In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section.

**A rich history of open source contribution**

Stamus Networks has a long history of developing and supporting open source technologies. The company was founded by Éric Leblond and Peter Manev, two open source icons.

Éric and Peter are on the board of directors and executive team for the OISF (the governing body for Suricata), respectively. And they are active developers on the Suricata project, the widely-deployed open source intrusion detection and network security monitoring engine. The OISF is a non-profit organization created to build community and to support open source security technologies like Suricata.

In addition to our extensive contributions to Suricata itself, our team at Stamus Labs have six active projects underway.

*   Since 2014, we have developed and maintained SELKS, the popular turnkey Suricata-based open source intrusion detection system (IDS), Network Security Monitor (NSM) and threat hunting system.
*   In 2020, we introduced the Stamus App for Splunk which is a free and open source Splunk app for investigating and hunting in the IDS alert data and the protocol transaction logs generated by Suricata sensors. This Splunk app also provides complete access to data from Stamus Security Platform.
*   Also in 2020, we introduced GopherCAP, an innovative PCAP manipulation application that provides accurate playback of extra large PCAP files directly from tar archives.
*   In January 2022, we introduced the Suricata Language Server, a tool that adds syntax checking, performance guidance, and auto-completion to popular text editors for Suricata signature developers. 
*   In November 2022, we published the "Security Analyst's Guide to Suricata" - the world's first practical guide for unlocking the full potential of Suricata. Written for security operations center (SOC) analysts and threat hunters who use Suricata to gain insights into what is taking place on their networks, the book provides vital information on entry points and in-depth analysis on the most important Suricata features.
*   Also, in November 2022, we introduced the free Suricata ruleset specifically focused on detecting lateral movement in Microsoft Windows environments
*   In 2023, we introduced the Jupyter Playbooks for Suricata

**NOTE: All open-source contributions from Stamus Networks are free: you may redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation, version 3.0-or-later of the License. Review the terms of the license here:**

https://www.stamus-networks.com/en-us/landing/gplv3-license

CVE-2023-35853: Stamus Labs | Stamus Networks

Plus: The arrest of an alleged Lockbit ransomware hacker, the wild tale of a problematic FBI informant, and one of North Korea’s biggest crypto heists.

Prison surveillance is now much more than skin deep. A jail in Atlanta, Georgia, has begun rolling out a new tracking system that monitors everything from inmates’ locations to their literal heartbeats, according to documents WIRED obtained through a public records request. Made by Talitrix, the system uses hundreds of sensors installed around a jail that link to a Fitbit-like wristband worn by inmates. Georgia prison officials say the surveillance tech will improve safety inside and help mitigate the impacts of staffing shortages. Privacy experts say it’s the latest erosion of inmates’ rights.

If privacy is virtually nonexistent in jail, it may not be much better before you’re even convicted of a crime. Just ask a family in Indiana’s Monroe County, who are being monitored by probation officers through an app called Covenant Eyes. The app records everything a person does on their device, taking screenshots at least once per minute as well as monitoring network requests, all of which are sent to an “ally.” (The allies, in this case, are two probation officers.) The father, who has been charged with possession of child sexual abuse material, is in jail awaiting trial after the app alerted officers that someone had attempted to visit Pornhub, which would have been a violation of his bond. But thanks to shortcomings in the app, the whole thing may have been a mistake.

Beyond potentially unconstitutional surveillance, there are many other ways government data collection can hurt your privacy. Millions of people in India may have had their data exposed thanks to an alleged breach of CoWIN, India’s vaccination-tracking app. The Indian health ministry says reports of a breach are “without any basis,” and independent security researchers say the breach may not be as widespread as some believed. The government is now investigating.

In the US, a newly declassified report commissioned by the Office of the Director of National Intelligence reveals that spy agencies have been compiling a “large” trove of data about virtually every American simply by purchasing the information from commercial sources, like data brokers. Privacy advocates say the practice is a potential end run around constitutional protections.

Earlier this month, a former intelligence officer publicly claimed the US government has an “intact” craft made by a “non-human” entity, among other extraterrestrial allegations. The claims have caught the attention US Congress members, several of whom are planning investigations. Given the openness some lawmakers have to conspiratorial thinking, this issue may finally fly out of the shadows.

