To minimize the impact of cyber incidents, organizations must be pragmatic and develop a strategy of resilience for dealing with break-ins, advanced malware, and data theft.

The frequency and severity of cyber threats are escalating and will continue to get stronger as cybercriminals pivot from one target to the next to maximize profit potential. Sooner or later, an attack will be successful. This presents a huge risk for businesses that lack sufficient cyber-resiliency preparation to stop the spread and recover quickly.

Cybercriminals are becoming experts in deception, which makes them increasingly difficult to detect. When they infiltrate an organization’s system, the door remains open for them to recode and encrypt a business's data. Once this happens, cybercriminals gain control (of data and systems) and can hold a business's information for ransom.

In addition to the ransom cost, additional costs are incurred following a ransom attack. Of those companies falling victim, 74% report business disruption lasting more than a day, with 28% taking a week or longer to recover from a ransom attack. For many, especially small and midsize companies, the financial and reputational repercussions of recovering from the occurrence can be devastating.

**Cyber-Resilience Framework**

To minimize the impact of cyber incidents, organizations must become pragmatic and develop a cyber-resilience strategy for dealing with the ramifications of cyber incidents. While reducing cyber-risk doesn’t guarantee there will never be a creaky backdoor for cybercriminals to slip in, it decreases the opportunities for attack and can accelerate an organization's recovery rate.

A cyber-resilience framework must include numerous elements of prevention and the ability to recover (if an attack is successful). There are six steps organizations can leverage when creating a multipronged cyber framework to achieve cyber resiliency.

**1\. Identify**

Organizations cannot protect what they have not identified. IT teams must regularly scan the organization's entire IT footprint including endpoints, servers, and cloud applications. This ensures assets as well as potential vulnerabilities are identified before cybercriminals can exploit them.

**2\. Protect**

With the hybrid work model here to stay, employees' remote devices are often the first target for cybercriminals. To mitigate this risk, organizations must ensure employee devices have endpoint protection solutions enabled to ensure cyber intrusions are automatically blocked while still allowing their work routines to be left undisturbed.

**3\. Detect**

While prevention is key to reducing cyber-risks, one thing can be said about cybercriminals: They are persistent. If they meet a closed door, they will try another. Threat intelligence and experience-based detection are essential to prevent a cyberattack attempt from evolving into a major cybersecurity breach.

**4\. Respond**

If a threat is detected in the third step, organizations can find themselves in a harmful spot when considering business continuity. To lessen the impact of a cyber breach, organizations should have a predefined playbook in times of crisis. This step can reduce the period of panic and allow for IT teams and the entire organization to act timely and efficiently when a breach is detected.

**5\. Recover**

In many cases, a cybercriminal will create their own backdoor as they infiltrate an organization's system. This allows cybercriminals to return and continue to collect the information needed to hold a business for ransom. To enable an easy return, organizations need to back up critical servers and endpoints. This allows organizations to recover damaged devices and use their backup file recovery as a lifeline.

**6\. Educate**

This step comes back to cyber protection being only as strong as each remote employee. Cyber awareness is essential when establishing cyber resilience so IT teams need to take the time to educate employees about cybercrime tactics such as phishing and business email compromise. By consistently implementing periodic, easy-to-understand awareness and response training, organizations are one step closer to ensuring cyber resilience and mitigating human risk.

**From Framework to Action**

Unless implemented, a framework is just a blueprint. Organizations must convert a cyber-resilience plan into their cybersecurity infrastructure to ensure effectiveness. Furthermore, leveraging a cyber-resilience framework can act as a confidence assessment guide. Business leaders and IT teams alike must revaluate their action plans to achieve practical cyber-prevention methods for the next time cybercriminals knock at the backdoor.

6 Steps to Ensure Cyber Resilience

DPRK hackers are tricking their way into jobs with western firms. A US government alert reminds employers they're on the front lines—and potentially on the hook.

For more than a decade, North Korean hackers and digital scammers have run wild, pilfering hundreds of millions of dollars to raise funds for the Hermit Kingdom and often leaving chaos in their wake. But while the United States and other governments regularly call out North Korea’s digital espionage operations and issue indictments against their hackers, it has proved more difficult to bring charges for rogue theft and profiteering. North Korea has been under extensive sanctions by the US and other governments for years, but efforts to address the regime’s financial crimes have met with obstacles. 

Last week, the US Treasury, State Department, and Federal Bureau of Investigation jointly issued a 16-page alert warning businesses to guard against a particular scam in which North Korean IT workers apply for freelance contracts—often with wealthy North American, European, and East Asian firms—to generate revenue for their country. The workers pose as IT workers of other nationalities, pretending to be remote workers from South Korea, China, Japan, Eastern Europe, or the US. The alert notes that there are thousands of North Korean IT workers taking on such contracts. Some conduct their work from North Korea itself and others work overseas, mainly out of China and Russia, with small contingents in Southeast Asia and Africa. In some cases, the North Korean scammers themselves sub-contract with other more legitimate workers to enhance their credibility.

“DPRK IT workers can individually earn more than USD 300,000 a year in some cases, and teams of IT workers can collectively earn more than USD 3 million annually,” the alert warns. “DPRK IT workers provide a critical stream of revenue that helps fund the DPRK regime’s highest economic and security priorities, such as its weapons development program.”

