Two new code-execution techniques, Poison Fiber and Phantom Thread, take advantage of a little-known Windows OS workhorse to sneak shellcode and other malware onto victim machines.

Source: Robert K. Chin via Alamy Stock Photo

BLACK HAT ASIA – Singapore – Windows fibers, little-known components of Windows OS, represent a largely undocumented code-execution pathway that exists exclusively in user mode — and is therefore largely overlooked by endpoint detection and response (EDR) platforms. As such, it's possible for attackers to exploit them to stealthily land on PCs and deploy malicious payloads.

That's according to Daniel Jary, an independent security researcher, who laid out two new proof-of-concept (PoC) attacks using fibers in a session at Black Hat Asia on Thursday.

Fibers are an alternative to the standard "threads" that Windows uses to execute code from the OS or an application, he explains.

"Threads are like workers, essentially, within a Windows process or an application, and traditionally, they've always been the way that you'd execute code and get things done," he tells Dark Reading. "But there's a more niche way of doing it, through fibers."

**Fibers: A Forgotten & Overlooked Windows OS Pathway**

Fibers, when used, exist within threads — they're essentially smaller, more lightweight versions of the bigger thread concept. Fibers were initially developed at a time when CPUs had fewer cores available to them and could accommodate only so many threads. At a high level, the smaller were a way to expand capacity, by allowing developers to split up workloads within a single thread and make processes more efficient.

"But as computers became more powerful, with more memory to play with, fibers became somewhat redundant in the vast majority of scenarios," Jary explains. "That's why a lot of people really haven't heard about them and they're a bit obscure, but they do serve a few purposes for some old legacy applications and a way to port programs from other operating systems over to Windows. And some Windows processes themselves actually still use fibers."

Thus, fibers enjoy the dubious honor of being both a core Windows function and an overlooked one by security teams. To boot, Jary notes that traditional detection mechanisms in EDR platforms and antivirus engines tend to ignore them — making them a perfect stealth avenue to execute malicious code.

"Threads are heavily monitored by EDR agents, which look at syscalls and kernel mode callbacks to capture telemetry and send it to a rules engine to generate detection," Jary says. "But fibers exist purely in user mode and don't show up in kernel collection, so their telemetry is not actually getting recorded by EDRs."

Some open source techniques already exist to take advantage of fibers' under-the-radar status. A PoC from 2022, for instance, details a method for hiding malicious shellcode inside a fiber, thus evading the majority of AV engines.  

Others have created methods for callstack masking, which enables attackers to hide a malicious execution pathway within a thread — in this case, a fiber — behind a different, dormant fiber that's benign, also evading detection. The technique takes advantage of the fact that if fibers are in use, there's always an active fiber, then a dormant fiber that it switches off with. This masking capability that was added into Cobalt Strike's Artefact Kit in 2022.

**New Frontiers in Malicious Fiber Execution**

Jary set off to explore whether it's possible to improve on existing malicious fiber techniques, and came up with two new PoCs, dubbed Phantom Thread and Poison Fiber.

Existing adversarial fiber methods have certain disadvantages for attackers: Some indicators could still be used for EDR detection, and the maliciousness isn't hidden from inline event-based callstack collection. Any collection of dormant fibers, for which several techniques exist, would remove callstack masking.

Phantom Thread is a next-gen callstack masking approach that removes the ability of memory scans to target fibers by having those fibers masquerade as threads. This involves creating a fiber, then patching it so that it self-identifies as a thread. Then it becomes possible to remove any fiber callstack indicators and essentially hide the fibers from any scanning altogether.

The second PoC, Poison Fiber, enumerates any running Windows processes, looking at threads in use and then whether any of those threads are using fibers. Then "it presents you with an opportunity to inject your payload or your shellcode into a dormant fiber," Jary explains.

"You can only one run one fiber per thread at any one time, which means you always have another dormant fiber parked somewhere else on the stack," he says. "When we execute our code using Poison Fiber, this injects our code into a dormant fiber, so we don't have to suspend the thread in order to inject the shellcode, which is a huge indicator for malicious activity. And because we've injected the payload into a dormant fiber, then the application triggers the execution for us, and we don't initiate the execution ourselves." The technique has an added benefit of allowing remote code execution (RCE) as well.

**Wake Up to Fiber's Adversarial Potential**

While they remain somewhat obscure, fibers should be on security teams' list of attack vectors, warns Jary, who has not yet released his evolved PoCs or granular details on the methods publicly. He reasons that it's only a matter of time before others find ways of overcoming drawbacks in existing open source fiber execution methods.  

"Fiber's alternate execution method is valuable to attackers because it helps us sidestep traditional telemetry sources that we get with threads, in particular kernel callbacks," he says. "Fibers aren't a privilege escalation tactic, and they aren't a user access control (UAC) bypass. But it does allow a payload delivery that gets a lot less spotlight and attention from the security community. Fibers are really simple to implement, but they're harder to detect. So that makes them perfect for any script kiddie to use to attack businesses."

Jary advises implementing mature EDR products that can be continually tested against emerging techniques like these.

