The War Room


Community for various OSINT news and subject matter for open discussion or dissemination elsewhere

founded 1 year ago

CVE-2023-40477: WinRAR Code Execution Vulnerability

WinRAR is a popular file archiver program that is used by millions of people around the world. It can create and view archives in RAR or ZIP file formats, and unpack numerous archive file...

The post CVE-2023-40477: WinRAR Code Execution Vulnerability appeared first on Penetration Testing.


CVE-2023-20212 & CVE-2023-20197: ClamAV Denial of Service Vulnerabilities

ClamAV is a free and open-source antivirus software used to scan for viruses, trojans, and other malware. However, two vulnerabilities have been found in ClamAV that could allow an attacker to cause a denial...

The post CVE-2023-20212 & CVE-2023-20197: ClamAV Denial of Service Vulnerabilities appeared first on Penetration Testing.


Pirate IPTV Datacenter Defendant is a Flight Risk, Remains in Custody

A 30-year-old Dutchman is suspected of being a key player in a multi-million euro pirate IPTV operation, which served over a million subscribers. The defendant asked to be released pending trial but is considered a flight risk, so the request was denied. Tapped conversations suggest that the man planned to restart the pirate IPTV business and flee to Morocco.

From: TF, for the latest news on copyright battles, piracy and more.


Google Chrome's New Feature Alerts Users About Auto-Removal of Malicious Extensions

Google has announced plans to add a new feature in the upcoming version of its Chrome web browser to alert users when an extension they have installed has been removed from the Chrome Web Store. The feature, set for release alongside Chrome 117, allows users to be notified when an add-on has been unpublished by a developer, taken down for violating Chrome Web Store policy, or marked as malware.


Threat Actors are Interested in Generative AI, but Use Remains Limited

Since at least 2019, Mandiant has tracked threat actor interest in, and use of, AI capabilities to facilitate a variety of malicious activity. Based on our own observations and open source accounts, adoption of AI in intrusion operations remains limited and primarily related to social engineering.

In contrast, information operations actors of diverse motivations and capabilities have increasingly leveraged AI-generated content, particularly imagery and video, in their campaigns, likely due at least in part to the readily apparent applications of such fabrications in disinformation.


Confusion Surrounds SEC's New Cybersecurity Material Rule

Determining what to report, and what details to disclose, is a complex question with elusive answers.


GPT_Vuln-analyzer: create vulnerability reports via ChatGPT API, Python-Nmap, DNS Recon modules

GPT_Vuln-analyzer This is a Proof Of Concept application that demonstrates how AI can be used to generate accurate results for vulnerability analysis and also allows further utilization of the already super useful ChatGPT made...

The post GPT_Vuln-analyzer: create vulnerability reports via ChatGPT API, Python-Nmap, DNS Recon modules appeared first on Penetration Testing.


APT29 is targeting Ministries of Foreign Affairs of NATO-aligned countries

Russia-linked APT29 used the Zulip Chat App in attacks aimed at ministries of foreign affairs of NATO-aligned countries EclecticIQ researchers uncovered an ongoing spear-phishing campaign conducted by Russia-linked threat actors targeting Ministries of Foreign Affairs of NATO-aligned countries. The experts detected two PDF files masqueraded as coming from the German embassy and that contained two […]

The post APT29 is targeting Ministries of Foreign Affairs of NATO-aligned countries appeared first on Security Affairs.


Microsoft: BlackCat's Sphynx ransomware embeds Impacket, RemCom


Microsoft has discovered a new version of the BlackCat ransomware that embeds the Impacket networking framework and the RemCom hacking tool, both of which enable lateral movement across a breached network.

In April, cybersecurity researcher VX-Underground tweeted about a new BlackCat/ALPHV encryptor version called Sphynx.

"We are pleased to inform you that testing of basic features ALPHV/BlackCat 2.0: Sphynx is completed," said the BlackCat operators in a message to their affiliates.

"The code, including encryption, has been completely rewritten from scratch. By default all files are frozen. The main priority of this update was to optimize detection by AV/EDR," further explained the ransomware operations.

Soon after, IBM Security X-Force performed a deep dive into the new BlackCat encryptor, warning that the encryptor evolved into a toolkit.

This was based on strings in the executable indicating that it contained Impacket, which is used for post-exploitation functions such as remote execution and dumping secrets from processes.

Impacket strings found by IBM X-Force (source: IBM)

The BlackCat Sphynx encryptor

In a series of posts today, Microsoft's Threat Intelligence team says it has also analyzed the new Sphynx version and found that it uses the Impacket framework to spread laterally on compromised networks.

"Microsoft has observed a new version of the BlackCat ransomware being used in recent campaigns," posted Microsoft.

"This version includes the open-source communication framework tool Impacket, which threat actors use to facilitate lateral movement in target environments."

Impacket is described as an open-source collection of Python classes for working with network protocols.

However, it is more commonly used as a post-exploitation toolkit by penetration testers, red teamers, and threat actors to spread laterally on a network, dump credentials from processes, perform NTLM relay attacks, and much more.

Impacket has become very popular among threat actors who breach a device on a network and then use the framework to obtain elevated credentials and gain access to other devices.

According to Microsoft, the BlackCat operation is using the Impacket framework for credential dumping and remote service execution to deploy the encryptor across an entire network.

In addition to Impacket, Microsoft says that the encryptor embeds the RemCom hacking tool, a small remote shell that allows the encryptor to execute commands on other devices on the network.

In a private Microsoft 365 Defender Threat Analytics advisory seen by BleepingComputer, Microsoft says it has seen this new encryptor used by the BlackCat affiliate 'Storm-0875' since July 2023.

Microsoft is identifying this new version as BlackCat 3.0, even though, as we previously said, the ransomware operation calls it 'Sphynx' or 'BlackCat/ALPHV 2.0' in communications with affiliates.

Sample of a BlackCat ransom note

An ever-evolving ransomware gang

BlackCat, aka ALPHV, launched its operation in November 2021 and is believed to be a rebrand of the DarkSide/BlackMatter gang, which was responsible for the attack on Colonial Pipeline.

The ransomware gang has always been considered one of the most advanced and top-tier ransomware operations, constantly evolving its operation with new tactics.

For example, as a new extortion tactic last summer, the ransomware gang created a clearweb website dedicated to leaking data for a particular victim, so customers and employees could check if their data was exposed.

More recently, the threat actors created a data leak API, allowing for easier dissemination of stolen data.

With the BlackCat encryptor evolving into a full-fledged post-exploitation toolkit, ransomware affiliates can deploy file encryption across the network more quickly.

As it is vital to detect ransomware attacks as soon as they occur, adding these tools only makes it harder for defenders.


ProjectDiscovery Lands $25M Investment for Cloud Security Tech

San Francisco startup ProjectDiscovery has banked $25 million in early-stage financing as investors continue to bet on cloud security vendors.

The post ProjectDiscovery Lands $25M Investment for Cloud Security Tech appeared first on SecurityWeek.


Sophos: ‘Royal’ Is Trying to Make Itself the King of Ransomware

In this Dark Reading News Desk segment, John Shier, Field CTO Commercial, Sophos, discusses the "Royal" ransomware.


A massive campaign delivered a proxy server application to 400,000 Windows systems

Researchers discovered a massive campaign that delivered a proxy server application to at least 400,000 Windows systems. AT&T Alien Labs researchers uncovered a massive campaign that delivered a proxy server application to at least 400,000 Windows systems. The experts identified a company that is charging for proxy service on traffic that goes through infected machines. The […]

The post A massive campaign delivered a proxy server application to 400,000 Windows systems appeared first on Security Affairs.


Hackers ask $120,000 for access to multi-billion auction house

Hackers claim to have breached the network of a major auction house and offered access to whoever was willing to pay $120,000.

Security researchers found the advertisement on a hacker forum known for providing a market for initial access brokers (IABs) after analyzing a sample of 72 posts.

Expensive network access

Researchers at threat intelligence company Flare pored through three months of IAB offers on the Russian-language hacker forum Exploit to better understand whom the brokers target, their asking prices, and which brokers are the most active.

From May 1st until July 27, brokers advertised access to more than 100 companies across 18 industries including defense, telecommunications, healthcare, and financial services.

Eric Clay, vice president of marketing at Flare, says in a report shared with BleepingComputer that offers against companies in the U.S., Australia, and the U.K. were the most common, which is not surprising given those countries' high gross domestic product (GDP).

Organizations in the finance and retail sectors were the most targeted, followed by construction and manufacturing, Clay notes in the report.

Depending on the company profile and country, prices started at $150 and most of them were for initial access through VPN or RDP. About a third of the listings were under $1,000.

However, the most expensive item for sale was $120,000 (BTC 4 at the time) for access to the network of a multi-billion dollar auction house.

The hackers did not provide too many details but said they had privileged backend access to multiple high-end auctions (i.e. admin panel), like Stradivarius violins or collectible cars.

“While most access is low to medium value, occasionally extremely unique or high-value access is auctioned that can cause extreme pricing variation compared to our average” - Flare

Many of the other expensive offers were for initial access to companies in the U.S. and the U.K., and to critical infrastructure organizations in sectors such as healthcare, financial services, and manufacturing.

Access privilege and geography

Most of the posts mentioned the geography of the victim, and researchers were able to create a map showing 35 allegedly hacked entities outside the U.S.

Victim distribution based on initial access brokers' posts (source: Flare.io)

IABs on Exploit forum still avoid targets in Russia and countries in the Commonwealth of Independent States (CIS) but a surprise is the small number in China, which has the second-highest GDP in the world.

Clay told BleepingComputer that while IABs typically avoid targeting China, there was one listing for network access to a Chinese artificial intelligence company.

The most frequent type of access seen in the posts was through RDP (seen in 32 posts) or VPN (seen in 11 posts), which together accounted for 60% of the listings in the data set.

The level of privileges associated with the access accounts ranged from cloud administrator (14 cases) to local admin (5 cases) and domain user (2 cases).

As a side note, Clay told BleepingComputer that one broker offered “privileged access to a U.S. radio station,” which hackers said could be used to “run ads.”

Some IABs advertised access to backup and recovery systems along with access to the corporate IT network, which could serve ransomware operations.

Typically, access to corporate networks comes from info-stealing malware but some actors clearly stated that they used a different method, likely some other type of malware, phishing, or exploiting a vulnerability.

“Stealer logs are an overlooked primary vector of access for initial access brokers; it's a surprisingly simple type of infection that is almost certain to be one of the major ways that IABs and ransomware groups are getting access to corporate IT environments" - Mathieu Lavoie, Chief Technology Officer at Flare

Regardless of the method initial access brokers used to obtain access to a network, companies should at least implement monitoring mechanisms for info-stealing malware, a regular source of corporate credentials.

Monitoring forums where initial access brokers advertise their offers may also help organizations get a clue about possible compromise even if the name of the victim is anonymized.

Combining data points such as geography, revenue, industry, and the type of access provides enough hints to start an investigation into a potential breach.

This process can also come with positive side effects, such as uncovering areas that need stronger security or identifying devices, services, and accounts that could pose a risk.


Microsoft PowerShell Gallery vulnerable to spoofing, supply chain attacks

Lax policies for package naming on Microsoft’s PowerShell Gallery code repository allow threat actors to perform typosquatting attacks, spoof popular packages and potentially lay the ground for massive supply chain attacks.

PowerShell Gallery is a Microsoft-run online repository of packages uploaded by the wider PowerShell community, hosting a large number of scripts and cmdlet modules for various purposes.

It is a very popular code hosting platform, and some packages on it count tens of millions of monthly downloads.

Aqua Nautilus discovered the problems in the repository’s policies in September 2022, and even though Microsoft has acknowledged receipt of the corresponding bug reports and PoC exploits, it has not taken action to remediate the flaws.

Easy spoofing

AquaSec's Nautilus team discovered that users can submit packages to the PS Gallery whose names closely resemble those of existing packages, a practice known as 'typosquatting' when cybercriminals use it for malicious purposes.

A proof-of-concept (PoC) example in the report refers to the popular “AzTable” module, which has a download count of 10 million and could easily be impersonated by a package with a name like 'Az.Table', making it difficult for users to distinguish between the two.

Another problem the researchers discovered is the ability to spoof module details, including Author and Copyright, by copying them from legitimate projects.

Not only would this make the first issue of package typosquatting even more dangerous, but it can also be abused to make arbitrary packages appear as the work of trustworthy publishers.

Furthermore, PS Gallery hides by default the more reliable ‘Owner’ field under ‘Package Details’, which shows the publisher account that uploaded the package.

Spoofed package (left) and real module (right) (source: AquaSec)

Exposing hidden packages

A third flaw discovered by AquaSec concerns the ability to expose unlisted packages/modules on the platform, which are normally not indexed by the Gallery’s search engine.

To the researchers' surprise, they found on the platform an XML file that provided comprehensive details about both listed and unlisted packages.

“By utilizing the API link located at the bottom of the XML response [...], an attacker can gain unrestricted access to the complete PowerShell package database, including associated versions.” explains AquaSec's Nautilus team.

“This uncontrolled access provides malicious actors with the ability to search for potentially sensitive information within unlisted packages.”

API key of a big tech firm exposed on an unlisted project (source: AquaSec)

Disclosure and mitigation

AquaSec reported all flaws to Microsoft on September 27, 2022, and was still able to reproduce them on December 26, 2022, despite Microsoft stating in early November that the issues had been fixed.

On January 15, 2023, Microsoft stated that a short-term solution was implemented until its engineers developed a fix for the name typosquatting and package details spoofing.

AquaSec says that on August 16 it confirmed the flaws still persisted, indicating that a fix has not been implemented.

Users of the PS Gallery repository are advised to adopt policies that allow execution of only signed scripts, utilize trusted private repositories, regularly scan for sensitive data in module source code, and implement real-time monitoring systems in cloud environments to detect suspicious activity.
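The following PowerShell preflight is an added example of putting the first three of those recommendations into practice before a module reaches a machine; it is not code from the article, from AquaSec's report, or from Microsoft. The repository name and URL, the allowlist of known module names, the pinned version, and the helper function names are assumptions. It requires PowerShell 5 or later and the PowerShellGet cmdlets.

```powershell
# Added example (not from the article, AquaSec or Microsoft): a defender-side
# preflight for installing a PowerShell module. Repository name/URL, the
# allowlist, the version and the requested module are constructed placeholders.

# 1. Only run signed scripts, machine-wide.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 2. Prefer a curated private feed over the public Gallery.
$RepoName = 'CorpInternal'                                        # placeholder
$RepoUrl  = 'https://packages.example.internal/nuget/psmodules'   # placeholder
if (-not (Get-PSRepository -Name $RepoName -ErrorAction SilentlyContinue)) {
    Register-PSRepository -Name $RepoName -SourceLocation $RepoUrl -InstallationPolicy Trusted
}

# 3. Modules you already depend on; a constructed allowlist for illustration.
$KnownModules = @('AzTable', 'Az.Accounts', 'PSReadLine', 'Pester')

function Get-EditDistance {
    # Levenshtein distance, used to spot one- or two-character typos in a name.
    param([string]$A, [string]$B)
    $d = [int[,]]::new($A.Length + 1, $B.Length + 1)
    for ($i = 0; $i -le $A.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $B.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $A.Length; $i++) {
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$A.Length, $B.Length]
}

function Test-LookalikeName {
    # Returns the allowlisted name that $Name resembles, or $null when $Name is
    # an exact match or clearly unrelated.
    param([string]$Name)
    if ($KnownModules -contains $Name) { return $null }
    $stripped = ($Name -replace '[^A-Za-z0-9]', '').ToLower()
    foreach ($known in $KnownModules) {
        # 'Az.Table' vs 'AzTable' differ only in punctuation; catch that first.
        if ($stripped -eq (($known -replace '[^A-Za-z0-9]', '').ToLower())) { return $known }
        if ((Get-EditDistance $Name $known) -le 2) { return $known }
    }
    return $null
}

function Test-ModuleSignatures {
    # Stage the module without installing it and require a valid Authenticode
    # signature on every script file. The signer certificate subject is what a
    # reviewer should compare, since the free-text Author/Copyright fields can
    # be copied from a legitimate project.
    param([string]$Name, [string]$RequiredVersion, [string]$Repository = $RepoName)
    $stage = Join-Path $env:TEMP ('psmod-' + [guid]::NewGuid())
    Save-Module -Name $Name -RequiredVersion $RequiredVersion -Repository $Repository -Path $stage
    $files = Get-ChildItem -Path $stage -Recurse -Include *.ps1, *.psm1, *.psd1
    $sigs  = $files | Get-AuthenticodeSignature
    $bad   = $sigs | Where-Object { $_.Status -ne 'Valid' }
    if ($bad) {
        $bad | ForEach-Object { Write-Warning "$($_.Status): $($_.Path)" }
        return $false
    }
    $sigs | ForEach-Object { $_.SignerCertificate.Subject } | Sort-Object -Unique |
        ForEach-Object { Write-Host "Signed by: $_" }
    return $true
}

# Usage: the requested name is the report's typosquat example, so the
# lookalike check fires and nothing is installed.
$Requested = 'Az.Table'
$Version   = '1.0.0'   # placeholder; pin the version you actually reviewed
$lookalike = Test-LookalikeName -Name $Requested
if ($lookalike) {
    Write-Warning "'$Requested' resembles '$lookalike'; confirm the publisher before installing."
} elseif (Test-ModuleSignatures -Name $Requested -RequiredVersion $Version) {
    Install-Module -Name $Requested -RequiredVersion $Version -Repository $RepoName
}
```

The name check deliberately compares against a list you maintain rather than against the Gallery's own metadata, because the article shows that Author and Copyright on the Gallery can be copied from a legitimate project; the signing certificate subject is the field that a spoofer cannot reproduce without the publisher's key.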

BleepingComputer has contacted Microsoft with a request for a comment on AquaSec’s findings, and we will update this post as soon as we hear back.


Karma Catches Up to Global Phishing Service 16Shop

You've probably never heard of "16Shop," but there's a good chance someone using it has tried to phish you. Last week, the international police organization INTERPOL said it had shuttered the notorious 16Shop, a popular phishing-as-a-service platform launched in 2017 that made it simple for even complete novices to conduct complex and convincing phishing scams. INTERPOL said authorities in Indonesia arrested the 21-year-old proprietor and one of his alleged facilitators, and that a third suspect was apprehended in Japan.


KL-001-2023-003: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification via sudoedit

Posted by KoreLogic Disclosures via Fulldisclosure on Aug 17

KL-001-2023-003: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification via sudoedit

Title: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification via sudoedit
Advisory ID: KL-001-2023-003
Publication Date: 2023.08.17
Publication URL:

1. Vulnerability Details

Affected Vendor: ThousandEyes
Affected Product:...


KL-001-2023-002: Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation via tcpdump

Posted by KoreLogic Disclosures via Fulldisclosure on Aug 17

KL-001-2023-002: Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation via tcpdump

Title: Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation via tcpdump
Advisory ID: KL-001-2023-002
Publication Date: 2023.08.17
Publication URL:

1. Vulnerability Details

Affected Vendor: ThousandEyes
Affected Product: ThousandEyes...


KL-001-2023-001: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Read via sudo dig

Posted by KoreLogic Disclosures via Fulldisclosure on Aug 17

KL-001-2023-001: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Read via sudo dig

Title: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Read via sudo dig
Advisory ID: KL-001-2023-001
Publication Date: 2023.08.17
Publication URL:

1. Vulnerability Details

Affected Vendor: ThousandEyes
Affected Product: ThousandEyes...


White House Orders Federal Agencies to Bolster Cyber Safeguards

A Biden administration adviser puts federal departments and agencies on notice to come into full compliance with presidential guidelines by the end of the year.


Alarming lack of cybersecurity practices on world’s most popular websites

The world’s most popular websites lack basic cybersecurity hygiene, an investigation by Cybernews shows. Do you happen to love exploring DIY ideas on Pinterest? Scrolling through IMDB to pick the next movie to watch? Or simply scrolling through Facebook to see what your friends and enemies have been up to? The Cybernews research team has […]

The post Alarming lack of cybersecurity practices on world’s most popular websites appeared first on Security Affairs.


5 Types of Cyber Crime Groups

Discover the five main types of cyber crime groups: access as a service, ransomware as a service, bulletproof hosting, crowd sourcing, and phishing as a service as well as tips to strengthen your defense strategy.


File-Hosting Icon AnonFiles Throws in the Towel, Domain For Sale

The popular file-hosting site AnonFiles.com has thrown in the towel. The site's operators cite massive abuse by uploaders as the reason for the shutdown. AnonFiles tried to limit the problems through automated upload filters and filename restrictions, but nothing helped. While the current team says its work is over, others are invited to buy the domain name and give it a shot themselves.

From: TF, for the latest news on copyright battles, piracy and more.
