Plus: Google holds off on killing cookies, Samourai Wallet founders get arrested, and GM stops driver surveillance program.

Controversial gunshot-detection company ShotSpotter has deployed more than 25,000 microphones across 170 cities worldwide. This week, WIRED and _South Side Weekly_ revealed the company may continue to provide gunshot data to police in cities even after contracts have ended. Internal emails seen by the publications suggest ShotSpotter sensors may have stayed online despite law enforcement deals having expired, raising questions about what will happen to 2,500 microphones in Chicago when its contract runs out at the end of the year.

Elsewhere, Change Healthcare finally admitted to paying a ransom to the AlphV hackers, also known as BlackCat, that extorted the medical company. Weeks ago, WIRED revealed the attackers were paid $22 million, one of the largest ransomware payments ever. However, in a statement this week the company admitted for the first time that it paid the ransom as part of its effort “to do all it could to protect patient data from disclosure.” Some of that data still found its way onto the dark web.

In another successful grift, researchers have found animators in North Korea creating artwork for major Hollywood studios. A misconfigured North Korea cloud server, discovered at the end of last year, contained thousands of animation files, notes, and working documents for productions of shows that stream on Amazon Prime Video and Max. The companies likely didn’t know workers from the Hermit Kingdom were creating the artwork, but it’s another example of how North Korea is using skilled workers to circumvent sanctions and make the regime money.

Meanwhile, Cisco revealed this week that some of its devices, called Adaptive Security Appliances, have been targeted by state-sponsored hackers who exploited two zero-day vulnerabilities in the systems. The attack, dubbed ArcaneDoor, is believed to have had an espionage focus and sources suspect China’s state-backed hackers may be the culprits.

The November presidential elections may still be months away, but the next US president will have increased surveillance capabilities. This week Joe Biden signed a controversial bill extending and enhancing Section 702 of the Foreign Intelligence Surveillance Act. FISA allows spy agencies to collect Americans’ calls, emails, and more when pursuing foreign intelligence. Critics say the changes are “a gift to any president who may wish to spy on political enemies.”

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**School Principal Framed Using AI Voice Deepfake**

In January, an Instagram account in Baltimore, Maryland, posted an alleged audio recording of local school principal Eric Eiswert making racist and antisemitic comments. Baltimore County Public Schools quickly opened an investigation into the incident. However, this week, a former athletic director at Pikesville High School was arrested after police said he used artificial intelligence software to create the fake audio clip of Eiswert. The audio included comments about “ungrateful Black kids” and disparaging remarks about the Jewish community.

Dazhon Darien, the former staff member, was arrested after being stopped in possession of a gun at an airport when officials saw there was an outstanding arrest warrant, the _Baltimore Banner_ reported. The media organization reports that Darien was charged with disrupting school activities and stalking. The fake clip was allegedly made in retaliation for the principal investigating Darien over irregular payments to his roommate.

Police reports, the _Banner_ says, indicate that the audio clip had a “profound” impact on the school principal. “It not only led to Eiswert’s temporary removal from the school but also triggered a wave of hate-filled messages on social media and numerous calls to the school,” police reports said.

Voice-cloning technology, which can fall under the broader banner of deepfake technology, has rapidly improved within the last year. Cloning tools can recreate someone’s voice to a relatively realistic level using just a few seconds of real audio. The systems have increasingly been used to impersonate politicians and scam people over the phone.

**General Motors Stops Driving Surveillance, Following Privacy Complaints**

Your car knows a lot about you—from where and how you drive, to your weight and how you sit. This week, following a series of revelations from _New York Times_ reporter Kashmir Hill, General Motors announced it will end its “Smart Driver” program and unenroll all customers. Until the reports from the _Times_, GM was sharing data with data brokers LexisNexis and Verisk, which shared it with insurers and led to high payments for some people. The OnStar Smart Driver program had been designed to promote safer driving, GM said. However, many people were not aware they had been enrolled in the system. Ten lawsuits have been filed so far about the Smart Driver program and how it shared data.

**Google Delays Killing Cookies—Again**

In January 2020, Google said it would remove third-party cookies from Chrome within two years—following Safari, Brave, Firefox, and other browsers in eradicating the tracking technology. It’s now April 2024 and the company has delayed the change for a third time, saying it’ll happen in 2025. Google’s proposed cookie replacement has faced scrutiny from competition and privacy regulators in the UK, with critics saying cookies are just being replaced by another form of tracking and suggesting the changes could further benefit Google’s ad business.

**Samourai Wallet Founders Arrested Over $2 Billion Unlawful Transactions**

Keonne Rodriguez and William Lonergan Hill, the founders of crypto-mixing service Samourai Wallet, were charged by US prosecutors this week for running an unlicensed money transfer business and conspiracy to commit money laundering. The company processed $2 billion in “unlawful transactions” and “facilitated more than $100 million in money laundering,” according to Damian Williams, the United States Attorney for the Southern District of New York, and other investigators. The charges can carry a maximum of 20 years each. The move comes as US prosecutors try to clampdown on crypto mixing services that may be used to hide funds or allow illicit behavior. Mixers Bitcoin Fog, Helix, and Tornado Cash have all faced action in recent years.

**Chinese Keyboard Vulnerabilities Could Reveal Typing**

New research from the University of Toronto’s Citizen Lab this week revealed vulnerabilities in eight Chinese keyboard apps that, if exploited, could allow everything typed to be intercepted. Up to a billion people may be impacted, the researchers say. They tested apps from major technology companies and phone makers, including Baidu, Honor, Huawei, Samsung and Tencent. “Most of the vulnerable apps can be exploited by an entirely passive network eavesdropper,” they researchers write, adding that most of the impacted companies fixed the vulnerabilities when they were reported.

School Employee Allegedly Framed a Principal With Racist Deepfake Rant

The semiconductor manufacturing giant's security team describes how hardware hackathons, such as Hack@DAC, have helped chip security by finding and sharing hardware vulnerabilities.

Source: kawin ounprasertsuk via Alamy Stock Photo

Ever since the first Hack@DAC hacking competition in 2017, thousands of security engineers have helped discover hardware-based vulnerabilities, develop mitigation methods, and perform root cause analysis of issues found.

