The War Room


Community for various OSINT news and subject matter for open discussion or dissemination elsewhere


African Cybercrime Operations Shut Down in Law Enforcement Operation

Interpol- and Afripol-led crackdown disrupts cybercrime ecosystem responsible for some $40 million in losses to victims.


WinRAR flaw lets hackers run programs when you open RAR archives


A high-severity vulnerability has been fixed in WinRAR, the popular file archiver utility for Windows used by millions, that can execute commands on a computer simply by opening an archive.

The flaw is tracked as CVE-2023-40477 and could give remote attackers arbitrary code execution on the target system after a specially crafted RAR file is opened.

The vulnerability was discovered by researcher "goodbyeselene" of Zero Day Initiative, who reported the flaw to the vendor, RARLAB, on June 8th, 2023.

"The specific flaw exists within the processing of recovery volumes," reads the security advisory released on ZDI's site.

"The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer."

As an attacker needs to trick a victim into opening an archive, the vulnerability's severity rating drops to 7.8, as per the CVSS.

However, from a practical perspective, deceiving users into performing the required action shouldn't be overly challenging, and given the vast size of WinRAR's user base, attackers have ample opportunities for successful exploitation.

Mitigating the risk

RARLAB released WinRAR version 6.23 on August 2nd, 2023, effectively addressing CVE-2023-40477. Therefore, WinRAR users are strongly advised to apply the available security update immediately.

Apart from the fix to the RAR4 recovery-volume processing code, version 6.23 also addresses an issue with specially crafted archives leading to wrong file initiation, which is likewise considered a high-severity problem.

It should also be noted that Microsoft is now testing native support on Windows 11 for RAR, 7-Zip, and GZ files, so third-party software like WinRAR will no longer be required in this version unless its advanced features are needed.

Those continuing to use WinRAR must keep the software updated, as similar flaws in the past were abused by hackers to install malware.

Apart from that, being cautious with what RAR files you open and using an antivirus tool that can scan archives would be a good security measure.


Massive phishing campaign targets users of the Zimbra Collaboration email server

A massive social engineering campaign is targeting users of the Zimbra Collaboration email server to steal their login credentials. ESET researchers uncovered a mass-spreading phishing campaign targeting users of the Zimbra Collaboration email server since April 2023. Zimbra Collaboration is an open-core collaborative software platform. The campaign is still ongoing and is targeting a wide range of […]

The post Massive phishing campaign targets users of the Zimbra Collaboration email server appeared first on Security Affairs.


Africa Cyber Surge II law enforcement operation has led to the arrest of 14 suspects

An international law enforcement operation across 25 African countries has led to the arrest of 14 cybercriminals. A coordinated law enforcement operation conducted by INTERPOL and AFRIPOL across 25 African countries has led to the arrest of 14 suspected cybercriminals and the identification of 20,674 suspicious cyber networks. The operation demonstrates the surge in cybercriminal […]

The post Africa Cyber Surge II law enforcement operation has led to the arrest of 14 suspects appeared first on Security Affairs.


The Current Security State of Private 5G Networks

Private 5G networks offer businesses enhanced security, reliability, and scalability. Learn more about why private 5G could be the future of secure networking.


Hotmail email delivery fails after Microsoft misconfigures DNS


Hotmail users worldwide have problems sending emails, with messages flagged as spam or not delivered after Microsoft misconfigured the domain's DNS SPF record.

The email issues began late last night, with users and admins reporting on Reddit, Twitter, and Microsoft forums that their Hotmail emails were failing due to SPF validation errors.

A Hotmail user explained in a post on Microsoft's forum that their Microsoft Outlook Hotmail accounts were failing to send with the following error:

"For Email Administrators
This error is related to the Sender Policy Framework (SPF). The destination email system's evaluation of the SPF record for the message resulted in an error. Please work with your domain registrar to ensure your SPF records are correctly configured.

exhprdmxe26 gave this error: Message rejected due to SPF policy - Please check policy for hotmail.com"

The Sender Policy Framework (SPF) is an email security feature that reduces spam and prevents threat actors from spoofing domains in phishing attacks.

To configure SPF, admins create a special DNS TXT (text) record for a domain that specifies the specific hostnames and IP addresses allowed to send emails under that domain.

When a mail server receives an email, it checks whether the sending mail server's hostname or IP address is listed in the sender domain's SPF record, and if it is, it allows the email to be delivered as usual.

However, if the IP address or domain of the sending mail server is not listed in the sender domain's SPF record, it will either bounce the email back to the sender with an error or put it in the recipient's SPAM folder.

After analyzing what was causing email delivery errors, admins noted that Microsoft removed the 'include:spf.protection.outlook.com' record from hotmail.com's SPF record.

To illustrate the issue, the previous SPF record for hotmail.com was:

v=spf1 ip4:157.55.9.128/25 include:spf.protection.outlook.com include:spf-a.outlook.com include:spf-b.outlook.com include:spf-a.hotmail.com include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all

Hotmail's current SPF record with spf.protection.outlook.com removed is now:

v=spf1 ip4:157.55.9.128/25 include:spf-a.outlook.com include:spf-b.outlook.com include:spf-a.hotmail.com include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com -all

The spf.protection.outlook.com SPF record contains a large list of hosts allowed to send email for the hotmail.com domain, and with that include missing, any email from those senders will fail SPF checks.

BleepingComputer tested sending an email from an Outlook.com Hotmail account and replicated the problem, with our email going to Gmail's SPAM folder instead due to its SPF record failing.

Authentication-Results: mx.google.com; dkim=pass [email protected] header.s=selector1 header.b=Aoix6uEm; arc=pass (i=1); spf=fail (google.com: domain of ###@hotmail.com does not designate 2a01:111:f400:fe5b::808 as permitted sender) smtp.mailfrom=###@hotmail.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hotmail.com

This is because the allowed IPv6 address (2a01:111:f400) associated with Outlook.com that was used to send my email is designated in the spf.protection.outlook.com record and, with its removal, is no longer accepted as valid.

Other hosts that will now fail SPF checks due to the removal of spf.protection.outlook.com are:

  • 40.92.0.0/15
  • 40.107.0.0/16
  • 52.100.0.0/14
  • 104.47.0.0/17
  • 2a01:111:f400::/48
  • 2a01:111:f403::/49
  • 2a01:111:f403:8000::/50
  • 2a01:111:f403:c000::/51
  • 2a01:111:f403:f000::/52

Unfortunately, there is nothing that Hotmail users can do to fix this problem on their own, and they will have to wait for Microsoft to fix the DNS entry.

BleepingComputer has asked Microsoft about this change, but a reply was not immediately available.
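To make the failure concrete, here is a small SPF evaluator (an added example, not code from the BleepingComputer article). It resolves include: terms from an in-memory table: the two hotmail.com records and the spf.protection.outlook.com ranges are the ones quoted in the article, while the contents of the other include: targets, the sender@hotmail.com address and the header.i value in the Authentication-Results sample are constructed stand-ins.

```python
"""Tiny SPF evaluator showing why dropping an include: term breaks delivery.

Added example, not code from the BleepingComputer article.  It implements the
RFC 7208 subset needed here (ip4, ip6, include, all, the four qualifiers and
the 10-lookup limit).  DNS lookups are replaced by the DNS_TXT table below.
"""
import ipaddress
import re

# The two hotmail.com records quoted in the article (before and after the change).
HOTMAIL_BEFORE = (
    "v=spf1 ip4:157.55.9.128/25 include:spf.protection.outlook.com "
    "include:spf-a.outlook.com include:spf-b.outlook.com "
    "include:spf-a.hotmail.com include:_spf-ssg-b.microsoft.com "
    "include:_spf-ssg-c.microsoft.com ~all"
)
HOTMAIL_AFTER = (
    "v=spf1 ip4:157.55.9.128/25 "
    "include:spf-a.outlook.com include:spf-b.outlook.com "
    "include:spf-a.hotmail.com include:_spf-ssg-b.microsoft.com "
    "include:_spf-ssg-c.microsoft.com -all"
)

# Constructed stand-in for DNS.  spf.protection.outlook.com carries the ranges the
# article lists for it; the other include targets are filled with RFC 5737
# documentation prefixes and are NOT the real Microsoft records.
DNS_TXT = {
    "spf.protection.outlook.com": (
        "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 "
        "ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/49 "
        "ip6:2a01:111:f403:8000::/50 ip6:2a01:111:f403:c000::/51 "
        "ip6:2a01:111:f403:f000::/52 -all"
    ),
    "spf-a.outlook.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "spf-b.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "spf-a.hotmail.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf-ssg-b.microsoft.com": "v=spf1 -all",
    "_spf-ssg-c.microsoft.com": "v=spf1 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, record, dns, _budget=None):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none',
    'permerror') for sending address `ip` evaluated against `record`."""
    if _budget is None:
        _budget = [10]  # RFC 7208 s4.6.4: at most 10 DNS-querying terms per check
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version == addr.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"
            sub = dns.get(arg.lower())
            if sub is None:
                return "permerror"  # include: of a domain with no SPF record
            inner = check_host(ip, sub, dns, _budget)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail / softfail / neutral: the include simply does not match
        else:
            return "permerror"  # mechanism outside this subset (a, mx, exists, ...)
    return "neutral"  # ran off the end without an `all` term


def parse_auth_results(header):
    """Map each method in an Authentication-Results header to its result."""
    results = {}
    for part in header.split(";")[1:]:  # part 0 is the authserv-id (mx.google.com)
        m = re.match(r"\s*([a-z]+)=([a-z]+)", part)
        if m:
            results[m.group(1)] = m.group(2)
    return results


# Constructed sample in the shape of the header quoted in the article.
AUTH_RESULTS = (
    "mx.google.com; dkim=pass header.i=@hotmail.com header.s=selector1 "
    "header.b=Aoix6uEm; arc=pass (i=1); spf=fail (google.com: domain of "
    "sender@hotmail.com does not designate 2a01:111:f400:fe5b::808 as permitted "
    "sender) smtp.mailfrom=sender@hotmail.com; dmarc=pass (p=NONE sp=NONE "
    "dis=NONE) header.from=hotmail.com"
)

if __name__ == "__main__":
    sender = "2a01:111:f400:fe5b::808"  # the Outlook.com address from the article
    print("before:", check_host(sender, HOTMAIL_BEFORE, DNS_TXT))  # pass
    print("after: ", check_host(sender, HOTMAIL_AFTER, DNS_TXT))   # fail
    print("header:", parse_auth_results(AUTH_RESULTS)["spf"])      # fail
```

Note that the new record also switched from ~all to -all, so senders that would previously have been soft-failed (typically delivered to spam) are now hard-failed.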


Interpol arrests 14 suspected cybercriminals for stealing $40 million


An international law enforcement operation led by Interpol has led to the arrest of 14 suspected cybercriminals in an operation codenamed 'Africa Cyber Surge II,' launched in April 2023.

The four-month operation spanned 25 African countries and disrupted over 20,000 cybercrime networks engaged in extortion, phishing, BEC, and online scams, responsible for financial losses of over $40,000,000.

Along with the arrests, the authorities have also taken down hundreds of malicious IP addresses that hosted malware and helped distribute dangerous software.

Specifically, the findings of the investigation by Interpol and its partners, which guided 'Africa Cyber Surge II', include the following:

  • 3,786 malicious command and control servers
  • 14,134 victim IPs linked to data stealer cases
  • 1,415 phishing links and domains
  • 939 scam IPs
  • Over 400 other malicious URLs, IPs, and botnets

Group-IB, one of Interpol's partners in collecting intelligence from cybercrime originating from African regions, today stated that it provided the law enforcement authorities with over a thousand indicators related to malicious infrastructure in the continent.

"The data contained domains, URLs, and server IP addresses used in phishing and malware attacks. INTERPOL member countries in Africa leveraged this information in several takedown operations." - Group-IB

Based on the above, the operation produced the following highlights:

  • Cameroon: 3 suspects arrested for $850,000 online art scam.
  • Nigeria: 1 individual arrested for defrauding a Gambian victim.
  • Mauritius: 2 money mules arrested linked to messaging platform scams.
  • Gambia: 185 malicious IPs taken down through proactive measures and partnerships.
  • Cameroon: 2 darknet sites shut down by authorities.
  • Kenya: 615 malware hosters taken down by authorities.

Interpol has been actively fighting cybercrime in recent months, disrupting multi-million-dollar operations and seizing widely used crime platforms.

Ten days ago, the organization announced the shutdown of the notorious '16shop' phishing-as-a-service (PhaaS) platform and the arrest of its main operator.

In July 2023, Interpol's African branch (Afripol) detained a suspect believed to be a key member of the OPERA1ER cybercrime group, which is responsible for at least 35 attacks between 2018 and 2022, resulting in damages of over $11,000,000.

The first 'Africa Cyber Surge' operation took place in November 2022 and resulted in the arrest of 11 individuals, the takedown of a darknet market that sold hacking tools, and the disruption of 200,000 infrastructure points that aided in the dissemination of malware, phishing, spam, scams, and supported botnet activity.


Unveiling the Hidden Risks of Routing Protocols

Neglecting security of Border Gateway Protocol (BGP) and other routing protocols has created multiple vulnerabilities that must be addressed.


In Other News: US Hacking China, Unfixed PowerShell Gallery Flaws, Free Train Tickets

Weekly cybersecurity news roundup that provides a summary of noteworthy stories that might have slipped under the radar for the week of August 14, 2023.

The post In Other News: US Hacking China, Unfixed PowerShell Gallery Flaws, Free Train Tickets appeared first on SecurityWeek.


Jenkins Patches High-Severity Vulnerabilities in Multiple Plugins

Jenkins has announced patches for high and medium-severity vulnerabilities impacting several of the open source automation tool’s plugins.

The post Jenkins Patches High-Severity Vulnerabilities in Multiple Plugins appeared first on SecurityWeek.


MAR-10459736.r1.v1 WHIRLPOOL Backdoor

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

CISA obtained a variant of the WHIRLPOOL backdoor. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). WHIRLPOOL is a backdoor that establishes a Transport Layer Security (TLS) reverse shell to the Command-and-Control (C2) server. For information about related malware, specifically information on the initial exploit payload and other backdoors, see CISA Alert: CISA Releases Malware Analysis Reports on Barracuda Backdoors.

Download the PDF version of this report: AR23-230A PDF (PDF, 357.86 KB). For a downloadable copy of IOCs associated with this MAR in JSON format, see: AR23-230A JSON (JSON, 8.47 KB).

Submitted Files (1)

0af253e60456b03af49cc675f71d47b2dd9a48f50a927e43b9d8116985c06459 (ssld)

Findings

0af253e60456b03af49cc675f71d47b2dd9a48f50a927e43b9d8116985c06459

Tags: trojan

Details

Name: ssld
Size: 5034648 bytes
Type: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, BuildID[sha1]=9d3200c170c74a79f66e2c885e51519866e636eb, for GNU/Linux 3.2.0, stripped
MD5: 77e1e9bf69b09ed0840534adb8258540
SHA1: deadca9bd85ee5c4e086fd81eee09407b769e9b6
SHA256: 0af253e60456b03af49cc675f71d47b2dd9a48f50a927e43b9d8116985c06459
SHA512: 3ad6bd00c4195c9b1757a9d697196e8beffb343c331509c2eda24bbbd009cc1af552a1900ab04d169a22d273e6359cb2ff149050a7f792b9630108a4af226e2d
ssdeep: 98304:1z2EGoxipg0NPbuqbVxbNgqE+Q+F4YGZLx4BAFm/CyU:LLXYGNFLj
Entropy: 6.385269

Malware Result: unknown

Antivirus

ESET: a variant of Linux/WhirlPool.A trojan

YARA Rules

rule CISA_10452108_02 : WHIRLPOOL backdoor communicates_with_c2 installs_other_components
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10452108"
        Date = "2023-06-20"
        Last_Modified = "20230804_1730"
        Actor = "n/a"
        Family = "WHIRLPOOL"
        Capabilities = "communicates-with-c2 installs-other-components"
        Malware_Type = "backdoor"
        Tool_Type = "unknown"
        Description = "Detects malicious Linux WHIRLPOOL samples"
        SHA256_1 = "83ca636253fd1eb898b244855838e2281f257bbe8ead428b69528fc50b60ae9c"
        SHA256_2 = "8849a3273e0362c45b4928375d196714224ec22cb1d2df5d029bf57349860347"
    strings:
        // "error -1 exit"
        $s0 = { 65 72 72 6f 72 20 2d 31 20 65 78 69 74 }
        // "create socket error: %s(error: %d)"
        $s1 = { 63 72 65 61 74 65 20 73 6f 63 6b 65 74 20 65 72 72 6f 72 3a 20 25 73 28 65 72 72 6f 72 3a 20 25 64 29 }
        // x86-64 mov instructions that write the shell redirection " 2>&1" into a buffer
        $s2 = { c7 00 20 32 3e 26 66 c7 40 04 31 00 }
        // "plain_connect"
        $a3 = { 70 6c 61 69 6e 5f 63 6f 6e 6e 65 63 74 }
        // "connect error: %s(error: %d)"
        $a4 = { 63 6f 6e 6e 65 63 74 20 65 72 72 6f 72 3a 20 25 73 28 65 72 72 6f 72 3a 20 25 64 29 }
        // "ssl_connect"
        $a5 = { 73 73 6c 5f 63 6f 6e 6e 65 63 74 }
    condition:
        // ELF magic (\x7fELF, little-endian) at offset 0 and at least four of the strings
        uint32(0) == 0x464c457f and 4 of them
}

ssdeep Matches

No matches found.

Description

The file 'ssld' is a Linux ELF reverse shell and is a variant of WHIRLPOOL malware used on the Barracuda Email Security Gateway (ESG) device (Figure 1). The file looks for an encoded string with a '.io' extension (Figure 2). The string will be decoded and the data will be passed as the C2, which will include the Internet Protocol (IP) address and port number used to establish a reverse shell.

Screenshots

Figure 1. The reverse shell component of 'ssld'.

Figure 2. The file 'ssld' looking for a string with a '.io' extension.

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications.
  • Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

1-888-282-0870
CISA Service Desk (UNCLASS)
CISA SIPR (SIPRNET)
CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL:

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

  • Web: https://malware.us-cert.gov
  • E-Mail: [email protected]
  • FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

Crossing the Line: Unit 42 Wireshark Quiz for RedLine Stealer

RedLine stealer harvests credentials and other data from a Windows host. Part one of this Wireshark tutorial analyzes RedLine traffic to determine what data was stolen.

The post Crossing the Line: Unit 42 Wireshark Quiz for RedLine Stealer appeared first on Unit 42.


Cybersecurity Snapshot: CIS Guide Outlines How To Attain an Affordable Cyber Hygiene Foundation

The Center for Internet Security unpacks how to establish foundational cyber hygiene at a reasonable cost. Plus, the Cyber Safety Review Board issues urgent security recommendations on its Lapsus$ report – and announces it’ll next delve into cloud security. Moreover, are humans or AI better at crafting phishing emails? Check out what a study found. And much more!

Dive into six things that are top of mind for the week ending August 18.

1 – CIS: Yes, Virginia, you can have solid cyber hygiene without breaking the bank

When tasked with beefing up their cybersecurity foundation, organizations often struggle with basic questions. What steps should we take first? Which products will we need? How much money should we plan to spend?

To help with such a scenario, the Center for Internet Security released a guide this week titled “The Cost of Cyber Defense: CIS Controls Implementation Group 1 (IG1).” The 36-page document outlines how organizations can adopt the CIS’ first tier of safeguards – known as IG1 – contained within the 18 CIS Controls.

Specifically, there are 56 safeguards in IG1, and this new guide organizes these actions into 10 categories: asset management; data management; secure configurations; account and access control management; vulnerability management; log management; malware defense; data recovery; security training; and incident response.


The guide is divided into five sections:

  • Methodology
  • Protections to start with
  • IG1 enterprise profiles
  • Tooling
  • Costs

“The safeguards in IG1 can be implemented for a relatively low cost and are a foundational and achievable set of security actions for even the smallest of enterprises,” the guide reads. “Additionally, enterprises can implement IG1 and defend against a wide array of threats with a relatively small number of tools.”

CIS has two other Implementation Groups – IG2 and IG3 – with more advanced safeguards, but those aren’t discussed in this particular guide.


(Source: Center for Internet Security)

To get more details, check out:

2 – Prompted by Exchange Online breach, CSRB tackles cloud security

The U.S. government will probe the recent Microsoft Exchange Online breach in which hackers backed by the Chinese government swiped emails from U.S. government officials’ inboxes.

The Department of Homeland Security’s Cyber Safety Review Board (CSRB) will carry out the review, which will also focus more broadly on the security of cloud computing environments and their identity and authentication infrastructure.


“Organizations of all kinds are increasingly reliant on cloud computing to deliver services to the American people, which makes it imperative that we understand the vulnerabilities of that technology,” Secretary of Homeland Security Alejandro N. Mayorkas said in a statement.

When completed, the review will offer recommendations aimed at arming cloud computing customers and providers with cybersecurity best practices. Previously, the CSRB has issued reports on the Log4j vulnerabilities and on the Lapsus$ ransomware gang, which we cover in our next item – so read on!

To get more details, check out the DHS announcement, along with coverage from CRN, Reuters, TechCrunch and The Register.

3 – CSRB Lapsus$ report calls for stronger MFA

After a months-long deep dive into Lapsus$, the CSRB has concluded that the notorious ransomware gang used a playbook of well-known, run-of-the-mill techniques that other cyber criminals use and will continue to employ.

“If richly resourced cybersecurity programs were so easily breached by a loosely organized threat actor group, which included several juveniles, how can organizations expect their programs to perform against well-resourced cybercrime syndicates and nation-state actors?” reads the “Review Of The Attacks Associated with Lapsus$ And Related Threat Groups” report.

Given this troubling finding, the 59-page document offers a slate of recommendations for businesses, the government and telecom and tech vendors, including:

  • Voice- and SMS-based multi-factor authentication should be replaced by passwordless methods. Software and device manufacturers, as well as the U.S. government, should actively try to facilitate this transition, and end-user organizations should be willing to adopt these new phishing-resistant options.

Figure: MFA Methods and Common Exploitations (Source: CSRB’s “Review Of The Attacks Associated with Lapsus$ And Related Threat Groups” report, August 2023)

  • Because mobile devices are widely used for authentication, telecom providers should take steps to make their devices more secure through technological, process and oversight measures.
  • End-user organizations should be ready to face cyberattacks through planning and investing in prevention, detection, response and recovery capabilities. They also should incorporate cybersecurity requirements into their contracts with tech providers.

To get more details, read the DHS announcement and the full report.

4 – Study: Expert phishers trounce GPT-4 – for now

Much has been said about how attackers are using generative AI chatbots like ChatGPT to quickly automate the creation of effective and polished phishing emails. Well, a new research study concluded that skilled scammers still outperform the AI robots when it comes to phishing attacks – with one caveat. When advanced manual phishing rules are combined with generative AI, the success rate edges all other methods.

According to the paper “Devising and Detecting Phishing: Large Language Models vs. Smaller Human Models,” the researchers randomly selected 112 people for the study and sent them four types of phishing emails.

These were the results, based on the 77 people who fully participated in the survey:

  • Manually-written generic emails had a click-through rate (CTR) of 19%-28%
  • Emails generated by OpenAI’s GPT-4 had a CTR of 30%-44%
  • Emails written manually using the V-Triad advanced set of rules got a CTR of 69%-79%
  • Emails crafted using both the V-Triad rules and ChatGPT nabbed a CTR of 43%-81%

(Source: “Devising and Detecting Phishing: Large Language Models vs. Smaller Human Models” research paper, August 2023)

The study, authored by Fredrik Heiding, Bruce Schneier, Arun Vishwanath and Jeremy Bernstein, also probed the ability of GPT-4 and three other large language models to detect phishing emails. The result? The LLMs proved to be “surprisingly good” at this task in some cases, besting human detection at times, but overall fell short compared with humans.

For more information about the use of generative AI for phishing creation and detection:

5 – CISA zooms in on securing remote monitoring software

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a roadmap for securing remote monitoring and management (RMM) software, whose exploitation the agency views as “a systemic risk” to all organizations.

Working with CISA’s Joint Cyber Defense Collaborative (JCDC), a group of public- and private-sector collaborators participated in the creation of the “Remote Monitoring and Management Cyber Defense Plan,” which was released this week.


The plan outlines actions to be taken in order to help RMM vendors, managed service providers, SMBs, and critical infrastructure operators make this software more secure and resilient.

It specifically highlights these four areas:

  • Sharing cyberthreat and vulnerability information
  • Creating mechanisms for the RMM community to mature its security efforts long-term
  • Developing and enhancing end-user education and cybersecurity guidance
  • Amplifying security advisories and alerts within the RMM ecosystem

To get more details, check out:

6 – Study: Cloud-native apps go mainstream

To sidestep the challenge of digitally transforming operations using legacy technology, organizations are increasingly adopting a cloud-first strategy, a trend that now finds cloud-native applications and methodologies becoming the new normal.

That’s according to Enterprise Strategy Group’s “Distributed Cloud Series: The Mainstreaming of Cloud-native Apps and Methodologies” report, which surveyed 378 IT, DevOps and application development pros in North America.


“This approach involves prioritizing cloud-based, developer-friendly solutions over traditional on-premises software and infrastructure to increase agility,” reads an ESG infographic about the report.

Of course, this enthusiastic embrace of cloud-native apps and methodologies has major implications for security and compliance teams, which must be in sync with these cloud shifts to properly protect their organizations’ digital assets and data.

Here are some of the findings from the survey, whose respondents evaluate, purchase, build and manage application infrastructure in their organizations:

  • 94% of organizations use two or more cloud infrastructure service providers
  • 64% develop cloud-native apps based on microservices architectures
  • 63% release new code to production every day
  • 91% will bump up tech spending for cloud-native app development in the next 12-18 months

To get more details, check out:

For more information about cloud security, check out these Tenable resources:

  • Video: Tenable Cloud Security Coffee Break Episode 15: Container Security


Stealthy ‘LabRat’ Campaign Abuses TryCloudflare to Hide Infrastructure

The ‘LabRat’ cryptomining and proxyjacking operation relies on signature-based tools and stealthy cross-platform malware, and abuses TryCloudflare to hide its C&Cs.

The post Stealthy ‘LabRat’ Campaign Abuses TryCloudflare to Hide Infrastructure appeared first on SecurityWeek.


The Vulnerability of Zero Trust: Lessons from the Storm 0558 Hack

While IT security managers in companies and public administrations rely on the concept of Zero Trust, APTs (Advanced Persistent Threats) are putting its practical effectiveness to the test. Analysts, on the other hand, understand that Zero Trust can only be achieved with comprehensive insight into one's own network. Just recently, an attack believed to be perpetrated by the Chinese hacker group


14 Suspected Cybercriminals Arrested Across Africa in Coordinated Crackdown

A coordinated law enforcement operation across 25 African countries has led to the arrest of 14 suspected cybercriminals, INTERPOL announced Friday. The exercise, conducted in partnership with AFRIPOL, enabled investigators to identify 20,674 cyber networks that were linked to financial losses of more than $40 million. "The four-month Africa Cyber Surge II operation was launched in April 2023


New Wave of Attack Campaign Targeting Zimbra Email Users for Credential Theft

A new "mass-spreading" social engineering campaign is targeting users of the Zimbra Collaboration email server with an aim to collect their login credentials for use in follow-on operations. The activity, active since April 2023 and still ongoing, targets a wide range of small and medium businesses and governmental entities, most of which are located in Poland, Ecuador, Mexico, Italy, and Russia


Fastly Launches Certainly CA

The company’s moves to expand its TLS and domain name services strengthens the security and trust of its global web infrastructure.


Companies Respond to ‘Downfall’ Intel CPU Vulnerability 

Several major companies have published advisories in response to the Downfall vulnerability affecting Intel CPUs.

The post Companies Respond to ‘Downfall’ Intel CPU Vulnerability appeared first on SecurityWeek.


New BlackCat Ransomware Variant Adopts Advanced Impacket and RemCom Tools

Microsoft on Thursday disclosed that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution. "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the company's


Bots Are Better than Humans at Solving CAPTCHAs

Interesting research: “An Empirical Study & Evaluation of Modern CAPTCHAs”:

Abstract: For nearly two decades, CAPTCHAs have been widely used as a means of protection against bots. Throughout the years, as their use grew, techniques to defeat or bypass CAPTCHAs have continued to improve. Meanwhile, CAPTCHAs have also evolved in terms of sophistication and diversity, becoming increasingly difficult to solve for both bots (machines) and humans. Given this long-standing and still-ongoing arms race, it is critical to investigate how long it takes legitimate users to solve modern CAPTCHAs, and how they are perceived by those users.

In this work, we explore CAPTCHAs in the wild by evaluating users’ solving performance and perceptions of unmodified currently-deployed CAPTCHAs. We obtain this data through manual inspection of popular websites and user studies in which 1,400 participants collectively solved 14,000 CAPTCHAs. Results show significant differences between the most popular types of CAPTCHAs: surprisingly, solving time and user perception are not always correlated. We performed a comparative study to investigate the effect of experimental context, specifically the difference between solving CAPTCHAs directly versus solving them as part of a more natural task, such as account creation. Whilst there were several potential confounding factors, our results show that experimental context could have an impact on this task, and must be taken into account in future CAPTCHA studies. Finally, we investigate CAPTCHA-induced user task abandonment by analyzing participants who start and do not complete the task.

Slashdot thread.

And let’s all rewatch this great ad from 2022.


Israel, US to Invest $4 Million in Critical Infrastructure Security Projects

Israel and US government agencies have announced plans to invest close to $4 million in projects to improve the security of critical infrastructure systems.

The post Israel, US to Invest $4 Million in Critical Infrastructure Security Projects appeared first on SecurityWeek.


Federally Insured Credit Unions Required to Report Cyber Incidents Within 3 Days

The National Credit Union Administration is requiring all federally insured credit unions to report cyber incidents within 72 hours of discovery.

The post Federally Insured Credit Unions Required to Report Cyber Incidents Within 3 Days appeared first on SecurityWeek.


Report: 120,000 computers were infected with information-stealing malware

Recently, Hudson Rock conducted a comprehensive analysis of a series of data breaches across various hacker forums, subsequently publishing an illuminating report on their findings. The investigation revealed that a staggering 120,000 computers were...

The post Report: 120,000 computers were infected with information-stealing malware appeared first on Penetration Testing.


Bronze Starlight targets the Southeast Asian gambling sector

Experts warn of an ongoing campaign attributed to China-linked Bronze Starlight that is targeting the Southeast Asian gambling sector. SentinelOne observed China-linked APT group Bronze Starlight (aka APT10, Emperor Dragonfly or Storm-0401) targeting the gambling sector within Southeast Asia. The malware and infrastructure employed in the campaign are linked to the ones observed in Operation ChattyGoblin attributed by the […]

The post Bronze Starlight targets the Southeast Asian gambling sector appeared first on Security Affairs.