When US businesses unknowingly contract with North Koreans, they are violating government sanctions and face legal risk. But the scams are challenging to deal with, since workers typically complete the assignments to earn their compensation. Without vigilance, businesses could be unaware that anything shady is going on.

The alert emphasizes that while businesses need to be aware of the issue so they can comply with sanctions, North Korean IT contractors also sometimes use their access to plant malware and facilitate espionage and intellectual property theft.

“There have been a lot of cases where we’re seeing North Korean actors interviewing for jobs and using that to try to ultimately deploy malware or get into an environment,” says Adam Meyers, vice president of intelligence at the cybersecurity firm CrowdStrike. “The reason this is important is a lot of people don’t consider this threat or write it off as, ‘Oh, North Korea, they’re crazy. They’re not sophisticated.’ And if you’re talking to an actual person, it feels like there’s not going to be a cyber threat in that, but these are human-enabled operations that the North Koreans have gotten really good at, so bringing awareness to this issue is really important.”

North Korean IT workers have thorough training, making detection more difficult, and the alert notes that they have developed software, websites, and other platforms for a variety of sectors, including health and fitness, social networking, sports, entertainment, and lifestyle, along with cryptocurrency and decentralized finance. The workers have the expertise to do IT support and database management, build mobile and web apps, develop cryptocurrency platforms, work in artificial intelligence and virtual reality or augmented reality, and develop facial recognition and biometric authentication tools.

The alert lists a number of “red flag indicators” of a North Korean IT worker scam. Many overlap with general best practices for avoiding online scams, like monitoring for unusual logins or IP addresses and contractors who use suspicious digital accounts to collect payments or require payment in cryptocurrency, submit formulaic job applications and documents rather than personalized ones, and have perfect reviews on hiring websites that were all written within a short time span. 

Incident responders note that while the US government alert offers a helpful level of detail and transparency, it’s still difficult for potential victims to respond meaningfully. 

“The issue is always, whose responsibility is it to protect against these attacks? That’s on individuals and businesses, which often sorely lack the ability to ingest this type of information and make actionable improvements,” says David Kennedy, CEO of the corporate incident response consultancy TrustedSec. “Large companies that have dedicated security teams can use these warnings, but I do really feel that there needs to be a shift toward security for all and helping smaller organizations with defensive positions.”

The alert and other recent government disclosures about North Korean hacking and financial crimes do help raise awareness and likely indicate that the activity is a real and urgent threat. But as Jake Williams, director of cyber threat intelligence at the security firm Scythe puts it, “They have been what I believe to be intentionally vague in recommendations. The more specific they get to businesses, the easier it is for businesses to say that they followed the letter of the instructions and hence have no liability.”

Good Luck Not Accidentally Hiring a North Korean Scammer

DPRK hackers are tricking their way into jobs with Western firms. A US government alert reminds employers they're on the front lines—and potentially on the hook.

For more than a decade, North Korean hackers and digital scammers have run wild, pilfering hundreds of millions of dollars to raise funds for the Hermit Kingdom and often leaving chaos in their wake. But while the United States and other governments regularly call out North Korea’s digital espionage operations and issue indictments against their hackers, it has proved more difficult to bring charges for rogue theft and profiteering. North Korea has been under extensive sanctions by the US and other governments for years, but efforts to address the regime’s financial crimes have met with obstacles.

Last week, the US Treasury, State Department, and Federal Bureau of Investigation jointly issued a 16-page alert warning businesses to guard against a particular scam in which North Korean IT workers apply for freelance contracts—often with wealthy North American, European, and East Asian firms—to generate revenue for their country. The workers pose as IT workers of other nationalities, pretending to be remote workers from South Korea, China, Japan, Eastern Europe, or the US. The alert notes that there are thousands of North Korean IT workers taking on such contracts. Some conduct their work from North Korea itself and others work overseas, mainly out of China and Russia, with small contingents in Southeast Asia and Africa. In some cases, the North Korean scammers themselves sub-contract with other more legitimate workers to enhance their credibility.

“DPRK IT workers can individually earn more than USD 300,000 a year in some cases, and teams of IT workers can collectively earn more than USD 3 million annually,” the alert warns. “DPRK IT workers provide a critical stream of revenue that helps fund the DPRK regime’s highest economic and security priorities, such as its weapons development program.”

When US businesses unknowingly contract with North Koreans, they are violating government sanctions and face legal risk. But the scams are challenging to deal with, since workers typically complete the assignments to earn their compensation. Without vigilance, businesses could be unaware that anything shady is going on.

The alert emphasizes that while businesses need to be aware of the issue so they can comply with sanctions, North Korean IT contractors also sometimes use their access to plant malware and facilitate espionage and intellectual property theft.

“There have been a lot of cases where we’re seeing North Korean actors interviewing for jobs and using that to try to ultimately deploy malware or get into an environment,” says Adam Meyers, senior vice president of intelligence at the cybersecurity firm CrowdStrike. “The reason this is important is a lot of people don’t consider this threat or write it off as, ‘Oh, North Korea, they’re crazy. They’re not sophisticated.’ And if you’re talking to an actual person, it feels like there’s not going to be a cyber threat in that, but these are human-enabled operations that the North Koreans have gotten really good at, so bringing awareness to this issue is really important.”