A more pressing concern for the US government may come from right here on Earth. Encryption chips made by a subsidiary of a company on the US Commerce Department’s so-called Entity List are being used by a slew of government bodies, including the US Navy, NATO, and NASA. The company, Hualan, landed on the Entity List thanks to its close ties to China’s military. But this “red flag” hasn’t stopped these agencies and others from purchasing the encryption chips from Initio, a Hualan subsidiary, raising concerns over a potential backdoor. Initio says it doesn’t have the ability to implement a backdoor in its chips, and several agencies told WIRED that they take the necessary precautions to ensure the security of the tech they use. Given how difficult it is to find a backdoor in these chips, however, these assurances may do little to assuage experts’ fears.

Finally, the Russia-based ransomware gang Clop went on a hacking spree that hit US government agencies and international companies including Shell and British Airways. Clop hackers carried out their cybercriminal campaign by exploiting a vulnerability in the file-transfer service MOVEit. The flaw has since been patched, but the full extent of the stolen data and list of targets remains unclear.

But that's not all. Each week, we round up the biggest security and privacy stories we weren't able to cover in depth ourselves. Click on the headlines to read the full stories, and stay safe out there.

As Russia has carried out its unprecedented cyberwar in Ukraine over nearly a decade, its GRU military intelligence hackers have taken center stage. The notorious GRU hacker groups Sandworm and APT28 have triggered blackouts, launched countless destructive cyberattacks, released the NotPetya malware, and even attempted to spoof results in Ukraine’s 2014 presidential election. Now, according to Microsoft, there’s a new addition to that hyper-aggressive agency’s cyberwar-focused bench.

Microsoft this week named a new group of GRU hackers that it’s calling Cadet Blizzard, and has been tracking since just before Russia’s full-scale invasion of Ukraine in February 2022. Redmond’s cybersecurity analysts now blame Cadet Blizzard for the destructive malware known as WhisperGate, which hit an array of government agencies, nonprofits, IT organizations, and emergency services in Ukraine in January 2022, just a month before Russia’s invasion began. Microsoft also attributes to Cadet Blizzard a series of web defacements and a hack-and-leak operation known as Free Civilian that dumped the data of several Ukrainian hacking victim organizations online while loosely impersonating hacktivists, another of the GRU’s trademarks.

Microsoft assesses that Cadet Blizzard appears to have the help of at least one private sector Russian firm in its hacking campaign but that it’s neither as prolific nor as sophisticated as previously known GRU groups plaguing Ukraine. But as Russia has switched up the tempo of its cyberwar, focusing on quantity rather than quality of attacks, Cadet Blizzard may play a key role in that brutal cadence of chaos.

You might think that in 2023, Russian hackers would have learned not to travel to countries with US extradition treaties—not to mention a US state. But one allegedly prolific ransomware extortionist associated with the notorious Lockbit group was arrested this week in Arizona, the Department of Justice announced. Ruslan Magomedovich Astamirov, a 20-year-old man living in Russia’s Chechen Republic, carried out at least five ransomware attacks against victims in Florida, Tokyo, Virginia, France, and Kenya, according to prosecutors. And in one case, he allegedly pocketed 80 of the bitcoin ransom personally. Astamirov’s arrest represents a relatively rare instance of US officials laying hands on a ransomware hacker, most of whom typically stay on Russian soil and evade arrest. It’s not yet clear why Astamirov made the mistake of traveling, but here’s hoping it’s a trend. Lots of other US-extradition countries are lovely this time of year.

File this one under “complicated headlines”: According to a search warrant unearthed by _Forbes_, the FBI used information stolen by a hacker from a dark-web assassination market to investigate a person going by the pseudonym Bonfire—whom the FBI believes is a Louisiana hairdresser named Julie Coda—to commission the murder of her niece’s father. In fact, Bonfire was being scammed by a fake murder-for-hire service, as is almost always the case with such dark-web deals. And to compound her problems, her alleged attempted murder-for-hire was revealed to the FBI by a hacker working as an informant to the US Department of Homeland Security. To further complicate this dark, strange story, that hacker appears to have been a foreign national flipped by the DHS and convicted of possessing child sexual abuse materials.