Intel initially decided to organize the competition, which draws security professionals from academia and industry partners around the world, to raise awareness about hardware-based vulnerabilities and to promote the need for more detection tools, says Arun Kanuparthi, a principal engineer and offensive security researcher at Intel. Another goal behind Hack@DAC, capture-the-flag competitions, and other hackathonsis to draw the attention of chip designers, to motivate them to design silicon more securely, he says.

"There is very little awareness of hardware security weaknesses in general," says Kanuparthi, who spoke about lessons Intel learned from years running Hack@DAC at the recent Black Hat Asia conference in Singapore. "And we thought, really, how can we get this awareness amongst the security research community?"

"If you look at software, there are lots of tools for security, with software or firmware, but when you look at hardware, there are really only a handful of EDA or electronic design automation tools," Kanuparthi says.

These kinds of events are effective for bringing people together to find vulnerabilities and share their knowledge. CTFs are established methods for teaching and learning new skills and best practices. Intel also believes it is important to give students "an experience of what it feels like to be a security researcher at a design company," says Kanuparthi.

Intel is now accepting entries for the 2024 Hack@DAC, which will take place in June in San Francisco.

**Tackling Hard Problems**

When Intel first organized Hack@DAC, there was no standard design or open-source platform for discovering or sharing information on hardware vulnerabilities, says Hareesh Khattri, a principal engineer for offensive security research at Intel. That has changed with Intel’s collaboration with Texas A&M University and Technical University of Darmstadt in Germany. The professors and students took open-source projects and inserted existing hardware vulnerabilities to create a common framework for detecting them and new ones.

"And now a lot of hardware security research papers have also started citing this work," Khattri says.

In 2020, Intel joined other semiconductor manufacturers in aligning with MITRE’s Common Weakness Enumeration (CWE) team, which lists and classifies potential vulnerabilities in software, hardware and firmware to bring more focus to hardware.  It was an attempt to address a gap, since MITRE only maintained software weakness types, and CWE fell short of addressing root cause analyses of hardware vulnerabilities, Kanuparthi recalls.

"If a hardware issue was identified, \[the CWE\] would be tagged with some generic catch-all kind of \[alert that said\] there’s a problem or the system does not work as expected," Kanuparthi says. "But now there is a design view for hardware which you can root cause that this is specifically the problem. And that has largely been the output of some of the work that we have been doing that led to hack attack and the creation of the hybrid CWE."

As semiconductor manufacturers accelerate their focus on adding designs that can support new AI capabilities, security researchers are looking to identify weaknesses even closer to hardware design, Khattri adds. That has accelerated interest in new efforts like the Google-contributed OpenTitan Project, an open-source reference design and integration guidelines for securing root of trust RoT chips.

The efforts behind Hack@DAC and Intel’s work with MITRE on CWE have led to improved tooling, Khattri says. For example, hardware vulnerability assessment tool provider Cycuity (which uses OpenTitan as a benchmark for how its tool measures CWEs) claims its Radix can now identify 80% of known hardware weaknesses in the CWE database.

"We’ve seen a lot of progression in this space compared to when we started it," Khattri says. "Now, a lot of security research communities’ focus has gone towards trying to identify weaknesses that are closer to the hardware design."

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Intel Harnesses Hackathons to Tackle Hardware Vulnerabilities

The targeted operation utilized CVE-2017-8570 as the initial vector and employed a notable custom loader for Cobalt Strike, yet attribution to any known threat actor remains elusive.

Source: Yuriy Tuchkov via Alamy Stock Photo

An unknown threat actor targeted government entities in Ukraine toward the end of 2023 using an old Microsoft Office remote code execution (RCE) exploit from 2017 (CVE-2017-8570) as the initial vector and military vehicles as the lure.

The threat actor initiated the attack using a malicious PowerPoint file (.PPSX) sent as an attachment through a message on secure messaging platform Signal. This file, which masqueraded as an old instruction manual by the US Army for mine-clearing blades for tanks, had in fact a remote relationship to an external script hosted on a Russian virtual private server (VPS) provider domain protected by Cloudflare.

The script executed the CVE-2017-8570 exploit to achieve RCE, according to a Deep Instinct blog post on the attack this week, in an effort to steal information.

**Underneath the Hood of a Tricky Cyberattack**

In terms of the technical nitty-gritty, the obfuscated script masqueraded as Cisco AnyConnect APN configuration and was responsible for setting persistency, decoding, and saving the embedded payload to disk, which happened in several stages to evade detection.

The payload includes a loader/packer dynamic link library (DLL) named "vpn.sessings" that loads a Cobalt Strike Beacon into memory and awaits instructions from the command-and-control (C2)  server of the attacker.

Mark Vaitzman, threat lab team leader at Deep Instinct, notes that the penetration testing tool Cobalt Strike is very commonly used among threat actors, but this particular beacon makes use of a custom loader that relies on several techniques that slow down analysis.

"It is continuously updated to provide attackers with a simple way to move laterally once the initial footprint is set," he says. "\[And\] it was implemented in several anti-analysis and unique evasion techniques."

Vaitzman notes that in 2022, a severe CVE allowing RCE was found in Cobalt Strike — and many researchers predicted that threat actors would alter the tool to create open source alternatives.

"Several cracked versions can be found on underground hacking forums," he says.

Beyond the tweaked version of Cobalt Strike, he says, the campaign is also notable for the lengths to which the threat actors continuously attempt to masquerade their files and activity as a legitimate, routine OS and common applications operations, to remain hidden and maintain the control of infected machines as long as possible. In this campaign, he says, the attackers took this "living off the land" strategy further.

"This attack campaign shows several masquerading techniques and a smart way of persistence that has not been documented yet," he explains, without divulging details.

**Cyberthreat Group Has Unknown Make & Model**

Ukraine has been targeted by multiple threat actors on multiple occasions during its war with Russia, with the Sandworm Group serving as the aggressor's primary cyberattack unit.

But unlike in most attack campaigns during the war, the threat lab team couldn’t link this effort to any known threat group, which may indicate that this is the work of a new group or representative of a fully upgraded tool set of a known threat actor.

Mayuresh Dani, manager of security research at Qualys Threat Research Unit, points out the use of geographically disparate sources to help the threat actors dispel attribution also make it difficult for security teams to provide targeted protection based on geographical locations.

"The sample was uploaded from Ukraine, the second stage was hosted and registered under a Russian VPS provider, and the Cobalt beacon \[C2\] was registered in Warsaw, Poland," he explains.

