SUMMARY Datadog Security Labs’ cybersecurity researchers have discovered a new, malicious year-long campaign from a threat actor identified…

****SUMMARY****

*   **Fake PoCs on GitHub**: Cybercriminals used trojanized proof-of-concept (PoC) code on GitHub to deliver malicious payloads to unsuspecting users, including researchers and security professionals.

*   **Credential Theft**: The attackers stole over 390,000 WordPress credentials, AWS access keys, SSH private keys, and other sensitive data from compromised systems.

*   **Stealth Techniques**: The campaign employed methods like backdoored configuration files, malicious PDFs, Python dropper scripts, and hidden npm packages to deploy the malware.

*   **Phishing Campaigns**: The attackers also targeted academics through phishing emails, tricking them into installing malware disguised as a fake kernel upgrade.

*   **Supply Chain Impact**: By leveraging trusted platforms like GitHub and popular tools, the attackers exploited the software supply chain, posing risks to professionals trusting these resources.

Datadog Security Labs’ cybersecurity researchers have discovered a new, malicious year-long campaign from a threat actor identified as MUT-1244, which resulted in the theft of over 390,000 WordPress credentials.

According to Datadog Security Labs’ research, the actor used a trojanized WordPress credentials checker to steal data. SSH private and AWS access keys were also stolen from the compromised systems of hundreds of victims. The attackers’ key targets included red teamers, penetration testers, security researchers, and even other malicious actors.

****Use of Phishing and Trojan****

Researchers observed that MUT-1244 has employed two main methods to gain initial access to victim systems including phishing and trojanized GitHub repositories.

**Phishing Campaign:** The campaign targeted academics, specifically those researching high-performance computing (HPC). The email urged them to install a fake kernel upgrade, leading to the download of malicious code.

**Trojanized GitHub Repositories:** MUT-1244 created numerous fake repositories on GitHub. These repositories disguised themselves as **proof-of-concept (PoC)** codes for known vulnerabilities. However, they contained hidden malicious code that infected victims who downloaded and ran them. 

****Fake PoCs: A New Yet Familiar Weapon****

It is worth noting that the use of fake PoCs has emerged as a new weapon for cybercriminals to target cybersecurity researchers and unsuspecting users. **In June 2023**, scammers were caught impersonating real cybersecurity researchers to spread malware disguised as PoCs on GitHub and X (formerly Twitter).

**In July 2023**, a similar campaign was discovered in which fake GitHub repositories were used to distribute malware posing as PoCs. Interestingly, the stolen identity used in that attack belonged to Shakhriyar Mamedyarov, an Azerbaijani chess grandmaster.

**By September 2023**, another malicious campaign surfaced, utilizing a fake proof-of-concept script to trick researchers into downloading and executing a VenomRAT payload. This attack exploited the WinRAR vulnerability (CVE-2023-40477).

****Techniques used in the trojanized repositories:****

The techniques used in the trojanized repositories included multiple methods to hide and deliver malicious payloads. Some repositories contained legitimate exploits but hid malicious code within lengthy, backdoored configuration files.

In other cases, the malicious code was embedded inside PDF files; once opened, the fake exploit would extract and execute the hidden payload. A few repositories employed Python dropper scripts to decode base64-encoded payloads, write them to disk and execute them.

Additionally, some repositories indirectly infected victims by incorporating malicious npm packages into their code, which then downloaded and executed the attacker’s payload.

The ultimate goal of these attacks was to steal sensitive information from victims, including private SSH keys, **AWS credentials**, and command history.  Moreover, research revealed the malicious code contained hardcoded credentials for Dropbox and file.io services. These credentials allowed the attacker to access and download the stolen data from infected machines.

****390,000 WordPress Credentials****

Another shocking disclosure was the attacker’s ability to access over 390,000 WordPress credentials. Researchers believe these credentials were originally obtained by other malicious actors and subsequently compromised when the attackers used a trojanized tool called “yawpp” to validate them. 

The attack flow and one of the profiles used in the scam (Credit: Datadog Security Labs)

“We assess with high confidence that before these credentials were exfiltrated to Dropbox, they were in the hands of offensive actors, who likely acquired them through illicit means,” Datadog’s **report** read.

Yawpp was advertised as a legitimate WordPress credentials checker, making it a perfect lure for attackers unaware of its malicious nature. Nevertheless, the MUT-1244 campaign shows that cybercriminals are finding new ways to trick users, making it vital for individuals to improve their skills. This is especially true for **employees with cybersecurity training**, as staying alert can help prevent risks to themselves and their organizations.

