Attacks by a previously unknown threat actor leveraged two bugs in firewall devices to install custom backdoors on several government networks globally.

Source: Znakki via Shutterstock

A state-sponsored threat actor has exploited two Cisco zero-day vulnerabilities in firewall devices to target the perimeter of government networks with two custom-built backdoors, in a global cyber-espionage campaign.

Dubbed "ArcaneDoor," the campaign by the previously unknown actor — which researchers from Cisco Talos track as UAT4356 — has targeted Cisco Adaptive Security Appliance (ASA) firewall devices of several Cisco customers since at least December 2023, Cisco Talos researchers revealed in a blog post.

While the actor's initial access vector remains unknown, once it occurs, UAT4356 used a "sophisticated attack chain" involving exploit of the two vulnerabilities — a denial-of-service flaw tracked as CVE-2024-20353 and a persistent local execution flaw tracked as CVE-2024-20359 that have since been patched — to implant malware and execute commands across a small set of Cisco customers. Cisco Talos also flagged a third flaw in ASA, CVE-2024-20358, that was not used in the ArcaneDoor campaign.

The researchers also found evidence that the actor has interest in and potentially will attack devices from Microsoft and other vendors, making it crucial that organizations ensure that all perimeter devices "are properly patched, logging to a central, secure location, and configured to have strong multifactor authentication (MFA)," Cisco Talos wrote in the post.

**Custom Backdoor Malware for Global Governments**

The first sign of suspicious activity in the campaign came in early 2024 when a customer reached out to Cisco's Product Security Incident Response Team (PSIRT) and Cisco Talos about security concerns with its ASA firewall devices.

A subsequent several-months-long investigation conducted by Cisco and intelligence partners uncovered threat actor-controlled infrastructure dating back to early November 2023. Most of the attacks — all of which targeted government networks globally —occurred between December and early January. There is also evidence that the actor — which Microsoft also is now tracking as STORM-1849 — was testing and developing its capability as early as last July.

The primary payloads of the campaign are two custom backdoors— "Line Dancer" and "Line Runner" — which were used together by UAT4356 to conduct malicious activities on the network, such as configuration and modification; reconnaissance; network traffic capture/exfiltration; and potentially lateral movement.  

Line Dancer is a memory-resident shellcode interpreter that enables adversaries to upload and execute arbitrary shellcode payloads. In the campaign, Cisco Talos observed the malware being used to execute various commands on an ASA device, including: disabling the syslog; running and exfiltrating the command show configuration; creating and exfiltrating packet captures; and executing commands present in the shellcode, among other activities.

Line Runner meanwhile is a persistence mechanism deployed on the ASA device using functionality related to a legacy capability that allowed for the pre-loading of VPN clients and plugins on the device during booting that can be exploited as CVE-2024-20359, according to Cisco Talos. In at least one case, the threat actor also abused CVE-2024-20353 to facilitate this process.

"The attackers were able to leverage this vulnerability to cause the target ASA device to reboot, triggering the unzipping and installing" of Line Runner, according to the researchers.

**Protect the Perimeter From Cyberattackers**

Perimeter devices, which sit at the edge between an organization's internal network and the Internet, "are the perfect intrusion point for espionage-focused campaigns," providing threat actors a way to gain a foothold to "directly pivot into an organization, reroute or modify traffic, and monitor network communications into the secure network, according to Cisco Talos.

Zero-days on these devices are an especially attractive attack surface on these devices, notes Andrew Costis, chapter lead of the Adversary Research Team at MITRE ATT&CK testing firm AttackIQ.

"We've seen time and time again critical zero and n-day vulnerabilities being exploited with all of the mainstream security appliances and software," he says, noting previous attacks on bugs in devices from Ivanti, Palo Alto Networks, and others.

The threat to these devices highlights the need for organizations to "routinely and promptly" patch them using up-to-date hardware and software versions and configurations, as well as maintain close security monitoring of them, according to Cisco Talos.

Organizations also should focus on post-compromise TTPs of threat actors and test known adversary behaviors as part of "a layered approach" to defensive network operations, Costis says.

**Detecting ArcaneDoor Cyberattack Activity**

Indicators of compromise (IoCs) that customers can look for if they suspect they may have been targeted by ArcaneDoor include any flows to/from ASA devices to any of the IP addresses present in the IOC list included in the blog.

Organizations also can issue the command "show memory region | include lina" to identify another IOC. "If the output indicates more than one executable memory region … especially if one of these memory sections is exactly 0x1000 bytes, then this is a sign of potential tampering," Cisco Talos wrote.  

And, Cisco provided two sets of steps that network administrators can take to identify and remove the ArcaneDoor persistence backdoor Line Runner on an ASA device once the patch is applied. The first is to conduct a review of the contents of disk0; if a new file (e.g., "client\_bundle\_install.zip" or any other unusual .zip file) appears on the disk, it means that Line Runner had been present but is no longer active due to the update.

