Microsoft is urging organizations that don't have automatic updates enabled to update to the latest version of Linux Server Fabric to thwart the "FabricScape" cloud bug.

Microsoft this week disclosed a serious container-escape vulnerability in its widely used Azure Service Fabric technology, which gives attackers a way to gain root privileges on the host node and take over all other nodes in the cluster.

The privilege-escalation bug is only exploitable on Linux containers, though it is present in Windows container environments as well, Microsoft said in an advisory Tuesday. Security researchers from Palo Alto Networks reported the bug — which they have dubbed FabricScape — along with a fully operational exploit, on Jan. 30, 2022. Microsoft released a fix for the issue (CVE-2022-30137) on June 14, but details on the bug were just released this week.

The fix has been applied to all customers that are subscribed to Microsoft's automatic update service, but others will need to manually patch to the latest version of Service Fabric. "Customers whose Linux clusters are automatically updated do not need to take further action," the company said in its bug disclosure announcement.

**A Privilege-Escalation Issue**

Service Fabric is a Microsoft container-orchestration technology — like Kubernetes. Numerous organizations use it as a platform-as-a-service to deploy and manage containers and microservices-based cloud applications across a cluster of machines. Palo Alto Networks used Microsoft data to estimate that Service Fabric hosts more than 1 million applications daily across millions of cores.

The bug that Palo Alto Network discovered exists in a logging function with high privileges in a Service Fabric component called Data Collection Agent (DCA). Researchers from the security vendor's Unit 42 threat intelligence team found that an attacker with access to a compromised container could exploit the vulnerability to escalate privileges and gain control of the host node and, from there, escape it and attack the entire cluster.

"The vulnerability allows attackers to take over the entire Service Fabric environment if they get a hold of a single application," says Ariel Zelivansky, director of security research at Palo Alto Networks. This allows attackers to perform lateral movement and to steal, destroy, or manipulate data. Other actions that an attacker could take by exploiting FabricScape include deploying ransomware or hijacking systems for cryptomining.

"If an organization hosts all of its applications, and possibly credentials, on Service Fabric, an attacker can gain control of all of those," Zelivansky says.

For an attack to be successful, a threat actor would first need to find a way to compromise a containerized workload on a Linux Service Fabric cluster, Microsoft said. The attacker would then need to trigger the DCA to run the vulnerable function in a manner that results in a so-called "race condition" where malicious code can be introduced into the environment.

**PoC: Exploiting the Flaw**

Researchers at Palo Alto Networks were able to exploit the vulnerability on Azure Service Fabric using a container under their control and a simulated compromised workload. They found the attack only worked if the compromised container had access to Service Fabric runtime data — something that is granted by default in single-tenant environments but less common in multitenant setups.

"Any application that is powered by a Service Fabric Linux cluster with runtime access, which is granted by default, is affected," Zelivansky said. Last year, Palo Alto Networks discovered another set of vulnerabilities in the Azure Container Instances (ACI) platform that allowed for a similar container escape.

Microsoft urged organizations using Service Fabric to review containerized workloads in both Linux and Windows environments that had access to host clusters. "By default, a \[Service Fabric\] cluster is a single-tenant environment and thus there is no isolation between applications," Microsoft said. All applications running in these single tenant environments are considered trusted and therefore have access to Service Fabric runtime, Microsoft said.

Thus, organizations that want to run untrusted application in a Service Fabric cluster should take additional measures to create isolation between applications and should remove access to Service Fabric runtime for those untrusted apps, Microsoft said.

Zelivansky says the first layer of defense against vulnerabilities such as FabricScape is focusing on the application itself, limiting the possibility of an attack by remediating known vulnerabilities in their code. They can also limit exposure to the Internet.

However, he offers a caveat: "But the reality is that even if an application is safe from any known vulnerability, zero-day vulnerabilities could be discovered and exploited in any code. And \[software\] supply-chain attacks such as typosquatted or malicious packages are becoming more common than before," he says.

Zelivansky says organizations running Linux Service Fabric clusters should check their cluster version and verify the version is at least 9.0.1035.1. "An organization should check if they have Linux-based applications on Service Fabric. If the answer is yes, we recommend giving top priority to addressing this vulnerability now that its full details are out."

**Cloud Vulnerabilities in Cyberattackers' Sights**

Vulnerabilities in cloud products and services have become a growing concern for organizations — and not just because of the security risks associated with them. In many cases, organizations also have a hard time keeping track of cloud vulnerabilities because of the absence of a common vulnerability enumeration (CVE) program for cataloging them. Because many cloud-security issues are considered the service provider's sole responsibility, there often has been little disclosure of these issues, leaving organizations in the dark about whether they might have been exposed to a specific threat.

This week researchers at Wiz launched a new community-based cloud vulnerability database aimed at addressing this lack of information. The database currently contains information on some 70 previous security issues in cloud products and services. Anyone can add to the database going forward. The goal is to make it a central repository for information on cloud threats in the absence of a formal program like MITRE's CVE program for information security flaws.

Patch Now: Linux Container-Escape Flaw in Azure Service Fabric

The malware has been in circulation since 2020, with sophisticated, advanced malicious actors taking advantage of the vulnerabilities in SOHO routers as the work-from-home population expands rapidly.

Security researchers have discovered a multi-stage remote access Trojan (RAT) currently being used against a wide range of small office-home office (SOHO) routers in Europe and North America — potentially the work of a state-sponsored actor.

Researchers believe that at least 80 victims have been infected so far during the campaign.

The malware, known as ZuoRAT, has been active since 2020, according to the Black Lotus Labs, the threat intelligence arm of Lumen Technologies.

According to the report, the malware makes its way onto the routers through exploits for known vulnerabilities. It can also infect other devices in the network and introduce additional malware via DNS and HTTP hijacking.

"ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device, and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules)," Lumen's threat intelligence team wrote in a blog post on the malware.