**Casey Ellis**, Founder and Advisor at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity commented on the issue stating, _“_Targeting red-teamers and security researchers through fake POCs is a troll technique as old as security research itself, however, as this attack demonstrates, it can also be an effective approach to watering-hole attacks._“_ Casey added, _“_This is a good reminder for those who provide offensive security services that they themselves are part of an exploitable supply-chain, and that malicious attackers know this._“_

1.  **Researcher release PoC exploit for 0-day in Chrome**
2.  **Facial DNA provider leaks biometric data via WordPress folder**
3.  **Thousands of WordPress Websites Hacked with Sign1 Malware**
4.  **Lazarus Targets Blockchain Pros with Fake Video Conferencing**
5.  **Hackers Publish PoC of 0-day Vulnerability in Windows on Twitter**

Hackers Use Fake PoCs on GitHub to Steal WordPress Credentials, AWS Keys

SUMMARY Cicada3301, a ransomware group, has claimed responsibility for a data breach targeting Concession Peugeot (concessions.peugeot.fr), a prominent…

****SUMMARY****

*   **Cicada3301 ransomware group claims to have breached Concession Peugeot, stealing 35GB of sensitive data.**

*   **The group operates a Ransomware-as-a-Service (RaaS) model with a 20% commission.**

*   **First observed in June 2024, their ransomware targets Windows and Linux/ESXi systems.**

*   **Cicada3301 shares similarities with BlackCat, using ChaCha20 encryption and similar tactics.**

*   **Leaked data includes invoices, passport copies, and internal communications.**

Cicada3301, a ransomware group, has claimed responsibility for a data breach targeting Concession Peugeot (concessions.peugeot.fr), a prominent French automotive dealership linked to the Peugeot brand. The group claims to have stolen 35GB of sensitive data, marking a continuation of their aggressive cyber campaigns.

Screenshot from cicada3301 Ransomware’s dark web leak site (Screenshot: Hackread.com)

The alleged breach was announced by the group over the weekend (Sunday, December 15, 2024) on its official dark web leak site. It is also worth noting that the name Cicada3301 was historically associated with **cryptographic puzzles** in the early 2010s, it has since been co-opted by the ransomware group operating under a Ransomware-as-a-Service (RaaS) model.

This model enables affiliates to carry out attacks by renting the ransomware infrastructure and splitting the proceeds with the operators. Check Point’s **report** in September 2024, also discusses Cicada3301 who posted an advertisement on a Russian-language underground forum offering ransomware-as-a-service. The group demands a 20% commission on successful attacks and even provides negotiation mechanisms for disputes among partners.

The Cicada3301 ransomware group was first identified by cybersecurity firm Truesec and observed in June 2024. Written in Rust, the ransomware can target both Windows and Linux/ESXi systems, showcasing its cross-platform capabilities.

Cicada3301 has notable similarities to **ALPHV/BlackCat ransomware**, including the use of ChaCha20 encryption, identical commands to shut down virtual machines, and the -ui commands that provide graphic output for encryption. Both groups also share a similar file-naming pattern and key parameters used to decrypt ransom notes. These overlaps suggest a shared connection or the adoption of proven techniques to maximize efficiency and impact.

The attack on Concession Peugeot aligns with Cicada3301’s strategy of targeting high-value organizations to maximize impact. The theft of 35GB of data is particularly concerning, as a screenshot of the leaked files, reviewed by Hackread.com, reveals official and internal communications, invoices, passport copies, and even recipes.

Screenshot from cicada3301 Ransomware’s dark web leak site (Screenshot: Hackread.com)

**Editor’s Note**

The fact that Concession Peugeot operates under the official subdomain concessions.peugeot.fr creates a closer association with the larger Peugeot brand. Big companies like Peugeot often let their authorized dealerships use subdomains to maintain a consistent online presence and make it easier for customers to trust their services.

However, this setup means that an attack on a dealership can easily look like an attack on the main company. While this breach only targeted the dealership, the use of Peugeot’s domain could lead to confusion and raise questions about security across the brand.

1.  **13GB Data of Automobile Insurance Giant AA Exposed Online**
2.  **French automobile Citroën breached, user login details leaked**
3.  **Hackers Can Access Mazda Vehicle Controls Via System Flaws**
4.  **Contractor Database Exposes Irish Police Vehicle Seizure Records**
5.  **Nissan Confirms Data Breach Affected 100K Customers, Employees**
6.  **ALPHV Ransomware Used Vishing to Scam MGM Resorts Employee**

Cicada3301 Ransomware Claims Attack on French Peugeot Dealership

A thwarted attack demonstrates that threat actors using yet another delivery method for the malware, which already has been spread using phishing emails, malvertising, hijacking of instant messages, and SEO poisoning.

Source: Brian Jackson via Alamy Stock Photo

The DarkGate remote access Trojan (RAT) has a new attack vector: A threat actor targeted a Microsoft Teams user via a voice call to gain access to their device.