Administrators also can follow a series of commands provided that will create an innocuous file with a .zip extension that will be read by the ASA at reboot. If it appears on disk0, it means that Line Runner likely was present on the device in question. Administrators can then delete the "client\_bundle\_install.zip" file to remove the backdoor.

If administrators find a newly created .zip file on their ASA devices, they should copy that file off the device and email \[email protected\] using a reference to CVE-2024-20359 and including the outputs of the "dir disk0:" and "show version" commands from the device, as well as the .zip file that they extracted.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cisco Zero-Days Anchor 'ArcaneDoor' Cyber-Espionage Campaign

Ubuntu Security Notice 6743-3 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6743-3April 24, 2024linux-azure-6.5 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure-6.5: Linux kernel for Microsoft Azure cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - JFS file system;   - BPF subsystem;   - Netfilter;(CVE-2023-52600, CVE-2024-26589, CVE-2024-26591, CVE-2024-26581,CVE-2023-52603)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-6.5.0-1019-azure    6.5.0-1019.20~22.04.1   linux-image-6.5.0-1019-azure-fde  6.5.0-1019.20~22.04.1   linux-image-azure               6.5.0.1019.20~22.04.1   linux-image-azure-fde           6.5.0.1019.20~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6743-3   https://ubuntu.com/security/notices/USN-6743-1   CVE-2023-52600, CVE-2023-52603, CVE-2024-26581, CVE-2024-26589,   CVE-2024-26591Package Information:   https://launchpad.net/ubuntu/+source/linux-azure-6.5/6.5.0-1019.20~22.04.1

Ubuntu Security Notice USN-6743-3

Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information.

Thursday, April 25, 2024 08:00

Business email compromise (BEC) was the top threat observed by Cisco Talos Incident Response (Talos IR) in the first quarter of 2024, accounting for nearly half of engagements, which is more than double what was observed in the previous quarter.  

The most observed means of gaining initial access was the use of compromised credentials on valid accounts, which accounted for 29 percent of engagements. The high number of BEC attacks likely played a significant role in valid accounts being the top attack vector this quarter. Weaknesses involving multi-factor authentication (MFA) were observed within nearly half of engagements this quarter, with the top observed weakness being users accepting unauthorized push notifications, occurring within 25 percent of engagements.  

There was a slight decrease in ransomware this quarter, accounting for 17 percent of engagements. Talos IR responded to new variants of Phobos and Akira ransomware for the first time this quarter. 

Manufacturing was the most targeted vertical this quarter, closely followed by education, a continuation from Q4 2024 where manufacturing and education were also two of the most targeted verticals. There was a 20 percent increase in manufacturing engagements from the previous quarter. 

The manufacturing sector faces unique challenges due to its inherently low tolerance for operational downtime. This quarter, Talos IR observed a wide range of threat activity targeting manufacturing organizations including financially motivated attacks, such as BEC and ransomware, and some brute force activity targeting virtual private network (VPN) infrastructure. The use of compromised credentials on valid accounts was the top observed attack vector within attacks targeting the manufacturing sector this quarter, which represents a change from the previous quarter when the top attack vector observed in these types of engagements was exploiting vulnerabilities in public-facing applications.   

**Watch discussion on the report's biggest trends**

**Surge in BEC **

Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information. BEC attacks can have many motivations, often financially driven, aimed at tricking organizations into transferring funds or sensitive information to malicious actors.  

BEC offers adversaries the advantage of impersonating trusted contacts to facilitate internal spearphishing attacks that can bypass traditional external defenses and increase the likelihood of deception, widespread malware infections and data theft. 

In one engagement, adversaries performed a password-spraying attack and MFA exhaustion attacks against several employee accounts. There was a lack of proper MFA implementation across all the impacted accounts, leading to the adversaries gaining access to at least two accounts using single-factor authentication. The organization detected and disrupted the attack before adversaries could further their access or perform additional post-compromise activities.    

In another cluster of activity, several employees received spear-phishing emails that contained links that, when clicked, led to a redirection chain of web pages ultimately landing on a legitimate single sign-on (SSO) prompt that was pre-populated with each victim’s email address. The attack was unsuccessful because none of the employees interacted with the email, which was likely due to multiple red flags. For example, the email was unexpected and sent from an external email address, and there was small text within the email that referred to the email as a fax, which was all indicators of a phishing attempt. 

**Ransomware trends **

Ransomware accounted for 17 percent of engagements this quarter, an 11 percent decrease from the previous quarter. Talos IR observed new variants of Akira and Phobos ransomware for the first time this quarter. 

**Akira **

Talos IR responded to an Akira ransomware attack for the first time this quarter in an engagement where affiliates deployed the latest ESXi version, “Akira\_v2,” as well as a Windows-based variant of Akira named “Megazord.” These new Akira variants are written in the Rust programming language, which is a notable change from the previously used C++ and Crypto++ programming languages.  

