The move to IaC has its challenges but done right can fundamentally improve an organization's overall security posture.

Infrastructure as code (IaC) has become a core part of many organizations' IT practices, with adoption of technologies like HashiCorp's Terraform and AWS CloudFormation increasing rapidly. The move to IaC sees companies moving away from either manually configuring servers or using imperative scripting languages to automate those changes and toward a model in which declarative code is used to outline a resource's preferred final state.

As with any change in approach to IT, there are security considerations to understand. The move to IaC presents some risks along with opportunities to improve the way companies secure their environments. Given IaC's key role in configuring the security parameters of an organization's systems and the speed at which a flawed template could be rolled out across a large number of systems, ensuring that good security practices are adhered to is vital to making the best use of this technology.

**IaC Security Risks and Opportunities**  
With the move to IaC, there are new security risks to consider. The first is secrets management. When creating and managing resources, credentials will often be needed to authenticate to remote systems; when IaC code is written to automate these tasks, there is a risk that credentials or API keys may be hard-coded into the code. Care should be taken to ensure that proper secrets management processes are followed to avoid this. Secrets should be held in a secure location, such as a cloud key management service (KMS), and retrieved on demand by scripts as they run.

A second risk is that misconfigurations may creep into the IaC templates — for example, if code is copy/pasted in from an external source — and then propagate throughout an environment quickly as the IaC is used. Avoiding this risk requires both automated and manual review, as with any other source code.

The opportunity inherent in moving to IaC-driving environments is that once all of your infrastructure is defined in code, it's possible to apply common automated linters and review tools to it to ensure that good practices are followed. Tooling can draw from common libraries of good practice and be supplemented with custom rules that apply organization-specific practices.

Additionally, with an IaC-based approach, all configurations should be stored in version- controlled source code repositories. This provides improved tracking of changes so that companies can track modifications over time and also ensure appropriate access control and that auditing is in place.

Lastly, IaC-based deployment means that test environments should be able to effectively mirror production, meaning that security testing can be safely conducted with higher confidence that any results will be meaningful in production.

**IaC Technology Stacks**  
There are a variety of options for IaC. Typically, large organizations will use many of these at the same time, as different tools have different strengths and weaknesses.

Terraform from HashiCorp is one of the most widely used IaC toolsets. It has the advantage of being open source and not tied to any one cloud platform or infrastructure provider, meaning that it works across a range of environments.

Unsurprisingly, the major cloud service providers also have IaC toolsets that focus on their clouds. Amazon's CloudFormation, Microsoft's ARM and Bicep, and Google's Cloud Deployment Manager all provide a means for users of that company's cloud to take advantage of the IaC paradigm.

Another popular option for cloud-native IaC is Pulumi, which allows developers to use programming languages they already know (e.g., JavaScript or Golang) to write their IaC templates.

**IaC Review Tools**  
There are a number of open source tools that can help with the process of security reviews of IaC code. These tools take a similar approach in providing a rule set of common security misconfigurations for a given set of IaC languages. In addition to the main IaC format, some of these tools will review other formats, like Kubernetes manifests and Dockerfiles. Some of the commonly used tools in this arena include the following:

*   Trivy is a vulnerability and misconfiguration scanner that includes rules from the tfsec and cfsec projects covering Terraform and CloudFormation, as well as a set of rules for Kubernetes and Docker. It can be easily integrated into a CI/CD pipeline and run by developers as part of the coding environment.
*   Checkov is a tool written in Python that covers a wide range of IAC languages, including Terraform, CloudFormation, Azure Bicep and ARM, and Kubernetes manifests. It also helps with the challenge of ensuring that IaC files don't hard-code secrets by scanning for instances where this can occur.
*   Terrascan is another popular option for IaC scanning. Despite the name, it supports a range of IaC formats in the same way as Trivy and Checkov. Similarly to Trivy, Terrascan is written in Golang and can be integrated into CI/CD pipelines and run as a standalone program.

**Smoothing the Security Path**  
The move to IaC is well underway at a variety of organizations. While it does bring challenges, the process — if well handled — can fundamentally improve organizations' overall security posture by allowing all of their system configurations to be held in version-controlled source code repositories and regularly checked for misconfigurations.

Given the power of IaC, it is vital that its adoption be accompanied by strong security practices, with scanning and validation key to those processes. By using open source review tools like the ones mentioned above, companies can help to smooth their path in adopting this technology.

The Ins and Outs of Secure Infrastructure as Code

By Waqas
The vulnerability that existed for the last 8 months allowed attackers to weaponize the VirusTotal platform to achieve…
This is a post from HackRead.com Read the original post: Critical RCE Vulnerability Reported in Google’s VirusTotal

**The vulnerability that existed for the last 8 months allowed attackers to weaponize the VirusTotal platform to achieve remote code execution on an unpatched 3rd party sandboxing machine employing anti-virus engines.**

In January 2022, a report dubbed “VirusTotal Hacking” revealed how the platform can be used to access stolen login credentials and other sensitive files. Now, the IT security researchers at CySource have reported a method to abuse the VirusTotal malware scanning service to execute arbitrary commands and access multiple internal hosts remotely by using a remote code execution (RCE) vulnerability (CVE-2021-22204).