**Trojan Targets Cisco, Netgear Routers**

The malware targets routers from Cisco, Netgear, Asus, and DrayTek.

"The device types consisted of, but were not limited to: Cisco RV 320, 325 and 420; Asus RT-AC68U, RT-AC530, RT-AC68P and RT-AC1900U; DrayTek Vigor 3900 and unspecified NETGEAR devices," according to the analysis.

The research team noted that while compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported.

"Reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are \[rare\] and a mark of a complex and targeted operation," the post continued. "The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization."

From the perspective of Danny Adamitis, principal information security engineer for Lumen Black Lotus Labs, the sophistication of this campaign cannot be overstated, especially the ability to enumerate infected devices and the LANs they are connected to, and packet-capture network traffic for additional targeting.

"Moreover, the multi-stage campaign includes multiple fully functional Trojans, as well as complex and covert C2 and proxy C2 infrastructure to obfuscate command-and-control and evade detection, which is why it went undetected for nearly two years," he adds.

**Other Trojans Found on Hacked Devices**

To Adamitis' point, the researchers found two other Trojans on the hacked devices. One was based on C++ and targeted Windows workstations. The other Trojan was based on the Go programming language and attacked Linux and macOS as well as Windows.

Among other things, they allowed the attackers to start new processes, gain permanent access to infected systems, intercept network traffic, and upload or download arbitrary files.

**Shift to Secure the Home Office**

According to a recent survey, nearly a quarter of the respondents (23%) named securing the remote workforce as their top priority for 2022. Routers are an important part of that, as they act as central waypoints for the rest of the home IT footprint.

"Once you are on the router you have a full trusted connection to poke and prod at whatever device is connected to it," Dahvid Schloss, offensive security team lead at Echelon, said via email. "From there, you could attempt to use proxychains to throw exploits into the network or just monitor all the traffic going in, out, and around the network."

So, as part of the work-from-home shift, some major vendors are moving their security focus, such as HP, which helps admins secure work-from-home endpoints by extending cloud security management that can remotely track, detect, and self-heal remote company devices.

"The consumer router space is ripe for targeting because these devices reside outside of the traditional security perimeter, and they are rarely monitored or patched," Adamitis adds. "This is only exacerbated by the rapid shift to remote work at the start of the pandemic."

Alex Ondrick, director of security operations at incident-response specialist BreachQuest, says a general lack of security controls for consumer-grade routers, and difficulties in "force" patching/update for them, makes SOHO routers particularly vulnerable.

"If a SOHO router is unpatched or vulnerable to known security flaws, ZuoRAT poses a dangerous combination of reconnaissance and authentication-bypass exploit script and lateral-movement capabilities," he explains.

**Bolstering the Human Firewall**

Ondrick adds that the SOHO router threat is an opportunity for organizations to expand their security awareness programs and spread valuable improved security measures among their users.

"Educating users on how to protect their home networks, their passwords, their financial information, and their families increases their engagement and builds cybersecurity hygiene and acumen they take back to the office, and reduces the organization's attack surface and builds the better human firewall," he says.

He says SOHO users should regularly update their router's firmware and ensure their devices are behind multiple layers of security (defense-in-depth) wherever possible.

For home routers, he says it's important to leverage the vendor's built-in security capabilities alongside host-based network security wherever possible.

"Think of your home router as 'yet another' device which should be regularly updated and think of it as the 'first line of defense' between you and the public-facing Internet," he says. "Pending any leaps forward in SOHO router security, consider adding a recurring biannual reminder on your phone or calendar to check for updates on your router's firmware."

ZuoRAT Hijacks SOHO Routers From Cisco, Netgear

It's time to decide which role to play to best serve your organization's security needs: an auditor, a lawyer, or a developer.

Your business relies on software, and attackers know that. To prevent your applications from being used against you, you need an application security (AppSec) program that delivers three crucial things:

*   **Secure code**: Your code has to be vulnerability-free and well-defended.
*   **Secure software supply chain**: Ditto for your libraries, products, and dev tools.
*   **Secure operations:** You must detect attacks and prevent exploits in production.

You can choose a number of paths to get to that level of protection. Which path you choose depends on your teams, processes, technology, and culture. How do they all work together? Keep in mind that an AppSec program isn't about eliminating risk. Business involves taking risks, and there's no way to completely eradicate it. But there's a big difference between taking blind risks while not knowing what could go wrong vs. being aware of how likely it is that an issue will be found and exploited, as well as how catastrophic (or not) the outcomes might be.

When it comes to risk decisions, choosing a strategy for your AppSec program is the most important one you'll face. Setting up an AppSec program is nuanced and varied, but consider which of the following three general types best fits your company. The wrong path could leave you with a massive weight of security debt, or even possibly breached, because time was wasted chasing vulnerabilities that weren't all that relevant and real risks got buried in the "never got to it" pile.

**1\. The Auditor: Checkbox AppSec**

In "minimal" AppSec programs, small teams do only what's required of them by either external standards or their customers. The goal is to simply check off the boxes for application security standards like OWASP, PCI, and NIST, all of which are, essentially, checklists. Many types of companies adopt this strategy — most commonly, small and midsize businesses — but the checklists don't bring them actual security.

It's not that minimal AppSec programs never succeed. They can by relying on free or very inexpensive tools, such as OWASP ZAP and DependencyCheck, to assess code. An inexpensive cloud web application firewall (WAF) for production might also be in the mix. But these tools can show false-negatives that miss real vulnerabilities, giving organizations a false sense of security. Such tools also tend to throw false-positives that lead to squandered resources and huge backlogs instead of actual remediation.

An upside to having a minimal AppSec program is that the budget for people and tools tend to be small. But because minimal AppSec programs don't offer a clear understanding of business risk, organizations are underinvesting in enterprise security based on incomplete information.