Talos IR could not determine how initial access was gained, which is common because ransomware attacks often involve multi-stage attack strategies that add additional complexity during the investigation process. Once inside the network, the adversaries began collecting credentials from the memory of the Local Security Authority Subsystem Service (LSASS) and the New Technology Directory Services Directory Information Tree (NTDS.dit) database, where Active Directory data is stored, and leveraged Remote Desktop Protocol (RDP) for lateral movement. Prior to encryption, Megazord ransomware began executing several commands to disable tools and impair defenses, including “net stop” and “taskkill.” Akira\_v2 appended the file extension “.akiranew” during encryption, while Megazord ransomware appended the file extension “.powerranges”.   

First discovered in early 2023, Akira operates as a ransomware-as-a-service (RaaS) model and employs a double extortion scheme that involves exfiltrating data before encryption. Akira affiliates are known to heavily target small- to medium-sized businesses within several verticals primarily located within the U.S. but have targeted organizations within the U.K., Canada, Iceland, Australia and South Korea. Akira affiliates are notorious for leveraging compromised credentials and exploiting vulnerabilities as a means of gaining initial access, such as the SQL injection vulnerability, tracked as CVE-2021-27876, affecting certain versions of Zoho ManageEngine ADSelfService Plus, and the vulnerability, tracked as CVE-2023-27532, affecting certain versions of Veeam’s Backup & Replication (VBS) software.    

**Phobos **

Talos IR has previously observed variants of Phobos ransomware, such as “Faust,” but this quarter, Talos IR responded to an engagement with the “BackMyData” variant of Phobos ransomware. The adversaries leveraged Mimikatz to dump credentials from Active Directory. The adversary also installed several tools in the NirSoft product suite designed to recover passwords, such as PasswordFox and ChromePass, for additional credential enumeration. 

The adversaries used PsExec to access the domain controller before setting a registry key to permit remote desktop connections. Shortly after, the adversaries also modified the firewall to allow remote desktop connections using the Windows scripting utility, netsh. The remote access tool AnyDesk was downloaded to enable remote access as a means of persistence in the environment. Talos IR assessed with high confidence that Windows Secure Copy (WinSCP) and Secure Shell (SSH) were likely used to exfiltrate staged data. Adversaries also relied on PsExec to execute commands, such as deleting volume shadow copies, as a precursor to deploying the ransomware executable. After encryption, the ransomware appended the file extension “.fastbackdata”.   

A notable finding was the persistent use of the “Users/\[username\]/Music” directory as a staging area for data exfiltration to host malicious scripts, tools and malware, a common technique used by numerous ransomware affiliates to evade detection and remain persistent in the environment. Talos IR also identified a digitally signed executable, “HRSword,” developed by Beijing Huorong Network Technology. It is a tool the affiliate used during the attack for potential secure file deletion and as a defensive measure to disable endpoint protection tools, which Phobos affiliates were previously using, according to public reporting.   

Phobos ransomware first emerged in late 2018 and shared many similarities with the Crysis and Dharma ransomware families. Unlike other ransomware families, there are many variants of Phobos ransomware, such as Eking, Eight, Elbie, Devos and Faust. There is little information known about the business model leveraged by the Phobos ransomware operation. In November 2023, Cisco Talos analyzed over a thousand samples of Phobos ransomware to learn more about the affiliate structure and activity, which revealed that Phobos may operate a RaaS model due to the hundreds of contact emails and IDs associated with Phobos campaigns, indicating the malware has a dispersed affiliate base. Talos assessed with moderate confidence that the Phobos ransomware operation is actively managed by a central authority, as there is only one private key capable of decryption in all observed campaigns. 

**Other observed threats  **

Talos IR responded to an attack where adversaries were attempting to brute force several Cisco Adaptive Security Appliances (ASAs). Although the adversaries were unsuccessful in their attack, this activity is in line with the recently observed trend affecting VPN services. 

Cisco Talos has recently seen an increase in malicious activity targeting VPN services, web application authentication interfaces, and Secure Shell (SSH) globally. Since at least March 18, Cisco has observed scanning and brute force activity sourcing from The Onion Router (TOR) exit nodes and other anonymous tunnels and proxies. 

Depending on the target environment, a successful attack could result in unauthorized access to a target network, possibly leading to account lockouts and denial-of-service (DoS) conditions. The brute force attempts include a combination of generic usernames and valid usernames unique to specific organizations. The activity seems indiscriminate and has been observed across multiple industry verticals and geographic regions. 

**Initial vectors **

The most observed means of gaining initial access was the use of compromised credentials on valid accounts, accounting for 29 percent of engagements, a continuation of a trend from the previous quarter when valid accounts were also a top attack vector. 

**Security weaknesses **

For the first time, users accepting unauthorized MFA push notifications was the top observed security weakness, accounting for 25 percent of engagements this quarter. The lack of proper MFA implementation closely followed, accounting for 21 percent of engagements, a 44 percent decrease from the previous quarter. 

Users must have a clear understanding of the appropriate business response protocols when their devices are overwhelmed with an excessive volume of push notifications. Talos IR recommends organizations educate their employees about the specific channels and points of contact for reporting these incidents. Prompt and accurate reporting enables security teams to quickly identify the nature of the issue and implement the necessary measures to address the situation effectively. Organizations should also consider implementing number-matching in MFA applications to provide an additional layer of security to prevent users from accepting malicious MFA push notifications. 

