North Korean Hackers Weaponize Fake Research to Deliver RokRAT Backdoor

Jan 22, 2024 | Newsroom | Cyber Attack / Hacking


Media organizations and high-profile experts in North Korean affairs were on the receiving end of a new campaign orchestrated by the threat actor known as ScarCruft in December 2023.

“ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report shared with The Hacker News.

The North Korea-linked adversary, also tracked as APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is assessed to be part of the Ministry of State Security (MSS), which sets it apart from Lazarus Group and Kimsuky, both of which sit within the Reconnaissance General Bureau (RGB).


The group is known for its targeting of governments and defectors, leveraging spear-phishing lures to deliver RokRAT and other backdoors with the ultimate goal of covert intelligence gathering in pursuit of North Korea’s strategic interests.

In August 2023, ScarCruft was linked, alongside Lazarus Group, to an intrusion at the Russian missile engineering company NPO Mashinostroyeniya, described at the time as a “highly desirable strategic espionage mission” intended to benefit North Korea’s missile program.


Earlier this week, North Korean state media reported that the country had carried out a test of its “underwater nuclear weapons system” in response to drills by the U.S., South Korea, and Japan, describing the exercises as a threat to its national security.

The latest attack chain observed by SentinelOne targeted an expert in North Korean affairs by posing as a member of the North Korea Research Institute, urging the recipient to open a ZIP archive file containing presentation materials.

Seven of the nine files in the archive are benign; the other two are malicious Windows shortcut (LNK) files, mirroring a multi-stage infection sequence that Check Point disclosed in May 2023 as a RokRAT delivery chain. A shortcut is a launcher rather than a document: whatever command line it carries runs as soon as the recipient double-clicks it, which is why a .lnk dressed up as presentation material is an effective lure.

There is evidence to suggest that some of the individuals who were targeted around December 13, 2023, were also previously singled out a month prior on November 16, 2023.

SentinelOne said its investigation also uncovered malware – two LNK files (“inteligence.lnk” and “news.lnk”) as well as shellcode variants delivering RokRAT – that’s said to be part of the threat actor’s planning and testing processes.


The former simply opens the legitimate Notepad application, while the shellcode launched via news.lnk paves the way for RokRAT deployment. This particular chain has not yet been observed in the wild, suggesting it is being prepared for future campaigns.

The development is a sign that the group is actively adjusting its tradecraft, most likely to evade detection after public disclosure of its tactics and techniques.
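As an added illustration of the triage a recipient of such an archive could run (example code written for this page, not SentinelOne's tooling or anything from the campaign): the script below opens a ZIP, picks out every shortcut entry, parses the Shell Link header to recover the embedded command line, and flags the properties that mark a shortcut as a lure rather than a presentation file. The archive and both shortcuts are constructed inside the script; the size threshold and the script-host keyword list are heuristic assumptions.

```python
"""Triage a ZIP lure for Windows shortcut (.lnk) entries and inspect their headers.

Added example, not code from SentinelOne or from the campaign. The ZIP and the two
shortcuts inside it are constructed here so the script runs offline; the size
threshold and the keyword list are heuristic assumptions.
"""
import io
import struct
import uuid
import zipfile

# MS-SHLLINK: a shortcut starts with a 76-byte ShellLinkHeader carrying this CLSID.
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))
SIZE_THRESHOLD = 64 * 1024  # assumption: a genuine shortcut is a few KB; far bigger ones tend to carry payloads
SCRIPT_HOSTS = ("powershell", "cmd", "mshta", "wscript", "cscript", "rundll32", "-enc", "bypass")


def parse_lnk(data: bytes) -> dict:
    """Parse the header, skip LinkTargetIDList/LinkInfo, and read the StringData fields."""
    if len(data) < 0x4C:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid_raw, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=clsid_raw) != LNK_CLSID:
        raise ValueError("not a ShellLinkHeader")
    off = 0x4C
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) then the item ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in STRING_FIELDS:              # StringData: CountCharacters then the string, fixed order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        fields[name] = data[off:off + count * width].decode("utf-16-le" if width == 2 else "cp1252")
        off += count * width
    return {"size": len(data), "trailing_bytes": len(data) - off, **fields}


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """One verdict per .lnk entry: the parsed command line plus the reasons it looks like a lure."""
    verdicts = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            verdict = {"file": info.filename, "reasons": []}
            try:
                lnk = parse_lnk(zf.read(info))
            except ValueError as exc:
                verdict["reasons"].append(f"malformed shortcut: {exc}")
                verdicts.append(verdict)
                continue
            args = lnk.get("arguments", "")
            verdict["arguments"] = args
            if "." in info.filename.lower()[:-4].rsplit("/", 1)[-1]:
                verdict["reasons"].append("double extension: shortcut posing as a document")
            if any(k in args.lower() for k in SCRIPT_HOSTS):
                verdict["reasons"].append("command line invokes a script host")
            if lnk["size"] > SIZE_THRESHOLD:
                verdict["reasons"].append(f"oversized shortcut ({lnk['size']} bytes, "
                                          f"{lnk['trailing_bytes']} past the parsed fields)")
            verdicts.append(verdict)
    return verdicts


def build_lnk(arguments: str, payload_size: int = 0) -> bytes:
    """Constructed shortcut: header with only HasArguments|IsUnicode set, then opaque trailing bytes."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID.bytes_le, HAS_ARGS | IS_UNICODE)
    header += b"\0" * (0x4C - len(header))      # attributes, timestamps, icon index, show command, reserved
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") + b"\0" * payload_size


def build_sample_zip() -> bytes:
    """Constructed lure: benign presentation files plus two shortcuts, one of them a dropper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("presentation/agenda.txt", "session schedule (constructed sample)")
        zf.writestr("presentation/notes.txt", "speaker notes (constructed sample)")
        zf.writestr("presentation/slides.pptx.lnk",
                    build_lnk("/c powershell -w hidden -enc SQBFAFgA", payload_size=200_000))
        zf.writestr("presentation/open_me.lnk", build_lnk("notepad.exe"))
    return buf.getvalue()


if __name__ == "__main__":
    for v in triage_zip(build_sample_zip()):
        print(v)
```

Any one of the three signals is worth a closer look on its own; a shortcut hidden in an archive that arrives from an unknown sender is already out of place, and the trailing-bytes figure tells an analyst roughly how much data is hanging off the end of the parsed structure.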

“ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies,” the researchers said.

“This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea’s decision-making processes.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.




When Security Measures Go Wrong

Jan 18, 2024 | The Hacker News | Authentication Security / Passwords


In today’s digital landscape, traditional password-only authentication systems have proven to be vulnerable to a wide range of cyberattacks. To safeguard critical business resources, organizations are increasingly turning to multi-factor authentication (MFA) as a more robust security measure. MFA requires users to provide multiple authentication factors to verify their identity, providing an additional layer of protection against unauthorized access.

However, attackers keep looking for ways around MFA. One method gaining traction is the MFA spamming attack, also known as MFA fatigue or MFA bombing. This article explains how MFA spamming works and the practices that mitigate this growing threat.

What is MFA spamming?

MFA spamming is the act of inundating a target user’s email, phone, or other registered devices with a stream of MFA prompts or confirmation codes. The aim is to overwhelm the user with notifications in the hope that they will inadvertently approve an unauthorized login. To run the attack, the attacker must already hold the victim’s account credentials (username and password); each login attempt with them triggers another MFA notification.

MFA spamming attack techniques

There are various methods employed to execute MFA spamming attacks, including:

  1. Utilizing automated tools or scripts to flood the targeted victims’ devices with a high volume of verification requests.
  2. Employing social engineering tactics to deceive the target user into accepting a verification request.
  3. Exploiting the API of the MFA system to send a substantial number of false authentication requests to the target user.

By employing these techniques, attackers aim to exploit any unintentional approvals, ultimately gaining unauthorized access to sensitive information or accounts.

Examples of MFA spamming attack

Attackers increasingly use MFA spamming to get past MFA. Two notable incidents:

  • Between March and May 2021, attackers bypassed SMS-based multi-factor authentication at Coinbase, one of the largest cryptocurrency exchanges worldwide, and stole cryptocurrency from over 6,000 customers.
  • In 2022, attackers flooded Crypto.com customers with notifications to withdraw money from their wallets. Many customers approved the fraudulent transaction requests inadvertently, leading to a loss of 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other cryptocurrencies.

How to mitigate MFA spamming attacks

Mitigating MFA spamming attacks necessitates the implementation of technical controls and the enforcement of relevant MFA security policies. Here are some effective strategies to prevent such attacks.

Enforce strong password policies and block breached passwords

For the MFA spamming attack to be successful, the attacker must first obtain the login credentials of the target user. Hackers employ various methods to acquire these credentials, including brute force attacks, phishing emails, credential stuffing, and purchasing stolen/breached credentials from the dark web.

The first line of defense against MFA spamming is securing your users’ passwords. Specops Password Policy with Breached Password Protection helps prevent users from utilizing compromised credentials, thereby reducing the risk of attackers gaining unauthorized access to their accounts.

End-user training

Your organization’s end-user training program should stress that an MFA request must be verified before it is approved. A flurry of MFA requests the user did not initiate is itself a sign of a targeted attack, and users should know the immediate actions to take: do not approve, reset the account credentials as a precaution, and notify the security team. With a self-service password reset solution like Specops uReset, users can change their passwords at once, shrinking the window in which the attacker’s stolen credentials keep generating prompts.

Rate limiting

Organizations should rate-limit authentication attempts per account (and ideally per source) within a time window, so that automated scripts or bots cannot flood a user with prompts. Once the limit is hit, further pushes are suppressed rather than delivered, and the event is logged for the security team.

Monitoring and alerting

Implement monitoring that detects and alerts on unusual MFA request patterns: many prompts for one account in a short window, and especially a run of denied or expired prompts followed by an approval, which is exactly the accidental tap the attacker is waiting for. Catching this in near real time lets the team lock the account and rotate the credentials before the session is used.
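The rate-limiting and monitoring controls described in the two sections above, as an added example (written for this page, not Specops’ or any vendor’s code): a per-user sliding-window limiter that an identity provider can consult before sending another push, and a detector that runs over authentication log lines and raises an alert for any account that received more prompts than the threshold within a window, flagging separately the denials-then-approval pattern. The log format, the thresholds and the sample lines are constructed for the demonstration.

```python
"""MFA-fatigue controls: a per-user push rate limiter and a burst detector over auth logs.

Added example (not Specops' or any vendor's code). The log format, the thresholds and
the sample lines below are constructed for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # assumption: sliding window used by both controls
MAX_PROMPTS = 5                  # assumption: more pushes than this per window is a burst


class MfaPushGuard:
    """Sliding-window limiter the IdP consults before sending another push to a user."""

    def __init__(self, window: timedelta = WINDOW, max_prompts: int = MAX_PROMPTS):
        self.window, self.max_prompts = window, max_prompts
        self._sent: dict[str, deque] = defaultdict(deque)

    def allow(self, user: str, now: datetime) -> bool:
        q = self._sent[user]
        while q and now - q[0] > self.window:    # forget sends that fell out of the window
            q.popleft()
        if len(q) >= self.max_prompts:
            return False                           # suppress: the attacker gets nothing more to spam with
        q.append(now)
        return True


# Constructed sample of IdP audit lines: timestamp user event result source ip
SAMPLE_LOG = """\
2024-01-18T02:14:01Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-01-18T02:14:20Z user=alice event=mfa_push result=timeout ip=203.0.113.7
2024-01-18T02:14:41Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-01-18T02:15:03Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-01-18T02:15:30Z user=alice event=mfa_push result=timeout ip=203.0.113.7
2024-01-18T02:16:02Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-01-18T02:16:40Z user=alice event=mfa_push result=approved ip=203.0.113.7
2024-01-18T08:59:10Z user=bob event=mfa_push result=approved ip=198.51.100.4
2024-01-18T13:02:55Z user=bob event=mfa_push result=approved ip=198.51.100.4
"""


def parse_line(line: str) -> dict:
    """Split one constructed audit line into a record with a UTC datetime."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_fatigue(log: str, window: timedelta = WINDOW, max_prompts: int = MAX_PROMPTS) -> list[dict]:
    """One alert per user whose push count in any sliding window exceeds max_prompts.

    The alert also says whether an approval followed a run of denials/timeouts,
    which is the signature of a user who finally tapped "approve" to make it stop.
    """
    by_user: dict[str, list[dict]] = defaultdict(list)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec.get("event") == "mfa_push":
            by_user[rec["user"]].append(rec)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        q: deque = deque()
        peak, rejections_in_a_row, approved_after_rejections = 0, 0, False
        for rec in events:
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:
                q.popleft()
            peak = max(peak, len(q))
            if rec["result"] == "approved":
                approved_after_rejections |= rejections_in_a_row >= 2
                rejections_in_a_row = 0
            else:
                rejections_in_a_row += 1
        if peak > max_prompts:
            alerts.append({"user": user, "peak_prompts_in_window": peak,
                           "source_ips": sorted({r["ip"] for r in events}),
                           "approved_after_rejections": approved_after_rejections})
    return alerts


if __name__ == "__main__":
    for alert in detect_fatigue(SAMPLE_LOG):
        print(alert)
```

The limiter stops the flood; it does not stop a single well-timed prompt, which is why the end-user training above still matters. The detector's "approved after rejections" flag is the one to page on: it means the attacker's credentials are valid and a session was probably issued.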

Key takeaways

To effectively protect against MFA spamming, organizations must prioritize robust security practices. One effective tactic is to strengthen password policies and block the use of compromised passwords. Implementing a solution like Specops Password Policy’s Breached Password Protection feature can help organizations achieve this.

Try it free here and see how you can enhance your password security and safeguard your organization against MFA spamming attacks.


TensorFlow CI/CD Flaw Exposed Supply Chain to Poisoning Attacks

Jan 18, 2024 | Newsroom | Supply Chain Attacks / AI Security


Continuous integration and continuous delivery (CI/CD) misconfigurations discovered in the open-source TensorFlow machine learning framework could have been exploited to orchestrate supply chain attacks.

The misconfigurations could be abused by an attacker to “conduct a supply chain compromise of TensorFlow releases on GitHub and PyPi by compromising TensorFlow’s build agents via a malicious pull request,” Praetorian researchers Adnan Khan and John Stawinski said in a report published this week.

Successful exploitation of these issues could permit an external attacker to upload malicious releases to the GitHub repository, gain remote code execution on the self-hosted GitHub runner, and even retrieve a GitHub Personal Access Token (PAT) for the tensorflow-jenkins user.

TensorFlow uses GitHub Actions to automate the software build, test, and deployment pipeline. Runners, which refer to machines that execute jobs in a GitHub Actions workflow, can be either self-hosted or hosted by GitHub.


“We recommend that you only use self-hosted runners with private repositories,” GitHub notes in its documentation. “This is because forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow.”

Put differently, a self-hosted runner attached to a public repository lets any contributor execute arbitrary code on that machine simply by submitting a malicious pull request.

The same trick is far less dangerous on GitHub-hosted runners, because each one is an ephemeral, isolated virtual machine that is destroyed at the end of the job; there is nothing for the attacker to persist on or to steal from a later job.

Praetorian said it identified TensorFlow workflows that ran on self-hosted runners, and then found fork pull requests from previous contributors that had automatically triggered those workflows without requiring approval.

An adversary looking to trojanize the repository could therefore fix a typo or make a small but legitimate code change, open a pull request for it, and wait for the merge that makes them a contributor. From then on a rogue pull request would execute on the runner without raising any red flag.

Further examination of the workflow logs revealed that the self-hosted runner was not only non-ephemeral (thus opening the door for persistence), but also that the GITHUB_TOKEN permissions associated with the workflow came with extensive write permissions.

“Because the GITHUB_TOKEN had the contents:write permission, it could upload releases to https://github[.]com/tensorflow/tensorflow/releases/,” the researchers pointed out. “An attacker that compromised one of these GITHUB_TOKENs could add their own files to the Release Assets.”

On top of that, the contents:write permissions could be weaponized to push code directly to the TensorFlow repository by covertly injecting the malicious code into a feature branch and getting it merged into the main branch.

That’s not all. A threat actor could steal the AWS_PYPI_ACCOUNT_TOKEN used in the release workflow to authenticate to the Python Package Index (PyPI) registry and upload a malicious Python .whl file, effectively poisoning the package.

“An attacker could also use the GITHUB_TOKEN’s permissions to compromise the JENKINS_TOKEN repository secret, even though this secret was not used within workflows that ran on the self-hosted runners,” the researchers said.


Following responsible disclosure on August 1, 2023, the project maintainers addressed the shortcomings as of December 20, 2023, by requiring approval for workflows submitted from all fork pull requests, including those from previous contributors, and by changing the GITHUB_TOKEN permissions to read-only for workflows that run on self-hosted runners.
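The two misconfigurations and the corresponding fix, as an added example (written for this page, not Praetorian’s tooling and not TensorFlow’s actual workflow): a small audit that reads a GitHub Actions workflow line by line and reports a self-hosted runner reachable from fork pull requests and a GITHUB_TOKEN that is not pinned to read-only. Both workflow texts are constructed; the vulnerable one has no permissions block (so the token inherits the repository default), the hardened one adds `permissions: contents: read`. The checks are heuristic rather than a full YAML parse, so an expression such as `runs-on: ${{ matrix.os }}` would not be resolved.

```python
"""Line-oriented audit of a GitHub Actions workflow for two CI/CD weaknesses:
a self-hosted runner reachable from fork pull requests, and a GITHUB_TOKEN not
pinned to read-only. Added example, not Praetorian's tooling or TensorFlow's own
workflow; the workflow texts below are constructed and the checks are heuristic.
"""
import re

VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: [self-hosted, linux, gpu]
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh        # a fork PR can change this script
"""

HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read               # token can no longer upload releases or push
jobs:
  build:
    runs-on: [self-hosted, linux, gpu]
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh
"""

FORK_TRIGGERS = {"pull_request", "pull_request_target"}


def triggers(lines: list[str]) -> set[str]:
    """Event names under the top-level `on:` key (inline list or nested mapping)."""
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:
            return {t.strip() for t in inline.strip("[]").split(",") if t.strip()}
        found = set()
        for nxt in lines[i + 1:]:
            if nxt and not nxt.startswith(" "):     # back at column 0: the `on:` block is over
                break
            km = re.match(r"^  ([\w-]+):", nxt)     # direct children sit at exactly two spaces
            if km:
                found.add(km.group(1))
        return found
    return set()


def permission_blocks(lines: list[str]) -> list[dict]:
    """Every `permissions:` mapping in the file (workflow- or job-level) as {scope: level}."""
    blocks = []
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)permissions:\s*(.*)$", line)
        if not m:
            continue
        indent, inline = len(m.group(1)), m.group(2).split("#")[0].strip()
        if inline:                                  # e.g. `permissions: read-all` / `write-all`
            blocks.append({"*": inline})
            continue
        scopes = {}
        for nxt in lines[i + 1:]:
            km = re.match(r"^(\s*)([\w-]+):\s*([\w-]+)", nxt)
            if not km or len(km.group(1)) <= indent:
                break
            scopes[km.group(2)] = km.group(3)
        blocks.append(scopes)
    return blocks


def audit_workflow(text: str) -> list[str]:
    """Findings a reviewer would raise about one workflow file."""
    lines = text.splitlines()
    findings = []
    on_self_hosted = any("self-hosted" in l for l in lines if re.match(r"^\s*runs-on:", l))
    if on_self_hosted and triggers(lines) & FORK_TRIGGERS:
        findings.append("self-hosted runner is reachable from fork pull requests: confirm the repository "
                        "requires approval for every fork PR workflow, previous contributors included")
    blocks = permission_blocks(lines)
    if not blocks:
        findings.append("no permissions block: GITHUB_TOKEN inherits the repository default, which on "
                        "older repositories (and orgs that never changed it) is read/write")
    for b in blocks:
        writes = [k for k, v in b.items() if v == "write"]
        if b.get("*") == "write-all" or writes:
            findings.append("GITHUB_TOKEN has write scopes: " + (", ".join(writes) or "write-all"))
    return findings


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(wf))
```

The hardened workflow still produces one finding, and that is deliberate: the approval requirement for fork pull requests is a repository setting (Settings > Actions > General), not something the YAML can express, so the audit can only tell you to go and confirm it. The token finding, by contrast, disappears once `permissions:` is declared with read-only scopes.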

“Similar CI/CD attacks are on the rise as more organizations automate their CI/CD processes,” the researchers said.

“AI/ML companies are particularly vulnerable as many of their workflows require significant compute power that isn’t available in GitHub-hosted runners, thus the prevalence of self-hosted runners.”

The disclosure comes as both researchers revealed that several public GitHub repositories, including those associated with Chia Networks, Microsoft DeepSpeed, and PyTorch, are susceptible to malicious code injection via self-hosted GitHub Actions runners.


Experts Warn of macOS Backdoor Hidden in Pirated Versions of Popular Software

Jan 19, 2024 | Newsroom | Malware / Endpoint Security


Pirated applications targeting Apple macOS users have been observed carrying a backdoor that gives attackers remote control over infected machines.

“These applications are being hosted on Chinese pirating websites in order to gain victims,” Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said.

“Once detonated, the malware will download and execute multiple payloads in the background in order to secretly compromise the victim’s machine.”

The backdoored disk image (DMG) files, which have been modified to establish communications with actor-controlled infrastructure, include legitimate software like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.


The unsigned applications, besides being hosted on a Chinese website named macyy[.]cn, incorporate a dropper component called “dylib” that’s executed every time the application is opened.

The dropper then acts as a conduit to fetch a backdoor (“bd.log”) as well as a downloader (“fl01.log”) from a remote server, which is used to set up persistence and fetch additional payloads on the compromised machine.

The backdoor, written to the path “/tmp/.test”, is fully featured and built atop an open-source post-exploitation toolkit called Khepri. Because it lives under “/tmp”, which macOS clears at reboot, it does not survive a shutdown on its own.

It is, however, recreated at the same location the next time the pirated application is launched and the dropper runs, so the app bundle itself is the persistence mechanism for this component.

On the other hand, the downloader is written to the hidden path “/Users/Shared/.fseventsd,” following which it creates a LaunchAgent to ensure persistence and sends an HTTP GET request to an actor-controlled server.

While the server is no longer accessible, the downloader is designed to write the HTTP response to a new file located at /tmp/.fseventsds and then launch it.
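Two host-level checks that follow from the details above, as an added example (written for this page, not Jamf’s code): the first walks the load commands of the pirated app’s Mach-O executable and lists every dylib it is wired to load, flagging any that comes from outside the system library directories and outside the bundle’s own @-relative paths (a heuristic assumption); the second parses LaunchAgent plists and reports any whose program is one of the paths named in the write-up. The Mach-O and the plists it inspects are constructed inline, and the injected dylib path is a placeholder.

```python
"""Hunt for two host artifacts of the backdoored-DMG campaign: a load command injected
into the app's Mach-O executable, and a LaunchAgent whose program is one of the dropped
files. Added example, not Jamf's code. The Mach-O and the plists are constructed inline;
the "trusted prefix" rule is a heuristic assumption.
"""
import os
import plistlib
import struct
import tempfile

MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB = 0x0C, 0x80000018
TRUSTED_PREFIXES = ("/usr/lib/", "/System/Library/", "@rpath/", "@executable_path/", "@loader_path/")
DROPPED_PATHS = ("/tmp/.test", "/Users/Shared/.fseventsd", "/tmp/.fseventsds")  # paths named in the write-up


def linked_dylibs(macho: bytes) -> list[str]:
    """Walk the load commands of a thin 64-bit Mach-O and return every dylib it loads."""
    magic = struct.unpack_from("<I", macho, 0)[0]
    if magic in (FAT_MAGIC, FAT_CIGAM):
        raise ValueError("fat binary: inspect each architecture slice separately")
    if magic == MH_MAGIC_64:
        end = "<"
    elif magic == MH_CIGAM_64:
        end = ">"
    else:
        raise ValueError("not a 64-bit Mach-O")
    ncmds = struct.unpack_from(end + "I", macho, 16)[0]
    off, names = 32, []                        # mach_header_64 is 32 bytes; load commands follow it
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", macho, off)
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_off = struct.unpack_from(end + "I", macho, off + 8)[0]   # dylib.name offset within the command
            names.append(macho[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode())
        off += cmdsize
    return names


def suspicious_dylibs(macho: bytes) -> list[str]:
    """Dylibs loaded from outside the system and outside the bundle's @-relative search paths."""
    return [n for n in linked_dylibs(macho) if not n.startswith(TRUSTED_PREFIXES)]


def build_macho(dylibs: list[str]) -> bytes:
    """Constructed minimal arm64 executable: header plus one LC_LOAD_DYLIB per name, no segments."""
    cmds = b""
    for name in dylibs:
        s = name.encode() + b"\0"
        s += b"\0" * (-len(s) % 8)             # load commands are padded to 8-byte boundaries
        cmds += struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(s), 24, 2, 0x10000, 0x10000) + s
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, len(dylibs), len(cmds), 0, 0)
    return header + cmds


def rogue_launch_agents(agent_dir: str) -> list[dict]:
    """LaunchAgent plists whose Program/ProgramArguments point at one of the dropped paths."""
    hits = []
    if not os.path.isdir(agent_dir):
        return hits
    for name in sorted(os.listdir(agent_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(agent_dir, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)      # handles XML and binary plists
        except Exception as exc:               # a plist that will not parse is itself worth a look
            hits.append({"plist": path, "label": None, "program": None, "note": f"unparseable: {exc}"})
            continue
        program = [plist.get("Program", "")] + list(plist.get("ProgramArguments", []))
        if any(isinstance(p, str) and p.startswith(DROPPED_PATHS) for p in program):
            hits.append({"plist": path, "label": plist.get("Label"), "program": program})
    return hits


def demo() -> dict:
    """Run both checks on constructed inputs. On a real host, point linked_dylibs at the
    app's Contents/MacOS binary and rogue_launch_agents at each user's ~/Library/LaunchAgents."""
    macho = build_macho(["/usr/lib/libSystem.B.dylib",
                         "@rpath/QtCore.framework/Versions/5/QtCore",
                         "/Applications/Example.app/Contents/Resources/dylib"])   # constructed injected entry
    with tempfile.TemporaryDirectory() as tmp:
        agents = os.path.join(tmp, "Library", "LaunchAgents")
        os.makedirs(agents)
        with open(os.path.join(agents, "com.example.updater.plist"), "wb") as fh:   # constructed rogue agent
            plistlib.dump({"Label": "com.example.updater", "RunAtLoad": True,
                           "ProgramArguments": ["/Users/Shared/.fseventsd"]}, fh)
        with open(os.path.join(agents, "com.vendor.helper.plist"), "wb") as fh:     # constructed benign agent
            plistlib.dump({"Label": "com.vendor.helper",
                           "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/helper"]}, fh)
        agent_hits = rogue_launch_agents(agents)
    return {"suspicious_dylibs": suspicious_dylibs(macho), "launch_agents": agent_hits}


if __name__ == "__main__":
    print(demo())
```

On a real machine the executable inside a downloaded DMG is usually a fat binary, so split it per architecture first; and since the apps in this campaign are unsigned, `codesign -v` failing on the bundle is the quicker first tell, with the load-command walk explaining what was changed.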


Jamf said the malware shares several similarities with ZuRu, which has been observed in the past spreading via pirated applications on Chinese sites.

“It’s possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands and attacker infrastructure,” the researchers said.


Backup and Recovery Strategies for Exchange Server Administrators


In the current digital landscape, data has emerged as a crucial asset for organizations, akin to currency. It’s the lifeblood of any organization in today’s interconnected and digital world. Thus, safeguarding the data is of paramount importance. Its importance is magnified in on-premises Exchange Server environments where vital business communication and emails are stored and managed.

In this article, you will learn about the evolving threats of data loss, the shift in responsibilities of administrators, and key backup and recovery strategies for preventing data loss in the Exchange Server environment.

Data Loss Scenarios in Exchange Servers

Data loss in on-premises Exchange Server environments has become increasingly common. Cybersecurity threats such as ransomware have emerged as a significant cause of data loss in recent years, with financially motivated threat actors exploiting Exchange Server vulnerabilities, ProxyLogon among them, to gain unauthorized access to the server or to users’ mailboxes.

Besides vulnerabilities in the system, hardware failure and human errors can also cause data loss in on-premises Exchange Servers. According to a study by Gartner, it is estimated that 30% of organizations will experience an incident involving data loss caused by a negligent employee by 2025.

Evolving Role of Exchange Server Administrators

The role of Exchange Server administrators has significantly evolved in recent years due to increasing malware/ransomware attacks, forcing them to quickly adapt and act as guardians to protect the organizations’ data and reputation.

At the same time, the volume of data held in on-premises Exchange Server environments has grown substantially, and administrators now have to manage that data while meeting stricter security requirements driven by sophisticated attackers and new threats.

Understanding the Stakes

The consequences of data loss in Exchange Server environments are profound.

1. Financial Losses

Financial losses are one of the most common consequences of data loss. The operations of an organization are supported by data. If the data is lost, it means the organization loses not only its ability to generate income but also its ways of operating. In addition, when data is lost, a considerable amount of resources are channeled towards data recovery.

2. Reputational Damage

Building trust takes time. However, losing it takes only one bad decision. A data breach or ransomware attack can severely tarnish an organization’s reputation in the market, breaking customers’ or clients’ trust. Nobody wants to end up in the headlines of the media for all the wrong reasons.

3. Downtime and Lack of Business Continuity

Email communication is essential for daily operations. Loss of critical data can disrupt workflow and hamper productivity, which can have severe implications on the organization.

A report by IDC states that the average cost of downtime due to data loss in a mid-sized organization is approximately $1.25 million per year.

4. Business Closure

Data loss can potentially lead to an organization’s bankruptcy or closure. According to the University of Texas, 94% of companies that suffer from catastrophic data loss do not survive. Out of these, 43% never reopened, and 51% closed within two years.

5. Regulatory and Legal Fines

Businesses are obliged by the data protection laws, rules, regulations, and industry standards. Failing to do so can have severe implications, such as hefty fines. Legal actions can also undermine your organization’s reputation.

Prevent Data Loss – Develop a Thoughtful Backup Strategy

The most common reason for data loss in Exchange Servers is database corruption or damage. To safeguard against data loss, administrators need a comprehensive backup strategy tailored to their Exchange Server environments.

Below are some Exchange Server backup methods and strategies that administrators can follow to prevent permanent data loss.

1. Utilize VSS-Based Backup

Exchange Server supports Volume Shadow Copy Service (VSS)-based backups. You can use the Exchange-aware Windows Server Backup application with a VSS plug-in to back up active and passive Exchange database copies and restore the backed-up database copies.

2. Backup Combination

Exchange administrators should ideally use a combination of full and incremental backups. A full backup captures the entire mailbox database together with its transaction logs; an incremental backup captures only the transaction logs written since the previous backup of any kind (full or incremental). Both truncate the committed logs once they complete.

Differential backups are a third option: they capture the logs written since the last full backup and do not truncate them, so each differential grows until the next full backup. They are used less often because restoring requires the full backup plus only the latest differential, which is simpler to reason about but costs more space than an incremental chain.

3. Transaction Log Management

Transaction logs are essential for database consistency and for replaying changes during recovery. A successful full or incremental backup truncates the committed logs to free disk space, which makes the backup the only copy of those logs: verify that each backup completes successfully and can be restored, and never delete log files by hand to reclaim space, because logs that were not yet committed to the database cannot be replayed afterwards.

4. Circular Logging

Circular logging is disabled in Exchange Server by default. Administrators can enable it so that the database overwrites its transaction logs automatically once they are committed. The trade-off is significant: with circular logging on, a database can only be restored to the point of the last full backup, because there are no logs to replay past it. It is intended for environments that rely on Exchange Native Data Protection (multiple database copies) instead of traditional backups, and should not be used as a workaround for logs that fail to truncate after a full backup; that symptom points to a backup job that is not completing, which needs fixing first.

5. Follow the 3-2-1 Backup Rule

Follow the 3-2-1 backup strategy to protect your Exchange Server data from permanent loss. The strategy simply states that you must have the following:

  • At least three copies of your data: the production copy plus two backups.
  • Copies on at least two different types of media, such as disk and tape, so that one media failure cannot take out every copy.
  • At least one copy stored off-site or in a remote location, so that a natural or man-made disaster at the primary site cannot damage all of the copies (disaster recovery).

Proactive Measures for Data Protection

A proactive approach is fundamental to preventing data loss. Administrators should consider the following practices:

  • Robust security measures: Implement strong security controls, keep security software current, and install Exchange Server and Windows updates promptly to close known vulnerabilities.
  • Continuous learning: Ongoing training on email security and cyberattacks for administrators, employees, and customers is critical to staying informed about emerging threats and vulnerabilities.
  • Access control: Restrict access to sensitive data and enforce strong authentication. Use role-based access control (RBAC) to limit what each administrator can do in both Windows and Exchange Server.

Exchange Server Recovery Strategies

Exchange administrators also need to be ready to recover corrupt or dismounted databases when an incident occurs. The following strategies help bring a database back quickly.

1. Recovery Databases

Recovery databases (RDBs) are special Exchange Server databases that allow administrators to mount and extract data from the restored mailbox database. RDBs help in restoring data without impacting the live environment.

2. Use Exchange Native Data Protection

Exchange Server 2016 and 2019 can safeguard data without relying solely on traditional backups. Exchange Native Data Protection combines database availability groups with multiple database copies (including lagged copies that delay log replay so a corruption can be caught before it propagates), single item recovery, and retention or hold policies, so that most recovery scenarios are handled from live copies rather than from backup media.

3. Dial Tone Portability

Administrators can use Dial Tone Portability, also called dial tone recovery. An empty database is created and the affected users’ mailboxes are pointed at it, so they can continue to send and receive new mail while the administrator restores and repairs the failed database. Once the original database is recovered, the two are merged and swapped back. This method provides continuity during disaster recovery.

4. Exchange Recovery Tools

In the event of a server crash, or when the Exchange database backup is unavailable or out of date, an Exchange recovery tool such as Stellar Repair for Exchange can help administrators extract mailboxes from a severely corrupt or damaged Exchange database. The tool also assists with the dial tone recovery method: it can extract recovered mailboxes from damaged EDB files and export them to the dial tone database or to any existing healthy database on the same Exchange Server. This restores users’ mailboxes and their Outlook connectivity while minimizing downtime and disruption.

Conclusion

Exchange Server administrators play a critical role in protecting crucial business data in an increasingly challenging landscape. The risks associated with data loss are substantial and range from financial repercussions to damage to the organization’s reputation. To mitigate these risks, administrators must develop thoughtful backup strategies and adopt proactive security measures along with robust recovery plans in place.

To mitigate data loss risks, organizations should prioritize backup and recovery strategies. Regularly backing up Exchange Server data and having a well-defined recovery plan can significantly reduce the impact of data loss incidents.