Last week it came to light that Estonia-based cryptocurrency wallet service Atomic Wallet had been breached by hackers apparently based in North Korea who stole tens of millions of dollars. Crypto analysts at Elliptic have now uncovered the larger picture of that heist and found that the hackers’ haul was in fact in the nine figures, making it one of North Korea’s biggest crypto heists in recent years. According to Elliptic, a large tranche of the funds have flowed to the Russian exchange Garantex, which was sanctioned by the US Treasury Department last year but continues to operate.

A Newly Named Group of GRU Hackers is Wreaking Havoc in Ukraine

By Waqas
According to researchers, these fake accounts on GitHub and Twitter are spreading malware that infects both Windows- and Linux-based systems.
This is a post from HackRead.com Read the original post: Warning: Fake GitHub Repos Delivering Malware as PoCs

Around half a dozen fake accounts were discovered on GitHub, and several were found on Twitter. All of them used headshots of renowned security researchers and hosted zero-day exploits.

Supply chain attacks could be highly destructive if the target is as high-profile and widely used as GitHub. Cybersecurity researchers at VulnCheck have discovered a supply chain attack targeting GitHub and Twitter.

According to their report, multiple accounts on GitHub and Twitter claim to distribute PoC (proof-of-concept) exploits for zero-day exploits in popular software. However, these are fake accounts, and the PoCs deliver malware.

****Campaign Discovery****

VulnCheck discovered this campaign in May 2023 when it checked a GitHub repository hosting code that the author claimed was a zero-day for the Signal app. The next day, they discovered another account offering a WhatsApp zero-day.

Researchers kept finding bogus accounts throughout May 2023, all offering zero-day exploits for apps such as Google Chrome, Signal, Microsoft Exchange Server, and Discord. Later in May, researchers came across similar accounts on Twitter.

Around half a dozen fake accounts were discovered on GitHub, and several were found on Twitter. All of them used headshots of renowned security researchers and hosted zero-day exploits.

****Beware of Fake Accounts on GitHub, Twitter****

According to VulnCheck, unidentified threat actors have created a network of fake accounts on GitHub and Twitter that appear to be associated with cybersecurity researchers. To generate credibility for these accounts, the threat actors have used profile pictures of actual security researchers.

Researchers have noted that these fake repositories are promoted as part of a non-existent firm called High Sierra Cyber Security. Each account features a headshot, Twitter handle, associated organization, followers, a link to the company’s website, and a hidden, malicious repository.

Greg and 6 other fake profiles on GitHub (Left) – Fake account on Twitter (Right) – VulnCheck

****Malicious Objectives Behind Fake Accounts****

These fake accounts distribute a Python script through which a malicious binary is downloaded and executed on the device. It is worth noting that the malware can work on both Windows and Linux-based systems. GitHub accounts have been suspended, but Twitter accounts remain online.

****What are the Dangers?****

Researchers believe that this supply chain attack is very elaborate and can have serious consequences. The SolarWinds attack is one of the most devastating supply chain attacks, affecting many public and private sector agencies and causing extensive damage. A malware-infected software was responsible for this attack.

Considering that GitHub is the world’s largest open-source code repository, the consequences of this particular supply chain attack could be even more drastic. Injecting malicious code into a repository or compromising it can impact various software used by countless endpoints. Attackers can deploy malware to steal sensitive data, perform identity theft, or launch ransomware attacks and wire frauds.

Researchers are unclear whether this is an experiment or a campaign. Nevertheless, it is essential to be cautious when accessing untrusted sources for executing code. Check the full list of fake accounts here.

**RELATED ARTICLES**

1.  Portion of Twitter’s proprietary source code leaked on GitHub
2.  Commit metadata spoofed to create false GitHub repositories
3.  SolarWinds Hackers Use Post-Exploitation Backdoor ‘MagicWeb’

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Warning: Fake GitHub Repos Delivering Malware as PoCs

Microsoft Publisher Remote Code Execution Vulnerability

CVE-2023-28295

CVE-2023-28287

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 9 and June 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for June 9 to June 16

The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot.