"Talk to your red teamers about open source fiber methods that are being used in the wild," he says. "Do some research to see what attackers are having joy with, what's popular in the wild, then feed that back into your research team and your EDR product developers. That's going to help build better defenses and probably make your threat hunters' lives a little bit easier as well."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Sneaky Shellcode: Windows Fibers Offer EDR-Proof Code Execution

A survey of cybercrime experts assessing the top cybercrime-producing nations results in some expected leaders — Russia, Ukraine, and China — but also some surprises.

Source: Wavebreakmedia Ltd IFE-221116 via Alamy Stock Photo

An academic research project to gain insight into which nations produce the most cybercrime has ranked the usual suspects of Russia, Ukraine, China, and the United States at the very top but also found some relative surprises with Nigeria at No. 5, Romania at No. 6, and Brazil at No. 9.

Nations with high technology levels typically scored fairly high on the World Cybercrime Index (WCI), especially if those countries also have state-sponsored threat actors that overlap with cybercriminal groups. Yet other nations dominated in one of the five areas, such as Nigeria taking the top score for scams and Romania scoring highly in data and identity theft, according to the university research effort by academic institutions in the United Kingdom, Australia, and France.

While cybersecurity experts have long associated different countries with different types of cybercrime — Russia with banking and ransomware and China with intellectual-property theft and financial crimes, for example — this is the first time that researchers have been able to compare various countries based on specific attributes and cybercriminal approaches, says Miranda Bruce, a postdoctoral fellow in sociology at the University of Oxford.

"If you look closely at these five indices, you'll get more insight into the character of each country as a cybercrime hotspot," she says. "Nigeria is No. 1 in the Scams index, but comes between 5th and 10th in the other four cybercrime types. Clearly they're a significant producer of all types of cybercrime, but it's also clear that, as a country, they specialize."

The researchers collected survey data from 92 cybercrime experts, asking them to pick the top five cybercrime-producing nations in five different categories of crime: technical products and services; attacks and extortion; data and identity theft; scams; and cashing out or money laundering. For each nation, participants were asked to rate the nation on the impact of the crimes, the actors' professionalism, and their technical skill.

The top 15 nations as ranked by their overall World Cybercrime Index. Source: PLOS One

In all, the cybercrime experts nominated 97 different countries, according to a paper the group published in the journal PLOS One.

The WCI scores may not, however, discern between true cybercriminals residing in a nation and those mercenary groups that also conduct operations on behalf of their state sponsors, says Sean McNee, vice president of research and data at DomainTools, a domain security services firm.

"When evaluating cybercrime groups in locales such as Russia, China, Iran, or North Korea, it is always challenging to determine if groups are operating purely on their own accord or operating on behalf of a nation-state sponsor," McNee says. "This makes cybercrime actors in other countries more interesting to look into, such as Nigeria, India, and Brazil."

**Low Technical Score, High Threat**

Nigeria's top marks in the scams category — in which the researchers lumped together advance-fee fraud, business email compromise, and online auction fraud — underscore that a highly developed cybercrime ecosystem does not necessarily require significant depth of technical skills and infrastructure. While Nigeria has prioritized its cybersecurity capabilities, the country remains a bastion for email fraud, as demonstrated by the case of a Nigerian-based group conducting romance scams with a US-based national, who was sentenced earlier this year.

Romania, which ranked No. 6 on the list, has a long history of hosting a cybercriminal ecosystem, so its ranking is a bit of a surprise, says Chester Wisniewski, director and field CTO at cybersecurity firm Sophos.

"Romania has always had elevated cybercrime activity ... likely due to its well-educated population and proximity and relationships with neighboring cybercrime states like Ukraine, Russia, and Moldova," he says. "Romania has been cooperative with cybercrime takedowns, but I am not sure they are very proactive in nature."

The researchers plan to investigate how the World Cybercrime Index correlates with other characteristics of each nation — such as gross domestic product (GDP), income inequality, Internet penetration, and corruption — and how cybercrime policies can impact their scores, the University of Oxford's Bruce says.

"There's still much to learn about how and why countries like Russia, China, and the USA have become major cybercrime hotspots, but the countries that appear lower in the Index will tell us more about the nuances of cyber criminality," she says. "That is, the specific combination of factors that enable a region to become a thriving economic hub of cybercriminal activity. It's important that we pay attention to these countries and regions in the coming years."

**Room for Improvement**

Unfortunately, the data gives little actionable information to defenders, although it could be useful to policymakers and diplomats interested in influencing countries and gaining cooperation, says Sophos' Wisniewski.

"If these stats are accurate, only the countries listed are in a position to address the problem of them being a source country for cybercrime," he says. "Many of those listed might not only be uninterested in reducing their rank, but they may also be proud of it."

The researchers conducted the survey in 2021, so unfortunately, that means that the rankings have aged, and do not include major changes to the cyberthreat landscape, such as Russia's invasion of Ukraine, the most recent rise in romance scams, and an increase in cryptocurrency scams from North Korea, says DomainTools' McNee.

"This suggests that encouraging policies to promote technology sectors in these countries — turn cybercriminals to entrepreneurs — could have a net positive impact on the economy," he says. "It may be more beneficial to track these trends in countries further down the WCI to help encourage such policies before a notable cybercrime industry takes hold."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Nigeria &amp; Romania Ranked Among Top Cybercrime Havens

Permiso Security announced Cloud Console Cartographer during Black Hat Asia to help defenders look inside Amazon Web Services events logs for signs of cyberattacks.

