Posts on Security, Cloud, DevOps, Citrix, VMware and others.
Words and views are my own and do not reflect on my companies views.
Disclaimer: some of the links on this site are affiliate links, if you click on them and make a purchase, I make a commission.
Cybersecurity researchers have discovered a previously undocumented advanced backdoor dubbed Deadglyph employed by a threat actor known as Stealth Falcon as part of a cyber espionage campaign.
"Deadglyph's architecture is unusual as it consists of cooperating components – one a native x64 binary, the other a .NET assembly," ESET said in a new report shared with The Hacker News.
"This combination is unusual because malware typically uses only one programming language for its components. This difference might indicate separate development of those two components while also taking advantage of unique features of the distinct programming languages they utilize."
It's also suspected that the use of different programming languages is a deliberate tactic to hinder analysis, making it a lot more challenging to navigate and debug.
Unlike other traditional backdoors of its kind, the commands are received from an actor-controlled server in the form of additional modules that allow it to create new processes, read files, and collect information from the compromised systems.
Stealth Falcon (aka FruityArmor) was first exposed by the Citizen Lab in 2016, linking it to a set of targeted spyware attacks in the Middle East aimed at journalists, activists, and dissidents in the U.A.E. using spear-phishing lures embedding booby-trapped links pointing to macro-laced documents to deliver a custom implant capable of executing arbitrary commands.
A subsequent investigation undertaken by Reuters in 2019 revealed a clandestine operation called Project Raven that involved a group of former U.S. intelligence operatives who were recruited by a cybersecurity firm named DarkMatter to spy on targets critical of the Arab monarchy.
Stealth Falcon and Project Raven are believed to be the same group based on the overlaps in tactics and targeting.
The group has since been linked to the zero-day exploitation of Windows flaws such as CVE-2018-8611 and CVE-2019-0797, with Mandiant noting in April 2020 that the espionage actor "used more zero-days than any other group" from 2016 to 2019.
In 2019, ESET detailed the adversary's use of a backdoor named Win32/StealthFalcon that was found to use the Windows Background Intelligent Transfer Service (BITS) for command-and-control (C2) communications and to gain complete control of an endpoint.
Deadglyph is the latest addition to Stealth Falcon's arsenal, according to the Slovak cybersecurity firm, which analyzed an intrusion at an unnamed governmental entity in the Middle East.
The exact method used to deliver the implant is currently unknown, but the initial component that activates its execution is a shellcode loader that extracts and loads shellcode from the Windows Registry, which subsequently launches Deadglyph's native x64 module, referred to as the Executor.
The Executor then proceeds with loading a .NET component known as the Orchestrator that, in turn, communicates with the command-and-control (C2) server to await further instructions. The malware also engages in a series of evasive maneuvers to fly under the radar, counting the ability to uninstall itself.
The commands received from the server are queued for execution and can fall into one of three categories: Orchestrator tasks, Executor tasks, and Upload tasks.
"Executor tasks offer the ability to manage the backdoor and execute additional modules," ESET said. "Orchestrator tasks offer the ability to manage the configuration of the Network and Timer modules, and also to cancel pending tasks."
Some of the identified Executor tasks comprise process creation, file access, and system metadata collection. The Timer module is used to poll the C2 server periodically in combination with the Network module, which implements the C2 communications using HTTPS POST requests.
Upload tasks, as the name implies, allow the backdoor to upload the output of commands and errors.
ESET said it also identified a control panel (CPL) file that was uploaded to VirusTotal from Qatar, which is said to have functioned as a starting point for a multi-stage chain that paves the way for a shellcode downloader that shares some code resemblances with Deadglyph.
While the nature of the shellcode retrieved from the C2 server remains unclear, it has been theorized that the content could potentially serve as the installer for the Deadglyph malware.
Deadglyph gets its name from artifacts found in the backdoor (hexadecimal IDs 0xDEADB001 and 0xDEADB101 for the Timer module and its configuration), coupled with the presence of a homoglyph attack impersonating Microsoft ("Ϻicrоsоft Corpоratiоn") in the Registry shellcode loader's VERSIONINFO resource.
"Deadglyph boasts a range of counter-detection mechanisms, including continuous monitoring of system processes and the implementation of randomized network patterns," the company said. "Furthermore, the backdoor is capable of uninstalling itself to minimize the likelihood of its detection in certain cases."
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://bit.ly/3t2NneO
via IFTTT
The three zero-day flaws addressed by Apple on September 21, 2023, were leveraged as part of an iPhone exploit chain in an attempt to deliver a spyware strain called Predator targeting former Egyptian member of parliament Ahmed Eltantawy between May and September 2023.
"The targeting took place after Eltantawy publicly stated his plans to run for President in the 2024 Egyptian elections," the Citizen Lab said, attributing the attack with high confidence to the Egyptian government owing to it being a known customer of the commercial spying tool.
According to a joint investigation conducted by the Canadian interdisciplinary laboratory and Google's Threat Analysis Group (TAG), the mercenary surveillance tool is said to have been delivered via links sent on SMS and WhatsApp.
"In August and September 2023, Eltantawy's Vodafone Egypt mobile connection was persistently selected for targeting via network injection; when Eltantawy visited certain websites not using HTTPS, a device installed at the border of Vodafone Egypt's network automatically redirected him to a malicious website to infect his phone with Cytrox's Predator spyware," the Citizen Lab researchers said.
The exploit chain leveraged a set of three vulnerabilities – CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993 – which could allow a malicious actor to bypass certificate validation, elevate privileges, and achieve remote code execution on targeted devices upon processing a specially crafted web content.
Predator, made by a company called Cytrox, is analogous to NSO Group's Pegasus, enabling its customers to surveil targets of interest and harvest sensitive data from compromised devices. Part of a consortium of spyware vendors called the Intellexa Alliance, it was blocklisted by the U.S. government in July 2023 for "enabling campaigns of repression and other human rights abuses."
The exploit, hosted on a domain named sec-flare[.]com, is said to have been delivered after Eltantawy was redirected to a website named c.betly[.]me by means of a sophisticated network injection attack using Sandvine's PacketLogic middlebox situated on a link between Telecom Egypt and Vodafone Egypt.
