, as they act as central waypoints for the rest of the home IT footprint.

"Once you are on the router you have a full trusted connection to poke and prod at whatever device is connected to it," Dahvid Schloss, offensive security team lead at Echelon, said via email. "From there, you could attempt to use proxychains to throw exploits into the network or just monitor all the traffic going in, out, and around the network."

So, as part of the work-from-home shift, some major vendors are moving their security focus, such as HP, which helps admins secure work-from-home endpoints by extending cloud security management that can remotely track, detect, and self-heal remote company devices.

"The consumer router space is ripe for targeting because these devices reside outside of the traditional security perimeter, and they are rarely monitored or patched," Adamitis adds. "This is only exacerbated by the rapid shift to remote work at the start of the pandemic."

Alex Ondrick, director of security operations at incident-response specialist BreachQuest, says a general lack of security controls for consumer-grade routers, and difficulties in "force" patching/update for them, makes SOHO routers particularly vulnerable.

"If a SOHO router is unpatched or vulnerable to known security flaws, ZuoRAT poses a dangerous combination of reconnaissance and authentication-bypass exploit script and lateral-movement capabilities," he explains.

**Bolstering the Human Firewall**

Ondrick adds that the SOHO router threat is an opportunity for organizations to expand their security awareness programs and spread valuable improved security measures among their users.

"Educating users on how to protect their home networks, their passwords, their financial information, and their families increases their engagement and builds cybersecurity hygiene and acumen they take back to the office, and reduces the organization's attack surface and builds the better human firewall," he says.

He says SOHO users should regularly update their router's firmware and ensure their devices are behind multiple layers of security (defense-in-depth) wherever possible.

For home routers, he says it's important to leverage the vendor's built-in security capabilities alongside host-based network security wherever possible.

"Think of your home router as 'yet another' device which should be regularly updated and think of it as the 'first line of defense' between you and the public-facing Internet," he says. "Pending any leaps forward in SOHO router security, consider adding a recurring biannual reminder on your phone or calendar to check for updates on your router's firmware."

ZuoRAT Hijacks SOHO Routers From Cisco, Netgear

It's time to decide which role to play to best serve your organization's security needs: an auditor, a lawyer, or a developer.

Your business relies on software, and attackers know that. To prevent your applications from being used against you, you need an application security (AppSec) program that delivers three crucial things:

*   **Secure code**: Your code has to be vulnerability-free and well-defended.
*   **Secure software supply chain**: Ditto for your libraries, products, and dev tools.
*   **Secure operations:** You must detect attacks and prevent exploits in production.

You can choose a number of paths to get to that level of protection. Which path you choose depends on your teams, processes, technology, and culture. How do they all work together? Keep in mind that an AppSec program isn't about eliminating risk. Business involves taking risks, and there's no way to completely eradicate it. But there's a big difference between taking blind risks while not knowing what could go wrong vs. being aware of how likely it is that an issue will be found and exploited, as well as how catastrophic (or not) the outcomes might be.

When it comes to risk decisions, choosing a strategy for your AppSec program is the most important one you'll face. Setting up an AppSec program is nuanced and varied, but consider which of the following three general types best fits your company. The wrong path could leave you with a massive weight of security debt, or even possibly breached, because time was wasted chasing vulnerabilities that weren't all that relevant and real risks got buried in the "never got to it" pile.

**1\. The Auditor: Checkbox AppSec**

In "minimal" AppSec programs, small teams do only what's required of them by either external standards or their customers. The goal is to simply check off the boxes for application security standards like OWASP, PCI, and NIST, all of which are, essentially, checklists. Many types of companies adopt this strategy — most commonly, small and midsize businesses — but the checklists don't bring them actual security.

It's not that minimal AppSec programs never succeed. They can by relying on free or very inexpensive tools, such as OWASP ZAP and DependencyCheck, to assess code. An inexpensive cloud web application firewall (WAF) for production might also be in the mix. But these tools can show false-negatives that miss real vulnerabilities, giving organizations a false sense of security. Such tools also tend to throw false-positives that lead to squandered resources and huge backlogs instead of actual remediation.