Source: Pop Tika via Shutterstock

When investigating a potential attack on cloud services, Daniel Bohannon frequently has to contend with the verbose logging of Amazon Web Services (AWS), a problem that can allow an attacker to hide in an avalanche of data.

While AWS typically produces only a single event for every programmatic API call, accessing the management console through the Web leads to an exponential increase in events, says Bohannon, a principal threat researcher with cloud identity service provider Permiso Security. In one session, for example, 81 clicks on users, workloads, and roles resulted in 5,370 events recorded in the AWS log file.

The sheer volume of events results in so much noise that it becomes hard to determine what a user is actually doing in the AWS console, the threat researcher says. For that reason, Bohannon and fellow threat researcher Andi Ahmeti plan to release an open source tool at the Black Hat Asia conference in Singapore to help security managers and incident responder consolidate cloud log events into a record of user actions.

"The idea is that you input your raw logs — and we \[show\] 100% of those raw logs — but then we enrich the data on top of that, which ... contains all the information about the events that led to those events," he says. "We all have that full signal information, which ... contains the summary, the labels, all that kind of stuff."

Historically, the volume of data in log files have made it difficult to determine the events that led up to a compromise. Sometimes the problem is that the cloud service does not log enough events to determine what happens, such as last year's criticism that Google Cloud Platform (GCP) fails to log adequate data when a user accesses a storage instance.

In other cases, the specific ways that cloud services communicate information to their customers can result in a lack of visibility, especially with the differences that companies face with multicloud use. More than half of companies have open ports undermining their security and take some two months to close the vulnerabilities. 

**AWS Produces Avalanche of Events**

For businesses using AWS, the number of events produced in a log while using the Web console can be significant. Just clicking on a list of users produces 18 events for only three identities, and that's a mild case of AWS's verbosity, says Bohannon. A user who clicks in the AWS console to view the users in the identity and access management (IAM) console will see more than 300 events produced in the logs for CloudTrail, Amazon's auditing capability.

"That number can actually get as high as 100, 300, or even 700 events, depending on the settings you have in your Web browser — all just for one click," he says. "So at a core level, every single action you take produces at least one event, but often it's dozens or sometimes even hundreds of additional events associated with it."

The researchers' open source tool, Cloud Console Cartographer, aims to turn the list of events captured by CloudTrail into a succinct timeline of actions taken by the user. The program adds comments to the cloud log that categorizes a series of captured events into signals — actual user actions.

"We want to show all of our mapping to remove as much noise as we can but still keep all the raw events," Bohannon says. "So anything that's unmapped is great, it's still evidence, and defenders can make the most sense of it."

**No Plans for Other Clouds**

Cloud Console Cartographer, which will be available on GitHub, produces an enriched log of events and has a Web interface that lists the signals in a table. Currently, 240-plus rules for classifying collections of events into user actions — that is, signals — have been created that will be used to enrich log files.

The two threat researchers intend to keep working on expanding the number of classifiers and hope that others will do the same.

Bohannon and Ahmeti may move on to developing the tool for other cloud platforms, but because different cloud providers have different ways of logging, what works for AWS will not work for Microsoft Azure or Google Cloud Platform, they say. AWS is verbose, but Azure is the opposite — its logs are so terse as to be unhelpful, Bohannon says.

"I feel like every platform, every cloud platform has unique challenges that will have to be addressed in different ways," he says. "So we might find in the future that we can integrate other cloud platforms into this, but \[for now\] we at least have plans for additional GUIs related to AWS that we are going to be working on after the initial release."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Open Source Tool Looks for Signals in Noisy AWS Cloud Logs

Caller ID spoofing and AI voice deepfakes are supercharging phone scams. Fortunately, we have tools that help organizations and people protect themselves against the devious combination.

Source: Ian Allenden via Alamy Stock Photo

COMMENTARY  
Three seconds of audio is all it takes to clone a voice. Vishing, or voice fraud, has rapidly become a problem many of us know only too well, impacting 15% of the population. Over three-quarters of victims end up losing money, making this the most lucrative type of imposter scam on a per-person basis, according to the US Federal Trade Commission (FTC).

When caller ID spoofing is combined with AI-based deepfake technology, fraudsters can, at very little cost and huge scale, disguise their real numbers and locations and highly convincingly impersonate trusted organizations, such as a bank or local council, or even friends and family.

While artificial intelligence (AI) is presenting all manner of new threats, the ability to falsify caller IDs is still the primary point of entry for sophisticated fraud. This has also posed serious challenges for authenticating genuine calls. Let's delve into the criminal world of caller ID spoofing.

**What's Behind the Rise in Voice Fraud?**

The democratization of spoofing technology, such as spoofing apps, has made it easier for malicious actors to impersonate legitimate caller IDs, leading to an increase in fraudulent activities conducted via voice calls. One journalist, who said she's known for her rational and meticulous nature, fell victim to a sophisticated scam that exploited her fear and concern for her family's safety. Initially contacted through a spoof call that appeared to be from Amazon, she was transferred to someone posing as an FTC investigator, who convincingly presented her with a fabricated story involving identity theft, money laundering, and threats to her safety.