"The body of the destination website included two iframes, ID 'if1' which contained apparently benign bait content (in this case a link to an APK file not containing spyware) and ID 'if2' which was an invisible iframe containing a Predator infection link hosted on sec-flare[.]com," the Citizen Lab said.
Google TAG researcher Maddie Stone characterized it as a case of an adversary-in-the-middle (AitM) attack that takes advantage of a visit to a website using HTTP (as opposed to HTTPS) to intercept and force the victim to visit a different site operated by the threat actor.
"In the case of this campaign, if the target went to any 'http' site, the attackers injected traffic to silently redirect them to an Intellexa site, c.betly[.]me," Stone explained. "If the user was the expected targeted user, the site would then redirect the target to the exploit server, sec-flare[.]com."
Eltantawy received three SMS messages in September 2021, May 2023, and September 2023 that masqueraded as security alerts from WhatsApp urging Eltantawy to click on a link to terminate a suspicious login session originating from a purported Windows device.
While these links don't match the fingerprint of the aforementioned domain, the investigation revealed that the Predator spyware was installed on the device approximately 2 minutes and 30 seconds after Eltantawy read the message sent in September 2021.
He also received two WhatsApp messages on June 24, 2023, and July 12, 2023, in which an individual claiming to be working for the International Federation for Human Rights (FIDH) solicited his opinion on an article that pointed to the website sec-flare[.]com. The messages were left unread.
Google TAG said it also detected an exploit chain that weaponized a remote code execution flaw in the Chrome web browser (CVE-2023-4762) to deliver Predator on Android devices using two methods: the AitM injection and via one-time links sent directly to the target.
CVE-2023-4762, a type confusion vulnerability in the V8 engine, was anonymously reported on August 16, 2023, and patched by Google on September 5, 2023, although the internet giant assesses that Cytrox/Intellexa may have used this vulnerability as a zero-day.
According to a brief description on the National Vulnerability Database (NVD), CVE-2023-4762 concerns a "type confusion in V8 in Google Chrome prior to 116.0.5845.179 [that] allowed a remote attacker to execute arbitrary code via a crafted HTML page."
The latest findings, besides highlighting the abuse of surveillance tools to target the civil society, underscores the blindspots in the telecom ecosystem that could be exploited to intercept network traffic and inject malware into targets' devices.
"Although great strides have been made in recent years to 'encrypt the web,' users still occasionally visit websites without HTTPS, and a single non-HTTPS website visit can result in spyware infection," the Citizen Lab said.
Users who are at risk of spyware threats because of "who they are or what they do" are recommended to keep their devices up-to-date and enable Lockdown Mode on iPhones, iPads, and Macs to stave off such risks.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://bit.ly/462sWxg
via IFTTT
Last week Google’s Threat Analysis Group (TAG), in partnership with The Citizen Lab, discovered an in-the-wild 0-day exploit chain for iPhones. Developed by the commercial surveillance vendor, Intellexa, this exploit chain is used to install its Predator spyware surreptitiously onto a device.
In response, yesterday, Apple patched the bugs in iOS 16.7 and iOS 17.0.1 as CVE-2023-41991, CVE-2023-41992, CVE-2023-41993. This quick patching from Apple helps to better protect users and we encourage all iOS users to install them as soon as possible.
Exploit delivery via man-in-the-middle (MITM)
The Intellexa exploit chain was delivered via a “man-in-the-middle” (MITM) attack, where an attacker is in between the target and the website they’re trying to reach. If the target is going to a website using ‘http’, then the attacker can intercept the traffic and send fake data back to the target to force them to a different website. Visiting a website using ‘https’ means that the traffic is encrypted, and it is easily verifiable that the received data came from the intended website using their certificate. That is not the case when using ‘http’.
In the case of this campaign, if the target went to any ‘http’ site, the attackers injected traffic to silently redirect them to an Intellexa site, c.betly[.]me. If the user was the expected targeted user, the site would then redirect the target to the exploit server, sec-flare[.]com. While there’s a spotlight on “0-click” vulnerabilities (bugs that don’t require user interaction) this MITM delivery also didn’t require the user to open any documents, click a specific link, or answer any phone calls.
iOS Exploit Chain
As soon as the attacker redirected the target to their exploit server, the exploit chain began to execute. For iOS, this chain included three vulnerabilities:
CVE-2023-41993: Initial remote code execution (RCE) in Safari
CVE-2023-41991: PAC bypass
CVE-2023-41992: Local privilege escalation (LPE) in the XNU Kernel
The chain then ran a small binary to decide whether or not to install the full Predator implant. However, TAG was unable to capture the full Predator implant.
The attacker also had an exploit chain to install Predator on Android devices in Egypt. TAG observed these exploits delivered in two different ways: the MITM injection and via one-time links sent directly to the target. We were only able to obtain the initial renderer remote code execution vulnerability for Chrome, which was exploiting CVE-2023-4762.
This bug had already been separately reported to the Chrome Vulnerability Rewards Program by a security researcher and was patched on September 5th. We assess that Intellexa was also previously using this vulnerability as a 0-day.
Chrome's work to protect against MITM
For years, Chrome has worked toward universal HTTPS adoption across the web. Additionally Chrome has an “HTTPS-First Mode” that can reduce the likelihood of exploits being delivered via MITM network injection. "HTTPS-First Mode" will attempt to load all pages over HTTPS, and show a large warning before falling back to sending an HTTP request. This setting is currently on by default for users enrolled in the Advanced Protection Program who are also signed into Chrome. We encourage all users to enable “HTTPS-First Mode” to better protect themselves from MITM attacks.
Conclusion
This campaign is yet another example of the abuses caused by the proliferation of commercial surveillance vendors and their serious risk to the safety of online users. TAG will continue to take action against, and publish research about, the commercial spyware industry, as well as work across the public and private sectors to push this work forward.
We would like to acknowledge and thank The Citizen Lab for their collaboration and partnership in the capturing and analysis of these exploits, and Apple for deploying a timely patch for the safety of online users.
