The new open source security-as-code platform will help developers and security teams automatically detect security policy violations across the organization's cloud infrastructure.

As more organizations migrate their data, applications, and workloads to the cloud, securing the infrastructure remains a challenge. Security teams don't always know exactly what is happening within each cloud environment, making it difficult to detect when security policies are being violated.

That's the problem Paladin Cloud aims to solve with its security-as-code platform.

Paladin Cloud’s platform is intended to help developers and DevOps teams safeguard their applications and data, both in testing and production. It accomplishes this goal by providing teams with full visibility into the organization's various cloud services and systems. The platform includes a plug-in-based architecture that helps developers connect to and ingest data from sources including code repositories, threat intelligence systems, container scanning, API gateways, and cloud-based enterprise systems such as Kubernetes.

Supported vendor systems include Qualys Vulnerability Assessment Platform, Bitbucket, Trend Micro Deep Security, Tripwire, Venafi Certificate Management, and Red Hat. Security teams can write rules based on data collected by these plugins to get a complete picture of the organization's cloud security posture.

"The platform discovers assets, evaluates policy, creates issues for policy violations, and prioritizes remediation," according to a page on Paladin Cloud's GitHub repository. If fixes for policy violations have already been defined, then the platform can go ahead and execute those actions to remediate the issues. This way, the platform provides automatic detection and remediation of violations, such as unauthorized access, misconfigured systems, and insecure APIs.

Organizations can also take advantage of the platform's extensible policy management to oversee hybrid clouds, where the data and applications are hosted on both public and private infrastructure.

Paladin Cloud lists various out-of-the-box features on its GitHub page, including continuous asset discovery, ability to search all discovered resources, custom policies and custom auto-fix actions, dynamic asset grouping to view compliance, exception management, OAuth2 support, and role-based access control.

The platform is now generally available for Amazon Web Services, Google Cloud, and Microsoft Azure. Along with announcing the platform's availability, the company announced a $3.3 million seed financing round.

Paladin Cloud Launches New Cloud Security and Governance Platform

"HavanaCrypt" is also using a command-and-control server that is hosted on a Microsoft Hosting Service IP address, researchers say.

Threat actors are increasingly using fake Microsoft and Google software updates to try to sneak malware on target systems.

The latest example is "HavanaCrypt," a new ransomware tool that researchers from Trend Micro recently discovered in the wild disguised as a Google Software Update application. The malware's command and-control (C2) server is hosted on a Microsoft Web hosting IP address, which is somewhat uncommon for ransomware, according to Trend Micro.

Also notable, according to the researchers, is HavanaCrypt's many techniques for checking if it is running in a virtual environment; the malware's use of code from open source key manager KeePass Password Safe during encryption; and its use of a .Net function called "QueueUserWorkItem" to speed up encryption. Trend Micro notes that the malware is likely a work-in-progress because it does not drop a ransom note on infected systems.

HavanaCrypt is among a growing number of ransomware tools and other malware that in recent months have been distributed in the form of fake updates for Windows 10, Microsoft Exchange, and Google Chrome. In May, security researchers spotted ransomware dubbed "Magniber" doing the rounds disguised as Windows 10 updates. Earlier this year, researchers at Malwarebytes observed the operators of the Magnitude Exploit Kit trying to fool users into downloading it by dressing the malware as a Microsoft Edge update.

As Malwarebytes noted at the time, fake Flash updates used to be a fixture of Web-based malware campaigns until Adobe finally retired the technology because of security concerns. Since then, attackers have been using fake versions of other frequently updated software products to try to trick users into downloading their malware — with browsers being one of the most frequently abused.

Creating fake software updates is trivial for attackers, so they tend to use them to distribute all classes of malware including ransomware, info stealers, and Trojans, says an analyst with Intel 471 who requested anonymity. "A non-technical user might be fooled by such techniques, but SOC analysts or incident responders will likely not be fooled," the analyst says.

Security experts have long noted the need for organizations to have multi-layered defenses in place to defend against ransomware and other threats. This includes having controls for endpoint detection and response, user and entity behavior-monitoring capabilities, network segmentation to minimize damage and limit lateral movement, encryption, and strong identity and access control -- including multi-factor authentication. 