These stories are becoming increasingly common. Individuals are primed to be skeptical of a withheld, international, or unknown number, but if they see the name of a legitimate company flash up on their phones, they are more likely to answer the call in an accommodating manner.

In addition to spoofing, we are also seeing a rise in AI-generated audio deepfakes. Last year in Canada, criminals scammed senior citizens out of more than $200,000 by using AI to mimic the voices of loved ones in trouble. A mother in the US state of Arizona also received a desperate call from her 15-year-old daughter claiming she'd been kidnapped; the call turned out to be AI-generated. When combined with caller ID spoofing, these deepfakes would be almost impossible for the average person to catch.

As generative AI and AI-based tools become more accessible, this kind of fraud is becoming more common. Cybercriminals don't necessarily need to make direct contact to replicate a voice because over half of people willingly share their voice in some form at least once a week on social media, according to McAfee. Nor do they need exceptional digital skills, since apps do the hard work of cloning the voice based on a short audio clip, as highlighted recently by high-profile deepfakes of US President Joe Biden and singer Taylor Swift.

Entire organizations can fall prey to voice fraud, not just individuals. All it takes is one threat actor to convince one employee to share some seemingly insignificant detail about their business over the phone, which is then used to join the dots and enable a cybercriminal to gain access to sensitive data. It's a particularly worrisome trend in industries where voice communication is a key component of customer interaction, such as banking, healthcare, and government services. Many businesses rely on voice calls for verifying identities and authorizing transactions. As such, they are particularly vulnerable to AI-generated voice fraud.

**What We Can Do About It**

Regulators, industry bodies, and businesses increasingly recognize the need for collective action against voice fraud. This could include intelligence to better understand scam patterns across regions and industries, the development of industrywide standards to improve voice call security, and tighter regulations governing reporting for network operators.

Regulators around the world are now tightening the rules around AI-based voice fraud. For instance, the US Federal Communications Commission (FCC) has made it illegal for robocalls to use either AI-generated or prerecorded voices. In Finland, the government has imposed new obligations on telecommunications operators to guard against caller ID spoofing and the transfer of scam calls to recipients. The EU is investigating similar measures, primarily driven by banks and other financial institutions that want to keep their customers safe. In all instances, efforts are underway to close the door on caller ID spoofing and smishing (fake text messages), which often serve as the entry point for more sophisticated, AI-based tactics.

Many promising detection tools in development could, in theory, drastically reduce voice fraud. They include voice biometrics, deepfake detectors, AI anomaly detection analysis, blockchain, signaling firewalls, and so on. However, cybercriminals are adept at outpacing and outwitting technological leaps, so only time will tell what will work best.

For businesses of all sizes and sectors, cybersecurity capabilities will become increasingly important for telecom services. Aside from the communications network level, businesses should establish clear policies and processes, such as multifactor authentication that uses a variety of verification methods.

Companies should also raise awareness of the most common fraud tactics. Regular training for employees should focus on recognizing and responding to scams, while customers should be encouraged to report suspicious calls.

On a consumer level, the UK's communications regulator, Ofcom, revealed that more than 41 million people were targeted by suspicious calls or texts over a three-month period in 2022. In other words, although brands and governments have been reiterating the message that legitimate businesses will never ask for money or sensitive information over the phone, continued vigilance is necessary.

The easy availability of cloning tools and spiraling crime levels have experts like the Electronic Frontier Foundation suggesting that people should agree on a family password to combat AI-based fraud attempts. It's a surprisingly low-fi solution to a high-tech challenge.

**About the Author(s)**

Senior Industry Analyst, Enea

Laura Wilber is a Senior Industry Analyst at Enea. She supports cross-functional and cross-portfolio teams with technology and market analysis, product marketing, product strategy, and corporate development. She is also an ESG Advisor & Committee Member. Her expertise includes cybersecurity and networking in enterprise, telecom, and industrial markets, and she loves helping customers meet today's challenges while musing about what the next ten years will bring.

Countering Voice Fraud in the Age of AI

Modern networks teem with machine accounts tasked with simple automated tasks yet given too many privileges and left unmonitored. Resolve that situation and you close an attack vector.

Source: Westend61 GmbH via Alamy Stock Photo

COMMENTARY  
Over my 32 years in cybersecurity, one painful constant has been managing the risks associated with network service accounts.

Service accounts are supposed to be machine-to-machine accounts that perform repetitive and automated scheduled tasks without human interaction. Common examples of service accounts include running applications on operating systems, databases, automated backups, and network maintenance. They should have extremely limited access rights, disallow human interaction, and only perform their intended function.

Rare is the management model that addresses service account concerns adequately from a security perspective. Best practices reduce the ability of threat actors to use such accounts to move laterally within the enterprise, undetected by our monitoring systems.

**Trouble Points of Service Accounts**

Every organization has service accounts. Every organization would also like to have fewer accounts and better monitoring and control for the accounts they must have. Threat actors understand the security risks of service accounts and take advantage of:

*   Lack of visibility. Service accounts can have complex dependencies in processes, applications, database structures, and programmatic systems. These accounts can be exceedingly difficult, if not impossible, to monitor and properly secure.
    
