Threat Intel

Qakbot: The Evil Duck Reappears

Qakbot malware, also known as Qbot, has remained a persistent and formidable adversary since the mid-2000s, when it emerged as a banking Trojan. It has evolved and adapted itself against cyber defences to stay on the list of top malware for over a decade.

The Genesis of Qakbot

First identified in 2008, Qakbot was designed to steal financial data and confidential information from compromised systems. Earlier versions used key-logging and web traffic analysis to get hold of this sensitive data. It is also known as Pinkslipbot. It is a second-stage malware which requires an initial access technique, like phishing, as a first stage.

Infrastructure

Qakbot uses a layered infrastructure for its Command and Control servers. Threat actors typically host these servers through providers who lease them out; consequently, these providers generally avoid cooperating with law enforcement agencies to shut them down. The graph below depicts the malware’s C2 structure. Tier 1 nodes are a subset of infected systems chosen as supernodes that relay communication with victim computers. Supernodes were present in 63 countries. The intermediary nodes act as proxies between the main C2 server and the infected machines to cover the operators’ tracks.

Qakbot C2 Server Tiers (CISA)

Evolutionary Phases

Over the years, the malware has undergone several evolutionary phases, showcasing its adaptability and resilience to security measures. It evolved from a basic banking Trojan to a multifunctional threat capable of employing various attack vectors, including exploit kits, phishing emails, and lateral movement within networks. One significant evolutionary leap involved the integration of worm-like capabilities, enabling Qakbot to propagate across networks swiftly. It utilized brute force techniques to spread laterally, infecting interconnected devices and networks, amplifying its impact and complicating mitigation efforts.

Ransomware Gangs using Qakbot

Various financially motivated ransomware groups are known to use Qakbot as an infection vector. The list includes Conti, ProLock, Egregor, REvil, MegaCortex, Black Basta and Royal.

FBI-Led Law Enforcement Agencies Take Down Qakbot

In August 2023, the FBI, in collaboration with other law enforcement agencies, took down Qakbot’s infrastructure and seized bitcoin worth about $8.6 million. The operation identified over 700,000 machines infected with the malware, of which 200,000 were in the US. Redirecting the malicious traffic to a controlled environment made it possible to take down the malware network by instructing the infected machines to download an uninstaller.

Qakbot Returns

About 3 months after the takedown, in December 2023, Microsoft Threat Intelligence reported phishing campaigns connected to Qakbot. On its return the primary target was the hospitality sector. The phishing email masqueraded as the IRS, as shown in the image below.

Qakbot Phishing Email (Microsoft)

Conclusion

Qakbot has been around for a long time and its roots are strong. It is operated by cybercriminals from Eastern Europe. According to a report published by Checkpoint, Qakbot was the most prevalent malware in multiple regions globally.

Top Malware Groups (Checkpoint)

The malware targeted multiple sectors.

Impacted Sectors (Checkpoint)

Although the infrastructure has been taken down, the individuals responsible for the malware and their connections continue to persist. They will learn their lessons and make a comeback. As cybercriminals grow stronger, the security solutions also advance. Therefore, prepare for such attacks by implementing and maintaining robust security measures.

LockBit 3.0 and Citrix Bleed Vulnerability (CVE-2023-4966)

The Cybersecurity and Infrastructure Security Agency (CISA) issued an important advisory focusing on LockBit 3.0 ransomware, which exploits the CVE-2023-4966 vulnerability, also known as Citrix Bleed. LockBit 3.0 targets various critical sectors and uses Citrix Bleed to bypass multifactor authentication (MFA). The vulnerability is in Citrix NetScaler ADC and Gateway appliances.

Citrix Bleed vulnerability is exploited by affiliates of LockBit 3.0. This vulnerability enables attackers to circumvent password protocols and multifactor authentication (MFA). As a result, they can hijack legitimate user sessions on Citrix NetScaler ADC and Gateway systems. By gaining control of these sessions, the attackers obtain higher access levels, allowing them to gather credentials, navigate across the network, and access various data and resources.

Affected Citrix NetScaler Versions

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC and NetScaler Gateway version 12.1 (EOL)
  • NetScaler ADC 13.1FIPS before 13.1-37.163
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300
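To apply the affected-version list above to an appliance inventory, here is an added Python example (my own, not from CISA’s advisory or from Citrix). It assumes version strings have been normalised to the form "<major>.<minor>-<build>.<sub>" with an optional FIPS/NDcPP tag; the hostnames and versions in the sample inventory are constructed.

```python
import re

# Minimum fixed build per (release line, variant) for CVE-2023-4966, taken from the
# affected-version list above. The plain 12.1 line is end of life and has no fix.
FIXED_BUILDS = {
    ("14.1", ""):      (14, 1, 8, 50),
    ("13.1", ""):      (13, 1, 49, 15),
    ("13.0", ""):      (13, 0, 92, 19),
    ("13.1", "FIPS"):  (13, 1, 37, 163),
    ("12.1", "FIPS"):  (12, 1, 55, 300),
    ("12.1", "NDcPP"): (12, 1, 55, 300),
}

# Assumed input shape: "<major>.<minor>-<build>.<sub>" plus an optional FIPS/NDcPP tag,
# e.g. "13.1-48.47" or "12.1-55.100 FIPS". Normalise real `show ns version` output to
# this form first; this regex is an assumption, not Citrix's own format.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)(?:[ -]?(FIPS|NDcPP))?$", re.IGNORECASE)
VARIANTS = {"fips": "FIPS", "ndcpp": "NDcPP", "": ""}

def parse_version(text):
    """Return ((major, minor, build, sub), variant) or raise ValueError."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    numbers = tuple(int(x) for x in m.groups()[:4])
    variant = VARIANTS[(m.group(5) or "").lower()]
    return numbers, variant

def assess(text):
    """Classify one appliance: 'patched', 'vulnerable', 'unsupported' or 'unknown'."""
    numbers, variant = parse_version(text)
    line = f"{numbers[0]}.{numbers[1]}"
    if line == "12.1" and variant == "":
        return "unsupported"   # EOL: listed as affected, no fixed build will ship
    fixed = FIXED_BUILDS.get((line, variant))
    if fixed is None:
        return "unknown"       # release line not covered by the advisory list
    return "patched" if numbers >= fixed else "vulnerable"

def triage(inventory):
    """Map {hostname: version string} to the hosts that still need action."""
    return {host: status for host, version in inventory.items()
            if (status := assess(version)) != "patched"}

if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = {
        "ns-edge-01": "13.1-48.47",
        "ns-edge-02": "13.1-49.15",
        "ns-fips-01": "12.1-55.100 FIPS",
        "ns-old-01":  "12.1-65.25",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

A host reported as "unknown" is on a release line the advisory does not list, so it needs a manual check rather than being treated as safe.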

Indicators of Compromise (IOC)

IP Addresses

  • 192.229.221[.]95: Calls out to this IP address are made by Mag.dll. It ties back to dns0.org.
  • 193.201.9[.]224: An FTP to this Russian geolocated IP from a compromised system.
  • 62.233.50[.]25: Another Russian geolocated IP.
  • 51.91.79[.]17: Associated with Temp.sh IP.
  • 70.37.82[.]20: Seen from a known compromised account reaching out to an Altera IP address.
  • 185.17.40[.]178: Teamviewer LockBit C2, linked to a Polish service provider.
  • 172.67.129[.]176 and 104.21.1[.]180: Used to download obfuscated toolsets.

Tools

Remote Administration: TeamViewer, AnyDesk, Splashtop.

Network Scanning and Command Execution: Plink.exe, Netscan.exe.

PowerShell Scripts: 123.ps1

Persistence Mechanism

Scheduled Tasks: \MEGA\MEGAcmd, UpdateAdobeTask

MITRE ATT&CK Tactics and Techniques

  • T1082 – System Information Discovery: Threat actors will attempt to obtain information about the operating system and hardware, including versions and patches.
  • T1556.006 – Modify Authentication Process: Multi-Factor Authentication: Threat actors leverage vulnerabilities found within CVE- to compromise, modify, and/or bypass multifactor authentication to hijack user sessions, harvest credentials, and move laterally, which enables persistent access.
  • T1539 – Steal Web Session Cookie: Threat actors with access to valid cookies can establish an authenticated session within the NetScaler appliance without a username, password, or access to multifactor authentication (MFA) tokens.
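The T1539 behaviour above (a valid session used without the password or MFA step that should have created it) is something a defender can hunt for in authentication logs. The following is an added Python example of that detection logic, written for this page and not taken from CISA or Citrix; it runs over constructed key=value events that only stand in for real NetScaler syslog, using RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified key=value form; these are NOT real NetScaler
# syslog lines, and the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2023-11-10T08:01:12Z type=auth_ok user=alice session=s1f3a9 src=203.0.113.5 mfa=yes
2023-11-10T08:01:15Z type=session_use user=alice session=s1f3a9 src=203.0.113.5
2023-11-10T08:40:02Z type=session_use user=alice session=s1f3a9 src=198.51.100.77
2023-11-10T09:05:44Z type=auth_ok user=bob session=b7c2d0 src=192.0.2.10 mfa=yes
2023-11-10T09:06:01Z type=session_use user=bob session=b7c2d0 src=192.0.2.10
2023-11-10T09:10:30Z type=session_use user=carol session=c9e8f1 src=198.51.100.77
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")

def parse_event(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict."""
    ts, rest = LINE_RE.match(line).groups()
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = ts
    return event

def find_session_hijacks(log_text):
    """Flag session uses that no authentication event explains.

    A stolen token (the outcome of Citrix Bleed) shows up as a valid session being used
    from a source address that never passed password+MFA for it, or as a session that is
    used without any authentication at all in the window being examined.
    """
    authed_from = defaultdict(set)   # session token -> sources that authenticated it
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["type"] == "auth_ok":
            authed_from[ev["session"]].add(ev["src"])
        elif ev["type"] == "session_use" and ev["src"] not in authed_from[ev["session"]]:
            reason = ("session reused from a new source" if authed_from[ev["session"]]
                      else "session never authenticated in window")
            findings.append({"ts": ev["ts"], "user": ev["user"], "session": ev["session"],
                             "src": ev["src"], "reason": reason})
    return findings

def suspect_sources(findings):
    """Group findings by source: one address touching several users' sessions is a strong signal."""
    by_src = defaultdict(set)
    for f in findings:
        by_src[f["src"]].add(f["user"])
    return dict(by_src)

if __name__ == "__main__":
    hits = find_session_hijacks(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} user={h['user']} src={h['src']} -> {h['reason']}")
    for src, users in suspect_sources(hits).items():
        print(f"{src} touched sessions of {sorted(users)}")
```

Users behind NAT or on mobile networks change source addresses legitimately, so treat a single "new source" finding as a triage lead and the per-source grouping (one address across several users) as the stronger indicator.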

More actionable intelligence can be obtained from the AlienVault OTX Pulse.

LockBit Ransomware Surge in 2023: A Record-Breaking Menace

LockBit has become one of the most prominent ransomware threats globally, maintaining a high profile into 2023. Originally emerging as a ransomware variant, it has evolved into a Ransomware-as-a-Service (RaaS) model, which allows affiliates to deploy the LockBit ransomware in exchange for a share of the ransom payments. This has led to a proliferation of attacks by various unconnected threat actors using LockBit in their operations. The business model has attracted numerous affiliates and allows for a decentralized network of attackers executing a wide range of attacks globally. This transition marks a shift in cybercriminals’ methods: they now leverage the ‘service’ aspect to scale operations and maximize impact.

LockBit 3.0: The New Face of Affiliate-Based Ransomware

The advent of LockBit 3.0 is a testament to the ransomware’s enduring adaptability and sophistication. As a continuation of its predecessors, this version comes with enhanced encryption algorithms and more robust mechanisms to avoid detection. Its affiliate program further incentivizes cybercriminals to join their ranks, offering a cut of the ransom profits in exchange for spreading the ransomware, thereby increasing its reach and potency. Reports also indicate that this version includes a self-spreading feature, potentially increasing the infection’s speed and scale across networks.

Exploiting Vulnerabilities: The Citrix Bleed Case

LockBit exploited vulnerabilities in Citrix systems. They specifically targeted unauthenticated remote buffer overflow vulnerabilities. This allowed for arbitrary code execution on vulnerable Citrix devices. The ransomware group used this exploit to gain initial network access. They then pivoted to critical assets and deployed their payload. This situation emphasizes the need for robust intrusion detection systems. It also highlights the importance of rapid incident response protocols.

High-Profile Targets: The Boeing Data Breach

The breach of aerospace giant Boeing highlighted LockBit’s capabilities. It showed their ability to perform extensive network reconnaissance. They maintained persistence and exfiltrated large volumes of data undetected over time. The leak of proprietary engineering schematics and project files was significant. It underscored LockBit’s status as an advanced persistent threat (APT). This incident demonstrated their skill in planning and executing targeted attacks.

Defensive Strategies: Mitigating the Ransomware Threat

To counteract LockBit’s technical prowess, enterprises must employ several strategies: implementing endpoint detection and response (EDR) solutions, regularly updating intrusion prevention systems (IPS), and using network segmentation to limit lateral movement. LockBit’s affiliate program incentivizes cybercriminals to spread the ransomware by offering a share of the ransom profits, which increases the ransomware’s reach and potency. Furthermore, recent reports suggest this version includes a self-spreading feature, which could escalate the infection’s speed and scale across networks.

Threat of Malvertising in the Cybersecurity Landscape

A complex threat known as “Malvertising” (a blend of malicious and advertising) has emerged as internet advertising has grown. This tactic exploits digital ad networks to distribute malware.

The Mechanism of Malvertising

Malvertising involves injecting malicious code into legitimate advertising networks and websites. Unlike traditional malware distribution methods, malvertising does not require user interaction such as clicking on the ad. Simply loading an infected webpage can trigger the download of malware, making it an insidiously passive attack vector.

Key Techniques

  • Exploit Kits: Used to scan for vulnerabilities in browsers, plugins, and applications, and then exploit these to deliver malware.
  • Drive-by Downloads: Unwittingly downloading malware by visiting a compromised website.
  • Phishing via Ads: Displaying ads that mimic legitimate services to deceive users into providing sensitive information.

Indicators of Compromise (IOC)

  • Suspicious Ad Traffic: Anomalies in ad traffic, such as unexpected redirections or spikes in ad requests.
  • Unusual Domain Generation Algorithms (DGA): Use of dynamically generated domain names often associated with botnet communications.
  • Uncommon JavaScript: Presence of obfuscated JavaScript code in ads or on web pages.

Indicators of Attack (IOA)

  • Browser Vulnerabilities: Attempts to exploit browser or plugin vulnerabilities.
  • Spear Phishing: Targeted phishing campaigns using malvertising as the delivery mechanism.
  • Anomalous Network Patterns: Unusual outbound network traffic patterns or connections to known bad domains.

Implications and Risks

Malvertising poses a significant threat as it:

  • Bypasses Traditional Security Measures: It can evade antivirus software and web filters since it originates from legitimate sites.
  • Affects Reputed Websites: High-traffic, reputable websites can unknowingly host malvertising, affecting a wide user base.
  • Facilitates Multiple Attack Vectors: It can serve as a launchpad for various attacks, including ransomware, spyware, and financial fraud.

Recent attacks using Malvertising

Media Trust Malvertising Incident(2022): In this incident, a significant malvertising campaign targeted multiple high-traffic websites. The attackers cleverly manipulated ad content to bypass traditional security measures. Upon clicking the malicious ads, users were redirected to websites hosting phishing schemes and malware, showcasing the continuous innovation in tactics.

‘Fallback’ Campaign(2023): Early in 2023, a sophisticated operation, dubbed the ‘Fallback’ campaign, emerged. It involved exploiting vulnerabilities in popular content management systems. This campaign was notable for its use of polymorphic malware – malware that changes its identifiable features to evade detection – making it particularly challenging to track and mitigate.

Exploit Kit Resurgence(2023): In a notable return to classic techniques, several high-profile websites fell victim to exploit kits delivered through malicious ads in 2023. These kits actively exploited browser vulnerabilities, especially in users who were not keeping their software up-to-date, underscoring the persistent threat posed by exploit kits in malvertising.

Mobile Malvertising Surge (2023): A surge in targeting mobile devices was observed, exploiting the increasing use of smartphones for web browsing. These attacks often masqueraded as legitimate mobile ads but redirected users to malicious sites or initiated unwanted app downloads, highlighting the shift in malvertising strategies towards mobile users.

Strategic Countermeasures against malvertising

Enhancing Awareness and Training

  • Educating users on the signs of malvertising and the importance of updating software.

Robust Network Defense Strategies

  • Implementing advanced intrusion detection systems (IDS) and intrusion prevention systems (IPS) capable of detecting anomalies in web traffic.
  • Utilizing threat intelligence platforms for real-time data on emerging threats.

Application of the MITRE ATT&CK Framework

  • Tactic T1184: Understanding the ‘Masquerading’ tactic, where malvertising disguises as benign ads.
  • Technique T1195: Analyzing ‘Supply Chain Compromise’ techniques that could include ad network infiltration.

Regular Auditing and Monitoring

  • Continuous monitoring of ad traffic and network activity for early detection of suspicious patterns.

Malvertising represents a sophisticated and stealthy cybersecurity threat. Vigilance, continuous monitoring, and education remain key in combating it, ensuring a proactive stance against this covert avenue of cyber attacks.

StripedFly: Malware Hidden as a Cryptominer

StripedFly malware is a highly sophisticated and stealthy malware that has been in operation since at least 2017, affecting over a million victims globally. Initially masquerading as a cryptocurrency miner, deeper analysis unveiled its multifaceted capabilities extending far beyond cryptocurrency mining. Here are the key aspects of StripedFly malware based on various reports and additional insights.

Architecture

Based on the report published by Kaspersky, StripedFly operates as a monolithic binary executable with pluggable modules. This design allows for operational versatility often found in Advanced Persistent Threat (APT) operations. The modular nature of StripedFly enables the addition of various functionalities without altering the core structure of the malware, making it a flexible and adaptable threat.

StripedFly Windows execution flow (Kaspersky)

Evolution

Initially functioning as a cryptocurrency miner, StripedFly was later discovered to have a complex, multifunctional wormable framework. This framework enables the malware to function as an APT, a crypto miner, and potentially even as a ransomware group, indicating a possible evolution in motives from financial gain to espionage over time.

Impact

StripedFly has had a significant impact with a global reach, affecting over a million Windows and Linux computers worldwide since 2016 or 2017. This global reach illustrates the significant threat posed by StripedFly to both individual and organizational cybersecurity, transcending geographical and platform boundaries.

Modus Operandi

StripedFly harvests credentials every two hours, collecting a range of sensitive data including site and WiFi login credentials, and personal information. It can capture screenshots, exert significant control over infected machines, and even record microphone input without detection, underlining its invasive and persistent nature.

Infection Vector

The initial infection vector was uncovered as a custom-made EternalBlue ‘SMBv1’ exploit used to infiltrate victims’ systems. Despite the public disclosure of the EternalBlue vulnerability in 2017 and the subsequent release of a patch by Microsoft, many users failed to update their systems, leaving a significant number of computers vulnerable to StripedFly exploitation.

Discovery and Analysis

StripedFly’s sophisticated nature allowed it to evade detection for a prolonged period, being misclassified as a mere cryptocurrency miner. The extensive analysis conducted by cybersecurity researchers unveiled the remarkable effort invested in creating this malicious framework and highlighted the necessity for continuous research and vigilance in the cybersecurity domain.

Cross-Platform Nature

StripedFly is identified as a cross-platform malware capable of infecting both Windows and Linux systems. Its cross-platform nature broadens the scope of potential victims and presents a challenge for cybersecurity measures across different operating environments.

MITRE ATT&CK Techniques

ATT&CK IDs:

  • T1210 – Exploitation of Remote Services
  • T1564 – Hide Artifacts
  • TA0004 – Privilege Escalation
  • T1053 – Scheduled Task/Job
  • T1060 – Registry Run Keys / Startup Folder
  • T1094 – Custom Command and Control Protocol
  • T1573 – Encrypted Channel

AlienVault OTX Pulse

VirusTotal Analysis

MITRE ATT&CK: A Roadmap to Effective Cybersecurity Defence

In an age where digital threats and cyberattacks continue to evolve, organizations and security professionals need effective tools and strategies to defend against adversaries. One such tool that has gained prominence in the world of cybersecurity is MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge). ATT&CK is not just a framework but a comprehensive resource that empowers defenders to better understand and mitigate threats by adopting a proactive and adversary-focused approach. This article explores the essence of MITRE ATT&CK, its importance, and its role in enhancing cybersecurity.

Understanding MITRE ATT&CK

MITRE ATT&CK is a knowledge base and framework that catalogues tactics, techniques, and procedures employed by adversaries in their campaigns. It was developed by MITRE Corporation, a not-for-profit organization, and is widely recognized and adopted in the cybersecurity community.

The ATT&CK framework is structured into two primary matrices: Enterprise and Mobile. Each matrix consists of a range of tactics and techniques employed by adversaries during different stages of a cyberattack. The tactics represent the adversary’s goals, while the techniques are specific methods or procedures used to achieve those goals. ATT&CK also provides information on how the tactics and techniques have been observed in real-world attacks.

Why is MITRE ATT&CK Important?

  1. Common Language: ATT&CK serves as a common language for security teams, enabling them to communicate more effectively about threats and vulnerabilities. By referencing specific tactics and techniques, security professionals can better understand and address security issues.
  2. Proactive Threat Mitigation: Rather than focusing solely on known vulnerabilities or malware signatures, ATT&CK encourages a proactive approach. Organizations can identify potential threats and vulnerabilities based on the tactics and techniques used by adversaries.
  3. Knowledge Sharing: The MITRE ATT&CK framework encourages knowledge sharing within the cybersecurity community. Security researchers, vendors, and organizations can contribute to the framework, ensuring that it remains up-to-date and reflective of the evolving threat landscape.
  4. Improved Defenses: By understanding how adversaries operate, organizations can enhance their defenses. They can design more effective security strategies, create better threat detection rules, and prioritize security measures based on the likelihood of specific tactics being employed.
  5. Red and Blue Teaming: ATT&CK supports red teaming (simulated adversarial attacks) and blue teaming (defensive exercises). These activities help organizations assess their security posture, identify weaknesses, and improve their incident response capabilities.

Practical Applications of MITRE ATT&CK

  1. Threat Intelligence: Security teams can use ATT&CK to better understand threat intelligence reports. By mapping reported threats to the framework, organizations can assess the relevance and potential impact of the threat.
  2. Security Assessments: During security assessments, organizations can use the framework to evaluate their security controls and identify gaps in their defenses. This helps in creating more robust security postures.
  3. Incident Response: ATT&CK aids in incident response by allowing organizations to trace the tactics and techniques used by adversaries during an attack. This information can guide the response efforts and improve recovery procedures.
  4. Cybersecurity Training and Education: ATT&CK is a valuable resource for training security professionals. It provides a structured way to learn about adversary behaviors and tactics.

MITRE ATT&CK is a powerful resource in the fight against evolving cyber threats. By providing a common language, fostering a proactive approach to defense, and facilitating knowledge sharing, it enhances the capabilities of organizations and security professionals. As cyber adversaries continue to adapt and innovate, MITRE ATT&CK remains an invaluable tool for understanding and mitigating their tactics and techniques, making the digital world a safer place for all.