Talos IR recommends implementing MFA on all critical services including all remote access and identity access management (IAM) services. MFA will be the most effective method for the prevention of remote-based compromises. It also prevents lateral movement by requiring all administrative users to provide a second form of authentication. Organizations can set up alerting for single-factor authentication to quickly identify potential gaps. 

**Top observed MITRE ATT&CK techniques **

The table below represents the MITRE ATT&CK techniques observed in this quarter’s IR engagements and includes relevant examples and the number of times seen. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic based on the way they were leveraged. Please note, this is not an exhaustive list. 

Key findings from the MITRE ATT&CK framework include:  

*   Remote access software, such as SplashTop and AnyDesk, were used in 17 percent of engagements this quarter, a 20 percent decrease from the previous quarter.  
*   The use of email hiding rules was the top observed defense evasion technique, accounting for 21 percent of engagements this quarter.   
*   Scheduled tasks were leveraged by adversaries the most this quarter for persistence, accounting for 17 percent of engagements this quarter, a 33 percent increase from the previous quarter.  
*   The abuse of remote services, such as RDP, SSH, SMB and WinRM, more than doubled this quarter compared to the previous quarter, accounting for nearly 60 percent of engagements. 

Reconnaissance 

Example 

T1589.001 Gather Victim Identity Information: Credentials 

Adversaries may gather credentials that can be used during their attack.  

T1598.003 Phishing for Information: Spearphishing Link 

Adversaries may send a spearphishing email with a link to a credential harvesting page to collect credentials for their attack. 

Resource Development 

Example 

T1586.002 Compromise Accounts: Email Accounts 

Adversaries may compromise email accounts that can be used during their attack for malicious activities, such as internal spearphishing. 

T1583.001 Acquire Infrastructure: Domains 

Adversaries may acquire domains that can be used for malicious activities, such as hosting malware. 

T1608.001 Stage Capabilities: Upload Malware 

Adversaries may upload malware to compromised domains to make it accessible during their attack.  

T1583.008 Acquire Infrastructure: Malvertising 

Adversaries may purchase online advertisements, such as Google ads, that can be used distribute malware to victims. 

T1608.004 Stage Capabilities: Drive-by Target 

Adversaries may prepare a website for drive-by compromise by inserting malicious JavaScript.  

Initial Access 

Example 

T1078 Valid Accounts 

Adversaries may use compromised credentials to access valid accounts during their attack. 

T1566 Phishing 

Adversaries may send phishing messages to gain access to target systems. 

T1189 Drive-by Compromise 

Victims may infect their systems with malware over browsing, providing an adversary with access.  

T1190 Exploit in Public-Facing Application 

Adversaries may exploit a vulnerability to gain access to a target system. 

T1566.002 Phishing: Spearphishing Link 

Adversaries may send phishing emails with malicious links to lure victims into installing malware.  

Execution 

Example 

T1059.001 Command and Scripting Interpreter: PowerShell 

Adversaries may abuse PowerShell to execute commands or scripts throughout their attack. 

T1059.003 Command and Scripting Interpreter: Windows Command Shell 

Adversaries may abuse Windows Command Shell to execute commands or scripts throughout their attack. 

T1569.002 System Services: Service Execution 

Adversaries may abuse Windows service control manager to execute commands or payloads during their attack. 

Persistence 

Example 

T1053.005 Scheduled Task / Job: Scheduled Task 

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for recurring execution of malware or malicious commands. 

T1574.002 Hijack Execution: DLL Side-Loading 

Adversaries may execute their own malicious code by side-loading DLL files into legitimate programs.  

Privilege Escalation 

Example 

T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 

Adversaries may bypass UAC mechanisms to elevate their permissions on a system. 

Defense Evasion 

Example 

T1564.008 Hide Artifacts: Email Hiding Rules 

Adversaries may create inbox rules to forward certain incoming emails to a folder to hide them from the inbox owner. 

T1070.004 Indicator Removal: File Deletion 

Adversaries may delete files to cover their tracks during the attack.  

T1218.011 System Signed Binary Proxy Execution: Rundll32 

Adversaries may abuse the Windows utility rundll32.exe to execute malware.  

T1112 Modify Registry 

Adversaries may modify the registry to maintain persistence on a target system.  

T1562.010 Impair Defenses: Downgrade Attack 

Adversaries may downgrade a program, such as PowerShell, to a version that is vulnerable to exploits. 

Credential Access 

Example 

T1621 Multi-Factor Authentication Request Generation 

Adversaries may generate MFA push notifications causing an MFA exhaustion attack. 

T1003.005 OS Credential Dumping: NTDS 

Adversaries may dump the contents of the NTDS.dit file to access credentials that can be used for lateral movement. 

T1003.001 OS Credential Dumping: LSASS 

Adversaries may dump the contents of LSASS to access credentials that can be used for lateral movement 

T1003.002 OS Credential Dumping: Service Account Manager 

Adversaries may dump the contents of the service account manager to access credentials that can be used for lateral movement. 