Friday, June 16, 2023 14:06

*   Cisco Talos is monitoring recent reports of exploitation attempts against CVE-2023-34362, a SQL injection zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution that has been actively targeted since late May 2023.
*   Successful exploitation could lead to remote code execution (RCE), allowing unauthenticated adversaries to execute arbitrary code to support malicious activity, such as disabling anti-virus solutions (AV) or deploying malware payloads.
*   The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot, to exfiltrate victims’ data and extort payments, and Microsoft has attributed these attacks to the same group, according to public reporting.
*   Two more vulnerabilities have since been found in MOVEit Transfer solutions, CVE-2023-35036 and CVE-2023-35708, although at this time, they are reportedly not being actively exploited.

**CVE-2023-34362 details and ongoing exploitation**

On May 31, the Progress Software Corporation released a security advisory warning customers of a vulnerability in internet-facing and on-premises instances of their MOVEit Transfer solution, which could lead to escalated privileges and potential unauthorized access to an environment. The vulnerability, CVE-2023-34362, has been actively exploited since May 27, but the threat actors may have begun experimenting to compromise it as early as 2021.

As of late May, there were approximately 2,500 exposed MOVEit instances primarily located in the U.S., according to public reporting, highlighting its prevalence in enterprise environments.

**Vulnerability details**

The MOVEit Transfer vulnerability, CVE-2023-34362, covers multiple flaws that an attacker can chain together to achieve RCE with elevated privileges. The first part of the exploit chain uses SQL injection to obtain a sysadmin API token. That token can then be used to call a deserialization function that does not properly validate input, allowing for remote code execution.

A second vulnerability, CVE-2023-35036, was assigned and Progress Software released patches and an advisory addressing this issue. Patches for CVE-2023-35036 are meant to mitigate multiple parts of the successful exploit chain initially discovered to have been used during the exploitation of the first vulnerability, CVE-2023-34362.

On June 15, 2023, another vulnerability was identified, CVE-2023-35708. Progress Software is in the process of releasing installable patches for this issue although DLL drop-ins.

**Ongoing exploitation**

The Clop ransomware group released a public statement on their Tor data leak site on June 5, claiming responsibility for the attacks and threatening to publish victims’ data if the extortion demand is not paid. The group provided a deadline of June 14 for victims to initiate contact or else their company name would be posted on the data leak site as a warning. At this time, no data has been published but they have begun publicly naming and shaming affected companies.

  
In this activity, the Clop ransomware group exploited CVE-2023-34362 to install a previously unknown web shell now dubbed “LemurLoot”.

Written in C#, LemurLoot is designed to exfiltrate data and execute on systems running MOVEit Transfer. The web shell is deployed with a hardcoded, 36-character GUID-formatted value used to authenticate incoming connection requests from the threat actor. The authentication code value must be present in the “X-siLock-Comment” header field without which an HTTP 404 error code will be returned to the operator. If the value is correct, the web shell confirms it can accept taskings and connects to an attacker-controlled SQL server.

LemurLoot uses the header field “X-siLock-Step1’ to receive the commands from the operator. There are two well-defined commands: -1 and -2. The fields “X-siLock-Step2’ and  “X-siLock-Step3” are used to hold parameters to be used when no command has been defined.

**_Command “-1”:_** _LemurLoot retrieves Azure system settings from MOVEit Transfer and performs SQL queries to retrieve files._

**_Command “-2”:_** _LemureLoot deletes a user account with the LoginName and RealName set to "Health Check Service"._

For any other values of “X-siLock-Step1,” the web shell will open a file specified by the folder and file name in “X-siLock-Step2”, and “X-siLock-Step3” respectively and retrieve it for the operator.

If no values of “X-siLock-Step2” and “X-siLock-Step3” are specified, then the web shell creates the “Health Check Service” admin user and creates an active session.