The attack adds to the other methods for spreading the RAT, which previously has been propagated using phishing emails, malvertising, hijacking of Skype and Teams messages, and search engine optimization (SEO) poisoning, researchers said.

Researchers at Trend Micro discovered the voice phishing, or vishing, attack, in which an attacker initially tried to install a Microsoft remote support application to gain access to the user's device, they revealed in a recent blog post. While this failed, the cyberattackers then used social engineering to convince the victim to download the AnyDesk tool for remote access, which they eventually achieved.

The attacker loaded multiple "suspicious files" onto the victim's machine via a connection that was established to a command-and-control (C2) server, one of which was DarkGate, according to Trend Micro. The RAT, distributed as usual via an AutoIt script, enabled remote control over the user's machine, executed malicious commands, gathered system information, and connected to a command-and-control (C2) server.

**A Multistage Vishing Cyberattack**

The multistage attack started off in a more typical DarkGate way, through a flood of thousands of phishing emails sent to the victim's inbox. The emails were followed up with a Microsoft Teams call purportedly for technical support, which kicked off the vishing attack.

The caller claimed to be an employee of an external supplier of the victim's company needing assistance, and instructed the victim to download the Microsoft Remote Support application.

"However, the installation via the Microsoft Store failed," Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta wrote in the post. "The attacker then instructed the victim to download AnyDesk via browser and manipulate the user to enter her credentials to AnyDesk."

The attacker used AnyDesk to set up a communication channel to C2 and initiate various malicious scripts and eventually a PowerShell command to drop DarkGate using the Autoit legitimate Windows automation and scripting tool favored by attackers for obfuscation and defense evasion. After installation, the attack also loaded files and a registry entry for persistence.

**Another Channel for Spreading DarkGate Malware**

While ultimately the attack was stopped before data could be exfiltrated from the victim's machine, it demonstrates DarkGate actors using yet another means to spread the formidable RAT, adding to a long list of previously used delivery methods, the researchers said.

DarkGate has been used to target users around the world since at least 2017 and integrates multiple diverse and malicious functions. Among its capabilities are executing commands for gathering system information, mapping networks, and doing directory traversal, as well as launching Remote Desktop Protocol (RDP), hidden virtual network computing, AnyDesk, and other remote access software.

DarkGate also has features to support cryptocurrency mining, keylogging, privilege escalation, and stealing information from browsers, and is even known to carry additional payloads, including other RATs like Remcos.

**How to Protect Against Sophisticated Vishing Attacks**

Vishing attacks are becoming ever more psychologically sophisticated, with attackers even resorting to physical intimidation to coerce victims into complying with demands. Training employees on signs of a vishing attack, including staying up to date on the latest tactics, is becoming increasingly important as these attacks escalate.

"Well-informed employees are less likely to fall victim to social engineering attacks, strengthening the organization’s overall security posture," the researchers wrote.

Organizations also should "thoroughly vet third-party technical support providers" to "ensure that any claims of vendor affiliation are directly verified before granting remote access to corporate systems, the researchers wrote. Moreover, they should establish cloud-vetting processes to evaluate and approve remote access tools, such as AnyDesk to assess security compliance and vendor reputation before putting them in use.

Whitelisting approved remote access tools and blocking any unverified applications as well as integrating multifactor authentication (MFA) on remote access tools also reduce "the risk of malicious tools being used to gain control over internal machines," the researchers wrote.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Microsoft Teams Vishing Spreads DarkGate RAT

Plus: The US indicts North Koreans in fake IT worker scheme, file-sharing firm Cleo warns customers to patch a vulnerability amid live attacks, and more.

What a week! On Monday, police arrested 26-year-old Luigi Mangione and charged him in the murder of UnitedHealthcare CEO Brian Thompson. Mangione’s five-day run from authorities ended after he was spotted eating at a McDonald’s in Altoona, Pennsylvania, about 300 miles from Manhattan, where Thompson was gunned down on the morning of December 4. Authorities say they found Mangione carrying fake IDs and a 3D-printed “ghost gun,” the model of which is known as the FMDA, or “Free Men Don’t Ask.”

Meanwhile, a flood of mysterious drone sightings across New Jersey and neighboring states caused so much havoc, it quickly gained federal attention. While many people wondered why the US military couldn’t just shoot down the drones, the FBI, Department of Homeland Security, and independent experts say the drone mystery may not be much of a mystery, and the drones are probably mostly just airplanes.

As for more terrestrial threats, we dove into the far-right realm of “Active Clubs,” small groups of young, fitness-focused men who are steeped in extremist ideology and linked to several violent attacks. While the man who helped invent the Active Club network, Robert Rundo, was sentenced in federal court this week, Active Clubs around the world are proliferating.