**2\. The Lawyer: Adversarial AppSec**

In adversarial AppSec programs, the development team tries to deliver code as fast as possible while the siloed security team wrestles for control. Development focuses on delivering features, while the security team tries to add more security activities. Large companies tend to adopt this approach, as do critical industries such as finance, banking, e-commerce, and insurance.

This approach requires a large security team to execute all of the activities. Most have various subteams focused on architecture, policy, threat modeling, policy, static scanning, dynamic scanning, WAFs, training, and more. Adversarial programs always have more analysis to do, but security teams don't actually fix code in this type of program. Organizations often adopt "champion" programs to help get all of the work done. But without a clear line of sight from activities desired outcomes, much of the busy work has little to no measurable effect.

Given a big enough team and a big budget, adversarial AppSec programs can be effective. But most programs struggle to handle the volume of tool output, particularly as development teams speed up their software releases. Most vulnerabilities wind up in an ever-growing pile of issues that are neither triaged nor remediated. Development teams are confronted with significant delays and bottlenecks due to these backlogs, which are coupled with security testing and gates. Innovation suffers because of these delays, which cause frustration and force development teams to seek exceptions and bypass security.

**3\. The Developer: Developer-Centric AppSec**

Developer-centric AppSec programs strive to put application security directly into the hands of software development teams as part of their regular work. The goal: for the teams to eventually establish an automated pipeline that ensures strong security across the software development life cycle, starting with the developer and on into production. This type of program is often called "DevSecOps," or "shift left."

DevSecOps programs use the "big machinery" of software development to do security work, as opposed to smaller, siloed AppSec teams. Given that developers won't tolerate slowing down pipelines or wasting time on false-positives, developer teams automate security testing in pipelines, using fast and highly accurate tools that enable fast security feedback loops and reduce cost.

Developer-centric programs employ interactive application security testing (IAST) tools to simultaneously perform fully automated security and quality tests. Doing so aligns development and security interests, as the teams work together on expanding test coverage and strengthening the pipeline. Visibility into attacks with runtime application self-protection (RASP) also provides teams with threat intelligence that informs security priorities. RASP technology prevents vulnerabilities from being exploited, allowing teams to respond to new vulnerabilities without having to run a fire drill.

The developer-centric approach is ideal for projects regardless of their stage in DevOps transformation. That said, this approach may not be able to take advantage of automated pipelines, quality testing infrastructure, and DevOps culture if applied to completely traditional projects. Then again, adopting a developer-centric approach to security may be the perfect catalyst to spark or to speed a DevOps transformation.

**Software Security Has Changed**

Inspired by incidents like SolarWinds, Log4Shell, and Spring4Shell, the world's governments have been pushed into doing something about application security. New regulations and standards from NIST, PCI, and OWASP all require a more sophisticated approach to AppSec and real evidence that what you're doing is actually effective.

Those employing a "minimal" or "adversarial" AppSec program will likely have to respond by making some changes, including:

*   **Threat modeling:** The days of checklists are over. You're going to need to threat-model your applications and then demonstrate that you've implemented decent controls for each.
*   **AST****:** You're also going to be expected to do a much more thorough job of testing the security of your applications and APIs. You'll have to provide evidence that you're testing the effectiveness of your defenses and remediating any problems found.
*   **SBOMs****:** To really get a handle on your open source use, you're probably going to need sensors that report library data to an always-up-to-date database. But in the meantime, you'll also need to generate software bills of materials (SBOMs) for your customers.

Bear in mind that if you decide to change up your approach, transforming one team at a time is probably preferable to trying to change everything all at once.

The trend toward more transparent application security that goes beyond simply checking off boxes likely won't stop here. The US government, for one, is evaluating a software security labeling scheme to create visibility and drive better security from producers. Whether this becomes reality remains to be seen, but one thing's safe to say: Now is a fine time to make sure you've chosen the right strategy for application security.

What's Your AppSec Personality?

Cybersecurity researchers have documented a new information-stealing malware that targets YouTube content creators by plundering their authentication cookies.
Dubbed "YTStealer" by Intezer, the malicious tool is likely believed to be sold as a service on the dark web, with it distributed using fake installers that also drop RedLine Stealer and Vidar.
"What sets YTStealer aside from other

Cybersecurity researchers have documented a new information-stealing malware that targets YouTube content creators by plundering their authentication cookies.

Dubbed "YTStealer" by Intezer, the malicious tool is likely believed to be sold as a service on the dark web, with it distributed using fake installers that also drop RedLine Stealer and Vidar.

"What sets YTStealer aside from other stealers sold on the dark web market is that it is solely focused on harvesting credentials for one single service instead of grabbing everything it can get ahold of," security researcher Joakim Kenndy said in a report shared with The Hacker News.

The malware's modus operandi, however, mirrors its counterparts in that it extracts the cookie information from the web browser's database files in the user's profile folder. The reasoning given behind targeting content creators is that it uses one of the installed browsers on the infected machine to gather YouTube channel information.

It achieves this by launching the browser in headless mode and adding the cookie to the data store, followed by using a web automation tool called Rod to navigate to the user's YouTube Studio page, which enables content creators to "manage your presence, grow your channel, interact with your audience, and make money all in one place."

From there, the malware captures information about the user's channels, including the name, the number of subscribers, and its creation date, alongside checking if it's monetized, an official artist channel, and if the name has been verified, all of which is exfiltrated to a remote server carrying the domain name "youbot\[.\]solutions."

Another notable aspect of YTStealer is its use of the open-source Chacal "anti-VM framework" in an attempt to thwart debugging and memory analysis.

Further analysis of the domain has revealed that it was registered on December 12, 2021, and that it's possibly connected to a software company of the same name that's located in the U.S. state of New Mexico and claims to provide "unique solutions for getting and monetizing targeted traffic."

That said, open-source intelligence gathered by Intezer has also linked the logo of the supposed company to a user account on an Iranian video-sharing service called Aparat.