He says that what he found most interesting about the chain of attack was that the initial compromise was accomplished via the secure Signal app.

"The Signal messenger has been largely used by security-focused personnel or those who are involved in sharing clandestine information, such as journalists," he notes.

**Beef Up Cyber Armor With Security Awareness, Patch Management**

Vaitzman says that because most of cyberattacks start with phishing or link-luring via emails or messages, broader employee cyber awareness plays an important role in mitigating such attack attempts.

And for security teams, "We also recommend scanning for the provided IoCs in the network, as well as making sure that Office is patched to the latest version," Vaitzman says.

Callie Guenther, senior manager of cyber threat research at Critical Start, says that from a defense perspective, the reliance on older exploits also stresses the importance of robust patch management systems.

"Additionally, the sophistication of the attack underscores the need for advanced detection mechanisms that go beyond signature-based cyber-defense approaches," she says, "incorporating behavior and anomaly detection to identify modified malicious software."

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Military Tank Manual, 2017 Zero-Day Anchor Latest Ukraine Cyberattack

Plus, new details emerge on the Scattered Spider cybercrime network and ArcaneDoor.

Thursday, April 25, 2024 14:00

I wrote last week about the problems arising from the massive backlog of vulnerabilities at the U.S. National Vulnerability Database.  

Thousands of CVEs are still without analysis data, and the once-reliable database of every single vulnerability that’s disclosed and/or patched is now so far behind, it could take up to 100 days for the National Institute of Standards and Technology (NIST) to catch up, and that would be assuming no new vulnerabilities are disclosed during that period. 

While the U.S. government and NIST try to sort out a potential solution, and hopefully await more funding and restructuring, NIST says it’s hoping to launch a consortium to help either rebuild the NVD or create a replacement.  

Other security experts have floated the idea of other companies or organizations creating a brand-new solution of their own. The main problem with that is, what’s in it for them?  

What works about the NVD is that it’s funded by the U.S. government, so the money is always coming in to help fund the workforce and at least gives MITRE and the other private companies who contribute to the NVD motivation to keep working on it. 

To start up a whole new database of \*every\* CVE out there would take countless man-hours, and then what at the end? Would the company or person(s) who created it start charging for access? 

Several open-source solutions have_man-hours_ popped up over the past few weeks, such as “NVD Data Overrides,” which “is meant to provide additional data that is currently missing from NVD.” However, these types of volunteer projects still can’t assign CVSS scores, because only the NVD is authorized to hand out official NVD CVSS scores. 

This brings up another problem for private companies that may want to develop a solution: Do they want to play referee?  

Sometimes, when there’s a disagreement on how severe a vulnerability is and what severity score to assign it, the NVD will weigh in and provide their own, independently calculated CVSS score. Who really wants to be the “bad guy” to get between a massive tech company like Microsoft or Apple and a security researcher saying a vulnerability is a 9.5 out of 10 CVSS? 

I absolutely give major credit to any volunteers or open-source developers who are working on their own solutions for essentially nothing — but how long can we expect them to keep maintaining these databases? 

Unfortunately, I don’t have a great answer for this, either. I’m far from an expert on vulnerability management, nor do I have any connections to the federal government. But I do feel the onus is on the government to come up with a solution, and potentially provide incentives for companies and researchers to participate in this new proposed consortium because I don’t see the incentives there for the private sector to come up with their own solution.  

**The one big thing **

ArcaneDoor is a new campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Talos and Cisco PSIRT recently identified a previously unknown actor, now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor. UAT4356 deployed two backdoors as components of this campaign, “Line Runner” and “Line Dancer,” which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.   

**Why do I care? **

Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications. In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations — critical infrastructure entities that are likely strategic targets of interest for many foreign governments. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. 

**So now what? **

There are some known indicators of compromise that customers can look for if they suspect they may have been targeted in this campaign. First, organizations should look for any flows to/from ASA devices to any of the IP addresses present in the IOC list provided at the bottom of this blog. This is one indication that further investigation is necessary. Potential targets can also follow the steps detailed in the Cisco ASA Forensic Investigation Procedures for First Responders. When following these procedures, first responders should NOT attempt to collect a core dump or reboot the device if they believe that the device has been compromised, based on the lina memory region output. Talos also released some Snort signatures to detect the activity on the wire including access attempts. Snort Signatures 63139, 62949 and 45575 have been released to detect the implants or associated behaviors. 

**Top security headlines of the week **

**A previously known Windows print spooler bug is still being actively exploited, according to Microsoft.** The company’s threat research team recently disclosed that APT28, a well-known Russian state-sponsored actor, is exploiting the vulnerability to deliver a previously unknown malware called “GooseEgg.” Microsoft disclosed and patched CVE-2022-38028 in October 2022, but APT28 may have been exploiting it as far back as 2020. The actor’s exploitation involved modifying a JavaScript constraints file in the printer spooler and executing it with SYSTEM-level permissions. The new research prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2022-38028 to its Known Exploited Vulnerabilities (KEV) catalog. If installed, GooseEgg can load other applications with System-level permissions and allow the adversary to execute remote code on the targeted device or deploy other backdoors. Another set of print spooler vulnerabilities, called PrintNightmare, made headlines in July 2021, though no one reported active exploitation of that vulnerability at the time. (SC Magazine, Security Week) 

**A new investigation revealed how members of the group Scattered Spider are partnering with Russian state-sponsored actors to carry out ransomware attacks.** Scattered Spider is made up of younger individuals based out of the U.S., U.K. and Canada. They are primarily English speakers who have been blamed for several notable ransomware attacks, including one against MGM Casinos that disrupted operations at several casinos and hotels last year. The group specializes in social engineering, more recently using LinkedIn to steal employee information and use that to infiltrate corporate networks. Members, some as young as teenagers, are connecting over the dark web and online forums like Discord and use their advanced knowledge of Western civilization to provide crucial details to Russian actors. The “60 Minutes” investigation also included new details about The Community (aka “The Comm,” the online collection of hackers who like to brag about their recent cybercrimes, often through Telegram. (CBS News) 

