Stay ahead of cybercrime with proactive threat hunting. Learn how threat hunters identify hidden threats, protect critical systems,…

Stay ahead of cybercrime with proactive threat hunting. Learn how threat hunters identify hidden threats, protect critical systems, and prevent data breaches through data analysis, investigation, and real-time action.

Cybercrime is more sophisticated than ever, and organizations must stay one step ahead to protect their sensitive data and critical systems. One essential practice to prevent security and data breaches is threat hunting.

Unlike traditional cybersecurity practices that rely on automated systems to detect known threats, threat hunting is a proactive approach that seeks out hidden and unknown threats lurking within an organization’s network.

This guide breaks down the role of the threat hunter and how they help organizations remain protected.

****Step 1: Define Your Threat Hunting Objectives****

Before diving into the technical aspects, setting clear objectives is essential. Threat hunters should ask questions like, “What threats are we most concerned about?” or “Which parts of our network are most vulnerable?” Defining specific goals ensures that threat hunting efforts are directed where they matter most, and it helps in focusing on specific attack vectors.

****Step 2: Gather and Analyze Data****

The next step in threat hunting involves collecting data from various network sources, such as log files, network traffic, and endpoint activity. The goal here is to get a detailed view of network activity to identify anomalies that may indicate a potential threat. Advanced analytical tools, including security information and event management (SIEM) systems, provide threat hunters with centralized data to examine patterns and detect outliers.

****Step 3: Formulate Hypotheses****

Once data is collected and analyzed, threat hunters move on to creating hypotheses. These hypotheses are based on potential threat scenarios and help to guide the search for suspicious activities. For instance, if recent cybercrime reports indicate a surge in phishing attempts, a hypothesis might be, “Attackers could use phishing emails to gain initial access to the network.”

****Step 4: Investigate and Identify Threats****

Now comes the investigative stage, where threat hunters search the network for indicators of compromise (IoCs) based on the hypotheses they’ve formed. This may include looking for unusual login patterns, detecting irregular data flows, or identifying unauthorized access to sensitive files. Specialized tools and software, such as endpoint detection and response (EDR) solutions, can significantly aid this stage by providing real-time insights into network activity.

A crucial part of this step is separating false positives from legitimate threats. Not every anomaly is a cyberattack, so threat hunters must validate findings with caution to avoid unnecessary alarms.

****Step 5: Contain and Eradicate Threats****

If a threat is identified, the next step is containment and eradication. Containment measures prevent the threat from spreading, while eradication eliminates it from the system entirely. These actions might involve isolating infected machines, blocking malicious IPs, or removing compromised accounts.

****Step 6: Review and Improve****

Once the threat has been dealt with, it’s time to conduct a thorough review. This involves analyzing what worked, what didn’t, and how the threat could have been prevented or detected sooner. The insights gained from this review are invaluable, as they help strengthen future threat-hunting efforts and reduce the likelihood of similar incidents.

****The Importance of Proactive Threat Hunting****

Cybercrime is constantly evolving, and organizations cannot rely solely on automated tools to stay protected. By incorporating threat hunting into their cybersecurity strategy, organizations can better protect their data, ensure network security, and maintain a safe digital environment for all stakeholders.

1.  What Is Incident Management Software?
2.  What is OSINT – Best Paid and Free OSINT Tools for 2024
3.  Behavior-based vs IOC-based Threat Detection Approaches
4.  Python in Threat Intelligence: Analyzing – Mitigating Cyber Threats
5.  Enhancing Security Solutions through AWS Marketplace Integration
6.  ANY.RUN Upgrades Threat Intelligence to Identify Emerging Threats

A Step-by-Step Guide to How Threat Hunting Works

The threat actors deceive their victims by impersonating the legal teams of companies, well-known Web stores, and manufacturers.

Source: Andrea Danti via Alamy Stock Photo

An unknown threat actor is targeting Facebook businesses and advertising account users in Taiwan through a phishing campaign, using decoy emails and fake PDF filenames.

These dupes are designed to impersonate a company's legal team and lure the victim in with its falsified details, convincing them to download and execute malware.

In addition, the bad actors sent phishing emails from a well-known industrial motor manufacturer and a famous online store in Taiwan, claiming copyright infringement by the business.

"The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance," said Cisco Talos researchers, which observed the scams in action.

They said the threat actors also use a variety of techniques and tools to evade antivirus detection and sandbox analysis, such as shellcode encryption, code obfuscation, and embedding LummaC2 and Rhadamanthys information stealers into legitimate binaries.

Lumma Stealer is a malware designed to exfiltrate information from compromised systems, targeting system details, Web browsers, and browser extensions, among other data.

Rhadamanthys is a sophisticated infostealer sold on underground forums that first emerged two years ago. It gathers system information, credentials, cryptocurrency wallets, passwords, cookies, and data from other applications. 