A majority of the dropper payloads delivering YTStealer together with RedLine Stealer are packaged under the guise of installers for legitimate video editing software such as Adobe Premiere Pro, Filmora, and HitFilm Express; audio tools like Ableton Live 11 and FL Studio; game mods for Counter-Strike: Global Offensive and Call of Duty; and cracked versions of security products.

"YTStealer doesn't discriminate about what credentials it steals," Kenndy said. "On the dark web, the 'quality' of stolen account credentials influences the asking

price, so access to more influential Youtube channels would command higher prices."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New YTStealer Malware Aims to Hijack Accounts of YouTube Content Creators

See how these novel, sophisticated, or creative threats used techniques such as living off the land to evade detection from traditional defensive measures — but were busted by AI.

We're now halfway through 2022, and already we have seen a range of cyberattacks, familiar and unfamiliar, disrupting organizations. However, we have also seen uplifting stories of successful threat detection efforts, as well.

In this article, we will look at five novel, sophisticated, or creative threats that used techniques such as "living off the land" to evade detection by traditional defensive measures. These threats were all discovered by artificial intelligence (AI) technology, which can spot subtle deviations in device and user behavior and autonomously enforce "normal," stopping a threat in its tracks.

**1\. Leading Laboratory Interrupts Dark Web Insider Threat With AI**

Cyberattacks against the healthcare sector hit record highs last year, and for these organizations cyber threats can have severe real-world consequences. One of Darktrace's healthcare clients is a company specializing in the research, development, and manufacturing of innovative in vitro diagnostic tests for disease, conditions, and infections.

In March, this company was targeted by a malicious insider threat. An employee was looking to exploit their access within the organization to sell proprietary intellectual property, perhaps even medical supplies, on the Dark Web. The employee was detected using Tor on a company device to connect to a Dark Web pharmaceutical market forum.

Malicious or compromised insiders can be difficult to identify because their privileged access and knowledge of company workings allow them to evade detection by traditional security tools. In order to protect intellectual property from insider threat, organizations need to augment security teams with AI-powered technology to stop malicious activity in real time.

In this case, given that no other company device had visited the Tor network in the past, Darktrace's AI flagged the activity to the security team, who were then able to investigate the employee and discover their malicious intentions.

**2\. Babuk Double-Extortion Ransomware Neutralized at a Technology Manufacturer**

Babuk is a double-extortion ransomware strain that has successfully attacked high-value organizations around the world since 2021. In February 2022, however, it targeted a multinational technology manufacturer that had deployed AI cybersecurity. The targeted company facilitates the adoption of smart medical devices as well as electric and autonomous vehicles. This means uptime is important, and ransomware poses a significant risk.

The first sign of a threat came in the early hours of the morning, when the AI detected a company device performing network scanning and making unusual connections to other internal devices. Based on its understanding of the device's usual "pattern of life," the AI identified this out-of-the-ordinary behavior as malicious and calculated a response.

The AI was able to stop this attack without interfering with normal business operations in the company's office or on the manufacturing floor. It blocked only the malicious connections, while allowing the rest of the compromised device's operations to continue.

Once the attack had been stopped, a post-compromise analysis conducted by the AI revealed that the compromised device had indeed been attempting to distribute files with "babyk" extensions. These attacks often strike out of hours, so defenders of critical infrastructure should consider using artificial intelligence to allow their organizations to self-defend against advanced threats.

**3\. HR-Spoofing Attack Targets Employees at Private Equity Firm**

Phishing and spoofing emails continue to be the favorite initial entry point for cyberattackers. Earlier this year, a private equity firm looking to bolster its email security efforts trialed an AI email security solution and detected a targeted spoofing attack almost immediately.

The attackers had tailored their email to imitate the company's internal HR communications, titling it "Q3 Commission 2021 and Agenda" and designing it to look like a SharePoint Microsoft document. To a company employee, this email would not have looked at all out of place in their inbox.

Further investigation showed the email to be part of a wider trend of targeted phishing campaigns that use fake Microsoft branding to trick employees. The exact motivations of this attack are unknown because it was stopped in its earliest stages, but attacks like it are often launched with the aim of causing operational disruption or conducting IP and financial theft.

**4\. Ransomware Attack Against a Financial Services Provider Halted**

In March 2022, a South African financial services firm decided to try out Darktrace's technology and immediately uncovered an in-progress ransomware attack attempting to encrypt its most valuable data.

The first sign of compromise was a company mail server making unusual HTTP connections to an external endpoint and communicating with a malicious server via the Internet. Its understanding of the business and this particular mail server's normal behavior allowed the AI to identify the threatening activity.

The compromised server was then seen attempting to perform network reconnaissance and lateral movement to increase its presence within the organization. Further investigation revealed that attackers had obtained the credentials of 11 employees, including several C-level executives. With the attack spreading fast, more and more company devices began attempting to communicate with the malicious external server.

The AI quickly interrupted further attempts at communication with the malicious server but allowed normal business operations to continue. With the attack safely contained, Darktrace helped the company's security team to conduct a full investigation and ensure that the attack had been completely neutralized.

**5\. AI Stops Log4j Exploit at a Global Financial Services Provider**

The Log4Shell vulnerability that went public at the end of 2021 is one of the most serious and widespread exploits on record. It is thought by some to have affected hundreds of millions of devices and, as a zero-day, it has evaded lots of traditional security tools.

Fortunately, AI security has been able to mitigate the effects of Log4Shell for many of the organizations it protects. One of these, a global financial services provider with assets of over $5 billion, was targeted in March 2022.

The attackers used a Log4j vulnerability to gain access to one of the company's virtual desktop infrastructure (VDI) servers, from which they attempted to scan the surrounding network and spread throughout the enterprise. The server began downloading a shell script from a suspicious external endpoint, prompting an immediate alert from the company's AI-driven security measures.

Convinced of the severity of the threat by the alert, the company's security team promptly deployed AI technology to take precise action against the threat and maintain the regular business activities on the VDI server.