**The U.S. government has re-upped a law that expands government surveillance by opening the door for private companies to partner with the government on these types of activities.** The controversial Foreign Intelligence Surveillance Act (FISA) was re-approved just hours after it lapsed. The White House and proponents in U.S. Congress argued that the powers granted in Section 702 of the FISA helps prevent the spread of terrorism and cyber attacks and that any lapse in those powers would harm the government’s ability to gather crucial intelligence. However, privacy advocates say that the FISA is an overreach, and provides too much power for private companies to potentially spy on consumers. The bill also includes a new definition of “electronic communications service provider,” which could allow the U.S. government to force Big Tech companies and telecommunications providers to hand over users’ data if requested. (NBC News, TechCrunch) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #180: What are the dangers of enabling sideloading and third-party apps? 
*   Suspected CoralRaider continues to expand victimology using three information stealers 
*   Brute-force attacks surge worldwide, warns Cisco Talos    
*   Cisco Warns of Massive Surge in Password-Spraying Attacks on VPNs 
*   Rare Computer Virus Detected in Ukrainian Network, Confidential Document Potentially Compromised 

**Upcoming events where you can find Talos **

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**Most prevalent malware files from Talos telemetry over the past week **

_This section will be on a brief hiatus while we work through some technical difficulties._ _Several open-source solutions have_

The private sector probably isn’t coming to save the NVD

Attacks by a previously unknown threat actor leveraged two bugs in firewall devices to install custom backdoors on several government networks globally.

Source: Znakki via Shutterstock

A state-sponsored threat actor has exploited two Cisco zero-day vulnerabilities in firewall devices to target the perimeter of government networks with two custom-built backdoors, in a global cyber-espionage campaign.

Dubbed "ArcaneDoor," the campaign by the previously unknown actor — which researchers from Cisco Talos track as UAT4356 — has targeted Cisco Adaptive Security Appliance (ASA) firewall devices of several Cisco customers since at least December 2023, Cisco Talos researchers revealed in a blog post.

While the actor's initial access vector remains unknown, once it occurs, UAT4356 used a "sophisticated attack chain" involving exploit of the two vulnerabilities — a denial-of-service flaw tracked as CVE-2024-20353 and a persistent local execution flaw tracked as CVE-2024-20359 that have since been patched — to implant malware and execute commands across a small set of Cisco customers. Cisco Talos also flagged a third flaw in ASA, CVE-2024-20358, that was not used in the ArcaneDoor campaign.

The researchers also found evidence that the actor has interest in and potentially will attack devices from Microsoft and other vendors, making it crucial that organizations ensure that all perimeter devices "are properly patched, logging to a central, secure location, and configured to have strong multifactor authentication (MFA)," Cisco Talos wrote in the post.

**Custom Backdoor Malware for Global Governments**

The first sign of suspicious activity in the campaign came in early 2024 when a customer reached out to Cisco's Product Security Incident Response Team (PSIRT) and Cisco Talos about security concerns with its ASA firewall devices.

A subsequent several-months-long investigation conducted by Cisco and intelligence partners uncovered threat actor-controlled infrastructure dating back to early November 2023. Most of the attacks — all of which targeted government networks globally —occurred between December and early January. There is also evidence that the actor — which Microsoft also is now tracking as STORM-1849 — was testing and developing its capability as early as last July.

The primary payloads of the campaign are two custom backdoors— "Line Dancer" and "Line Runner" — which were used together by UAT4356 to conduct malicious activities on the network, such as configuration and modification; reconnaissance; network traffic capture/exfiltration; and potentially lateral movement.  

Line Dancer is a memory-resident shellcode interpreter that enables adversaries to upload and execute arbitrary shellcode payloads. In the campaign, Cisco Talos observed the malware being used to execute various commands on an ASA device, including: disabling the syslog; running and exfiltrating the command show configuration; creating and exfiltrating packet captures; and executing commands present in the shellcode, among other activities.

Line Runner meanwhile is a persistence mechanism deployed on the ASA device using functionality related to a legacy capability that allowed for the pre-loading of VPN clients and plugins on the device during booting that can be exploited as CVE-2024-20359, according to Cisco Talos. In at least one case, the threat actor also abused CVE-2024-20353 to facilitate this process.

"The attackers were able to leverage this vulnerability to cause the target ASA device to reboot, triggering the unzipping and installing" of Line Runner, according to the researchers.

**Protect the Perimeter From Cyberattackers**

Perimeter devices, which sit at the edge between an organization's internal network and the Internet, "are the perfect intrusion point for espionage-focused campaigns," providing threat actors a way to gain a foothold to "directly pivot into an organization, reroute or modify traffic, and monitor network communications into the secure network, according to Cisco Talos.

Zero-days on these devices are an especially attractive attack surface on these devices, notes Andrew Costis, chapter lead of the Adversary Research Team at MITRE ATT&CK testing firm AttackIQ.

"We've seen time and time again critical zero and n-day vulnerabilities being exploited with all of the mainstream security appliances and software," he says, noting previous attacks on bugs in devices from Ivanti, Palo Alto Networks, and others.

The threat to these devices highlights the need for organizations to "routinely and promptly" patch them using up-to-date hardware and software versions and configurations, as well as maintain close security monitoring of them, according to Cisco Talos.

Organizations also should focus on post-compromise TTPs of threat actors and test known adversary behaviors as part of "a layered approach" to defensive network operations, Costis says.

**Detecting ArcaneDoor Cyberattack Activity**

Indicators of compromise (IoCs) that customers can look for if they suspect they may have been targeted by ArcaneDoor include any flows to/from ASA devices to any of the IP addresses present in the IOC list included in the blog.

Organizations also can issue the command "show memory region | include lina" to identify another IOC. "If the output indicates more than one executable memory region … especially if one of these memory sections is exactly 0x1000 bytes, then this is a sign of potential tampering," Cisco Talos wrote.  

And, Cisco provided two sets of steps that network administrators can take to identify and remove the ArcaneDoor persistence backdoor Line Runner on an ASA device once the patch is applied. The first is to conduct a review of the contents of disk0; if a new file (e.g., "client\_bundle\_install.zip" or any other unusual .zip file) appears on the disk, it means that Line Runner had been present but is no longer active due to the update.

Administrators also can follow a series of commands provided that will create an innocuous file with a .zip extension that will be read by the ASA at reboot. If it appears on disk0, it means that Line Runner likely was present on the device in question. Administrators can then delete the "client\_bundle\_install.zip" file to remove the backdoor.