Since adversaries often target end users, it is also critical for organizations to have strong practices in place for educating users about phishing risks and social engineering scams designed to get them to download malware or follow links to credential harvesting sites.

**How HavanaCrypt Works**

HavanaCrypt is .Net malware that uses an open-source tool called Obfuscar to obfuscate its code. Once deployed on a system, HavanaCrypt first checks to see if the "GoogleUpdate" registry is present on the system and only continues with its routine if the malware determines the registry is not present.

The malware then goes through a four-stage process to determine if the infected machine is in a virtualized environment. First it checks the system for services such as VMWare Tools and vmmouse that virtual machines typically use. Then it looks for files related to virtual applications, followed by a check for specific file names used in virtual environments. Finally, it compares the infected systems' MAC address with unique identifier prefixes typically used in virtual machine settings. If any of checks show the infected machine to be in a virtual environment, the malware terminates itself, Trend Micro said.

Once HavanaCrypt determines it's not running in a virtual environment, the malware fetches and executes a batch file from a C2 server hosted on a legitimate Microsoft Web hosting service. The batch file contains commands for configuring Windows Defender in such a manner that it allows detected threats. The malware also stops a long list of processes, many of which are related to database applications such as SQL and MySQL or to desktop applications such as Microsoft Office.

HavanaCrypt's next steps include deleting shadow copies on the infected systems, deleting functions for restoring data, and gathering system information such as the number of processors the system has, processor type, product number, and BIOS version. The malware uses the QueueUserWorkItem function and code from KeePass Password Safe as part of the encryption process.

"QueueUserWorkItem is a standard technique for creating thread pools," says the analyst from Intel 471. "The use of thread pools will speed up encryption of the files on the victim machine."

With KeePass, the ransomware author has copied code from the password manager tool and used this code in their ransomware project. "The copied code is used to generate pseudorandom encryption keys," the analyst notes. "If the encryption keys were generated in a predictable, repeatable way, then it might be possible for malware researchers to develop decryption tools."

The attacker's use of a Microsoft hosting service for the C2 server highlights the broader trend by attackers to hide malicious infrastructure in legitimate services to evade detection. "There is a great deal of badness hosted in cloud environments today, whether it's Amazon, Google, or Microsoft and many others," says John Bambenek, principal threat hunter at Netenrich. "The highly transient nature of the environments makes reputation systems useless."

Fake Google Software Updates Spread New Ransomware

The CODESYS OPC DA Server prior V3.5.18.20 stores PLC passwords as plain text in its configuration file so that it is visible to all authorized Microsoft Windows users of the system.