Fast action from this AI-driven response technology blocked the malicious connections and prevented the threat from progressing further, very likely saving the company from a ransomware attack.

5 Surprising Cyberattacks AI Stopped This Year

Team behind Abuse.ch and ThreatFox launch new hub for scanning and hunting files using YARA

Team behind Abuse.ch and ThreatFox launch new hub for scanning and hunting files using YARA

Security teams have a new tool to hunt for malware, using open source YARA rules.

YARAify can scan files using public YARA rules, integrate public and non-public YARA rules from Malpedia, operated by Germany’s Fraunhofer Institute, and scan using open and commercial ClamAV signatures.

Researchers can set up hunting rules to match both YARA rules and ClamAV signatures, and link YARAify to other tools via APIs.

**Pattern matching**

YARAify was developed by security researchers at Abuse.ch, a project from the Institute for Cybersecurity and Engineering (ICE) at the University of Applied Sciences at Bern, Switzerland.

According to founder Roman Hüssy, YARA rules are powerful but difficult to handle.

For example, rules are spread across platforms and git repositories, and there is no simple way to share them. Nor is there a single, consistent naming convention for YARA rules, leading to duplication and difficulties in rule handling.

Hüssy has added both a unique identity, , and YARAhub to help researchers share rules.

**RECOMMENDED** GhostTouch: Hackers can reach your phone’s touchscreen without even touching it

Rule authors can also set up TLP classifications on YARAhub to allow others to use the YARA rule to hunt for threats, without seeing the rule itself.

“YARA is an open source tool for pattern matching,” Hüssy told _The Daily Swig_. “It allows anyone, usually security researchers or vendors of security software, to write their own rules to detect \[issues\] such as malicious or suspicious files.

“We decided to launch the YARAify platform to the public to allow anyone to share their YARA rules with the community in a structured way and to use those to hunt for suspicious and malicious files seen within the Abuse.ch universe.”

Hüssy hopes that YARAify will become the default platform for security researchers to share YARA rules. The response so far has been overwhelmingly positive, he said.

**Threat intel**

Security vendors are increasingly supporting YARA rules in their own applications, and YARA rules are used widely by SOCs and in threat hunting and threat intelligence.

Data protection and resilience vendor Rubrik, for example, has built support for YARA rules into its tools, to help IT teams with incident containment, and with threat hunting, especially to prevent a firm reinfecting its systems from compromised backups.

"When talking about YARA it is important to distinguish between YARA the tool and YARA rules,” James Blake, field CISO at Rubrik, told _The Daily Swig_.

“YARA rules are the descriptions of malware that the YARA tool creates when given a file to analyse. The adoption of YARA rules in open source and commercial preventative and detective controls, other standards such as STIX for threat intelligence exchange, as well as in threat intelligence platforms, have now extended way beyond just the YARA tool.”

Check out more of the latest hacking tools

YARA rules can be used to “allow a net to be cast wide and then gradually refined” during threat hunting, as researchers focus in on particular malware strains. But YARA rules are powerful because they can describe not just the content of an executable, but also its behavior. This helps researchers track malware families, even as they adapt.

“YARA rules are extensively used in mature SOCs and mature service provider organizations to improve detection and prevent some of the noise that’s generated by more simplified hash-based detections,” Martin Riley, director of managed security services at consulting firm Bridewell, told _The Daily Swig_.

Bridewell uses YARA rules to identify trends and carry out reverse map engineering on some malware.

“YARA rules essentially replace hash values of files, which can be easily manipulated by attackers,” Riley said.

“YARA rules provide a higher fidelity and more valuable detection mechanism for malicious objects within a network.” YARAify, he suggested, provides researchers with an alternative to tools such as Google’s VirusTotal.

**DON’T MISS** Rise in off-the-shelf ransomware kits continues

YARAify: Defensive tool scans suspicious files against a large repository of YARA rules

Marval MSM v14.19.0.12476 is vulnerable to Cross Site Request Forgery (CSRF). An attacker can disable the 2FA by sending the user a malicious form.

**Work smarter with Marval**

Our powerful Enterprise Service Management solution drives productivity and delivers exceptional customer service. Available as SaaS or on premises, this out of the box, ITIL aligned ITSM solution seamlessly integrates with all your business apps to transparently share data between departments to help your organisation make informed decisions faster.

Learn more

**Solutions that make ITSM all about you**

Improve control & accountability | Boost performance & processes | Optimise service delivery | Reduce operational costs | Enhance customer experiences

Discover more

**The power of AI and ML**

Combining Artificial Intelligence (AI), Machine Learning (ML) and data analytics, Marval helps you access real-time actionable insights, automate end-to-end business processes, rapidly resolve issues, automatically prevent incidents and make smarter decisions.

Learn more

**Empowering enterprises**

From the IT Service Desk to Human Resources, the Finance team and beyond, our enterprise ready Service Management solution connects people, functions, and systems to improve control, drive productivity, reduce costs and enhance customer experiences across the organization.

Find your ideal ITSM solution

**Council kick starts digital transformation**

Read more

**Hospital reduces service desk calls**

Read more

**Who we work with**

**About Marval**

With over 30 years in the ITSM business, Marval offers unrivalled industry knowledge and expertise combined with innovative system design to ensure service levels, governance and compliance are met, while enabling support teams to deliver the best possible service to colleagues and consumers.

Find out more

CVE-2022-31886: Future Proof your IT Service Management

Researchers this week said they had observed criminals using a new and improved version of the prolific malware, barely three months after its authors announced they were quitting.

The authors of "Raccoon Stealer," one of the most prolific information stealers of 2021, have released a new and improved version of the malware just three months after shutting down operations following the death of its lead developer in Ukraine.

Researchers from French cybersecurity vendor Sekoia this week reported stumbling upon active servers hosting Raccoon Stealer files while searching for signs of the malware earlier this month. Sekoia's subsequent investigation showed the authors of the malware had been selling the new version via their Telegram channel since at least May 17.