According to researchers, the vulnerability could allow attackers to weaponize the VirusTotal platform and achieve remote code execution on an unpatched 3rd party sandboxing machine employing anti-virus engines.

**How Could the Vulnerability be Exploited?**

Israeli security services provider CySource’s researchers Shai Alfasi and Marlon Fabiano da Silva embedded a payload in the DjVu file’s metadata for exploiting the vulnerability, identified in ExifTool open-source utility. This utility extracts Exchangeable Image File annotations, metadata, and tags.

Moreover, it can trigger another vulnerability to obtain remote code execution. This vulnerability is triggered by DjVu files and was identified by researcher William Bowling in 2021 in ExifTool 12.23. It was surprising that none of the VirusTotal anti-virus scanners could detect the CySource researchers’ Base64 encoded payload they included in the malicious DjVu file’s metadata.

> “Instead of ExifTool detecting the metadata of the file, it executes our payload.”
> 
> CySource

The researchers also got a reverse shell that allowed them to access over 50 internal network hosts with high privileges at Google and its other VirusTotal security vendor partners. Every time they uploaded a file with a new hash and a new payload, VirusTotal forwarded it to bots.

This indicates that apart from an RCE, the payload was forwarded by Google servers to the company’s internal network, partners, and customers as well. When researchers were able to invade the networks, they mapped out various services, including MySQL, Kubernetes container orchestration, Oracle databases, web applications, and Secure Shell (SSH).

**More Vulnerability News on Hackread.com**

1.  Hackers mining Monero on Microsoft SQL databases for last 2 years
2.  Hackers are using a 19-year-old WinRAR bug to install nasty malware
3.  12-Year-Old vulnerability in Windows Defender risked 1 billion devices
4.  Google, Microsoft and Oracle generated the most vulnerabilities in 2021
5.  Google Drive accounted for 50% of malicious Office document downloads

**Google Released Patch after Eight Months**

The vulnerability was disclosed to Google’s vulnerability reward program in April 2021, and the report was accepted in May 2021. However, the fix was dispatched in January 2022, after which CySource received the green signal to share details of the bug.

It is still unclear why Google took so long to fix this vulnerability. VirusTotal is a trusted service from Google’s subsidiary Chronicle, offering access to more than 70 different anti-virus scanning solutions from mainstream security vendors, including ESET, Kaspersky, and 360 Total Security. It is, therefore, quite shocking that a dangerous remote code execution vulnerability plagued this service for over eight months.

![](https://secure.gravatar.com/avatar/cf728b76a63b387b11edeafcb1b9b654?s=100&d=wavatar&r=g)

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Critical RCE Vulnerability Reported in Google’s VirusTotal

Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload.

CVE-2021-36895: WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto

An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user passwords and two-factor authentication (2FA).

CVE-2022-28218: Webmail Messenger release notes - CipherMail Email Encryption

Making document.domain immutable

![Google is about to depreciate a little-used and insecure web dev hack](https://portswigger.net/cms/images/97/da/bdef-article-220426-chrome-main-image.png "tanuha2001 / Shutterstock")

Web developers who rely on a workaround that relaxed the same origin policy to allow sub-domains to exchange content will soon need to take a different approach.

Starting with the upcoming Chrome 106 release, Google’s web browser will close a loophole that went against best practices as well as, more importantly, posing a danger in hosted environments.

More specifically, starting from Chrome 106, websites will be unable to set ‘document.domain’, a technique that allows same-site-but-cross-origin communications.

Read more of the latest news about browser security

The current mainstream release of Google’s browser – Chrome 100 – already throws up a warning about the soon-to-be depreciated facility that allows website developers to take advantage of document.domain to relax the same-origin policy.

Website developers are urged to scan their website to access the potential impact of the deprecation of document.domain before swamping out instances where the “hack” has been applied for more secure method of cross-origin communication, as explained in a recent blog post by Google.

“On Chrome, websites will be unable to set document.domain. You will need to use alternative approaches, such as postMessage() or the Channel Messaging API, to communicate cross-origin,” Google explains.

“If your website relies on same-origin policy relaxation via document.domain to function correctly, the site will need to send an Origin-Agent-Cluster: ?0 header, as will all other documents that require that behavior.”

These alternative techniques have existed for some years however in reality, few developers rely on document.domain to relax the same-origin policy.

**Disavowed**

Google is effectively killing a feature that is not widely used and is gaining a huge security benefit as a result.

The development switches the browser security paradigm from site isolation to origin isolation – drastically reducing the utility of Spectre-style attacks in the process.

Google and other browser makers are laying the groundwork for preventing attackers from pivoting between sub-domains using Spectre-style attacks.

The same-origin policy offers assurances that any web page cannot access (modify, or extract data from) another page, unless those pages are hosted on the same origin.

The use of document.domain by web devs runs contrary to this rubric and poses a particular threat in the context of Spectre-style attacks, as a Github post by Google Chrome security developer Mike West illustrates.

**Host of problems**

Websites set document.domain in order to allow same-site documents to communicate more easily. Whilst offering convenience benefits, the approach introduces a security risk, as Google explains.

If a hosting service provides different subdomains per user, an attacker can set document.domain to pretend they are the same-origin as another user’s page.

Further, an attacker can host a website under a shared hosting service, which serves sites through the same IP address with different port numbers.