If administrators find a newly created .zip file on their ASA devices, they should copy that file off the device and email \[email protected\] using a reference to CVE-2024-20359 and including the outputs of the "dir disk0:" and "show version" commands from the device, as well as the .zip file that they extracted.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cisco Zero-Days Anchor 'ArcaneDoor' Cyber-Espionage Campaign

Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information.

Thursday, April 25, 2024 08:00

Business email compromise (BEC) was the top threat observed by Cisco Talos Incident Response (Talos IR) in the first quarter of 2024, accounting for nearly half of engagements, which is more than double what was observed in the previous quarter.  

The most observed means of gaining initial access was the use of compromised credentials on valid accounts, which accounted for 29 percent of engagements. The high number of BEC attacks likely played a significant role in valid accounts being the top attack vector this quarter. Weaknesses involving multi-factor authentication (MFA) were observed within nearly half of engagements this quarter, with the top observed weakness being users accepting unauthorized push notifications, occurring within 25 percent of engagements.  

There was a slight decrease in ransomware this quarter, accounting for 17 percent of engagements. Talos IR responded to new variants of Phobos and Akira ransomware for the first time this quarter. 

Manufacturing was the most targeted vertical this quarter, closely followed by education, a continuation from Q4 2024 where manufacturing and education were also two of the most targeted verticals. There was a 20 percent increase in manufacturing engagements from the previous quarter. 

The manufacturing sector faces unique challenges due to its inherently low tolerance for operational downtime. This quarter, Talos IR observed a wide range of threat activity targeting manufacturing organizations including financially motivated attacks, such as BEC and ransomware, and some brute force activity targeting virtual private network (VPN) infrastructure. The use of compromised credentials on valid accounts was the top observed attack vector within attacks targeting the manufacturing sector this quarter, which represents a change from the previous quarter when the top attack vector observed in these types of engagements was exploiting vulnerabilities in public-facing applications.   

**Watch discussion on the report's biggest trends**

**Surge in BEC **

Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information. BEC attacks can have many motivations, often financially driven, aimed at tricking organizations into transferring funds or sensitive information to malicious actors.  

BEC offers adversaries the advantage of impersonating trusted contacts to facilitate internal spearphishing attacks that can bypass traditional external defenses and increase the likelihood of deception, widespread malware infections and data theft. 

In one engagement, adversaries performed a password-spraying attack and MFA exhaustion attacks against several employee accounts. There was a lack of proper MFA implementation across all the impacted accounts, leading to the adversaries gaining access to at least two accounts using single-factor authentication. The organization detected and disrupted the attack before adversaries could further their access or perform additional post-compromise activities.    

In another cluster of activity, several employees received spear-phishing emails that contained links that, when clicked, led to a redirection chain of web pages ultimately landing on a legitimate single sign-on (SSO) prompt that was pre-populated with each victim’s email address. The attack was unsuccessful because none of the employees interacted with the email, which was likely due to multiple red flags. For example, the email was unexpected and sent from an external email address, and there was small text within the email that referred to the email as a fax, which was all indicators of a phishing attempt. 

**Ransomware trends **

Ransomware accounted for 17 percent of engagements this quarter, an 11 percent decrease from the previous quarter. Talos IR observed new variants of Akira and Phobos ransomware for the first time this quarter. 

**Akira **

Talos IR responded to an Akira ransomware attack for the first time this quarter in an engagement where affiliates deployed the latest ESXi version, “Akira\_v2,” as well as a Windows-based variant of Akira named “Megazord.” These new Akira variants are written in the Rust programming language, which is a notable change from the previously used C++ and Crypto++ programming languages.  

Talos IR could not determine how initial access was gained, which is common because ransomware attacks often involve multi-stage attack strategies that add additional complexity during the investigation process. Once inside the network, the adversaries began collecting credentials from the memory of the Local Security Authority Subsystem Service (LSASS) and the New Technology Directory Services Directory Information Tree (NTDS.dit) database, where Active Directory data is stored, and leveraged Remote Desktop Protocol (RDP) for lateral movement. Prior to encryption, Megazord ransomware began executing several commands to disable tools and impair defenses, including “net stop” and “taskkill.” Akira\_v2 appended the file extension “.akiranew” during encryption, while Megazord ransomware appended the file extension “.powerranges”.   

First discovered in early 2023, Akira operates as a ransomware-as-a-service (RaaS) model and employs a double extortion scheme that involves exfiltrating data before encryption. Akira affiliates are known to heavily target small- to medium-sized businesses within several verticals primarily located within the U.S. but have targeted organizations within the U.K., Canada, Iceland, Australia and South Korea. Akira affiliates are notorious for leveraging compromised credentials and exploiting vulnerabilities as a means of gaining initial access, such as the SQL injection vulnerability, tracked as CVE-2021-27876, affecting certain versions of Zoho ManageEngine ADSelfService Plus, and the vulnerability, tracked as CVE-2023-27532, affecting certain versions of Veeam’s Backup & Replication (VBS) software.    

**Phobos **

Talos IR has previously observed variants of Phobos ransomware, such as “Faust,” but this quarter, Talos IR responded to an engagement with the “BackMyData” variant of Phobos ransomware. The adversaries leveraged Mimikatz to dump credentials from Active Directory. The adversary also installed several tools in the NirSoft product suite designed to recover passwords, such as PasswordFox and ChromePass, for additional credential enumeration. 

The adversaries used PsExec to access the domain controller before setting a registry key to permit remote desktop connections. Shortly after, the adversaries also modified the firewall to allow remote desktop connections using the Windows scripting utility, netsh. The remote access tool AnyDesk was downloaded to enable remote access as a means of persistence in the environment. Talos IR assessed with high confidence that Windows Secure Copy (WinSCP) and Secure Shell (SSH) were likely used to exfiltrate staged data. Adversaries also relied on PsExec to execute commands, such as deleting volume shadow copies, as a precursor to deploying the ransomware executable. After encryption, the ransomware appended the file extension “.fastbackdata”.   

A notable finding was the persistent use of the “Users/\[username\]/Music” directory as a staging area for data exfiltration to host malicious scripts, tools and malware, a common technique used by numerous ransomware affiliates to evade detection and remain persistent in the environment. Talos IR also identified a digitally signed executable, “HRSword,” developed by Beijing Huorong Network Technology. It is a tool the affiliate used during the attack for potential secure file deletion and as a defensive measure to disable endpoint protection tools, which Phobos affiliates were previously using, according to public reporting.   

