GeistHaus

https://securityinaction.wordpress.com/feed

10 posts

Posts

Advice on migrating to Post Quantum Cryptography
Tags: Privacy Advice, Security Advice, Corporate Security, Post Quantum Encryption, Quantum computing

====================

TL; DR

With the recent publication of post quantum cryptography (PQC) algorithms from NIST, organisations of all sizes should begin the transition to PQC. Please refer to this PQC readiness publication from CISA as a starting point.

====================

To assist with the transition to PQC, I have provided advice below for government agencies and for non-governmental organisations, with a focus on the latter. A short frequently asked questions (FAQ) section and further references are also consolidated below:

====================

For government/federal agencies

Please refer to the relevant heading within this page.

====================

For non-government/private sector organisations

While an immediate cut-over is not required (although starting now is recommended), migration to post-quantum cryptography should appear on your organisation’s strategic roadmap. Cryptographically relevant quantum computers are commonly expected within the next five to ten years. For further guidance, please refer to the Quantum-Readiness PDF co-authored by CISA, the NSA and NIST (linked in the references below). This document will help you prepare your migration from current public-key algorithms to post-quantum ones.

For data that organisations hold encrypted at rest, if a copy were exfiltrated by a threat actor today, its protection could be broken in the future once quantum computers are capable (the “harvest now, decrypt later” scenario). The exposure lies in the public-key algorithms used to negotiate or wrap the encryption keys: a symmetric cipher such as AES-256 is not broken by Shor’s algorithm, so data whose keys were never exchanged or wrapped with RSA or elliptic-curve algorithms is far less at risk. Should current data still be valuable when that future arrives, organisations will need to assess how to migrate such valuable data to post-quantum protection.

The transition to PQC in more detail

As mentioned above, cryptographically relevant quantum computers are expected within the next 5 to 10 years. While the high-level steps are covered in CISA’s Quantum-Readiness paper, I wish to provide more detailed advice below:

The overall goal of this preparation is for cyber security teams to manage the transition to post-quantum cryptography for data in transit and data at rest, including data that leaves your network edge for content delivery networks (CDNs) and other third parties. The scale of this task is large, and careful planning for a multi-year transition phase is required.

Creating an inventory of your data

Suggested first steps are to carry out an automated inventory of your assets (my thanks to Dark Reading for this suggestion) with the goal of creating a cryptography bill of materials (CBOM). The inventory should record the algorithms and protocols in use for critical security controls, data protection, digital signatures and authentication. Other areas to cover are your public key infrastructure, hardware security modules (HSMs), TLS certificates and any hardware keys in use by your employees.

Prioritise your most important data

With the inventory complete, prioritise your highest-value data for migration to post-quantum cryptography first, then move to the next priority group within your existing data and so on. If you find legacy algorithms such as Triple DES, GOST89 (GOST 28147-89) or Blowfish, or data protected in transit by SSLv2, SSLv3, TLS 1.0 or TLS 1.1, move them higher in your priority list so that they are remediated sooner: these are already weak for classical reasons and should be replaced regardless of quantum timelines. The PQC standards to implement are FIPS 203 (ML-KEM, a key-encapsulation mechanism that replaces RSA and (EC)DH key exchange), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA), the latter two being digital signature schemes.
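As an added example (not from the original post or from any of the referenced publications), the following script turns inventory records into a prioritised migration list. Each algorithm name is classified as legacy-weak, quantum-vulnerable, PQC-ready or symmetric, and assets holding quantum-vulnerable cryptography are ranked with Mosca’s inequality: if the data’s shelf life (x) plus the time to migrate the asset (y) exceeds the years until a cryptographically relevant quantum computer (z), the data is already exposed to harvest-now-decrypt-later. The asset records, the scoring weights and the z = 10 year horizon are constructed assumptions for illustration.

```python
"""Added example: a small cryptography bill of materials (CBOM) triage that
classifies inventoried algorithms and ranks assets using Mosca's inequality
(x + y > z). All asset records and the z = 10 year horizon are constructed."""
from dataclasses import dataclass

# Public-key algorithms broken by Shor's algorithm on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "X25519", "ED25519"}
# Already weak or deprecated for classical reasons: fix regardless of quantum timelines.
LEGACY_WEAK = {"3DES", "TRIPLE-DES", "GOST89", "BLOWFISH", "RC4", "MD5", "SHA1",
               "SSLV2", "SSLV3", "TLS1.0", "TLS1.1"}
# FIPS 203 / 204 / 205 parameter sets plus the hybrid TLS group deployed by browsers and CDNs.
PQC_READY = {"ML-KEM-512", "ML-KEM-768", "ML-KEM-1024",
             "ML-DSA-44", "ML-DSA-65", "ML-DSA-87",
             "SLH-DSA", "X25519MLKEM768"}


@dataclass
class Asset:
    name: str
    algorithms: list          # algorithm / protocol names exactly as inventoried
    shelf_life_years: int     # x: how long the protected data must stay confidential
    migration_years: int      # y: how long replacing the cryptography in this asset will take


def classify(algorithm: str) -> str:
    a = algorithm.upper()
    if a in PQC_READY:
        return "pqc-ready"
    if a in LEGACY_WEAK:
        return "legacy-weak"
    if a in QUANTUM_VULNERABLE:
        return "quantum-vulnerable"
    return "symmetric-or-hash"   # AES, SHA-2/3 and unknowns: key-size review only, no Shor exposure


def mosca_at_risk(asset: Asset, crqc_years: int) -> bool:
    """Mosca's inequality: x + y > z means the data outlives the cryptography protecting it."""
    return asset.shelf_life_years + asset.migration_years > crqc_years


def score(asset: Asset, crqc_years: int = 10):
    """Return (points, reasons); higher points means migrate sooner. Weights are assumptions.
    Signature-only uses have no harvest-now exposure; this toy treats all public-key use alike."""
    classes = {classify(a) for a in asset.algorithms}
    points, reasons = 0, []
    if "legacy-weak" in classes:
        points += 100
        reasons.append("legacy algorithm or protocol present: remediate now")
    if "quantum-vulnerable" in classes:
        if mosca_at_risk(asset, crqc_years):
            excess = asset.shelf_life_years + asset.migration_years - crqc_years
            points += 50 + 5 * excess
            reasons.append(f"Mosca: x+y exceeds z by {excess} year(s); harvest-now-decrypt-later exposure")
        else:
            points += 20
            reasons.append("quantum-vulnerable but inside the Mosca window: schedule on the roadmap")
    return points, reasons


def triage(assets, crqc_years: int = 10):
    """Rank assets for migration, highest score first (ties keep inventory order)."""
    scored = [(a.name, *score(a, crqc_years)) for a in assets]
    return sorted(scored, key=lambda row: row[1], reverse=True)


SAMPLE_INVENTORY = [   # constructed sample data, not a real inventory
    Asset("payroll-archive", ["AES-256-GCM", "RSA"], shelf_life_years=15, migration_years=3),
    Asset("partner-sftp",    ["RSA", "TLS1.1", "3DES"], shelf_life_years=2, migration_years=1),
    Asset("cdn-edge-tls",    ["X25519MLKEM768", "ECDSA"], shelf_life_years=1, migration_years=1),
    Asset("internal-wiki",   ["ECDHE", "AES-128-GCM"], shelf_life_years=1, migration_years=2),
]

if __name__ == "__main__":
    for name, points, reasons in triage(SAMPLE_INVENTORY):
        print(f"{points:4d}  {name:16s} {'; '.join(reasons)}")
```

The legacy SFTP endpoint ranks first even though its data is short-lived, because TLS 1.1 and 3DES are a present-day weakness; the long-retention payroll archive ranks next because 15 + 3 years comfortably exceeds the assumed 10-year horizon.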

Refine your roadmap

Use the inventory results to refine the strategic roadmap mentioned above, defining each step of your planned implementation with dates. The steps should include the “how” and “when” of each technology or system being migrated. Also consider the seven questions from the Post-Quantum Cryptography (PQC) roadmap provided by the DHS (please see the section Roadmap -> Part 6).

Seek to centralise and prevent duplication of effort

For this migration, it is suggested that multiple teams will be involved within your organisation e.g. the IT team, Cyber Security, Legal, HR, Data Protection (including the DPO where relevant for oversight) and your third-party vendors who manage your data.

Remember to seek support from your leadership team so that they can champion and support your efforts to ease the migration. Working across teams in this manner will not only seek to centralise your efforts but also to minimise duplication of effort. With the transition in progress, consider participating in pilot programs (of the new algorithms), collaborating with your third-party vendors and engaging in ongoing research to stay informed about the latest developments in PQC.

====================

Conclusion

With the correct approach, when your transition to PQC is complete you will have the benefit of your organisation being in a far better position to defend itself in the impending reality of a quantum computing world.

Thank you.

====================

FAQ

====================

Which PQC algorithms were published by NIST?

A summary of the three algorithms made available is available from this BleepingComputer post.

What existing encryption algorithms are most at risk of compromise by quantum computing?

Rivest–Shamir–Adleman (RSA), whose security rests on the difficulty of factoring large integers, together with Elliptic Curve Cryptography (ECC) and finite-field Diffie-Hellman/DSA, which rest on discrete logarithm problems, are the algorithms most at risk. Shor’s algorithm solves both problems in polynomial time on a sufficiently large quantum computer, whereas the best classical attacks need sub-exponential (factoring) or exponential (elliptic-curve discrete logarithm) time. Symmetric ciphers and hash functions are far less affected: Grover’s algorithm at most halves their effective security level, so AES-256 and SHA-384 remain adequate.

What areas of my organisation will need to adapt to PQC?

Software, hardware (e.g. HSMs and smart cards) and your operational procedures will all need to adapt to the changes PQC introduces in order to maintain effectiveness. PQC keys, ciphertexts and signatures are considerably larger than their classical counterparts (an ML-KEM-768 public key is 1,184 bytes and an ML-DSA-65 signature 3,309 bytes, against 32 bytes for an X25519 key and about 64 bytes for an ECDSA P-256 signature), which affects HSM firmware, certificate sizes, protocol message limits and storage formats. In the area of procedures, quantum-resistant private keys still need the same protection against theft and classical brute force as today’s keys. Your public key infrastructure (PKI) will also need updating to accommodate the secure generation, certification and distribution of PQC keys.

What impact does PQC have on the encryption of data in transit secured using TLS?

In TLS 1.2 the session key is established with RSA key transport or (EC)DHE, and in TLS 1.3 with (EC)DHE only; the bulk data is then encrypted with a symmetric cipher such as AES-GCM. FIPS 203 replaces the RSA or ECDH step with the Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM), a lattice-based approach resistant to quantum attack; in current deployments it is combined with X25519 in a hybrid group (X25519MLKEM768) so that the session is no weaker than classical TLS if one component fails. Because the shared secret can no longer be recovered by breaking RSA or ECDH, the symmetric keys derived from it stay secret, and traffic recorded today cannot be decrypted later by a threat actor equipped with a quantum computer. Note that certificates still carry RSA or ECDSA signatures: these need to migrate to FIPS 204/205 algorithms eventually, but a forged signature only helps an attacker at connection time, so the key exchange is the urgent part.
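To make the key-exchange point concrete, here is an added example (not from the original post) that constructs a minimal TLS 1.3 ClientHello and parses its supported_groups extension to report whether a post-quantum hybrid group is offered. The group code points are the IETF X25519MLKEM768 value 0x11EC, the earlier Chrome/Cloudflare X25519Kyber768Draft00 value 0x6399, and the classical x25519 (0x001D) and secp256r1 (0x0017). The ClientHello bytes are constructed by the builder below; in practice a passive sensor would feed captured handshake records to the parser to measure how much of your traffic already negotiates PQ key exchange.

```python
"""Added example: build a minimal TLS 1.3 ClientHello and check whether it offers a
post-quantum hybrid key-exchange group. Group code points: X25519MLKEM768 = 0x11EC,
X25519Kyber768Draft00 = 0x6399, x25519 = 0x001D, secp256r1 = 0x0017.
The ClientHello bytes are constructed here, not captured traffic."""
import struct

EXT_SUPPORTED_GROUPS = 0x000A
GROUP_NAMES = {0x0017: "secp256r1", 0x001D: "x25519",
               0x11EC: "X25519MLKEM768", 0x6399: "X25519Kyber768Draft00"}
PQ_HYBRID_GROUPS = {0x11EC, 0x6399}


def build_client_hello(groups):
    """Construct a TLS record carrying a ClientHello with one supported_groups extension."""
    group_list = b"".join(struct.pack("!H", g) for g in groups)
    ext_body = struct.pack("!H", len(group_list)) + group_list
    extensions = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(ext_body)) + ext_body
    body = (b"\x03\x03"                                  # legacy_version = TLS 1.2
            + bytes(32)                                  # random (zeros: constructed sample)
            + b"\x00"                                    # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"         # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                # legacy_compression_methods: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def parse_supported_groups(record: bytes):
    """Walk record -> handshake -> ClientHello -> extensions and return the offered group ids."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # legacy_version + random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # legacy_compression_methods
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SUPPORTED_GROUPS:
            (list_len,) = struct.unpack("!H", data[:2])
            return [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, list_len, 2)]
    return []


def offers_pq_hybrid(record: bytes) -> bool:
    return any(g in PQ_HYBRID_GROUPS for g in parse_supported_groups(record))


def describe(record: bytes) -> str:
    names = [GROUP_NAMES.get(g, f"0x{g:04x}") for g in parse_supported_groups(record)]
    verdict = "post-quantum hybrid offered" if offers_pq_hybrid(record) else "classical only"
    return f"{verdict}: {', '.join(names)}"


if __name__ == "__main__":
    print(describe(build_client_hello([0x11EC, 0x001D, 0x0017])))
    print(describe(build_client_hello([0x001D, 0x0017])))
```

Offering the group is only half the story: the server must select it in its key_share for the session to be post-quantum, so a full audit also inspects the ServerHello.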

Is PQC already in use within everyday systems?

Yes. Google Chrome and Akamai already negotiate post-quantum (hybrid) key exchange for TLS. OpenSSH enabled post-quantum key exchange by default in OpenSSH 9.0 (April 2022), combining Streamlined NTRU Prime with X25519 (sntrup761x25519); NTRU Prime was an alternate candidate in NIST’s third round rather than one of the algorithms eventually standardised. Signal uses PQXDH and Apple iMessage uses PQ3 (as of early 2024).

====================

References

====================

Quantum-Readiness: Migration to Post-Quantum Cryptography

CSI-QUANTUM-READINESS.PDF (joint CISA, NSA and NIST factsheet)

Post-Quantum Cryptography

https://www.dhs.gov/quantum

NIST Hands Off Post-Quantum Cryptography Work to Cyber Teams

https://www.darkreading.com/cyber-risk/nist-post-quantum-cryptography-work-cyber-teams

NIST Releases Three Post-Quantum Cryptography Standards

https://www.hklaw.com/en/insights/publications/2024/08/nist-releases-three-post-quantum-cryptography-standards

Future-Proofing Security: An In-Depth Examination of NIST’s Quantum-Resistant FIPS Standards and its Impact on Industry

https://www.linkedin.com/pulse/future-proofing-security-in-depth-examination-nists-fips-kumar–k9wbc

5 Common Encryption Algorithms and the Unbreakables of the Future

https://www.arcserve.com/blog/5-common-encryption-algorithms-and-unbreakables-future

Top Takeaways from NIST’s Fifth PQC Standardization Conference

https://www.keyfactor.com/blog/top-takeaways-from-nists-fifth-pqc-standardization-conference/

Unpacking News From NIST: Three New Algorithms are Expected in 2024

https://www.keyfactor.com/blog/unpacking-news-from-nist-three-new-algorithms-are-expected-in-2024/

Get Ready for the Year of Quantum-Ready PKI Solutions

https://www.keyfactor.com/blog/get-ready-for-the-year-of-quantum-ready-pki-solutions/

Keyfactor Community

https://www.youtube.com/@KeyfactorCommunity/videos

NIST Releases Quantum-safe Cryptography Standards: What Happens Now?

https://www.digicert.com/blog/nist-pqc-standards-are-here

The NIST standards for quantum-safe cryptography

https://www.digicert.com/blog/nist-standards-for-quantum-safe-cryptography

Why Q-Day is closer than you think

https://www.digicert.com/blog/why-q-day-is-closer-than-you-think

====================

jcsec9365
http://securityinaction.wordpress.com/?p=2992
Threat Actors Seek to Avoid Detection Using Reputation Control Bypasses
Tags: Malware, Security Advice, Security Vulnerabilities, Corporate Security, mark of the web, MotW, Windows Defender Smartscreen, Windows Smart App Control

====================

TL; DR

While Microsoft in recent months and in 2023 has resolved security bypasses associated with Microsoft Windows Smart App Control, a more recent bypass “may be fixed” in a future Windows Update (more details below). Reputation based security controls should not be relied upon in isolation.

Update: September 2024: As of 10th September 2024, Microsoft resolved this vulnerability with this security update. As above, even with the update applied, reputation-based security controls should not be relied upon in isolation.

====================

Threat actors are continuously seeking new means for their malware not to be detected. If successful, malware such as trojans and information stealers can be deployed. One means of bypassing detection is to evade reputation-based controls such as Microsoft Windows Smart App Control and Microsoft Windows Defender SmartScreen.

What is Smart App Control?

Smart App Control is a security feature of Windows 11 that complements the protections offered by Windows Defender. It is a reputation-based protection mechanism designed to have a low rate of false positives.

Smart App Control’s goal is to add a further layer of defence against malware and unwanted applications by checking with Microsoft’s cloud security service whether the application has been seen before and can be trusted. If it is believed to be safe, it is allowed to run; if there are indications it is unwanted or malicious, it is blocked.

If for any reason the cloud service is unavailable, the digital signature of the application is checked. If the signature is valid the application is permitted to run. If the signature is invalid or not present, the application will be blocked.

What is SmartScreen?

Microsoft Windows Defender SmartScreen, introduced in Windows 8, is the predecessor of Smart App Control. It performs reputation checks against any file or application downloaded from the internet, using the Mark of the Web (MotW) as the indicator that a file came from the internet.

Can Smart App Control be bypassed?

Yes, there are several known means of bypassing Smart App Control, which fall into the following categories:

  • Reputation Hijacking
  • Reputation Seeding
  • Reputation Tampering
  • Signed Malware
  • LNK Stomping

LNK stomping is a recently documented technique but is known to have been in use since 2018. It crafts a shortcut whose target path is non-standard (for example with a trailing dot or space, or a relative path); when the user opens it, Explorer rewrites the shortcut in canonical form and in doing so removes the Mark of the Web before the reputation check runs. Elastic Security Labs recently disclosed this Smart App Control bypass to Microsoft, who stated that this class of bypass may be fixed in a future Windows update.

How have reputation-based controls been bypassed recently and in the past?

In June 2024, Microsoft resolved the vulnerability designated CVE-2024-38213. It had been used in March 2024 by the operators of the DarkGate malware group to deploy malware disguised as Apple iTunes and Nvidia software (among others).

Other examples of bypasses are listed below:

  • April 2024: CVE-2024-29988, a SmartScreen bypass of the patch for CVE-2024-21412, used by the Water Hydra hacking group
  • February 2024: CVE-2024-21412, used by the Water Hydra group to deliver the DarkMe remote access trojan (RAT) and, in a campaign reported in March 2024, again by the DarkGate malware group
  • November 2023: CVE-2023-36025, used to deploy Phemedrone malware

What is Gatekeeper?

Similar to Smart App Control, Gatekeeper for Apple macOS checks applications downloaded from the internet to confirm they are signed by an identified developer and notarized by Apple. Downloaded files are marked with the extended attribute com.apple.quarantine (similar to the Mark of the Web mentioned above), which is what triggers these checks.

Recommendations

For security teams within organisations, controls such as Windows Smart App Control and Windows Defender SmartScreen can be bypassed and should not be relied upon alone. Defenders should be able to detect malware persistence, fileless (in-memory only) malware, suspicious use of credentials and lateral movement by threat actors, all of which an EDR/XDR solution can surface. In addition, the legitimacy of downloaded files should be checked by other means, e.g. anti-malware scanning.

Thank you.

Acknowledgements: My thanks to Microsoft, Bleeping Computer and Trend Micro for the references linked to within this post.

Image Credit: https://unsplash.com/@tylergm

jcsec9365
http://securityinaction.wordpress.com/?p=2977
Academics discover new vulnerability in Wi-Fi standard
Tags: Security Advice, Security Vulnerabilities, Corporate Security, cybersecurity, security, SSID, technology, Wi-Fi, WiFi, WLAN

====================

TL; DR

If you use both 2.4 GHz and 5 GHz networks within your organisation or your home, consider having different credentials to access them.

====================

Academic researchers from Belgium’s KU Leuven have discovered a design flaw in the Wi-Fi standard which allows the SSID (Service Set Identifier, the name of the network you connect to) to be spoofed, so that an exploited client connects to a network it would not otherwise have joined.

How could this vulnerability be exploited?

If a corporate or home network has both 2.4 GHz and 5 GHz networks authenticated with the same credentials, a threat actor can set up a rogue access point broadcasting the SSID of the trusted 5 GHz network and, acting as a man in the middle, relay the victim’s connection to the less protected 2.4 GHz network (or to the attacker’s own network). Some VPN clients automatically disconnect when they see a “trusted” network name, so the victim then loses VPN protection while actually connected through the threat actor-controlled access point.

The flaw affects many Wi-Fi clients, including those secured using WPA3* and the obsolete WEP, and enterprise (802.1X/EAP) networks, whereas WPA1 and WPA2 home (personal) networks are not vulnerable because the SSID is an input to their pairwise master key derivation. The 802.11 (Wi-Fi) standard does not require an SSID to be authenticated when a client connects, and does not mandate that the SSID be included in the key derivation, which provides the opportunity for spoofing.

How can I protect my organisation or myself from this vulnerability?

The VPN review website Top10VPN offers suggested mitigations for this form of attack. At this time only one of them is practical: make certain that each SSID (for example your 2.4 GHz and 5 GHz networks) uses its own distinct credentials rather than sharing them.

One of the remaining mitigations listed below may become available in the future if the 802.11 standard is updated to include it, while the other is already present in the still-emerging Wi-Fi 7 standard:

·         Addition of mandatory SSID authentication

·         Detection of SSID name changes by enhanced protection of periodic beacons transmitted by Wi-Fi access points (available in Wi-Fi version 7 using symmetric key authentication).

End of Life Wi-Fi Access Points

On a related topic, if your Wi-Fi access point has been in use for several years, please make certain to check it is still receiving firmware updates from its manufacturer. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) notes that vulnerabilities in now discontinued access points e.g. D-Link DIR-600 are being exploited by threat actors.

====================

*For WPA3, only the SAE “hunting and pecking” (looping) password-element derivation is vulnerable; the constant-time hash-to-element (SAE-PT) method includes the SSID in the derivation and is not.

====================

Thank you.

Image Credit: https://unsplash.com/@jado_tornado

====================

Aside

====================

Apologies for my absence from this blog for an extended period. I appreciate your understanding and patience as I attempt to balance professional and personal commitments, just like many others do. Thanks 🙂

jcsec9365
http://securityinaction.wordpress.com/?p=2946
Defending against recent and older cyber attacks
Tags: Malware, Security Advice, Security Vulnerabilities, Bring Your Own Vulnerable Driver, Corporate Security, DLL Loading, driver

TL; DR

In recent months threat actors have been leveraging alternative means of compromising Windows based systems in order to evade detection. Make certain to download and install software from legitimate sources and where possible make use of the Windows driver blocklist (further recommendations listed below).

====================

By employing techniques such as DLL sideloading (defined below, and first seen in 2010) and bring your own vulnerable driver (BYOVD), threat actors are seeking to increase their chances of success, whether the goal is information stealing, cryptocurrency theft or the installation of ransomware.

DLL Sideloading

Computer users in China have recently fallen victim to trojanised applications believed to have originated from black search engine optimisation (SEO) results or malicious advertising (malvertising).

The advanced persistent threat (APT) group Dragon Breath has begun to use a variation of a classic DLL sideloading technique (MITRE ATT&CK framework T1574.002) seeking to evade detection in order to infect systems. The applications being targeted by the group are primarily Telegram, LetsVPN and WhatsApp for Android, Apple iOS, or Windows. The group is targeting Chinese speaking users within China, Japan, Taiwan, Singapore, Hong Kong, and the Philippines.

CrowdStrike defines DLL side-loading as “the proxy execution of a malicious DLL via a benign executable planted in the same directory, similar to DLL search-order hijacking.” Since the application loading the malicious DLL is trusted (and often signed), the DLL is less likely to be detected. The DLL will also often carry encrypted or obfuscated (harder to understand) code to bypass basic anti-malware scanning. In this particular campaign the malicious DLL loads its payload from an encrypted text file, and it is a second clean application, launched by the first, that side-loads the malicious DLL.
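To show why a DLL dropped beside a signed executable gets loaded at all, here is an added example (not from the post or from the Sophos/CrowdStrike research it cites) that models the default Windows DLL search order and flags side-loading candidates in a file listing. KnownDLLs such as kernel32.dll are mapped from the \KnownDlls object directory, so a planted copy of those is ignored; any other imported DLL (version.dll, dbghelp.dll and friends) is resolved from the application directory first, which is what side-loading abuses. The file listing and import list are constructed; a real scan would walk Program Files and read each EXE’s import table.

```python
"""Added example: a model of the default Windows DLL search order used to flag
side-loading candidates. KnownDLLs cannot be shadowed from the application
directory; everything else is resolved from the application directory first.
The file listing and import list below are constructed sample data."""

SYSTEM32 = r"c:\windows\system32"
# Subset of the default KnownDLLs list (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs).
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "gdi32.dll",
              "advapi32.dll", "ole32.dll", "combase.dll", "shell32.dll", "ws2_32.dll"}


def resolve(dll: str, app_dir: str, cwd: str, path_dirs, listing, system32: str = SYSTEM32):
    """Return the lower-cased path the loader would pick for `dll`, or None.
    Models SafeDllSearchMode=1: application dir, System32, current dir, then PATH
    (the 16-bit system and Windows directories are omitted for brevity)."""
    name = dll.lower()
    if name in KNOWN_DLLS:
        return f"{system32}\\{name}".lower()          # never taken from the application directory
    for directory in [app_dir, system32, cwd, *path_dirs]:
        candidate = f"{directory}\\{name}".lower()
        if candidate in listing:
            return candidate
    return None


def sideload_candidates(exe_path: str, imports, listing, cwd=None, path_dirs=(), system32=SYSTEM32):
    """DLLs that resolve to the application directory while a same-named copy also exists
    in System32: the classic side-loading pattern."""
    app_dir = exe_path.rsplit("\\", 1)[0]
    cwd = cwd or app_dir
    findings = []
    for dll in imports:
        chosen = resolve(dll, app_dir, cwd, path_dirs, listing, system32)
        system_copy = f"{system32}\\{dll}".lower()
        if chosen and chosen.startswith(app_dir.lower()) and system_copy in listing:
            findings.append((dll.lower(), chosen))
    return findings


# Constructed listing: a trojanised installer directory next to a genuine System32.
LISTING = {p.lower() for p in [
    r"C:\Program Files\Telegram Desktop\Telegram.exe",
    r"C:\Program Files\Telegram Desktop\version.dll",    # planted beside the signed EXE
    r"C:\Program Files\Telegram Desktop\kernel32.dll",   # planted too, but a KnownDLL: ignored
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\user32.dll",
]}
IMPORTS = ["VERSION.dll", "KERNEL32.dll", "USER32.dll"]   # as an import table would list them

if __name__ == "__main__":
    exe = r"C:\Program Files\Telegram Desktop\Telegram.exe"
    for dll, path in sideload_candidates(exe, IMPORTS, LISTING):
        print(f"side-load candidate: {dll} -> {path}")
```

On a real host the same logic applied to EDR file-creation telemetry (a new DLL written into a directory that already holds a signed EXE importing it) is a practical detection for this technique.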

Within this attack, the DLL deploys a backdoor (a means of hidden access) to the system which accepts commands from the threat actor enabling them to:

  1. Edit Windows registry keys
  2. Download files of their choice
  3. Steal clipboard contents
  4. Enter commands of the threat actor’s choice into a hidden command prompt window
  5. Restart the system
  6. Steal cryptocurrency from the MetaMask Google Chrome extension

Recommended Mitigations

Download software and software updates from trusted sources.

For corporate environments, centralise the deployment and updating of your software, seeking to prevent the use of shadow IT as well as the use of compromised software installers as seen in the examples above.

For corporate environments, employ the use of EDR, MDR (Managed EDR) or XDR (Extended EDR) solutions to detect and respond to attacks sooner.

====================

Bring Your Own Vulnerable Driver (BYOVD)

As a response to Microsoft blocking the use of macros (a series of commands and instructions that you group together as a single command to accomplish a task automatically) since July 2022, threat actors have increasingly used a technique known as Bring Your Own Vulnerable Driver (BYOVD).

In February 2023, Trend Micro observed the BlackCat ransomware using a signed kernel driver to evade detection by anti-malware and Endpoint Detection and Response (EDR) solutions (the threat actors must already have elevated privileges on a system to install such a driver (sometimes obtained using stolen network credentials or SMS phishing)). Such a capability also enables the threat actors to terminate almost any running security solution.

The use of such drivers is often associated with more sophisticated groups with skills and funding to develop and test them. The use of signed drivers for malicious purposes are used to impair defences and attempt to stay hidden for longer periods due to their ability to “shift left” within the cyber kill chain (thus beginning their attack sooner in the kill chain) blocking detection before they launch their primary attacks within a compromised environment.

Recommended Mitigations

For corporate environments, employ the use of EDR, MDR (Managed EDR) or XDR (Extended EDR) solutions to detect and respond to attacks sooner to detect the indicators of compromise shared by vendors such as Trend Micro for such attacks. A Security information and event management (SIEM) can provide this capability across your entire environment (when its scope encompasses all of your devices).

For consumer and corporate environments, make certain the Microsoft Vulnerable Driver Blocklist is enabled on your Windows systems (Windows Security > Device security > Core isolation). Windows Defender (when used as the primary anti-malware solution) can also enforce the Attack Surface Reduction rule “Block abuse of exploited vulnerable signed drivers”.

My thanks to BleepingComputer, The Register, Sophos, Trend Micro and CrowdStrike as references for this article.

Image Credit: https://unsplash.com/@rayhennessy

jcsec9365
http://securityinaction.wordpress.com/?p=2863
Recommendations and Lessons Learned from the 3CX Attack (2023)
Tags: Malware, Security Advice, Security Vulnerabilities, Corporate Security, Microsoft, Supply Chain

TL; DR

Following the recent supply chain attack upon 3CX that was detected in late March, follow the links below to determine the appropriate response actions, how to tell if your environment was affected and mitigation/prevention advice.

========================

Getting Started

If you use 3CX software within your organisation, if you have not already done so, follow the advice within the 3CX advisories listed below. Depending upon the size of your environment, you may have a small group of systems to remediate or perhaps many systems across your organisation:

In summary you will be removing the 3CX Electron Desktop Application (if in use), switching to the 3CX progressive web app and checking your environment with your anti-malware and EDR solutions for signs of compromise and remediating any compromised systems:

https://www.3cx.com/blog/news/security-incident-updates/

https://www.3cx.com/blog/news/desktopapp-security-alert/

========================

Checking for signs of compromise

Make use of your EDR solutions and a SIEM (if available) to search for the IOCs listed within the following links isolating and cleaning any systems which are found to be compromised.

Monitor your systems using your EDR, SIEM and IPS to look for and act upon any suspicious events such as data exfiltration attempts or attempts to connect to known unsafe sites or IP addresses:

Indicators of Compromise (IOCs)

https://blog.cyble.com/2023/03/31/a-comprehensive-analysis-of-the-3cx-attack/

https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised

IOCs specific to the Gopuram malware

Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack

YARA rules (for malware detection)

https://blog.cyble.com/2023/03/31/a-comprehensive-analysis-of-the-3cx-attack/

Threat hunting information specific to the Sophos XDR

Update 2: 3CX users under DLL-sideloading attack: What you need to know

========================

Further recommendations

  1. Consider deploying the opt-in Microsoft fix for the vulnerability leveraged within the 3CX attack, namely CVE-2013-3900 (stricter Authenticode signature verification, enabled through the EnableCertPaddingCheck registry value under HKLM\Software\Microsoft\Cryptography\Wintrust\Config and, on 64-bit Windows, the Wow6432Node equivalent). Recently upgraded systems should also be checked to verify this fix is still in place. While Symantec and other sources note this fix is not suitable for all systems and environments, it should still be employed where possible. The fix would not have prevented the 3CX compromise, but it would have made detection simpler; while not perfect, it is a step in the right direction.
  2. Once you are certain your environment is free of malware from this attack, if your organisation develops software consider conducting checks of your software supply chain to verify all parts of it are secure.
  3. If you use open source components in your software, consider creating a software bill of materials which may be useful in future to show which software is built from which components should any be affected by software vulnerabilities in the future and assist in responding faster to any potential compromises.
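The weakness behind recommendation 1 is that WinVerifyTrust validates the PKCS#7 signature but ignores any bytes appended after it inside the certificate table, which is where the 3CX payload DLLs carried their encrypted shellcode. The following added example (not from the post or any vendor advisory) locates the security directory of a PE file, walks its WIN_CERTIFICATE entries and reports any data beyond the DER structure plus legitimate 8-byte alignment padding. The PE header and certificate table it scans are constructed fixtures, not real binaries; point scan_pe() at the bytes of a real file to use it.

```python
"""Added example: detect data appended after the PKCS#7 SignedData in a PE's
Authenticode security directory (the CVE-2013-3900 padding weakness).
The PE header and certificate table here are constructed fixtures."""
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
HEADER_LEN = 64 + 4 + 20 + 240          # DOS stub + "PE\0\0" + COFF header + PE32+ optional header


def der_total_length(der: bytes) -> int:
    """Length of the outermost DER element (tag + length octets + content)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("PKCS#7 SignedData must start with a DER SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:                                  # short form
        return 2 + first
    n = first & 0x7F                                  # long form: n length octets follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def security_directory(pe: bytes):
    """(file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY (index 4). Unlike other
    data directories its VirtualAddress field is a raw file offset."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    data_dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    return struct.unpack_from("<II", pe, data_dirs + 4 * 8)


def trailing_data(cert_table: bytes):
    """Return [(entry_index, extra_bytes)] for WIN_CERTIFICATE entries whose bCertificate
    holds more than the DER structure plus legitimate 8-byte alignment padding."""
    findings, pos, idx = [], 0, 0
    while pos + 8 <= len(cert_table):
        dw_length, _revision, cert_type = struct.unpack_from("<IHH", cert_table, pos)
        if dw_length < 8:
            break
        blob = cert_table[pos + 8:pos + dw_length]
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            extra = blob[der_total_length(blob):]
            if len(extra) > 7 or any(extra):          # up to 7 zero bytes of padding is normal
                findings.append((idx, extra))
        pos += (dw_length + 7) & ~7                   # entries are 8-byte aligned
        idx += 1
    return findings


def scan_pe(pe: bytes):
    offset, size = security_directory(pe)
    return trailing_data(pe[offset:offset + size]) if size else []


def win_certificate(pkcs7: bytes, extra: bytes = b"") -> bytes:
    """Build one WIN_CERTIFICATE entry (constructed; `extra` is the CVE-2013-3900 tail)."""
    body = pkcs7 + extra
    return struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


def minimal_pe32plus(cert_table: bytes) -> bytes:
    """Constructed PE32+ header whose security directory points at cert_table (not loadable)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, HEADER_LEN, len(cert_table))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_table


# Constructed stand-in for a PKCS#7 SignedData: SEQUENCE, long-form length 0x14, 20 content bytes.
FAKE_PKCS7 = b"\x30\x82\x00\x14" + bytes(range(20))
CLEAN_PE = minimal_pe32plus(win_certificate(FAKE_PKCS7))
TAMPERED_PE = minimal_pe32plus(win_certificate(FAKE_PKCS7, extra=b"\x90" * 40))

if __name__ == "__main__":
    print("clean:", scan_pe(CLEAN_PE))
    print("tampered:", [(i, len(x)) for i, x in scan_pe(TAMPERED_PE)])
```

A hit from this check does not prove malice (some signing tools pad generously), but non-zero trailing bytes behind an otherwise valid signature are exactly the artefact the EnableCertPaddingCheck fix makes Windows reject.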

Thank you.

========================

References

https://digital.nhs.uk/cyber-alerts/2023/cc-4291

https://www.securityweek.com/3cx-supply-chain-attack-north-korean-hackers-likely-targeted-cryptocurrency-firms/
https://www.securityweek.com/mandiant-investigating-3cx-hack-as-evidence-shows-attackers-had-access-for-months/

https://twitter.com/wdormann/status/1642156921737060352

https://www.bleepingcomputer.com/news/security/3cx-confirms-north-korean-hackers-behind-supply-chain-attack/

https://www.bleepingcomputer.com/news/security/cryptocurrency-companies-backdoored-in-3cx-supply-chain-attack/

https://www.bleepingcomputer.com/news/microsoft/10-year-old-windows-bug-with-opt-in-fix-exploited-in-3cx-attack/

https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/

https://therecord.media/north-korea-hackers-linked-to-3cx-attack

jcsec9365
http://securityinaction.wordpress.com/?p=2837
Adapting to Ransomwares Changing Tactics
Tags: Malware, Security Advice, Backup, Corporate Security, encryption, Ransomware

TL; DR

With threat actors deploying ransomware in new ways, security awareness training, protecting and testing your backups is more crucial than ever. Blocking the running of scripts on systems and the use of an XDR and/or SIEM should also be considered.

========================

Introduction

First of all, to all of my readers, I hope you are doing well. Sorry for not posting in such a long time. Similar to the past, this was due to other professional commitments. Let’s examine a cyber security topic I have been researching lately.

========================

In recent months, threat actors that use ransomware against their victims have been changing their tactics to increase their chances of being paid.

What is intermittent encryption?

Intermittent encryption is when the victim’s files instead of being encrypted in totality by ransomware are partially encrypted, enough to corrupt them and make them unusable (in short, the same result as ransomware has become known for). This is not only performed to carry out the encryption faster but also in an attempt to evade detection.

Intermittent encryption can damage files faster than fully encrypting them (thus reducing the chances of being detected while the encryption is in progress by reducing the time needed to do so). Evasion from detection is also achieved by being less demanding in terms of I/O (input/output) operations on the systems hard disk(s).
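As an added example (not from the post or from SentinelOne’s research), the script below simulates the skip-step and percentage modes described for Agenda and shows the detection consequence: a whole-file entropy threshold, the classic ransomware heuristic, stays well below 7.5 bits per byte on a skip-step encrypted file, while a per-block entropy check still fires because the encrypted blocks are individually random. The “cipher” is a SHA-256 counter keystream standing in for the real ransomware ciphers, and the plaintext is a constructed CSV; the block and skip sizes are illustrative, not taken from any sample.

```python
"""Added example: simulate intermittent encryption (skip-step, percentage) and
compare whole-file versus per-block entropy detection. The keystream cipher is a
stand-in for real ransomware ciphers; the plaintext and key are constructed."""
import hashlib
import math


def keystream(key: bytes, nbytes: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for the ransomware's real cipher)."""
    out, ctr = bytearray(), 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:nbytes])


def encrypt_ranges(data: bytes, key: bytes, ranges):
    """XOR the given (start, length) ranges with keystream; return (ciphertext, bytes_encrypted)."""
    buf, ks, touched = bytearray(data), keystream(key, len(data)), 0
    for start, length in ranges:
        end = min(start + length, len(buf))
        for i in range(start, end):
            buf[i] ^= ks[i]
        touched += max(0, end - start)
    return bytes(buf), touched


def full(data: bytes, key: bytes):
    return encrypt_ranges(data, key, [(0, len(data))])


def skip_step(data: bytes, key: bytes, block: int = 1024, skip: int = 2048):
    """Agenda-style skip-step: encrypt `block` bytes, skip `skip` bytes, repeat."""
    return encrypt_ranges(data, key, [(s, block) for s in range(0, len(data), block + skip)])


def percentage(data: bytes, key: bytes, pct: int = 10, chunk: int = 4096):
    """Encrypt `chunk` bytes at the start of every window sized so that pct% of the file is touched."""
    window = chunk * 100 // pct
    return encrypt_ranges(data, key, [(s, chunk) for s in range(0, len(data), window)])


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte; 8.0 is the maximum (uniformly random bytes)."""
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def max_block_entropy(data: bytes, block: int = 1024) -> float:
    """Per-block detector: the highest entropy seen in any block of the file."""
    return max(shannon_entropy(data[i:i + block]) for i in range(0, len(data), block))


# Constructed low-entropy plaintext (a CSV export) and key.
PLAINTEXT = b"".join(b"2023-01-%02d,invoice-%05d,EUR,%d.00\n" % (i % 28 + 1, i, (i * 37) % 1000)
                     for i in range(2000))
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    for name, (ct, n) in {"full": full(PLAINTEXT, KEY), "skip-step": skip_step(PLAINTEXT, KEY),
                          "percentage": percentage(PLAINTEXT, KEY)}.items():
        print(f"{name:10s} encrypted {n / len(PLAINTEXT):5.1%}  whole-file H={shannon_entropy(ct):.2f}"
              f"  max block H={max_block_entropy(ct):.2f}")
```

Skip-step here touches roughly a third of the bytes and percentage mode about a tenth, yet both leave every affected file unusable; the detection lesson is that entropy must be measured per block (or on write I/O patterns), not per file.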

Security vendor SentinelOne first encountered this technique in 2021 with the LockFile ransomware; other families soon adopted it, including Black Basta, BlackCat (ALPHV), Agenda, Qyick and PLAY.

Black Basta is the most prevalent family at this time and I have confirmed with anti-ransomware vendors they can detect its use of intermittent encryption but were less certain about the other families listed above.

The table below summarises the techniques used by these ransomware families (many thanks to SentinelOne for providing the original and more detailed version):

Qyick
  • Characteristics: written in the Go programming language
  • Encryption methods available: exact manner of encryption unknown (samples have yet to be gathered)

Agenda
  • Characteristics: terminates processes/services of choice; enables changing of file name extensions
  • Encryption methods available: skip-step (encrypts blocks of the file while skipping user-chosen intervals); fast (only encrypts a specific quantity of the file from the beginning); percentage (encrypts only x% of a file)

BlackCat (ALPHV)
  • Characteristics: written in Rust
  • Encryption methods available: Full, HeadOnly, DotPattern, SmartPattern, AdvancedSmartPattern and Auto (the automatic mode is the fastest and uses AES hardware acceleration if available)

PLAY
  • Characteristics: first detected in June 2022
  • Encryption methods available: intermittent encryption based on file size (divides the file into chunks)

Black Basta
  • Characteristics: written in C++; supports Linux and Windows
  • Encryption methods available: intermittent encryption based on file size (skips by intervals based on the file size)

Use of Windows Shortcut files

Since Microsoft’s decision to block macros within Microsoft Office documents downloaded from the internet, announced in February this year and finalised in July 2022, threat actors have been seeking not only alternatives, but alternatives that can easily scale and are not trivial to detect. The choice of Windows shortcuts fits these criteria.

The shortcut files act as convenient clickable links and icons that threat actors can use for their intended victims to click on. These shortcuts can allow threat actors to carry out actions of their choice on your systems by using tools built into Windows for malicious purposes, thus reducing the chances of being detected. Examples of such tools/utilities are cmd.exe, powershell.exe, rundll32.exe and wscript.exe. These are used to shut down anti-malware software, deny access to folders, carry out further recon, install malware and establish persistence (starting malware after the system reboots to maintain a foothold).

Threat actors continue to develop toolkits that use shortcuts to evade detection by anti-malware software (e.g. Windows Defender) and bypass permission barriers such as User Account Control (UAC) within Windows, with the end goal of installing ransomware on compromised systems. Some threat actors use these shortcuts to distribute malware such as QBot and Emotet (and others).

The shortcuts usually use random filenames, but others are deliberately chosen, e.g. setup.exe or windowsupdater.exe. Other shortcuts appear to point to data files such as Microsoft Word documents (.docx) or video files (.avi) but actually point to executable files (.exe).
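Inspecting what a shortcut actually launches, before anyone clicks it, is one defensive check a mail gateway or an analyst can apply. The following is an added example written for this page (not from the original post or any tool it mentions): it parses the Shell Link binary format’s header and string data and flags a shortcut whose target is one of the built-in utilities named above or whose name imitates a document or media file. The .lnk bytes are constructed inline with the builder shown and contain only a harmless echo; the utility and document-suffix lists are assumptions; and for simplicity the target is read from the RELATIVE_PATH string, whereas real shortcuts often carry the target in the LinkInfo structure, which this parser skips over by size rather than decodes.

```python
import struct
from typing import Dict, List, Optional

# CLSID {00021401-0000-0000-C000-000000000046} that every Shell Link header carries
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location"))

# Assumed watch-lists: the built-in utilities named in the post, and the
# data-file extensions a lure's name may imitate.
LIVING_OFF_THE_LAND = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe"}
DOC_LIKE_SUFFIXES = (".docx", ".doc", ".pdf", ".xlsx", ".avi", ".mp4")


def parse_lnk(data: bytes) -> Dict[str, Optional[str]]:
    """Read the StringData fields of a Shell Link (.lnk) file.

    Follows MS-SHLLINK: 76-byte header, optional LinkTargetIDList and
    LinkInfo (skipped by their size fields), then StringData in fixed order."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize counts itself
    fields: Dict[str, Optional[str]] = {}
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            fields[name] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def assess(lnk_filename: str, fields: Dict[str, Optional[str]]) -> List[str]:
    """Reasons a shortcut deserves a closer look (empty list = nothing notable)."""
    reasons = []
    target = (fields.get("relative_path") or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target in LIVING_OFF_THE_LAND:
        reasons.append(f"target is a built-in launcher/scripting utility: {target}")
    stem = lnk_filename.lower()
    if stem.endswith(".lnk"):
        stem = stem[:-4]
    if stem.endswith(DOC_LIKE_SUFFIXES):
        reasons.append("shortcut name imitates a document or media file")
    return reasons


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Constructed minimal .lnk (no IDList/LinkInfo) for the example; not a real lure."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return (header + string_data(relative_path) + string_data(working_dir)
            + string_data(arguments) + b"\x00\x00\x00\x00")   # terminal ExtraData block


SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                       r"C:\Windows\System32", "/c echo constructed-sample")

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print(info)
    print(assess("Invoice.docx.lnk", info) or "nothing notable")
```

The two checks deliberately look at different things: the target tells you what runs, the filename tells you what the victim was meant to believe, and a lure that fails both (a "document" that launches cmd.exe) is the case the post describes.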

Tampering with backups

While tampering with backups or wiping them just before encrypting systems is not new, ransomware threat actors are diversifying to catch organisations off-guard. The aim is to impact organisations that create read-only (immutable) backups to prevent tampering, or that air-gap their backups (keeping them physically separated from the network to prevent corruption/tampering).

With this in mind, threat actors have been observed encrypting systems using ransomware after a backup has been restored. They are also seeking to compromise corporate login credentials in order to obtain privileged access within an IT environment with the intention of deleting backups or adding seemingly harmless files to them. Threat actors may seek to compromise your systems and ultimately your backups by seeking to hide scripts within PDF documents inside encrypted ZIP/archive files to avoid detection by anti-malware, EDR and XDR solutions (EDR vs XDR).

They have also been observed changing the retention period of backups to just 30 minutes and then making their presence on the network known 1 hour later, thus making certain no backups are then available for the victims to restore from. These newer techniques are discussed in more detail in this webinar (free to join). However, the appendix (below) includes further detail that I feel should have been present in the webinar. Please don’t misunderstand me, this is a good webinar but I feel it left out some details.

How can I protect my organisation or myself from these ransomware techniques?

  1. With these newer techniques for delivering ransomware and attacking with it becoming more common, it’s important that your employees/staff know not to open suspicious attachments from unknown or even known senders, and not to click links in phishing emails (or suspicious links from other sources). Regularly carried out and updated security awareness training is a key defence against these newer techniques. This advice to be vigilant of phishing attacks and of suspicious links and attachments also applies to individuals.
  2. In an effort to prevent threat actors running scripts and code of their choice on your systems, consider migrating your employees/staff to using standard user accounts on the systems they use each day. They should log into a privileged account only when necessary (preferably using a Privileged Identity Management (PIM) tool). Many scripts won’t execute or will have limited effect if the threat actor can’t obtain root or administrator rights on the system (they could try to escalate their privileges by exploiting a vulnerability, but this still makes it harder for them than it otherwise would be). To block scripts on Windows, consider the use of Windows AppLocker or the newer Windows Defender Application Control (WDAC).
  3. For larger organisations, to detect and block the use of scripts, consider an extended detection and response (XDR) solution. The use of an XDR solution across the organisation, in addition to a SIEM, will seek to make certain any suspicious or confirmed malicious activity is detected, enabling you to respond.
  4. Make use of cyber threat intelligence to inform you of the types of organisations being targeted and what are the likely methods threat actors will use to breach your network.
  5. Carry out regular privileged access audits to help reduce your risk by removing old accounts and seeking to detect any suspicious activity (e.g. unknown newly created accounts or accounts with more permissions than expected).

Specifically for Backups

  1. Backups should be regularly tested to make certain they can be restored from when necessary.
  2. Become familiar with your recovery time objective (RTO) and work to resolve any issues that slow down recovery in advance of a real incident taking place.
  3. Carry out pen (penetration) testing and red team exercises to help to highlight potential vulnerabilities your backups may be exposed to and seek to address any issues found.
  4. Seek to check data to be backed up is malware free before backing it up*. If possible, restore the backups to a test environment to verify they are clean.
  5. Where possible, only dedicated individuals should have access to backups with strong authentication in place. The systems which create and store backups should have strong controls and be security hardened where possible (consider the use of the CIS benchmarks or NIST 800-123).

========================

*A system that regularly has software updates installed to patch known vulnerabilities, is connected to the internet via an application-level proxy or next generation firewall and has no alerts from an installed XDR solution are contributing factors to a known clean system.

========================

Thank you.

========================

Appendix

The following is an extended analysis of a potential scenario involving ransomware that was discussed at a high level in this webinar. This analysis is my opinion on whether that scenario could occur:

One newer form of ransomware attack is to deliver the ransomware in the manner of a trojan horse attack (related to, but not the same as, the trojan horse category of malware). If the threat actors can deliver the ransomware code in a form that is not immediately executable (e.g. a file that is treated like a data file since it is not executable), by some means such as phishing or an email attachment that you may not be able to open (or by another means), then the ransomware can carry out its goal at a later time.

The idea is for this code to be very new and undetectable by an anti-malware product, since it has not been seen before by an anti-malware vendor or the wider community (e.g. VirusTotal). Since the code is not executable (at this time), there will be no behavioural characteristics to show that it is malware. The threat actor’s goal is for this file (or files) to be backed up with the rest of your corporate data. Should another incident occur and you need to restore from your backups, the threat actors can then activate that file (or files) and encrypt your data using a ransomware attack.

This form of attack is described in this webinar; however, very few details of it are shared. From my experience, what has been omitted from the description in the webinar is how this file (or files) is suddenly executed. If the file is not executable, it could be an executable file with a deliberately wrong file extension (in a Windows environment), but that is usually detected by anti-malware software since, at the binary level, the file will still begin with the format of a portable executable (represented as the letters “MZ” when viewed with a hexadecimal editor).

The webinar doesn’t describe how that change occurs (if it occurs at all). E.g. is the file a Zip (or another archive file) that is decrypted and then executed? But what would trigger that execution? An EDR or XDR solution or anti-malware software might detect that transformation (decryption) or block the script (PowerShell etc.) from executing and prevent that transformation.

A more likely scenario that the webinar doesn’t describe is for the threat actors to already be present in the network and to have established a form of persistence (e.g. fileless malware, start-up entries within the Windows registry such as adding a String value to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, or a scheduled task that executes code at a specific time, fitting into the logic bomb scenario described in that webinar). These forms of persistence have equivalents on Unix and Linux based systems.

Using the above forms of persistence, the ransomware could encrypt your data each time you restore from your backup since that persistence will still be present on the restored system(s) and will likely be able to determine the current date is later than a time period of the threat actor’s choice in order to begin its intended purpose.

The scenario of the ransomware becoming active from dormant code upon being restored by the backup application doesn’t seem possible since executable code can’t just execute, it requires an external event e.g. a script, persistence mechanism on a system or user interaction for it to begin executing.

========================

jcsec9365
http://securityinaction.wordpress.com/?p=2797
Protecting against phishing which can bypass MFA
Security Advice, phishing, social engineering, spear phishing

TL; DR

With multi-factor authentication becoming more common, threat actors are varying their previous techniques to successfully bypass it. Follow standard phishing prevention steps (be suspicious of messages you weren’t expecting, messages that look slightly different from usual, and those that suggest immediate or prompt action). Microsoft also suggests additional monitoring policies and safeguards.

========================

Background

Earlier this month, Microsoft published details of widespread phishing attacks being used by threat actors specifically seeking to bypass the multi-factor authentication (MFA) of the websites being targeted. More than 10,000 organisations have been targeted since September 2021 using this form of attack, with phishing attacks doubling in number during 2020 (according to Microsoft’s statistics).

How are threat actors bypassing multi-factor authentication using phishing attacks?

The phishing campaigns observed by Microsoft began with the threat actors sending emails to potential victims containing HTML file attachments. The emails claimed a voicemail message had been left and that the message would be deleted in 24 hours if not listened to. If the link within the message is clicked, the user’s credentials are requested and captured by the threat actor.

The user is re-directed to the real office.com website but the credentials have already been captured using an adversary in the middle (AiTM) attack (defined below).

What is an Adversary in the middle (AiTM) attack?

Adversary in the middle (AiTM) attacks are another form of phishing where a proxy server (defined) has been placed between the intended phishing victim and the target website. The linked definition, while correct, describes the legitimate use of a proxy server rather than how one is being used in this context; as with any tool, it can be used for good or bad purposes.

The proxy server enables a threat actor to capture the victim’s password and the session cookie (defined) of the website. These are what authenticate the victim to the website, and the proxy lets the threat actor capture them without the victim being aware of this (a subtle difference in the website address is the only difference between the real and fake websites). As Microsoft pointed out, AiTM is not a new technique, but it was observed in more detail by Microsoft from September 2021.

Why does this work?

To avoid the inconvenience for the user of a website needing to re-authenticate, the website stores a cookie for the length of the user’s session with the website. If a threat actor can steal this cookie using the proxy server, the threat actor then “becomes” the user.

In addition, when the threat actor places the captured session cookie into their browser, it enables them to bypass the authentication process even when MFA is enabled.

Does this mean MFA is not worthwhile?

This is not a vulnerability in MFA. Once the session cookie has been created, the MFA credentials have already been requested and entered successfully to enable the cookie to be created in the first instance.

NIST states MFA is better than passwords and Microsoft points out that the extra security added by MFA is the reason why threat actors are adapting to attempt to bypass it.

How can I protect my organisation or myself from these forms of phishing attacks?

The same recommendations/defences that are successful at preventing and detecting phishing attacks are also effective against this more recent form of phishing attack. For example, the spear phishing email technique documented by the FBI here is used in these attacks. The FBI’s final recommendation of “Be especially wary if the requestor is pressing you to act quickly” also applies here, since the emails suggested completing an action within 24 hours.

To better detect and prevent these phishing attacks, please also consider following these suggestions (Source):

  1. Use conditional access policies: These will seek to check the device or the location being used to access corporate resources and alert if unusual behaviour is detected.
  2. Make certain your web browser’s ability to detect phishing websites is enabled (reference links for Mozilla Firefox, Google Chrome, Apple Safari and Microsoft Edge)
  3. Continuously monitor for the creation of suspicious inbox rules or inboxes being accessed from unusual locations.
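One concrete form of the third suggestion, monitoring for access from unusual locations, is to look for a session identifier being presented from a different country or browser than the sign-in that completed MFA, which is what replaying a stolen session cookie looks like in sign-in logs. The following is an added example written for this page (not Microsoft’s guidance or code): the event schema, the sign-in records and the IP addresses (RFC 5737 documentation ranges) are constructed for illustration, and which field changes count as an alert is an assumption explained in the code.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class SignInEvent:
    """One sign-in log record (constructed schema, not a vendor's format)."""
    time: datetime
    user: str
    session_id: str      # value derived from the session cookie
    ip: str
    country: str
    user_agent: str
    mfa_completed: bool  # True for the sign-in that satisfied the MFA prompt


def find_session_replays(events: List[SignInEvent]) -> List[Dict[str, object]]:
    """Flag sessions whose cookie is presented from a different country or
    browser than the sign-in that completed MFA.

    A new IP on its own is common (mobile networks, VPNs), so it is recorded
    but does not alert by itself; a changed country or user agent inside one
    session is the footprint of a replayed cookie."""
    by_session: Dict[str, List[SignInEvent]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_session.setdefault(ev.session_id, []).append(ev)

    alerts = []
    for sid, evs in by_session.items():
        # The sign-in that passed MFA is the trusted origin of the session.
        origin = next((e for e in evs if e.mfa_completed), evs[0])
        for ev in evs:
            if ev is origin:
                continue
            changes = [name for name, a, b in (("country", origin.country, ev.country),
                                               ("user_agent", origin.user_agent, ev.user_agent),
                                               ("ip", origin.ip, ev.ip)) if a != b]
            if "country" in changes or "user_agent" in changes:
                alerts.append({
                    "user": ev.user,
                    "session_id": sid,
                    "minutes_after_mfa": round((ev.time - origin.time).total_seconds() / 60),
                    "changes": changes,
                    "seen_from": f"{ev.ip} ({ev.country})",
                })
    return alerts


# Constructed sign-in records; IPs are from the RFC 5737 documentation ranges.
CONSTRUCTED_EVENTS = [
    SignInEvent(datetime(2022, 7, 14, 9, 0), "alice", "sess-a1", "203.0.113.10", "GB", "Chrome/103 Windows", True),
    SignInEvent(datetime(2022, 7, 14, 9, 45), "alice", "sess-a1", "198.51.100.7", "NL", "Firefox/102 Linux", False),
    SignInEvent(datetime(2022, 7, 14, 10, 0), "bob", "sess-b2", "192.0.2.25", "IE", "Edge/103 Windows", True),
    SignInEvent(datetime(2022, 7, 14, 10, 30), "bob", "sess-b2", "192.0.2.88", "IE", "Edge/103 Windows", False),
    SignInEvent(datetime(2022, 7, 14, 11, 0), "carol", "sess-c3", "203.0.113.44", "GB", "Safari/15 macOS", True),
]

if __name__ == "__main__":
    for alert in find_session_replays(CONSTRUCTED_EVENTS):
        print(alert)
```

Only alice’s session is reported: her cookie reappears 45 minutes after MFA from another country and another browser, whereas bob’s second record changes only the IP, which is treated as a normal network move rather than a replay. The response that follows such an alert is to revoke the session so the stolen cookie stops working, since the cookie rather than the MFA factor is what the threat actor holds.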

Thank you.

jcsec9365
http://securityinaction.wordpress.com/?p=2783
DogWalk Vulnerability Remains a Potential Threat to Windows Systems
Malware, Security Advice, Security Vulnerabilities, Corporate Security

Update: This security issue was resolved by the Microsoft security update published in August 2022. Thank you.

========================

TL; DR

In early June, with the vulnerability named “Follina” affecting Windows (now designated CVE-2022-30190) being exploited (but since patched), this related vulnerability (dubbed “DogWalk”), first documented in early 2020, has regained attention. At the time of writing it is not patched by Microsoft. Please exercise caution with .diagcab files on Windows systems.

========================

What is this vulnerability and which systems are vulnerable?

This is a directory (path) traversal vulnerability (dubbed “DogWalk”; no CVE has been assigned yet) which can be used to store an executable file of a threat actor’s choice within the Windows start-up directory after the target user opens a specially crafted .diagcab archive file.

Windows 7, Windows Server 2008 R2 up to Windows 11 and Windows Server 2022 are affected.

This vulnerability was responsibly disclosed to Microsoft in January 2020 but they didn’t deem it a security issue. Files downloaded from the internet generally have a Mark of the Web flag to indicate to applications that they are potentially untrusted but the MSDT application responsible for accessing the crafted .diagcab files does not read this flag. These files can be downloaded by a web browser (including Microsoft Edge). No warning is shown during or after downloading such files.

How does this exploit work?

This path traversal vulnerability presents various options to a threat actor to exploit it. Please find below a table that details these approaches (Many thanks to Imre Rad for this table within his detailed blog post).

The Microsoft Support Diagnostics Tool can open files with the extension .diagcab (which are XML files with references to one or more diagnostic packages, collected together with the XML in Microsoft cabinet (.cab) files). Within the XML file, the file paths to the diagnostic packages point to the %WINDIR%\Diagnostic directory. This directory contains known trusted packages, with other packages subject to digital signature verification. Before checking the signature, a copy of the package is placed in a temporary directory. If the signature is valid and the user has proceeded through the graphical interface windows of the Microsoft Support Diagnostics Tool, then PowerShell scripts are executed in the background to carry out the necessary diagnostics.

However, if the source of the data is controlled by the threat actor and since network file systems are supported by Windows, the threat actor could take advantage of an attached network file share before the signature verification is carried out on the threat actor’s malformed diagnostic package.

In order to exploit this, the threat actor can set the package path of their .diagcab to a rogue network share under their control. Once the victim opens the .diagcab file a new file is saved under the Startup directory of Windows (thus providing the threat actor’s malware with persistence even if the system is restarted). That file will then be executed every time the system starts.

How would a threat actor use this?

The download of a .diagcab file could take place as a drive-by download, as shown in Imre Rad’s proof of concept. All major web browsers can download these files and run them with just one click from the user. As noted above, while these files are tagged with a Mark of the Web, the MSDT application ignores this mark.

How can I protect my organisation or myself from this vulnerability?

At the time of writing, this vulnerability has not been officially patched by Microsoft despite Microsoft being informed of it back in January 2020. The original security researcher who responsibly disclosed this issue to them recommends not opening .diagcab files received from any source, and for system administrators who maintain email servers to block the receipt of these attachments via email.

0Patch has also released a micropatch for this vulnerability. At this time, it’s unclear if Microsoft will mitigate or patch this vulnerability in the future.

Thank you.

jcsec9365
http://securityinaction.wordpress.com/?p=2771
Vulnerable QNAP Devices Targeted by Ransomware
Malware, Security Advice, Security Vulnerabilities, Corporate Security, NAS, QNAP, Ransomware

TL; DR

If you use a QNAP NAS server on your network (corporate or home), please update its firmware to the most recent available version and check that it isn’t accepting connections from the public internet. Threat actors are actively scanning the internet for vulnerable QNAP NAS devices and locking their contents using ransomware.

What is happening?

Since January of this year, threat actors have been scanning the internet for unpatched NAS (defined) devices from QNAP in order to encrypt their contents using ransomware. Due to the nature of NAS devices, depending how and when you use them, it may not be immediately obvious your data is no longer accessible.

How does this occur?

Rather than relying on you clicking a link, opening an attachment or completing any other action a threat actor may wish for you to complete, they are instead scanning the internet (likely using Shodan or an equivalent) looking for vulnerable QNAP devices.

If the NAS device is accessible via the internet, this also exposes it to being targeted by threat actors. Once located, if the device is vulnerable to the issue resolved in this QNAP security bulletin, the threat actors will encrypt your device and request a ransom to release it and your data.

Suggested Resolution

While QNAP took the unusual step of deploying the update referenced from the above security bulletin to vulnerable devices it appears not all devices received it. Censys has detected more than 1000 devices still vulnerable.

If you own or manage a QNAP NAS device and have not done so already, please make certain the update in this QNAP security bulletin has been installed.

In addition, please follow QNAP’s advice on disabling port forwarding and Universal Plug and Play (UPnP). Please also consider maintaining a separate offline backup of your data to use should your NAS backup be affected by any issues in the future.

Thank you.

jcsec9365
http://securityinaction.wordpress.com/?p=2757
Asus Routers Targeted by Cyclops Blink Malware
Malware, Security Advice, Security Vulnerabilities, APT, Asus, Corporate Security, CyclopsBlink, Routers, Wireless Routers

TL; DR

Trend Micro security researchers have discovered a known and highly capable advanced persistent threat (APT) group targeting Asus routers to recruit those routers into a botnet. Since the group has previously targeted other vendors too, please make certain your router is security hardened (see below) and has the latest available firmware.

What is happening?

In the latter half of last week, Trend Micro researchers acquired malware samples which target Asus consumer routers, seeking to recruit these devices into a botnet (defined). This malware originated from the advanced persistent threat (APT) group known as Sandworm or Voodoo Bear, known for attacks on the Ukrainian electrical grid in 2015 and 2016, in addition to previous router-based malware, namely VPNFilter, and the high-impact NotPetya malware.

What capabilities does the malware have?

The overall intentions/purpose of the malware is unclear, but it does contain the following capabilities:

  1. It may be used to conduct DDoS (defined) attacks
  2. To carry out espionage activities or to act as a proxy to other networks.
  3. The malware has the ability to persist (even with a factory reset since it is designed to access and replace the router’s flash memory) and to work around domain sinkholes (used by the security community to attempt to disable the malware).

Security researchers theorise that the purpose of the botnet may be larger than DDoS since some devices have been compromised for more than 2 years while also acting as stable command and control (defined) sites for other botnets.

Why does it matter?

A compromised router within a corporate or home environment could be used:

  1. For espionage activities within those environments
  2. To carry out DDoS attacks external to your networks
  3. To act as a means of accessing other segments of the networks the router is connected to

While the malware currently only targets WatchGuard and now Asus devices, given the malware is modular in its design and the group’s previous success in exploiting devices from other vendors (e.g. D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, UPVEL and ZDE), it’s likely more devices will be targeted in the future. The Trend Micro researchers noted that while they have evidence of other routers being targeted, they were unable to collect samples for analysis.

Suggested resolution

Already compromised?

At this time, there does not appear to be a means of checking if your Asus router has already been infected. If you are using a model of router from the list with a firmware version lower than those listed within the Asus security bulletin (no direct link is available; click the entry for Security Advisory for Cyclops Blink to view it), it’s possible it’s already infected. Indicators of compromise for corporate environments are available here.

If your router has already been infected, it’s best to simply replace it and then follow the prevention steps below going forward. This malware can persist even through a factory reset, and not all firmware updates will overwrite the compromised parts of the router’s operating system.

Prevention

Preventing infection of your router (and not just an Asus router) by this malware is possible, and most of the security recommendations may already be in place:

  1. Make certain your router has the most recent firmware installed from the vendor (set reminders to periodically check the vendor’s website, or opt to install updates automatically if available as an option)
  2. Make certain the default password to access the administrative interface of the router has been changed
  3. Disable Remote Management (for Asus routers this is disabled by default and can only be enabled via the Advanced Settings)

Refer to the user guide for the router to learn how to carry out these steps if you are not sure. Usually the steps are quick and straight forward.

Additional recommendations for corporate environments

  1. Only essential services should be exposed to the internet (e.g. a web server’s ports 80 and 443)
  2. Use a VPN if you need to access services remotely

For reference, indicators of compromise for corporate environments are available here.

Further Reference

New Sandworm Malware Cyclops Blink Replaces VPNFilter

https://www.cisa.gov/uscert/ncas/alerts/aa22-054a

Thank you.

jcsec9365
http://securityinaction.wordpress.com/?p=2748