An upside to having a minimal AppSec program is that the budget for people and tools tend to be small. But because minimal AppSec programs don't offer a clear understanding of business risk, organizations are underinvesting in enterprise security based on incomplete information.

**2\. The Lawyer: Adversarial AppSec**

In adversarial AppSec programs, the development team tries to deliver code as fast as possible while the siloed security team wrestles for control. Development focuses on delivering features, while the security team tries to add more security activities. Large companies tend to adopt this approach, as do critical industries such as finance, banking, e-commerce, and insurance.

This approach requires a large security team to execute all of the activities. Most have various subteams focused on architecture, policy, threat modeling, policy, static scanning, dynamic scanning, WAFs, training, and more. Adversarial programs always have more analysis to do, but security teams don't actually fix code in this type of program. Organizations often adopt "champion" programs to help get all of the work done. But without a clear line of sight from activities desired outcomes, much of the busy work has little to no measurable effect.

Given a big enough team and a big budget, adversarial AppSec programs can be effective. But most programs struggle to handle the volume of tool output, particularly as development teams speed up their software releases. Most vulnerabilities wind up in an ever-growing pile of issues that are neither triaged nor remediated. Development teams are confronted with significant delays and bottlenecks due to these backlogs, which are coupled with security testing and gates. Innovation suffers because of these delays, which cause frustration and force development teams to seek exceptions and bypass security.

**3\. The Developer: Developer-Centric AppSec**

Developer-centric AppSec programs strive to put application security directly into the hands of software development teams as part of their regular work. The goal: for the teams to eventually establish an automated pipeline that ensures strong security across the software development life cycle, starting with the developer and on into production. This type of program is often called "DevSecOps," or "shift left."

DevSecOps programs use the "big machinery" of software development to do security work, as opposed to smaller, siloed AppSec teams. Given that developers won't tolerate slowing down pipelines or wasting time on false-positives, developer teams automate security testing in pipelines, using fast and highly accurate tools that enable fast security feedback loops and reduce cost.

Developer-centric programs employ interactive application security testing (IAST) tools to simultaneously perform fully automated security and quality tests. Doing so aligns development and security interests, as the teams work together on expanding test coverage and strengthening the pipeline. Visibility into attacks with runtime application self-protection (RASP) also provides teams with threat intelligence that informs security priorities. RASP technology prevents vulnerabilities from being exploited, allowing teams to respond to new vulnerabilities without having to run a fire drill.

The developer-centric approach is ideal for projects regardless of their stage in DevOps transformation. That said, this approach may not be able to take advantage of automated pipelines, quality testing infrastructure, and DevOps culture if applied to completely traditional projects. Then again, adopting a developer-centric approach to security may be the perfect catalyst to spark or to speed a DevOps transformation.

**Software Security Has Changed**

Inspired by incidents like SolarWinds, Log4Shell, and Spring4Shell, the world's governments have been pushed into doing something about application security. New regulations and standards from NIST, PCI, and OWASP all require a more sophisticated approach to AppSec and real evidence that what you're doing is actually effective.

Those employing a "minimal" or "adversarial" AppSec program will likely have to respond by making some changes, including:

*   **Threat modeling:** The days of checklists are over. You're going to need to threat-model your applications and then demonstrate that you've implemented decent controls for each.
*   **AST****:** You're also going to be expected to do a much more thorough job of testing the security of your applications and APIs. You'll have to provide evidence that you're testing the effectiveness of your defenses and remediating any problems found.
*   **SBOMs****:** To really get a handle on your open source use, you're probably going to need sensors that report library data to an always-up-to-date database. But in the meantime, you'll also need to generate software bills of materials (SBOMs) for your customers.

Bear in mind that if you decide to change up your approach, transforming one team at a time is probably preferable to trying to change everything all at once.

The trend toward more transparent application security that goes beyond simply checking off boxes likely won't stop here. The US government, for one, is evaluating a software security labeling scheme to create visibility and drive better security from producers. Whether this becomes reality remains to be seen, but one thing's safe to say: Now is a fine time to make sure you've chosen the right strategy for application security.

What's Your AppSec Personality?