Finally, we investigated cheating schemes that use tiny cameras to gain an illicit edge in poker, and we interrogated the ways humans will use generative AI to make the world a more dangerous place.

But that’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Back in May, Microsoft jubilantly announced Recall, an AI feature for some Windows PCs that silently takes screenshots every five seconds and then allows you to easily search through the resulting digital footprint. Forgotten where you saw a recipe online? Tapping a couple of keywords into Recall could, in theory, find the dish again. It didn’t take long for the privacy and security community to find gaping holes in the feature.

In response, Microsoft delayed Recall’s launch and eventually made some significant changes—such as making Recall opt-in rather than on by default, better encrypting information captured by Recall, and adding authentication to access data that it stored. Recall finally launched for some users this month.

However, this week, testing of Recall by Tom’s Hardware demonstrated that a key safeguard put in place by Microsoft can still fail. With a Recall setting called “filter sensitive information” turned on, Tom’s Hardware’s tests found that it still took screenshots of some sensitive information—such as credit card numbers and Social Security numbers. When the publication typed a credit card number and a username and password into a Notepad window, they were gathered in the screenshots. “Similarly, when I filled out a loan application PDF in Microsoft Edge, entering a social security number, name and DOB, Recall captured that,” Avram Piltch writes. The tool, however, didn’t record details when they were entered on a couple of online stores.

Microsoft pointed to its product information that says the system will get better over time and that people should report if sensitive information is captured by Recall. While that may be the case, it’s unlikely that any system can correctly determine what is and isn’t sensitive every time. And that could make it a bigger target for hackers.

**14 North Koreans Identified and Indicted as Fraudulent IT Workers**

For years, North Korean nationals posing as tech workers have tried to get hired by global businesses so they can send their wages back to help the Hermit Kingdom pay for its nuclear programs. Increasingly, some companies are revealing they were targeted, and investigators are unravelling the schemes. This week, the US government indicted 14 North Koreans for their alleged role in generating $88 million, stealing sensitive business information, and attempting to use that information to extort more payments from companies. To get hired, the FBI alleges, the IT workers stole real identities, paid people in the US to use their home Wi-Fi connections, or paid them to attend job interviews. Researchers from Google-owned cybersecurity firm Mandiant who focus on North Korea say that in recent months they’ve seen IT workers following through on leaking sensitive data and demanding more cryptocurrency than ever before—although, they say this desperation could be a sign of the schemes becoming less effective.

**Cleo File-sharing Software Exploited to Spread Cybercriminal Malware**

File-sharing software firm Cleo this week warned customers to implement a new security patch to prevent a wave of intrusions by cybercriminals actively exploiting a vulnerability in its code. Researchers at security firm Huntress Labs told news outlet Recorded Future that at least two dozen organizations have already been breached by the hackers exploiting the Cleo flaw. Huntress has found a sample of malware found on those victims’ networks it calls Malichus, and says it appears to have been used by a sophisticated hacker group. Huntress also noted that Blue Yonder, a software firm breached by the Termite ransomware gang in November, had a vulnerable instance of Cleo’s software exposed on its network, and some evidence suggests the same cybercrime group may now be using the software’s vulnerability to hit other victims. Cleo first released a patch for the bug currently being exploited in October, but hackers appear to have circumvented it, and the company is urging customers to apply its new patch now.

**US Sanctions Chinese Hackers Who Allegedly Hijacked Thousands of Firewalls**

For five years, UK cybersecurity firm Sophos engaged in a cat-and-mouse game with a mysterious group of Chinese hackers targeting the company’s firewalls as a vector to break into its customers’ networks, as WIRED chronicled in October. Sophos went so far as to download surveillance “implants” to its devices that the hackers were testing to better monitor and preempt their intrusion techniques—and to gain more information about who they were and where they operated. Now, following Sophos’s revelations, those hackers have been hit with sanctions from the US government, and one of them has been indicted by name. Sichuan Silence Information Technology, based in Chengdu, and an alleged hacker named Guan Tianfeng are accused of hijacking 81,000 firewalls by exploiting a zero-day vulnerability that Guan is said to have discovered. Sichuan Silence, a known seller of disinformation tools to the Chinese government, and Guan are accused of targeting 23,000 firewalls in the US specifically, 36 of which were used in US critical infrastructure networks. The US State Department also issued a $10 million bounty for information about the company or Guan.

Microsoft’s AI Recall Tool Is Still Sucking Up Credit Card and Social Security Numbers

Defenders running the Cleo managed file transfer are urged to be on the lookout for the Cleopatra backdoor and other indicators of an ongoing ransomware campaign, as patching details remain foggy, and no CVE has been issued.