T1110.002 Brute Force: Password Cracking 

Adversaries may use brute force account passwords to compromise accounts. 

Discovery 

Example 

T1069.001 Permission Groups Discovery: Local Groups 

Adversaries may attempt to discover local permissions groups with commands, such as “net localgroup.”  

T1069.002 Permission Groups Discovery: Domain Groups 

Adversaries may attempt to discover domain groups with commands, such as “net group /domain.” 

T1201 Password Policy Discovery 

Adversaries may attempt to discover information about the password policy within a compromised network with commands, such as “net accounts.” 

Lateral Movement 

Example 

T1021.001 Remote Services: Remote Desktop Protocol 

Adversaries may abuse valid accounts using RDP to move laterally in a target environment.  

T1534 Internal Spearphishing 

Adversaries may abuse a compromised email account to send internal spearphishing emails to move laterally. 

T1021.002 Remote Services: SMB / Windows Admin Shares 

Adversaries may abuse valid accounts using SMB to move laterally in a target environment. 

T1021.004 Remote Services: SSH 

Adversaries may abuse valid accounts using SSH to move laterally in a target environment. 

T1021.001 Remote Services: Windows Remote Management 

Adversaries may abuse valid accounts using WinRM to move laterally in a target environment. 

Collection 

Example 

T1114.002 Email Collection: Remote Email Collection 

Adversaries may target a Microsoft Exchange server to collect information.  

T1074.001 Data Staged: Local Data Staging 

Adversaries may stage collected data in preparation for exfiltration. 

T1074 Data Staged 

Adversaries may stage collected data in preparation for exfiltration. 

Command and Control 

Example 

T1105 Ingress Tool Transfer 

Adversaries may transfer tools from an external system to a compromised system. 

T1219 Remote Access Software  

Adversaries may abuse remote access software, such as AnyDesk, to establish an interactive C2 channel during their attack.  

Exfiltration 

Example 

T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage 

Adversaries may exfiltrate data to a cloud storage provider, such as Dropbox.  

Impact 

Example 

T1486 Data Encrypted for Impact 

Adversaries may use ransomware to encrypt data on a target system.  

T1490 Inhibit System Recovery 

Adversaries may disable system recovery features, such as volume shadow copies.  

T1657 Financial Theft 

Adversaries may commit financial fraud during the attack.

Talos IR trends: BEC attacks surge, while weaknesses in MFA persist

A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments.
Cisco Talos, which dubbed the activity ArcaneDoor, attributing it as the handiwork of a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft).
"

State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage

PRESS RELEASE

Houston, Texas – Black Girls Do Engineer recently signed an Education Partnership Agreement (EPA) with the National Security Agency in an effort to continue playing a key role in developing science and technology talent for possible national security challenges.

The National Security Agency (NSA) partners with select universities and nonprofit organizations as part of the Agency’s Minority Serving Institution (MSI) Hacking 4 Intelligence (H4I) program. It is a program where the U.S. Government and industry partners, collaborate to solve national security problems. The program engages HBCU students and college bound students studying STEM disciplines.

Black Girls Do Engineer, a 501c3 nonprofit organization that provides access, education and resources to Black students K-12 in STEM was selected to participate because of its stellar reputation in hosting cohorts of students through various STEM subjects including co-ed HBCU and High School programs, utilizing Microsoft technology to do so.

The NSA’s collaborative H4I program is for students to have the opportunity to cultivate essential skills by deconstructing and analyzing NSA and Microsoft problem sets, all while collaborating and networking with government and industry partners. Students will form interdisciplinary teams and work to solve real-world NSA and Microsoft problem sets. At the end of a 12-week cohort, students exit the program with a minimum viable product ready for deployment.

“This partnership with NSA will allow our program to provide our cybersecurity resources and curriculum to Higher Education institutions through our developed BGDE digital infrastructure enhanced by Microsoft tools,” states Kara Branch the Founder and CEO of Black Girls Do Engineer.

Black Girls Do Engineer’s licensed STEM curriculum is committed to excellence in cyber defense education and research. Some of its programs include cybersecurity, artificial intelligence, data science and a host of technical training. Higher education programs include their design Badge A Thon event offered for college students.

“This collaboration will allow our national impact to reach new heights with higher education students,” concludes Kara Branch, Founder and CEO of Black Girls Do Engineer.

About Black Girls Do Engineer

As the fastest growing nationwide program for Black girls in STEM., BGDE has been dubbed “The Ivy League of Nonprofits.” The program is application-based and offers full-time membership-based STEM camps and workshops to Black girls in grades K through 12, with mentorship and individual workshops offered to college students up through age 21. The program currently has a 100% college acceptance rate and 100% job placement rate among its members. Since its launch in 2019, BGDE has served 4,000 girls though its program. The nonprofit has also helped secure its members $44,000 in STEM-related college scholarships.