Sekoia said its analysis showed the authors of Raccoon Stealer have rewritten the malware and administrative panel for it, from scratch. The focus of the effort appears to have been on improving the stealer’s performance and efficiency. At its core, the new Raccoon Stealer remains a classic information stealer, with an extra focus on cryptocurrency wallets. It is designed to steal passwords, cookies, credit card data, and autofill forms from most modern browsers. The malware can steal from a wide range of desktop crypto wallets including Electrum, Exodus, MetaMask, and Coinomi.

**New and Improved**

Sekoia found Raccoon Stealer V2 to also feature capabilities — such as a file grabber for all disks and a built-in file downloader — for exfiltrating files for compromised systems and loading other software on the systems. Additional capabilities include screenshot capturing, keystroke logging, and application enumeration. "It's worth noting that the malware implements almost no defense evasion techniques, such as anti-analysis \[or\] obfuscation,” Sekoia said in a report summarizing its analysis this week. However, expect the malware authors to add those capabilities soon, the security vendor said.

Several security researchers had fully expected Raccoon Stealer to resurface when its developers announced they were stopping operations on March 25. The malware, which first surfaced in 2019, is widely regarded as one of the most effective information stealers in recent memory. Racoon Stealer's developers initially distributed it via a malware-as-a-service model that allowed other criminals to rent and use the stealer for a portion of the profits.

Over time, criminals began distributing it in other ways as well, including by planting it on websites selling pirated software. Last August, researchers from Sophos reported criminals dropping the malware from sites that were optimized to surface high on Google search engine results when people searched for sources of pirated software. In that campaign, Sophos concluded the criminals distributing Raccoon Stealer were likely using "droppers-as-a-service" to distribute the malware. Sophos researchers also observed attackers using a Telegram channel to deliver the address of the command-and-control gateway to systems infected with Raccoon Stealer. The security vendor surmised that Raccoon Stealer attackers had begun using the Telegram channel to make it harder to locate the malware's command and control infrastructure.

**Resurfacing on Cue**

In January 2022, Bitdefender's Cyber Threat Intelligence Lab observed the operators of the widely used RIG Exploit Kit include Raccoon Stealer in their kit. However, when Raccoon Stealer's developers announced they were quitting, the authors of RIG quickly swapped out the malware for the older but still popular Dridex banking Trojan. Recently, criminals have also used fake installers for legitimate software — such as VPNs from F-Secure and Proton — to distribute Raccoon Stealer.

In a report last week, Bitdefender predicted that Raccoon Locker would return despite the setback that pushed the developers to ceasing operations in March. It's an assessment that Sekoia shared this week. "We expect a resurgence of Raccoon Stealer v2 as developers implemented a version tailored to the needs of cybercriminals and scaled their backbone servers to handle large loads," Sekoia said.

'Raccoon Stealer' Scurries Back on the Scene After Hiatus

On December 7, 2021, Google announced it had sued two Russian men allegedly responsible for operating the Glupteba botnet, a global malware menace that has infected millions of computers over the past decade. That same day, AWM Proxy -- a 14-year-old anonymity service that rents hacked PCs to cybercriminals -- suddenly went offline. Security experts had long seen a link between Glupteba and AWM Proxy, but new research shows AWM Proxy's founder is one of the men being sued by Google.

On December 7, 2021, **Google** announced it was suing two Russian men allegedly responsible for operating the **Glupteba** botnet, a global malware menace that has infected millions of computers over the past decade. That same day, **AWM Proxy** — a 14-year-old anonymity service that rents hacked PCs to cybercriminals — suddenly went offline. Security experts had long seen a link between Glupteba and AWM Proxy, but new research shows AWM Proxy’s founder is one of the men being sued by Google.

AWMproxy, the storefront for renting access to infected PCs, circa 2011.

Launched in March 2008, AWM Proxy quickly became the largest service for crooks seeking to route their malicious Web traffic through compromised devices. In 2011, researchers at **Kaspersky Lab** showed that virtually all of the hacked systems for rent at AWM Proxy had been compromised by **TDSS** (a.k.a TDL-4 and Alureon), a stealthy “rootkit” that installs deep within infected PCs and loads even before the underlying Windows operating system boots up.

In March 2011, security researchers at **ESET** found TDSS was being used to deploy Glupteba, another rootkit that steals passwords and other access credentials, disables security software, and tries to compromise other devices on the victim’s network — such as Internet routers and media storage servers — for use in relaying spam or other malicious traffic.

A report from the Polish computer emergency response team (CERT Orange Polksa) found Glupteba was by far the biggest malware threat in 2021.

Like its predecessor TDSS, Glupteba is primarily distributed through “pay-per-install” or PPI networks, and via traffic purchased from traffic distribution systems (TDS). Pay-per-install networks try to match cybercriminals who already have access to large numbers of hacked PCs with other crooks seeking broader distribution of their malware.

In a typical PPI network, clients will submit their malware—a spambot or password-stealing Trojan, for example —to the service, which in turn charges per thousand successful installations, with the price depending on the requested geographic location of the desired victims. One of the most common ways PPI affiliates generate revenue is by secretly bundling the PPI network’s installer with pirated software titles that are widely available for download via the web or from file-sharing networks.

An example of a cracked software download site distributing Glupteba. Image: Google.com.

Over the past decade, both Glupteba and AWM Proxy have grown substantially. When KrebsOnSecurity first covered AWM Proxy in 2011, the service was selling access to roughly 24,000 infected PCs scattered across dozens of countries. Ten years later, AWM Proxy was offering 10 times that number of hacked systems on any given day, and Glupteba had grown to more than one million infected devices worldwide.

There is also ample evidence to suggest that Glupteba may have spawned **Meris**, a massive botnet of hacked Internet of Things (IoT) devices that surfaced in September 2021 and was responsible for some of the largest and most disruptive distributed denial-of-service (DDoS) attacks the Internet has ever seen.