Phobos ransomware first emerged in late 2018 and shared many similarities with the Crysis and Dharma ransomware families. Unlike other ransomware families, there are many variants of Phobos ransomware, such as Eking, Eight, Elbie, Devos and Faust. There is little information known about the business model leveraged by the Phobos ransomware operation. In November 2023, Cisco Talos analyzed over a thousand samples of Phobos ransomware to learn more about the affiliate structure and activity, which revealed that Phobos may operate a RaaS model due to the hundreds of contact emails and IDs associated with Phobos campaigns, indicating the malware has a dispersed affiliate base. Talos assessed with moderate confidence that the Phobos ransomware operation is actively managed by a central authority, as there is only one private key capable of decryption in all observed campaigns. 

**Other observed threats  **

Talos IR responded to an attack where adversaries were attempting to brute force several Cisco Adaptive Security Appliances (ASAs). Although the adversaries were unsuccessful in their attack, this activity is in line with the recently observed trend affecting VPN services. 

Cisco Talos has recently seen an increase in malicious activity targeting VPN services, web application authentication interfaces, and Secure Shell (SSH) globally. Since at least March 18, Cisco has observed scanning and brute force activity sourcing from The Onion Router (TOR) exit nodes and other anonymous tunnels and proxies. 

Depending on the target environment, a successful attack could result in unauthorized access to a target network, possibly leading to account lockouts and denial-of-service (DoS) conditions. The brute force attempts include a combination of generic usernames and valid usernames unique to specific organizations. The activity seems indiscriminate and has been observed across multiple industry verticals and geographic regions. 

**Initial vectors **

The most observed means of gaining initial access was the use of compromised credentials on valid accounts, accounting for 29 percent of engagements, a continuation of a trend from the previous quarter when valid accounts were also a top attack vector. 

**Security weaknesses **

For the first time, users accepting unauthorized MFA push notifications was the top observed security weakness, accounting for 25 percent of engagements this quarter. The lack of proper MFA implementation closely followed, accounting for 21 percent of engagements, a 44 percent decrease from the previous quarter. 

Users must have a clear understanding of the appropriate business response protocols when their devices are overwhelmed with an excessive volume of push notifications. Talos IR recommends organizations educate their employees about the specific channels and points of contact for reporting these incidents. Prompt and accurate reporting enables security teams to quickly identify the nature of the issue and implement the necessary measures to address the situation effectively. Organizations should also consider implementing number-matching in MFA applications to provide an additional layer of security to prevent users from accepting malicious MFA push notifications. 

Talos IR recommends implementing MFA on all critical services including all remote access and identity access management (IAM) services. MFA will be the most effective method for the prevention of remote-based compromises. It also prevents lateral movement by requiring all administrative users to provide a second form of authentication. Organizations can set up alerting for single-factor authentication to quickly identify potential gaps. 

**Top observed MITRE ATT&CK techniques **

The table below represents the MITRE ATT&CK techniques observed in this quarter’s IR engagements and includes relevant examples and the number of times seen. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic based on the way they were leveraged. Please note, this is not an exhaustive list. 

Key findings from the MITRE ATT&CK framework include:  

*   Remote access software, such as SplashTop and AnyDesk, were used in 17 percent of engagements this quarter, a 20 percent decrease from the previous quarter.  
*   The use of email hiding rules was the top observed defense evasion technique, accounting for 21 percent of engagements this quarter.   
*   Scheduled tasks were leveraged by adversaries the most this quarter for persistence, accounting for 17 percent of engagements this quarter, a 33 percent increase from the previous quarter.  
*   The abuse of remote services, such as RDP, SSH, SMB and WinRM, more than doubled this quarter compared to the previous quarter, accounting for nearly 60 percent of engagements. 

Reconnaissance 

Example 

T1589.001 Gather Victim Identity Information: Credentials 

Adversaries may gather credentials that can be used during their attack.  

T1598.003 Phishing for Information: Spearphishing Link 

Adversaries may send a spearphishing email with a link to a credential harvesting page to collect credentials for their attack. 

Resource Development 

Example 

T1586.002 Compromise Accounts: Email Accounts 

Adversaries may compromise email accounts that can be used during their attack for malicious activities, such as internal spearphishing. 

T1583.001 Acquire Infrastructure: Domains 

Adversaries may acquire domains that can be used for malicious activities, such as hosting malware. 

T1608.001 Stage Capabilities: Upload Malware 

Adversaries may upload malware to compromised domains to make it accessible during their attack.  

T1583.008 Acquire Infrastructure: Malvertising 

Adversaries may purchase online advertisements, such as Google ads, that can be used distribute malware to victims. 

T1608.004 Stage Capabilities: Drive-by Target 

Adversaries may prepare a website for drive-by compromise by inserting malicious JavaScript.  

Initial Access 

Example 

T1078 Valid Accounts 

Adversaries may use compromised credentials to access valid accounts during their attack. 

T1566 Phishing 

Adversaries may send phishing messages to gain access to target systems. 

T1189 Drive-by Compromise 

Victims may infect their systems with malware over browsing, providing an adversary with access.  

T1190 Exploit in Public-Facing Application 

Adversaries may exploit a vulnerability to gain access to a target system. 

T1566.002 Phishing: Spearphishing Link 

Adversaries may send phishing emails with malicious links to lure victims into installing malware.  

Execution 

Example 

T1059.001 Command and Scripting Interpreter: PowerShell 

Adversaries may abuse PowerShell to execute commands or scripts throughout their attack. 

T1059.003 Command and Scripting Interpreter: Windows Command Shell 

Adversaries may abuse Windows Command Shell to execute commands or scripts throughout their attack. 

T1569.002 System Services: Service Execution 

Adversaries may abuse Windows service control manager to execute commands or payloads during their attack. 

Persistence 

Example 

T1053.005 Scheduled Task / Job: Scheduled Task 

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for recurring execution of malware or malicious commands. 

T1574.002 Hijack Execution: DLL Side-Loading 

Adversaries may execute their own malicious code by side-loading DLL files into legitimate programs.  

Privilege Escalation 

Example 

T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 

Adversaries may bypass UAC mechanisms to elevate their permissions on a system. 

Defense Evasion 

Example 

T1564.008 Hide Artifacts: Email Hiding Rules 

Adversaries may create inbox rules to forward certain incoming emails to a folder to hide them from the inbox owner. 