In that case, the attacker can pretend to be on the same-site-but-same-origin as yours. This is possible because document.domain ignores the port number part of the domain.

Other browser makers, including Mozilla, are also looking to depreciate document.domain.

RELATED Spectre attacks against websites still a serious threat, Google warns

Disavowed: Chrome plans to deprecate ‘document.domain’ lays the groundwork for shift in browser security

By Deeba Ahmed
Hackread.com earlier reported a website designed by software engineer Philip Wang that can create realistic faces of people…
This is a post from HackRead.com Read the original post: New Scam Utilizing AI-Generated Images to Represent Fake Law Firm

**Hackread.com earlier reported a website designed by software engineer Philip Wang that can create realistic faces of people who don’t even exist simply by clicking the Refresh button.**

**Non-Existent People Posed as Boston Law Firm**

It may seem like a story straight out of a Hollywood script, but it is indeed true that scammers are using AI-generated images to scam people. According to Ben Dickson of TechTalks, he received an email from a law firm’s attorney, which turned out to be fake, and surprisingly, the sender didn’t even exist.

**Details of the Scam**

In his blog post published in TechTalks, Dickson wrote that on April 13, Nicole Palmer sent an email citing “DMCA Copyright Infringement Notice.” The email introduced Nicole as a Trademark Attorney of Arthur Davidson Legal Services and claimed that the recipient had used an image in TechTalks that belonged to one of her clients.

“Our client is happy for their image to be used and shared across the internet. However, proper image credit is due for past or ongoing usage,” the email supposedly sent by Nicole read.

The email contained references to Section 512(c) of DMCA with a professional signature that made it appear legit. If it wasn’t done, Nicole threatened legal action against Dickson.

![](https://www.hackread.com/wp-content/uploads/2022/04/Nicole-Palmer-fake-email-side-1024x332.jpg)

DMCA Notice (Image: TechTalks)

**How was the Scam Discovered?**

Dickson spent around 7 days adding credit to that image and a homepage to Nicole’s client’s website. But, when he couldn’t be successful, he re-read the email and identified something off. It was a link to an image-sharing website called Imgur. On this site, anyone can upload images without creating a profile.

“So it was perfectly possible that they had downloaded the image from my website, uploaded it on Imgur, and then claimed that their image was there before mine,” Dickson wrote.

Dickson had taken that image from Pexels, a license-free stock photo library. He emailed Nicole with proof that no attribution was needed and waited for a reply. When he didn’t receive a response, he checked out her legal firm Arthur Davidson Legal website, which seemed authentic with profiles of 18 lawyers who graduated from prestigious institutions, 420 cases, and a 90% success rate with 380 wins.

A quick Google search didn’t yield any results of such a well-known law firm either. Red flags were raised when Dickson noted the website domain was set up in February 2022 while the firm was established in 2009.

Later, it turned out that Nicole Palmer didn’t even exist because when Dickson checked her photograph on the website, he learned that a generative adversarial network created the image.

![New Scam Utilizing AI-Generated Images to Represent a Fake Law Firm](https://www.hackread.com/wp-content/uploads/2022/04/fake-nicole-palmer.jpg)

Fake AI-Generated Image of Nicole Palmer (Image: TechTalks)

It is worth noting that in 2019, Hackread.com reported a website (thispersondoesnotexist.com) designed by software engineer Philip Wang that can create realistic faces of people who don’t even exist simply by clicking the Refresh button.

It is quite possible that Palmer’s image was also created using the same website. Nevertheless, watch out for fake emails claiming to represent law firms or threatening people with phony DMCA notices or subpoenas.

1.  AI firm exposes 2.5 million sensitive medical records online
2.  ‘Optical Adversarial Attack’ uses a low-cost projector to trick AI
3.  New Underactor tool reveals pixelated text to expose sensitive data
4.  Ukrainian News Channel Hacked to Run Deepfake video of President Zelensky
5.  These people don’t exist – They were created by tech using Artificial Intelligence

New Scam Utilizing AI-Generated Images to Represent Fake Law Firm

Ransomware continues as the top threat, while a novel increase in APT activity emerges




By Caitlin Huey.
Ransomware was still the top threat Cisco Talos Incident Response (CTIR) saw in active engagements this quarter, continuing a trend that started in 2020. As mentioned in the 2021...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

**Ransomware continues as the top threat, while a novel increase in APT activity emerges**

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_m4GPG0IRtDZT8UPmsyLr0gHPUOZG1xe-nqkh_-htxekZ2VwXvCDwQ8BYNRdgArcMmYzlZFnuF0jeHt6cX635yT0RoREd4bm8DmU2JUzXrdw3rsGmOB8tMP6AvQ1RHXqXJXrFF_aM73nFmVAh8Q3U1yVoIP7sM9E5QwxT2wmK99_PaSTG7iyWXvVm/s16000/TIR_quarterly_trends_banner.jpg)

_By Caitlin Huey._

Ransomware was still the top threat Cisco Talos Incident Response (CTIR) saw in active engagements this quarter, continuing a trend that started in 2020. As mentioned in the 2021 year-in-review report, CTIR continues to deal with an expanding set of ransomware adversaries and major cybersecurity incidents affecting organizations worldwide.  