North Korean IT workers have thorough training, making detection more difficult, and the alert notes that they have developed software, websites, and other platforms for a variety of sectors, including health and fitness, social networking, sports, entertainment, and lifestyle, along with cryptocurrency and decentralized finance. The workers have the expertise to do IT support and database management, build mobile and web apps, develop cryptocurrency platforms, work in artificial intelligence and virtual reality or augmented reality, and develop facial recognition and biometric authentication tools.

The alert lists a number of “red flag indicators” of a North Korean IT worker scam. Many overlap with general best practices for avoiding online scams, like monitoring for unusual logins or IP addresses and contractors who use suspicious digital accounts to collect payments or require payment in cryptocurrency, submit formulaic job applications and documents rather than personalized ones, and have perfect reviews on hiring websites that were all written within a short time span.

Incident responders note that while the US government alert offers a helpful level of detail and transparency, it’s still difficult for potential victims to respond meaningfully.

“The issue is always, whose responsibility is it to protect against these attacks? That’s on individuals and businesses, which often sorely lack the ability to ingest this type of information and make actionable improvements,” says David Kennedy, CEO of the corporate incident response consultancy TrustedSec. “Large companies that have dedicated security teams can use these warnings, but I do really feel that there needs to be a shift toward security for all and helping smaller organizations with defensive positions.”

The alert and other recent government disclosures about North Korean hacking and financial crimes do help raise awareness and likely indicate that the activity is a real and urgent threat. But as Jake Williams, director of cyber threat intelligence at the security firm Scythe puts it, “They have been what I believe to be intentionally vague in recommendations. The more specific they get to businesses, the easier it is for businesses to say that they followed the letter of the instructions and hence have no liability.”

UPDATE July 12, 2022: As part of the response by Microsoft, a defense in depth variant has been found and fixed in the Windows July cumulative updates. Microsoft recommends installing the July updates as soon as possible.
Windows Version Link to KB article LInk to Catalog Windows 8.1, Windows Server 2012 R2 5015805 Download Windows Server 2012 5015805 Download Windows 7, Windows Server 2008 R2 5015805 Download Windows Server 2008 SP2 5015805 Download On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.

**UPDATE July 12, 2022: As part of the response by Microsoft, a defense in depth variant has been found and fixed in the Windows July cumulative updates. Microsoft recommends installing the July updates as soon as possible.**

Windows Version

Link to KB article

LInk to Catalog

Windows 8.1, Windows Server 2012 R2

5015805

Download

Windows Server 2012

5015805

Download

Windows 7, Windows Server 2008 R2

5015805

Download

Windows Server 2008 SP2

5015805

Download

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability. On Tuesday June 14, 2022, Microsoft issued Windows updates to address this vulnerability. Microsoft recommends installing the following KB5015805 for Windows 8.1 and below according to the following table. The defense in depth fix is incorporated into the cumulative updates for Windows 10 and newer.

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

**Workarounds Workarounds**

**To disable the MSDT URL Protocol**

Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:

1.  Run **Command Prompt** as **Administrator**.
2.  To back up the registry key, execute the command “reg export HKEY_CLASSES\_ROOT\\ms-msdt \_filename_”
3.  Execute the command “reg delete HKEY\_CLASSES\_ROOT\\ms-msdt /f”.

**How to undo the workaround**

1.  Run **Command Prompt** as **Administrator**.
2.  To restore the registry key, execute the command “reg import _filename”_

**Microsoft Defender Detections & Protections Microsoft Defender Detections & Protections****Microsoft Defender Antivirus (MDAV) Microsoft Defender Antivirus (MDAV)**

Microsoft Defender Antivirus provides detections and protections for possible vulnerability exploitation under the following signatures using detection build **1.367.851.0** or higher:

*   **Trojan:Win32/Mesdetty.A**
*   **Trojan:Win32/Mesdetty.B**
*   **Behavior:Win32/MesdettyLaunch.A!blk**
*   **Trojan:Win32/MesdettyScript.A**
*   **Trojan:Win32/MesdettyScript.B**
*   **Behavior:Win32/MesdettyPayload.B**
*   **Behavior:Win32/MesdettyLaunch.D**

Customers with Microsoft Defender Antivirus (MDAV) should turn-on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.

**Microsoft Defender for Endpoint (MDE) Microsoft Defender for Endpoint (MDE)**

Microsoft Defender for Endpoint provides customers detections and alerts. The following alert title in the Microsoft 365 Defender portal can indicate threat activity on your network:

*   **Suspicious behavior by an Office application**
*   **Suspicious behavior by Msdt.exe**

Microsoft Defender for Endpoint through its network inspection capabilities created a network-based detection to intercept any possible exploits for this vulnerability over the internal network.