T1070.004 Indicator Removal: File Deletion 

Adversaries may delete files to cover their tracks during the attack.  

T1218.011 System Signed Binary Proxy Execution: Rundll32 

Adversaries may abuse the Windows utility rundll32.exe to execute malware.  

T1112 Modify Registry 

Adversaries may modify the registry to maintain persistence on a target system.  

T1562.010 Impair Defenses: Downgrade Attack 

Adversaries may downgrade a program, such as PowerShell, to a version that is vulnerable to exploits. 

Credential Access 

Example 

T1621 Multi-Factor Authentication Request Generation 

Adversaries may generate MFA push notifications causing an MFA exhaustion attack. 

T1003.005 OS Credential Dumping: NTDS 

Adversaries may dump the contents of the NTDS.dit file to access credentials that can be used for lateral movement. 

T1003.001 OS Credential Dumping: LSASS 

Adversaries may dump the contents of LSASS to access credentials that can be used for lateral movement 

T1003.002 OS Credential Dumping: Service Account Manager 

Adversaries may dump the contents of the service account manager to access credentials that can be used for lateral movement. 

T1110.002 Brute Force: Password Cracking 

Adversaries may use brute force account passwords to compromise accounts. 

Discovery 

Example 

T1069.001 Permission Groups Discovery: Local Groups 

Adversaries may attempt to discover local permissions groups with commands, such as “net localgroup.”  

T1069.002 Permission Groups Discovery: Domain Groups 

Adversaries may attempt to discover domain groups with commands, such as “net group /domain.” 

T1201 Password Policy Discovery 

Adversaries may attempt to discover information about the password policy within a compromised network with commands, such as “net accounts.” 

Lateral Movement 

Example 

T1021.001 Remote Services: Remote Desktop Protocol 

Adversaries may abuse valid accounts using RDP to move laterally in a target environment.  

T1534 Internal Spearphishing 

Adversaries may abuse a compromised email account to send internal spearphishing emails to move laterally. 

T1021.002 Remote Services: SMB / Windows Admin Shares 

Adversaries may abuse valid accounts using SMB to move laterally in a target environment. 

T1021.004 Remote Services: SSH 

Adversaries may abuse valid accounts using SSH to move laterally in a target environment. 

T1021.001 Remote Services: Windows Remote Management 

Adversaries may abuse valid accounts using WinRM to move laterally in a target environment. 

Collection 

Example 

T1114.002 Email Collection: Remote Email Collection 

Adversaries may target a Microsoft Exchange server to collect information.  

T1074.001 Data Staged: Local Data Staging 

Adversaries may stage collected data in preparation for exfiltration. 

T1074 Data Staged 

Adversaries may stage collected data in preparation for exfiltration. 

Command and Control 

Example 

T1105 Ingress Tool Transfer 

Adversaries may transfer tools from an external system to a compromised system. 

T1219 Remote Access Software  

Adversaries may abuse remote access software, such as AnyDesk, to establish an interactive C2 channel during their attack.  

Exfiltration 

Example 

T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage 

Adversaries may exfiltrate data to a cloud storage provider, such as Dropbox.  

Impact 

Example 

T1486 Data Encrypted for Impact 

Adversaries may use ransomware to encrypt data on a target system.  

T1490 Inhibit System Recovery 

Adversaries may disable system recovery features, such as volume shadow copies.  

T1657 Financial Theft 

Adversaries may commit financial fraud during the attack.

Talos IR trends: BEC attacks surge, while weaknesses in MFA persist

A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments.
Cisco Talos, which dubbed the activity ArcaneDoor, attributing it as the handiwork of a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft).
"

State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage

Sources suspect China is behind the targeted exploitation of two zero-day vulnerabilities in Cisco’s security appliances.

Network security appliances like firewalls are meant to keep hackers out. Instead, digital intruders are increasingly targeting them as the weak link that lets them pillage the very systems those devices are meant to protect. In the case of one hacking campaign over recent months, Cisco is now revealing that its firewalls served as beachheads for sophisticated hackers penetrating multiple government networks around the world.

On Wednesday, Cisco warned that its so-called Adaptive Security Appliances—devices that integrate a firewall and VPN with other security features—had been targeted by state-sponsored spies who exploited two zero-day vulnerabilities in the networking giant's gear to compromise government targets globally in a hacking campaign it's calling ArcaneDoor.

The hackers behind the intrusions, which Cisco's security division Talos is calling UAT4356 and which Microsoft researchers who contributed to the investigation have named STORM-1849, couldn't be clearly tied to any previous intrusion incidents the companies had tracked. Based on the group's espionage focus and sophistication, however, Cisco says the hacking appeared to be state-sponsored.

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” a blog post from Cisco's Talos researchers reads.

Cisco declined to say which country it believed to be responsible for the intrusions, but sources familiar with the investigation tell WIRED the campaign appears to be aligned with China's state interests.

Cisco says the hacking campaign began as early as November 2023, with the majority of intrusions taking place between December and early January of this year, when it learned of the first victim. “The investigation that followed identified additional victims, all of which involved government networks globally,” the company's report reads.

In those intrusions, the hackers exploited two newly discovered vulnerabilities in Cisco's ASA products. One, which it's calling Line Dancer, let the hackers run their own malicious code in the memory of the network appliances, allowing them to issue commands to the devices, including the ability to spy on network traffic and steal data. A second vulnerability, which Cisco is calling Line Runner, would allow the hackers' malware to maintain its access to the target devices even when they were rebooted or updated. It's not yet clear if the vulnerabilities served as the initial access points to the victim networks, or how the hackers might have otherwise gained access before exploiting the Cisco appliances.

Cisco has released software updates to patch both vulnerabilities, and advises that customers implement them immediately, along with other recommendations for detecting whether they've been targeted. Despite the hackers' Line Runner persistence mechanism, a separate advisory from the UK's National Cybersecurity Center notes that physically unplugging an ASA device does disrupt the hackers' access. “A hard reboot by pulling the power plug from the Cisco ASA has been confirmed to prevent Line Runner from re-installing itself,” the advisory reads.

The ArcaneDoor hacking campaign represents just the latest series of intrusions to target network perimeter applications sometimes referred to as “edge” devices like email servers, firewalls, and VPNs—often devices intended to provide security—whose vulnerabilities allowed hackers to obtain a staging point inside a victim's network. Cisco's Talos researchers warn of that broader trend in their report, referring to highly sensitive networks that they've seen targeted via edge devices in recent years. “Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications,” they write. “In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations—critical infrastructure entities that are likely strategic targets of interest for many foreign governments.”