**Recommendations  
**

Progress Software Corporation offers several mitigations for safeguarding against potential exploitation of this vulnerability and best practices for network security:

*   Please refer to the advisories for CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 to apply corresponding patches.
*   Modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
*   Delete unauthorized files and user accounts and reset service account credentials.
*   Continuously monitor networks for early detection in the event of a compromise.
*   Update network firewall rules to only allow connections to the MOVEit Transfer infrastructure from known trusted IP addresses.
*   Update remote access policies to only allow inbound connections from known and trusted IP addresses, and use certificate-based access control.
*   Enable multi-factor authentication. Multi-factor authentication (MFA) protects MOVEit Transfer accounts from unverified users when a user's account password is lost, stolen, or compromised.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Cisco Talos is releasing the following Snort SIDs to protect against this threat:

*   61876 - 61879
*   61936
*   300582, 300583

The following ClamAV signatures have been released to detect malware artifacts related to this threat:

*   Win.Ransomware.Clop-6881304-0
*   Win.Ransomware.Clop-6887770-0

**IOCs  
****Webshell (LemurLoot)**

702421bcee1785d93271d311f0203da34cc936317e299575b06503945a6ea1e0  
9d1723777de67bc7e11678db800d2a32de3bcd6c40a629cd165e3f7bbace8ead  
9e89d9f045664996067a05610ea2b0ad4f7f502f73d84321fb07861348fdc24a  
d49cf23d83b2743c573ba383bf6f3c28da41ac5f745cde41ef8cd1344528c195  
b1c299a9fe6076f370178de7b808f36135df16c4e438ef6453a39565ff2ec272  
6015fed13c5510bbb89b0a5302c8b95a5b811982ff6de9930725c4630ec4011d  
48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a  
2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5  
e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e

Active exploitation of the MOVEit Transfer vulnerability — CVE-2023-34362 — by Clop ransomware group

Threat groups created a fake security company, "High Sierra," with faux exploits and fake profiles for security researchers on GitHub and elsewhere, aiming to get targets to install their malware.

During the month of May, an unknown threat group created a malicious GitHub repository that claimed to contain a zero-day exploit for a vulnerability in the Signal messaging app. The attackers supported the credibility of the exploit by creating a fake security company — High Sierra Cyber Security — linked to a number of made-up profiles of security researchers.

That's according to research conducted by threat intelligence firm VulnCheck, which found that the level of effort that the attacker put into create a social presence around the fake security company and the fake exploits is on a whole other level compared to what researchers have seen in the past.

"They put in a decent amount of effort into building personas, if you will, for each of these characters — these actors that who would advertise the GitHub repositories with the actual malware," VulnCheck security researcher William Vu tells Dark Reading. "So they put a lot of time and effort into building, really, a fake security company, and that, to me, is kind of new."

Targeting security researchers is rare, but has a long history. In 2021, for example, Google's Threat Analysis Group (TAG) warned that North Korea-backed hackers had created a faux research blog and multiple fake Twitter profiles. Researchers would then be asked to collaborate on vulnerability research, and those who agreed would be sent a Visual Studio project file that would run custom malware to infect the target's system, according to Google TAG's analysis. Three months later, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about the campaign.

A similar attack — also by North Korea — targeted security researchers by using LinkedIn accounts and acting as recruiters, according to research released in March by Mandiant.

The latest attack also uses social engineering to target the supply chain, says Mike Parkin, a senior technical engineer at Vulcan Cyber, a provider of enterprise cyber-risk remediation services.

"One of the core defenses against malicious packages is for developers to actually vet the package before they download and use it, and part of that vetting process is determining if the package was created by a trustworthy source, whether commercial or otherwise," he says. "If threat actors can do a good job of faking that, they have a better chance of getting a victim to download their package and then not give it as close of an inspection as they should."

**GitHub, WhatsApp, What's Next?**

VulnCheck contacted GitHub about the project hosting the fake exploit, and the page was taken down. A day later, however, the same group created a similar page advertising a WhatsApp zero-day exploit, VulnCheck's researchers stated in the advisory. That pattern continued, and each time the company notified GitHub of a new page, it was removed but a new project page would appear. Pages offering a purported Microsoft Exchange remote code execution (RCE) bug, a Discord zero-day RCE, and others continued the cat-and-mouse game, the company stated.