POSTED IN:
from Threat Analysis Group (TAG) https://bit.ly/3LzVx4R
via IFTTT
As soon as your company becomes more or less famous, more often than not someone starts exploiting your success for their own purposes. At best, they simply hide behind your name in order to promote some dubious quality goods and services. At worst, they prey on your clients, partners, or even employees. The latter – including the information security department – often don’t even suspect the existence of malicious doppelgangers until their actions begin to cause a flurry of letters to your customer support, or a scandal on social networks. In any case such incidents negatively affect your company’s reputation. Three types of internet-doppelgangers are the most common.
Fake apps in stores
These days, almost every serious business has its own app for convenient customer access to online services – sometimes more than one. Therefore, it’s no surprise that when you search for this or that app in an online store you get more than one result. Sure, most users will download the most popular option, but most likely some will fall for the scammers’ trick and install a fake one – especially if they receive a direct link to it. Inside, anything can be lurking – from a banking Trojan to tools for remote access to your device. Quite recently, our experts found several modified versions of popular instant-messenger apps on Google Play containing spyware code.
Fake social media accounts
Social media accounts purporting to relate to your company can be used by criminals in a variety of different schemes. They are often used to spread false information – to promote some semi-legal (online casinos) or outright fraudulent activities (giveaways for all kinds of prizes, tickets or bitcoins) supposedly affiliated with your brand. However, a fake account can also distribute malicious or phishing links, or serve as a platform for more sophisticated social engineering attacks.
Phishing sites
If your website has a member area for clients, partners or employees, then you can rest assured that the personal credentials for their accounts are of interest to attackers. Therefore, you should not be surprised if at some point attackers will try to imitate your site in order to harvest logins and passwords – at least in order to resell this information to other cybercriminals.
How to protect a company’s reputation from copy-cats?
In the vast majority of cases, the target of various illegal schemes involving imitation of your website, app, or a social media account is targeted at someone else (whether individuals or other companies). However, it’s your reputation that suffers. Therefore, such doppelgangers should be identified and eliminated before they can cause significant damage. Doing this yourself isn’t very convenient, so we’ve updated our Digital Footprint Intelligence service, which can help with this problem.
The Kaspersky Digital Footprint Intelligence service is designed to enable customers to monitor their digital footprint and identify potential risks and vulnerabilities associated with it. Some time ago, its functionality was supplemented with monitoring for phishing sites that use brand names or were registered using typosquatting and combosquatting, as well as with a domain takedown service.
Now the service also allows you to track, identify, and take down accounts on social networks and applications in stores that are illegally using your company name. You can learn more about Kaspersky Digital Footprint Intelligence on the solution's website.
from Kaspersky official blog https://bit.ly/3EMALem
via IFTTT
pfSense® software from Netgate® received 42 awards in the G2 Fall 2023 report in several categories, including new regional awards in EMEA, Asia Pacific, and the Americas. The list included Enterprise, Mid-Market, and Small Business awards in categories such as Best Estimated ROI, Best Relationship, Best Usability, Most Implementable, and Users Most Likely to Recommend, for both the Firewall Software and Business VPN groups.
These G2 awards are based on reviews by real users. The number of awards we have received is an important sign that we continue to provide valuable network security solutions. Placing first in so many of these categories provides further validation that our work is important and appreciated. We are honored to receive these awards and grateful to our customers for your support. We continue to strive for excellence in all we do, and we look forward to providing even more high-performance and affordable firewall, VPN, and routing solutions in the future. Thank you to everyone who has supported us along the way – we couldn't have done it without you!
Top pfSense Software Awards
#1 EMEA Regional Grid® Report for Business VPN #1 Asia Pacific Regional Grid® Report for Business VPN #1 Small-Business EMEA Regional Grid® Report for Business VPN #1 Small-Business Americas Regional Grid® Report for Business VPN #1 Europe Regional Grid® Report for Business VPN #1 Momentum Grid® Report for Firewall Software #1 Small-Business Usability Index for Firewall Software #1 Mid-Market Results Index for Business VPN #1 Small-Business Results Index for Business VPN #1 Results Index for Business VPN Overall #1 Small-Business Results Index for Firewall Software #1 Results Index for Firewall Software Overall #1 Small-Business Relationship Index for Business VPN #1 Relationship Index for Business VPN Overall #1 Enterprise Relationship Index for Firewall Software #1 Small-Business Relationship Index for Firewall Software #1 Relationship Index for Firewall Software #1 Small-Business Implementation Index for Business VPN #1 Implementation Index for Business VPN #1 Enterprise Implementation Index for Firewall Software #1 Small-Business Implementation Index for Firewall Software #1 Implementation Index for Firewall Software #1 Small-Business Grid® Report for Business VPN #1 Small-Business Grid® Report for Firewall Software
Other Notable pfSense Software Awards #3 Usability Index for Firewall Software Overall #3 Grid® Report for Firewall Software Overall #2 Grid® Report for Business VPN Overall #3 Enterprise Grid® Report for Business VPN Overall
More on pfSense Software The world’s leading open-source-driven firewall, router, and VPN solution for network edge and cloud secure networking, pfSense Plus software is the world’s most trusted firewall. The software has garnered the respect and adoration of users worldwide - installed well over seven million times. pfSense software is made possible by open-source technology and made into a robust, reliable, dependable product by Netgate.
More About Us Netgate is constantly striving to provide leading-edge network security at a fair price. We are the primary developer and maintainer of pfSense software, an open-source firewall, VPN, and router platform, and TNSR®, a high-performance software router based on FD.io’s Vector Packet Processing (VPP), of which we are a leading contributor. We also fund additional open source work that we upstream to projects like FreeBSD, the Linux Foundation FD.io, Clixon, and others. Please contact us with any questions about using pfSense software to solve your small business, mid-market, or enterprise needs.
Wireshark is a free protocol analyzer that can record and display packet captures (pcaps) of network traffic. IT professionals use this tool to investigate a wide range of network issues. Security professionals also use Wireshark to review traffic generated from malware.