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUDkQFdigkJg7M2nBf3gqfEKhHJO6U55wD02LN9awloHiV14wGiJp9DeUDcT8UHImiNQsCzeR08Omtjk6FCRRyYYrRg4ffp-oVJ793zZLouMKN3LHw8G0JAoUG_VtyM_3C-yISYFTlWoTN7Uc0DAUawRa3FyPe6Rz4XBddpnrDWdE8aSqRv3HRC_mL/w200-h48/blog-onepager-button.jpg)

The first quarter of 2022 also featured an increase in engagements involving advanced persistent threat (APT) activity. This included Iranian state-sponsored MuddyWater APT activity, China-based Mustang Panda activity leveraging USB drives to deliver the PlugX remote access trojan (RAT), and a suspected Chinese adversary dubbed “Deep Panda” exploiting Log4j. 

**Targeting**

A wide variety of verticals were targeted, including education, energy, financial services, health care, industrial production and equipment, local government, manufacturing, real estate, telecommunications and utilities. The top targeted vertical was telecommunications, following a trend where it was among the top targeted verticals in the previous quarter, closely followed by organizations in the education and government sectors. 

**Threats**

Ransomware continued to comprise the majority of threats CTIR responded to. No one ransomware family was observed twice in incidents that closed out this quarter. This is indicative of a trend toward greater democratization of ransomware adversaries that Talos began observing last year. This quarter also saw the appearance of emerging ransomware families, including Cerber (aka CerberImposter), Entropy and Cuba. There were also high-profile ransomware families, such as Hive and Conti. 

CTIR observed ransomware adversaries exfiltrating sensitive data supporting double extortion as another method to further compel victims to pay the ransom, a continuation of a trend that began in the winter of 2019. For example, in an Entropy ransomware engagement affecting a local government organization, CTIR identified traffic and activity associated with mega\[.\]nz, a utility commonly used for file transfer and data exfiltration. It was first observed executing from the following path: "C:\\Users\\admin\\AppData\\Local\\MEGAsync\\MEGAsync.exe".  

After ransomware, the next most commonly observed threat this quarter included exploitation of Log4j, the Apache logging utility commonly used by organizations globally. Adversaries have continued to exploit Log4j (CVE-2021-44228, CVE-2021-45046, and related vulnerabilities) since the security flaws were initially published in December 2021. In January 2022, CTIR started to observe a growing number of engagements in which adversaries are attempting to exploit Loj4j in vulnerable VMware Horizon servers. 

In one engagement affecting an education institution, CTIR found evidence of PowerShell scripts including a line that killed the process “ws\_TomcatService.exe”, a key parent process in commonly observed malicious Log4j activity. The combination of the timeframe and the unpatched, vulnerable state of the VMware Horizon server suggests that Log4j exploitation was a probable root cause of the compromise. The adversary also installed cryptocurrency miners; conducted reconnaissance with Bloodhound, an application used to enumerate relations within Active Directory (AD); created at least one local “DomainAdmin” account; and leveraged remote desktop protocol (RDP) for potential lateral movement. 

**Advanced persistent threats**

As mentioned above, CTIR observed a novel increase in APT activity in engagements compared to previous quarters. This includes activity associated with Iranian state-sponsored MuddyWater, China-based Mustang Panda deploying the PlugX RAT, and a suspected Chinese state-sponsored actor dubbed Deep Panda leveraging Log4j. 

For example, a health care organization was affected by threat activity associated with Deep Panda in which the adversary exploited Log4j to deploy a custom backdoor. CTIR initially observed a PowerShell command that downloaded three additional files — “1.bat”, “syn.exe” and “l.dll” — from the attacker’s server, which has been linked to the adversary by other security firms. The PowerShell script executes “1.bat,” which subsequently executes “syn.exe” and proceeds to delete all three files from the disk. The “syn.exe” file creates a service set to autorun and is launched via “svchost.exe”. The “1.dll” file is packed with Themida, which is used to detect monitoring programs that may be used for malware reversing.    

In another engagement affecting a telecommunications organization, CTIR’s research provided moderate to high confidence that several of the indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) discovered were linked to Mustang Panda. The initial compromise was determined to be due to a malware-infected USB connected to corporate resources that subsequently deployed PlugX, a RAT commonly deployed by Mustang Panda that steals credentials from compromised machines. After the USB was connected to the corporate environment for approximately one hour, a hidden directory was created within “C:\\ProgramData” containing files associated with PlugX. The variant can uniquely spread via USB, which distinguishes it from other PlugX variants. This PlugX variant creates a hidden folder named “RECYCLE.BIN” and copies three files: a benign EXE, a loader DLL and an encrypted DAT file. The malware hides all of the folders in the root directory and creates LNK files for each one in order to deceive the victim. In this instance, the malware used legitimate Avast-signed executables to sideload a malicious PlugX DLL.  

**Initial vectors**

For the majority of engagements, identifying an initial vector was difficult due to shortfalls in logging and visibility. However, in engagements in which the initial vector could be confirmed, or reasonably assumed, this quarter featured a number of engagements where adversaries exploited public-facing applications that were vulnerable to Log4j. For example, in one engagement affecting a telecommunications company, CTIR observed a large number of PowerShell download requests to an IP address associated with Log4j exploitation attempts against vulnerable VMware Horizon servers. Following this activity, high CPU usage was detected on a VMware Horizon server, leading to the identification of several clusters of cryptocurrency miners, consistent with typical cryptocurrency miner threat actor behavior following the release of high-profile vulnerabilities.