Source: Allstar Picture Library Ltd. via Alamy Stock Photo

An active ransomware campaign against the Cleo managed file transfer tool is about to ramp up now that a proof-of-concept exploit for a zero-day flaw in the software has become publicly available. Defenders should brace for widespread deployment of the Cleopatra backdoor and other steps in the attack chain.

The flaw, which is the result of an insufficient patch for an arbitrary file write tracked as CVE-2024-50623, is being used for remote code execution (RCE) and impacts Cleo Harmony, Cleo VLTrader, and Cleo LexiCon products, according to the company's security advisory. The new issue does not yet have a CVE or CVSS severity score as of the time of this writing.

Active attacks against the zero-day appear to have begun on Dec. 3, and just days later cyberattackers had breached at least 10 Cleo clients, including those in the trucking, shipping, and food industries. Cleo currently has more than 4,000 customers, mostly mid-sized organizations.

The current ransomware campaign has been attributed to a group called "Termite," which is also believed to be connected to similar cyberattacks against Blue Yonder that ultimately impacted household brand names like Starbucks.

But that's just a taste of what's to come, according to Artic Wolf analysts, who predict that ransomware cyberattacks against vulnerable Cleo systems are about to escalate.

**Is a MOVEit-Style Deluge of Cyberattacks Imminent?**

Since 2023's ransomware success against MOVEit, a similar file transfer service, threat actors have become keenly aware of the broad access to sensitive enterprise data and systems these MFT solutions provide, researchers at Artic Wolf noted.

That's especially true in light of a public proof of exploit of the Cleo zero-day published on Dec. 11 by Watchtowr Labs, the researchers predicted. Like MOVEit, Cleo has the potential to offer attackers a mass-attack avenue.

And unfortunately for those impacted, patching this zero-day has been a bit confusing for Cleo customers, widening the door for attackers to pounce.

The original bug, CVE-2024-50623, was first "fixed" in the Oct. 30 release of an updated Cleo version, 5.8.0.21. However, customers continued to report compromises, "suggesting the existence of a separate means of compromise," a new backgrounder from Rapid7 on the Cleo zero-day explained.

Researchers at Huntress first reported on continued widespread active exploits of the supposedly patched vulnerability on Dec. 9. Cleo responded with a new version containing a new security patch (version 5.8.0.24). However, the new exploitable issue has not yet received a new CVE designation, raising questions from industry watchers like Rapid7.

"Cleo issued a new advisory as of December 10 that previously said versions up to 5.8.0.21 were vulnerable to an as-yet-unassigned CVE," a Rapid7 blog post noted. "That advisory was updated to indicate a patch is now available for all affected products — it's unclear exactly when the update occurred. There is still no CVE for the new issue."

Cleo has since added a note to its advisory page on the insufficient patching issue that a "CVE is pending."

**Cleopatra Backdoor: How to Tell if Cleo Has Been Compromised**

With the added patching confusion, it's up to cyber defense teams to understand what a Cleo compromise looks like and stop it before it takes hold.

The Artic Wolf team tracked the attack chain down to a malicious PowerShell stager that ultimately executes a new Java-based backdoor that their team appropriately called "Cleopatra."

"The Cleopatra backdoor supports in-memory file storage, and is designed for cross-platform support across Windows and Linux. It implements functionality designed to access data stored within Cleo MFT software specifically," the Artic Wolf report explained. "Although many IP addresses were used as C2 destinations, vulnerability scanning originated from only two IP addresses."

The Arctic Wolf researchers urge defenders to focus in on monitoring server assets for unusual activity, like PowerShell, in order to respond early in the attack chain.

"Additionally, devices should be continuously audited for potential weaknesses in internet-accessible services, and vulnerable services should be kept off the public Internet where possible to minimize the potential exposure in mass exploitation campaigns such as this one," the report added. "This can be accomplished by IP access control lists, or by keeping applications behind a VPN to reduce the potential attack surface."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Cleo MFT Zero-Day Exploits Are About Escalate, Analysts Warn

Proxy and anonymization networks have been dominating the headlines, this piece discusses its origins and evolution on the threat landscape with specific focus on state sponsored abuse.

Thursday, December 12, 2024 06:00

As long as we've had the internet, users have tried to obfuscate how and what they are connecting to. In some cases, this is to work around restrictions put in place by governments or a desire to access content that is not otherwise available in a given region.

This is why technologies like VPNs and The Onion Router (TOR) become popular: They allow users to easily access content without exposing their IP address or location. These technologies are intended to protect users and information and have done a good job of doing so. However, adversaries have taken notice and are using proxy networks for malicious activities.