What makes Wireshark so useful? It is very customizable. Wireshark’s default column display provides a wealth of information, but you should customize the columns to meet your specific needs.
This article is the first in a series of Wireshark tutorials that provides customization options helpful for investigating malicious network traffic. It was first published in August 2018 and has been updated for 2023.
We recommend using a non-Windows environment like BSD, Linux or macOS. Pcaps from Windows infections may contain malicious binaries that present a risk of infection when using Wireshark on a Windows computer. For this tutorial, we use the Xubuntu Linux distro.
If possible, review pcaps using the most recent version of Wireshark for your environment. Recent versions have more features, capabilities and bug fixes than older versions. We recommend at least version 3.6.2 or later. In this tutorial, we use Wireshark version 4.0.7.
Wireshark users must have a basic understanding of network traffic, and this series of tutorials focuses on IPv4 traffic. The term “basic understanding” means different things to different people, but the knowledge does not have to be extensive.
For example, readers should know the difference between a public IPv4 address and an internal, nonroutable IPv4 address. Basic network knowledge includes recognizing TCP and UDP traffic and knowing about DNS. Readers should also have some idea how network traffic is routed between an internal client like a desktop computer and an external server like a website.
Ultimately, this series of tutorials assumes readers have some sort of background and interest in reviewing malicious network traffic.
Supporting Material
The pcap for this tutorial is hosted at our GitHub repository. Download the pcap as shown below in Figure 1.
Figure 1. Saving the pcap for this tutorial from our GitHub repository.
The name of your downloaded ZIP archive should be Wireshark-tutorial-column-setup.pcap.zip. Use infected as the password to unlock the ZIP archive as shown below in Figure 2.
Figure 2. Extracting our pcap from the password-protected zip archive.
The extracted pcap for this tutorial is named Wireshark-tutorial-column-setup.pcap. Now that we have our pcap, let’s check our version of Wireshark.
Wireshark Version Check
Without any pcap loaded, Wireshark displays its version number on the welcome screen as shown below in Figure 3.
Figure 3. Wireshark’s version number displayed on its welcome screen.
We can also select “About Wireshark” under the Help menu to view the version number as shown below in Figure 4.
Figure 4. Wireshark’s version number from About Wireshark under the Help menu.
Configuration Profiles
After confirming you have Wireshark version 3.6.2 or newer, select Configuration Profiles under Wireshark’s Edit menu. Make a copy of the default configuration profile by clicking the Copy button as shown below in Figure 5.
Figure 5. Copying the default configuration profile in Wireshark.
After copying the default profile, give it a new name. We suggest changing the name to “Customized” as shown below in Figure 6.
Figure 6. Renaming the copy of the default configuration profile.
If this newly created profile is still selected when we close the Configuration Profiles window, any customizations to Wireshark will be stored to this newly created profile.
Web Traffic and the Default Wireshark Column Display
Malware distribution frequently occurs through web traffic. Data exfiltration and command and control activity can also use web traffic. However, when reviewing such malicious activity, Wireshark's default column options are not ideal.
Fortunately, we can customize Wireshark’s column display to provide a better view of web traffic. To view the default layout of Wireshark, open the pcap we previously downloaded for this tutorial. The default layout for Wireshark version 4.0.7 is shown below in Figure 7.
Figure 7. Default layout for Wireshark version 4.0.7 after opening our pcap.
Examine your column display. Wireshark’s default columns are listed below in Table 1.
Column Name
Column Description
No.
Frame number from the beginning of the pcap. The first frame is always 1.
Time
Seconds broken down to the microsecond from the first frame of the pcap. The first frame is always 0.000000.
Source
Source address, commonly an IPv4, IPv6 or Ethernet address.
Destination
Destination address, commonly an IPv4, IPv6 or Ethernet address.
Protocol
Protocol used in the Ethernet frame, IP packet or TCP segment (ARP, DNS, TCP, HTTP, etc.).
Length
Length of the frame in bytes.
Info
Information about the Ethernet frame, IP packet or TCP segment.
Table 1. Columns used in Wireshark’s default display.
To better examine Windows-based malware traffic, this tutorial customizes Wireshark to use the columns shown below in Table 2.
Column Name
Column Description
Time
Date and time in UTC.
Source address
IPv4, IPv6 or Ethernet sourceaddress.
Source port
TCP or UDP port used by the source address for IPv4 or IPv6 traffic.
Destination address
IPv4, IPv6 or Ethernet destinationaddress.
Destination port
TCP or UDP port used by the destination address for IPv4 or IPv6 traffic.
Domain
Domain name used in HTTP or HTTPS traffic.
Info
Information about the Ethernet frame, IP packet or TCP segment.
Table 2. Columns for our customized Wireshark column display.
To customize our Wireshark column display, we will first change the Time column to show the date and time in Universal Coordinated Time (UTC).
Changing Date and Time to UTC
When publicly sharing information about a malware infection, the recipients can be in any part of the world. Due to the different time-zones, a standard format for reporting the time of malicious activity is UTC.
To change Wireshark's time display format, under the View menu, go to "Time Display Format," and change the value from "Seconds Since Beginning of Capture" to "UTC Date and Time of Day." Use the same menu path to change the resolution from "Automatic" to "Seconds." Figure 8 shows the menu paths for these options.
Figure 8. Changing Wireshark’s time display format to UTC date and time.
When finished, the column display shows the UTC date and time as noted below in Figure 9. Now when we review a pcap, we immediately know the date and time of the network traffic.
Figure 9. UTC date and time in our updated Wireshark column display.
Our next step in customizing Wireshark is to remove columns we do not need for our day-to-day work.
Removing Columns
The No., Protocol and Length columns are not necessary when reviewing web-based traffic, so we suggest removing them. To remove these columns, right-click on the column header and select "Remove this Column" from the menu as shown below in Figure 10.
Figure 10. Removing the No. column in Wireshark.
Your updated column display should now show only four columns: Time, Source, Destination and Info, as noted in Figure 11.
Figure 11. The four columns remaining in our updated column display.
After removing the unnecessary columns, we are ready to add new columns to our Wireshark display.