In a Cerber ransomware incident affecting a holding company, the adversary used vulnerabilities affecting GitLab (CVE-2021-22204 and CVE-2021-22205) to upload and execute code remotely, ultimately granting unauthorized access to that system in the context of the "git" account. This is consistent with reporting from other security firms on a new version of Cerber ransomware targeting Atlassian Confluence and GitLab servers with older RCE vulnerabilities. The adversary attempted to expand access through privilege escalation and lateral movement and ultimately executed ransomware.  

**Security weaknesses**

The top recommendation that responders have for organizations is to implement multi-factor authentication (MFA) on all critical services, including endpoint detection response (EDR) solutions. MFA is an effective way to prevent adversaries from gaining unwanted access, and we routinely see threat activity that could have been prevented if MFA had been enabled.  

In one engagement that kicked off this quarter affecting a telecommunications company involving pre-ransomware TTPs, the adversary compromised the organization’s help desk/call center partner company. This was identified as the root cause of the compromise due to the third party having access to the organization’s Citrix machines while not enabling MFA. CTIR recommends that all third parties in the environment are following MFA security policies and guidelines.

**Top-observed MITRE ATT&CK techniques**

Below is a list of the MITRE ATT&CK techniques observed in this quarter’s IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. The table below represents the techniques used with a relevant example, and the approximate number of times seen. However, it is not an exhaustive list.

Key findings from the MITRE ATT&CK appendix include: 

*   We observed an increase in engagements in which initial access was achieved via phishing with a malicious link or document that relied upon subsequent user execution. Compared to last quarter, we observed more threats leveraging social engineering techniques, as well as masquerading as legitimate files or utilities to entice users to click or execute a given link or file.
*   Due to the number of engagements responders supported that exploited Log4j, we observed an increase in techniques relying on exploiting unpatched and vulnerable public-facing applications. This coincides with our observations of adversaries capitalizing on organizations’ lack of up-to-date patches and improper data protections.
*   We saw a large increase in defense evasion and collection techniques compared to previous quarters. The observed collection techniques exhibited the actors’ interest in specific information, including collecting details about certain hosts that could be used for targeting, keylogging to access credentials in the browser, and selecting particular files of interest for possible exfiltration.  
*   Consistent with last quarter’s findings, we continued to see a reliance on utilities such as PsExec and Cobalt Strike and a variety of remote access software, such as TeamViewer and ScreenConnect, to facilitate remote access. 

Tactic

Technique

Example

Initial Access (TA0001)

T1190 Exploit Public-Facing Application

Attackers successfully exploited a vulnerable application that was publicly exposed to the Internet.

Reconnaissance (TA0043)

T1592 Gather Victim Host Information

Malicious file contains details about host

Persistence (TA0003)

T1053 Scheduled Task/Job

Scheduled tasks were created on a compromised server

Execution (TA0002)

T1059.001 Command and Scripting Interpreter: PowerShell

Executes PowerShell code to retrieve information about the client's Active Directory environment

Discovery (TA0007)

T1087 Account Discovery

Use a utility like ADRecon to enumerate information on users and groups

Credential Access (TA0006)

T1003.001 OS Credential Dumping: LSASS Memory

Use “lsass.exe” for stealing password hashes from memory

Privilege Escalation (TA0004)

T1574.002 Hijack Execution Flow: DLL Side-Loading

A malicious PowerShell script attempted to side-load a DLL into memory

Lateral Movement (TA0008)

T1021.001 Remote Desktop Protocol

Adversary made attempts to move laterally using Windows Remote Desktop

Defense Evasion (TA0005)

T1027 Obfuscated Files or Information

Use base64-encoded PowerShell scripts

Command and Control (TA0011)

T1219 Remote Access Software

Remote access tools found on the compromised system

Impact (TA0040)

T1486 Data Encrypted for Impact

Deploy Conti ransomware and encrypt critical systems

Exfiltration (TA0010)

T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Actor exfiltrated data to file sharing site mega\[.\]nz

Collection (TA0009)

T1114.003 Email Collection: Email Forwarding Rule

Adversary used a compromised account to create a new inbox rule to place emails in a folder

Software/Tool

S0029 PsExec

Adversary made use of PsExec for lateral movement

Quarterly Report: Incident Response trends in Q1 2022

Researchers propose fresh approaches to cloud-security bugs and mitigating exposure, impact and risk.

Researchers propose fresh approaches to cloud-security bugs and mitigating exposure, impact and risk.

Big gaps exist in the 22-year-old Common Vulnerability and Exposures (CVE) system that do not address dangerous flaws in cloud services that drive millions of apps and backend services. Too often, cloud providers needlessly expose customers to risk by not sharing the details of bugs discovered on their platform. A CVE-like approach to cloud bug management must exist to help customers weigh exposure, impact and mitigate risk.

That is the opinion of a growing number of security firms pushing for a better cloud vulnerability and risk management. They argue because of CVE identification rules, which only assign CVE tracking numbers to vulnerabilities that end-users and network admin can directly manage, the current model is broken.