**Proxy Chain Services**

It is important to distinguish the different proxy chain services, as there are legitimate reasons for some of them to exist. From a privacy/defender point-of-view, they can be split into the following groups:

*   **VPN and TOR:** These services provide the user anonymity, but the defender can, for the most part, determine that it's receiving requests from these networks. As such, there is no expectation that the origin of the connection is the exact same as the user’s physical location. The user has no control of the path or exit node location. 
*   **Commercial residential services:** These provide anonymity to users, while at the same time allowing them to choose the exit point. These services do not provide any clues to the defender about the nature of the connection. 
*   **Malicious proxy services:** Threat actors use these networks to hide their location and choose their exit node. These are set up to be used by malicious operators from multiple sources. They can take two shapes: The nodes are installed on leased servers from different providers in different regions, or their nodes can be compromised edge devices that bounce connections in chains.

The first group has a clear legitimate use case, and the second has been advertised as a means to measure marketing engagement. However, threat actors can also use them without the bandwidth owner understanding what is at risk. The third case is clear: The networks are built to be rented for distributed denial-of-service (DDoS) attacks or access to be sold so other actors can anonymize their activities.

**History**

Leveraging proxy networks for malicious purposes was something we first stumbled on with our research into Honeygain. This was one of the first times we saw technologies like proxyware being abused maliciously. 

Proxyware is a type of technology that uses agents installed by users to act as proxies for other users. The users installing these agents are typically compensated for adding their node to the proxy network. Criminals stumbled upon this quickly and began to weaponize and monetize it, allowing them to benefit from the anonymity these technologies provide since it traces back to a random computer in a random location. At the time, the focus was purely criminal in nature, but state-sponsored groups have been leveraging TOR and VPNs for decades to launch their attacks, typically dropping out of a VPN near the target.

State-sponsored groups also realize that TOR and VPNs have limitations and could potentially expose their operations, so they needed something more opaque and less traceable. Enter VPNFilter.

VPNFilter was the first large-scale proxy network leveraged by state-sponsored actors, in this case Russia. This completely changed how proxy networks were operated and would set the tradecraft for state-sponsored proxy networks for the next several years. The most unique aspect of VPNFilter was the targeting: small office and home office (SOHO) routers. 

The network was made up of SOHO routers that were being compromised with malicious firmware providing a variety of capabilities, including interception and proxy capabilities. 

This was also a fairly significant botnet, consisting of some 500,000 devices that created a massive network from which to launch attacks without repercussions. Fortunately, we worked with affected vendors, and they resolved many of the issues that were being exploited, both vulnerability and otherwise. 

This wasn't the last time we saw Russian-aligned actors leveraging these types of botnets. A few years later, Cyclops Blink was uncovered. Another Russian actor controlled a proxy network that again primarily consisted of consumer devices. 

The targeting of consumer devices for this type of activity has become the focus of state-sponsored groups’ foray into this space. They also make excellent targets, since many users leave default configurations in place and rarely think to update their devices. Fortunately, post-VPNFilter, many vendors have switched to automatic updates, allowing for more frequent patching. This has resulted in state-sponsored groups widening their targeting. 

Today, we see not just SOHO routers, but also NAS and a variety of IoT devices being targeted and added to these networks. This problem has just gotten worse in the past several years.

**State of the Art**

As recently as September, the FBI took down a botnet associated with Chinese hacking activities. This was just the latest in a spate of attacks originating from proxy networks. This activity has been largely associated with Volt Typhoon by the U.S. Government, with a broader attribution of China-linked activities in the recent FBI takedown.

Currently, there are several proxy-based networks, with a focus on SOHO devices (e.g., routers, NAS, etc.) and a variety of IoT components (e.g., security cameras) being compromised and added to a botnet that, in some ways, mirrors Mirai botnet activities. 

The basic operating model for these botnets is that they are peer-to-peer, meaning there is no discernable routing. This model provides a sophisticated network of devices to obfuscate the true origin of an attack, and in many circumstances, allows the attacker to appear in close proximity to the victim, including coming from geographically adjacent residential networks. 

The attacks originating from these networks have been tied to espionage and the targeting of critical infrastructure in the U.S. and globally. Most countries are concerned with this escalation, and it has the attention of the majority of vendors in this space. 

These networks have also grown with staggering efficiency, with new nodes being added constantly as other nodes fall off and need to be compromised again. Based on reporting, the majority of these infections are using N-Day vulnerabilities or weak credentials to gain access, something we've seen repeatedly out of botnets like Mirai for the last decade. The major difference is that Mirai is used to conduct DDoS attacks, and the new iterations are being used to launch state-sponsored attacks with anonymity.