*   **Possible exploitation attempt of CVE-2022-30190**

and since the signatures above for Antivirus are getting expanded to include more scenarios I like to remove the sentences between brackets for each signature

*   **Trojan:Win32/Mesdetty.A** (blocks msdt command line)
*   **Trojan:Win32/Mesdetty.B** (blocks msdt command line)
*   **Behavior:Win32/MesdettyLaunch.A!blk** (terminates the process that launched msdt command line)
*   **Trojan:Win32/MesdettyScript.A** (to detect HTML files that contain msdt suspicious command being dropped)
*   **Trojan:Win32/MesdettyScript.B** (to detect HTML files that contain msdt suspicious command being dropped)

**Microsoft Defender for Office 365 (MDO) Microsoft Defender for Office 365 (MDO)**

Microsoft Defender for Office 365 provides detections and protection for emails containing malicious documents or URL used to exploit this vulnerability:

*   Trojan\_DOCX\_OLEAnomaly\_AC
*   Trojan\_DOCX\_OLEAnomaly\_AD
*   Trojan\_DOCX\_OLEAnomaly\_AE
*   Trojan\_DOCX\_OLEAnomaly\_AF
*   Exploit\_UIA\_CVE\_2022\_30190
*   Exploit\_CVE\_2022\_30190\_ShellExec
*   Exploit\_HTML\_CVE\_2022\_30190\_A
*   Exploit\_Win32\_CVE\_2022\_30190\_B

**FAQ FAQ**

**Q:** Does Protected View and Application Guard for Office provide protection from this vulnerability?

**A:** If the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack.

*   For information about Protected View, see What is Protected View?
*   For information about Application Guard for Office, see Application Guard for Office.

**Q:** Is configuring the GPO setting **Computer Configuration\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\“Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider”** to **“Disabled”** another workaround?

Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ Value Name: DisableQueryRemoteServer Type: REG_DWORD Value: 0

**A:** No, this GPO does not provide protection against this vulnerability. “Interactive communication with support provider” is a special mode MSDT runs in when launched with no parameters which has no impact on MSDT support for URL protocol.

**Q:** Is configuring the GPO setting **Computer Configuration - Administrative Templates - System - Troubleshooting and Diagnostics - Microsoft Support Diagnostic Tool\\“Troubleshooting: Allow users to access recommended troubleshooting for known problems”** to " **Disabled**" another workaround?

**A:** No, enabling or disabling this group policy has no effect on the vulnerable part of Troubleshooter functionality, so it is not a viable workaround.

**Q:** Is blocking MSDT using technologies such as Windows Defender Application Control (WDAC) equivalent to removing MSDT handler “HKEY\_CLASSES\_ROOT\\ms-msdt” a viable workaround?

**A:** Blocking MSDT will prevent all MSDT-based Windows Troubleshooters from launching, such as the Network Troubleshooter, and the Printer Troubleshooter. The recommended workaround disables support for clicking on MSDT links and users can continue to use the familiar Windows Troubleshooters.

**Q** : What Windows versions require the workaround?

**A** : The MSDT URL protocol is available in Windows Server 2019 & Windows 10 version 1809 and later supported versions of Windows. The registry key mentioned in the workaround section will not exist in earlier supported versions of Windows, so the workaround is not required.

We will update CVE-2022-30190 with further information.

The MSRC Team

Revisions:  
06/06/2022 - Added more FAQs.  
06/07/2022 - Added one more question and answer.  
06/07/2022 - Added additional detection information.  
06/14/2022 - Announced updates that address the vulnerability.  
07/12/2022 - Announced defense in depth update availability.

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

Plus: A $150 million Twitter fine, a massive leak from a Chinese prison in Xinjiang, and an ISIS plot to assassinate George W. Bush.

After another week of dismally tragic news and moral failures by the powerful, it's good to know that you can at least depend on the small things, like "privacy-focused" search engine and browser DuckDuckGo resisting the temptation to sell out and help corporations to surveil its users. Oh, wait.

Yes, a security researcher revealed this week that even DuckDuckGo, which markets itself as "the internet privacy company," made an exception for its business partner Microsoft to its browser's blocking of some advertising trackers on websites, sparking accusations of betraying its purported privacy ethos. The milkshake-ducking of DuckDuckGo comes amid a rising awareness of how the stakes of online surveillance are rising as signs grow that the US Supreme Court will overturn _Roe v. Wade_’s protections on abortion rights: A new report this week from the Surveillance Technology Oversight Project laid out all the technological means available to law enforcement and private litigants to surveil those seeking abortions, should _Roe_ be struck down. And more than 40 members of Congress called on Google to stop tracking location data in Android ahead of a potential _Roe_ reversal.

In other privacy news, we looked at how the European Union's General Data Protection Regulation has failed to meaningfully curb Big Tech's privacy abuses four years after its passage. Australia's digital driver’s licenses turn out to be far too easy to forge. China has been saber-rattling with accusations about American cyberespionage. We spoke to the inventor of the browser "cookie" about how to handle cookie settings for privacy—and those ubiquitous cookie-related pop-ups on websites. And we also interviewed the CEO of Protonmail, now rebranded as just Proton, about its ambitions to offer a broader range of privacy-focused services beyond email—hopefully without, ahem, surveillance exceptions for its business partners.

But there's more. As usual, we’ve rounded up all the news that we didn’t break or cover in-depth this week. Click on the headlines to read the full stories. And stay safe out there.