Adding Columns
We can add columns in Wireshark using the Column Preferences window. To open this window, right-click on any of the column headers, then select “Column Preferences…” in the resulting menu as shown below in Figure 12.
Figure 12. Getting to the Column Preferences window.
This brings up the Column Preferences window, which lists all of Wireshark’s columns, viewed or hidden. Near the bottom-left side of the Column Preferences window are two buttons. One is labeled with a plus sign to add columns. The other has a minus sign to remove columns. Left-click on the plus sign as shown below in Figure 13.
Figure 13. The button to add a new column to Wireshark’s column display.
A new entry with the title “New Column” should appear at the bottom of the list. Double-click on the title to change the column name as shown below in Figure 14.
Figure 14. Renaming the newly created column.
Name this new column “Src port” and change the column type from number by double-clicking on column type setting as shown below in Figure 15.
Figure 15. Getting ready to change our newly created column’s type.
Click again to bring up a scrollable list of options for the column type. Scroll down and select “Src port (unresolved)” for the column type as shown below in Figure 16.
Figure 16. Selecting Src port (unresolved).
Next, create a new column entry, label it “Dst port” and select “Dest port (unresolved)” as the column type as shown below in Figure 17.
Figure 17. Selecting Dest port (unresolved) for a newly created Dst port column.
When finished, the Column Preferences window should show the two newly created columns as shown below in Figure 18.
Figure 18. Our two newly created columns for Wireshark’s column display.
We can drag these columns to place Src port after the Source address and Dst port after the Destination address entry. Left-click to select, hold the mouse button and drag the entry to its new position in the list. Figure 19 shows an attempt to move the Dst port column to a position immediately after the Destination address entry.
Figure 19. Moving our newly created Dst port column entry.
After moving our newly created Src port and Dst port entries, we suggest changing the column type for your Source address to “Src addr (unresolved)” and Destination address to “Dest addr (unresolved).” If you do this, the Column Preferences window should appear similar to Figure 20.
Figure 20. Our updated column list in the Column Preferences window.
After completing these changes, click OK to close the Column Preferences window. Wireshark should now display the following six columns (read: label - type):
Time - Time (format as specified)
Src - Src addr (unresolved)
Src port - Src port (unresolved)
Dst - Dest addr (unresolved)
Dst port - Dest port (unresolved)
Info - Information
Figure 21 shows an example of what this should look like.
Figure 21. Wireshark’s column display after updating our columns.
Figure 21 reveals our newly created Src port and Dst port columns are aligned to the right, while all the other columns are aligned to the left. Right click the column header for each of our right-aligned columns to bring up a menu, then click the “Align Left” checkbox to align these columns to the left. Figure 22 shows an example for the Src port column.
Figure 22. Aligning our newly created Src port column to the left.
When finished, the Src port and Dst port columns should be aligned to the left, matching all the other columns as shown below in Figure 23.
Figure 23. Src port and Dst port columns now aligned to the left.
While we can add several different types of columns through the Column Preferences window, we cannot add every conceivable column type. For example, we cannot add a column showing the domains associated with web traffic this way. Fortunately we can add a customized column that reveals these web traffic domains.
Adding Customized Columns
Wireshark allows users to add customized columns based on almost any value found in the frame details window. To better view the frame details, we should temporarily hide the hexadecimal view. Under the View menu, uncheck "Packet Bytes" as shown below in Figure 24.
Figure 24. Hiding the hexadecimal panel by unchecking the Packet Bytes view.
Now we should only have two sections displaying pcap data: the column display and the frame details.
First, we should create a customized column for domains used in unencrypted HTTP web traffic. In Wireshark, type http.request in the Wireshark filter bar and hit enter. Select the first frame in your column display. In the frame details section, expand the line for Hypertext Transmission Protocol. Then find the “Host” line. In this case, it should have msftconnecttest in the name. Left-click on that line to select it, then right-click to bring up a menu. Select “Apply as Column” as shown below in Figure 25.
Figure 25. Under the frame details window, find the line to create an HTTP hostname column.
This should create a new column titled Host as shown below in Figure 26.
Figure 26. Newly created Host column shown when viewing HTTP traffic in our pcap.
Next, let’s create another customized column for domains used in encrypted HTTPS web traffic. Clear your Wireshark filter bar, then type tls.handshake.type eq 1 and hit enter. Select the first frame in your column display.
In the frame details panel, expand the line for Transport Layer Security. Under that, expand the line for TLSv1.2 Record Layer: Handshake Protocol: Client Hello. Under that, expand the line that reads Handshake Protocol Client Hello. The expanded frame details are shown below in Figure 27.
Figure 27. Filtering on HTTPS traffic and expanding items in the frame details window.
Scroll down in the frame details section to find and expand the line that starts with Extension: server_name. Under that, find and expand the line that reads Server Name: Indication extension. Under that is a line that reads Server Name: geo.prod.do.dsp.mp.microsoft.com. Left-click on that line to select it, right-click to bring up a menu and select Apply as Column as shown below in Figure 28.
Figure 28. Under the frame details window, find the line to create an HTTPS server name column.
This should create a new column to the right of our recently created Host column titled “Server Name” as shown below in Figure 29.
Figure 29. Newly created Server Name column shown when viewing HTTPS traffic in our pcap.
Right-click any of the column headers to bring up a menu to reach our Column Preferences window again. In our Column Preferences window, we see these two newly created customized columns as shown below in Figure 30.
Figure 30. Our two newly created customized columns in the Column Preferences window.
To save screen space, we should combine these two columns into a single column. First, double-click on the Fields value in the Server Name entry and copy the text reading tls.handshake.extensions_server_name as shown below in Figure 31.
Figure 31. Copying the Fields value from the Server Name column.
Next, use the or operand to combine that text with the Fields value for the Host entry. The new value for the Host entry should read http.host or tls.handshake.extensions_server_name as shown below in Figure 32.
Figure 32. New Fields value for our recently created Host column.
Since both Fields values are now in the Host entry, delete the Server Name entry as shown below in Figure 33.