But on Dec. 7, 2021, Google announced it had taken technical measures to dismantle the Glupteba botnet, and filed a civil lawsuit (PDF) against two Russian men thought to be responsible for operating the vast crime machine. AWM Proxy’s online storefront disappeared that same day.

AWM Proxy quickly alerted its customers that the service had moved to a new domain, with all customer balances, passwords and purchase histories seamlessly ported over to the new home. However, subsequent takedowns targeting AWM Proxy’s domains and other infrastructure have conspired to keep the service on the ropes and frequently switching domains ever since.

Earlier this month, the United States, Germany, the Netherlands and the U.K. dismantled the “**RSOCKS**” botnet, a competing proxy service that had been in operation since 2014. KrebsOnSecurity has identified the owner of RSOCKS as a 35-year-old from Omsk, Russia who runs the world’s largest forum catering to spammers.

The employees who kept things running for RSOCKS, circa 2016.

Shortly after last week’s story on the RSOCKS founder, I heard from **Riley Kilmer**, co-founder of Spur.us, a startup that tracks criminal proxy services. Kilmer said RSOCKS was similarly disabled after Google’s combined legal sneak attack and technical takedown targeting Glupteba.

“The RSOCKS website gave you the estimated number of proxies in each of their subscription packages, and that number went down to zero on Dec. 7,” Kilmer said. “It’s not clear if that means the services were operated by the same people, or if they were just using the same sources (i.e., PPI programs) to generate new installations of their malware.”

Kilmer said each time his company tried to determine how many systems RSOCKS had for sale, they found each Internet address being sold by RSOCKS was also present in AWM Proxy’s network. In addition, Kilmer said, the application programming interfaces (APIs) used by both services to keep track of infected systems were virtually identical, once again suggesting strong collaboration.

“One hundred percent of the IPs we got back from RSOCKS we’d already identified in AWM,” Kilmer said. “And the IP port combinations they give you when you access an individual IP were the same as from AWM.”

In 2011, KrebsOnSecurity published an investigation that identified one of the founders of AWM Proxy, but Kilmer’s revelation prompted me to take a fresh look at the origins of this sprawling cybercriminal enterprise to determine if there were additional clues showing more concrete links between RSOCKS, AWM Proxy and Glupteba.

**IF YOUR PLAN IS TO RIP OFF GOOGLE…**

Supporting Kilmer’s theory that AWM Proxy and RSOCKS may simply be using the same PPI networks to spread, further research shows the RSOCKS owner also had an ownership stake in **AD1\[.\]ru**, an extremely popular Russian-language pay-per-install network that has been in operation for at least a decade.

Google took aim at Glupteba in part because its owners were using the botnet to divert and steal vast sums in online advertising revenue. So it’s more than a little ironic that the critical piece of evidence linking all of these operations begins with a Google Analytics code included in the HTML code for the original AWM Proxy back in 2008 (**UA-3816536**).

That analytics code also was present on a handful of other sites over the years, including the now-defunct Russian domain name registrar **Domenadom\[.\]ru**, and the website **web-site\[.\]ru**, which curiously was a Russian company operating a global real estate appraisal business called American Appraisal.

Two other domains connected to that Google Analytics code — Russian plastics manufacturers **techplast\[.\]ru** and **tekhplast.ru** — also shared a different Google Analytics code (**UA-1838317**) with web-site\[.\]ru and with the domain “**starovikov\[.\]ru**.”

The name on the WHOIS registration records for the plastics domains is an “**Alexander I. Ukraincki**,” whose personal information also is included in the domains tpos\[.\]ru and alphadisplay\[.\]ru, both apparently manufacturers of point-of-sale payment terminals in Russia.

Constella Intelligence, a security firm that indexes passwords and other personal information exposed in past data breaches, revealed dozens of variations on email addresses used by Alexander I. Ukraincki over the years. Most of those email addresses start with some variation of “**uai@**” followed by a domain from one of the many Russian email providers (e.g., yandex.ru, mail.ru). \[Full disclosure: Constella is currently an advertiser on this website\].

But Constella also shows those different email addresses all relied on a handful of passwords — most commonly “**2222den**” and “**2222DEN**.” Both of those passwords have been used almost exclusively in the past decade by the person who registered more than a dozen email addresses with the username “**dennstr**.”

The dennstr identity leads to several variations on the same name — Denis Strelinikov, or Denis Stranatka, from Ukraine, but those clues ultimately led nowhere promising. And maybe that was the point.

Things began looking brighter after I ran a search in DomainTools for web-site\[.\]ru’s original WHOIS records, which shows it was assigned in 2005 to a “private person” who used the email address **lycefer@gmail.com**. A search in Constella on that email address says it was used to register nearly two dozen domains, including starovikov.ru and **starovikov\[.\]com**.

A cached copy of the contact page for Starovikov\[.\]com shows that in 2008 it displayed the personal information for a **Dmitry Starovikov**, who listed his Skype username as “lycefer.”

Finally, Russian incorporation documents show the company LLC Website (web-site\[.\]ru)was registered in 2005 to two men, one of whom was named **Dmitry Sergeevich Starovikov**.

Bringing this full circle, Google says Starovikov is one of the two operators of the Glupteba botnet:

The cover page for Google’s lawsuit against the alleged Glupteba botnet operators.

Mr. Starovikov did not respond to requests for comment. But attorneys for Starovikov and his co-defendant last month filed a response to Google’s complaint in the Southern District of New York, denying (PDF) their clients had any knowledge of the scheme.

Despite all of the disruption caused by Google’s legal and technical meddling, AWM is still around and nearly as healthy as ever, although the service has been branded with a new name and there are dubious claims of new owners. Advertising customer plans ranging from $50 a day to nearly $700 for “VIP access,” AWM Proxy says its malware has been running on approximately 175,000 systems worldwide over the last 24 hours, and that roughly 65,000 of these systems are currently online.