Cybersecurity researchers have documented a new information-stealing malware that targets YouTube content creators by plundering their authentication cookies.
Dubbed "YTStealer" by Intezer, the malicious tool is likely believed to be sold as a service on the dark web, with it distributed using fake installers that also drop RedLine Stealer and Vidar.
"What sets YTStealer aside from other

Cybersecurity researchers have documented a new information-stealing malware that targets YouTube content creators by plundering their authentication cookies.

Dubbed "YTStealer" by Intezer, the malicious tool is likely believed to be sold as a service on the dark web, with it distributed using fake installers that also drop RedLine Stealer and Vidar.

"What sets YTStealer aside from other stealers sold on the dark web market is that it is solely focused on harvesting credentials for one single service instead of grabbing everything it can get ahold of," security researcher Joakim Kenndy said in a report shared with The Hacker News.

The malware's modus operandi, however, mirrors its counterparts in that it extracts the cookie information from the web browser's database files in the user's profile folder. The reasoning given behind targeting content creators is that it uses one of the installed browsers on the infected machine to gather YouTube channel information.

It achieves this by launching the browser in headless mode and adding the cookie to the data store, followed by using a web automation tool called Rod to navigate to the user's YouTube Studio page, which enables content creators to "manage your presence, grow your channel, interact with your audience, and make money all in one place."

From there, the malware captures information about the user's channels, including the name, the number of subscribers, and its creation date, alongside checking if it's monetized, an official artist channel, and if the name has been verified, all of which is exfiltrated to a remote server carrying the domain name "youbot\[.\]solutions."

Another notable aspect of YTStealer is its use of the open-source Chacal "anti-VM framework" in an attempt to thwart debugging and memory analysis.

Further analysis of the domain has revealed that it was registered on December 12, 2021, and that it's possibly connected to a software company of the same name that's located in the U.S. state of New Mexico and claims to provide "unique solutions for getting and monetizing targeted traffic."

That said, open-source intelligence gathered by Intezer has also linked the logo of the supposed company to a user account on an Iranian video-sharing service called Aparat.

A majority of the dropper payloads delivering YTStealer together with RedLine Stealer are packaged under the guise of installers for legitimate video editing software such as Adobe Premiere Pro, Filmora, and HitFilm Express; audio tools like Ableton Live 11 and FL Studio; game mods for Counter-Strike: Global Offensive and Call of Duty; and cracked versions of security products.

"YTStealer doesn't discriminate about what credentials it steals," Kenndy said. "On the dark web, the 'quality' of stolen account credentials influences the asking

price, so access to more influential Youtube channels would command higher prices."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New YTStealer Malware Aims to Hijack Accounts of YouTube Content Creators

See how these novel, sophisticated, or creative threats used techniques such as living off the land to evade detection from traditional defensive measures — but were busted by AI.

We're now halfway through 2022, and already we have seen a range of cyberattacks, familiar and unfamiliar, disrupting organizations. However, we have also seen uplifting stories of successful threat detection efforts, as well.

In this article, we will look at five novel, sophisticated, or creative threats that used techniques such as "living off the land" to evade detection by traditional defensive measures. These threats were all discovered by artificial intelligence (AI) technology, which can spot subtle deviations in device and user behavior and autonomously enforce "normal," stopping a threat in its tracks.

**1\. Leading Laboratory Interrupts Dark Web Insider Threat With AI**

Cyberattacks against the healthcare sector hit record highs last year, and for these organizations cyber threats can have severe real-world consequences. One of Darktrace's healthcare clients is a company specializing in the research, development, and manufacturing of innovative in vitro diagnostic tests for disease, conditions, and infections.

In March, this company was targeted by a malicious insider threat. An employee was looking to exploit their access within the organization to sell proprietary intellectual property, perhaps even medical supplies, on the Dark Web. The employee was detected using Tor on a company device to connect to a Dark Web pharmaceutical market forum.

Malicious or compromised insiders can be difficult to identify because their privileged access and knowledge of company workings allow them to evade detection by traditional security tools. In order to protect intellectual property from insider threat, organizations need to augment security teams with AI-powered technology to stop malicious activity in real time.

