Check Point highlights the persistent threat of malicious Word/Excel Documents (maldocs):
Old Vulnerabilities Still Pose Risks: Despite being several years old, CVEs from 2017 and 2018 in Microsoft Word and Excel remain active threats in the cybersecurity landscape. Examples include CVE-2017-11882, CVE-2017-0199, and CVE-2018-0802.
Widespread Use by Cybercriminals: These vulnerabilities are exploited by well-known malware such as GuLoader, Agent Tesla, Formbook, and others. APT groups also got on the list, with Gamaredon APT being a notable example. They target lucrative sectors like finance, government, and healthcare, indicating a strategic approach by attackers.
Challenges in Detection: Despite their age, these MalDocs can evade detection due to their sophisticated construction and the use of various tricks to bypass security measures.
A recent advisory from the Dutch #MIVD & #AIVD has exposed a new threat lurking within #FortiGate appliances: the #COATHANGER malware, a remote access trojan (RAT) that's as elusive as it is persistent. Here are the highlights taken from their released TLP-CLEAR advisory:
Incident response uncovered previously unpublished malware, a remote access trojan (RAT) designed specifically for Fortigate appliances.
refer to the malware as COATHANGER based on a string present in the code.
It hides itself by hooking system calls that could reveal its presence.
It survives reboots and firmware upgrades. Even fully patched FortiGate devices may therefore be infected, if they were compromised before the latest patch was applied.
high confidence that the malicious activity was conducted by a statesponsored actor from the People’s Republic of China
The Chinese threat actor(s) scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.
initial access occurred through exploitation of the CVE-2022-42475 vulnerability
Although this incident started with abuse of CVE-2022- 42475, the COATHANGER malware could conceivably be used in combination with any present or future software vulnerability in FortiGate devices.
MIVD & AIVD refer to this RAT as COATHANGER. The name is derived from the peculiar phrase that the malware uses to encrypt the configuration on disk: ‘She took his coat and hung it up’.
Please note that second-stage malware like COATHANGER are used in tandem with a vulnerability: the malware is used for persistence to a victim network after the actor gained access.
The implant connects back periodically to a Command & Control server over SSL, providing a BusyBox reverse shell.
It hides itself by hooking most system calls that could reveal its presence, such as stat and opendir. It does so by replacing them for any process that is forced to load preload.so.
Section 3.2 of the PDF has a detailed description of how COATHANGER malware behaves and interacts.
Communication to the C2 server is done over a TLS tunnel. COATHANGER first sends the following request to the HTTP GET request to the C2 server: GET / HTTP/2nHost: www.google.comnn
The COATHANGER malware drops the following files;
/bin/smartctl or /data/bin/smartctl<br></br>/data2/.bd.key/authd<br></br>/data2/.bd.key/httpsd<br></br>/data2/.bd.key/newcli<br></br>/data2/.bd.key/preload.so<br></br>/data2/.bd.key/sh<br></br>/lib/liblog.so<br></br>
Several methods have been identified to detect COATHANGER implants. A script was released by them for automated detection HERE These include a YARA-rule, a JA3-hash, different CLI commands, file checksums and a network traffic heuristic.
Two YARA rules are provided for detection on the COATHANGER samples.
The COATHANGER implant communicates to the C2 server using TLS. This TLS connection is fingerprintable using the following JA3-hash: 339f6adf54e6076d069dcaac54fddc25
With access to the CLI of a FortiGate device, the presence of COATHANGER can be detected in three ways.
Check if the files /bin/smartctl or /data/bin/smartctl exist and inspect the timestamps of smartctl and other files in the same directory. If smartctl was modified later than the majority of other files or is not a symlink, it is likely that the smartctl binary was tampered with.
Use the following command:
fnsysctl ls -la /bin<br></br>fnsysctl ls -la /data/bin<br></br>
The following command shows a list of active TCP sockets. Whenever the FortiGate device has internet access and the malware is active, the outgoing connection will appear in the results. Check the reputation of all outgoing contection IP's.diagnose sys tcpsock
The specific version of COATHANGER that this report describes uses the process name 'httpsd' to obfuscate itself. Therefore, any suspicious outgoing connections to external IP addresses from a process called httpsd is a strong indicator of the presence of COATHANGER:
The specific version of COATHANGER that this report describes uses the process name httpsd to obfuscate itself. All active processes can be listed using the following command:fnsysctl ps
Running the following command returns all PID's named 'httpsd'
diagnose sys process pidof httpsd<br></br>
Using the retrieved process IDs from the previous command yields process information for the processes named httpsd.
diagnose sys process dump <PID><br></br>
When the process has a GID set to 90, the device is infected with COATHANGER.
Cloudflare blog on Thanksgiving 2023 security incident:
"Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation state attacker with the goal of obtaining persistent and widespread access to Cloudflare’s global network."
Hey friends! After a long hiatus, I'm starting #streaming again - as mentioned in an earlier post, I'm going to be figuring out how to create #apt / #yum repos. I've done some very simple #pypi in the past, and may do some work on that, too. We'll see what we can get done in the time I'll be spending.
🔐 #Microsoft discloses Russian #APT infiltrated its systems through a test account, stealing emails and attachments of senior executives and others in #cybersecurity and legal departments.
Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign, Mint Sandstorm used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files. In a handful of cases, Microsoft observed new post-intrusion tradecraft including the use of a new, custom backdoor called MediaPl.
🔗 https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
More #inxi / #pinxi CPU issues, it looks like #fedora / #rhel have changed a default standard path in /sys for unknown reasons, thus breaking inxi cpu speed collection. This tripped need to do more refactors, this time to the fake cpu data debugger logic, it was not complete.
Also, a new codeberg issue pointed out that in many #Linux I can get basic RAM/RAM array data from udevadm, which appears to dump some dmi data into itself, available to user.
@adamw@mjgardner again, I was literally just last month testing distro ID for official fedora spins, and had to install modules to do it. So whatever sources you have are not reflected in material reality that we can all particpate in. Thanks for proving my choice of #debian has been right for the last 18 years. And #apt.
We just published our annual adversary #infrastructure report for 2023, which provides an in-depth analysis of infrastructure belonging to the most prevalent #malware families we track, analyses the impact of infrastructure takedowns (e.g., Qakbot), and discusses #APT infrastructure trends, among others: https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf
We currently can't confirm whether this is a stolen certificate, an impersonation or a shell/front corporation. The website for "d2innovation[.]jp" has been inactive/HTTP403 since early 2023 according to the Internet Archive.
So far we have found five samples signed with this certificate. The earliest compilation timestamps go back to the 13th of December 2023. One sample has a header timestamp set to 0 (1970-01-01). Using a cutoff date in the rule might limit hunting results.
Some samples are already available on @abuse_ch Malware Bazaar. We'll share the missing ones in a minute.
Polskie DKWOC we współpracy z Microsoftem ukróciło nową kampanię grupy Forest Blizzard, identyfikowanej też jako APT28 czy Fancy Bear i łączonej z rosyjskimi służbami
The Polish Cyber Command (DKWOC) partnered with Microsoft to take action against a Russian-based nation-state threat actor tracked as Forest Blizzard (also known as APT28 and Fancy Bear)
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #47/2023 is out! It includes the following and much more:
➝ 🔓 🇬🇧 University of Manchester #CISO Speaks Out on Summer Cyber-Attack
➝ 🔓 🇺🇸 Hacktivists breach U.S. nuclear research lab, steal employee data
➝ 🔓 👀 Sumo Logic Completes Investigation Into Recent Security #Breach
➝ 🔓 🇺🇸 Auto parts giant AutoZone warns of #MOVEit data breach
➝ 🔓 🇨🇦 Canadian government discloses data breach after contractor hacks
➝ 🇦🇫 New 'HrServ.dll' Web Shell Detected in #APT Attack Targeting Afghan Government
➝ 🇬🇧 🇰🇷 UK and South Korea: Hackers use zero-day in supply-chain attack
➝ 🇵🇸 🇮🇱 #Hamas-Linked #Cyberattacks Using Rust-Powered SysJoker #Backdoor Against #Israel
➝ 🇷🇺 😱 “They are tired of him, but they are afraid”: what is known about the leader of the hacker group Killnet
➝ 🇰🇵 N. Korean Hackers Distribute Trojanized #CyberLink Software in Supply Chain Attack
➝ ▶️ 🛒 Play #Ransomware Goes Commercial - Now Offered as a Service to Cybercriminals
➝ 🇮🇳 Indian Hack-for-Hire Group Targeted U.S., #China, and More for Over 10 Years
➝ 🇷🇺 Russian hackers use #Ngrok feature and #WinRAR exploit to attack embassies
➝ 🇺🇸 🩺 #CISA Releases Cybersecurity Guidance for #Healthcare, Public Health Organizations
➝ 🇬🇧 🙏🏻 Thanking the vulnerability research community with #NCSC Challenge Coins
➝ 🧅 #Tor Network Removes Risky Relays Associated With #Cryptocurrency Scheme
➝ 🇺🇦 👋🏻 #Ukraine fires top cybersecurity officials
➝ 🩹 Johnson Controls Patches Critical #Vulnerability in Industrial Refrigeration Products
➝ 🦠 🦀 New WailingCrab #Malware Loader Spreading via Shipping-Themed Emails
➝ 🦠 📨 New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks
➝ 🦠 🎠 NetSupport #RAT Infections on the Rise - Targeting Government and Business Sectors
➝ 🚫 Google #Chrome will limit ad blockers starting June 2024
➝ 🐛 ☁️ 3 Critical Vulnerabilities Expose #ownCloud Users to Data Breaches
➝ 🔓 ☁️ Researchers Discover Dangerous Exposure of Sensitive #Kubernetes Secrets
➝ 🔓 ☝🏻 New Flaws in Fingerprint Sensors Let Attackers Bypass #Windows Hello Login
➝ 🔓 🩸 ‘#CitrixBleed’ vulnerability targeted by nation-state and criminal hackers: CISA
➝ 🐡 Researchers extract RSA keys from #SSH server signing errors
📚 This week's recommended reading is: "How I Rob Banks: And Other Such Places" by FC a.k.a. Freakyclown
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
🕵️♂️ New Threat Alert: A new web shell called HrServ is part of a suspected #APT attack in Afghanistan. HrServ can erase tracks and execute code in memory, increasing the threat's complexity.