AWM Proxy, as it exists today.

Meanwhile, the administrators of RSOCKS recently alerted customers that the service and any unspent balances will soon be migrated over to a new location.

Many people seem to equate spending time, money and effort to investigate and prosecute cybercriminals with the largely failed war on drugs, meaning there is an endless supply of up-and-coming crooks who will always fill in any gaps in the workforce whenever cybercriminals face justice.

While that may be true for many low-level cyber thieves today, investigations like these show once again how small the cybercriminal underground really is. It also shows how it makes a great deal of sense to focus efforts on targeting and disrupting the relatively small number of established hackers who remain the real force multipliers of cybercrime.

The Link Between AWM Proxy & the Glupteba Botnet

The previously unknown state-sponsored group is compromising industrial targets with the ShadowPad malware before burrowing deeper into networks.

A previously unknown Chinese-speaking advanced persistent threat (APT) is exploiting the ProxyLogon Microsoft Exchange vulnerability to deploy the ShadowPad malware, researchers said — with the end goal of taking over building-automation systems (BAS) and moving deeper into networks.

That's according to researchers at Kaspersky ICS CERT, who said that the infections affected industrial control systems (ICS) and telecom firms in Afghanistan and Pakistan, as well as a logistics and transport organization in Malaysia. The attacks came to light in October but appear to date back to March 2021.

"We believe that it is highly likely that this threat actor will strike again and we will find new victims in different countries," according to Kaspersky's Monday analysis.

In this specific spate of attacks, Kaspersky observed a unique set of tactics, techniques, and procedures (TTPs) linking the incidents together, including attackers compromising BAS engineering computers as their initial access point. Researchers noted this is an unusual move for an APT group, despite proof-of-concept malware being available for such platforms.

"Building-automation systems are rare targets for advanced threat actors," said Kirill Kruglov, security expert at Kaspersky ICS CERT, in the alert. "However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures."

The attacks also threaten the physical integrity of buildings, researchers warned. BAS infrastructure unites operational features, such as electricity, lighting, HVAC systems, fire alarms, and security cameras, so they can be managed from a single management console.

"Once a BAS is compromised, all processes within that are at risk, including those relating to information security," according to Kaspersky's alert about the attacks.

In a real-world example of this rare kind of attack, last December a building automation engineering firm suddenly lost contact with hundreds of its BAS devices, including light switches, motion detectors, shutter controllers, and others — after being locked down with the system's own digital security key, which the attackers hijacked. The firm had to revert to manually flipping on and off the central circuit breakers in order to power on the lights in the building.  

**ProxyLogon Leads to ShadowPad Malware in Stealthy Infections**

In many cases, the cyberattackers exploited the ProxyLogon remote code-execution (RCE) vulnerability in MS Exchange (CVE-2021-26855), the firm added. When used in an attack chain, the exploits for these ProxyLogon could allow an attacker to authenticate as the Exchange server and deploy a Web shell so they can remotely control the target server.

ProxyLogon was disclosed in March 2021 after being exploited as a zero-day bug by a Chinese state-sponsored group that Microsoft calls Hafnium — but soon a dizzying array of threat groups piled on to exploit the issue to enable different kinds of attacks.

In this case, once in, the APT deploys the ShadowPad remote access Trojan (RAT) — a popular backdoor and loader used by various Chinese APTs. According to previous analysis from Secureworks, ShadowPad is advanced and modular, first deployed by the "Bronze Atlas" threat group in 2017. "A growing list of other Chinese threat groups have deployed it globally since 2019 in attacks against organizations in various industry verticals," the report noted.

Kaspersky researchers said that in the BAS attacks, "The ShadowPad backdoor was downloaded onto the attacked computers under the guise of legitimate software."

Specifically, the malware originally masqueraded as the mscoree.dll file, which is a Microsoft library file essential for the execution of "managed code" applications written for use with the .NET Framework. As such, the malware was launched by the legitimate AppLaunch.exe application, which itself was executed by creating a task in the Windows Task Scheduler. Last fall, the attackers switched to using the DLL-hijacking technique in legitimate software for viewing OLE-COM objects (OleView). The Windows Task Scheduler is also used in the newer approach. In both cases, using such living-off-the-land tools (i.e., legitimate native software) means that the activity is unlikely to raise any system-intrusion flags.

After the initial infection, the attackers first sent commands manually, then automatically, to deploy additional tools. Researchers said those included the following:

*   The CobaltStrike framework (for lateral movement)
*   Mimikatz (for stealing credentials)
*   The well-known PlugX RAT
*   BAT files (for stealing credentials)
*   Web shells (for remote access to the Web server)
*   The Nextnet utility (for scanning network hosts)

"The artifacts found indicate that the attackers stole domain-authentication credentials from at least one account in each attacked organization (probably from the same computer that was used to penetrate the network)," according to Kaspersky. "These credentials were used to further spread the attack over the network … we do not know the ultimate goal of the attacker. We think it was probably data harvesting."

**How to Protect Against APT Attacks Targeting BAS, Critical Infrastructure**

The attacks develop "extremely rapidly," Kaspersky said, so early-state detection and mitigation is key to minimizing damage. The researchers recommended the following best practices to protect industrial infrastructure, including BAS footprints:

*   Regularly update operating systems and any application software that are part of the enterprise's network. Apply security fixes and patches to operational-technology (OT) network equipment such as BAS, as soon as they are available.
*   Conduct regular security audits of OT systems to identify and eliminate possible vulnerabilities.
*   Use OT network traffic monitoring, analysis, and detection solutions for better protection from attacks that potentially threaten OT systems and main enterprise assets.
*   Provide dedicated OT security training for IT security teams and OT engineers.
*   Provide the security team responsible for protecting ICS with up-to-date threat intelligence.
*   Use layered security solutions for OT endpoints and networks.

Tag

#intel