BGDE futuristic programs of study include: A.I., Energy, Audio/Visual, Aerospace, Engineering, Medical, Robotics and Coding. Mentoring includes: College Prep, Financial Literacy, Upskilling, and Mentorship from professionals working in these fields offering real life experience.

Black Girls Do Engineer Signs Education Partnership Agreement With NSA

Unlike the SolarWinds and CodeCov incidents, all that it took for an adversary to nearly pull off a massive supply chain attack was some slick social engineering and a string of pressure emails.

Source: Mongta Studio via Shutterstock

An adversary doesn't need sophisticated technical skills to execute a broad software supply chain attack like the ones experienced by SolarWinds and CodeCov. Sometimes, all it takes is a little bit of time and ingenius social engineering.

That appears to have been the case with whoever introduced a backdoor in the XZ Utils open source data compression utility in Linux systems earlier this year. Analysis of the incident from Kaspersky this week, and similar reports from others in recent days, identified the attacker as relying almost entirely on social manipulation to slip the backdoor into the utility.

**Social Engineering the Open Source Software Supply Chain**

Ominously, it may be a model that attackers are using to slip similar malware into other widely used open source projects and components.

In an alert last week, the Open Source Security Foundation (OSSF) warned of the XZ Utils attack likely not being an isolated incident. The advisory identified at least one other instance where an adversary employed tactics similar to the one used on XZ Utils to take over the OpenJS Foundation for JavaScript projects.

"The OSSF and OpenJS Foundations are calling all open source maintainers to be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects," the OSSF alert said.

A developer from Microsoft discovered the backdoor in newer versions of an XZ library called liblzma while investigating odd behavior around a Debian installation. At the time, only unstable and beta releases of Fedora, Debian, Kali, openSUSE, and Arch Linux versions had the backdoored library, meaning it was virtually a non-issue for most Linux users.

But the manner in which the attacker introduced the backdoor is especially troubling, Kasperksy said. "One of the key differentiators of the SolarWinds incident from prior supply chain attacks was the adversary’s covert, prolonged access to the source/development environment," Kaspersky said. "In this XZ Utils incident, this prolonged access was obtained via social engineering and extended with fictitious human identity interactions in plain sight."

**A Low and Slow Attack**

The attack appears to have begun in October 2021, when an individual using the handle "Jia Tan" submitted an innocuous patch to the single-person XZ Utils project. Over the next few weeks and months, the Jia Tan account submitted multiple similar harmless patches (described in detail in this timeline) to the XZ Utils project, which its sole maintainer, an individual named Lasse Collins, eventually began merging into the utility.

Starting in April 2022, a couple of other personas — one using the handle "Jigar Kumar" and the other "Dennis Ens" — began sending emails to Collins, pressuring him to integrate Tan's patches into XZ Utils at a faster pace.

The Jigar Kumar and Dennis Ens personas gradually ratcheted up the pressure on Collins, eventually asking him to add another maintainer to the project. Collins at one point reaffirmed his interest in maintaining the project but confessed to being constrained by "long-term mental health issues." Eventually, Collins succumbed to the pressure from Kumar and Ens and gave Jia Tan commit access to the project and the authority to make changes to the code.

"Their goal was to grant full access to XZ Utils source code to Jia Tan and subtly introduce malicious code into XZ Utils," Kaspersky said. "The identities even interact with one another on mail threads, complaining about the need to replace Lasse Collin as the XZ Utils maintainer." The different personas in the attack — Jia Tan, Jigar Kumar, and Dennis Ens — appear to have deliberately been made to look like they were from different geographies, to dispel any doubts about their working in concert. Another individual, or persona, Hans Jansen, surfaced briefly in June 2023 with some new performance optimization code for XZ Utils that ended up being integrated into the utility.

**A Wide Cast of Actors**

Jia Tan introduced the backdoor binary into the utility in February 2024 after gaining control of the XZ Util maintenance tasks. Following that, the Jansen character resurfaced — along with two other personas — each pressuring major Linux distributors to introduce the backdoored utility into their distribution, Kasperksy said.

What's not entirely clear is if the attack involved a small team of actors or a single individual who successfully managed several identities and manipulated the maintainer into giving them the right to make code changes to the project.

Kurt Baumgartner, principal researcher at Kaspersky’s global research and analysis team, tells Dark Reading that additional data sources, including login and netflow data, could help aid in the investigation of the identities involved in the attack. "The world of open source is a wildly open one," he says, "enabling murky identities to contribute questionable code to projects that are major dependencies."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Attacker Social-Engineered Backdoor Code Into XZ Utils

Sources suspect China is behind the targeted exploitation of two zero-day vulnerabilities in Cisco’s security appliances.

Network security appliances like firewalls are meant to keep hackers out. Instead, digital intruders are increasingly targeting them as the weak link that lets them pillage the very systems those devices are meant to protect. In the case of one hacking campaign over recent months, Cisco is now revealing that its firewalls served as beachheads for sophisticated hackers penetrating multiple government networks around the world.