Cybersecurity and privacy researcher Zach Edwards discovered a glaring hole in the privacy protections of DuckDuckGo's purportedly privacy-focused browser: By examining the browser's data flows on Facebook-owned website Workplace.com, Edwards found that the site's Microsoft-placed tracking scripts continued to communicate back to Microsoft-owned domains like Bing and LinkedIn. DuckDuckGo CEO Gabriel Weinberg responded to Edwards on Twitter, admitting that "our search syndication agreement prevents us from stopping Microsoft-owned scripts from loading"—essentially admitting that a partnership deal DuckDuckGo struck with Microsoft includes creating a carveout that lets Microsoft track users of its browsers. Weinberg added that DuckDuckGo is "working to change that." (A company spokesperson reiterated in an email to WIRED Weinberg's assertion that none of this applies to DuckDuckGo search, adding that both its search and its browser offer more privacy protections than the competition.) In the meantime, the revelation blew a glaring hole of its own in the company's reputation as a rare privacy-preserving tech firm. Turns out this surveillance capitalism thing is pretty hard to escape.

Staying on that surveillance capitalism theme, Twitter agreed this week to pay a $150 million fine after the Federal Trade Commission and the US Department of Justice accused it of selling user data that it had collected under the guise of security. Twitter had asked users to share the emails and phone numbers for security purposes, such as two-factor authentication and account recovery, but had ultimately sold the data to advertisers seeking to target ads to its users. That bait-and-switch violated an agreement Twitter made with the FTC in 2011 after earlier privacy misbehavior.

If the world had any doubts that China's"re-education camps" for Muslim minorities in its Xinjiang region were in fact prisons with euphemistic names, a massive leak known as the Xinjiang Police Files should correct that delusion. The leak, provided by an unknown source to researcher Adrien Zenz, who in turn provided the info to a group of global media outlets, includes a vast collection of tens of thousands of internal files, manuals, and even detailed photos revealing life in one of Xinjiang's prisons. The files reveal, for instance, shoot-to-kill orders for any prisoner attempting to escape the camps, and guidelines for shackling the inmates when they're transferred between different parts of the facility—hardly the practices of a "vocational school," as China describes the camps to the world. It also includes photos of the camp's detainees, who were as young as 15 and as old as 73, often jailed for years without trial for offenses as simple as studying Islamic texts.

In a strange replay of events from 2016, Google researchers and the UK government revealed that a site publishing leaked documents from a group of pro-Brexit UK politicians was, in fact, created by Russia-based hackers. The site, called Very English Coop d'Etat, described its collection of leaked emails as coming from an influential group of hardline right-wing Brexit supporters, including former MI6 head Richard Dearlove. But Google's Threat Analysis Group told Reuters that the site appears to have been created by a Russian hacker group it calls Cold River. Former UK intelligence head Dearlove cautioned that the leak of his emails should be understood to be a Russian influence operation, especially given the West's current icy relations with Russia over its illegal and unprovoked invasion of Ukraine.

An accidentally unsealed warrant, spotted by Forbes, revealed that an Iraqi man had allegedly sought to assassinate former president George W. Bush in Dallas, going so far as to take video of Bush's home in November. According to the warrant, the FBI says it foiled the plot through the use of a confidential informant and surveillance of the would-be assassin's WhatsApp messages' metadata. The case shows how, despite law enforcement's claims that end-to-end encryption can stymy its investigations, the FBI has managed to monitor encrypted apps like WhatsApp and even penetrate communications on them through the use of undercover informants.

DuckDuckGo Isn’t as Private as You Think

The Chaos ransomware-builder was known for creating destructor malware that overwrote files and made them unrecoverable -- but the new Yashma version finally generates binaries that can encrypt files of all sizes.

The Chaos malware-builder, which climbed up as a wiper from the underground murk nearly a year ago, has shape-shifted with a rebranded binary dubbed Yashma that incorporates fully fledged ransomware capabilities.

That's according to researchers at BlackBerry, who say that Chaos is on track to become a significant threat to businesses of every size.

Chaos began life last June purporting to be a builder for a .NET version of the Ryuk ransomware – a ruse its operators leaned into hard, even using Ryuk branding on its user interface. However, a Trend Micro analysis at the time showed that binaries created with this initial version shared very little heritage with the well-known ransomware baddie. Instead, the sample was “more akin to a destructive trojan than to traditional ransomware,” the firm noted – mainly overwriting files and rendering them unrecoverable.  

BlackBerry researchers noted the same. Rather than using Ryuk’s AES/RSA-256 encryption process, the "initial edition of Chaos overwrites the targeted file with a randomized Base64 string," according to BlackBerry's new report. "Because the original contents of the files are lost during this process, recovery is not possible, thus making Chaos a wiper rather than true ransomware."

After putting the builder out in underground forums and catching plenty of snark and flak by fellow Dark Web denizens for hijacking the Ryuk brand, the group consequently named itself Chaos. The malware also cycled rapidly through several different versions, each with incremental changes that gave it more and more true ransomware capabilities. However, the wiper functionality persisted through version four.

"Based on the forums, the original ransomware is believed to be developed by a solo author," Ismael Valenzuela, vice president of threat research & intelligence at BlackBerry’s Cybersecurity Business Unit, tells Dark Reading. "This author appears new to the ransomware scene, as they were requesting feedback, bug reports, and feature requests, and the early releases were missing basic features, such as multi-threading, which are common in other ransomware."