*   Difficulty in monitoring. Since service accounts are not typically associated with a specific person, monitoring the logs can cause confusion and complicate incident investigations. This can result in networks being exposed to threat actor actions and lateral movements, while the malicious actors remain completely undetected as they move around in the network.
    
*   Complicated nature of evictions. If threat actors breach your network and you need to evict them, every single password must be changed over a brief period, some more than once. This is when service accounts can really become burdensome and complicated. To commit to an eviction, you must change every single service account password. If you do not have a good inventory and understand the functionality of all service accounts, you should not attempt an eviction. In such a case, the few service accounts you could not change will probably be used by the threat actors.
    

**Common Gaps in Knowledge**

Many times during an incident response engagement, I have seen the following tendencies among organizations with regard to service accounts:

*   No one knows how many service accounts exists or how they are used.
    
*   The passwords have not been changed in years, and no one knows how to change the password — or what will break if they do.
    
*   No one knows why a service account exists or who owns the account.
    
*   The organization doesn't have a process for monitoring and securing the service accounts.
    

This is why it makes sense that threat actors gravitate toward service accounts. Often, these accounts have unnecessary rights and access.

**Developing a Comprehensive Strategy**

Understanding the problem is just the first part of developing a comprehensive strategy. Let us now identify the steps to solving security issues concerning service accounts.

*   Inventory all the service accounts. This can be done programmatically, using PowerShell or Active Directory tools.
    
*   Once you have a good inventory, assign an owner to each service account. This brings human insight and accountability. You may find that some service accounts are no longer needed.
    
*   Determine the purpose of all service accounts. How is the account used, and what does it do?
    
*   Document this information very carefully.
    

Finally, now you can formalize your service account program in a way that brings more security and oversight. You could choose to add your service accounts into a privileged access management (PAM) system, which would be ideal. However, remember this can be a long and tedious endeavor. While it is worth the effort, do not think it is not going to require lots of time and effort.

Next, whether or not you used PAM, develop a formalized audit reconciliation program around the use of each service account. This will heavily depend on the service account owners. An organization should require every owner to attest to the continued need for the service account periodically — I did this every six months — and accept the risk associated with the account's continued use. When the account owner accepts the risks associated with the service account, they change the password for the account.

Ideally, you can automate this process by using software platforms designed to manage risks and assist organizations in governance, risk, and compliance (GRC) issues. In such a system, if the automated workflow does not get processed correctly, the service account will be automatically disabled. If the service then remains disabled for a set period, it will automatically be deleted. This brings accountability to the management of service accounts.

This comprehensive strategy will reduce risks around the usage of service accounts. The most important thing is that the strategy ensures all service accounts are documented and holds a specific person accountable for their continued usage. This accountability, along with routine password changes, will dramatically reduce risks and help reconcile this important and often overlooked security weakness.

**About the Author(s)**

Principal Consultant, Secureworks Incident Response Team

Patrick B Barnett is Principal Consultant within the Secureworks Incident Response Team. With more than 26 years of experience in IT and information security, Pat architects and implements custom cybersecurity solutions for networks across the globe and has managed over 1,000 cyber incident responses over the last 25 years. Pat is passionate about seeing cybersecurity done right and is committed to aiding organizations in defining proper policies, procedures, and mechanisms to respond to any size event. Pat has a Master of Science degree in Computer Engineering and Business Administration and several post-graduate cybersecurity certificates from MIT and Stanford University. Pat holds the following certifications: CISSP, HISSP, PCI QSA, PCPIP, CISM, CEH, and CISA. Professional affiliations include ISSA, EC-Council, ISC2, and PCI DSS.

For Service Accounts, Accountability Is Key to Security

PRESS RELEASE

CAMBRIDGE, April 17, 2024 - Redgate, the end-to-end Database DevOps provider, has launched an enterprise version of its popular database monitoring tool, providing a range of new features to address the challenges of scale and complexity faced by larger organizations.

Redgate Monitor Enterprise offers the most comprehensive and advanced capabilities for monitoring large, complex estates, optimizing performance, and ensuring security, compliance and high availability with a single, all-in-one tool.

“In delivering extended monitoring capabilities, Redgate Monitor Enterprise addresses the needs of large organizations, delivering on multiple challenges for those managing multi-platform database estates and allowing people to do far more, far faster,” said David Gummer, Chief Product Officer at Redgate. “Managing security and compliance can be an extremely manual task, often requiring additional tooling and absorbing significant time and resources. With the easy-to-use web-based dashboard built into Redgate Monitor Enterprise, IT leaders benefit from instant visibility into access rights and can significantly improve the efficiency of compliance auditing.”

Redgate Monitor launched as SQL Monitor in 2008 and has grown to become a favored database monitoring tool, offering instant problem diagnosis, customizable alerting, seamless scaling, and a single at-a-glance view of hybrid estates, whether on-premises or in the cloud. Redgate Monitor Enterprise builds yet further on that heritage and is tailored for larger organizations that require advanced features beyond typical monitoring.