In this case, given that no other company device had visited the Tor network in the past, Darktrace's AI flagged the activity to the security team, who were then able to investigate the employee and discover their malicious intentions.

**2\. Babuk Double-Extortion Ransomware Neutralized at a Technology Manufacturer**

Babuk is a double-extortion ransomware strain that has successfully attacked high-value organizations around the world since 2021. In February 2022, however, it targeted a multinational technology manufacturer that had deployed AI cybersecurity. The targeted company facilitates the adoption of smart medical devices as well as electric and autonomous vehicles. This means uptime is important, and ransomware poses a significant risk.

The first sign of a threat came in the early hours of the morning, when the AI detected a company device performing network scanning and making unusual connections to other internal devices. Based on its understanding of the device's usual "pattern of life," the AI identified this out-of-the-ordinary behavior as malicious and calculated a response.

The AI was able to stop this attack without interfering with normal business operations in the company's office or on the manufacturing floor. It blocked only the malicious connections, while allowing the rest of the compromised device's operations to continue.

Once the attack had been stopped, a post-compromise analysis conducted by the AI revealed that the compromised device had indeed been attempting to distribute files with "babyk" extensions. These attacks often strike out of hours, so defenders of critical infrastructure should consider using artificial intelligence to allow their organizations to self-defend against advanced threats.

**3\. HR-Spoofing Attack Targets Employees at Private Equity Firm**

Phishing and spoofing emails continue to be the favorite initial entry point for cyberattackers. Earlier this year, a private equity firm looking to bolster its email security efforts trialed an AI email security solution and detected a targeted spoofing attack almost immediately.

The attackers had tailored their email to imitate the company's internal HR communications, titling it "Q3 Commission 2021 and Agenda" and designing it to look like a SharePoint Microsoft document. To a company employee, this email would not have looked at all out of place in their inbox.

Further investigation showed the email to be part of a wider trend of targeted phishing campaigns that use fake Microsoft branding to trick employees. The exact motivations of this attack are unknown because it was stopped in its earliest stages, but attacks like it are often launched with the aim of causing operational disruption or conducting IP and financial theft.

**4\. Ransomware Attack Against a Financial Services Provider Halted**

In March 2022, a South African financial services firm decided to try out Darktrace's technology and immediately uncovered an in-progress ransomware attack attempting to encrypt its most valuable data.

The first sign of compromise was a company mail server making unusual HTTP connections to an external endpoint and communicating with a malicious server via the Internet. Its understanding of the business and this particular mail server's normal behavior allowed the AI to identify the threatening activity.

The compromised server was then seen attempting to perform network reconnaissance and lateral movement to increase its presence within the organization. Further investigation revealed that attackers had obtained the credentials of 11 employees, including several C-level executives. With the attack spreading fast, more and more company devices began attempting to communicate with the malicious external server.

The AI quickly interrupted further attempts at communication with the malicious server but allowed normal business operations to continue. With the attack safely contained, Darktrace helped the company's security team to conduct a full investigation and ensure that the attack had been completely neutralized.

**5\. AI Stops Log4j Exploit at a Global Financial Services Provider**

The Log4Shell vulnerability that went public at the end of 2021 is one of the most serious and widespread exploits on record. It is thought by some to have affected hundreds of millions of devices and, as a zero-day, it has evaded lots of traditional security tools.

Fortunately, AI security has been able to mitigate the effects of Log4Shell for many of the organizations it protects. One of these, a global financial services provider with assets of over $5 billion, was targeted in March 2022.

The attackers used a Log4j vulnerability to gain access to one of the company's virtual desktop infrastructure (VDI) servers, from which they attempted to scan the surrounding network and spread throughout the enterprise. The server began downloading a shell script from a suspicious external endpoint, prompting an immediate alert from the company's AI-driven security measures.

Convinced of the severity of the threat by the alert, the company's security team promptly deployed AI technology to take precise action against the threat and maintain the regular business activities on the VDI server.

Fast action from this AI-driven response technology blocked the malicious connections and prevented the threat from progressing further, very likely saving the company from a ransomware attack.

Tag

#intel