**Inside the Chaos**

Chaos targets more than 100 default file extensions for encryption and also has a list of files it avoids targeting, including .DLL, .EXE, .LNK, and .INI – presumably to prevent crashing a victim’s device by locking up system files.

In each folder affected by the malware, it drops the ransom note as “read\_it.txt.”

"This option is highly customizable within all iterations of the builder, giving malware operators the ability to include any text they want as the ransom note," according to BlackBerry's analysis. "In all versions of Chaos Ransomware Builder, the default note stays relatively unchanged, and it includes references to the Bitcoin wallet of the apparent creator of this threat."

Over time, the malware has added more sophisticated capabilities, such as the ability to:

*   Delete shadow copies
*   Delete backup catalogs
*   Disable Windows recovery mode
*   Change the victim’s desktop wallpaper
*   Customizable file-extension lists
*   Better encryption compatibility
*   Run on startup
*   Drop the malware as a different process
*   Sleep prior to execution
*   Disrupt recovery systems
*   Propagate the malware over network connections
*   Choose a custom encryption file-extension
*   Disable the Windows Task Manager

Actual encryption capabilities (using AES-256) have been included only since the third version of the malware; even then, the builder could only encrypt files smaller than 1MB. It was still acting as a destructor for large files (such as photos or videos).

"The code is written in such a way that the wiper function is certainly not accidental. It's unclear why the authors made this choice," Valenzuela says. "It's possible the malware authors made the decision for performance reasons. If the malware was working slowly through a directory of multi-GB videos or database files, there's a small chance the user might notice and be able to power off the device."

**Chaos, Version Four: 'Onyx' Ransomware, Still With Wiper**

Though version four of the Chaos builder was released late last year, it got a boost when a threat group named Onyx created its own ransomware with it last month. This version quickly became the most common Chaos edition directly observed in the wild today, according to the firm. Notably, while the ransomware was improved to be able to encrypt slightly larger files – up to 2.1MB in size – larger files are still overwritten and destroyed.

The latest attacks have been directed toward US-based services and industries, including emergency services, medical, finance, construction, and agriculture, according to BlackBerry.

"This particular threat group \[infiltrates\] a victim organization's network, \[steals\] any valuable data it found, then would unleash 'Onyx ransomware,' their own branded creation based on Chaos Builder v4.0," researchers said – something researchers were able to verify with sample tests that showed a 98% code match to a test sample generated via Chaos v4.0. The only changes were a customized ransom note and a refined list of file extensions.

Onyx has also implemented a leak site called “Onyx News” hosted on the Tor network, with information about its victims and publicly viewable stolen data. The site is also used to give victims more information on how to recover their data.

"The best advice we could offer companies \[targeted with the Onyx wiper\] is to maintain regular backups, which are stored separately, and to not pay the ransom as most of their files are not recoverable due to design," says Valenzuela. "Again, proper incident command is paramount, something that is always better planned in advance."

**Chaos Wiper Reined in With Yashma**

In early 2022, Chaos released a fifth version of its builder, which finally generated ransomware binaries capable of encrypting large files without irretrievably corrupting them.

"Though slower to complete its malicious tasks on the victim device than when it was simply destroying files, the malware finally operates as expected, with files of all sizes being properly encrypted by the malware and retaining the potential to be restored to their former unencrypted state," researchers noted.

A nearly identical sixth iteration soon followed in mid-2022 – renamed Yashma.

"Malware-as-a-service \[MaaS\] is a popular model these days; however, a unique selling point for Chaos is that up until the rebrand to Yashma, all releases have been free," Valenzuela notes. "That said, the Yashma versions are still only $17, making the ransomware widely accessible."

Yashma incorporates two advances over the fifth version: the ability to prevent the ransomware from running depending on the language set on the victim device, and the ability to stop various services.

Regarding the latter, Yashma terminates the following:

*   Antivirus (AV) solutions
*   Vault services
*   Backup services
*   Storage services
*   Remote Desktop services

Both of these versions have seen little action in the wild to date – meaning that Chaos ransomware attacks will most often incorporate a destructive wiper dimension. But it's likely that binaries based on all of the iterations of the builder will become more common over time.

"What makes Chaos/Yashma dangerous going forward is its flexibility and its widespread availability," researchers noted in the report. "As the malware is initially sold and distributed as a malware builder, any threat actor who purchases the malware can replicate the actions of the threat group behind Onyx, developing their own ransomware strains and targeting chosen victims."

**Every Business Is a Target**

Valenzuela points out that with Chaos, the level of technical expertise required to use it is relatively low, the builder is free, and the steps required to generate a binary of one's own are straightforward.

"No organization or industry is exempt from this risk," he said. "Every business needs to have a good defensive strategy – including a tested defensible architecture with a combination of technologies that provide prevention, visibility, and detection coverage, as well as continuous monitoring augmented with up-to-date threat intelligence – to respond early in the attack chain."

Valenzuela adds, "We have seen how many businesses have been compromised for days or weeks before the detonation of the ransomware payloads, so being able to respond to threats quickly is paramount to lessen the impact of these attacks."

New Chaos Malware Variant Ditches Wiper for Encryption

The Colonial Pipeline attack highlighted the risks of convergence. Unified security provides a safer way to proceed.