Figure 33. Delete the Server Name column, because it is no longer needed.
When finished, the list in your Column Preferences window should appear similar to Figure 34.
Figure 34. Our updated column display list.
Close the Column Preference window. Now we can filter for both HTTP and HTTPS activity, and any domains associated with this web traffic will appear in our updated Host column.
Type the following in your Wireshark filter:
http.request or tls.handshake.type eq 1
Scroll through the results in your updated Wireshark column display. The results should look similar to the Wireshark screenshot in Figure 35.
Figure 35. Updated Host column showing domains associated with web traffic.
Now that we have created all of our columns, we can hide any of them as needed.
Hiding Columns
When reviewing pcaps of web traffic generated by malware, the activity is often collected from a single internal IP address used by the infected host. One such example is a pcap generated by an online sandbox that analyzes malware. When investigating an alert for a suspected infection, investigators pull traffic from the internal IP associated with that alert, if the traffic is available.
In these cases, filtering on web traffic will reveal the same internal IP address in our Src column. For this tutorial, we captured our pcap from an internal IP address at 172.16.1[.]135, so our column display will only show that IP in the Src column when filtering for web traffic.
Because of this, we can hide the Src and Src port columns to better focus on the web traffic.
To hide any column in Wireshark, left-click on any of the column headers, then uncheck the columns you want to hide. Figure 36 shows unchecked boxes for the Src and Src port columns.
Figure 36. Hiding the Src and Src port columns by unchecking the boxes.
Hiding these columns provides a better idea of the traffic when viewing web activity. For example, we see the host generated unencrypted web traffic to the site httpforever[.]com on Aug. 7, 2023, at 18:57 UTC as revealed below in Figure 37.
Figure 37. A more concise view of the web traffic in our pcap.
Now that we have customized our column display, we should export our updated configuration profile.
Exporting Your Updated Configuration Profile
Recent versions of Wireshark allow users to export or load personal configuration profiles. This is useful when installing Wireshark in a new environment. Instead of redoing all the steps in this tutorial, we can load the profile saved from a previously exported configuration.
To export our newly customized configuration profile, select “Configuration Profiles…” under the Edit menu as shown below in Figure 38.
Figure 38. Menu path for the Configuration Profiles window.
The Configuration Profiles window should still have our customized profile selected. To export this profile, click on the Export button as shown below in Figure 39. You can export multiple personal profiles you have created.
Figure 39. Exporting your personal profile(s) from the Configuration Profile window.
Exported profile(s) are saved as a ZIP archive. If necessary, ensure your saved filename has a .zip file extension as shown below in Figure 40.
Figure 40. Save your exported profile(s) as a ZIP archive.
To import a saved profile, click the Import button in your Configuration Profiles window as shown below in Figure 41.
Figure 41. Importing a previously exported configuration profile from the Configuration Profiles window.
Conclusion
Wireshark’s default configuration works well for many people, but users can customize Wireshark to better fit their specific needs. For example, the customizations in this tutorial can be extremely useful when reviewing web traffic to determine an infection chain.
A previously undocumented threat actor dubbed Sandman has been attributed to a set of cyber attacks targeting telecommunic koation providers in the Middle East, Western Europe, and the South Asian subcontinent.
Notably, the intrusions leverage a just-in-time (JIT) compiler for the Lua programming language known as LuaJIT as a vehicle to deploy a novel implant called LuaDream.
"The activities we observed are characterized by strategic lateral movement to specific targeted workstations and minimal engagement, suggesting a deliberate approach aimed at achieving the set objectives while minimizing the risk of detection," SentinelOne security researcher Aleksandar Milenkoski said in an analysis published in collaboration with QGroup.
"The implementation of LuaDream indicates a well-executed, maintained, and actively developed project of a considerable scale."
Neither the campaign nor its tactics have been correlated with any known threat actor or group, although available evidence points to a cyber espionage adversary with a penchant for targeting the telecom sector across geographies. The attacks were first observed over several weeks in August 2023.
"The LuaDream staging chain is designed to evade detection and thwart analysis while deploying the malware directly into memory," Milenkoski explained. "LuaDream's implementation and staging process leverage the LuaJIT platform, the just-in-time compiler for the Lua scripting language. This is primarily to make malicious Lua script code difficult to detect."
String artifacts contained within the implant's source code reference June 3, 2022, indicating that the preparatory work has been underway for more than a year.
It's suspected that LuaDream is a variant of a new malware strain referred to as DreamLand by Kaspersky in its APT trends report for Q1 2023, with the Russian cybersecurity company describing it as employing "the Lua scripting language in conjunction with its Just-in-Time (JIT) compiler to execute malicious code that is difficult to detect."
The use of Lua is something of a rarity in the threat landscape, having been previously observed in three different instances since 2012: Flame, Animal Farm (aka SNOWGLOBE), and Project Sauron.
The exact mode of initial access remains unclear, but it has been observed stealing administrative credentials and conducting reconnaissance to breach workstations of interest and ultimately deliver LuaDream.
A modular, multi-protocol backdoor with 13 core and 21 support components, LuaDream is primarily designed to exfiltrate system and user information as well as manage attacker-provided plugins that expand on its features, such as command execution. It also features various anti-debugging capabilities to evade detection and thwart analysis.
Command-and-control (C2) communication is accomplished by establishing contact with a domain named "mode.encagil[.]com" using the WebSocket protocol. But it can also listen for incoming connections over TCP, HTTPS, and QUIC protocols.
The core modules implement all of the aforementioned features, while the support components are responsible for augmenting the backdoor's capabilities to await connections based on the Windows HTTP server API and execute commands.
"LuaDream stands as a compelling illustration of the continuous innovation and advancement efforts that cyber espionage threat actors pour into their ever-evolving malware arsenal," Milenkoski said.
The disclosure coincides with a parallel report from SentinelOne which detailed sustained strategic intrusions by Chinese threat actors in Africa, including those aimed at telecommunication, finance and government sectors in Africa, as part of activity clusters dubbed BackdoorDiplomacy, Earth Estries, and Operation Tainted Love.