MITRE, the non-profit organization behind the CVE system, does not designate CVE IDs for security issues deemed to be the responsibility of cloud providers. The assumption is that cloud providers own the problem, and that assigning CVEs that are not customer-controlled or patched by admins falls outside of the CVE system purview.

_\[**Editor’s Note:** This article was originally published in the free Threatpost eBook “Cloud Security: The Forecast for 2022.” In it we explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. Please download the FREE eBook for the full story\]_

“\[It is a false\] assumption that all issues can be resolved by the cloud provider and therefore do not need a tracking number,” wrote Scott Piper, a cloud-security researcher with Summit Route, in a recent blog. “This view is sometimes incorrect, and even when the issue can be resolved by the cloud provider, I still believe it warrants having a record.”

Piper’s critiques are part of his introduction to a curated list of dozens of documented instances of cloud-service provider mistakes that he says prove the point.

Over the past year, for example, Amazon Web Services snuffed out a host of cross-account vulnerabilities. As well, Microsoft recently patched two nasty Azure bugs (ChaosDB and OMIGOD). And, last year, Alphabet’s Google Cloud Platform tackled a number of bugs, including a policy-bypass flaw.

“As we uncover new types of vulnerabilities, we discover more and more issues that do not fit the current \[MITRE CVE reporting\] model,” wrote cloud researchers Alon Schindel and Shir Tamari with the cloud security firm Wiz, in a post. “Security industry call to action: we need a \[centralized\] cloudvulnerability database.”

The researchers acknowledged that cloud service providers do respond quickly to cloud bugs and work fast to mitigate issues. However, the process of identifying, tracking and helping those affected to assess risk needs streamlining.

![AWS computing](https://media.threatpost.com/wp-content/uploads/sites/103/2020/08/21091044/podcast-news-wrap-300x203.jpg)

An example: When researchers found a series of cross-account AWS vulnerabilities in August, Amazon moved quickly to mitigate the problem by changing AWS defaults and updating the user set-up guides. Next, AWS emailed affected customers and urged them to update any vulnerable configurations.

“The problem here is that \[many\] users weren’t aware of the vulnerable configuration and the response actions they should take. Either the email never made it to the right person, or it got lost in a sea of other issues,” Schindel and Tamari wrote.

In the context of cloud, affected users should be able to easily track a vulnerability and whether it has already been addressed in their organizations, as well as what cloud resources have already been scoped and fixed, the researchers said.

The CVE approach to cloud bugs also has the support of the Cloud Security Alliance (CSA), which counts Google, Microsoft and Oracle as executive members.

**Cloud Bug CVE Approach: Shared Industry Goals**

The efforts share many of the same goals, including:

*   Standardized notification channels to be used by all cloud service providers
*   Standardized bug or issue tracking
*   Severity scoring to help prioritize mitigation efforts
*   Transparency into the vulnerabilities and their detection

In August, Brian Martin, on his blog Curmudgeonly Ways, pointed out that MITRE’s history covering cloud vulnerabilities is mixed.

“At times, some of the CVE (editorial) Board has advocated for CVEs to expand to cover cloud vulnerabilities, while others argue against it. At least one who advocated for CVE coverage said they should get CVE IDs, \[with\] others that supported and disagreed with the idea saying that if cloud was covered, \[those bugs\] should get their own ID scheme,” he wrote.

Martin also pointed out that even if a CVE-like system were created, the question remains: Who will run it?

“The only thing worse than such a project not getting off the ground is one that does, becomes an essential part of security programs, and then goes away,” he said.

In July, under the auspices of CSA, the Global Security Database Working Group was chartered to go one step further than the idea of expanding CVE tracking. Its goal is to offer an alternative to CVEs and what the group called a one-size-fits-all approach to vulnerability identification. The working group believes the “on-demand” nature and continued growth of IT infrastructures brought on by cloud migration necessitate a corresponding maturity in cybersecurity.

“What we see is a need to figure out how to create identifiers for vulnerabilities in software, services and other IT infrastructure that is proportional to the amount of technology in existence,” said Jim Reavis, cofounder and chief executive officer of CSA, when introducing the working group. “The common design goal is for vulnerability identifiers to be easily discovered, fast to assign, updatable and publicly available” – not just in the cloud, but across IT infrastructure.

**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our_** **_FREE downloadable eBook_****_, “Cloud Security: The Forecast for 2022.”_** **_We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**

Firms Push for CVE-Like Cloud Bug System

Phishers racked up an enormous haul of stolen cryptocurrency via rogue Google ads. Time to check if you're free from bad ad worry.
The post Rogue ads phishing for cryptocurrency: Are you secure? appeared first on Malwarebytes Labs.

Bad ads are at it again. Rogue Google ads caused no end of misery for cryptocurrency enthusiasts, costing them roughly $4.31 million between the 12th and the 21st of April. This is an astonishing slice of cryptocurrency cash to lose for the sake of clicking on something in a search engine.