%PDF-1.7 %���� 1 0 obj <>/Metadata 374 0 R/ViewerPreferences 375 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 595.32 841.92\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��W�n�6�o�����Q�\_��@b'Y�� /C�j+��X��\[io�C9���2�Z�Цh��;�|�䰪gW٤F�a\]g�/�\]$�r�)�-��,��Y=+�$\]~����y6ͫ���(9M5�������(���Z�� e)�W�JF�BU����\*���u ������-������<������ۛ{o�:��ޣ1=a������c���&V"�,��AEװ�4u |�N����Oh���;�k^"����\`���u\]��mzR��7��XYK�ܠ,S��DX��\]M@U��O.�??�v+��J���H�����(�8����P+|Z��e$��bG�kt\`���l���5����ne�/�1��C 8� �4�U|���~/��c(IY� �~�v�h�KV\\#��oi�cC� R���|x@)��J�Y��{���\`�P��G&1?����.�\\C˔%.��ю�j� 3������ɥ���5�І|��������9i)i�s���|�/�Ydq ��.��O/S�<��?�\[�^���B����\`}�'��Ǉ\\�g�<�����q\]=n����~@�ڨP=�p.:G#%҄�<� b�l�j\[ϖ�of��\_�ço���{�QM8ߎ� t�}o�v�0�1!{�Aw�uH�&� pA�=�|�}uŕ#6���N�{F�>�^���rmj�볜@�V\\.^�A��p�+G4��Uf��\`=�H�)\[r�s�j�a�p�4�BT�\*q�-� eZ<�dYF��śu����r!(�9rG�����Й3�㣕�G�n��"��3 ��#9�����ƾ���H������y�=C,.��˶x�@7Q��%,H<�o�S����s� ,.�s?�Z�ICw7-�ݭ�i\_�+�w�=�����N��}��Α�uѱ��� �#�����i�)�&$�82mZno�\[ϖ���怒���n7�@+�TUܵPIT�̻��P�\[8���0���V$Ha@i���j��C1C$az �����W$.��Q:Eʷ��-τoj/K���/T�\_�rq+ endstream endobj 5 0 obj <> stream ����JFIF\`\`��JExifMM\*2:(\`\`��XICC\_PROFILEHLinomntrRGB XYZ � 1acspMSFTIEC sRGB���-HP cprtP3desc�lwtpt�bkptrXYZgXYZ,bXYZ@dmndTpdmdd��vuedL�view�$lumi�meas$tech0rTRC<gTRC<bTRC<textCopyright (c) 1998 Hewlett-Packard CompanydescsRGB IEC61966-2.1sRGB IEC61966-2.1XYZ �Q�XYZ XYZ o�8��XYZ b����XYZ $����descIEC http://www.iec.chIEC http://www.iec.chdesc.IEC 61966-2.1 Default RGB colour space - sRGB.IEC 61966-2.1 Default RGB colour space - sRGBdesc,Reference Viewing Condition in IEC61966-2.1,Reference Viewing Condition in IEC61966-2.1view��\_.���\\�XYZ L VPW�meas�sig CRT curv #(-27;@EJOTY^chmrw|������������������������� %+28>ELRY\`gnu|����������������&/8AKT\]gqz������������!-8COZfr~���������� -;HUcq~��������� +:IXgw��������'7HYj{�������+=Oat�������2FZn�������  % : O d y � � � � � �  ' = T j � � � � � �"9Qi������\*C\\u����� & @ Z t � � � � �.Id���� %A^z���� &Ca~����1Om����&Ed����#Cc����'Ij����4Vx���&Il����Ae����@e���� Ek���\*Qw���;c���\*R{���Gp���@j���>i���  A l � � �!!H!u!�!�!�"'"U"�"�"�# #8#f#�#�#�$$M$|$�$�% %8%h%�%�%�&'&W&�&�&�''I'z'�'�( (?(q(�(�))8)k)�)�\*\*5\*h\*�\*�++6+i+�+�,,9,n,�,�--A-v-�-�..L.�.�.�/$/Z/�/�/�050l0�0�11J1�1�1�2\*2c2�2�3 3F33�3�4+4e4�4�55M5�5�5�676r6�6�7$7\`7�7�88P8�8�99B99�9�:6:t:�:�;-;k;�;�<'

CVE-2022-1794

We waited three decades for macro blocking...and now it's going away again!
The post Microsoft appears to be rolling back Office Macro blocking appeared first on Malwarebytes Labs.

We’re seeing several reports indicating that Microsoft may have rolled back its decision to block Macros in Office. Currently no official statement exists—the reports rely on a post by a Microsoft employee in the replies of the original article where the plan to block macros was announced.

Earlier this year, Microsoft decided to disable macros downloaded from the Internet in five Office apps, by default. Users trying to open files downloaded from the Internet that contained macros would see a message, with a link to an article explaining the block.

> SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted

Malicious macros have been popular with criminals for more than three decades, and the step was welcomed by the security community. However, some users of Microsoft products have queried a surprising change. Dangerous files downloaded from the internet are _not_ being treated as expected in Office.

**The shifting sands of macro blocking**

Bizarrely, we’ve only experienced a few months of no macro worries as people discover the currently changing situation. A recent comment on the article describing the block mentioned that macro blocking has now been removed in Office Current Channel:

> Is it just me or have Microsoft rolled this change back on the Current Channel?
> 
> I was trying to reproduce the pinkish-red ‘Security Risk… Learn More’ notification in the Message Bar, in preparation for demonstrating the new default behaviour for a YouTube video I’m putting together about my company’s macro-enabled toolkit.
> 
> Created a simple .xlsm to show a MsgBox in the open event of the workbook, saved it and uploaded it to cloud storage, deleted it from my local storage, re-downloaded it from cloud storage (to a non-trusted location, my Downloads library)… did not use the Unblock checkbox on the Properties dialog to remove the mark of the web… then opened up the file.
> 
> It first went into Protected View (expected behaviour), but then after I clicked Enable Editing, instead of getting the pink/red message about macros being blocked altogether, I just got the old ‘Security warning…’ message with the ‘Enable Content’ button. The file’s VBA project wasn’t digitally signed, wasn’t saved to a Trusted Location, and still had the mark of the web on it… so macros should have been blocked.