**Network Resiliency Coalition**

The repeated use of N-Day vulnerabilities and weak credentials ties into the work that Cisco has been doing for some time related to old and outdated networking equipment and the risks they introduce. The Network Resiliency Coalition is one of the projects aimed at trying to resolve this difficult problem. Anonymization networks' reliance on networking equipment, specifically exploiting known vulnerabilities, adds more weight to the importance of this effort. By working with industry peers, Cisco is trying to help remove many of the systems that are being abused in these attacks by working with vendors to ensure proper patching is provided to mitigate these known vulnerabilities, in a timely manner.  

More projects like this that encompass the IoT industry and the non-edge SOHO appliances like NAS devices would also have a contribution to the fight against anonymization networks. This combined with better credential management, most notably ensuring that default credentials are complex and unique, could make a huge impact on how successful these networks are in continuing to grow. Vendors are working to try and resolve some of these weaknesses, but it also is paramount for defenders to take note.

**Impact on Defenders**

This continued focus by state-sponsored groups to leverage these networks presents problems for defenders. Attacks from these groups are likely to be coming from residential networks, potentially even from residential networks in the same cities and countries as your organization operates, making identification and attribution increasingly difficult. 

Organizations need to realize that attacks can come from anywhere, even the same IP space that your employees connect to their VPNs, so plan accordingly. 

This is further complicated by the increased focus by state-sponsored groups on the use of legitimate credentials. If you have a connection coming from the same IP space as your employees, using legitimate credentials organizations have little hope to stop it. This is where the increased focus on identity comes into play — organizations need to start taking additional steps to be able to distinguish between the illegitimate and legitimate use of credentials, and that ties back to behavior. 

Increasingly, organizations should be looking at users’ behavior when it comes to connections.

*   Are they using their typical device type? (e.g., Windows desktop/MacOS laptop)
*   Are they logging on during their typical hours? (e.g., 9-5 M-F)
*   Are there other managed devices in proximity?
*   Are they using their managed device?

This last point is a critical one. For organizations particularly concerned with credential abuse, managed device access restriction may be the best option. 

This ensures that only managed devices can connect to corporate VPNs through technologies like certificates. 

The downside to this approach is that it's expensive, and for many organizations not practical, but for those with the budgets and the concern, it's a needed escalation beyond just multi-factor authentication (MFA). 

You may have noticed we haven’t mentioned MFA until now. But that’s because in 2024, it's assumed you've already rolled out MFA for medium to large enterprises. It is no longer an optional security feature. 

Defenders need to adjust for the state-sponsored threats they will be facing in 2024 and beyond. This means adding more identity capabilities in the near term and looking at additional security protections like managed device-only access in the future.

The evolution and abuse of proxy networks

**Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?**

This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.

Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information.

CVE-2024-49071: Windows Defender Information Disclosure Vulnerability

A newly devised technique leverages a Windows accessibility framework called UI Automation (UIA) to perform a wide range of malicious activities without tipping off endpoint detection and response (EDR) solutions.
"To exploit this technique, a user must be convinced to run a program that uses UI Automation," Akamai security researcher Tomer Peled said in a report shared with The Hacker News. "

New Malware Technique Could Exploit Windows UI Framework to Evade EDR Tools

SUMMARY Cybersecurity researchers at Deep Instinct have uncovered a novel and powerful Distributed Component Object Model (DCOM) based…

****SUMMARY****

*   **The new DCOM attack leverages Windows Installer service for stealthy backdoor deployment.**

*   **Attack exploits the IMsiServer interface for remote code execution and persistence.**

*   **Malicious DLLs are remotely written, loaded, and executed to compromise systems.**

*   **It requires the attacker and victim to be within the same domain, limiting the scope.**

*   **Consistent DCOM hardening patches can mitigate attack effectiveness.**

Cybersecurity researchers at Deep Instinct have uncovered a novel and powerful Distributed Component Object Model (DCOM) based lateral movement attack method that enables attackers to stealthily deploy backdoors on target Windows systems.

The attack exploits the Windows Installer service to remotely write custom DLLs, load them into an active service, and execute them with arbitrary parameters. For context, a DLL (Dynamic Link Library) is a Windows file that contains code, data, and resources shared by multiple programs.

The attack, detailed in Deep Instinct’s technical blog and shared with Hackread.com, exploits the IMsiServer COM interface. By reversing its internals, attackers can manipulate its functions to achieve remote code execution, bypass traditional security controls and establish persistent footholds on compromised systems.

For your information, DCOM Lateral Movement is a technique used to move sideways within a network by exploiting vulnerabilities in DCOM, which allows communication between programs on different computers.

On the other hand, Computer Objects (COM) are compiled code that provides services to the system, based on interfaces implemented by its class defined by a globally unique Class ID (CLSID) and accessed remotely with a globally unique identifier (GUID) – AppID. All communication among COM components occurs through interfaces.

