Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware


Oct 30, 2023 | Newsroom | Malware / Endpoint Security


A new cyber attack campaign has been observed using spurious MSIX Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed GHOSTPULSE.

“MSIX is a Windows app package format that developers can leverage to package, distribute, and install their applications to Windows users,” Elastic Security Labs researcher Joe Desimone said in a technical report published last week.

“However, MSIX requires access to purchased or stolen code signing certificates making them viable to groups of above-average resources.”


Based on the installers used as lures, it’s suspected that potential targets are enticed into downloading the MSIX packages through known techniques such as compromised websites, search engine optimization (SEO) poisoning, or malvertising.

Launching the MSIX file opens a window prompting the user to click the Install button; doing so results in the stealthy download of GHOSTPULSE on the compromised host from a remote server (“manojsinghnegi[.]com”) via a PowerShell script.

This process takes place over multiple stages, with the first payload being a TAR archive containing an executable that masquerades as the Oracle VM VirtualBox service (VBoxSVC.exe) but is in reality a legitimate binary bundled with Notepad++ (gup.exe).

Also present within the TAR archive is handoff.wav and a trojanized version of libcurl.dll that’s loaded to take the infection process to the next stage by exploiting the fact that gup.exe is vulnerable to DLL side-loading.


“The PowerShell executes the binary VBoxSVC.exe that will side load from the current directory the malicious DLL libcurl.dll,” Desimone said. “By minimizing the on-disk footprint of encrypted malicious code, the threat actor is able to evade file-based AV and ML scanning.”

The tampered DLL file subsequently proceeds by parsing handoff.wav, which, in turn, packs an encrypted payload that’s decoded and executed via mshtml.dll, a method known as module stomping, to ultimately load GHOSTPULSE.

GHOSTPULSE acts as a loader, employing another technique known as process doppelgänging to kick start the execution of the final malware, which includes SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.
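As an added example (not code from Elastic's report), the following Python hunts for the three observable steps of this chain in constructed Sysmon-style records: a renamed gup.exe, an unsigned libcurl.dll side-loaded from the process's own user-writable directory, and that same process then mapping mshtml.dll. The field names, process IDs and paths are assumptions made for the sample.

```python
import ntpath

# Constructed sample telemetry (not real logs); field names follow Sysmon
# event 1 (process create) and event 7 (image load). Paths are made up.
EVENTS = [
    {"EventId": 1, "ProcessId": 4242, "OriginalFileName": "gup.exe",
     "Image": r"C:\Users\victim\AppData\Local\Temp\VBoxSVC.exe"},
    {"EventId": 7, "ProcessId": 4242, "SignatureStatus": "Unavailable",
     "Image": r"C:\Users\victim\AppData\Local\Temp\VBoxSVC.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\libcurl.dll"},
    {"EventId": 7, "ProcessId": 4242, "SignatureStatus": "Valid",
     "Image": r"C:\Users\victim\AppData\Local\Temp\VBoxSVC.exe",
     "ImageLoaded": r"C:\Windows\System32\mshtml.dll"},
    # Benign baseline: the real Notepad++ updater loading its own signed libcurl.
    {"EventId": 1, "ProcessId": 5151, "OriginalFileName": "gup.exe",
     "Image": r"C:\Program Files\Notepad++\updater\gup.exe"},
    {"EventId": 7, "ProcessId": 5151, "SignatureStatus": "Valid",
     "Image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "ImageLoaded": r"C:\Program Files\Notepad++\updater\libcurl.dll"},
]

# Directories an ordinary user can write to; a side-load from here is far more
# suspicious than a DLL sitting next to a properly installed program.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def _lower_dir(path):
    return ntpath.dirname(path).lower() + "\\"


def find_sideload_chain(events):
    """Return findings as (rule, pid, detail), in the order they are observed."""
    findings, sideloaded = [], set()
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventId"] == 1:
            # Rule 1: on-disk name differs from the PE version-resource name,
            # e.g. Notepad++'s gup.exe renamed to VBoxSVC.exe.
            disk = ntpath.basename(ev["Image"]).lower()
            if disk != ev["OriginalFileName"].lower():
                findings.append(("renamed_binary", pid,
                                 "%s is really %s" % (disk, ev["OriginalFileName"])))
        elif ev["EventId"] == 7:
            loaded_dir = _lower_dir(ev["ImageLoaded"])
            same_dir = loaded_dir == _lower_dir(ev["Image"])
            unsigned = ev["SignatureStatus"] != "Valid"
            writable = any(m in loaded_dir for m in USER_WRITABLE)
            # Rule 2: unsigned DLL loaded from the process's own user-writable
            # directory, the classic side-loading shape.
            if same_dir and unsigned and writable:
                sideloaded.add(pid)
                findings.append(("dll_sideload", pid, ev["ImageLoaded"]))
            # Rule 3: a process already flagged for side-loading then maps
            # mshtml.dll, the module the report names as the stomping target.
            elif pid in sideloaded and ntpath.basename(ev["ImageLoaded"]).lower() == "mshtml.dll":
                findings.append(("module_stomping", pid, ev["ImageLoaded"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in find_sideload_chain(EVENTS):
        print("%-16s pid=%d %s" % (rule, pid, detail))
```

Rule 3 is deliberately conditioned on rule 2 having fired for the same process, since many legitimate processes load mshtml.dll on their own.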


Researchers Uncover Wiretapping of XMPP-Based Instant Messaging Service


Oct 28, 2023 | Newsroom | Privacy / Data Security


New findings have shed light on what’s said to be a lawful attempt to covertly intercept traffic originating from jabber[.]ru (aka xmpp[.]ru), an XMPP-based instant messaging service, via servers hosted on Hetzner and Linode (a subsidiary of Akamai) in Germany.

“The attacker has issued several new TLS certificates using Let’s Encrypt service which were used to hijack encrypted STARTTLS connections on port 5222 using transparent [man-in-the-middle] proxy,” a security researcher who goes by the alias ValdikSS said earlier this week.

“The attack was discovered due to the expiration of one of the MiTM certificates, which haven’t been reissued.”


Evidence gathered so far points to the traffic redirection being configured on the hosting provider network, ruling out other possibilities, such as a server breach or a spoofing attack.

The wiretapping is estimated to have lasted for as long as six months, from April 18 through to October 19, although it’s been confirmed to have taken place since at least July 21, 2023, and until October 19, 2023.

Signs of suspicious activity were first detected on October 16, 2023, when one of the UNIX administrators of the service received a “Certificate has expired” message upon connecting to it.

The threat actor is believed to have stopped the activity after the investigation into the MiTM incident began on October 18, 2023. It’s not immediately clear who is behind the attack, but it’s suspected to be a case of lawful interception based on a German police request.

Another hypothesis, unlikely but not impossible, is that the MiTM attack is an intrusion into the internal networks of both Hetzner and Linode, specifically singling out jabber[.]ru.

“Given the nature of the interception, the attackers have been able to execute any action as if it is executed from the authorized account, without knowing the account password,” the researcher said.


“This means that the attacker could download the account’s roster, lifetime unencrypted server-side message history, send new messages or alter them in real time.”

The Hacker News has reached out to Akamai and Hetzner for further comment, and we will update the story if we hear back.

Users of the service are recommended to assume that their communications over the past 90 days are compromised, as well as “check their accounts for new unauthorized OMEMO and PGP keys in their PEP storage, and change passwords.”
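A defender-side check, added here and not taken from the researcher's write-up: it opens an XMPP stream on port 5222, negotiates STARTTLS the way the service's clients do, and compares the served certificate's SHA-256 fingerprint with an operator-recorded pin, which reports a swapped certificate even when, as in this incident, it was validly issued by a public CA. The domain, the pin value and the direct connection to port 5222 (no SRV lookup) are assumptions.

```python
import hashlib
import socket
import ssl

# Assumption: the operator records the SHA-256 of the DER certificate their
# server really serves; the value below is a placeholder, not a real pin.
PINNED_SHA256 = {"xmpp.example.invalid": "<PLACEHOLDER_SHA256_HEX>"}


def stream_header(domain):
    """Client side of the RFC 6120 stream open that precedes STARTTLS."""
    return ("<?xml version='1.0'?><stream:stream to='%s' version='1.0' "
            "xmlns='jabber:client' "
            "xmlns:stream='http://etherx.jabber.org/streams'>" % domain).encode()


def offers_starttls(features_xml):
    """True if <stream:features> advertises the XMPP STARTTLS extension."""
    return ("<starttls" in features_xml
            and "urn:ietf:params:xml:ns:xmpp-tls" in features_xml)


def fingerprint(der_cert):
    return hashlib.sha256(der_cert).hexdigest()


def evaluate(domain, der_cert, pins):
    """Compare the served certificate with the pin. A certificate that chains
    to a public CA still fails here if it is not the one the operator pinned."""
    seen = fingerprint(der_cert)
    expected = pins.get(domain)
    if expected is None:
        return ("unpinned", seen)
    return ("match" if seen == expected else "MISMATCH", seen)


def check_server(domain, port=5222, timeout=10):
    """Open the stream, upgrade with STARTTLS and return evaluate()'s verdict."""
    with socket.create_connection((domain, port), timeout=timeout) as sock:
        sock.sendall(stream_header(domain))
        data = b""
        while b"</stream:features>" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("stream closed before features")
            data += chunk
        if not offers_starttls(data.decode(errors="replace")):
            raise RuntimeError("server does not offer STARTTLS")
        sock.sendall(b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
        if b"<proceed" not in sock.recv(4096):
            raise RuntimeError("STARTTLS not accepted")
        # Normal chain validation stays on; the pin is the additional check.
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            der = tls.getpeercert(binary_form=True)
    return evaluate(domain, der, PINNED_SHA256)


if __name__ == "__main__":
    import sys
    print(check_server(sys.argv[1] if len(sys.argv) > 1 else "xmpp.example.invalid"))
```

Legitimate renewals change the fingerprint as well, so the pin has to be refreshed over a trusted path after each renewal; a MISMATCH outside a known renewal window is what warrants investigation.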


N. Korean Lazarus Group Targets Software Vendor Using Known Flaws


Oct 27, 2023 | Newsroom | Cyber Attack / Malware


The North Korea-aligned Lazarus Group has been attributed to a new campaign in which an unnamed software vendor was compromised through the exploitation of known security flaws in other high-profile software.

The attack sequences, according to Kaspersky, culminated in the deployment of malware families such as SIGNBT and LPEClient, a known hacking tool used by the threat actor for victim profiling and payload delivery.

“The adversary demonstrated a high level of sophistication, employing advanced evasion techniques and introducing SIGNBT malware for victim control,” security researcher Seongsu Park said. “The SIGNBT malware used in this attack employed a diverse infection chain and sophisticated techniques.”

The Russian cybersecurity vendor said the company that developed the exploited software had been a victim of a Lazarus attack several times, indicating an attempt to steal source code or poison the software supply chain, as in the case of the 3CX supply chain attack.


The Lazarus Group “continued to exploit vulnerabilities in the company’s software while targeting other software makers,” Park added. As part of the latest activity, a number of victims are said to have been singled out as of mid-July 2023.

The victims, per the company, were targeted through legitimate security software designed to encrypt web communications using digital certificates. The name of the software was not disclosed, and the exact mechanism by which it was weaponized to distribute SIGNBT remains unknown.

Besides relying on various tactics to establish and maintain persistence on compromised systems, the attack chains employ an in-memory loader that acts as a conduit to launch the SIGNBT malware.

The main function of SIGNBT is to establish contact with a remote server and retrieve further commands for execution on the infected host. The malware is so named for its use of distinctive strings that are prefixed with “SIGNBT” in its HTTP-based command-and-control (C2) communications:

  • SIGNBTLG, for initial connection
  • SIGNBTKE, for gathering system metadata upon receiving a SUCCESS message from the C2 server
  • SIGNBTGC, for fetching commands
  • SIGNBTFI, for communication failure
  • SIGNBTSR, for a successful communication

The Windows backdoor, for its part, is armed with a wide range of capabilities to exert control over the victim’s system. This includes process enumeration, file and directory operations, and the deployment of payloads such as LPEClient and other credential-dumping utilities.

Kaspersky said it identified at least three disparate Lazarus campaigns in 2023 using varied intrusion vectors and infection procedures, but consistently relied on LPEClient malware to deliver the final-stage malware.


One such campaign paved the way for an implant codenamed Gopuram, which was used in cyber assaults targeting cryptocurrency companies by leveraging a trojanized version of the 3CX voice and video conferencing software.

The latest findings are just the latest example of North Korean-linked cyber operations, in addition to being a testament to the Lazarus Group’s ever-evolving and ever-expanding arsenal of tools, tactics, and techniques.

“The Lazarus Group remains a highly active and versatile threat actor in today’s cybersecurity landscape,” Park said.

“The threat actor has demonstrated a profound understanding of IT environments, refining their tactics to include exploiting vulnerabilities in high-profile software. This approach allows them to efficiently spread their malware once initial infections are achieved.”


Google Expands Its Bug Bounty Program to Tackle Artificial Intelligence Threats


Oct 27, 2023 | Newsroom | Artificial Intelligence / Vulnerability


Google has announced that it’s expanding its Vulnerability Rewards Program (VRP) to reward researchers for finding attack scenarios tailored to generative artificial intelligence (AI) systems in an effort to bolster AI safety and security.

“Generative AI raises new and different concerns than traditional digital security, such as the potential for unfair bias, model manipulation or misinterpretations of data (hallucinations),” Google’s Laurie Richardson and Royal Hansen said.

Some of the categories that are in scope include prompt injections, leakage of sensitive data from training datasets, model manipulation, adversarial perturbation attacks that trigger misclassification, and model theft.


It’s worth noting that Google earlier this July instituted an AI Red Team to help address threats to AI systems as part of its Secure AI Framework (SAIF).

Also announced as part of its commitment to secure AI are efforts to strengthen the AI supply chain via existing open-source security initiatives such as Supply Chain Levels for Software Artifacts (SLSA) and Sigstore.


“Digital signatures, such as those from Sigstore, which allow users to verify that the software wasn’t tampered with or replaced,” Google said.

“Metadata such as SLSA provenance that tell us what’s in software and how it was built, allowing consumers to ensure license compatibility, identify known vulnerabilities, and detect more advanced threats.”


The development comes as OpenAI unveiled a new internal Preparedness team to “track, evaluate, forecast, and protect” against catastrophic risks to generative AI spanning cybersecurity, chemical, biological, radiological, and nuclear (CBRN) threats.

The two companies, alongside Anthropic and Microsoft, have also announced the creation of a $10 million AI Safety Fund, focused on promoting research in the field of AI safety.


How to Keep Your Business Running in a Contested Environment


When organizations start incorporating cybersecurity regulations and cyber incident reporting requirements into their security protocols, it’s essential for them to establish comprehensive plans for preparation, mitigation, and response to potential threats.

At the heart of your business lie your operational technology and critical systems. This places them at the forefront of cybercriminal interest, as attackers seek to exploit vulnerabilities, compromise your data, and demand ransoms. In today’s landscape, characterized by the ever-present risk of ransomware attacks and the challenges posed by fragmented security solutions, safeguarding your organization is paramount. This is where the National Institute of Standards and Technology (NIST) advocates for the development of resilient, reliable security systems capable of foreseeing, enduring, and rebounding from cyberattacks.

In this guide, we’ll explore strategies to fortify your defenses against cyber threats and ensure uninterrupted operations. Fidelis Security, a pioneer in proactive cybersecurity, is here to stand with you on this journey.

Prepare

1. Regulatory Compliance:

Compliance is especially critical in regulated industries, where adhering to industry-specific and government regulations is non-negotiable. Fidelis Security’s Compliance Management solutions provide controls and monitoring capabilities to ensure that organizations remain compliant, even as regulatory requirements evolve.

In a world of ever-evolving regulations, maintaining compliance can be a daunting task. Fidelis Security simplifies this challenge by providing comprehensive Compliance Management solutions. These solutions offer the controls and monitoring capabilities necessary to ensure that organizations adhere to industry-specific and government regulations. By maintaining compliance, they not only avoid potential penalties but also bolster their overall cybersecurity posture.

Fidelis Security’s patented Deep Session Inspection (DSI) and real-time traffic analysis enable analysts to find information on the network that is governed by regulatory compliance statutes, such as PCI, HIPAA, FISMA, GLBA and FERPA, in addition to PII, intellectual property, finance-related, and confidential or secret information. By using pre-built data leakage protection (DLP) or custom-built policy, analysts can match these classes of content in addition to any content they deem sensitive. Prevention can be enabled on the network to stop exfiltration as the transfer occurs, whether it originated from a malicious actor or from an insider threat.

2. Continuous Monitoring and Threat Detection:

Continuous monitoring and real-time threat detection are essential components of a proactive cybersecurity strategy. Fidelis Security’s Network Detection and Response (NDR) solutions offer continuous monitoring and advanced threat detection capabilities, helping organizations identify and respond to threats in real-time.

In the face of constantly evolving cyber threats, the ability to monitor networks and detect threats in real-time is invaluable. Fidelis Security’s Network Detection and Response (NDR) solutions are designed to provide continuous monitoring of networks and endpoints. These solutions leverage advanced threat detection capabilities to identify and respond to potential threats before they escalate. With Fidelis NDR, organizations gain the upper hand in the ongoing battle against cyberattacks.

Fidelis NDR employs many features over the entire platform to accomplish real-time detection and response. Deep Session Inspection (DSI) and decoding, Deep Packet Inspection (DPI), Antivirus detection (AV), and DNS protocol anomaly detections, on network and mail sensors, provide a multi-faceted approach to network-based detection. Event and sequence-based detections, as well as anomaly detections, are accomplished using the Fidelis Collector, a real-time database of all decoded session and object metadata that is collected as it traverses the network. In addition, Fidelis Endpoint detects malicious objects, traffic flows, and behaviors on endpoints with an agent installed.

Fidelis Deception empowers you to create deception layers that are aligned with your actual network infrastructure. These layers are designed to identify and track malware and intruders as they attempt to move stealthily within your network. By strategically placing decoys and breadcrumbs, this solution aids in enhancing your network’s security posture. This approach enables you to achieve heightened visibility and safeguard your assets, even in areas where conventional security agents cannot be deployed—such as in enterprise IoT, Shadow IT, and legacy systems. As a result, you can proactively pinpoint and neutralize threats within your network, preventing potential harm to your organization.

Finally, the Fidelis Threat Research Team provides timely intelligence in the form of detection policy and threat intelligence feeds to each of these platforms to catch bad actors during the threat lifecycle and not after the fact. Any detections are presented to analysts in the Fidelis CommandPost so that they may initiate a rapid response.

Mitigate

3. Vulnerability Management:

Vulnerability management plays a critical role in reducing security risks. It involves identifying and addressing weaknesses in IT infrastructure. Fidelis Security’s Vulnerability Management solutions offer a robust approach to identifying and prioritizing vulnerabilities effectively, helping organizations fortify their defenses.

Vulnerabilities in IT infrastructure can provide cybercriminals with entry points into systems. To counter this threat, Fidelis Security’s Vulnerability Management solutions empower organizations to identify and prioritize vulnerabilities effectively. By addressing weaknesses in infrastructure, they fortify their defenses and reduce security risks, ultimately enhancing their cybersecurity posture.

4. Insider Threat Mitigation:

The threat of insider incidents, whether intentional or accidental, is a concerning challenge. Mitigating these risks is vital to business continuity. Fidelis Security’s Data Loss Prevention (DLP) solution is designed to address insider threats by detecting unusual activities and protecting sensitive data from unauthorized access.

Insider threats are a complex challenge that can have far-reaching consequences. Fidelis DLP provides a multifaceted approach to mitigating these risks, by safeguarding sensitive data from unauthorized access and exfiltration.

Respond

5. Incident Response and Recovery Planning:

Incident response and recovery plans are the lifelines in times of a cyber crisis. Fidelis Security’s Incident Response solutions are the go-to resource for creating and implementing effective response plans, ensuring swift and efficient action when it is needed most.

Incidents are a matter of ‘when’ rather than ‘if’ in the cybersecurity landscape. Being prepared to respond swiftly and effectively is essential. Fidelis Security’s Incident Response solutions are designed to help organizations create and implement effective response plans. These plans are their lifeline in times of crisis, ensuring that organizations can respond swiftly and efficiently to contain and mitigate the impact of cyber incidents.

6. The Fidelis Challenge:

Fidelis Security brings expertise and commitment to the forefront of cybersecurity. They firmly believe that their perspective on cyber threats is unmatched. To prove this, organizations are invited to take the Fidelis Challenge. For 30 days, they can integrate Fidelis Elevate into their enterprise environment, and Fidelis Security will showcase its threat detection capabilities. Fidelis Security is confident that organizations will see the difference it can make in safeguarding their environments. Try it for free.

Conclusion

Cyber incidents have the potential to impact national security, economic stability, and public safety. Therefore, organizations should prioritize the security of their critical infrastructure. The main points from this guide emphasize the importance of robust cybersecurity measures for maintaining seamless operations. Organizations are encouraged to concentrate on their cybersecurity efforts and leverage expertise to find the right tailored solutions for their security needs, thereby enhancing their protection against ever-evolving threats.