A response came from someone called Angela Robertson, billed as “A Microsoft employee on the Microsoft Tech Community”:

> Based on feedback received, a rollback has started. An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available.

**Waiting for more information**

At the time of writing, we can’t say what this community feedback is or why it’s been so influential in triggering the apparent decision to disable macro blocking. The response in security circles is somewhat less than enthusiastic, and there’s no new information outside of waiting to see what’s contained in the promised “update”.

Indeed, all we have currently is a second Microsoft post which confirms the rollback:

> …based on feedback, we’re rolling back this change from Current Channel production. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel. Thank you.

We will update this article as soon as Microsoft clarifies what exactly is going on.

Microsoft appears to be rolling back Office Macro blocking

A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems.
"Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine," Fortinet FortiGuard Labs researcher Cara Lin said in a report this week.
Tracked as CVE-2022-30190, the

A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems.

"Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine," Fortinet FortiGuard Labs researcher Cara Lin said in a report this week.

Tracked as CVE-2022-30190, the now-patched Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability has come under heavy exploitation in recent weeks ever since it came to light in late May 2022.

The starting point for the latest attack chain observed by Fortinet is a weaponized Office document that, when opened, connects to a Discord CDN URL to retrieve an HTML file ("index.htm") that, in turn, invokes the diagnostic utility using a PowerShell command to download next-stage payloads from the same CDN attachment space.

This includes the Rozena implant ("Word.exe") and a batch file ("cd.bat") that's designed to terminate MSDT processes, establish the backdoor's persistence by means of Windows Registry modification, and download a harmless Word document as a decoy.

The malware's core function is to inject shellcode that launches a reverse shell to the attacker's host ("microsofto.duckdns\[.\]org"), ultimately allowing the attacker to take control of the system required to monitor and capture information, while also maintaining a backdoor to the compromised system.

The exploitation of the Follina flaw to distribute malware through malicious Word documents comes as social engineering attacks relying on Microsoft Excel, Windows shortcut (LNK), and ISO image files as droppers to deploy malware such as Emotet, QBot, IcedID, and Bumblebee to a victim's device.

The droppers are said to be distributed through emails that contain directly the dropper or a password-protected ZIP as an attachment, an HTML file that extracts the dropper when opened, or a link to download the dropper in the body of the email.

While attacks spotted in early April prominently featured Excel files with XLM macros, Microsoft's decision to block macros by default around the same time is said to have forced the threat actors to pivot to alternative methods like HTML smuggling as well as .LNK and .ISO files.

Last month, Cyble disclosed details of a malware tool called Quantum that's being sold on underground forums so as to equip cybercriminal actors with capabilities to build malicious .LNK and .ISO files.

It's worth noting that macros have been a tried-and-tested attack vector for adversaries looking to drop ransomware and other malware on Windows systems, whether it be through phishing emails or other means.

Microsoft has since temporarily paused its plans to disable Office macros in files downloaded from the internet, with the company telling The Hacker News that it's taking the time to make "additional changes to enhance usability."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploiting Follina Bug to Deploy Rozena Backdoor

Security experts criticize company for reversing course, albeit temporarily, on a decision it made just this February to block macros in files downloaded from the Internet.

_Updated 5:19 p.m. EDT to include Microsoft's clarification that the change is temporary._ 

Several security experts expressed disappointment this week at Microsoft's quiet reversal Wednesday of a decision it had announced in February to disable Office macros in files from the Internet. Likely in response, Microsoft on Friday clarified that the rollback is only temporary while the company makes some additional changes to enhance usability.

In a brief — and barely noticeable — update Wednesday to the February announcement, the company originally said it was taking the step because customers wanted it to do so. "Based on feedback, we're rolling back this change from Current Channel," Microsoft said. "We appreciate the feedback we've received so far, and we're working to make improvements in this experience."

On Friday, the company revised the wording to make clear the rollback was not permanent. "This is a temporary change, and we are fully committed to making the default change for all users," Microsoft noted. The update noted that organizations that wanted to could block Internet macros through the Group Policy setting.