State-sponsored hackers' shift to compromising edge devices has become prevalent enough over the past year that Google-owned security firm Mandiant also highlighted it in its annual M-Trends report earlier this week, based on the company's threat intelligence and incident response findings. The report points to widely exploited vulnerabilities in network edge devices sold by Barracuda and Ivanti and notes that hackers—and specifically espionage-focused Chinese groups—are building custom malware for edge devices, in part because many networks have little or no way to monitor for compromise of the devices. Detecting the ArcaneDoor hackers' access to Cisco ASA appliances, in particular, is “incredibly difficult,” according to the advisory from the UK's NCSC.

Mandiant notes that it has observed Russian state-sponsored hackers targeting edge devices too: It's observed the unit of Russia's GRU military intelligence agency, known as Sandworm, repeatedly hack edge devices used by Ukrainian organizations to gain and maintain access to those victim networks, often for data-destroying cyberattacks. In some cases, the lack of visibility and monitoring in those edge devices has meant that Sandworm was able to wipe a victim network while holding on to its control of an edge device—then hit the same network again.

“They’re systemically targeting security appliances that sit on the edge for access to the rest of the network,” says John Hultquist, Mandiant's head of threat intelligence. “This is no longer an emerging trend. It's established."

Hultquist notes, however, that China is unmatched in its discovery and use of network appliance zero days, like the ones it has used to run rampant through Cisco firewalls over the past several months. He expects more to come, as China's cyberspies continue to turn devices meant to protect target networks against their owners. “It's unlikely these zero days are being produced haphazardly. We suspect a well-resourced, coordinated effort is underway to find and exploit these vulnerabilities,” Hultquist says. “Unfortunately, we'll almost certainly see several more zero-days in security appliances this year.”

'ArcaneDoor' Cyberspies Hacked Cisco Firewalls to Access Government Networks

ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.

ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices

An exploit for the vulnerability allows unauthenticated attackers to escape a virtual file system sandbox to download system files and potentially achieve RCE.

Source: Andre Boukreev via Shutterstock

Virtual file transfer system provider CrushFTP and various security researchers are sounding the alarm about a sandbox escape flaw in the CrushFTP server that attackers already have exploited as a zero-day in attacks against organizations in the US.

CrushFTP is a multiprotocol, multiplatform, cloud-based file transfer server. The security vulnerability, tracked as CVE-2024-4040, is an improper input validation bug in the CrushFTP file transfer server version 11.1. The company unveiled and patched the flaw on April 19 with the release of version 11.1.0 of the product; however, there already were various reports of threat actors hammering the flaw with an existing exploit.

These attacks, which were potentially "politically motivated," were targeted in nature for intelligence gathering and detected at various US entities, according to Crowdstrike's threat hunters Falcon OverWatch and Falcon Intelligence, which published an advisory on Reddit.

**A Developing Attack Scenario for Cloud File Transfer**

The attack scenario is developing, with new research by Tenable published April 23 identifying more than 7,100 CrushFTP servers publicly accessible "based on a Shodan query in a Nuclei template created by h4sh," according to the report. However, "it's unclear how many of these systems are potentially vulnerable," Satnam Narang, a Tenable senior staff research engineer, noted in the post.

Attacks are likely to continue on unpatched servers given that a proof-of-concept (PoC) exploit for the flaw is now publicly available, posted April 23 to GitHub by the researcher who discovered and reported the flaw to CrushFTP, Simon Garrelou of Airbus Community Emergency Response Team (CERT), Narang added.

Other attackers also aim to benefit from all the attention in the flaw, by targeting users with fake PoCs, Narang wrote, noting there already is a repository posted to GitHub that directs users to a third-party site called SatoshiDisk, which requests a payment of 0.00735 bitcoin (around $513) for an alleged exploit.

"It is unlikely that the exploit code will work and we do not expect it to be malicious in nature," Narang wrote. "Instead, it is more likely that the attackers are seeking to make money from the interest in the exploit code for this vulnerability."

**CVE-2024-4040: Potential for RCE**

The vulnerability as described by the vendor is an arbitrary read flaw that allows an attacker with low privileges to escape the server's virtual file system (VFS) sandbox to access and download system files.

However, there is evidence that it is more to the flaw than has so far been reported, Rapid7 researchers noted in a blog post published on April 23.

"Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI)," Caitlin Condon, Rapid7's director of vulnerability intelligence, wrote in the post.

CVE-2024-4040 is a "fully unauthenticated flaw" and is easy to exploit; successful exploitation allows not only or arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution (RCE), she observed.

"Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance," Condon wrote.

**Exploit Code Available**

The PoC exploit posted by Garrelou includes two scripts. The first, scan\_host.py, attempts to use the vulnerability to read files outside the sandbox, according to the GitHub post.

"If it succeeds, the script writes Vulnerable to standard output and returns with exit code 1," according to Garrelou. "If exploiting the vulnerability does not succeed, the script writes Not vulnerable and exits with status code 0."

The second script, scan\_logs.py, looks for indicators of compromise in a CrushFTP server installation directory and, upon finding them, will attempt to extract the IP that tried to exploit the server.

**Patch Now for Full Protection**

The best way for organizations with CrushFTP present in their environment to mitigate the situation is to update their systems to the patched version of the product now, the company and security researchers alike advised.

Customers using a front-end demilitarized zone (DMZ) server to process protocols and connections in front of their main CrushFTP instance are afforded partial protection from exploit due to the protocol translation system used in the DMZ, according to CrushFTP.

"A DMZ, however, does not fully protect you, and you must update immediately," the company advised customers in its advisory. One of the factors complicating an organization's detection of exploitation of CVE-2024-4040 is that payloads "can be delivered in many different forms," Rapid7's Condon noted.

"When certain evasive techniques are leveraged, payloads will be redacted from logs and request history, and malicious requests will be difficult to discern from legitimate traffic," she wrote.

For this reason, Rapid7 recommends that CrushFTP customers harden their servers against administrator-level RCE attacks by enabling Limited Server mode with the most restrictive configuration possible. Condon added that they also should use firewalls wherever possible to aggressively restrict which IP addresses are permitted to access CrushFTP services.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#cisco