Enhancing the proficiencies of DBAs and IT management

Redgate Monitor Enterprise gives those in IT management deliverable and demonstrable business advantages. It minimizes risk by enabling the shifting regulatory landscape to be navigated with ease and helps to avoid the cost of non-compliance. It builds and maintains trust with customers by preventing unauthorized access to sensitive information. It turns compliance into a strategic advantage by removing the administrative burden and freeing up resources for strategic projects. By doing so, it fosters positive relationships with regulatory bodies through transparent and effective communication and an always-on compliance posture.

David Gummer adds, “By helping zcontribute to security, making it everyone’s responsibility.”

“Redgate Monitor Enterprise's capability to gather permissions from all our servers and databases is going to save us so much time! Before, we had to use scripts - hundreds of lines of code. Now, we can just click a button to export this info and give it to our security team. They can check it against our rules, and we can get back to our main jobs. It's a big win for us,” added Redgate customer Patrick Meyer, DBA at Atruvia. 

Advanced enterprise capabilities:

Streamlined user permissions

Accessing a clear overview of user permissions and providing role-based access control is an ongoing headache for database management teams who want to give developers access to database environments yet remain compliant with both internal frameworks and external standards and regulations. The user permissions feature in Redgate Monitor Enterprise provides a streamlined approach to maintaining security and compliance across all environments by addressing the challenge of unauthorized changes and preventing unexpected issues during audits.

Its intuitive interface comprehensively tracks the past and present access rights of users, specifying the server, database, and level of permissions granted, along with identifying all users with access to a particular server. This data provides immediate actionable insights into access rights, speeding up the reporting process. It can also be exported, filtered and searched to meet specific administrative needs, easing the laborious, time-consuming process of access management, and providing full transparency for compliance reporting.

Simplified SQL Server configuration compliance

Many enterprises, particularly in highly regulated sectors, are expected to meet global standards when configuring their SQL Servers, wherever those servers are and on a constant, rolling basis. Redgate Monitor Enterprise centralizes database and server configuration checks from a single dashboard where all configurations can be reviewed and managed against recognized security benchmarks. This enables DBAs to ensure their SQL Servers meet every compliance requirement without having to manually sift through configurations. They can easily monitor configurations and generate reports, especially for large estates with numerous servers, significantly simplifying compliance efforts.

High Availability architecture support

Five 9s availability is a typical SLA for enterprises, with the expectation that applications and websites are operational 99.999% of the time. Redgate Monitor Enterprise fully supports High Availability architectures, enabling it to be installed within a resilient setup, ensuring continuous monitoring by having backup servers ready to take over in case of component failure. This is crucial for enterprises, for whom monitoring is production-critical, allowing them to maintain database visibility without interruption.

Comprehensive and seamless data API

The Data API in Redgate Monitor Enterprise allows direct queries to its data repository by adding a REST API layer for user access. It enables custom reports to be created and monitoring data to be integrated into broader IT infrastructures. This is particularly useful for large corporations with specific reporting needs or those wishing to seamlessly incorporate monitoring data into tools like Power BI dashboards.

Redgate Launches Enterprise Edition of Redgate Monitor

"Kapeka" and "Fuxnet" are the latest examples of malware to emerge from the long-standing conflict between the two countries.

Source: Andrew Angelov via Shutterstock

Two dangerous malware tools targeted at industrial control systems (ICS) and operating technology (OT) environments in Europe are the latest manifestations of the cyber fallout from the war in Ukraine.

One of the tools, dubbed "Kapeka," appears linked to Sandworm, a prolific Russian state-backed threat actor that Google's Mandiant security group this week described as the country's primary cyberattack unit in Ukraine. Security researchers from Finland-based WithSecure spotted the backdoor featured in 2023 attacks against an Estonian logistics company and other targets in Eastern Europe and perceive it as an active and ongoing threat.

**Destructive Malware**

The other malware — somewhat colorfully dubbed Fuxnet — is a tool that Ukraine government-backed threat group Blackjack likely used in a recent, destructive attack against Moskollector, a company that maintains a large network of sensors for monitoring Moscow's sewage system. The attackers used Fuxnet to successfully brick what they claimed was a total of 1,700 sensor-gateways on Moskollector's network and in the process disabled some 87,000 sensors connected to these gateways.

"The main functionality of the Fuxnet ICS malware was corrupting and blocking access to sensor gateways, and trying to corrupt the physical sensors as well," says Sharon Brizinov, director of vulnerability research at ICS security firm Claroty, which recently investigated Blackjack's attack. As a result of the attack, Moskollector will likely have to physically reach each of the thousands of affected devices and replace them individually, Brizinov says. "To restore \[Moskollector's\] ability of monitoring and operating the sewage system all around Moscow, they will need to procure and reset the entire system."

Kapeka and Fuxnet are examples of the broader cyber fallout from the conflict between Russia and Ukraine. Since the war between the two countries started in February 2022 — and even well before that — hacker groups from both sides developed and used a range of malware tools against each other. Many of the tools, including wipers and ransomware, have been destructive or disruptive in nature and mainly targeted critical infrastructure, ICS, and OT environments in both countries.

But on several occasions, attacks involving tools spawned from the long-standing conflict between the two countries have affected a broader swath of victims. The most notable example remains NotPetya, a malware tool that the Sandworm group originally developed for use in Ukraine, but which ended up impacting tens of thousands of systems worldwide in 2017. In 2023, the UK's National Cyber Security Centre (NCSC) and the US National Security Agency (NSA) warned of a Sandworm malware toolset dubbed "Infamous Chisel" posing a threat to Android users everywhere.