Macros allow users to automate commonly repeated tasks in Microsoft applications such as Word, PowerPoint, and Excel. But they have also long been a favorite attack vector for threat looking to deploy ransomware and other malware on Windows systems via phishing emails and other means. As a glaring example: in January 2022, just before Microsoft announced its decision to block macros from running by default, some 31% of all threats that Netskope blocked involved weaponized Office files.

"Macros in Microsoft Office have been a mixed blessing since their inception," says Mike Parkin, senior technical engineer at Vulcan Cyber. "While they provide a lot of functionality that users like and have leveraged in myriad ways, they’ve also been a popular attack vector since they were introduced."

Microsoft's February announcement that they were doing something about macros as an attack vector was welcomed by people in cybersecurity. So, its change of heart now is a bit disappointing, Parkin says. "While Microsoft has not yet said why they are rolling back the change, it seems likely it’s because users have come to depend on the functionality and would rather keep it in spite of the risk."

A Microsoft spokesman pointed Dark Reading to the company's updated update on the rollback when asked for comment.  

**The Macro Threat**

Microsoft itself has noted the threat that macros pose. In fact, as recently as April, the company urged Windows administrators to ensure Office macros are disabled in the environment to protect against macro malware. The company pointed to several ransomware families that attackers had distributed on Windows systems by abusing macros. Because of this, many security experts reacted with enthusiasm when Microsoft announced that macros from the Internet would be blocked by default in Office starting April 2022.

Starting with Office version 2203, users would no longer be able to enable content macros in files from the Internet by clicking a button, Microsoft had said. Instead, when they attempt to open a download or attachment from the Internet, a message would alert users them about the presence of VBA macros in the file and direct them to learn more about the potential risks associated with the file.

The change prompted a noticeable drop in Office-based attacks. According to Netskope, the percentage of Office malware detected by the company's cloud security platform has declined steadily since February 2022 and hovered at less than 10% for the last five months — compared with 35% a year ago.

Microsoft's reversal this week is going to result in a resurgence of Office malware, says Ray Canzanese, director of Netskope Threat Labs. "We are disappointed with the decision," Canzanese says. "Malicious Office documents are a major infiltration vector for attackers, being used to spread backdoors, info stealers, and ransomware."

Microsoft's decision suggests the company decided to prioritize the usability concerns of a vocal minority of customers over the security benefits inherent in disabling macros by default for all Office users, he says. "Instead of having users who preferred the old behavior opt-out of the enhanced security measure, users and admins will now have to opt-in," Canzanese says. "With this reversal, we expect Office documents to regain their previous popularity among attackers."

Ian McShane, vice president of strategy at Arctic Wolf, says disabling Office macros by default was a huge step forward in securing a tried and tested attack path for adversaries. Re-enabling macros now means Office users are less secure today than they were a week ago. McShane says it would have been better for Microsoft to have continued blocking macros by default than leaving it up to organizations to do it. via group policy settings. The multiple steps and settings that are often involved in doing this can be confusing, he says. 

Instead, the better approach would have been to let those who need macros to enable it via group settings. "Opt-in security benefits no one and is dangerous," he says.

Microsoft Reverses Course on Blocking Office Macros by Default

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 1 and July 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for July 1 to July 8

Threat actor released decryption keys after abandoning malware to focus on cryptojacking

Adam Bannister 08 July 2022 at 15:40 UTC

Threat actor released decryption keys after abandoning malware to focus on cryptojacking

Malware protection specialist Emsisoft has released free decryption tools for the AstraLocker and Yashma ransomware variants.

The decryptors were recently uploaded to the VirusTotal malware analysis platform by the ransomware’s developer after they reportedly shut down their operation in order to pivot to cryptojacking.

The AstraLocker decryptor and Yashma decryptor join a host of other decryptors made available for free by Emsisoft, a New Zealand-based outfit.

**Using the decryptor**

“Be sure to quarantine the malware from your system first, or it may repeatedly lock

your system or encrypt files,” reads a guide (PDF) on how to use the AstraLocker tool.

For systems compromised via Windows Remote Desktop, users are advised to change passwords for all users permitted to login remotely and check local user accounts for additional accounts the attacker might have added.