The goal, the company said, is to extend influence throughout the continent and leverage such offensives as part of its soft power agenda.
SentinelOne said it detected a compromise of a telecommunications entity based in North Africa by the same threat actor behind Operation Tainted Love, adding the timing of the attack aligned with the organization's private negotiations for further regional expansion.
"Targeted intrusions by the BackdoorDiplomacy APT and the threat group orchestrating Operation Tainted Love indicate a level intention directed at supporting [China in its efforts to] shape policies and narratives aligned with its geostrategic ambitions, establishing itself as a pivotal and defining force in Africa's digital evolution," security researcher Tom Hegel said.
It also comes days after Cisco Talos revealed that telecommunication service providers in the Middle East are the target of a new intrusion set dubbed ShroudedSnooper that employs a set of stealthy backdoors called HTTPSnoop and PipeSnoop.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://bit.ly/3F7ioBf
via IFTTT
Internships are a great way to retain top talent. According to the National Association of Colleges and Employers, interns are 16% more likely to to stay with the company they interned with than those who interned elsewhere. But what happens when an intern comes to work for a company not just for one summer, but two summers?
To find out, we asked four returning Hashi-interns about why they chose to come back to work with us and how HashiCorp is helping them gain real-world experience and skills.
From left to right:
Kelly McCarthy: Solutions Engineer I, Williams College
Machi Dima: People Team Generalist Intern, University of Washington
Madeline Mallory: Sales Program Coordinator Intern, University of Colorado
Sonya Pieklik: Solutions Engineer I, University of Texas
Many students try to obtain internships with multiple companies. How do you feel returning for a second summer with HashiCorp benefited your career progression?
Kelly McCarthy: I think my two internships with HashiCorp benefitted my career progression because it allowed me to explore two potential occupations (Inside Sales and Solutions Engineering) within the same company environment and working with the same set of tools. In addition, my first internship was remote, while my second summer was spent in-person at HashiCorp’s Austin office.
Machi Dima: Returning allowed me to develop a broader understanding of how different departments collaborate, especially because I interned with two different teams. During my second internship, I was able to strengthen existing relationships and develop a more extensive professional network. I even had the chance to present my projects to executive leaders and have regular meetings with them while helping plan an important offsite event. These connections have been incredibly valuable to me as many of the execs have offered career guidance.
Madeline Mallory: I think students intern with multiple different companies in order to gain experience from different aspects of a company. But I feel that returning to HashiCorp for a second summer helped me learn more than I could have at a second internship with a different company. Interning at HashiCorp let me try different things, be exposed to different programs, and learn from a variety of people. It also shows the growth potential of working at HashiCorp. I feel that returning to HashiCorp for a second internship significantly benefited my career progression and has enabled me to see where my career is headed in the future.
Sonya Pieklik: Returning to HashiCorp for a second summer was one of the best choices I made for my future career. As a returning intern, I already knew the team and the products that I would be working with, as well as the day-to-day activities of a Solutions Engineer. This gave me the opportunity to help other interns onboard more quickly. Being a second-year intern gave me the opportunity to act as a leader. Before interning at HashiCorp, I had interned at a couple of other companies. While I had a great time, it was difficult to make much of an impact in a few short months. Returning to HashiCorp helped me fine tune my technical skills and prepare for a full-time position.
How do your experiences from your first and second summers compare?
Kelly: During my first summer, I was a Sales Development Representative intern and learned how they partnered with Solutions Engineering teams. The following summer, I switched roles to intern as a Solutions Engineer. What I believe was most beneficial was the appreciation and understanding I gained from seeing both occupations. I observed how they operate independently while simultaneously supporting one another. It really helped shed light on the team aspect of sales. I am looking forward to joining that team and continuing to learn and grow my career at HashiCorp.
Machi: My first internship as a Recruiting Coordinator Intern with the Early Career team allowed me to further develop my organizational, communication, and time-management skills. My second internship as a People Team Generalist intern, I supported both the DE&I and the Communications Directors. It has been extremely valuable for my career. It allowed me to develop a broader skill set and gain insights into creating inclusive initiatives and fostering diversity within the workplace, while also exposing me to content creation, event planning, and effective communication strategies. Handling the challenges of supporting two teams pushed me out of my comfort zone, leading to significant personal growth. I learned to adapt quickly, manage my time efficiently, and prioritize tasks effectively.
Madeline: The greatest differences between my first and second internships was switching from working in the office to being fully remote, and from a Customer Success Manager intern role into a Program Coordinator intern role. While working in person made it easier to collaborate with teammates and meet colleagues, remote work helped improve my problem-solving skills. With no one sitting right next to you, there’s more incentive to take a few extra steps to answer your own questions.
Sonya: I had the privilege of being part of HashiCorp’s first cohort of interns, which was exciting because we were able to help build out the expectations and learning paths for future interns. I was also given the opportunity to work alongside Solutions Engineers and work with beta products.
My second year allowed me to learn more about emerging products such as HashiCorp Packer, and also go more in depth with the products that I already knew, like HashiCorp Terraform. My first summer was all remote, but for my second summer, the SE intern team worked out of the Austin office, which was a fantastic experience as I was able to meet the other interns, the SE team, and collaborate in person.
What are some benefits to working at the same company twice?
Kelly: One of the biggest benefits is familiarity with the people, which really helped me transition to the in-person internship experience. Colleagues who I had met virtually in my first internship were there to welcome me aboard during my first week, which helped me get acclimated quickly. My biggest piece of advice, regardless of whether you intend to return to a company for a second summer or not, is to meet as many people as you can. Every person that you work with has a unique set of experiences and skills that you can learn from.
Machi: Working with the DE&I team was an incredible experience because it allowed me to actively participate in organizing workshops and collaborate with all the employee resource groups (ERGs). It was an opportunity for me to contribute to promoting inclusivity through content creation. On the other hand, my time with the Comms team allowed me to make meaningful contributions in event planning. I'm really passionate about building my career in either HR or communications, and both my summers were instrumental in shaping my career goals. Having hands-on experience in both areas is going to make me a much more well-rounded and competitive candidate when I start looking for future job opportunities.
Madeline: One of the biggest benefits of being a returning intern is the ability to continue building on the relationships that you have already established with people at the company. When returning to a company, you’re already familiar with the way things work. This eliminates the introduction period when starting to work with a new boss or team, and enabling interns to hit the ground running.
Sonya: Being a returning intern can shorten the onboarding experience. Having a stronger grasp on processes, product knowledge, and client needs going in can give interns a sturdier launchpad. Returning can also help interns build better rapport with their team as well as with partnering teams. It also shows loyalty and commitment to the organization.
from HashiCorp Blog https://bit.ly/3t0kqA5
via IFTTT
Welcome to this week’s edition of the Threat Source newsletter.
As a former reporter, I’ve seen my fair share of press releases. But one from a threat actor was definitely a new one for me last week.
ALPHV (aka BlackCat) publicly took credit for a massive cyber attack against MGM, a resort, gambling and sports betting company best known for its massive casinos. The attack took down slot machines, guest reservation systems, and more belonging to MGM, and the company is still feeling the effects as of Tuesday.
And despite every major news outlet reporting on the incident, the actor wanted to take messaging into its own hands and “clarify” what happened exactly. Attackers have occasionally posted updates and pseudo-press releases in the past, but this particular press release on ALPHV’s leak site (don’t worry I didn’t actually link to their site) was peak unintentional comedy to me.
For starters, the actor blamed MGM for not using their official communication channels to contact them to start negotiating a ransom payment:
“As they were not responding to our emails with the special link provided (In order to prevent other IT Personnel from reading the chats) we could not actively identify if the user in the victim chat was authorized by MGM Leadership to be present,” the statement reads.
They also said that, hypothetically, if personally identifiable information *had* been stolen, they would allow the website Have I Been Pwned? to responsibly disclose this information, even though they stopped short of saying they stole PII.
Lastly, they took a victory lap by saying several news outlets had reported false information, claimed attribution too early, or made ALPHV seem too basic of a threat actor because the tactics, techniques and procedures “used by the people they blame for the attacks are known to the public and are relatively easy for anyone to imitate.”
The entire statement reads as someone who thinks they’ve done nothing wrong, and certainly written to intimate that the situation could have gone much more smoothly had MGM just reached out to the threat actor early on through what is deemed as the appropriate channels and negotiated early.
So, it makes me wonder what ALPHV thinks they’re gaining from all this? Part of me wonders if they were upset that public reporting had connected the attack to a group called “'Scattered Spider” and they wanted to make sure everyone knew who deserved the credit. Or it could have been that they wanted to turn up the heat on MGM representatives and apply public pressure to hopefully get them to communicate and settle on a ransom payment.
It reads as if ALPHV really wants to come across as the “good guys” in this case, but I’m not sure who outside of dark web circles would be willing to feel sorry for them.
The one big thing
Talos researchers recently discovered a new malware family we’re calling “HTTPSnoop” being deployed against telecommunications providers in the Middle East. HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint. We also discovered a sister implant to “HTTPSnoop” we’re naming “PipeSnoop,” which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. All these new tools are linked to a group we’re calling “ShroudedSnooper.”
Why do I care?
This activity is a continuation of a trend we have been monitoring over the last several years in which sophisticated actors are frequently targeting the telecommunications sector. This sector was consistently a top-targeted industry vertical in 2022, according to Cisco Talos Incident Response data. However, since this is a new, relatively unknown group, we can’t be certain that they’ll only stick to targeting this particular field. The various malware at their disposal can leave a backdoor on infected machines for future attacks and malware installations and execute arbitrary shellcode on the infected endpoint.
So now what?
We found specific URL patterns that make it look like the infected system being contacted is a server hosting Microsoft’s Exchange Web Services (EWS) API. The URLs consisted of “ews” and “autodiscover” keywords over Ports 443 and 444. The blog post has a list of these patterns so potentially affected targets can scan to see if they're infected. There is also a host of detection content available for Cisco Secure products.
Top security headlines of the week
Apple released long-awaited updates to its “Lockdown Mode” with iOS 17 this week, its answer to a recent global uptick in spyware attacks. Lockdown Mode now also works on Apple Watches, in addition to iPhones and iPads, which is notable because threat actors have increasingly started targeting Apple Watches with spyware. New features also remove geolocation information from photos when Lockdown Mode is enabled and automatically block insecure Wi-Fi networks. Apple and other cellphone manufacturers are working on addressing the use of cell site simulators, also known as “stingrays.” These fake cell base stations track phone locations and spy on calls and messages after a device connects to it. Google also announced new features earlier this year that ensure their devices’ communications are always encrypted when connecting to cell towers. (TechCrunch, Electronic Frontier Foundation)
The U.S. Cybersecurity and Infrastructure Security Agency announced a new program offering free security scans to public water utilities and other critical infrastructure. CISA is offering to run specialized scanners to identify a facility’s vulnerabilities and any weak configurations on internet-exposed endpoints. Then, they generate a report of any flaws or vulnerabilities found and send the plant a list of recommendations and offers for further scans to determine if the potential target has taken the appropriate steps to solve the issues. A brochure for the new program promises a “significant reduction in identified vulnerabilities in the first few months of scanning for newly enrolled water utilities.” (StateScoop, CISA)
China’s government has accused the U.S. of a campaign to infiltrate servers belonging to tech company Huawei to conduct cyber attacks and steal information, potentially as far back as 2009. China's Ministry of State Security on Wednesday outlined the accusations in a post on its WeChat account Wednesday. "In 2009, the Office of Tailored Access Operations started to infiltrate servers at Huawei's headquarters and continued conducting such surveillance operations," the post reads. China and the U.S. have continually launched accusations of spying on one another this year as tensions between the two nations rise. China also accused the U.S. National Security Agency of installing a backdoor tool that "runs secretly on thousands of network devices in many countries around the world” meant to steal data from other governments, including China and Russia. (Nikkei Asia, The Register)
Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with one-click zero-day exploit.
Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.
Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.
Most prevalent malware files from Talos telemetry over the past week