The bogus links were at the top of results for Terra blockchain projects. Searches for projects like Astroport or Anchor resulted in the below search results:

> Our security team conducted an analysis of this incident and discovered that the bulk of this attack was from google phishing ads. Users would search well know projects on the Terra blockchain such as @anchor\_protocol or @astroport\_fi only to click on the first link by google. pic.twitter.com/aucIcnsCd7
> 
> — SlowMist (@SlowMist\_Team) April 21, 2022

The design of the phish page is quite similar to many that we’ve seen. They’re quite basic, and include little beyond a set of “connect your wallet” buttons. However, as you can see in the below tweet, they’re after people’s seed phrase:

> These may look like normal ads and some even show the same domain names, but once you click on the link, the domain name actually changes. When clicked, it'll prompt you to connect your wallet, however instead of connecting, users are asked to input their seed phrase. pic.twitter.com/OZjifaJ17m
> 
> — SlowMist (@SlowMist\_Team) April 21, 2022

We’ve talked about seed/recovery phishing several times. Seed phrases are your keys to the kingdom, and giving them to a phisher could have serious consequences. It’s no wonder these phishers made off with so much money.

**The problem with bad ads**

Rogue adverts have been around pretty much for as long as paid adverts have existed. They’ve been the stomping ground of exploit kits, ransomware, fake tech support scams, and much more for years.

One of the main ways to hurt yourself in a search engine used to be SEO poisoning. That didn’t involve ads, but rather involved the search results themselves being bad. If a site got compromised and the content altered, innocent looking results could end up whisking you away to spam or malware. Alongside SEO poisoning, which search engines really tried to clamp down on, bogus ads started making major inroads.

**Big numbers, big rewards**

Ad fraud costs billions each year. Any network could potentially allow a bad actor onboard, and that’s before you consider that there are rogue ad networks who simply don’t care what’s being pushed to end-users. Slow, cumbersome static ads were replaced by real time bidding, and techniques to push bad content became ever more inventive.

On top of that, you have the usual tricks like fingerprinting and browser search string agents to ensure your bad content reaches specific people. For example, only allowing certain mobile users to land on your mobile-centric scam page. Or how about stopping users at a gateway to see if they run exploitable types of software before letting them progress to the exploit page?

The SEO poisoning tactics all look a bit antiquated next to the “paid-for ad might lose you a fortune” merry-go-round.

**Blink and you’ll miss it?**

The big problem with paid ads in search engines is one of assumed legitimacy. The fact that they usually appear at the top of the page originally led to complaints that they were being mixed up with “proper” results. This brought about many changes to make it clearer that paid ads were just that.

Sadly, people still struggle with figuring out paid ads vs organic. Close to 60% in one survey didn’t know the difference. This is despite changes from search engine providers for both desktop and mobile platforms.

> Last year, our search results on mobile gained a new look. That’s now rolling out to desktop results this week, presenting site domain names and brand icons prominently, along with a bolded “Ad” label for ads. Here’s a mockup: pic.twitter.com/aM9UAbSKtv
> 
> — Google SearchLiaison (@searchliaison) January 13, 2020

Does the word “Ad” next to the result in Google really leap out enough to be noticeable? Or when “Ad” appears in Yahoo! or the additional “Ads related to…” under the main ads? How about Bing’s very tiny “Ad” next to the results?

I vaguely recall a search engine placing paid results in a prominent box a few years back, but I suppose I could just be mixing it up with a screenshot of someone _highlighting_ a rogue advert instead.

**Avoiding bad ads**

There’s multiple ways to avoid bad ads, but some of them come at a cost to either yourself or the sites serving the ads. It’s one of those very personal choices for which there’s no single fit. I’m not going to suggest you do any of these; I’m merely going to give you examples of what people do and leave the decision in your hands.

1.  Some folks have simply had enough of adverts. They’ll install ad-blockers, hit the “disallow all” button, and that’s that. However, one drawback is that sites you like may not work. You’ve definitely seen a “please unblock our ads to continue” message at this point. Some sites take a hard line on this, and it’s a case of unblock or go elsewhere. Others will allow you to choose whether to view the site with the ads still blocked, or add them to your “safe site” list. Sometimes this goodwill gesture is enough to have the visitor unblock the ads. If it doesn’t and someone becomes a repeat visitor anyway (with ads still blocked), then the site loses ad revenue.
2.  Others may go down the script blocker route. This may allow ads, but will potentially contribute to preventing forms of redirect and/or malicious script loading. Script blocking tools are a lot better than they used to be, with more customisation available than ever before. In the bad old days, it was mostly a case of “enable this and break hundreds of websites”. The trade-off here is that you may end up enabling something that renders the site usable, but also allows for bad things to happen.
3.  Security tools. This is one of the more hands-on ways to shut bad things down. Browser extensions, security tools with real-time protection, regular security scans, and keeping your system (and programs) up to date will all help keep exploits, phishing pages, and malware far away, even with all adverts enabled. Nothing is guaranteed, of course, and that’s why several layers of defence tailored to your specific requirements will do significant heavy lifting on your behalf.

Rogue ad attacks are sadly a fact of internet life, and targeting cryptocurrency enthusiasts means potentially massive payouts in comparison to some other forms of phishing. With no way to get your stolen coins back in most cases, it’s not something you can afford to ignore. Start shoring up those defences now, and have a long think about the level of advert exposure you’re comfortable with.

Rogue ads phishing for cryptocurrency: Are you secure?

A campaign by APT37 used a sophisticated malware to steal information about sources , which appears to be a successor to Bluelight.

A campaign by APT37 used a sophisticated malware to steal information about sources , which appears to be a successor to Bluelight.