**Kapeka: A Sandworm Replacement for GreyEnergy?**

According to WithSecure, Kapeka is a novel backdoor that attackers can use as an early stage toolkit and for enabling long-term persistence on a victim system. The malware includes a dropper component for dropping the backdoor on a target machine and then removing itself. "Kapeka supports all basic functionalities that allow it to operate as a flexible backdoor in the victim's estate," says Mohammad Kazem Hassan Nejad, a researcher at WithSecure.

Its capabilities include reading and writing files from and to disk, executing shell commands, and launching malicious payloads and processes including living-off-the-land binaries. "After gaining initial access, Kapeka's operator can utilize the backdoor to perform a wide variety of tasks on the victim's machine, such as discovery, deploying additional malware, and staging next stages of their attack," Nejad says.

According to Nejad, WithSecure was able to find evidence suggesting a connection to Sandworm and the group's GreyEnergy malware used in attacks on Ukraine's power grid in 2018. "We believe Kapeka may be a replacement for GreyEnergy in Sandworm's arsenal," Nejad notes. Though the two malware samples do not originate from the same source code, there are some conceptual overlaps between Kapeka and GreyEnergy, just as there were some overlaps between GreyEnergy and its predecessor, BlackEnergy. "This indicates that Sandworm may have upgraded their arsenal with new tooling over time to adapt with the changing threat landscape," Nejad says.

**Fuxnet: A Tool to Disrupt and Destroy**

Meanwhile, Claroty's Brizinov identifies Fuxnet as ICS malware intended to cause damage to specific Russian-made sensor equipment. The malware is meant for deploying on gateways that monitor and collect data from physical sensors for fire alarms, gas monitoring, lighting, and similar use cases.

"Once the malware is deployed, it will brick the gateways by overwriting its NAND chip and disabling external remote access capabilities, preventing operators from remotely controlling the devices," Brizinov says.  

A separate module then attempts to flood the physical sensors themselves with useless M-Bus traffic. M-Bus is a European communications protocol for remotely reading gas, water, electric, and other meters. "One of the main purposes of Blackjack’s Fuxnet ICS malware \[is\] to attack and destroy the physical sensors themselves after gaining access to the sensor gateway," Brizinov says. To do so, Blackjack chose to fuzz the sensors by sending them an unlimited number of M-Bus packets. "In essence, BlackJack hoped that by endlessly sending the sensor random M-Bus packets, the packets would overwhelm them and potentially trigger a vulnerability that would corrupt the sensors and place them in an inoperable state," he says.

The key takeaway for organizations from such attacks is to pay attention to the security basics. Blackjack, for instance, appears to have gained root access to target sensor-gateways by abusing weak credentials on the devices. The attack highlights why it "is important to uphold a good password policy, making sure devices do not share the same credentials or use default ones," he says. "It is also important to deploy good network sanitization and segmentation, making sure attackers would not be able to move laterally inside the network, and deploy their malware to all edge devices."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Dangerous ICS Malware Targets Orgs in Russia and Ukraine

Once attackers have control over a workload in the cluster, they can leverage access for lateral movement both inside the cluster and to external resources.

Source: Sergey Novikov via Alamy Stock Photo

Known vulnerabilities in OpenMetadata's open source metadata repository have been under active exploit since the beginning of April, allowing threat actors to launch remote code execution cyberattacks against unpatched Kubernetes clusters, according to research from Microsoft Threat Intelligence.

OpenMetadata is an open source platform that operates as a management tool as well as a central repository for metadata. In mid-March, researchers published information on five new vulnerabilities (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254) that affected versions preceding v1.3.1, according to Microsoft's report.

And while many cybersecurity teams might have missed the advisory, adversaries picked up on the opportunity to break into vulnerable Kubernetes environments and leverage them for cryptocurrency mining, the vendor said.

"In this case, a vulnerable Kubernetes workload which is exposed to the Internet got exploited," Microsoft researcher Yossi Weizman explains. While the cybercriminals were engaged in crypto mining, he warns there's a wide range of nefarious activity an adversary can engage in once they're inside a Kubernetes cluster.

"In general (not specifically in this case), once attackers have control over a workload in the cluster, they can try to leverage this access also for lateral movement, both inside the cluster and also to external resources," Weizman adds.

OpenMetadata administrators are advised to update, use strong authentication, and reset any default credentials in use.

Active Kubernetes RCE Attack Relies on Known OpenMetadata Vulns

Users will need to download the latest version of Ivanti's Avalanche to apply fixes for all of the bugs.

Source: Alexander Tolstykh via Shutterstock

Ivanti has released 27 fixes for various reported vulnerabilities in its 2024 first-quarter release. None of the vulnerabilities are being actively exploited, according to the vendor.

The company recommends users download the Avalanche installer and update to the latest version of Avalanche 6.4.3, which will, in turn, apply all the fixes listed in the update.

Each of the vulnerabilities has a CVSS score, ranging from a 4.3, a vulnerability that can allow an authenticated remote attacker to view sensitive information in memory, to a 9.8, a heap overflow vulnerability in the WLAvalancheService part of Avalanche, prior to version 6.4.3, that allows a remote attacker to execute commands without authentication.