The technique involves identifying the vulnerable Windows Installer service, exploiting its COM interface, crafting a malicious DLL containing malicious code, writing the DLL remotely, loading the DLL into a running service process, and executing the code. The attacker gains control over the service, manipulating its functions to remotely interact with it.

The malicious DLL is then loaded into the Windows Installer service, allowing the attacker to execute its code, and granting them remote access to the system. This method is particularly effective against Windows Installer due to its broad system privileges and network accessibility.

The DCOM Upload & Execute attack is powerful but has limitations, researchers noted in the technical blog post. It requires both attacker and victim machines to be within the same domain, restricting its applicability to specific organizational boundaries.

Consistent DCOM Hardening patch statuses can reduce the attack’s effectiveness in environments with varying patch levels. Apart from that, the uploaded payload must be a strongly named .NET assembly and must be compatible with the target machine’s architecture, either x86 or x64, which adds complexity to the attack process.

COM interfaces and tables (Credit: Deep Instinct)

Deep Instinct research discusses IDispatch, a fundamental COM interface that enables scripting languages and higher-level languages to interact with COM objects. However, it is not directly involved in the DCOM Upload & Execute attack due to the IMsiServer interface not implementing IDispatch.

This means that traditional scripting languages like PowerShell cannot directly interact with it using standard techniques. Researchers used lower-level techniques to manipulate the IMsiServer interface and achieve remote code execution by directly calling the interface’s methods and passing necessary parameters.

1.  Voice assistant devices manipulated with ultrasonic waves
2.  Hackers can Downgrade Windows to Exploit Patched Flaws
3.  Electromagnetic Waves Steal Data from Air-Gapped Systems
4.  ‘Matrix’ Hackers Deploy Massive IoT Botnet for DDoS Attacks
5.  Hackers Can Steal Data from Air-Gapped PCs via SATA Cables

New DCOM Attack Exploits Windows Installer for Backdoor Access

Microsoft today released updates to plug at least 70 security holes in Windows and Windows software, including one vulnerability that is already being exploited in active attacks. The zero-day seeing exploitation involves CVE-2024-49138, a security weakness in the Windows Common… Read More »

**Microsoft** today released updates to plug at least 70 security holes in **Windows** and Windows software, including one vulnerability that is already being exploited in active attacks.

The zero-day seeing exploitation involves CVE-2024-49138, a security weakness in the **Windows Common Log File System** (CLFS) driver — used by applications to write transaction logs — that could let an authenticated attacker gain “system” level privileges on a vulnerable Windows device.

The security firm **Rapid7** notes there have been a series of zero-day elevation of privilege flaws in CLFS over the past few years.

“Ransomware authors who have abused previous CLFS vulnerabilities will be only too pleased to get their hands on a fresh one,” wrote **Adam Barnett**, lead software engineer at Rapid7. “Expect more CLFS zero-day vulnerabilities to emerge in the future, at least until Microsoft performs a full replacement of the aging CLFS codebase instead of offering spot fixes for specific flaws.”

Elevation of privilege vulnerabilities accounted for 29% of the 1,009 security bugs Microsoft has patched so far in 2024, according to a year-end tally by **Tenable**; nearly 40 percent of those bugs were weaknesses that could let attackers run malicious code on the vulnerable device.

**Rob Reeves**, principal security engineer at **Immersive Labs**, called special attention to CVE-2024-49112, a remote code execution flaw in the **Lightweight Directory Access Protocol** (LDAP) service _on every version of Windows since Windows 7._ CVE-2024-49112 has been assigned a CVSS (badness) score of 9.8 out of 10.

“LDAP is most commonly seen on servers that are Domain Controllers inside a Windows network and LDAP must be exposed to other servers and clients within an enterprise environment for the domain to function,” Reeves said. “Microsoft hasn’t released specific information about the vulnerability at present, but has indicated that the attack complexity is low and authentication is not required.”

**Tyler Reguly** at the security firm **Fortra** had a slightly different 2024 patch tally for Microsoft, at 1,088 vulnerabilities, which he said was surprisingly similar to the 1,063 vulnerabilities resolved in 2023 and the 1,119 vulnerabilities resolved in 2022.

“If nothing else, we can say that Microsoft is consistent,” Reguly said. “While it would be nice to see the number of vulnerabilities each year decreasing, at least consistency lets us know what to expect.”

If you’re a Windows end user and your system is not set up to automatically install updates, please take a minute this week to run Windows Update, preferably after backing up your system and/or important data.

System admins should keep an eye on AskWoody.com, which usually has the details if any of the Patch Tuesday fixes are causing problems. In the meantime, if you run into any problems applying this month’s fixes, please drop a note about in the comments below.

Tag

#windows