Sophisticated hackers believed to be tied to the North Korean government are actively targeting journalists with novel malware dubbed Goldbackdoor. Attacks have consisted of multistage infection campaign with the ultimate goal of stealing sensitive information from targets. The campaign is believed to have started in March and is ongoing, researchers have found.

Researchers at Stairwell followed up on an initial report from South Korea’s NK News, which revealed that a North Korean APT known as APT37 had stolen info from the private computer of a former South Korean intelligence official. The threat actor–also known as Ricochet Collima, InkySquid, Reaper or ScarCruft—attempted to impersonate NK News and distributed what appeared to be a novel malware in an attempt to target journalists who were using the official as a source, according to the report.

NK News passed details to Stairwell for further investigation. Researchers from the cybersecurity firm uncovered specific details of the malware, called Goldbackdoor. The malware is likely a successor of the Bluelight malware, according to a report they published late last week.  
![Infosec Insiders Newsletter](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png)

“The Goldbackdoor malware shares strong technical overlaps with the Bluelight malware,” researchers wrote. “These overlaps, along with the suspected shared development resource and impersonation of NK News, support our attribution of Goldbackdoor to APT37.”

APT37 was previously seen using Bluelight as a secondary payload last August in a series of watering hole attacks against a South Korean newspaper that used known Internet Explorer vulnerabilities.

As Stairwell researchers noted, journalists are “high-value targets for hostile governments,” and often the target of cyber-espionage attacks. In fact, one of the biggest security stories of last year was various governments’ use of the NGO Group’s Pegasus spyware against journalists, among other targets.

“\[Journalists\] often are aggregators of stories from many individuals–sometimes including those with sensitive access,” Stairwell researchers wrote. “Compromising a journalist can provide access to highly-sensitive information and enable additional attacks against their sources.”

****Multi-Stage Malware****

The current campaign saga unfolded beginning March 18, when NK News shared “multiple malicious artifacts with the Stairwell threat research team from a spear-phishing campaign targeting journalists who specialize in the DPRK,” researchers wrote. The messages were sent from the personal email of a former director of South Korea’s National Intelligence Service, NIS.

“One of these artifacts was a new malware sample we have named Goldbackdoor, based on an embedded development artifact,” they wrote.

Goldbackdoor is a multi-stage malware that separates the first stage tooling and the final payload, which allows the threat actor to halt deployment after initial targets are infected, researchers said.

“Additionally, this design may limit the ability to conduct retrospective analysis once payloads are removed from control infrastructure,” they wrote in the report.

The malware, like Bluelight before it, uses cloud service providers for receiving actor commands and exfiltrating data. The sample specifically analyzed by researchers used Microsoft OneDrive and Graph APIs, while an additional identified sample SHA256 hash used Google Drive.

Embedded within the malware are a set of API keys used to authenticate against Microsoft’s cloud computing platform Azure and retrieve commands for execution, researchers said.

“Goldbackdoor provides attackers with basic remote command execution, file downloading/uploading, keylogging, and the ability to remotely uninstall,” they wrote. “This functionality and implementation closely match Bluelight; however, the increased focus appears to have been placed on file collection and keylogging.”

****Stage One****

Goldbackdoor is a sophisticated malware that researchers broke down into two stages. In stage one, a victim must download a ZIP file from a compromised site, https\[:\]//main\[.\]dailynk\[.\]us/regex?id=oTks2&file=Kang Min-chol Edits2.zip, which executes a compressed Windows shortcut.

“The domain dailynk\[.\]us was likely chosen to impersonate NK News (dailynk\[.\]com),” researchers said, and had been previously used by APT37 in a previous campaign.

Stairwell researchers retrieved the ZIP file for analysis from a DNS history of the site, which had stopped resolving already by the time of their investigation. They identified that the file was created on March 17 and contained a 282.7 MB Windows shortcut file LNK named Kang Min-chol Edits, likely a reference to Kang Min-chol, North Korea’s Minister of Mining Industries.

“The attackers masqueraded this shortcut as a document, using both the icon for Microsoft Word and adding comments similar to a Word document,” researchers wrote.

They also padded the LNK file 0x90, or NOP/No Operation, bytes to artificially increase the size of this file, potentially as a means of preventing upload to detection services or malware repositories they said.

Once executed, the LNK executes a PowerShell script that writes and opens a decoy document before starting the deployment process of Goldbackdoor, researchers said.

****Stage Two****

After deploying the decoy document, the PowerShell script decodes a second PowerShell script that then will download and execute a shellcode payload XOR—named “Fantasy” stored on Microsoft OneDrive.

 That Fantasy payload is the second stage of the malware’s process, and the first of a two-part final process for deploying Goldbackdoor, researchers said.

“Both parts are written in position-independent code (shellcode) containing an embedded payload, and use process injection to deploy Goldbackdoor,” they wrote.

Fantasy parses and decodes the payload and uses a standard process involving VirtualAllocEx,WriteProcessMemory, and RtlCreateUserThread to spawn a thread under the previously created process in order to execute it, researchers said.

The final dropper is a shellcode payload running as that thread in a process created by Fantasy to execute the final deployment of the malware.

“The payload delivered by this stage is a Windows Portable Executable PE file for Goldbackdoor,” researchers wrote.

Tag

#google