This month marks the first anniversary of the Colonial Pipeline shutdown — a hugely impactful ransomware attack against critical US infrastructure that has had significant diplomatic and legislative consequences. Among the numerous talking points the attack raised was the issue of IT/OT convergence.

The attack, orchestrated by ransomware group DarkSide, targeted the pipeline's IT billing systems rather than its operation technology (OT), but Colonial was still forced to shut down physical operations for several days. Despite its oil-pumping systems retaining functionality, Colonial believed the risk of continuing operations with an IT compromise was too great. This was largely due to the proximity of its IT and OT systems: Had the attackers moved laterally to the company's operational networks, they could have imposed a longer and more costly shutdown, potentially tampering with safety mechanisms and damaging equipment — even endangering the pipeline's employees.

The risk of IT attacks spilling over into OT has grown as the organizations operating these systems look to gain an edge over their competitors. IT/OT convergence makes industrial control systems (ICS) cheaper, easier to manage, and more rapidly available to different administrators. At the same time, as the Colonial Pipeline instance showed us, it presents new risks and avenues for cyber disruption.

This is partly because most OT security tools today look at industrial systems in isolation — as a disconnected silo, separate to the rest of the business. The same is true of network security, email systems, and the cloud. And when many of these tools were being developed, there was nothing wrong with this approach. But as these digital environments converge, relying on disjointed point solutions to stop cyberattacks isn't effective, especially because a single attack can now target and traverse multiple fields of operation.

By unifying their security stack, defenders can use IT/OT convergence to their advantage and turn vulnerability into strength.

This requires a move away from tools trained on historical attacks and toward self-learning technology that can learn its digital surroundings from scratch, without any prior assumptions. By understanding the unique behavior of every IT and OT device — no matter how bespoke or complex the technology — this approach enables the detection of novel threats. By definition, a cyberattack causes a machine or user account to behave in a way it normally does not, and these deviations can be picked up, no matter where they appear.

**How Ransomware Groups Exploit IT/OT Convergence**

The risk of connecting cloud platforms to ICS was demonstrated in an attack against a European OT R&D investment firm last year.

Two of the firm's Industrial Internet of Things (IIoT) devices, which ran Windows OS and made regular connections to an industrial cloud platform, were compromised when they used the server message block (SMB) protocol to connect to an infected domain controller and read a malicious executable file. Security teams are often stymied by IIoT devices, which can lack CPUs, traditional operating systems, or sufficient disk space for putting security measures in place.

A malicious payload lay dormant for almost a month within the two IIoT devices, one of which was a human-machine interface (HMI) and the other an ICS historian. Darktrace's investigation showed that, while network segregation was sufficient to stop the attack's command-and-control (C2) communications on the HMI device, connections from the ICS historian reached around 40 unique external endpoints.

Both devices then wrote suspicious shell scripts to network servers and, finally, used SMB to encrypt files stored in network shares. A ransomware note was written by the ICS to targeted devices, and the attack was complete. This kind of attack life cycle, which demonstrates the limitations of network segregation and air-gapping, has been the basis for widespread concerns around IT/OT convergence.

No signatures or threat intelligence were associated with this attack, and so it flew under the radar of the company's traditional security tools. Only through self-learning technology from Darktrace was the security team able to gain full visibility into the attack.

**Riding the Changing Tides**

Reference architectures that rely on air-gapping ICS from IT are increasingly incompatible with the technological advancements many organizations are making in order to remain competitive. If attackers no longer view IT and OT as distinct, partitioned regions, neither should security teams.

It is possible for businesses to safely embrace interconnectivity, with all of its advantages, by adopting security that learns the business from the ground up to address sophisticated threats across both their IT and OT environments.

Unified security efforts reflect the reality of converging systems and ensure that no gaps are left for attackers to exploit. When the entire digital environment can be viewed through a single pane of glass and no single, exploitable system is left without protection, organizations will be able to interconnect systems without taking on undue risk.

Taking the Danger Out of IT/OT Convergence

Cisco Talos discovered eight vulnerabilities in the Open Automation Software, two of them critical, that pose risk for critical infrastructure networks.

Cisco Talos discovered eight vulnerabilities in the Open Automation Software, two of them critical, that pose risk for critical infrastructure networks.

Critical flaws in a popular platform used by industrial control systems (ICS) that allow for unauthorized device access, remote code execution (RCE) or denial of service (DoS) could threaten the security of critical infrastructure.

Researchers Jared Rittle of Cisco Talos discovered a total of eight vulnerabilities—two of them critical–in the Open Automation Software (OAS) Platform, the most serious of which allows an attacker to execute arbitrary code on a targeted machine, according to a blog post published this week. The flaws affect Open Automation Software OAS Platform, version 16.00.0112.

OAS—offered by a company of the same name–makes it easy to transfer data between proprietary devices and applications, including both software and hardware. At its core is what’s called a Universal Data Connector, which allows the “movement and transformation of data for critical business processes like machine learning, data mining, reporting and data visualization,” according to the OAS website.

The OAS Platform is widely used in systems in which a range of disparate devices and software need to communicate, which is why it’s often found in ICS to connect industrial and IoT devices, SCADA systems, network points, and custom apps and APIs, among other software and hardware. Some companies using the platform include Intel, Mack Trucks, the U.S. Navy, JBT AeroTech and Michelin.