This phishing campaign has been ongoing since at least July; the initial vector of the campaign is a malware download link included in a phishing email using typical decoys in traditional Chinese, indicating that the target victims are Chinese speakers.

Facebook Businesses Targeted in Infostealer Phishing Campaign

Cisco Talos' Vulnerability Research team recently discovered five Nvidia out-of-bounds access vulnerabilities in shader processing, as well as eleven LevelOne router vulnerabilities spanning a range of possible exploits.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our

Thursday, October 31, 2024 11:29

Cisco Talos' Vulnerability Research team recently discovered five Nvidia out-of-bounds access vulnerabilities in shader processing, as well as eleven LevelOne router vulnerabilities spanning a range of possible exploits.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**NVIDIA Graphics remote out-of-bounds execution vulnerabilities**

_Discovered by Piotr Bania._

NVIDIA Graphics drivers are software for NVIDIA Graphics GPU installed on the PC. They are used to communicate between the operating system and the GPU device. This software is required in most cases for the hardware device to function properly.

Talos discovered multiple out-of-bounds read vulnerabilities in Nvidia that could be triggered remotely in virtualized environments, via web browser, potentially leading to disclosure of sensitive information and further memory corruption. Researchers used RemoteFX; while recently deprecated by Microsoft, some older machines may still use this software.

Advisories related to these vulnerabilities:  
TALOS-2024-1955 (CVE-2024-0121)  
TALOS-2024-2012 (CVE-2024-0117)  
TALOS-2024-2013 (CVE-2024-0118)  
TALOS-2024-2014 (CVE-2024-0120)  
TALOS-2024-2015 (CVE-2024-0119)

**LevelOne wireless SOHO router vulnerabilities**

_Discovered by Patrick DeSantis and Francesco Benvenuto_.

Eleven vulnerabilities of different types were discovered in the LevelOne WBR-6012 SOHO router.

The LevelOne WBR-6012 is a low-cost wireless SOHO router, marketed as an easy-to-configure and operate internet gateway for homes and small offices.

Talos discovered these vulnerabilities in the R0.30e6 version of the router:

TALOS-2024-1979 (CVE-2024-28875,CVE-2024-31151): Hard-coded credentials exist in the web service, allowing attackers to gain unauthorized access during the first 30 seconds post-boot. Used with other vulnerabilities that force a reboot, time restrictions for exploitation can be greatly reduced. An undocumented user account with hard-coded credentials also exists.

TALOS-2024-1981 (CVE-2024-24777): A cross-site request forgery vulnerability exists in the web application, and a specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious web page to trigger this vulnerability.

TALOS-2024-1982 (CVE-2024-31152): An improper resource allocation vulnerability exists due to improper resource allocation within the web application. A series of HTTP requests can cause a reboot, which could lead to network service interruptions and access to a backdoor account.

TALOS-2024-1983 (CVE-2024-32946): A cleartext transmission vulnerability exists, and sensitive information is transmitted via FTP and HTTP services, exposing it to network sniffing attacks.

TALOS-2024-1984 (CVE-2024-33699): A weak authentication vulnerability exists in the web application firmware, which allows attackers to change the administrator password to gain higher privileges without knowing the current administrator password.

TALOS-2024-1985 (CVE-2024-33603): An information disclosure in the web application allows unauthenticated users to access an undocumented verbose system log page and obtain sensitive data, such as memory addresses and IP addresses for login attempts. This flaw could lead to session hijacking due to the device's reliance on IP addresses for authentication.

TALOS-2024-1986 (CVE-2024-33626): A web application information disclosure vulnerability can reveal sensitive information, such as the Wi-Fi WPS PIN, through a hidden page accessible by an HTTP request. Disclosure of this information could enable attackers to connect to the device's Wi-Fi network.

TALOS-2024-1996 (CVE-2024-23309): An authentication bypass vulnerability results from the web application’s reliance on client IP addresses for authentication. Attackers can spoof an IP address to gain unauthorized access without a session token.

TALOS-2024-1997 (CVE-2024-28052): A buffer overflow vulnerability can be caused by specially crafted HTTP POST requests with URIs containing 1,454 or more characters, not starting with “upn” or “upg”.

TALOS-2024-1998 (CVE-2024-33700): An improper input validation within the FTP functionality can enable attackers to cause denial of service through a series of malformed FTP commands.

TALOS-2024-2001 (CVE-2024-33623): A denial-of-service vulnerability, triggered by multiple types of specially crafted HTTP POST requests, will cause the router to crash.