On Wednesday, Cisco warned that its so-called Adaptive Security Appliances—devices that integrate a firewall and VPN with other security features—had been targeted by state-sponsored spies who exploited two zero-day vulnerabilities in the networking giant's gear to compromise government targets globally in a hacking campaign it's calling ArcaneDoor.

The hackers behind the intrusions, which Cisco's security division Talos is calling UAT4356 and which Microsoft researchers who contributed to the investigation have named STORM-1849, couldn't be clearly tied to any previous intrusion incidents the companies had tracked. Based on the group's espionage focus and sophistication, however, Cisco says the hacking appeared to be state-sponsored.

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” a blog post from Cisco's Talos researchers reads.

Cisco declined to say which country it believed to be responsible for the intrusions, but sources familiar with the investigation tell WIRED the campaign appears to be aligned with China's state interests.

Cisco says the hacking campaign began as early as November 2023, with the majority of intrusions taking place between December and early January of this year, when it learned of the first victim. “The investigation that followed identified additional victims, all of which involved government networks globally,” the company's report reads.

In those intrusions, the hackers exploited two newly discovered vulnerabilities in Cisco's ASA products. One, which it's calling Line Dancer, let the hackers run their own malicious code in the memory of the network appliances, allowing them to issue commands to the devices, including the ability to spy on network traffic and steal data. A second vulnerability, which Cisco is calling Line Runner, would allow the hackers' malware to maintain its access to the target devices even when they were rebooted or updated. It's not yet clear if the vulnerabilities served as the initial access points to the victim networks, or how the hackers might have otherwise gained access before exploiting the Cisco appliances.

Cisco has released software updates to patch both vulnerabilities, and advises that customers implement them immediately, along with other recommendations for detecting whether they've been targeted. Despite the hackers' Line Runner persistence mechanism, a separate advisory from the UK's National Cybersecurity Center notes that physically unplugging an ASA device does disrupt the hackers' access. “A hard reboot by pulling the power plug from the Cisco ASA has been confirmed to prevent Line Runner from re-installing itself,” the advisory reads.

The ArcaneDoor hacking campaign represents just the latest series of intrusions to target network perimeter applications sometimes referred to as “edge” devices like email servers, firewalls, and VPNs—often devices intended to provide security—whose vulnerabilities allowed hackers to obtain a staging point inside a victim's network. Cisco's Talos researchers warn of that broader trend in their report, referring to highly sensitive networks that they've seen targeted via edge devices in recent years. “Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications,” they write. “In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations—critical infrastructure entities that are likely strategic targets of interest for many foreign governments.”

State-sponsored hackers' shift to compromising edge devices has become prevalent enough over the past year that Google-owned security firm Mandiant also highlighted it in its annual M-Trends report earlier this week, based on the company's threat intelligence and incident response findings. The report points to widely exploited vulnerabilities in network edge devices sold by Barracuda and Ivanti and notes that hackers—and specifically espionage-focused Chinese groups—are building custom malware for edge devices, in part because many networks have little or no way to monitor for compromise of the devices. Detecting the ArcaneDoor hackers' access to Cisco ASA appliances, in particular, is “incredibly difficult,” according to the advisory from the UK's NCSC.

Mandiant notes that it has observed Russian state-sponsored hackers targeting edge devices too: It's observed the unit of Russia's GRU military intelligence agency, known as Sandworm, repeatedly hack edge devices used by Ukrainian organizations to gain and maintain access to those victim networks, often for data-destroying cyberattacks. In some cases, the lack of visibility and monitoring in those edge devices has meant that Sandworm was able to wipe a victim network while holding on to its control of an edge device—then hit the same network again.

“They’re systemically targeting security appliances that sit on the edge for access to the rest of the network,” says John Hultquist, Mandiant's head of threat intelligence. “This is no longer an emerging trend. It's established."

Hultquist notes, however, that China is unmatched in its discovery and use of network appliance zero days, like the ones it has used to run rampant through Cisco firewalls over the past several months. He expects more to come, as China's cyberspies continue to turn devices meant to protect target networks against their owners. “It's unlikely these zero days are being produced haphazardly. We suspect a well-resourced, coordinated effort is underway to find and exploit these vulnerabilities,” Hultquist says. “Unfortunately, we'll almost certainly see several more zero-days in security appliances this year.”

'ArcaneDoor' Cyberspies Hacked Cisco Firewalls to Access Government Networks

ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.

ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices

Ubuntu Security Notice 6742-2 - Daniele Antonioli discovered that the Secure Simple Pairing and Secure Connections pairing in the Bluetooth protocol could allow an unauthenticated user to complete authentication without pairing credentials. A physically proximate attacker placed between two Bluetooth devices could use this to subsequently impersonate one of the paired devices. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6742-2April 23, 2024linux-azure, linux-lowlatency, linux-nvidia vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-lowlatency: Linux low latency kernel- linux-nvidia: Linux kernel for NVIDIA systemsDetails:Daniele Antonioli discovered that the Secure Simple Pairing and SecureConnections pairing in the Bluetooth protocol could allow anunauthenticated user to complete authentication without pairingcredentials. A physically proximate attacker placed between two Bluetoothdevices could use this to subsequently impersonate one of the paireddevices. (CVE-2023-24023)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - JFS file system;   - Netfilter;(CVE-2024-26581, CVE-2023-52600, CVE-2023-52603)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.15.0-105-lowlatency  5.15.0-105.115   linux-image-5.15.0-105-lowlatency-64k  5.15.0-105.115   linux-image-5.15.0-1053-nvidia  5.15.0-1053.54   linux-image-5.15.0-1053-nvidia-lowlatency  5.15.0-1053.54   linux-image-5.15.0-1061-azure   5.15.0-1061.70   linux-image-azure-lts-22.04     5.15.0.1061.59   linux-image-lowlatency          5.15.0.105.100   linux-image-lowlatency-64k      5.15.0.105.100   linux-image-nvidia              5.15.0.1053.53   linux-image-nvidia-lowlatency   5.15.0.1053.53After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6742-2   https://ubuntu.com/security/notices/USN-6742-1   CVE-2023-24023, CVE-2023-52600, CVE-2023-52603, CVE-2024-26581Package Information:   https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1061.70   https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-105.115   https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1053.54

Ubuntu Security Notice USN-6742-2

Just like you should check the quality of the ingredients before you make a meal, it's critical to ensure the integrity of AI training data.

Source: Nico El Nino via Shutterstock

COMMENTARY

Picture this: It's a Saturday morning, and you made breakfast for your family. The pancakes were golden brown and seemingly tasted OK, but everyone, including you, got sick shortly after eating them. Unbeknown to you, the milk that you used to make the batter expired several weeks ago. The quality of the ingredients impacted the meal, but everything looked fine on the outside.

The same philosophy can be applied to artificial intelligence (AI). Regardless of its purpose, AI's output is directly related to the quality of its input. As the popularity of AI continues to rise, security concerns around the data being fed into AI are coming into question.

A majority of today's organizations are integrating AI into business operations at some capacity — and threat actors are taking note. Over the past few years, a tactic known as AI poisoning has become increasingly prevalent. This new malicious practice involves injecting deceptive or harmful data into AI training sets. The tricky part about AI poisoning is that, despite the input being compromised, the output can initially continue as normal. It isn't until a threat actor gets a firm grip on the data and begins a full-fledged attack that deviations from the norm become obvious. The consequences range from slightly inconvenient to damaging a brand's reputation.

It's a risk affecting organizations of all sizes, even today's most prominent tech vendors. For example, over the past few years, adversaries launched several large-scale attacks to poison Google's Gmail spam filters and even turned Microsoft's Twitter chatbot hostile.

**Defending Against AI Data Poisoning**

Fortunately, organizations can take the following steps to shield AI technologies from potential poisoning.

*   Build a comprehensive data catalog. First, organizations should create a live data catalog that serves as a centralized repository of information that is being fed to its AI systems. Any time new data is added to AI systems, it should be tracked in this index. In addition, the catalog should be able to categorize the data flowing into AI systems by the who, what, when, where, why, and how to ensure transparency and accountability.
    
*   Develop a normal baseline for users and devices interacting with AI data. Once the security and IT teams have a solid understanding of all of the data in AI systems and who has access to it, it's important to develop a baseline of normal user and device behavior.
    

Compromised credentials are one of the easiest ways for cybercriminals to break into networks. All a threat actor has to do is either play a guessing game or buy one of the 24 billion username and password combinations available on the cybercriminal marketplace. Once they have access, a threat actor can easily maneuver their way into accessing AI training datasets.

By establishing user and device baseline behavior, security teams can easily detect abnormalities that might be indicative of an attack. Often, this helps stop a threat actor before an incident escalates into a full-blown data breach. For example, say you have an IT executive who typically works from the New York office and who oversees the AI data training sets. One day, it shows that he is active in another country and is adding large amounts of data to the AI. If your security team already has a baseline of user behavior, they can quickly tell that this is abnormal. Then security could either talk to the executive and verify that he was performing the action or, if he wasn't, temporarily disable his account until the alert is thoroughly investigated to prevent any further damage.

**Taking Responsibility of AI Training Sets**

Just like you should check the quality of the ingredients before you make a meal, it's critical to ensure the integrity of AI training data. AI intelligence is intricately linked to the quality of data it processes. Implementing guidelines, policies, monitoring systems, and improved algorithms plays a pivotal role in ensuring the safety and effectiveness of AI. These measures safeguard against potential threats and empower organizations to harness the transformative potential of AI. It is a delicate balance where organizations must learn to leverage AI's capabilities, while remaining vigilant in the face of the ever-evolving threat landscape.

**About the Author(s)**

CISO, Exabeam

Tyler Farrar is the Chief Information Security Officer (CISO) at Exabeam. He graduated from the United States Naval Academy in 2012, and received his Bachelor of Science in Aerospace Engineering. Tyler continued his education at Robert H. Smith School of Business, where he earned a Master of Business Administration in Accounting and Finance.

Tag

#microsoft