Ivanti urges its users to ensure that their MSSQL database password is readily available because it does not store the password. Users can download the Avalanche 6.4.3 release through Ivanti, along with information on next steps to take.

**About the Author(s)**

Ivanti Releases Fixes for More Than 2 Dozen Vulnerabilities

Moobot, Miori, AGoent, and a Gafgyt variant have joined the infamous Mirai botnet in attacking unpatched versions of vulnerable Wi-Fi routers.

Source: Stuart Miles via Alamy Stock Photo

A number of botnets are pummeling a nearly year-old command-injection vulnerability in TP-Link routers to compromise the devices for IoT-driven distributed denial of service (DDoS) attacks.

There already is a patch for the flaw, tracked as CVE-2023-1389, found in the Web management interface of the TP-Link Archer AX21 (AX1800) Wi-Fi router and affecting devices Version 1.1.4 Build 20230219 or prior.

However, threat actors are taking advantage of unpatched devices to dispatch various botnets — include Moobot, Miori, AGoent, a Gafgyt variant, and variants of the infamous Mirai botnet — that can compromise the devices for DDoS and further nefarious activity, according to a blog post from Fortiguard Labs Threat Research.

"Recently, we observed multiple attacks focusing on this year-old vulnerability," which already was previously exploited by the in Mirai botnet, according to the post by Fortiguard researchers Cara Lin and Vincent Li. Fortiguard's IPS telemetry has detected significant traffic peaks, which alerted the researchers to the malicious activity, they said.

**Exploiting the TP-Link Flaw**

The flaw creates a scenario in which there is no sanitization of the "Country" field of the router's management interface, "so an attacker can exploit it for malicious activities and gain foothold," according to TP-Link's security advisory for the flaw.

"This is an unauthenticated command-injection vulnerability in the 'locale' API available via the web management interface," Lin and Li explained.

To exploit it, users can query the specified form "country" and conduct a "write" operation, which is handled by the "set\_country" function, the researchers explained. That function calls the "merge\_config\_by\_country" function and concatenates the argument of the specified form "country" into a command string. This string is then executed by the "popen" function.

"Since the 'country' field won't be emptied, the attacker can achieve command injection," the researchers wrote.

**Botnets to the Siege**

TP-Link's advisory when the flaw was revealed last year included acknowledgement of exploitation by the Mirai botnet. But since then other botnets as well as various Mirai variants also have taken siege against vulnerable devices.

One is Agoent, a Golang-based agent bot that attacks by first fetching the script file "exec.sh" from an attacker-controlled website, which then retrieves the Executable and Linkable Format (ELF) files of different Linux-based architectures.

The bot then executes two primary behaviors: the first is to create the host username and password using random characters, and the second is to establish connection with command and control (C2) to pass on the credentials just created by the malware for device takeover, the researchers said.

A botnet that creates denial of service (DoS) in Linux architectures called the Gafgyt variant also is attacking the TP-Link flaw by downloading and executing a script file and then retrieving Linux architecture execution files with the prefix filename "rebirth." The botnet then gets the compromised target IP and architecture information, which it concatenates into a string that is part of its initial connection message, the researchers explained.

"After establishing a connection with its C2 server, the malware receives a continuous 'PING' command from the server to ensure persistence on the compromised target," the researchers wrote. It then waits for various C2 commands to create DoS attacks.

The botnet called Moobot also is attacking the flaw to conduct DDoS attacks on remote IPs via a command from the attacker's C2 server, the researchers said. While the botnet targets various IoT hardware architectures, Fortiguard researchers analyzed the botnet's execution file designed for the "x86\_64" architecture to determine its exploitation activity, they said.

A variant of Mirai also is conducting DDoS attacks in its exploitation of the flaw by sending a packet from the C&C server to direct the endpoint to initiate the attack, the researchers noted.

"The command specified is 0x01 for a Valve Source Engine (VSE) flood, with a duration of 60 seconds (0x3C), targeting a randomly selected victim's IP address and the port number 30129," they explained.

Miori, another Mirai variant, also has joined the fray to conduct brute-force attacks on compromised devices, the researchers noted. And they also observed attacks by Condi that remains consistent with a version of the botnet that was active last year.

The attack retains the function to prevent reboots by deleting binaries responsible for shutting down or rebooting the system, and scans active processes and cross-references with predefined strings to terminate processes with matching names, the researchers said.

**Patch & Protect to Avoid DDoS**

Botnet attacks that exploit device flaws to target IoT environments are "relentless," and thus users should be vigilant against DDoS botnets," the researchers noted. Indeed, IoT adversaries are advancing their attacks by pouncing on unpatched device flaws to further their sophisticated attack agendas.

Attacks against TP-Link devices can be mitigated by applying the available patch for affected devices, and this practice should be followed for any other IoT devices "to safeguard their network environments from infection, preventing them from becoming bots for malicious threat actors," the researchers wrote.

Fortiguard also included in its post various indicators of compromise (IoCs) for the different botnet attacks, including C2 servers, URLs, and files that can help server administrators identify an attack.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Source

DARKReading