Cybersecurity Update for September 23, 2022

Ron McFarland PhD
12 min read · Sep 23, 2022


https://youtu.be/FXDykjTnPBc

About the “Cybersecurity Update:”

The Cybersecurity Update is a periodic post on Medium that contains news about cybersecurity, information technology, network security, and securing our IoT/SCADA networks and databases. Each update is a selected set of items taken from publicly available resources, chosen to support learning about cybersecurity.

Aside from presenting the news, each update discusses approaches that a cybersecurity professional (or individual) can take in response to the items covered. The intention is not only to bring you the cybersecurity news, but also to discuss with you possible strategies for addressing the items posted in the update.

Please follow along. Please send me any additional suggestions for addressing any of the updates, suggestions for videos/content that you’d like to see/read, or just keep in contact. My info is provided in the “About the Author” section at the end of this article.

TOPICS TODAY INCLUDE:

1. Emotet Botnet Started Distributing Quantum and BlackCat Ransomware

2. Microsoft Warns of Large-Scale Click Fraud Campaign Targeting Gamers

3. Microsoft Teams’ GIFShell Attack: What Is It and How You Can Protect Yourself from It

Item 1: Emotet Botnet Started Distributing Quantum and BlackCat Ransomware

The Emotet malware (as a botnet) is now being leveraged by ransomware-as-a-service (RaaS) groups, including Quantum and BlackCat, after Conti’s official retirement from the threat landscape this year. As a note, the Conti ransomware operation was shut down in January 2021 and split into smaller groups. Conti, the notorious cybercrime gang, officially took down its attack infrastructure (in conjunction with law enforcement activity) in favor of migrating its malicious cyber activities to other ancillary operations, including Karakurt and BlackByte.

Figure 1: Ransomware

Emotet started off as a banking trojan in 2014, but updates added to it over time have transformed the malware into a highly potent threat that’s capable of downloading other payloads onto the victim’s machine, which would allow the attacker to control it remotely. Emotet is designed to siphon credit card information stored in the Chrome web browser. The notorious Conti ransomware gang may have dissolved, but several of its members remain as active as ever either as part of other ransomware crews like BlackCat and Hive or as independent groups focused on data extortion and other criminal endeavors.

Figure 2: Google

The Emotet infection chain is currently attributed to the Quantum and BlackCat hacking groups. The typical attack sequence entails the use of Emotet (aka SpmTools) as an initial access vector to drop Cobalt Strike, which is then used as a post-exploitation tool for ransomware operations. Recorded Future noted in a report published last month that “Conti affiliates use a variety of initial access vectors including phishing, compromised credentials, malware distribution, and exploiting vulnerabilities.”

ESET, a security company with a research arm, previously reported a 100-fold jump in Emotet detections during the first four months of 2022 in comparison to the preceding four months from September to December 2021. According to Israeli cybersecurity company Check Point, Emotet dropped from first to fifth place in the list of most prevalent malware for August 2022, coming behind FormBook, Agent Tesla, XMRig, and GuLoader.

Item 1 Key terms

1. RaaS: Ransomware as a Service (RaaS) is a business model between ransomware operators and affiliates in which affiliates pay to launch ransomware attacks developed by the operators. Think of ransomware as a service as a variation of the software as a service (SaaS) business model.

2. C&C: A command-and-control [C&C] server is a computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network.

3. Data Extortion: Data extortion means to directly or indirectly demand or accept a bribe, facilitating payment, kickback or other payment by threat of force, intimidation or exercise of authority.

4. Phishing: Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

5. Compromised credentials (attack): Compromised credential attacks are a kind of cyber-attack in which malicious actors use lists of compromised credentials to attempt to log into a wide range of online accounts. The goal of the attack, like so many others, is to steal personal/financial information from the compromised account or to take it over altogether.

6. Malware distribution: Malicious software, or malware, can be distributed in many different ways. Malware may be sent via email attachments, may be placed in downloadable files on the Internet, or may be installed when a computer user follows a link to a website.

7. Exploiting vulnerabilities: An exploit is the specially crafted code adversaries use to take advantage of a certain vulnerability and compromise a resource. Exploit kits are tools embedded in compromised web pages which automatically scan a visitor’s machine for vulnerabilities and attempt to exploit them.

8. Post-exploitation tool: Post-exploitation refers to any actions taken after a session is opened. A session is an open shell from a successful exploit or brute-force attack.

Item 2: Microsoft Warns of Large-Scale Click Fraud Campaign Targeting Gamers

Microsoft said it’s tracking an ongoing large-scale click fraud campaign targeting gamers by means of stealthily deployed browser extensions on compromised systems. “[The] attackers monetize clicks generated by a browser node-webkit or malicious browser extension secretly installed on devices,” Microsoft Security Intelligence said in a sequence of tweets over the weekend. Microsoft’s cybersecurity division is tracking the developing threat cluster under the name DEV-0796.

Attack chains mounted by the adversary commence with an ISO file that’s downloaded onto a victim’s machine upon clicking on a malicious ad or comment on YouTube (see Figure 3). The ISO file, when opened, is designed to install a browser node-webkit (aka NW.js) or rogue browser extension.

Figure 3: Attack Chain — Click Fraud

The ISO file masquerades as hacks and cheats for the Krunker first-person shooter game. Cheats are programs that help gamers gain an added advantage beyond the available capabilities during gameplay. Apple Disk Image (DMG) files, which are used to distribute software on macOS, are also used. A related campaign lures gamers looking for cheats on YouTube into downloading self-propagating malware capable of installing crypto miners and other information stealers. “Malware and unwanted software distributed as cheat programs stand out as a particular threat to gamers’ security, especially for those who are keen on popular game series,” according to Kaspersky.

Item 2 Key Terms

1. Stealthily deployed browser extensions: A browser extension can add a feature to an existing site or change how the site displays. “Stealth” refers to a hidden method of deployment.

2. Browser node-webkit: node-webkit (the original name of NW.js) runs application code on Node.js inside a WebKit-based browser engine; WebKit itself is an open source web browser engine.

3. Malicious browser extension: Browsers are one of the most used methods of accessing organization and personal online resources. As more resources move to the cloud, the use of browsers to access sensitive information steadily increases. Attackers often take advantage of this via the use of malicious browser extensions. Managing extension use across an organization is a critical part of any security program.

4. Browser node-webkit (as a Windows process): Node-webkit.exe is not a Windows core file. The process starts when Windows starts (see Registry key: Run). The program has no visible window. Node-webkit.exe is able to manipulate other programs, monitor applications, and record keyboard and mouse inputs.

5. NW.js: NW.js is a framework for building desktop applications with HTML, CSS, and JavaScript.

6. ISO file: An ISO file, often called an ISO image, is a single file that’s a perfect representation of an entire CD, DVD, or BD. The entire contents of a disc can be precisely duplicated in a single ISO file.

7. DMG file: DMG stands for Disk Image File. Any file with the extension “.dmg” is an Apple Disk Image file. This image format is commonly used by the macOS operating system. It is also referred to as a Mac OS X Disk Image file, a digital reconstruction of a physical disc.

Item 3: Microsoft Teams’ GIFShell Attack: What Is It and How You Can Protect Yourself from It

Figure 4: GIFShell on Kali Linux

Risk is also brought on by SaaS app configurations that have not been hardened. The newly published GIFShell attack method, which operates through Microsoft Teams, is an example of how threat actors can exploit legitimate features and configurations that haven’t been correctly set.

The GIFShell Attack Method

The GIFShell attack technique enables bad actors to exploit several Microsoft Teams features to act as a C&C for malware and to exfiltrate data using GIFs without being detected by EDR and other network monitoring tools. This attack method requires a device or user that is already compromised. The main component of this attack allows an attacker to create a reverse shell that delivers malicious commands via base64-encoded GIFs in Teams and exfiltrates the output through GIFs retrieved by Microsoft’s own infrastructure.

How does it work?

1. Compromise a computer to plant the malware — which means the bad actor needs to convince the user to install a malicious stager, for example through phishing, that executes commands and uploads command output via a GIF URL to a Microsoft Teams webhook.

2. The threat actor creates their own Microsoft Teams tenant and contacts other Microsoft Teams users outside of the organization. The threat actor can then use a GIFShell Python script to send a message to a Microsoft Teams user that contains a specially crafted GIF. This legitimate GIF image has been modified to include commands to execute on a target’s machine.

3. When the target receives the message, the message and the GIF will be stored in Microsoft Teams’ logs. Important to note: Microsoft Teams runs as a background process, so the GIF does not even need to be opened by the user for the attacker’s commands to be received and executed. The stager monitors the Teams logs and, when it finds a GIF, extracts and runs the commands.

4. Microsoft’s servers will connect back to the attacker’s server URL to retrieve the GIF, which is named using the base64 encoded output (binary to text) of the executed command. The GIFShell server running on the attacker’s server will receive this request and automatically decode the data allowing the attackers to see the output of the command run on the victim’s device.
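The exfiltration step above leaves one observable trace a defender can look for: a GIF request whose filename is long, valid base64 and decodes to readable text. The following Python heuristic is an added example (not code from the original post or from the GIFShell research) that scans constructed proxy or webhook log lines for that pattern; the host gif-host.example, the log layout and the 16-character threshold are assumptions.

```python
import base64
import re
import string
from urllib.parse import urlparse

# Constructed sample: output a stager might have captured, used only to build the log below.
SAMPLE_OUTPUT = b"whoami\r\nCORP\\jdoe\r\n"
ENCODED_NAME = base64.urlsafe_b64encode(SAMPLE_OUTPUT).decode()

# Constructed proxy log lines: timestamp, client, method, URL, status (assumed layout).
LOG_LINES = [
    "2022-09-23T10:01:02Z 10.0.0.12 GET https://media.giphy.com/media/3o7abKhOpu0NwenH3O/giphy.gif 200",
    "2022-09-23T10:01:05Z 10.0.0.12 GET https://gif-host.example/" + ENCODED_NAME + ".gif 200",
    "2022-09-23T10:01:09Z 10.0.0.13 GET https://media.tenor.com/abcd1234/tenor.gif?itemid=42 200",
]

URL_RE = re.compile(r"https?://\S+")
MIN_NAME_LEN = 16  # ordinary CDN filenames are short; encoded command output is not
PRINTABLE = set(string.printable)


def decode_base64_name(name):
    """Return decoded bytes if name is valid standard or URL-safe base64, else None."""
    padded = name.replace("-", "+").replace("_", "/")
    padded += "=" * (-len(padded) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return None


def looks_like_text(data):
    """True when every decoded byte is printable ASCII (what command output looks like)."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return len(text) > 0 and all(c in PRINTABLE for c in text)


def gif_filename(url):
    """Last path segment without the .gif suffix, or None if the URL is not a GIF."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    return name[:-4] if name.lower().endswith(".gif") else None


def scan_log_lines(lines):
    """Return (line, url, decoded_text) for GIF URLs whose filename decodes to readable text."""
    findings = []
    for line in lines:
        for url in URL_RE.findall(line):
            name = gif_filename(url)
            if name is None or len(name) < MIN_NAME_LEN:
                continue
            decoded = decode_base64_name(name)
            if decoded is not None and looks_like_text(decoded):
                findings.append((line, url, decoded.decode("ascii")))
    return findings


if __name__ == "__main__":
    for line, url, text in scan_log_lines(LOG_LINES):
        print("possible GIFShell-style exfiltration:", url, repr(text))
```

The check only inspects the final path segment, so a long base64 string placed earlier in the path would need a broader rule; treat a hit as a lead for endpoint investigation, not proof.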

Microsoft’s response

Microsoft states that the attack “does not meet the bar for an urgent security fix” since no security boundaries have been bypassed. Microsoft also states, “For this case… these all are post exploitation and rely on a target already being compromised.” Microsoft is asserting that this technique uses legitimate features of the Teams platform and is not something it can mitigate currently. There are configurations and features that threat actors can exploit if they are not hardened. A few changes to your tenant’s configuration can prevent these inbound attacks from unknown Teams tenants.

How to Protect Against the GIFShell Attack

First, Disable External Access:

Figure 5: Microsoft Teams — Disable External Access

Microsoft Teams, by default, allows for all external senders to send messages to users within that tenant. Many organization admins likely are not even aware that their organization allows for External Teams collaboration.

Also, Disable external domain access — Prevent people in your organization from finding, calling, chatting, and setting up meetings with people external to your organization in any domain.

Next, Disable unmanaged external teams start conversation — Block Teams users in your organization from communicating with external Teams users whose accounts are not managed by an organization.

Next, Gain Device Inventory Insight:

Figure 6: Gain Insight on Your Users’ Access

Ensure that your organization’s devices are secured by an XDR / EDR / Vulnerability Management solution, like CrowdStrike or Tenable. Note: Endpoint security tools are your first line of defense against suspicious activity such as accessing the device’s local Teams log folder, which is used for data exfiltration in GIFShell. Further: Integrate an SSPM (SaaS Security Posture Management) solution, like Adaptive Shield, with your endpoint security tools to gain the visibility and context to easily see and manage the risks that stem from these types of configurations, your SaaS users, and their associated devices.

How to Automate Protection Against These Attacks

Use manual detection and remediation (argh) or an automated SaaS Security Posture Management (SSPM) solution.

Figure 7: SSPM Solution Example

With the multitudes of configurations, users, devices, and new threats, the manual method is an unsustainable drain on resources, leaving security teams overwhelmed. An SSPM solution, such as Adaptive Shield, enables security teams to gain complete control over their SaaS apps and configurations. The right SSPM automates and streamlines the process of monitoring, detection and remediation for SaaS misconfigurations, SaaS-to-SaaS access, SaaS-related IAM, and Device-to-SaaS user risk in compliance with both industry and company standards. As an example, Adaptive Shield’s Device Inventory feature (see Figure 7) can monitor devices being used company-wide and flag any Device-to-SaaS risk while correlating that information with user roles and permissions and the SaaS apps in use. This enables security teams to gain a holistic view of user-device posture and to protect and secure high-risk devices that can serve as a critical threat in their SaaS environment.

Item 3 Key Terms

1. SaaS: Software as a Service is a cloud-based software delivery model in which the cloud provider develops and maintains cloud application software, provides automatic software updates, and makes software available to its customers via the internet on a pay-as-you-go basis.

2. Hardening: Hardening refers to providing various means of protection in a computer system. Protection is provided in various layers and is often referred to as defense in depth.

3. GIFShell attack: A new attack technique, GIFShell, has surfaced that allows an attacker to abuse Microsoft Teams. The attackers can use this technique in phishing attacks and execute commands using GIFs.

4. C&C for malware: A command-and-control [C&C] server is a computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network.

5. IAM: IAM is a framework of policies, processes, and technologies that enable organizations to manage digital identities and control user access to critical corporate information.

6. XDR / EDR / Vulnerability Management: (1) XDR: Extended detection and response (XDR) is a new approach to threat detection and response that provides holistic protection against cyberattacks, unauthorized access and misuse. (2) EDR: Endpoint detection and response (EDR) can detect threats that exist in your networking environment and then respond to them.


References

Item 1: Emotet Botnet Started Distributing Quantum and BlackCat Ransomware: https://thehackernews.com/2022/09/emotet-botnet-started-distributing.html

Item 2: Microsoft Warns of Large-Scale Click Fraud Campaign Targeting Gamers: https://thehackernews.com/2022/09/microsoft-warns-of-large-scale-click.html

Item 3: Microsoft Teams’ GIFShell Attack: What Is It and How You Can Protect Yourself from It: https://thehackernews.com/2022/09/microsoft-teams-gifshell-attack-what-is.html

About the Author

Ron McFarland, PhD, CISSP is a Senior Cybersecurity Consultant at CMTC (California Manufacturing Technology Consulting) in Torrance, CA. He received his doctorate from NSU’s School of Engineering and Computer Science, MSc in Computer Science from Arizona State University, and a Post-Doc graduate research program in Cyber Security Technologies from the University of Maryland. He taught Cisco CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), CCDA (Design), CCNA-Security and other Cisco courses and was honored with the Cisco Academy Instructor (CAI) Excellence Award in 2010, 2011, and 2012 for excellence in teaching. He also holds multiple security certifications including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications.

CONTACT Dr. Ron McFarland, PhD, MSc, CDNA, CISSP

· CMTC Email: rmcfarland@cmtc.com

· Email: highervista@gmail.com

· LinkedIn: https://www.linkedin.com/in/highervista/

· Website: https://www.highervista.com

· YouTube Channel: https://www.youtube.com/channel/UCJ57_1OgZ5H1nMVdGElcvrw

Written by Ron McFarland PhD

Cybersecurity Consultant, Educator, State-Certified Digital Forensics and Expert Witness (California, Arizona, New Mexico)