Catch up with the latest ransomware news and attacks

By default, the AstraLocker decryptor pre-populates locations selected for decryption from network and connected drives, but users can add other locations before initiating the decryption process.

The decryptor also defaults to leaving encrypted files in place, although users can enable automatic deletion if disk space is an issue.

“Since the ransomware does not save any information about the unencrypted files, the decryptor can’t guarantee that the decrypted data is identical to the one that was previously encrypted,” the guide warns.

**BabyK offspring**

AstraLocker, which emerged in 2021, is seemingly built on Babuk (or BabyK), a variant deployed via a ransomware-as-a-service (RaaS) model, according to a ReversingLabs analysis of the latter’s leaked source code.

Files are encrypted using a modified HC-128 encryption algorithm and Curve25519 cryptographic function, and or extensions are appended to encrypted files.

Yashma – or ‘AstraLocker 2.0’ – harnesses AES-128 and RSA-2048 to encrypt files and appends encrypted files with the extension or a random four-character alphanumeric combination.

According to ReversingLabs, AstraLocker 2.0 is smuggled into networks via malicious Microsoft Office files.

This ‘smash and grab’ attack methodology is suggestive of a low-skill threat actor, argued Joseph Edwards, senior malware researcher at ReversingLabs.

“This underscores the risk posed to organizations following code leaks like that affecting Babuk, as a large population of low-skill, high-motivation actors leverage the leaked code for use in their own attacks.”

RELATED Ransomware market evolution results in fewer variants, but rise in off-the-shelf cybercrime kits continues

AstraLocker ransomware decryptors released by Emsisoft

Latest campaigns are a break from its usual financially motivated attacks and appear aligned with Russian interests, security researchers say.

In a break from precedent, Russia's hitherto purely financially motivated Trickbot threat group has systematically been attacking targets in Ukraine over the past three months, apparently in support of Russian government interests in the region.

Researchers from IBM's X-Force threat intelligence group this week said they had uncovered two campaigns — and analyzed four others that Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed — where Trickbot went after targets in Ukraine. The campaigns began after Russia’s invasion of Ukraine in February and have targeted Ukrainian state authorities, government organizations, specific individuals, and the general population. Several of the attacks have involved phishing emails with various themes designed to grab the attention of Ukrainian users — included some that are war-related.

The attacks highlight an unprecedented shift for Trickbot, and it's notable because threat groups in former Soviet Union states have typically avoided attacking targets in each other’s countries, IBM said.

Prior to the Russian invasion, ITG23, which is the name by which IBM tracks Trickbot, had not been known to target Ukraine. "Much of the group's malware was even configured to not execute on systems if the Ukrainian language was detected," IBM said in a report summarizing its findings this week. "ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection."

**Multiple Malware Tools**

IBM said it has observed Trickbot distributing several known malware tools such as IcedID, Cobalt Strike, AnchorMail, and Meterpreter in its attacks on Ukrainian targets. Some of the attacks involved the use of new tools such as a malicious Excel downloader, a self-extracting archive for dropping various malware payloads and a new malware encryption and obfuscation tool.

One of the two Trickbot campaigns that IBM uncovered was in early May. In those attacks, IBM observed the threat actor using a weaponized Excel file to download its AnchorMail backdoor on compromised systems. AnchorMail is a revamped version of Trickbot’s AnchorDNS, a backdoor that members of the closely affiliated Conti group have been using to deploy Conti ransomware. IBM X-Force researchers have previously described the malware as notable for communicating with its command-and-control (C2) server using the DNS protocol.

The second recent Trickbot campaign that IBM X-Force researchers spotted occurred likely in late May or early June. In that campaign, Trickbot actors used an ISO image file — or archive file containing the contents of an optical disk — as part of an attack chain to drop the Cobalt Strike post-exploit attack kit on target system. In June, Trickbot users were observed exploiting the so-called “Follina” zero-day bug in the Windows Microsoft Support Diagnostic Tool (MSDT) to deploy Cobalt Strike.