In each case, instead of an exploit, a Python file in the repository would — if run by the target — download an operating-system-specific binary. While most antivirus programs detected the Windows malware that the Python script loaded, only three of the 62 Linux host-based scanners detected that binary, VulnCheck stated.

The threat actor used a variety of social media profiles to push out links to the pages. While the technique has been used as a way to convince software developers to download vulnerable or malicious components as a way of infecting the supply chain, this attack seems more likely to gain access to security professionals' own research, Vu says.

"Security researchers and testers usually have their own research, and if I were going after security researchers this way, I would be looking to obtain their cache of real zero-day exploits, and any kind of corporate IP that they might have access to," he says.

**Not the Sharpest Tool in the Toolbox**

While companies should always educate their developers about the risks that come with online code and how to best vet projects and unknown developers to determine if they are legitimate, researchers need to learn to be wary too, says Erich Kron, security awareness advocate at KnowBe4.

"Running code that others have written, especially when available in free and open websites such as GitHub, always carries some risk," he said. "In this case, researchers looking at the code may even assume that the malicious parts are simply a piece of these zero days being disclosed, when in fact it's designed to infect their own systems."

For most security researchers, a little due diligence will go a long way. A little research would likely discover that the company behind the "security research" has no track record, and that the researchers have no history in the industry, says Vulcan Cyber's Parkin.

"If a package just appeared out of nowhere, and the developers all seem to be new on the scene? Red flags," he says. "The sad thing is that this will have some negative impact on newly active researchers who may not have any history yet, but it's also easy to tell the difference between someone who doesn't have a history because they're just getting started and someone who has no history because they don't exist."

Attackers Create Synthetic Security Researchers to Steal IP

Categories: News
Tags: GitHub

Tags:  malware

Tags:  repository

Tags:  security researcher

Tags:  fake

Tags:  download

Tags:  scam

Tags:  twitter

Tags:  social

We take a look at reports of fake security researchers offering up malware downloads via GitHub repositories.



(Read more...)




The post Fake security researchers push malware files on GitHub appeared first on Malwarebytes Labs.

Researchers from VulnCheck have observed a campaign using real security researchers as bait for malware. The campaign goes to some lengths to appear genuine, using fake profiles, downloads, websites, and bogus GitHub profiles, to paint a convincing picture of security professionals offering up exploit code for popular programs.

The campaign included a network of fictitious Twitter accounts posing as employees of a firm called “High Sierra Cyber Security”. The Record notes that several photographs of real security researchers working at well known firms were misused in the campaign.

The tale begins in May of this year, with the discovery of a malicious GitHub repository claiming to be for a zero-day attack for the Signal messaging app. This bogus offering was taken down, but the group behind the page were determined to stick around.

New downloads were offered, but this time in the guise of the previously mentioned security entities. Every High Sierra Cyber Security account claiming to offer exploits for well known products was actually offering up malicious repositories harbouring malware. The supposedly exploitable products included Chrome, Discord, and Exchange. All popular programs, and guaranteed to grab the attention of anyone interested in the security space.

The people behind this leaned heavily into social media to make it all look real, promoting their “finds” on networks such as Twitter. This was a risky gambit for the creators of this malware scam. While it added legitimacy to the overall gameplan, it ran the risk of someone realising that one of the security researchers actually worked somewhere else. This is indeed exactly what happened, and more researchers were identified from the stolen images as the days went by.

The GitHub pages also leaned into social aspects, making use of popular tags like “discordapp”, “cve”, and “rce-exploits” to draw more potential victims in to look at the rogue pages. They must have known that using tags like that would guarantee actual security researchers taking a look and saying “Wait a minute…”

While the GitHub pages are all now offline, the fake Twitter accounts are still live. VulnCheck notes that if you’ve interacted with any of the GitHub pages and Twitter accounts listed on its advisory, you may have been compromised if you downloaded and executed the files.