****Critical Infrastructure at Risk****

The OAS Platform’s presence in these systems is why the flaws can be incredibly dangerous, observed one security professional, noting that these devices are often those responsible for the operation of highly sensitive processes involved in critical industries like utilities and manufacturing.

“An attacker with the ability to disrupt or alter the function of those devices can inflict catastrophic damage on critical infrastructure facilities,” Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel, wrote in an email to Threatpost.

What can be especially dangerous in ICS attacks is that they may not be immediately obvious, which can make them hard to detect and allow them to inflict significant damage while operators are none the wiser, he said.

Clements cited the now-infamous Stuxnet worm that propagated more than 10 years ago as an example of how much destruction an ICS threat can cause if it flies under the radar.

Stuxnet “was a case study on these risks, as it didn’t immediately break the industrial control devices it targeted but altered their function in such a way to cause critical industrial components to eventually catastrophically fail, all while falsely reporting back to monitoring systems that everything was operating normally,” he said.

** **The Vulnerabilities****

Of the flaws in OAS discovered by Cisco Talos, the one with the most critical rating on the CVSS (9.4) is being tracked as CVE-2022-26833, or TALOS-2022-1513. It’s an improper authentication flaw in the REST API in OAS which could allow an attacker to send a series of HTTP requests to gain unauthenticated use of the API, researchers said.

However, what’s being deemed by researchers as the most serious of the flaws earned a 9.1 rating on the CVSS and is being tracked as CVE-2022-26082, or TALOS-2022-1493. CVE-2022-26082 is a file write vulnerability in the OAS Engine SecureTransferFiles functionality that could allow an attacker to execute arbitrary code on the targeted machine through a specially-crafted series of network requests.

The other vulnerabilities that Cisco Talos discovered earned ratings of high severity. The flaw that could lead to DoS is being tracked as CVE-2022-26026 or TALOS-2022-1491, and is found in the OAS Engine SecureConfigValues functionality of the platform. It can allow an attacker to create a specially-crafted network request that can lead to loss of communications.

Two other vulnerabilities, CVE-2022-27169 or TALOS-2022-1494 and CVE-2022-26067 or TALOS-2022-1492, can allow an attacker to obtain a directory listing at any location permissible by the underlying user by sending a specific network request, researchers wrote.

Another information disclosure vulnerability tracked as CVE-2022-26077 or TALOS-2022-1490, works in the same way, researchers said. However, this flaw also provides the attacker with a list of usernames and passwords for the platform that could be used in future attacks, they said.

The other two vulnerabilities could allow an attacker to make external configuration changes, including the ability to create a new security group and/or new user accounts arbitrarily on the platform. They are being tracked as CVE-2022-26303 or TALOS-2022-1488, and CVE-2022-26043 or TALOS-2022-1489.

****Updates Urged, but May Take Time****

Cisco Talos worked with OAS to resolve the issues and urged those affected to update as soon as possible. Affected users also can mitigate the flaws by ensuring that proper network segmentation is in place which will give adversaries a low level of access to the network on which the OAS Platform communicates, researchers noted.

Although updating systems is the best way to protect against potential attacks when vulnerabilities exist, it’s not often a quick and easy task, especially for ICS operators, security experts noted.

In fact, due to the nature of the systems, it’s an “immensely disruptive” task to take industrial systems offline, which is why ICS patches are often delayed for months or years, Clements said.

Critical Flaws in Popular ICS Platform Can Trigger RCE

Microsoft Dev Box will make it easier for developers and hybrid teams to get up and running with workstations already preconfigured with required applications and tools.

Microsoft's cloud-based developer workstation comes preconfigured with all of the required applications so that developers and hybrid teams have access to everything they need directly through the Web browser.

Microsoft Dev Box is a virtual machine that provides developers with a "ready-to-code" workstation, Microsoft said this week during Build 2022, its annual developer conference. Teams can configure images, assign or remove team members, and start coding on a new project without first dealing with a complex and time-consuming set-up process.

Application testing becomes easier, since each Dev Box can be set up to re-create a specific customer environment. Developers who have to support multiple versions of the same software can have multiple Dev Boxes and switch back and forth between different environments. There is no need to worry about software conflicts and dependency issues, the company says.

Dev Box is based on the same cloud foundations as Windows 365, which offers users Windows machines in the cloud. As a result, Dev Box has similar security benefits as Windows 365 Cloud PC, such as the fact that workstations will automatically be fixed up with the latest security updates and administrators can apply Azure’s access control and authentication policies to control how developers access Dev Box. IT administrators can manage Dev Boxes and Cloud PCs together in Microsoft Intune and Microsoft Endpoint Manager, wrote Kathleen Mitford, corporate vice president of Azure Marketing, on the Azure blog.

Dev Box can wind up making it easier to securely manage remote development teams. Since the developer is going through the Web browser to access the workstation, security teams don’t have to worry about the security of the physical device the developer is using or whether source code and other corporate intellectual property are being downloaded onto a personal device.

While Microsoft did not announce an exact release data for Dev Box, there is a waiting list for private preview.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#intel