NVIDIA shader out-of-bounds and eleven LevelOne router vulnerabilities

The issue of GitHub data protection is increasingly discussed among developers on platforms like Reddit, X, and HackerNews.…

The issue of GitHub data protection is increasingly discussed among developers on platforms like Reddit, X, and HackerNews. This year alone, GitHub has been in the news multiple times due to malware incidents, high-severity vulnerabilities, and data deletion events, all of which pose risks to users’ data.

How can developers secure their GitHub environments? While widely recommended practices include least-privilege access controls, routine testing, API authentication, frequent rotation of access tokens, and using SSH keys, backups deserve particular focus. Establishing a reliable GitHub backup system is essential for safeguarding data effectively.

****Why back up your GitHub account?** **

According to The State of DevOps Threats Report by GitProtect.io, the number of incidents that impacted GitHub users in 2023 grew by over 21%. And around 13.94% of events that took place had a major impact on the service. 

If you check Q1 and Q2 of 2024, you will see that there have already been 70+ incidents that influence GitHub users in various ways. Just to note, in 2023 there were 160+ different incidents, starting from major impact to maintenance. 

Why is it important to back up your GitHub environment? Anything can happen, and it’s always wise to prepare for worst-case scenarios. In such cases, having a backup can help by:

*   Protect GitHub repositories and metadata against outages and other unpredictable threats, as it allows the restoration of a copy to another location and ensures workflow and business continuity, 

*   Safeguard against human errors, like accidental deletion of files, 

*   Ensure data recoverability in case of a ransomware attack, as backup is the final line of protection, 

*   Fulfill the Shared Responsibility Model which defines the roles and responsibilities of GitHub and its users. Here it’s worth mentioning that GitHub data protection is the user’s duty. In GitHub Terms of Service, it’s written: “You are responsible for keeping your Account secure while you use our Service. We offer tools such as two-factor authentication to help you maintain your Account’s security, but the content of your Account and its security are up to you.” 

*   Meet security compliance and data retention requirements, as the majority of security protocols and compliance regulations require organizations to have longer retention times, backup, and Disaster Recovery guarantees. GDPR, HIPAA, PCI DSS, FedRAMP, ISO/IEC 27001, FINRA, HITECH, NIS 2 Directive, etc. – they all require organizations to have a backup. 

****Top 10 tips to make sure your GitHub backup plan is effective** **

Considering all the threats, an effective backup plan should help to foresee any disaster scenario and guarantee that all the GitHub account data won’t be lost. 

****Tip 1: Full data coverage** **

Efficient backup should include all the repositories, and metadata, such as issues, pull requests, issue comments, webhooks, wiki, labels, deployment keys, projects, pipelines, and Git LFS. It will help to ensure complete repo integrity and full data protection. 

****Tip 2: Backup automation** **

It’s important to have the possibility to automate backup processes by scheduling backup policies at the most appropriate time and frequency. For example, set up a backup plan that triggers a copy every 4 hours.  

****Tip 3: Various backup performance schemes** **

Not to overload your storage, you should have the option to define different rotation and performance schemes for every backup copy you set up. They may be full, incremental, or differential backup copies. 

****Tip 4: Multi-storage consistency** **

By having a few copies in different storage locations, you can eliminate any risk of a disaster and meet the 3-2-1 backup rule which requires to have at least 3 backup copies in 2 or more storage locations, with 1 offsite. 

Moreover, when it comes to storage destinations, you should be able to back up your repository and other related data to both local and cloud storage instances. 

****Tip 5: Backup replication** **

Having a few copies in various locations isn’t enough. You should make sure that you can enable replication between backup storage destinations. In this case, all the copies will be consistent and in the event of failure, you will be able to restore your data from any of the storage instances if one of them fails to run. 

****Tip 6:  Long-term retention** **

Retention is closely related to compliance and data recovery from any point in the past. By default, GitHub stores build logs for 90 days. However, it might be not enough for those organizations that operate in regulated industries or require much longer retention times. 

A backup solution should help solve this issue by allowing long-term or even unlimited retention. Thus, an organization will be able to recover its data from any point in time, for example, from 3 or 5 years prior. 

****Tip 7: Transparent management and monitoring** **

Not all team members should have the same access to backups. Hence, the backup software should allow you to set various roles and assign different responsibilities to your team members. For example, there may be those, who are either responsible for setting up GitHub backups, triggering recovery in case of a failure, only viewing backup performance, or system administrators who can operate without restrictions.  

What is more, you should always get notifications when your backup or restore was performed with details and statuses. There can be different ways of notifications – email, Slack, webhooks as well as a dedicated console with all data-driven information, tasks, SLA, and compliance reports. 

****Tip 8: In-flight and at-rest encryption** **

Your GitHub repo and metadata should be protected at every stage – in-flight, during the transmission, and at rest. Moreover, as an additional security measure, you should be able to set your personal encryption key. 

Also, your device should have no information about the encryption key, it should receive it only during the backup performance to keep up with the zero-encryption approach.  

****Tip 9: Ransomware protection** **

As backup is a final line of defence, it must be ransomware-proof. Immutable storage that helps keep data in a non-executable format, every-scenario-ready Disaster Recovery, encryption should be arranged and work as a clock to ensure your GitHub data protection and recoverability. Moreover, backup software should guarantee secure access authorization, for example, via SAML SSO protocols. 

****Tip 10: Restore and Disaster Recovery** **

Having a consistent GitHub backup should mean that you can restore your data in any event of failure – ransomware attack, service outage, infrastructure downtime, etc. The backup solution should allow you to restore your data fully or granularly – only selected metadata or repositories. 

Regarding the restore destinations, the solution should also foresee any event of failure. Thus, you should have the option to recover your GitHub data to the same or a new GitHub account, to your local machine, or cross-over recovery to another Git hosting platform, like GitLab, Bitbucket, or Azure DevOps. 

What’s more, during the recovery process, you shouldn’t overwrite the existing data but have the opportunity to restore it as a new file. 

****Is my GitHub backup effective?** **

To ensure that your backup processes are efficient, your backup should respond to the mentioned tips. 

However, how to build your backup strategy for your GitHub environment is the question you should answer taking into account your security and compliance requirements, the size of your GitHub ecosystem, the evaluation of data loss risks, and others. 

You can go with the “Download zip” files and folders option or backup scripts, however, they won’t ensure automation, proper protection against ransomware, and restore capabilities. In this case, all the responsibility over GitHub data protection is on your side. 

Alternatively, you can use a dedicated backup software, like GitProtect.io for GitHub, that will help you both share your duties over GitHub data protection and ensure your data is accessible and recoverable in any disaster scenario. With scheduled automated backup procedures, full data coverage, data residency of your choice, ransomware protection, and advanced disaster recovery measures, the backup provider brings peace of mind that every line of your source code is secured.

1.  **How To Safeguard Your Data With Cloud MRP System**
2.  **How to Hide Tables in SQL Server Management Studio**
3.  **How to Recover Deleted Emails from Exchange Server?**
4.  **Cloud Solutions Transform Software Quality Assurance**
5.  **How to Choose the Best Analytics Tools for Mobile Apps**
6.  **How To Craft The Perfect Data Loss Prevention Strategy**
7.  **How to Install Microsoft Exchange Updates with Reliability**
8.  **Insights on Google Cloud Backup, Disaster Recovery Service**

How To Create a Complete GitHub Backup

Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up.
"While the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ

Spyware / Mobile Security

Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up.

"While the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ significantly due to platform differences," ThreatFabric said in an analysis published this week.

LightSpy, first documented in 2020 as targeting users in Hong Kong, is a modular implant that employs a plugin-based architecture to augment its capabilities and allow it to capture a wide range of sensitive information from an infected device.

Attack chains distributing the malware leverage known security flaws in Apple iOS and macOS to trigger a WebKit exploit that drops a file with the extension ".PNG," but is actually a Mach-O binary responsible for retrieving next-stage payloads from a remote server by abusing a memory corruption flaw tracked as CVE-2020-3837.

This includes a component dubbed FrameworkLoader that, in turn, downloads LightSpy's Core module and its assorted plugins, which have gone up significantly from 12 to 28 in the latest version (7.9.0).

"After the Core starts up, it will perform an Internet connectivity check using Baidu.com domain, and then it will check the arguments that were passed from FrameworkLoader as the \[command-and-control\] data and working directory," the Dutch security company said.

"Using the working directory path /var/containers/Bundle/AppleAppLit/, the Core will create subfolders for logs, database, and exfiltrated data."

The plugins can capture a wide range of data, including Wi-Fi network information, screenshots, location, iCloud Keychain, sound recordings, photos, browser history, contacts, call history, and SMS messages, as well as gather information from apps like Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp.

Some of the newly added plugins also boast destructive features that can delete media files, SMS messages, Wi-Fi network configuration profiles, contacts, and browser history, and even freeze the device and prevent it from starting again. Furthermore, LightSpy plugins can generate fake push notifications containing a specific URL.

The exact distribution vehicle for the spyware is unclear, although it's believed to be orchestrated via watering hole attacks. The campaigns have not been attributed to a known threat actor or group to date.

However, there is some evidence that the operators are likely based in China owing to the fact that the location plugin "recalculates location coordinates according to a system used exclusively in China." It's worth noting that Chinese map service providers follow a coordinate system called GCJ-02.

"The LightSpy iOS case highlights the importance of keeping systems up to date," ThreatFabric said. "The threat actors behind LightSpy closely monitor publications from security researchers, reusing newly disclosed exploits to deliver payloads and escalate privileges on affected devices."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New LightSpy Spyware Version Targets iPhones with Increased Surveillance Tactics

Application security teams from Fortune 500 companies are already using Noma's life cycle platform, which offers organizations data and AI supply chain security, AI security posture management, and AI threat detection and response.

Source: BillionPhotos.com via Adobe Stock Photo

The rapid adoption of artificial intelligence (AI) and machine learning (ML) tools in enterprises has put the pressure on security teams to secure the data and AI life cycle. Organizations can be compromised via misconfigured data pipelines, insecure MLOps tools, and vulnerable and malicious open source models.

Noma emerged from stealth today with a platform to help organizations manage the risks around AI applications. The platform offers organizations with end-to-end AI discovery, security, protection, and compliance. Noma deploys across any cloud-based, software-as-a-service, or self-hosted environment, and does not require agents or code changes, the company said.

Noma protects against supply chain risks, such as vulnerable data pipelines, unscanned code in data science environments, misconfigured MLOps tools, and sensitive data used for model training. The platform also protects organizations vulnerable and malicious models, runtime prompt injection, and other threats.

The Noma platform is already in use by paying customers, including Fortune 500 companies.

As part of the launch, Noma announced $32 million in series A funding from Ballistic Ventures and "dozens of strategic angel investors." The company had a previously undisclosed seed round less than a year ago. Noma's co-founders, Niv Braun and Alon Tron, have experience leading security and data science teams, the company said.

Noma Launches With Plans to Secure Data, AI Life Cycle

Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. 
The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware.

Thursday, October 31, 2024 09:37

*   Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. 
*   The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware. 
*   This campaign abuses Google's Appspot\[.\]com domains, a short URL and Dropbox service, to deliver an information stealer onto the target's machine to avoid network security product detections. 
*   Talos also observed the threat actor using multiple techniques to evade antivirus detection and sandbox analysis, such as code obfuscation, shellcode encryption, hiding malicious code in resource data to expand the file size to over 700 MB, and embedding LummaC2 or Rhadamanthys information stealers into legitimate binaries. 

**Phishing email campaign targets Taiwan **

Talos observed an unknown threat actor conducting a malicious phishing campaign targeting victims in Taiwan since at least July 2024. The campaign specifically targets victims whose Facebook accounts are used for business or advertising purposes. 

The initial vector of the campaign is a phishing email containing a malware download link. The phishing email uses traditional Chinese in decoy templates and the fake PDF files, suggesting the target is likely traditional Chinese speakers. Some of the fake PDF filenames that we observed during our analysis are: 

*   IMAGE COPYRIGHTED.exe 
*   \[Redacted\] 的影片內容遭到侵犯版權.exe (translates to “\[Redacted\]'s video content has been copyright infringed.exe”) 
*   版權侵權信息- \[Redacted\] Media Co Ltd.exe (translates to “Copyright Infringement Information - \[Redacted\] Media Co Ltd.exe”) 
*   版權侵權信息- \[Redacted\] Media Group Inc.exe (translates to “Copyright Infringement Information - \[Redacted\] Media Group Inc.exe”) 
*   版權侵權信息- \[Redacted\] Technology Group.exe (translates to “Copyright Infringement Information - \[Redacted\] Technology Group.exe”) 
*   版權侵權信息- \[Redacted\] Co. Ltd.exe (translates to “Copyright Infringement Information - \[Redacted\] Co. Ltd.exe”) 
*   \[Redacted\] Online -宣布侵權.exe (translates to “\[Redacted\] Online - declare infringement.exe”) 

The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware. Another observation we found is that the fake PDF malware uses the names of well-known technology and media companies in Taiwan and Hong Kong. This provides strong evidence that the threat actor conducted thorough research before launching this campaign. 

Additionally, we observed two phishing emails masquerading as notices from a well-known industrial motor manufacturer and a famous online shopping store in Taiwan. The emails claim that the company’s legal representatives have issued a notice to a Facebook page administrator alleging copyright infringement due to the unauthorized use of their images and videos for product promotion. The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance. Last but not least, with these two emails, we can easily identify that the threat actor uses the same template with minor modifications, such as changing the company name, legal department information, address, and website.  

Phishing email impersonating a well-known industrial motor manufacturer. 

Phishing email impersonating a famous online shopping store. 

**Attribution **

Talos observed an unknown image printing EPS file within the encrypted archive, with the filename "Support." Based on the file name and file size, it is likely that all encrypted archives we found on VirusTotal, which we have not been able to decrypt, contain the same EPS files inside. Pivoting off the EPS file metadata and its preview image on a search engine, we found an identical image with the same file name on a Vietnamese-language website. However, there is no strong evidence that it was created by an author from that region.   

Support EPS file metadata. 

The support EPS file preview image in this campaign (left) and the image we found from the internet (right). 

**Actor infrastructure **

The threat actor is abusing Google's Appspot.com domains, a short URL and Dropbox service, to deliver an information stealer onto the target's machine. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. When the victim clicks on the download link, it initially connects to Appspot.com, then redirects to a short URL created by a third-party service, and finally redirects to Dropbox to download the malicious archive. The actor is using the third-party data storage service as a download server to deceive network defenders.  

Malware download link. 

We also discovered that the actor is using multiple command and control (C2) domains in the campaign. The DNS requests for the domains during our analysis period are shown in the graph, indicating the campaign is ongoing.  

C2 domain DNS requests. 

**Malware infection summary **

The infection chain begins with a phishing email containing a malicious download link. When the victim downloads the malicious RAR file, they will need a specific password to extract it, revealing a fake PDF executable malware and an image printing file. Once the malware is decrypted and the fake PDF executable is run, it will execute the embedded LummaC2 or Rhadamanthys information stealer, which then collects the victim’s credentials and data, sending them back to the C2 server. 

The malicious RAR file usually contains a fake PDF executable malware and an image printing file, but we observed a few malicious RAR files that contain an additional DLL file. However, without the correct password, we are not able to extract the malicious RAR file and analyze it. 

The RAR file contains a fake PDF and an image printing file.  

The RAR file contains a fake PDF, an image printing file, and additional DLL file. 

The fake PDF executable malware variant was delivered as a payload in this campaign. This malware will embed LummaC2 or Rhadamanthys information stealers into legitimate binary and the legitimate binary including iMazing Converter, foobar2000, Punto Switcher, PDF Visual Repair, LedStatusApp, and PrivacyEraser. Below shows one of the file details of the fake PDF executable. 

Fake PDF file detail information. 

**LummaC2 stealer and its loader **

LummaC2 Stealer is a type of malware designed to exfiltrate sensitive information from compromised systems. It can target system details, web browsers, cryptocurrency wallets, and browser extensions. Written in C, this malware is sold on underground forums. To avoid detection and analysis, it employs various obfuscation methods. The malware connects to a C2 server to receive instructions and transmit the stolen data. 

The loader for LummaC2 changes the execution flow of the binary malware, causing it to invoke an unknown library to execute the malicious code functions. This strategic modification complicates detection and analysis efforts. Once these malicious functions are invoked, the malware utilizes the CreateFileMappingA API to write the payload into a mapped memory block, effectively hiding it within the system's memory. After successfully mapping the payload, the malware then executes it. 

Call to an unknown library to execute the malicious code functions. 

When the malware begins executing the shellcode in memory, it first decrypts the second half of the program block, which contains part of the shellcode loader and the LummaC2 malware execution file. Once the decryption is complete, it will call the VirtualAllocate API to allocate a memory block, write the information stealer's execution file to that block, and then execute it.   

Jump code to shellcode block. 

 

 

Encrypted shellcode (left side) and decrypted shellcode (right side). 

We also collected all of the build IDs of the LummaC2 in this campaign and below are the screenshots of the LummaC2 stealer alert message box and its POST message. 

Alert message shown to the user when executing LummaC2. 

POST message with act=life and url path /api. 

Build ID: 

*   sTDsFx--Socks 
*   iAlMAC--ghost 

**Rhadamanthys stealer and its loader **

Rhadamanthys is a sophisticated information stealer that emerged in 2022 and is sold on underground forums. This comprehensive stealer malware is capable of gathering system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data from various other applications. It employs numerous anti-analysis techniques, complicating analysis efforts and hindering its execution in sandbox environments. 

We observed the Rhadamanthys loader in this campaign contains 10 sections in its binary structure. Despite the presence of multiple sections, the threat actor specifically targets the .rsrc section to insert the malicious code. This section is heavily obfuscated to conceal the malicious activities and make analyses more challenging. The choice of the .rsrc section is strategic, as it is typically associated with resource data like icons and menus, making it less likely to raise immediate suspicion.  

The loader of Rhadamanthys binary structure sections. 

After analysis, we discovered that the Rhadamanthys loader employs several sophisticated techniques to ensure its persistence and evasion. Initially, the loader copies itself and writes the file to “C:\\Users\\\[user\]\\Documents\\lumuiUpdater\\ffUpdaar.exe”. In order to avoid detection by antivirus programs and sandbox environments, it expands the file size to over 700 MB. This significant increase in file size is intended to bypass heuristic and signature-based detection mechanisms commonly used by security products, which may struggle to process such large files effectively. 

The loader copies itself to the lumuiUpdater folder. 

Furthermore, the loader is configured to start automatically by modifying the Windows Registry. It writes an entry to “HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” and key name value “sausageLoop”, a registry key that specifies programs to be launched during the system startup. This registry modification ensures that the malicious loader is executed every time the victim's computer restarts, thereby maintaining its persistence on the infected system. 

The loader is configured to start automatically. 

Finally, the loader executes the legitimate system process "%Systemroot%\\system32\\dialer.exe" and injects Rhadamanthys' payload into it. This process injection technique allows the malware to run its malicious code within the context of a legitimate system process, further evading detection. Additionally, it uses mutex objects to ensure that only one instance of the malware runs on the infected host. Below is the list of mutex names we observed in this campaign, which has also been disclosed in previous reporting by other. 

*   Global\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\1\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\2\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\3\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\4\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\5\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\6\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\7\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\8\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 

**Coverage **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64167-64169. 

**IOC **

IOCs for this research can also be found at our GitHub repository here.

Threat actors use copyright infringement phishing lure to deploy infostealers

Sophos went so far as to plant surveillance “implants” on its own devices to catch the hackers at work—and in doing so, revealed a glimpse into China's R&D pipeline of intrusion techniques.

For years, it's been an inconvenient truth within the cybersecurity industry that the network security devices sold to protect customers from spies and cybercriminals are, themselves, often the machines those intruders hack to gain access to their targets. Again and again, vulnerabilities in “perimeter” devices like firewalls and VPN appliances have become footholds for sophisticated hackers trying to break into the very systems those appliances were designed to safeguard.

Now one cybersecurity vendor is revealing how intensely—and for how long—it has battled with one group of hackers that have sought to exploit its products to their own advantage. For more than five years, the UK cybersecurity firm Sophos engaged in a cat-and-mouse game with one loosely connected team of adversaries who targeted its firewalls. The company went so far as to track down and monitor the specific devices on which the hackers were testing their intrusion techniques, surveil the hackers at work, and ultimately trace that focused, years-long exploitation effort to a single network of vulnerability researchers in Chengdu, China.

On Thursday, Sophos chronicled that half-decade-long war with those Chinese hackers in a report that details its escalating tit-for-tat. The company went as far as discreetly installing its own “implants” on the Chinese hackers' Sophos devices to monitor and preempt their attempts at exploiting its firewalls. Sophos researchers even eventually obtained from the hackers' test machines a specimen of “bootkit” malware designed to hide undetectably in the firewalls' low-level code used to boot up the devices, a trick that has never been seen in the wild.

In the process, Sophos analysts identified a series of hacking campaigns that had started with indiscriminate mass exploitation of its products but eventually became more stealthy and targeted, hitting nuclear energy suppliers and regulators, military targets including a military hospital, telecoms, government and intelligence agencies, and the airport of one national capital. While most of the targets—which Sophos declined to identify in greater detail—were in South and Southeast Asia, a smaller number were in Europe, the Middle East, and the United States.

Sophos' report ties those multiple hacking campaigns—with varying levels of confidence—to Chinese state-sponsored hacking groups including those known as APT41, APT31, and Volt Typhoon, the latter of which is a particularly aggressive team that has sought the ability to disrupt critical infrastructure in the US, including power grids. But the common thread throughout those efforts to hack Sophos' devices, the company says, is not one of those previously identified hackers groups but instead a broader network of researchers that appears to have developed hacking techniques and supplied them to the Chinese government. Sophos' analysts tie that exploit development to an academic institute and a contractor, both around Chengdu: Sichuan Silence Information Technology—a firm previously tied by Meta to Chinese state-run disinformation efforts—and the University of Electronic Science and Technology of China.

Sophos says it’s telling that story now not just to share a glimpse of China's pipeline of hacking research and development, but also to break the cybersecurity industry's awkward silence around the larger issue of vulnerabilities in security appliances serving as entry points for hackers. In just the past year, for instance, flaws in security products from other vendors including Ivanti, Fortinet, Cisco, and Palo Alto have all been exploited in mass hacking or targeted intrusion campaigns. “This is becoming a bit of an open secret. People understand this is happening, but unfortunately everyone is _zip,_” says Sophos chief information security officer Ross McKerchar, miming pulling a zipper across his lips. “We're taking a different approach, trying to be very transparent, to address this head-on and meet our adversary on the battlefield.”

**From One Hacked Display to Waves of Mass Intrusion**

As Sophos tells it, the company's long-running battle with the Chinese hackers began in 2018 with a breach of Sophos itself. The company discovered a malware infection on a computer running a display screen in the Ahmedabad office of its India-based subsidiary Cyberoam. The malware had gotten Sophos' attention due to its noisy scanning of the network. But when the company's analysts looked more closely, they found that the hackers behind it had already compromised other machines on the Cyberoam network with a more sophisticated rootkit they identified as CloudSnooper. In retrospect, the company believes that initial intrusion was designed to gain intelligence about Sophos products that would enable follow-on attacks on its customers.

Then in the spring of 2020, Sophos began to learn about a broad campaign of indiscriminate infections of tens of thousands of firewalls around the world in an apparent attempt to install a trojan called Asnarök and create what it calls “operational relay boxes” or ORBs—essentially a botnet of compromised machines the hackers could use as launching points for other operations. The campaign was surprisingly well resourced, exploiting multiple zero-day vulnerabilities the hackers appeared to have discovered in Sophos appliances. Only a bug in the malware's cleanup attempts on a small fraction of the affected machines allowed Sophos to analyze the intrusions and begin to study the hackers targeting its products.

Inside Sophos' 5-Year War With the Chinese Hackers Hijacking Its Devices

A successful CIA hack of Venezuela's military payroll system, insider fights for spy agency resources, and messy opposition politics: A WIRED investigation reveals a secret Trump-era attempt to oust autocratic ruler Nicolás Maduro.

The Untold Story of Trump's Failed Attempt to Overthrow Venezuela's President

The Russian-backed group is using a novel access vector to harvest victim data and compromise devices in a large-scale intelligence-gathering operation.

Source: Funtap via Shutterstock

"Midnight Blizzard," a threat group linked to Russia's foreign intelligence service, is stoking more concern than usual for both its sheer scope and its use of a new tactic for harvesting information and gaining control of victim systems.

Microsoft this week said its threat intelligence group observed Midnight Blizzard actors sending out thousands of spear-phishing emails to targeted individuals at more than 100 organizations worldwide since Oct. 22.

**Large-Scale Campaign**

Besides its wide scope, the campaign is noteworthy for Midnight Blizzard's use of a digitally signed Remote Desktop Protocol (RDP) configuration file in its spear-phishing emails. The RDP file connects to a server controlled by a threat actor; when the file is opened, it allows the attacker to harvest user credentials and detailed system information to aid further exploit activity.

"The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of zero trust," Microsoft said on its threat intelligence group blog this week. "Microsoft has observed this campaign targeting governmental agencies, higher education, defense, and non-governmental organizations in dozens of countries, but particularly in the UK, Europe, Australia, and Japan."

Midnight Blizzard — aka Cozy Bear, APT29, and UNC2452 — has been the proverbial thorn in the side of security organizations for some years now. The group's many victims include SolarWinds, Microsoft, HPE, multiple US federal government agencies, and diplomatic entities worldwide. Its well-documented tactics, techniques, and procedures (TTPs) include using spear phishing, stolen credentials, and supply chain attacks for initial access. Midnight Blizzard actors have also targeted vulnerabilities in widely used networking and collaboration technologies such as those from Fortinet, Pulse Secure, Citrix, and Zimbra to gain an initial toehold on a target network.

**Bidirectional Connection**

The RDP file in the Microsoft, AWS, and zero-trust themed emails in Midnight Blizzard's latest campaign allows the attacker to establish a quick, bidirectional connection with a compromised device. The threat actor is using it to harvest a range of information including user credentials, files, and directories on the victim system and connected network drives; information from connected smart cards and other peripherals; Web authentication credentials; and clipboard data. The RDF file is signed with a LetsEncrypt certificate to lend it an air of legitimacy. "This access could enable the threat actor to install malware on the target's local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access Trojans (RATs) to maintain access when the RDP session is closed," Microsoft cautioned.

Stephen Kowski, field CTO at SlashNext, says Midnight Blizzard's use of signed RDP files in its current campaign is significant. Signed RDP files can bypass traditional security controls since they appear to come from a legitimate source, he points out.

"This technique is particularly cunning because RDP files are commonly used in business environments, making them less likely to raise immediate suspicion, while the legitimate signature helps evade standard malware detection systems," he says. He advocates that organizations scan all email attachments in real time, with a particular focus on RDP files and other seemingly legitimate Microsoft-related content. "The use of legitimately signed files creates a significant blind spot for conventional security tools that rely heavily on signature-based detection or reputation scoring," Kowski advises.

**Mitigating the Threat**

Microsoft has released a list of indicators of compromise for the new Midnight Blizzard campaign, including email sender domains, RDP files, and RDP remote computer domains. It has recommended that security teams review their organizational email security settings and antivirus and anti-phishing measures; turn on Safe Links and Safe Attachments settings in Office 365; and enable measures for quarantining sent email if needed. Other recommendations include using firewalls to block RDP connections, implementing multifactor authentication, and strengthening endpoint security configurations.

Venky Raju, field CTO at ColorTokens, says the campaign is a reminder why organizations need to maintain a tight rein over the use of Microsoft's remote desktop. While it can be useful to share devices, folders, and clipboard content over an RDP session, it gives attackers a way into a user's device. "Signing the RDP configuration file may prevent email security systems from classifying the email as having a suspicious link or attachment. It may also reduce the warnings presented by the RDP client," he points out.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#mac