The GitHub accounts and repositories discovered by VulnCheck are as follows:

**GitHub Accounts**

*   github.com/AKuzmanHSCS
*   github.com/RShahHSCS
*   github.com/BAdithyaHSCS
*   github.com/DLandonHSCS
*   github.com/MHadzicHSCS
*   github.com/GSandersonHSCS
*   github.com/SSankkarHSCS

**Malicious Repositories**

*   github.com/AKuzmanHSCS/Microsoft-Exchange-RCE
*   github.com/MHadzicHSCS/Chrome-0-day
*   github.com/GSandersonHSCS/discord-0-day-fix
*   github.com/BAdithyaHSCS/Exchange-0-Day
*   github.com/RShahHSCS/Discord-0-Day-Exploit
*   github.com/DLandonHSCS/Discord-RCE
*   github.com/SSankkarHSCS/Chromium-0-Day

If any of the above look familiar, and if you recognise any of the usernames from their matching Twitter accounts, it may well be time to run some security scans on your PC. It’s not unusual for security researchers themselves to be targeted by scams and attacks. If nothing else it’s a major win for malware authors and people up to no good, the bigger the target’s name the better.

However, it’s not quite as common to see security researchers themselves used as a way to infect others online. This is a valuable reminder to always check code you download before executing it. If in doubt, ask someone more familiar with whatever it is you’re trying to do. As a general rule, “download this cool exploit for popular program X” tends to not work out very well for the person or organisation downloading it.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Fake security researchers push malware files on GitHub

The threat actor known as ChamelGang has been observed using a previously undocumented implant to backdoor Linux systems, marking a new expansion of the threat actor's capabilities.
The malware, dubbed ChamelDoH by Stairwell, is a C++-based tool for communicating via DNS-over-HTTPS (DoH) tunneling.
ChamelGang was first outed by Russian cybersecurity firm Positive Technologies in September 2021,

Endpoint Security / Network Security

The threat actor known as **ChamelGang** has been observed using a previously undocumented implant to backdoor Linux systems, marking a new expansion of the threat actor's capabilities.

The malware, dubbed ChamelDoH by Stairwell, is a C++-based tool for communicating via DNS-over-HTTPS (DoH) tunneling.

ChamelGang was first outed by Russian cybersecurity firm Positive Technologies in September 2021, detailing its attacks on fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan.

Attack chains mounted by the actor have leveraged vulnerabilities in Microsoft Exchange servers and Red Hat JBoss Enterprise Application to gain initial access and carry out data theft attacks using a passive backdoor called DoorMe.

"This is a native IIS module that is registered as a filter through which HTTP requests and responses are processed," Positive Technologies said at the time. "Its principle of operation is unusual: the backdoor processes only those requests in which the correct cookie parameter is set."

The Linux backdoor discovered by Stairwell, for its part, is designed to capture system information and is capable of remote access operations such as file upload, download, deletion, and shell command execution.

What makes ChamelDoH unique is its novel communication method of using DoH, which is used to perform Domain Name System (DNS) resolution via the HTTPS protocol, to send DNS TXT requests to a rogue nameserver.

"Due to these DoH providers being commonly utilized DNS servers \[i.e., Cloudflare and Google\] for legitimate traffic, they cannot easily be blocked enterprise-wide," Stairwell researcher Daniel Mayer said.

The use of DoH for command-and-control (C2) also offers additional benefits for the threat actor in that the requests cannot be intercepted by means of an adversary-in-the-middle (AitM) attack owing to the use of the HTTPS protocol.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

This also means that security solutions cannot identify and prohibit malicious DoH requests and sever the communications, thereby turning it to an encrypted channel between a compromised host and the C2 server.

"The result of this tactic is akin to C2 via domain fronting, where traffic is sent to a legitimate service hosted on a CDN, but redirected to a C2 server via the request's Host header – both detection and prevention are difficult," Mayer explained.

The California-based cybersecurity firm said it detected a total of 10 ChamelDoH samples on VirusTotal, one of which was uploaded back on December 14, 2022.

The latest findings show that the "group has also devoted considerable time and effort to researching and developing an equally robust toolset for Linux intrusions," Mayer said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft