Saturday, September 23, 2023

Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics

Cybersecurity researchers have discovered a previously undocumented advanced backdoor dubbed Deadglyph employed by a threat actor known as Stealth Falcon as part of a cyber espionage campaign.

"Deadglyph's architecture is unusual as it consists of cooperating components – one a native x64 binary, the other a .NET assembly," ESET said in a new report shared with The Hacker News.

"This combination is unusual because malware typically uses only one programming language for its components. This difference might indicate separate development of those two components while also taking advantage of unique features of the distinct programming languages they utilize."

It's also suspected that the use of different programming languages is a deliberate tactic to hinder analysis, making it a lot more challenging to navigate and debug.

Unlike other traditional backdoors of its kind, the commands are received from an actor-controlled server in the form of additional modules that allow it to create new processes, read files, and collect information from the compromised systems.

Stealth Falcon (aka FruityArmor) was first exposed by the Citizen Lab in 2016, linking it to a set of targeted spyware attacks in the Middle East aimed at journalists, activists, and dissidents in the U.A.E. using spear-phishing lures embedding booby-trapped links pointing to macro-laced documents to deliver a custom implant capable of executing arbitrary commands.

A subsequent investigation undertaken by Reuters in 2019 revealed a clandestine operation called Project Raven that involved a group of former U.S. intelligence operatives who were recruited by a cybersecurity firm named DarkMatter to spy on targets critical of the Arab monarchy.

Stealth Falcon and Project Raven are believed to be the same group based on the overlaps in tactics and targeting.

The group has since been linked to the zero-day exploitation of Windows flaws such as CVE-2018-8611 and CVE-2019-0797, with Mandiant noting in April 2020 that the espionage actor "used more zero-days than any other group" from 2016 to 2019.

In 2019, ESET detailed the adversary's use of a backdoor named Win32/StealthFalcon that was found to use the Windows Background Intelligent Transfer Service (BITS) for command-and-control (C2) communications and to gain complete control of an endpoint.

Deadglyph is the latest addition to Stealth Falcon's arsenal, according to the Slovak cybersecurity firm, which analyzed an intrusion at an unnamed governmental entity in the Middle East.

The exact method used to deliver the implant is currently unknown, but the initial component that activates its execution is a shellcode loader that extracts and loads shellcode from the Windows Registry, which subsequently launches Deadglyph's native x64 module, referred to as the Executor.

The Executor then proceeds with loading a .NET component known as the Orchestrator that, in turn, communicates with the command-and-control (C2) server to await further instructions. The malware also engages in a series of evasive maneuvers to fly under the radar, including the ability to uninstall itself.

The commands received from the server are queued for execution and can fall into one of three categories: Orchestrator tasks, Executor tasks, and Upload tasks.

"Executor tasks offer the ability to manage the backdoor and execute additional modules," ESET said. "Orchestrator tasks offer the ability to manage the configuration of the Network and Timer modules, and also to cancel pending tasks."

Some of the identified Executor tasks comprise process creation, file access, and system metadata collection. The Timer module is used to poll the C2 server periodically in combination with the Network module, which implements the C2 communications using HTTPS POST requests.

Upload tasks, as the name implies, allow the backdoor to upload the output of commands and errors.

ESET said it also identified a control panel (CPL) file that was uploaded to VirusTotal from Qatar, which is said to have functioned as a starting point for a multi-stage chain that paves the way for a shellcode downloader that shares some code resemblances with Deadglyph.

While the nature of the shellcode retrieved from the C2 server remains unclear, it has been theorized that the content could potentially serve as the installer for the Deadglyph malware.

Deadglyph gets its name from artifacts found in the backdoor (hexadecimal IDs 0xDEADB001 and 0xDEADB101 for the Timer module and its configuration), coupled with the presence of a homoglyph attack impersonating Microsoft ("Ϻicrоsоft Corpоratiоn") in the Registry shellcode loader's VERSIONINFO resource.

"Deadglyph boasts a range of counter-detection mechanisms, including continuous monitoring of system processes and the implementation of randomized network patterns," the company said. "Furthermore, the backdoor is capable of uninstalling itself to minimize the likelihood of its detection in certain cases."


from The Hacker News

Apple and Chrome Zero-Days Exploited to Hack Egyptian ex-MP with Predator Spyware

The three zero-day flaws addressed by Apple on September 21, 2023, were leveraged as part of an iPhone exploit chain in an attempt to deliver a spyware strain called Predator targeting former Egyptian member of parliament Ahmed Eltantawy between May and September 2023.

"The targeting took place after Eltantawy publicly stated his plans to run for President in the 2024 Egyptian elections," the Citizen Lab said, attributing the attack with high confidence to the Egyptian government owing to it being a known customer of the commercial spying tool.

According to a joint investigation conducted by the Canadian interdisciplinary laboratory and Google's Threat Analysis Group (TAG), the mercenary surveillance tool is said to have been delivered via links sent on SMS and WhatsApp.

"In August and September 2023, Eltantawy's Vodafone Egypt mobile connection was persistently selected for targeting via network injection; when Eltantawy visited certain websites not using HTTPS, a device installed at the border of Vodafone Egypt's network automatically redirected him to a malicious website to infect his phone with Cytrox's Predator spyware," the Citizen Lab researchers said.

The exploit chain leveraged a set of three vulnerabilities – CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993 – which could allow a malicious actor to bypass certificate validation, elevate privileges, and achieve remote code execution on targeted devices upon processing specially crafted web content.

Predator, made by a company called Cytrox, is analogous to NSO Group's Pegasus, enabling its customers to surveil targets of interest and harvest sensitive data from compromised devices. Part of a consortium of spyware vendors called the Intellexa Alliance, it was blocklisted by the U.S. government in July 2023 for "enabling campaigns of repression and other human rights abuses."

The exploit, hosted on a domain named sec-flare[.]com, is said to have been delivered after Eltantawy was redirected to a website named c.betly[.]me by means of a sophisticated network injection attack using Sandvine's PacketLogic middlebox situated on a link between Telecom Egypt and Vodafone Egypt.

"The body of the destination website included two iframes, ID 'if1' which contained apparently benign bait content (in this case a link to an APK file not containing spyware) and ID 'if2' which was an invisible iframe containing a Predator infection link hosted on sec-flare[.]com," the Citizen Lab said.

Google TAG researcher Maddie Stone characterized it as a case of an adversary-in-the-middle (AitM) attack that takes advantage of a visit to a website using HTTP (as opposed to HTTPS) to intercept and force the victim to visit a different site operated by the threat actor.

"In the case of this campaign, if the target went to any 'http' site, the attackers injected traffic to silently redirect them to an Intellexa site, c.betly[.]me," Stone explained. "If the user was the expected targeted user, the site would then redirect the target to the exploit server, sec-flare[.]com."

Eltantawy received three SMS messages in September 2021, May 2023, and September 2023 that masqueraded as security alerts from WhatsApp urging Eltantawy to click on a link to terminate a suspicious login session originating from a purported Windows device.

While these links don't match the fingerprint of the aforementioned domain, the investigation revealed that the Predator spyware was installed on the device approximately 2 minutes and 30 seconds after Eltantawy read the message sent in September 2021.

He also received two WhatsApp messages on June 24, 2023, and July 12, 2023, in which an individual claiming to be working for the International Federation for Human Rights (FIDH) solicited his opinion on an article that pointed to the website sec-flare[.]com. The messages were left unread.

Google TAG said it also detected an exploit chain that weaponized a remote code execution flaw in the Chrome web browser (CVE-2023-4762) to deliver Predator on Android devices using two methods: the AitM injection and via one-time links sent directly to the target.

CVE-2023-4762, a type confusion vulnerability in the V8 engine, was anonymously reported on August 16, 2023, and patched by Google on September 5, 2023, although the internet giant assesses that Cytrox/Intellexa may have used this vulnerability as a zero-day.

According to a brief description on the National Vulnerability Database (NVD), CVE-2023-4762 concerns a "type confusion in V8 in Google Chrome prior to 116.0.5845.179 [that] allowed a remote attacker to execute arbitrary code via a crafted HTML page."

The latest findings, besides highlighting the abuse of surveillance tools to target civil society, underscore the blind spots in the telecom ecosystem that could be exploited to intercept network traffic and inject malware into targets' devices.

"Although great strides have been made in recent years to 'encrypt the web,' users still occasionally visit websites without HTTPS, and a single non-HTTPS website visit can result in spyware infection," the Citizen Lab said.

Users who are at risk of spyware threats because of "who they are or what they do" are recommended to keep their devices up-to-date and enable Lockdown Mode on iPhones, iPads, and Macs to stave off such risks.


from The Hacker News

Friday, September 22, 2023

0-days exploited by commercial surveillance vendor in Egypt

Last week Google’s Threat Analysis Group (TAG), in partnership with The Citizen Lab, discovered an in-the-wild 0-day exploit chain for iPhones. Developed by the commercial surveillance vendor, Intellexa, this exploit chain is used to install its Predator spyware surreptitiously onto a device.

In response, yesterday, Apple patched the bugs in iOS 16.7 and iOS 17.0.1 as CVE-2023-41991, CVE-2023-41992, CVE-2023-41993. This quick patching from Apple helps to better protect users and we encourage all iOS users to install them as soon as possible.

Exploit delivery via man-in-the-middle (MITM)

The Intellexa exploit chain was delivered via a “man-in-the-middle” (MITM) attack, where an attacker is in between the target and the website they’re trying to reach. If the target is going to a website using ‘http’, then the attacker can intercept the traffic and send fake data back to the target to force them to a different website. Visiting a website using ‘https’ means that the traffic is encrypted, and it is easily verifiable that the received data came from the intended website using their certificate. That is not the case when using ‘http’.

In the case of this campaign, if the target went to any ‘http’ site, the attackers injected traffic to silently redirect them to an Intellexa site, c.betly[.]me. If the user was the expected targeted user, the site would then redirect the target to the exploit server, sec-flare[.]com. While there’s a spotlight on “0-click” vulnerabilities (bugs that don’t require user interaction) this MITM delivery also didn’t require the user to open any documents, click a specific link, or answer any phone calls.

iOS Exploit Chain

As soon as the attacker redirected the target to their exploit server, the exploit chain began to execute. For iOS, this chain included three vulnerabilities:

  • CVE-2023-41993: Initial remote code execution (RCE) in Safari
  • CVE-2023-41991: PAC bypass
  • CVE-2023-41992: Local privilege escalation (LPE) in the XNU Kernel

The chain then ran a small binary to decide whether or not to install the full Predator implant. However, TAG was unable to capture the full Predator implant.

We plan to publish a technical deep dive on these exploits in line with the Google vulnerability disclosure policy.

Android Exploit Chain

The attacker also had an exploit chain to install Predator on Android devices in Egypt. TAG observed these exploits delivered in two different ways: the MITM injection and via one-time links sent directly to the target. We were only able to obtain the initial renderer remote code execution vulnerability for Chrome, which was exploiting CVE-2023-4762.

This bug had already been separately reported to the Chrome Vulnerability Rewards Program by a security researcher and was patched on September 5th. We assess that Intellexa was also previously using this vulnerability as a 0-day.

Chrome's work to protect against MITM

For years, Chrome has worked toward universal HTTPS adoption across the web. Additionally Chrome has an “HTTPS-First Mode” that can reduce the likelihood of exploits being delivered via MITM network injection. "HTTPS-First Mode" will attempt to load all pages over HTTPS, and show a large warning before falling back to sending an HTTP request. This setting is currently on by default for users enrolled in the Advanced Protection Program who are also signed into Chrome. We encourage all users to enable “HTTPS-First Mode” to better protect themselves from MITM attacks.
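The MITM delivery described in this post works only because the victim's browser sends a plaintext HTTP request that can be answered by a middlebox. Browser-side settings such as HTTPS-First Mode close that window from one side; site operators close it from the other by redirecting every http:// request to https:// and by sending a Strict-Transport-Security (HSTS) header strong enough for preloading, since HSTS is only learned on an earlier HTTPS visit and the preload list covers the very first visit. The script below is an added example (not Google's or TAG's code) that audits both properties. `assess_site` works on status and headers alone, so the constructed sample responses run offline; `fetch` is an optional helper that retrieves real headers with a plain `http.client` request when a hostname is given on the command line.

```python
import http.client
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict of
    lower-cased directives. Returns {} when the header is absent or empty."""
    directives = {}
    for part in (value or "").split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"')
    return directives


def assess_site(http_status, http_headers, https_headers):
    """Findings about how a site treats plaintext visitors.

    http_status / http_headers: the response to a GET over http://
    https_headers: the response headers from the https:// origin
    (browsers ignore HSTS received over plaintext http).
    """
    findings = []
    http_h = {k.lower(): v for k, v in http_headers.items()}
    location = http_h.get("location", "")
    redirected = http_status in (301, 302, 307, 308) and urlsplit(location).scheme == "https"
    if not redirected:
        findings.append("plaintext http request is not redirected to https")

    https_h = {k.lower(): v for k, v in https_headers.items()}
    hsts = parse_hsts(https_h.get("strict-transport-security"))
    if not hsts:
        findings.append("https response carries no Strict-Transport-Security header")
        return findings
    try:
        max_age = int(hsts.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age={max_age} is below one year")
    if "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains")
    if "preload" not in hsts:
        findings.append("HSTS lacks preload, so the very first http visit is unprotected")
    return findings


def fetch(host, https, path="/", timeout=5):
    """(status, headers) for one GET that deliberately does not follow redirects."""
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(host, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


# Constructed sample responses for offline use (not captured from any real site).
HARDENED = (301, {"Location": "https://example.test/"},
            {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})
WEAK = (200, {"Content-Type": "text/html"},
        {"Strict-Transport-Security": "max-age=300"})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        host = sys.argv[1]
        status, http_h = fetch(host, https=False)
        _, https_h = fetch(host, https=True)
        findings = assess_site(status, http_h, https_h)
    else:
        findings = assess_site(*WEAK)
    print("\n".join(findings) or "no findings")
```

A site that passes with no findings still cannot protect a user's first-ever plaintext request until it is actually on the browsers' preload list; submitting it there is the final step, and the header requirements above are the entry conditions for that list.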


This campaign is yet another example of the abuses caused by the proliferation of commercial surveillance vendors and their serious risk to the safety of online users. TAG will continue to take action against, and publish research about, the commercial spyware industry, as well as work across the public and private sectors to push this work forward.

We would like to acknowledge and thank The Citizen Lab for their collaboration and partnership in the capturing and analysis of these exploits, and Apple for deploying a timely patch for the safety of online users.

from Threat Analysis Group (TAG)

How to deal with your brand's doppelgangers | Kaspersky official blog

As soon as your company becomes more or less famous, more often than not someone starts exploiting your success for their own purposes. At best, they simply hide behind your name in order to promote goods and services of dubious quality. At worst, they prey on your clients, partners, or even employees. The latter – including the information security department – often don’t even suspect the existence of malicious doppelgangers until their actions begin to cause a flurry of letters to your customer support, or a scandal on social networks. In any case, such incidents negatively affect your company’s reputation. Three types of internet doppelgangers are the most common.

Fake apps in stores

These days, almost every serious business has its own app for convenient customer access to online services – sometimes more than one. Therefore, it’s no surprise that when you search for this or that app in an online store you get more than one result. Sure, most users will download the most popular option, but most likely some will fall for the scammers’ trick and install a fake one – especially if they receive a direct link to it. Inside, anything can be lurking – from a banking Trojan to tools for remote access to your device. Quite recently, our experts found several modified versions of popular instant-messenger apps on Google Play containing spyware code.

Fake social media accounts

Social media accounts purporting to relate to your company can be used by criminals in a variety of different schemes. They are often used to spread false information – to promote some semi-legal (online casinos) or outright fraudulent activities (giveaways for all kinds of prizes, tickets or bitcoins) supposedly affiliated with your brand. However, a fake account can also distribute malicious or phishing links, or serve as a platform for more sophisticated social engineering attacks.

Phishing sites

If your website has a member area for clients, partners or employees, then you can rest assured that the personal credentials for their accounts are of interest to attackers. Therefore, you should not be surprised if at some point attackers will try to imitate your site in order to harvest logins and passwords – at least in order to resell this information to other cybercriminals.

How to protect a company’s reputation from copy-cats?

In the vast majority of cases, the various illegal schemes involving imitation of your website, app, or social media account are aimed at someone else (whether individuals or other companies). However, it’s your reputation that suffers. Therefore, such doppelgangers should be identified and eliminated before they can cause significant damage. Doing this yourself isn’t very convenient, so we’ve updated our Digital Footprint Intelligence service, which can help with this problem.

The Kaspersky Digital Footprint Intelligence service is designed to enable customers to monitor their digital footprint and identify potential risks and vulnerabilities associated with it. Some time ago, its functionality was supplemented with monitoring for phishing sites that use brand names or were registered using typosquatting and combosquatting, as well as with a domain takedown service.

Now the service also allows you to track, identify, and take down accounts on social networks and applications in stores that are illegally using your company name. You can learn more about Kaspersky Digital Footprint Intelligence on the solution's website.

from Kaspersky official blog

pfSense Takes Home 42 Awards in the G2 Fall 2023 Report

pfSense® software from Netgate® received 42 awards in the G2 Fall 2023 report in several categories, including new regional awards in EMEA, Asia Pacific, and the Americas. The list included Enterprise, Mid-Market, and Small Business awards in categories such as Best Estimated ROI, Best Relationship, Best Usability, Most Implementable, and Users Most Likely to Recommend, for both the Firewall Software and Business VPN groups.


These G2 awards are based on reviews by real users. The number of awards we have received is an important sign that we continue to provide valuable network security solutions. Placing first in so many of these categories provides further validation that our work is important and appreciated. We are honored to receive these awards and grateful to our customers for your support. We continue to strive for excellence in all we do, and we look forward to providing even more high-performance and affordable firewall, VPN, and routing solutions in the future. Thank you to everyone who has supported us along the way – we couldn't have done it without you!

Top pfSense Software Awards

   #1 EMEA Regional Grid® Report for Business VPN
   #1 Asia Pacific Regional Grid® Report for Business VPN
   #1 Small-Business EMEA Regional Grid® Report for Business VPN
   #1 Small-Business Americas Regional Grid® Report for Business VPN
   #1 Europe Regional Grid® Report for Business VPN 
   #1 Momentum Grid® Report for Firewall Software
   #1 Small-Business Usability Index for Firewall Software
   #1 Mid-Market Results Index for Business VPN
   #1 Small-Business Results Index for Business VPN
   #1 Results Index for Business VPN Overall
   #1 Small-Business Results Index for Firewall Software
   #1 Results Index for Firewall Software Overall
   #1 Small-Business Relationship Index for Business VPN
   #1 Relationship Index for Business VPN Overall
   #1 Enterprise Relationship Index for Firewall Software
   #1 Small-Business Relationship Index for Firewall Software
   #1 Relationship Index for Firewall Software
   #1 Small-Business Implementation Index for Business VPN
   #1 Implementation Index for Business VPN
   #1 Enterprise Implementation Index for Firewall Software
   #1 Small-Business Implementation Index for Firewall Software
   #1 Implementation Index for Firewall Software
   #1 Small-Business Grid® Report for Business VPN
   #1 Small-Business Grid® Report for Firewall Software

Other Notable pfSense Software Awards
   #3 Usability Index for Firewall Software Overall
   #3 Grid® Report for Firewall Software Overall
   #2 Grid® Report for Business VPN Overall
   #3 Enterprise Grid® Report for Business VPN Overall

More on pfSense Software
The world’s leading open-source-driven firewall, router, and VPN solution for network edge and cloud secure networking, pfSense Plus software is the world’s most trusted firewall. The software has garnered the respect and adoration of users worldwide - installed well over seven million times. pfSense software is made possible by open-source technology and made into a robust, reliable, dependable product by Netgate. 

Get pfSense Today

More About Us
Netgate is constantly striving to provide leading-edge network security at a fair price. We are the primary developer and maintainer of pfSense software, an open-source firewall, VPN, and router platform, and TNSR®, a high-performance software router based on Vector Packet Processing (VPP), of which we are a leading contributor. We also fund additional open source work that we upstream to projects like FreeBSD, the Linux Foundation, Clixon, and others. Please contact us with any questions about using pfSense software to solve your small business, mid-market, or enterprise needs.

from Blog

Thursday, September 21, 2023

Wireshark Tutorial: Changing Your Column Display



Executive Summary

Wireshark is a free protocol analyzer that can record and display packet captures (pcaps) of network traffic. IT professionals use this tool to investigate a wide range of network issues. Security professionals also use Wireshark to review traffic generated from malware.

What makes Wireshark so useful? It is very customizable. Wireshark’s default column display provides a wealth of information, but you should customize the columns to meet your specific needs.

This article is the first in a series of Wireshark tutorials that provides customization options helpful for investigating malicious network traffic. It was first published in August 2018 and has been updated for 2023.

Table of Contents

Supporting Material
Wireshark Version Check
Configuration Profiles
Web Traffic and the Default Wireshark Column Display
Changing Date and Time to UTC
Removing Columns
Adding Columns
Adding Customized Columns
Hiding Columns
Exporting Your Updated Configuration Profile


We recommend using a non-Windows environment like BSD, Linux or macOS. Pcaps from Windows infections may contain malicious binaries that present a risk of infection when using Wireshark on a Windows computer. For this tutorial, we use the Xubuntu Linux distro.

If possible, review pcaps using the most recent version of Wireshark for your environment. Recent versions have more features, capabilities and bug fixes than older versions. We recommend at least version 3.6.2 or later. In this tutorial, we use Wireshark version 4.0.7.

Wireshark users must have a basic understanding of network traffic, and this series of tutorials focuses on IPv4 traffic. The term “basic understanding” means different things to different people, but the knowledge does not have to be extensive.

For example, readers should know the difference between a public IPv4 address and an internal, nonroutable IPv4 address. Basic network knowledge includes recognizing TCP and UDP traffic and knowing about DNS. Readers should also have some idea how network traffic is routed between an internal client like a desktop computer and an external server like a website.

Ultimately, this series of tutorials assumes readers have some sort of background and interest in reviewing malicious network traffic.

Supporting Material

The pcap for this tutorial is hosted at our GitHub repository. Download the pcap as shown below in Figure 1.

Image 1 is a screenshot of the Unit 42 Wireshark tutorials GitHub. A black arrow indicates the icon to download a file, which in this case is the tutorial for the column setup. A second black arrow points to the save button of the popup window for downloading the Zip archive.
Figure 1. Saving the pcap for this tutorial from our GitHub repository.

The name of your downloaded ZIP archive should be Use infected as the password to unlock the ZIP archive as shown below in Figure 2.

Image 2 is how to extract the zip file to the end user’s download folder. After clicking on zip file in the downloads folder, a black arrow points to the menu where “Extract Here” is selected. A popup for a password has a filled password field. After hitting the button with a green check that says “OK” the .pcap file is extracted.
Figure 2. Extracting our pcap from the password-protected zip archive.

The extracted pcap for this tutorial is named Wireshark-tutorial-column-setup.pcap. Now that we have our pcap, let’s check our version of Wireshark.

Wireshark Version Check

Without any pcap loaded, Wireshark displays its version number on the welcome screen as shown below in Figure 3.

Image 3 is a screenshot of the Welcome screen of Wireshark. Highlighted in a red box and indicated by a red arrow is the version number for Wireshark.
Figure 3. Wireshark’s version number displayed on its welcome screen.

We can also select “About Wireshark” under the Help menu to view the version number as shown below in Figure 4.

Image 4 is a screenshot of Wireshark's welcome screen. The help menu has been selected. A black arrow indicates to select About Wireshark. An inset popup of the About Wireshark menu shows the first tab, which is Wireshark. Indicated by a red rectangle and a red arrow is the version number. Here it is version 4.0.7.
Figure 4. Wireshark’s version number from About Wireshark under the Help menu.

Configuration Profiles

After confirming you have Wireshark version 3.6.2 or newer, select Configuration Profiles under Wireshark’s Edit menu. Make a copy of the default configuration profile by clicking the Copy button as shown below in Figure 5.

Image 5 is a screenshot of Wireshark’s Edit menu. Highlighted is the Configuration Profiles option. A black arrow indicates the pop-up window that comes up when this is selected. This is where you will copy the default profile and give it a new name. In the Configuration Profiles window, the default is selected, and a black arrow points to the copy icon.
Figure 5. Copying the default configuration profile in Wireshark.

After copying the default profile, give it a new name. We suggest changing the name to “Customized” as shown below in Figure 6.

Image 6 is a screenshot of the configuration profile window in Wireshark. A black arrow indicates the new, customized configuration profile, and the type is Personal. A tooltip notes that it is copied from the default.
Figure 6. Renaming the copy of the default configuration profile.

If this newly created profile is still selected when we close the Configuration Profiles window, any customizations to Wireshark will be stored to this newly created profile.

Web Traffic and the Default Wireshark Column Display

Malware distribution frequently occurs through web traffic. Data exfiltration and command and control activity can also use web traffic. However, when reviewing such malicious activity, Wireshark's default column options are not ideal.

Fortunately, we can customize Wireshark’s column display to provide a better view of web traffic. To view the default layout of Wireshark, open the pcap we previously downloaded for this tutorial. The default layout for Wireshark version 4.0.7 is shown below in Figure 7.

Image 7 is a screenshot of Wireshark that shows the default layout. Black arrows indicate, from the top down, the display filter, the column display, and the frame details. Another window shows the hexadecimal view of the frame.
Figure 7. Default layout for Wireshark version 4.0.7 after opening our pcap.

Examine your column display. Wireshark’s default columns are listed below in Table 1.

Column Name   Column Description
No.           Frame number from the beginning of the pcap. The first frame is always 1.
Time          Seconds broken down to the microsecond from the first frame of the pcap. The first frame is always 0.000000.
Source        Source address, commonly an IPv4, IPv6 or Ethernet address.
Destination   Destination address, commonly an IPv4, IPv6 or Ethernet address.
Protocol      Protocol used in the Ethernet frame, IP packet or TCP segment (ARP, DNS, TCP, HTTP, etc.).
Length        Length of the frame in bytes.
Info          Information about the Ethernet frame, IP packet or TCP segment.

Table 1. Columns used in Wireshark’s default display.

To better examine Windows-based malware traffic, this tutorial customizes Wireshark to use the columns shown below in Table 2.

Column Name           Column Description
Time                  Date and time in UTC.
Source address        IPv4, IPv6 or Ethernet source address.
Source port           TCP or UDP port used by the source address for IPv4 or IPv6 traffic.
Destination address   IPv4, IPv6 or Ethernet destination address.
Destination port      TCP or UDP port used by the destination address for IPv4 or IPv6 traffic.
Domain                Domain name used in HTTP or HTTPS traffic.
Info                  Information about the Ethernet frame, IP packet or TCP segment.

Table 2. Columns for our customized Wireshark column display.
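Every column change made through the Wireshark GUI in this tutorial ends up as one preference, gui.column.format, in the active profile's preferences file. Writing that preference directly is handy when the same layout has to be reproduced on several analysis machines or used from tshark. The script below is an added example, not Unit 42's code or part of the tutorial: it renders the Table 2 layout in the preferences-file syntax (built-in columns use Wireshark's single-letter format codes; custom columns use "%Cus:<fields>:<occurrence>:<R|U>", R for resolved and U for unresolved values), builds the same setting as a tshark -o argument, and parses a setting back so an existing profile can be inspected. The field expressions chosen for the port and Domain columns (tcp.srcport || udp.srcport and http.host || tls.handshake.extensions_server_name) and the profile path are this example's own choices; the tutorial text above does not specify them.

```python
import re
from pathlib import Path

# Table 2 layout. Field expressions for the custom columns are this example's
# choices; ports use U (unresolved) so numbers are shown rather than service names.
TUTORIAL_COLUMNS = [
    ("Time", "%t"),  # shown as UTC once the Time Display Format is changed
    ("Source address", "%s"),
    ("Source port", "%Cus:tcp.srcport || udp.srcport:0:U"),
    ("Destination address", "%d"),
    ("Destination port", "%Cus:tcp.dstport || udp.dstport:0:U"),
    ("Domain", "%Cus:http.host || tls.handshake.extensions_server_name:0:R"),
    ("Info", "%i"),
]

PAIR_RE = re.compile(r'"([^"]*)",\s*"([^"]*)"')


def column_format_pref(columns):
    """Render gui.column.format the way a profile's 'preferences' file stores it:
    one tab-indented "title", "format" pair per line, comma-separated."""
    pairs = [f'\t"{title}", "{fmt}"' for title, fmt in columns]
    return "gui.column.format: \n" + ",\n".join(pairs) + "\n"


def tshark_option(columns):
    """The same setting as a single -o argument for tshark."""
    inner = ",".join(f'"{title}","{fmt}"' for title, fmt in columns)
    return f"gui.column.format:{inner}"


def parse_column_format(pref_text):
    """Recover the [(title, format), ...] list from a gui.column.format setting."""
    _, _, body = pref_text.partition("gui.column.format:")
    return PAIR_RE.findall(body)


def write_profile(profile_dir, columns):
    """Write a minimal preferences file for a Wireshark profile directory
    (assumed path on Linux: ~/.config/wireshark/profiles/<name>). Any
    preference not listed keeps its default; an existing file is replaced."""
    pref = Path(profile_dir) / "preferences"
    pref.parent.mkdir(parents=True, exist_ok=True)
    pref.write_text("# Packet list columns (Table 2 layout)\n" + column_format_pref(columns),
                    encoding="utf-8")
    return pref


if __name__ == "__main__":
    print(column_format_pref(TUTORIAL_COLUMNS))
    print("tshark -r Wireshark-tutorial-column-setup.pcap -t ud -o '"
          + tshark_option(TUTORIAL_COLUMNS) + "'")
```

Running it prints the preference block and an equivalent tshark command; -t ud is tshark's switch for UTC date and time of day, the same setting the next section makes in the GUI. Use `write_profile` only on a fresh profile directory, since it replaces the file rather than merging with existing customizations.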

To customize our Wireshark column display, we will first change the Time column to show the date and time in Coordinated Universal Time (UTC).

Changing Date and Time to UTC

When publicly sharing information about a malware infection, the recipients can be in any part of the world. Because of the different time zones, the standard format for reporting the time of malicious activity is UTC.

To change Wireshark's time display format, under the View menu, go to "Time Display Format," and change the value from "Seconds Since Beginning of Capture" to "UTC Date and Time of Day." Use the same menu path to change the resolution from "Automatic" to "Seconds." Figure 8 shows the menu paths for these options.

Image 8 is a screenshot of the main view menu in Wireshark. A black arrow indicates that the time display format has been selected. A second menu from time display format shows the different options. Two black arrows indicate two separate selections. The first is UTC date and time of day, and the other is seconds. This will change Wireshark's time display format to UTC and seconds. Other options include nanoseconds, hundredths of a second, time of day, etc.
Figure 8. Changing Wireshark’s time display format to UTC date and time.

When finished, the column display shows the UTC date and time as noted below in Figure 9. Now when we review a pcap, we immediately know the date and time of the network traffic.

Image 9 is a screenshot of Wireshark showing the changed time display. The time column is highlighted with a black rectangle. It now displays the time with seconds in a UTC format.
Figure 9. UTC date and time in our updated Wireshark column display.

Our next step in customizing Wireshark is to remove columns we do not need for our day-to-day work.

Removing Columns

The No., Protocol and Length columns are not necessary when reviewing web-based traffic, so we suggest removing them. To remove these columns, right-click on the column header and select "Remove this Column" from the menu as shown below in Figure 10.

Image 10 is a screenshot of Wireshark’s column display. A black arrow indicates the No. column. By right-clicking on this column, you can select “Remove this Column” at the very bottom of the menu, as indicated by another black arrow.
Figure 10. Removing the No. column in Wireshark.

Your updated column display should now show only four columns: Time, Source, Destination and Info, as noted in Figure 11.

Image 11 is a Wireshark screenshot showing the four columns in the updated column display. These are time, source, destination, and info.
Figure 11. The four columns remaining in our updated column display.

After removing the unnecessary columns, we are ready to add new columns to our Wireshark display.

Adding Columns

We can add columns in Wireshark using the Column Preferences window. To open this window, right-click on any of the column headers, then select “Column Preferences…” in the resulting menu as shown below in Figure 12.

Image 12 is a screenshot of Wireshark's column preferences window, which displays after right-clicking on any of the columns in the column view. These are indicated by black arrows.
Figure 12. Getting to the Column Preferences window.

This brings up the Column Preferences window, which lists all of Wireshark’s columns, viewed or hidden. Near the bottom-left side of the Column Preferences window are two buttons. One is labeled with a plus sign to add columns. The other has a minus sign to remove columns. Left-click on the plus sign as shown below in Figure 13.

Image 13 is the Preferences window in Wireshark. Under the Appearance menu on the left, Columns has been selected. A black arrow indicates to select the green plus sign to add a new column to Wireshark's column display.
Figure 13. The button to add a new column to Wireshark’s column display.

A new entry with the title “New Column” should appear at the bottom of the list. Double-click on the title to change the column name as shown below in Figure 14.

Image 14 is the Preferences window in Wireshark. Under the Appearance menu on the left, Columns has been selected. A black arrow indicates that a new column has been created. The title is New Column. The type is Number.
Figure 14. Renaming the newly created column.

Name this new column “Src port” and change the column type from Number by double-clicking on the column type setting as shown below in Figure 15.

Image 15 is the Preferences window in Wireshark. Under the Appearance menu on the left, Columns has been selected. A black arrow indicates that the type of new column that has been created is Number. The title is now Src port.
Figure 15. Getting ready to change our newly created column’s type.

Click again to bring up a scrollable list of options for the column type. Scroll down and select “Src port (unresolved)” for the column type as shown below in Figure 16.

Image 16 is the Preferences window in Wireshark. Under the Appearance menu on the left, Columns has been selected. A black arrow indicates how to select Src port (unresolved) as the type.
Figure 16. Selecting Src port (unresolved).

Next, create a new column entry, label it “Dst port” and select “Dest port (unresolved)” as the column type as shown below in Figure 17.

Image 17 is the Preferences window in Wireshark. Under the Appearance menu on the left, Columns has been selected. A black arrow indicates that another new column has been created and the type is Dest port (unresolved).
Figure 17. Selecting Dest port (unresolved) for a newly created Dst port column.

When finished, the Column Preferences window should show the two newly created columns as shown below in Figure 18.

Image 18 is the Preferences window in Wireshark. Under the Appearance menu on the left, Columns has been selected. A red rectangle and a red arrow indicate that two new columns, Src port and Dst port, have been added to the column display. Both are unresolved.
Figure 18. Our two newly created columns for Wireshark’s column display.

We can drag these columns to place Src port after the Source address and Dst port after the Destination address entry. Left-click to select, hold the mouse button and drag the entry to its new position in the list. Figure 19 shows an attempt to move the Dst port column to a position immediately after the Destination address entry.

Image 19 is the Preferences window in Wireshark. Under the Appearance menu on the left, Columns has been selected. The icon of a gripped hand with an arrow indicates that the destination port is being moved, and the order of the columns has now changed.
Figure 19. Moving our newly created Dst port column entry.

After moving our newly created Src port and Dst port entries, we suggest changing the column type for your Source address to “Src addr (unresolved)” and Destination address to “Dest addr (unresolved).” If you do this, the Column Preferences window should appear similar to Figure 20.

Image 20 is the Preferences window in Wireshark. Under the Appearance menu on the left, Columns has been selected. The columns now display in a different order. From top to bottom, these are time, source, source port, destination, destination port, and information.
Figure 20. Our updated column list in the Column Preferences window.

After completing these changes, click OK to close the Column Preferences window. Wireshark should now display the following six columns (read: label - type):

  • Time - Time (format as specified)
  • Src - Src addr (unresolved)
  • Src port - Src port (unresolved)
  • Dst - Dest addr (unresolved)
  • Dst port - Dest port (unresolved)
  • Info - Information

Figure 21 shows an example of what this should look like.

Image 21 is the column display in Wireshark, showing the new columns that were added. Black arrows indicate their name and their order.
Figure 21. Wireshark’s column display after updating our columns.

Figure 21 reveals our newly created Src port and Dst port columns are aligned to the right, while all the other columns are aligned to the left. Right click the column header for each of our right-aligned columns to bring up a menu, then click the “Align Left” checkbox to align these columns to the left. Figure 22 shows an example for the Src port column.

Image 22 is a Wireshark screenshot showing how to align the new columns to the left. By right-clicking on the column header, Align Left can be selected from the menu.
Figure 22. Aligning our newly created Src port column to the left.

When finished, the Src port and Dst port columns should be aligned to the left, matching all the other columns as shown below in Figure 23.

Image 23 is a Wireshark screenshot. Two black rectangles indicate how the source port and the destination port columns are now both aligned left.
Figure 23. Src port and Dst port columns now aligned to the left.

While we can add several different types of columns through the Column Preferences window, we cannot add every conceivable column type. For example, we cannot add a column showing the domains associated with web traffic this way. Fortunately we can add a customized column that reveals these web traffic domains.

Adding Customized Columns

Wireshark allows users to add customized columns based on almost any value found in the frame details window. To better view the frame details, we should temporarily hide the hexadecimal view. Under the View menu, uncheck "Packet Bytes" as shown below in Figure 24.

Image 24 is a Wireshark screenshot. Under the View menu, a black arrow indicates to uncheck Packet Bytes.
Figure 24. Hiding the hexadecimal panel by unchecking the Packet Bytes view.

Now we should only have two sections displaying pcap data: the column display and the frame details.

First, we should create a customized column for domains used in unencrypted HTTP web traffic. In Wireshark, type http.request in the Wireshark filter bar and hit enter. Select the first frame in your column display. In the frame details section, expand the line for Hypertext Transfer Protocol. Then find the “Host” line. In this case, it should have msftconnecttest in the name. Left-click on that line to select it, then right-click to bring up a menu. Select “Apply as Column” as shown below in Figure 25.

Image 25 is a Wireshark screenshot. Three black arrows indicate that by selecting the Host line in the frame details window and right-clicking, you can select Apply as Column from the menu.
Figure 25. Under the frame details window, find the line to create an HTTP hostname column.

This should create a new column titled Host as shown below in Figure 26.

Image 26 is a Wireshark screenshot. A black rectangle indicates the newly-created Host column.
Figure 26. Newly created Host column shown when viewing HTTP traffic in our pcap.

Next, let’s create another customized column for domains used in encrypted HTTPS web traffic. Clear your Wireshark filter bar, then type tls.handshake.type eq 1 and hit enter. Select the first frame in your column display.

In the frame details panel, expand the line for Transport Layer Security. Under that, expand the line for TLSv1.2 Record Layer: Handshake Protocol: Client Hello. Under that, expand the line that reads Handshake Protocol Client Hello. The expanded frame details are shown below in Figure 27.

Image 27 is a Wireshark screenshot. A black arrow indicates one line has been selected. Three black arrows in the lower pane indicate the details from that line. These include Transport Layer Security, the TLSv1.2 Record Layer, and the Handshake Protocol. The filter used is tls.handshake.type eq 1.
Figure 27. Filtering on HTTPS traffic and expanding items in the frame details window.

Scroll down in the frame details section to find and expand the line that starts with Extension: server_name. Under that, find and expand the line that reads Server Name Indication extension. Under that is a line that reads Server Name. Left-click on that line to select it, right-click to bring up a menu and select Apply as Column as shown below in Figure 28.

Image 28 is a Wireshark screenshot. A black arrow indicates one line has been selected in the lower pane. Apply as Column has been selected from the menu. The filter used is tls.handshake.type eq 1.
Figure 28. Under the frame details window, find the line to create an HTTPS server name column.

This should create a new column to the right of our recently created Host column titled “Server Name” as shown below in Figure 29.

Image 29 is a Wireshark screenshot. A black rectangle indicates the new Server Name column. The filter used is tls.handshake.type eq 1.
Figure 29. Newly created Server Name column shown when viewing HTTPS traffic in our pcap.

Right-click any of the column headers to bring up a menu to reach our Column Preferences window again. In our Column Preferences window, we see these two newly created customized columns as shown below in Figure 30.

Image 30 is a Wireshark screenshot of the Preferences window. A red rectangle highlights the Host and Server Name entries in the column list. The Type field shows that both of these columns are Custom.
Figure 30. Our two newly created customized columns in the Column Preferences window.

To save screen space, we should combine these two columns into a single column. First, double-click on the Fields value in the Server Name entry and copy the text reading tls.handshake.extensions_server_name as shown below in Figure 31.

Image 31 is a Wireshark screenshot of the Preferences window. The Server Name column has been selected. A black arrow indicates the Copy option for this column’s Fields value in a popup menu.
Figure 31. Copying the Fields value from the Server Name column.

Next, use the or operator to combine that text with the existing Fields value for the Host entry. The new value for the Host entry should be the Host entry’s original Fields value followed by or tls.handshake.extensions_server_name as shown below in Figure 32.

Image 32 is a Wireshark screenshot of the Preferences window. The custom Host row has its Fields column highlighted in green.
Figure 32. New Fields value for our recently created Host column.

Since both Fields values are now in the Host entry, delete the Server Name entry as shown below in Figure 33.

Image 33 is a Wireshark screenshot of the Preferences window. The custom Server Name column is now being deleted. It is selected, and a black arrow indicates to hit the red minus button.
Figure 33. Delete the Server Name column, because it is no longer needed.

When finished, the list in your Column Preferences window should appear similar to Figure 34.

Image 34 is a Wireshark screenshot of the Preferences window. The updated column display list is now time, source, source port, destination, destination port, host, and info.
Figure 34. Our updated column display list.

Close the Column Preferences window. Now we can filter for both HTTP and HTTPS activity, and any domains associated with this web traffic will appear in our updated Host column.

Type the following in your Wireshark filter:

http.request or tls.handshake.type eq 1

Scroll through the results in your updated Wireshark column display. The results should look similar to the Wireshark screenshot in Figure 35.

Image 35 is a Wireshark screenshot of the updated Host column. It is highlighted by a black rectangle. The filter used is http.request or tls.handshake.type eq 1.
Figure 35. Updated Host column showing domains associated with web traffic.
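As an added example (not code from the Unit 42 tutorial), the following Python reproduces the finished column display in code: a UTC Time column with one-second resolution, unresolved addresses and ports, and the combined Host column built from Wireshark’s own http.host and tls.handshake.extensions_server_name fields, applied over the same filter, http.request or tls.handshake.type eq 1. The sample frames are constructed inline (the timestamps, the 203.0.113.x server addresses and example.com are assumptions), and the parsers cover IPv4 over Ethernet with TCP only.

```python
import struct
from datetime import datetime, timezone

# The tutorial's final column layout; Host combines Wireshark's http.host and
# tls.handshake.extensions_server_name fields into one column.
COLUMNS = ("Time", "Src", "Src port", "Dst", "Dst port", "Host", "Info")


def utc_time(ts):
    """Time column as 'UTC Date and Time of Day' with one-second resolution."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_frame(frame):
    """Ethernet/IPv4/TCP frame -> (src, sport, dst, dport, payload), else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                                   # not IPv4 over Ethernet, or not TCP
    ip = frame[14:]
    tcp = ip[(ip[0] & 0x0F) * 4:]                     # skip the IHL-sized IP header
    sport, dport = struct.unpack("!HH", tcp[:4])
    src = ".".join(map(str, ip[12:16]))               # unresolved: dotted quad, no DNS lookup
    dst = ".".join(map(str, ip[16:20]))
    return src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]


def http_host(payload):
    """http.host: the Host header of an unencrypted HTTP request."""
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line[5:].strip().decode("ascii", "replace")
    return None


def tls_sni(payload):
    """tls.handshake.extensions_server_name from a TLS ClientHello (handshake type 1)."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None                                   # not a handshake record, or not ClientHello
    hs = payload[9:]                                  # skip record (5) and handshake (4) headers
    try:
        pos = 34 + 1 + hs[34]                                     # version, random, session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]        # cipher_suites
        pos += 1 + hs[pos]                                        # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # extensions block
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                            # server_name: list len(2), type(1), len(2), name
                nlen = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        pass                                          # truncated or malformed ClientHello
    return None


def column_row(ts, frame):
    """One display row, or None if the frame fails 'http.request or tls.handshake.type eq 1'."""
    parsed = parse_frame(frame)
    if parsed is None:
        return None
    src, sport, dst, dport, payload = parsed
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):   # http.request (common methods only)
        host, info = http_host(payload), payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    elif (host := tls_sni(payload)) is not None:
        info = "Client Hello"
    else:
        return None
    return dict(zip(COLUMNS, (utc_time(ts), src, sport, dst, dport, host or "", info)))


def build_frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample input (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello carrying one server_name extension."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"      # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"       # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample capture from the tutorial's internal host 172.16.1.135; the first
# timestamp is 2023-08-07 18:57:00 UTC, matching the httpforever.com request in Figure 37.
SAMPLE_FRAMES = [
    (1691434620, build_frame("172.16.1.135", 49700, "203.0.113.10", 80,
                             b"GET / HTTP/1.1\r\nHost: httpforever.com\r\n\r\n")),
    (1691434621, build_frame("172.16.1.135", 49701, "203.0.113.20", 443,
                             build_client_hello("example.com"))),
    (1691434622, build_frame("203.0.113.10", 80, "172.16.1.135", 49700,
                             b"HTTP/1.1 200 OK\r\n\r\n")),      # a response: filtered out
]

if __name__ == "__main__":
    for ts, frame in SAMPLE_FRAMES:
        print(column_row(ts, frame))
```

Hiding the Src and Src port columns, as the tutorial does next, is just a matter of dropping those two keys from each returned row before printing.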

Now that we have created all of our columns, we can hide any of them as needed.

Hiding Columns

When reviewing pcaps of web traffic generated by malware, the activity is often collected from a single internal IP address used by the infected host. One such example is a pcap generated by an online sandbox that analyzes malware. When investigating an alert for a suspected infection, investigators pull traffic from the internal IP associated with that alert, if the traffic is available.

In these cases, filtering on web traffic will reveal the same internal IP address in our Src column. For this tutorial, we captured our pcap from an internal IP address at 172.16.1[.]135, so our column display will only show that IP in the Src column when filtering for web traffic.

Because of this, we can hide the Src and Src port columns to better focus on the web traffic.

To hide any column in Wireshark, left-click on any of the column headers, then uncheck the columns you want to hide. Figure 36 shows unchecked boxes for the Src and Src port columns.

Image 36 is a Wireshark screenshot demonstrating how to hide the Source and Source Port columns by unchecking boxes from the menu.
Figure 36. Hiding the Src and Src port columns by unchecking the boxes.

Hiding these columns provides a better idea of the traffic when viewing web activity. For example, we see the host generated unencrypted web traffic to the site httpforever[.]com on Aug. 7, 2023, at 18:57 UTC as revealed below in Figure 37.

Image 37 is a Wireshark screenshot that displays the more concise view of the web traffic.
Figure 37. A more concise view of the web traffic in our pcap.

Now that we have customized our column display, we should export our updated configuration profile.

Exporting Your Updated Configuration Profile

Recent versions of Wireshark allow users to export or load personal configuration profiles. This is useful when installing Wireshark in a new environment. Instead of redoing all the steps in this tutorial, we can load the profile saved from a previously exported configuration.

To export our newly customized configuration profile, select “Configuration Profiles…” under the Edit menu as shown below in Figure 38.

Image 38 is a Wireshark screenshot. From the edit menu, Configuration Profiles has been selected, as indicated by the black arrow.
Figure 38. Menu path for the Configuration Profiles window.

The Configuration Profiles window should still have our customized profile selected. To export this profile, click on the Export button as shown below in Figure 39. You can export multiple personal profiles you have created.

Image 39 is a screenshot of Wireshark's Configuration Profiles window. Highlighted in blue is the customized profile, with its type listed as Personal. A black arrow indicates to select Export, with “All Personal Profiles” chosen from the drop-down menu.
Figure 39. Exporting your personal profile(s) from the Configuration Profile window.

Exported profile(s) are saved as a ZIP archive. If necessary, ensure your saved filename has a .zip file extension as shown below in Figure 40.

Image 40 displays how to save your exported profile as a zip from Wireshark. The name of the zip file is customized-profiles. Desktop has been selected as the location to save the zip file to.
Figure 40. Save your exported profile(s) as a ZIP archive.

To import a saved profile, click the Import button in your Configuration Profiles window as shown below in Figure 41.

Image 41 displays how to import a profile from a ZIP archive into Wireshark. A black arrow indicates the Import button. The option to import from a ZIP file has been selected from the drop-down menu.
Figure 41. Importing a previously exported configuration profile from the Configuration Profiles window.


Wireshark’s default configuration works well for many people, but users can customize Wireshark to better fit their specific needs. For example, the customizations in this tutorial can be extremely useful when reviewing web traffic to determine an infection chain.

Our next tutorial in this series focuses on display filter expressions useful for investigating suspicious network traffic.

from Unit 42

Mysterious 'Sandman' Threat Actor Targets Telecom Providers Across Three Continents

Sep 21, 2023 | THN | Telecom Security / Cyber Attack

A previously undocumented threat actor dubbed Sandman has been attributed to a set of cyber attacks targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent.

Notably, the intrusions leverage a just-in-time (JIT) compiler for the Lua programming language known as LuaJIT as a vehicle to deploy a novel implant called LuaDream.

"The activities we observed are characterized by strategic lateral movement to specific targeted workstations and minimal engagement, suggesting a deliberate approach aimed at achieving the set objectives while minimizing the risk of detection," SentinelOne security researcher Aleksandar Milenkoski said in an analysis published in collaboration with QGroup.

"The implementation of LuaDream indicates a well-executed, maintained, and actively developed project of a considerable scale."

Neither the campaign nor its tactics have been correlated with any known threat actor or group, although available evidence points to a cyber espionage adversary with a penchant for targeting the telecom sector across geographies. The attacks were first observed over several weeks in August 2023.

"The LuaDream staging chain is designed to evade detection and thwart analysis while deploying the malware directly into memory," Milenkoski explained. "LuaDream's implementation and staging process leverage the LuaJIT platform, the just-in-time compiler for the Lua scripting language. This is primarily to make malicious Lua script code difficult to detect."

String artifacts contained within the implant's source code reference June 3, 2022, indicating that the preparatory work has been underway for more than a year.

It's suspected that LuaDream is a variant of a new malware strain referred to as DreamLand by Kaspersky in its APT trends report for Q1 2023, with the Russian cybersecurity company describing it as employing "the Lua scripting language in conjunction with its Just-in-Time (JIT) compiler to execute malicious code that is difficult to detect."

The use of Lua is something of a rarity in the threat landscape, having been previously observed in three different instances since 2012: Flame, Animal Farm (aka SNOWGLOBE), and Project Sauron.

The exact mode of initial access remains unclear, but it has been observed stealing administrative credentials and conducting reconnaissance to breach workstations of interest and ultimately deliver LuaDream.

A modular, multi-protocol backdoor with 13 core and 21 support components, LuaDream is primarily designed to exfiltrate system and user information as well as manage attacker-provided plugins that expand on its features, such as command execution. It also features various anti-debugging capabilities to evade detection and thwart analysis.

Command-and-control (C2) communication is accomplished by establishing contact with a domain named "mode.encagil[.]com" using the WebSocket protocol. But it can also listen for incoming connections over TCP, HTTPS, and QUIC protocols.

The core modules implement all of the aforementioned features, while the support components are responsible for augmenting the backdoor's capabilities to await connections based on the Windows HTTP server API and execute commands.

"LuaDream stands as a compelling illustration of the continuous innovation and advancement efforts that cyber espionage threat actors pour into their ever-evolving malware arsenal," Milenkoski said.

The disclosure coincides with a parallel report from SentinelOne which detailed sustained strategic intrusions by Chinese threat actors in Africa, including those aimed at telecommunication, finance and government sectors in Africa, as part of activity clusters dubbed BackdoorDiplomacy, Earth Estries, and Operation Tainted Love.

The goal, the company said, is to extend influence throughout the continent and leverage such offensives as part of its soft power agenda.

SentinelOne said it detected a compromise of a telecommunications entity based in North Africa by the same threat actor behind Operation Tainted Love, adding the timing of the attack aligned with the organization's private negotiations for further regional expansion.

"Targeted intrusions by the BackdoorDiplomacy APT and the threat group orchestrating Operation Tainted Love indicate a level intention directed at supporting [China in its efforts to] shape policies and narratives aligned with its geostrategic ambitions, establishing itself as a pivotal and defining force in Africa's digital evolution," security researcher Tom Hegel said.

It also comes days after Cisco Talos revealed that telecommunication service providers in the Middle East are the target of a new intrusion set dubbed ShroudedSnooper that employs a set of stealthy backdoors called HTTPSnoop and PipeSnoop.


from The Hacker News

Meet HashiCorp’s boomerang interns

Internships are a great way to retain top talent. According to the National Association of Colleges and Employers, interns are 16% more likely to stay with the company they interned with than those who interned elsewhere. But what happens when an intern comes to work for a company not just for one summer, but two summers?

To find out, we asked four returning Hashi-interns about why they chose to come back to work with us and how HashiCorp is helping them gain real-world experience and skills.


From left to right:

  • Kelly McCarthy: Solutions Engineer I, Williams College
  • Machi Dima: People Team Generalist Intern, University of Washington
  • Madeline Mallory: Sales Program Coordinator Intern, University of Colorado
  • Sonya Pieklik: Solutions Engineer I, University of Texas

Many students try to obtain internships with multiple companies. How do you feel returning for a second summer with HashiCorp benefited your career progression?

Kelly McCarthy: I think my two internships with HashiCorp benefitted my career progression because it allowed me to explore two potential occupations (Inside Sales and Solutions Engineering) within the same company environment and working with the same set of tools. In addition, my first internship was remote, while my second summer was spent in-person at HashiCorp’s Austin office.

Machi Dima: Returning allowed me to develop a broader understanding of how different departments collaborate, especially because I interned with two different teams. During my second internship, I was able to strengthen existing relationships and develop a more extensive professional network. I even had the chance to present my projects to executive leaders and have regular meetings with them while helping plan an important offsite event. These connections have been incredibly valuable to me as many of the execs have offered career guidance.

Madeline Mallory: I think students intern with multiple different companies in order to gain experience from different aspects of a company. But I feel that returning to HashiCorp for a second summer helped me learn more than I could have at a second internship with a different company. Interning at HashiCorp let me try different things, be exposed to different programs, and learn from a variety of people. It also shows the growth potential of working at HashiCorp. I feel that returning to HashiCorp for a second internship significantly benefited my career progression and has enabled me to see where my career is headed in the future.

Sonya Pieklik: Returning to HashiCorp for a second summer was one of the best choices I made for my future career. As a returning intern, I already knew the team and the products that I would be working with, as well as the day-to-day activities of a Solutions Engineer. This gave me the opportunity to help other interns onboard more quickly. Being a second-year intern gave me the opportunity to act as a leader. Before interning at HashiCorp, I had interned at a couple of other companies. While I had a great time, it was difficult to make much of an impact in a few short months. Returning to HashiCorp helped me fine tune my technical skills and prepare for a full-time position.

How do your experiences from your first and second summers compare?

Kelly: During my first summer, I was a Sales Development Representative intern and learned how they partnered with Solutions Engineering teams. The following summer, I switched roles to intern as a Solutions Engineer. What I believe was most beneficial was the appreciation and understanding I gained from seeing both occupations. I observed how they operate independently while simultaneously supporting one another. It really helped shed light on the team aspect of sales. I am looking forward to joining that team and continuing to learn and grow my career at HashiCorp.

Machi: My first internship as a Recruiting Coordinator Intern with the Early Career team allowed me to further develop my organizational, communication, and time-management skills. During my second internship as a People Team Generalist intern, I supported both the DE&I and the Communications Directors. It has been extremely valuable for my career. It allowed me to develop a broader skill set and gain insights into creating inclusive initiatives and fostering diversity within the workplace, while also exposing me to content creation, event planning, and effective communication strategies. Handling the challenges of supporting two teams pushed me out of my comfort zone, leading to significant personal growth. I learned to adapt quickly, manage my time efficiently, and prioritize tasks effectively.

Madeline: The greatest differences between my first and second internships were switching from working in the office to being fully remote, and from a Customer Success Manager intern role into a Program Coordinator intern role. While working in person made it easier to collaborate with teammates and meet colleagues, remote work helped improve my problem-solving skills. With no one sitting right next to you, there’s more incentive to take a few extra steps to answer your own questions.

Sonya: I had the privilege of being part of HashiCorp’s first cohort of interns, which was exciting because we were able to help build out the expectations and learning paths for future interns. I was also given the opportunity to work alongside Solutions Engineers and work with beta products.

My second year allowed me to learn more about emerging products such as HashiCorp Packer, and also go more in depth with the products that I already knew, like HashiCorp Terraform. My first summer was all remote, but for my second summer, the SE intern team worked out of the Austin office, which was a fantastic experience as I was able to meet the other interns, the SE team, and collaborate in person.

What are some benefits to working at the same company twice?

Kelly: One of the biggest benefits is familiarity with the people, which really helped me transition to the in-person internship experience. Colleagues who I had met virtually in my first internship were there to welcome me aboard during my first week, which helped me get acclimated quickly. My biggest piece of advice, regardless of whether you intend to return to a company for a second summer or not, is to meet as many people as you can. Every person that you work with has a unique set of experiences and skills that you can learn from.

Machi: Working with the DE&I team was an incredible experience because it allowed me to actively participate in organizing workshops and collaborate with all the employee resource groups (ERGs). It was an opportunity for me to contribute to promoting inclusivity through content creation. On the other hand, my time with the Comms team allowed me to make meaningful contributions in event planning. I'm really passionate about building my career in either HR or communications, and both my summers were instrumental in shaping my career goals. Having hands-on experience in both areas is going to make me a much more well-rounded and competitive candidate when I start looking for future job opportunities.

Madeline: One of the biggest benefits of being a returning intern is the ability to continue building on the relationships that you have already established with people at the company. When returning to a company, you’re already familiar with the way things work. This eliminates the introduction period when starting to work with a new boss or team, and enables interns to hit the ground running.

Sonya: Being a returning intern can shorten the onboarding experience. Having a stronger grasp on processes, product knowledge, and client needs going in can give interns a sturdier launchpad. Returning can also help interns build better rapport with their team as well as with partnering teams. It also shows loyalty and commitment to the organization.

from HashiCorp Blog

What’s the point of press releases from threat actors?

Welcome to this week’s edition of the Threat Source newsletter.

As a former reporter, I’ve seen my fair share of press releases. But one from a threat actor was definitely a new one for me last week.

ALPHV (aka BlackCat) publicly took credit for a massive cyber attack against MGM, a resort, gambling and sports betting company best known for its massive casinos. The attack took down slot machines, guest reservation systems, and more belonging to MGM, and the company is still feeling the effects as of Tuesday.

And despite every major news outlet reporting on the incident, the actor wanted to take messaging into its own hands and “clarify” what happened exactly. Attackers have occasionally posted updates and pseudo-press releases in the past, but this particular press release on ALPHV’s leak site (don’t worry I didn’t actually link to their site) was peak unintentional comedy to me.

For starters, the actor blamed MGM for not using their official communication channels to contact them to start negotiating a ransom payment:

“As they were not responding to our emails with the special link provided (In order to prevent other IT Personnel from reading the chats) we could not actively identify if the user in the victim chat was authorized by MGM Leadership to be present,” the statement reads.

They also said that, hypothetically, if personally identifiable information *had* been stolen, they would allow the website Have I Been Pwned? to responsibly disclose this information, even though they stopped short of saying they stole PII.

Lastly, they took a victory lap by saying several news outlets had reported false information, claimed attribution too early, or made ALPHV seem too basic of a threat actor because the tactics, techniques and procedures “used by the people they blame for the attacks are known to the public and are relatively easy for anyone to imitate.”

The entire statement reads as if written by someone who thinks they’ve done nothing wrong, and it is certainly written to intimate that the situation could have gone much more smoothly had MGM just reached out to the threat actor early on through what it deemed the appropriate channels and negotiated early.

So, it makes me wonder what ALPHV thinks they’re gaining from all this? Part of me wonders if they were upset that public reporting had connected the attack to a group called “Scattered Spider” and they wanted to make sure everyone knew who deserved the credit. Or it could have been that they wanted to turn up the heat on MGM representatives and apply public pressure to hopefully get them to communicate and settle on a ransom payment.

It reads as if ALPHV really wants to come across as the “good guys” in this case, but I’m not sure who outside of dark web circles would be willing to feel sorry for them.

The one big thing

Talos researchers recently discovered a new malware family we’re calling “HTTPSnoop” being deployed against telecommunications providers in the Middle East. HTTPSnoop is a simple, yet effective, backdoor that uses novel techniques to interface with the Windows HTTP kernel driver and devices so it can listen for incoming requests to specific HTTP(S) URLs and execute the content of those requests on the infected endpoint. We also discovered a sister implant to “HTTPSnoop” we’re naming “PipeSnoop,” which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. All these new tools are linked to a group we’re calling “ShroudedSnooper.”

Why do I care?

This activity is a continuation of a trend we have been monitoring over the last several years in which sophisticated actors are frequently targeting the telecommunications sector. This sector was consistently a top-targeted industry vertical in 2022, according to Cisco Talos Incident Response data. However, since this is a new, relatively unknown group, we can’t be certain that they’ll only stick to targeting this particular field. The various malware at their disposal can leave a backdoor on infected machines for future attacks and malware installations and execute arbitrary shellcode on the infected endpoint.

So now what?

We found specific URL patterns that make it look like the infected system being contacted is a server hosting Microsoft’s Exchange Web Services (EWS) API. The URLs contained the keywords “ews” and “autodiscover” and were served over ports 443 and 444. The blog post has a list of these patterns so potentially affected organizations can check their environments for them. There is also a host of detection content available for Cisco Secure products.
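The hunt the paragraph above describes can be turned into a first-pass log check. The following is an added example, not Talos code and not the indicator list from the Talos blog post: it flags requests with Exchange-looking paths (containing “ews” or “autodiscover”) on ports 443 or 444 to hosts that are not known Exchange servers, which is the cue the newsletter gives. The log format, the `KNOWN_EXCHANGE_HOSTS` allowlist, the host names and the sample log lines are all constructed assumptions; adapt the regex to your proxy or web-server log format.

```python
"""
Added example (not from Talos): flag web-server/proxy log lines whose
request path mimics Exchange Web Services or Autodiscover on a host that
should not be serving Exchange. Real Exchange servers answer such paths on
443 (front end) and 444 (back end), so those hosts are allowlisted.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed assumption: hosts that legitimately run Exchange.
KNOWN_EXCHANGE_HOSTS = {"mail.example.com"}

# Ports named in the newsletter for the HTTPSnoop listener URLs.
SUSPECT_PORTS = {443, 444}

# Path segments named in the newsletter ("ews" and "autodiscover").
EWS_LIKE = re.compile(r"/(ews|autodiscover)(/|$)", re.IGNORECASE)

# Constructed log format: "<client> <host>:<port> <method> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<host>[^\s:]+):(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log; only billing-web01 should be flagged.
SAMPLE_LOG = """\
10.1.2.3 mail.example.com:443 POST /ews/exchange.asmx 200
10.1.2.9 mail.example.com:444 POST /ews/exchange.asmx 200
10.1.2.3 billing-web01.example.com:443 GET /index.html 200
198.51.100.20 billing-web01.example.com:444 POST /ews/exchange.asmx 200
198.51.100.20 billing-web01.example.com:443 GET /autodiscover/autodiscover.xml 200
10.1.2.3 billing-web01.example.com:8080 GET /ews/ping 404
not a log line
"""


@dataclass(frozen=True)
class Finding:
    client: str
    host: str
    port: int
    path: str


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def is_suspicious(rec: dict) -> bool:
    """Exchange-like path on 443/444 served by a host that is not an Exchange server."""
    if rec["port"] not in SUSPECT_PORTS:
        return False
    if not EWS_LIKE.search(rec["path"]):
        return False
    return rec["host"].lower() not in KNOWN_EXCHANGE_HOSTS


def scan(lines: Iterable[str]) -> list[Finding]:
    """Parse each line and collect the suspicious ones; unparseable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            findings.append(Finding(rec["client"], rec["host"], rec["port"], rec["path"]))
    return findings


def scan_text(text: str) -> list[Finding]:
    return scan(text.splitlines())


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"suspicious: {f.host}:{f.port} {f.path} from {f.client}")
```

Network logs only show the traffic; on the Windows hosts themselves, `netsh http show servicestate` lists the URL prefixes currently registered with the kernel HTTP driver and the process IDs that own them, so an EWS- or Autodiscover-style prefix registered on a machine that is not an Exchange server is worth a closer look.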

Top security headlines of the week

Apple released long-awaited updates to its “Lockdown Mode” with iOS 17 this week, its answer to a recent global uptick in spyware attacks. Lockdown Mode now also works on Apple Watches, in addition to iPhones and iPads, which is notable because threat actors have increasingly started targeting Apple Watches with spyware. New features also remove geolocation information from photos when Lockdown Mode is enabled and automatically block insecure Wi-Fi networks. Apple and other cellphone manufacturers are working on addressing the use of cell site simulators, also known as “stingrays.” These fake cell base stations track phone locations and spy on calls and messages after a device connects to it. Google also announced new features earlier this year that ensure their devices’ communications are always encrypted when connecting to cell towers. (TechCrunch, Electronic Frontier Foundation)

The U.S. Cybersecurity and Infrastructure Security Agency announced a new program offering free security scans to public water utilities and other critical infrastructure. CISA is offering to run specialized scanners to identify a facility’s vulnerabilities and any weak configurations on internet-exposed endpoints. Then, they generate a report of any flaws or vulnerabilities found and send the plant a list of recommendations and offers for further scans to determine if the potential target has taken the appropriate steps to solve the issues. A brochure for the new program promises a “significant reduction in identified vulnerabilities in the first few months of scanning for newly enrolled water utilities.” (StateScoop, CISA)

China’s government has accused the U.S. of a campaign to infiltrate servers belonging to tech company Huawei to conduct cyber attacks and steal information, potentially as far back as 2009. China's Ministry of State Security outlined the accusations in a post on its WeChat account on Wednesday. "In 2009, the Office of Tailored Access Operations started to infiltrate servers at Huawei's headquarters and continued conducting such surveillance operations," the post reads. China and the U.S. have continually launched accusations of spying on one another this year as tensions between the two nations rise. China also accused the U.S. National Security Agency of installing a backdoor tool that "runs secretly on thousands of network devices in many countries around the world” meant to steal data from other governments, including China and Russia. (Nikkei Asia, The Register)

Can’t get enough Talos?

Upcoming events where you can find Talos

LABScon (Sept. 20 - 23)

Scottsdale, Arizona

Vitor Ventura gives a presentation that’s a detailed account and timeline of a mercenary spyware organization, from almost bankrupt to having fully working spyware targeting iOS and Android with one-click zero-day exploits.

Grace Hopper Celebration (Sept. 26 - 29)

Orlando, Florida

Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

ATT&CKcon 4.0 (Oct. 24 - 25)

McLean, Virginia

Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often techniques are thrown at the bottom of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

Most prevalent malware files from Talos telemetry over the past week

SHA 256: 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa
MD5: e9a6b1346d1a2447cabb980f3cc5dd27
Typical Filename: профиль 10 класс.exe
Claimed Product: N/A
Detection Name: Application_Blocker

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name:

SHA 256: bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a
MD5: 200206279107f4a2bb1832e3fcd7d64c
Typical Filename: lsgkozfm.bat
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::tpd

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201

SHA 256: 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647
MD5: bbcf7a68f4164a9f5f5cb2d9f30d9790
Typical Filename: bbcf7a68f4164a9f5f5cb2d9f30d9790.vir
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::1201

from Cisco Talos Blog