The campaigns that CERT-UA disclosed, and which IBM X-Force researchers analyzed, involved Trickbot attempts to deploy IcedID, a banking Trojan turned malware distributor; Metasploit attack payload, Meterpreter; and Cobalt Strike. In five of the six observed campaigns, Trickbot actors directly downloaded Cobalt Strike, AnchorMail, or Meterpreter on target systems — another break from their usual habit of deploying these tools as secondary payloads. IBM said the switch suggests "these attacks are part of targeted campaigns during which ITG23 is willing to immediately deploy higher-value backdoors."

IBM described the new malicious Excel downloader that Trickbot is using in the Ukrainian attacks as designed to download malware from a hard-coded URL. The downloader is stored as a macro within the Excel file and runs automatically if the file is opened — provided the user has macros enabled. The new dropper for AnchorMail that IBM observed is in the form of a WinRAR Self Extracting Archive. The dropper is rigged to extract and execute a script for building and configuring AnchorMail on infected systems.

Trickbot is a highly successful threat group that has been around since at least 2016. The group initially used its eponymously named malware to steal credentials to banking accounts. Over the years, the group evolved into a sort of initial access broker and a distributor for several ransomware and malware tools, most notably Conti and Ryuk and Emotet. Trickbot is used variously for stealing data, enabling cryptomining, enumerating systems, and other malicious activities.

Court documents in connection with the arrest of a key member of the group last year showed that nearly 20 cybercriminals — including several malware experts — collaborated in building the malware. A massive 2020 international law enforcement operation to take the threat actor down temporarily disrupted its activities but failed to stop them.

In Switch, Trickbot Group Now Attacking Ukrainian Targets

Acronyms serve as a gatekeeper — if you don't sling the lingo, you don't belong. So here's a quick guide to the letter salad of cloud cybersecurity.

**Question: There are so many cloud security acronyms nobody seems to be spelling out. What do they mean?**

**Answer:** Acronyms are confusing jargon that can often serve as a gatekeeper — if you don't sling the lingo, the thinking goes, you don't belong. But if you're reading this, you _do_ belong in cybersecurity, which has to become more welcoming if we ever hope to close the talent gap. So here's a quick guide to some of the acronyms you may come across when talking about cloud security.

**CDR – Cloud detection and response.** These tools continuously aggregate, normalize, and analyze data provided by SaaS (software-as-a-service) and cloud services about accounts, privileges, configurations, and activity to power insights, situational knowledge, and threat alerts. It provides single-pane visibility into cloud environments while maintaining user context.

**CIEM – Cloud infrastructure entitlement management.** Such tools address the issue of excessive permissions and entitlements to cloud resources. They detect over-permissioned accounts and roles and unused permissions and accounts. Note that this is distinct from SIEM (security information and event management), which analyzes alerts in real time, and CIAM (customer identity and access management), which aims to give users secure access to resources.

**CNAPP – Cloud-native application protection platform.** CNAPP addresses the inevitable increased number of moving parts and interlocking systems in cloud-native applications. Using a modular approach, existing CI/CD (continuous integration and continuous delivery) pipelines and runtime platforms can be extended and updated as better methods are discovered. Leveraging a CNAPP gives you in-depth, multilayered, agent-based, and agentless coverage across all aspects of your environment — everything from proactive validation of workloads to auditing policies on the public cloud platform you're running on. Providing more than just convergence of CIEM, CWPP, and CSPM (read on for more about the latter two), CNAPP allows CISOs (chief information security officers) to see the value that cloud security suites deliver, as opposed to a series of disjoint point solutions needing painstaking integration.

**CSPM – Cloud security posture management.** This refers to a set of controls that detect when your deployed accounts and resources deviate from best practices. CSPM tools embed a variety of standards that allow you to continuously evaluate all cloud accounts and workloads and quickly identify areas of drift and misconfiguration.

**CWPP – Cloud workload protection platform.** These protect workloads and focus on securing the entire application life cycle, providing cloud-based security solutions that protect instances on AWS, Google Cloud Platform, Microsoft Azure, and other cloud vendors' platforms. CWPP focuses on specific application use cases, such as runtime detection, system hardening, vulnerability management, network security, compliance, and incident response.

**SSPM – SaaS security posture management.** Such tools monitor security risks in SaaS applications. SSPM looks for and surfaces misconfigurations, compliance risks, unnecessary or defunct user accounts, excessive user permissions, and other cloud security issues so that security personnel can resolve them.

Tag

#microsoft