
A week in security (July 17 – 23)

Last week on Malwarebytes Labs:

Stay safe!


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Estée Lauder targeted by Cl0p and BlackCat ransomware groups

Estée Lauder is currently at the heart of a compromise storm, revealing a major security issue via a Securities and Exchange Commission (SEC) filing on Tuesday.

Although no detailed explanation of what has taken place is given, there is confirmation that an attack allowed access to some systems and involved potential data exfiltration. Meanwhile, two ransomware groups are taking credit for compromises unrelated to one another. Is one of the compromises the attack mentioned in the filing? It’s worth mentioning here that Estée Lauder does not name either ransomware group. With this in mind, the relevant section from the filing reads as follows:

The Estée Lauder Companies Inc. (NYSE: EL) has identified a cybersecurity incident, which involves an unauthorized third party that has gained access to some of the Company’s systems. After becoming aware of the incident, the Company proactively took down some of its systems and promptly began an investigation with the assistance of leading third-party cybersecurity experts. The Company is also coordinating with law enforcement. Based on the current status of the investigation, the Company believes the unauthorized party obtained some data from its systems, and the Company is working to understand the nature and scope of that data.

The Company is implementing measures to secure its business operations and will continue taking additional steps as appropriate. During this ongoing incident, the Company is focused on remediation, including efforts to restore impacted systems and services. The incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations.

Bleeping Computer notes that the ALPHV/BlackCat and Cl0p groups are claiming responsibility for the two unrelated ransomware compromises specifically. Worse, both ransomware groups have what they claim to be Estée Lauder data up for grabs on their leak portals.

If you’re unfamiliar with such sites, they’re places where ransomware groups store stolen data. The compromised organisation is then threatened with the data being made public, traded, or sold off to the highest bidder unless a ransom is paid. This is a common tactic in so-called “double extortion” ransomware, where the encrypting of devices is merely the first step to extracting money.

The Cl0p group claims to have somewhere in the region of 131GB of data to hand. Meanwhile BlackCat is complaining of the lack of communication from Estée Lauder, sending multiple emails but receiving no replies. It also claims to still have network access despite various attempts to secure the network.

Supposedly, the information taken could “impact customers, employees, and suppliers”. There are no further details on the contents at this time. Regular readers will know that these attacks typically target confidential information, company secrets, personal data, payroll, and identity scans. The attackers could be bluffing, or it really could be as bad as they claim. We’ll have to wait and see.

The Cl0p compromise is said to have made use of a MOVEit Transfer vulnerability to gain access to the target systems. Both Cl0p and BlackCat tend to feature heavily in our ransomware review posts. In our June post, Cl0p was the most active group around with BlackCat falling suspiciously quiet. Perhaps it was focusing on heavy-hitter attacks such as this the whole time.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


CISA: You’ve got two weeks to patch Citrix NetScaler vulnerability CVE-2023-3519

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical unauthenticated remote code execution (RCE) vulnerability in Citrix NetScaler ADC and Citrix NetScaler Gateway to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by August 9, 2023 to protect their networks against active threats. We urge everyone else to take it seriously too.

The recommended actions are to apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Given the active exploitation, we would advise to do this as soon as possible.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited CVE patched in this update is CVE-2023-3519 a Citrix NetScaler ADC and NetScaler Gateway code injection vulnerability with a CVSS score of 9.8 out of 10. The vulnerability can lead to unauthenticated RCE. It affects appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization and accounting (AAA) virtual server.

Little information has been made available about the campaign that is exploiting this vulnerability. What we do know is that the criminals use web shells—a script that can be used by an attacker to run remote commands and maintain persistent access on an already compromised system. CISA has released a cybersecurity advisory about the tactics, techniques, and procedures (TTPs) of the currently active campaign.

Reportedly, there are around 38,000 Citrix Gateway appliances exposed to the public Internet and exploits against Citrix ADC have been discussed, including the sale of a Remote Code Execution (RCE) exploit, on a cybercrime forum.

Citrix acknowledges the urgency by stating:

“Exploits of CVE-2023-3519 on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”

The security bulletin by Citrix about this vulnerability includes two more vulnerabilities. The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

Citrix notes that NetScaler ADC and NetScaler Gateway version 12.1 have reached the end-of-life stage and customers should upgrade to a newer variant of the product.
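A small build checker based on the fixed builds listed above, added here as an example and not part of the Citrix bulletin or any Citrix tooling; the variant labels (ADC, Gateway, ADC-FIPS, ADC-NDcPP) and the "release-build.sub" string format are assumptions made for the example.

```python
import re

# Fixed builds from the bulletin as reproduced above, keyed by product variant
# (variant names are this example's own labels). A build on the same release
# line that is strictly before the fixed build is affected.
FIXED_BUILDS = {
    "ADC":       {"13.1": (49, 13),  "13.0": (91, 13)},
    "Gateway":   {"13.1": (49, 13),  "13.0": (91, 13)},
    "ADC-FIPS":  {"13.1": (37, 159), "12.1": (55, 297)},
    "ADC-NDcPP": {"12.1": (55, 297)},
}
# 12.1 (non-FIPS/NDcPP) is end-of-life per the bulletin: no fixed build exists.
END_OF_LIFE = {"ADC": {"12.1"}, "Gateway": {"12.1"}}

# Assumed build string shape, e.g. "13.1-49.13": release "13.1", build (49, 13).
_VER = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(version: str):
    """Split a NetScaler build string into (release, (build, sub))."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(variant: str, version: str) -> str:
    """Classify an appliance build against the CVE-2023-3519 fixed builds."""
    release, build = parse_build(version)
    if release in END_OF_LIFE.get(variant, set()):
        return "end-of-life: upgrade to a supported release"
    fixed = FIXED_BUILDS.get(variant, {}).get(release)
    if fixed is None:
        return "release line not listed in the bulletin: check the vendor advisory"
    if build < fixed:
        return f"affected: upgrade to {release}-{fixed[0]}.{fixed[1]} or later"
    return "not affected by CVE-2023-3519 per the listed fixed builds"


if __name__ == "__main__":
    # Constructed inventory of appliances, not real hosts.
    for variant, version in [("ADC", "13.1-48.47"), ("Gateway", "13.1-49.13"),
                             ("ADC-FIPS", "13.1-37.150"), ("ADC", "12.1-55.297")]:
        print(f"{variant:10} {version:12} -> {assess(variant, version)}")
```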

Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

Malwarebytes blocks the IP addresses that are known indicators of compromise (IoCs) for the active campaign exploiting this vulnerability:

  • 216.41.162.172
  • 216.51.171.17

For administrators who would like to see whether their instance has been compromised and what they should do about it, I found this checklist.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Amazon in-van delivery driver footage makes its way online

Footage from technology used to monitor Amazon delivery drivers is leaking onto the internet. AI-enabled equipment which keeps an eye on the drivers’ speed, location, and other activities is part of the growing trend of workplace surveillance. In theory, where drivers are concerned, it could flag a missing seat belt or a driver running red lights.

In practice the drivers aren’t too keen and insist that the companies using this tech can trust them without having a camera in their face all day long. There are other privacy issues to consider too.

When you receive a delivery nowadays, it’s not unusual for drivers to take a photo at the doorstep. You may or may not be present when these images are taken, but you’ll often see them on the web-based “parcel delivered” status page. If you’re lucky, your pyjamas are safely out of shot.

You may have wondered about the privacy issues related to these photographs. On the one hand, they’re attached to a URL online somewhere and they sometimes have your house number in shot. On the other hand, there’s a good chance nobody cares, those parcel delivered links tend to be temporary, and you’re not posing and waving alongside your delivery.

Why does this matter? Well, filmed footage takes in a lot more than a static, split-second shot of your doorstep. If a camera is rolling when a delivery person reaches your home, you could end up in the video footage or even just via the recorded audio should it exist. Ever had a casual chat with your driver? It could be in one of these recordings somewhere.

The cameras used are able to record both road and driver, with Vice reporting that drivers must consent to their biometric data being collected so their actions can be recorded “properly”. Despite this, there are examples of the cameras incorrectly penalising drivers.

Meanwhile the current clips are leaking to sites like Reddit, and nobody is sure who is doing it for the most part. Drivers claim they don’t have access to the footage: only Amazon, the technology maker, and the delivery service partner (DSP) which is the firm making the actual delivery.

On the Subreddit in question, drivers confirm that there is no live feed, but “dispatchers” on the other end can check-in, and drivers can request a pull up of specific footage as seems to be the case in this example. Whether the footage should be requested and dropped online is a different question. With drivers already worried about potential privacy issues of clips making their way to the internet, it’s probably not helpful if some drivers are contributing to the steady flow.

This isn’t the first time footage has appeared online, even if it seems to be more common now. Back in February of this year, one driver shared details of the AI system tracking her movements in a TikTok video which went viral. In that instance, she described the van’s four cameras (one forward facing, two on the side, and one facing her) and how they work together to “ding” her with a violation should she do something against the rules. She also referenced a driver receiving a “distracted driver violation” for itching his beard, which the system considered to be him using a phone while driving. Drivers can contest these supposed violations, but it all gives the impression of a system somewhat at war with itself.

Amazon’s stance on this technology is clear: It’s a valuable and necessary tool to ensure drivers are doing the right thing and not causing problems for other drivers. From Amazon’s comments to Business Insider:

“The safety technology in delivery vans help keep drivers and the communities where we deliver safe, and claims that these cameras are intended for anything else are incorrect. Since we started using them, we’ve seen a 35% reduction in collision rates across the network along with a reduction in distracted driving, speeding, tailgating, sign and signal violations, and drivers not wearing their seatbelts.”

As for people receiving the packages, this is more of a problem for drivers than the recipients for the most part. However, it would be a shame if this ends up encouraging a lack of interaction with the folks bringing you your packages on a daily basis. 


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Accidental VirusTotal upload is a valuable reminder to double check what you share

A document accidentally uploaded to Google’s VirusTotal service has resulted in the potential exposure of defence and intelligence agency names and email addresses. The service, used to scan files for signs of potential malicious activity, is used by security professionals and folks just interested in the files making their way to their systems.

The list makes up roughly 5,600 of the site’s customers, and identifies multiple security-centric entities. The Record cites individuals affiliated with the NSA, FBI, Pentagon, and other US military service branches. Meanwhile, the UK tally includes “a dozen Ministry of Defence personnel”, and emails tied to CERT-UK/National Cyber Security Centre, a part of the UK’s Government Communications Headquarters (GCHQ).

Sadly the emails listed are not entirely anonymous. There are full names tied to emails from the Ministry of Defence, Pensions Regulator, and the Cabinet Office, among others.

The file was removed by VirusTotal within an hour of it being uploaded. Commentary from some of the impacted organisations suggests this isn’t that big of a deal. The UK’s Ministry of Defence told The Record that they consider the data to be non-sensitive, and also low risk. This is of course good news, and much better than everyone running around yelling that the sky is falling.

While there is some element of risk here, it’s important not to get carried away. Someone genuinely determined to pull up a name or email address can usually do it by checking relevant websites or simply asking around. After all, what use is an email address if you can’t email people?

As for VirusTotal itself, submitted files can be shared and analysed via the security organisations tied to the scanning service. The results are often findable online via search engine, or hunting for specific file characteristics while on the VirusTotal website. You may also sometimes see VirusTotal pages linked directly from security blogs such as our own. Accidents of this nature tend to come about because folks making use of the service don’t quite realise the way data is used once submitted.

In March of last year, semi-automated uploads to VirusTotal were flagged by the German Bundesamt für Sicherheit in der Informationstechnik (BSI). This translates as the Federal Office for Security in Information Technology. In some cases, the documents being uploaded were confidential and should not have made their way to the VirusTotal service.

As we said at the time, files uploaded are not only shared with the 70 or so security vendors making up the bulk of the visible scanning service. They’re also potentially accessible to those making use of the premium features. If you make a mistake when uploading, it could be a costly one. In fact, a mistake uploading can be costly anywhere.

I’d be surprised if there’s anyone reading this who hasn’t, at some point, hit publish when they shouldn’t have, mailed a file that should have stayed where it is, or posted a message publicly when it was supposed to be private. It happens!

There is almost never a need to rush a process, and plenty of need to double check whatever you happen to have in the “about to send” box. Some organisations will restrict what can (and cannot) be uploaded. In most cases though, the onus will be on the uploader to get it right the first time.

We have some tips with regard to VirusTotal below:

Receivers:

  • If you are in the least bit uncertain about the safety of an attachment, contact the sender and ask them about it.
  • Don’t use VirusTotal if you want to check whether an attachment is malicious. The result is not conclusive and you may breach confidentiality.
  • Never click on links in emails or email attachments.
  • Never “Enable Editing” in a document, unless the sender in person assured you it was safe.

Senders:

  • Only use attachments that could be perceived as dangerous when it’s absolutely necessary.
  • Inform recipients about the fact that you are sending them an attachment and for what reason.


Google fixes “Bad.Build” Cloud Build flaw, researchers say it’s not enough

Researchers at Orca Security have found a design flaw in the Google Cloud Build service. Attackers could have used it to escalate privileges, resulting in unauthorized access to code repositories in Google’s Artifact Registry.

The researchers dubbed the vulnerability Bad.Build and say it could have far reaching consequences comparable to supply chain attacks like those caused by exploitation of flaws in 3CX, MOVEit, and SolarWinds.

The vulnerability was fixed in June and according to Google no further user action is required. But the security researchers claim that Google’s fix only limits the discovered Privilege Escalation (PE) vector and organizations are still vulnerable to the larger supply chain risk.

Since the researchers go on to explain how the Bad.Build design flaw can be exploited, users of Google Cloud Build are advised to take action. We’ll let you know what to do below (under Mitigation).

First, let’s have a look at the problem.

In traditional software development, programmers code an application in one computing environment only to find bugs or errors when deployed in another environment. To account for this, developers bundle their application together with all its related configuration files, libraries, and dependencies required to run in containers hosted in the cloud. This method is called containerization.

Google Cloud Build is a managed continuous integration and delivery (CI/CD) service provided by Google Cloud that makes it easy to get container images onto the cloud. Cloud Build also provides pre-built images that you can reference in a Cloud Build config file to execute your tasks.

The Artifact Registry provides an overview of the packages you use while continuously monitoring and updating the state of those artifacts. This provides insight and control over the packages, images, and other dependencies used in your software development and delivery process.

The flaw uncovered by the researchers enables the impersonation of the default Cloud Build service account. By exploiting the flaw, an attacker can manipulate images in Google’s Artifact Registry and inject malicious code. If these images are intended to be used by customers of the supplying organization, the risk crosses from the supplying organization’s environment to their customers’ environments, constituting a supply chain attack.

When notified about the problem, Google revoked the logging.privateLogEntries.list IAM permission from the Cloud Build service account to adhere to the security principle of least privilege. When you enable the Cloud Build API in a project, Cloud Build automatically creates a default service account to execute builds on your behalf. This Cloud Build service account previously had the permission, which allowed the build to have access to list private logs by default. But, the revoked permission wasn’t related to Artifact Registry.

As a result, an attacker could use the artifactregistry permissions to download and exfiltrate an image that is being used inside Google Kubernetes Engine (GKE). They could then inject malicious code into the image and push it back to the artifact registry, which is then deployed once again to the GKE. Once the malicious image is deployed, the attacker can exploit it and run code on the docker container as root.

Mitigation

If there is anything the researchers made clear, it is that organizations need to pay close attention to the behavior of the default Google Cloud Build service account. Some important elements to keep in mind:

  • Principle of least privilege. Limit permissions to what’s needed and keep track of given permissions.
  • Implement cloud detection and response. If something goes wrong, it’s important to learn about it as early as possible.
  • Prioritize risks, but don’t lose sight of the fact that a combination of two or more seemingly harmless vulnerabilities can be chained into a fatal attack.

Google denied Orca Security’s assessment, explaining that the access given to service accounts is the “nature of automated systems that run independently,” but both agreed that it’s important to check permissions and adjust them as you see fit, depending on your threat model.



Plane sailing for ticket scammers: How to keep your flight plans safe

You may be getting ready to jump on a plane and head off for a few days or weeks of rest and relaxation. So the last thing you need before flying is a technology related horror show. Sadly, scammers are aware of families getting ready to hit the skies, and have tailored their threats accordingly. Several trip-related scams are doing the rounds right now, and we’re going to highlight some of the more prevalent ones.

Fake customer support on social media is one current major area of concern. This is often aimed at banking customers looking for assistance. The risk of this has increased since Twitter started charging for blue checkmarks, as many legitimate accounts now sport no visible means of authentication. 

With popular airline easyJet cancelling 1,700 flights between July and September due to air traffic control delays, fraudsters have been busy creating fake support accounts. For people stuck in an airport and hearing the flight is off, or getting ready to make the trip, their first reaction may be to hop onto social media for breaking advice and information.

Bogus airline accounts are directing potential victims to fake airline websites and other portals in an effort to steal credentials (and most likely any payment data they can scoop up along the way). There’s currently somewhere in the realm of 100+ Twitter accounts using the easyJet branding. Of those, at least two have a gold verified check mark, which is used exclusively for approved business accounts. Here’s the main easyJet account, for example.

The rest are a combination of “temporarily restricted” accounts, accounts set to private (and so not visible to non-followers), private individuals, video game themed(!), and more. Many of the accounts claim to be customer support and ask Twitter users to send them their mobile number for assistance. If you’re not talking to the verified account, or directed somewhere by that account, you may end up running into trouble.

Meanwhile, scammers elsewhere are targeting folks looking to dodge some of the Arizona heat. Phony travel agents lie in wait with fake websites and non-existent plane tickets. These sites appear in search engine results or random emails promising fantastic prices. Once you’ve paid and turned up on the day of the flight, or even just tried to check in online the day before, you’re in for a nasty surprise.

The fraudster has merely reserved a seat, as opposed to booking the desired ticket. Meanwhile, they were off using your payment details to try and buy who knows what. A fraught call to your bank or credit card’s customer service department now beckons.

If you’re looking for good deals, airlines and travel agents will be able to direct you to legitimate ticket sources. If you stumble upon a site you’ve not heard of, look up reviews and keep an eye out for any reference to wrong doing. One word of caution: you may also have to check the legitimacy of the reviews, too.

A final warning: be careful what you post online. We’ve previously talked about how posting up a photograph of your home environment can reveal important information. An envelope with your address on it, a box with your full name, even being geolocated because of traceable landmarks outside of your window. Well, the same warning applies to your airplane tickets too. If you’re getting into the holiday swing of things, keep all the small bits and pieces of data related to your trip out of shot. Using the information on your boarding ticket, or even your passport, people up to no good can get a good handle on who you are and what you’re doing.

If you’re revealing your name, frequent flyer number, and passport information online then you’re a possible meal ticket for scammers. This isn’t even necessarily a case of stealing your banking data. They can potentially social engineer their way into accessing your account under the guise of you having “forgotten” your login details. Maybe they’ll sell your frequent flyer account on, or do something else to cause you a headache. They may even just wait a few months and then send a targeted phish. The sky really is the limit with scams, so keep your personal info private.



Docker Hub images found to expose secrets and private keys

Numerous Docker images shared on Docker Hub are exposing sensitive data, according to a study conducted by researchers at the German university RWTH Aachen. Needless to say, this poses a significant security risk.

In traditional software development, programmers code an application in one computing environment only to find bugs or errors when it’s deployed in another environment. To solve this, developers bundle their application together with all its related configuration files, libraries, and dependencies required to run in containers hosted in the cloud. This method is called containerization.

Docker images are one of the most common methods used in containerization. Docker is an open-source project that automates the deployment of applications inside software containers. Docker Hub is a cloud-based repository which facilitates the widespread use and sharing of Docker images. Docker Hub comprises more than 9,000,000 images anybody can use.

Since containerization started out as a means for efficient development and cost savings and quickly ballooned into adoption and implementation, security was unfortunately a low priority in its design—as it often is in tech innovation.

The researchers analyzed 337,171 images from Docker Hub and 8,076 private registries and found that more than 1 in 12 of these images contained sensitive information, including private keys and API secrets. To be precise, they found 52,107 private keys and 3,158 leaked API secrets. This is not just a huge security risk, the researchers documented that the leaked keys were actually used in the wild.

The researchers discovered that some of the exposed keys were in use, which means elements such as certificates were also at risk. In fact, more than 22,000 compromised certificates were found to be relying on the exposed private keys. That includes more than 7,500 private and more than 1,000 public certification authority (CA) signed certificates.

Most of the secrets were found in images of single owners, which makes sense assuming users do not share their secrets intentionally. The researchers also found that image creators upload secrets to Docker Hub more often than to private registries (9% vs 6.3%). This could be an indication that private registry users have a better security understanding, maybe due to a deeper technical understanding required for hosting a registry.

To highlight the security implications around internet communications, the researchers found 216 Session Initiation Protocol (SIP) hosts used for telephony as well as 8,165 SMTP, 1,516 POP3, and 1,798 IMAP servers used for email. Since these hosts are susceptible to impersonation attacks due to their leaked private keys, attackers can eavesdrop, relay, or alter the sensitive data transmitted here.

All in all it poses a massive problem when image creators are unaware or careless about sharing secrets. Together these exposed secrets create a huge attack surface.

Mitigation

Secrets can be copied:

  • Actively, when copying secrets from their local file system into the image.
  • Passively, by using images with secrets included during creation of the image.

Both behaviors lead to compromised secrets and affect the security of both image creators and users, but they need a different approach for mitigation.

On the one hand, image creators and editors must be warned that they are uploading their secrets to publicly reachable Docker registries. On the other hand, when deploying containers based on downloaded images, users should be informed about included secrets, especially private keys, which might already be compromised, putting the authentication of deployed services at stake. When uploading or downloading an image, tools like TruffleHog or SecretScanner could then scan all layers of the image for included secrets.
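An added example, not the researchers’ tooling and not TruffleHog or SecretScanner, of why every layer has to be scanned: it walks a `docker save` archive (manifest.json plus one tar per layer), matches private-key and API-secret patterns in each layer, and flags secrets that a later layer “deleted” with a whiteout marker but which still ship with the image. The sample image is constructed inline and the secret patterns are assumptions for the example.

```python
import io
import json
import re
import tarfile
from dataclasses import dataclass

# Secret classes the study counted: private keys and API secrets. The AWS access
# key ID shape stands in for "API secret" here (an assumption; add patterns for
# other providers as needed).
PATTERNS = {
    "private_key": re.compile(
        rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
}


@dataclass
class Finding:
    layer: int            # index into the manifest's Layers list (0 = lowest layer)
    path: str             # file path inside that layer
    kind: str             # which PATTERNS entry matched
    deleted_later: bool   # a later layer whiteouts the file, but the bytes still ship


def _whiteouts(layer_tar: tarfile.TarFile) -> set:
    """Paths a layer removes, reconstructed from OverlayFS-style '.wh.<name>' markers."""
    removed = set()
    for member in layer_tar.getmembers():
        parent, _, base = member.name.rpartition("/")
        if base.startswith(".wh."):
            removed.add((parent + "/" if parent else "") + base[len(".wh."):])
    return removed


def scan_image(image_bytes: bytes, max_file_size: int = 1 << 20) -> list:
    """Scan every layer of a 'docker save' archive.

    Scanning layers separately is the point: a secret COPY'd in one layer and
    rm'd in a later one is still inside the image and is still pulled by users.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        layer_tars = [
            tarfile.open(fileobj=io.BytesIO(outer.extractfile(name).read()))
            for name in manifest[0]["Layers"]
        ]
    whiteouts = [_whiteouts(t) for t in layer_tars]
    for idx, layer in enumerate(layer_tars):
        for member in layer.getmembers():
            if not member.isfile() or member.size > max_file_size:
                continue
            content = layer.extractfile(member).read()
            for kind, pattern in PATTERNS.items():
                if pattern.search(content):
                    removed = any(member.name in w for w in whiteouts[idx + 1:])
                    findings.append(Finding(idx, member.name, kind, removed))
    return findings


def _tar_bytes(files: dict) -> bytes:
    """Build an uncompressed tar archive in memory from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed two-layer image (not from Docker Hub): layer 0 copies a key
    and a config in, layer 1 'deletes' the key the way 'RUN rm' would."""
    fake_key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"CONSTRUCTED-NOT-A-REAL-KEY\n"
                b"-----END RSA PRIVATE KEY-----\n")
    layer0 = _tar_bytes({
        "app/main.py": b"print('hello')\n",
        "app/.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",  # AWS's documented example ID
        "root/.ssh/id_rsa": fake_key,
    })
    layer1 = _tar_bytes({"root/.ssh/.wh.id_rsa": b""})  # whiteout marker only
    manifest = json.dumps([{"Config": "config.json",
                            "RepoTags": ["example/app:latest"],
                            "Layers": ["layer0/layer.tar", "layer1/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": manifest, "config.json": b"{}",
                       "layer0/layer.tar": layer0, "layer1/layer.tar": layer1})


if __name__ == "__main__":
    for f in scan_image(build_sample_image()):
        note = " (removed in a later layer, still present)" if f.deleted_later else ""
        print(f"layer {f.layer}: {f.path}: {f.kind}{note}")
```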



Microsoft validation error allowed state actor to access user email of government agencies and others

Microsoft is getting criticized for the way in which it handled a serious security incident that allowed a suspected Chinese espionage group to access user email from approximately 25 organizations, including government agencies and related consumer accounts in the public cloud. The attacks were targeted and lasted for about a month before they were first discovered.

The investigation started on June 16, 2023, when Microsoft was notified by a customer about anomalous Exchange Online data access. The investigation found that the customer’s Exchange Online data was accessed using Outlook Web Access (OWA).

Microsoft analysis attributed the activity to a group called Storm-0558 based on established prior tactics, techniques, and procedures (TTPs). Attribution is based on Microsoft Threat Intelligence assessment that Storm-0558 is a China-based threat actor with activities and methods consistent with espionage objectives.

At first Microsoft assumed that the spies were using legitimate Azure Active Directory (Azure AD) tokens stolen by malware. But further analysis showed that Storm-0558 was forging Azure AD tokens using an acquired Microsoft account (MSA) consumer signing key to access OWA and Outlook.com.

This was only possible because of a validation error in Microsoft code. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. Microsoft says it still doesn’t know how Storm-0558 stole the inactive MSA signing key.

An authentication token allows internet users to access applications, services, websites, and application programming interfaces (APIs) without having to enter their login credentials each time they visit. Instead, the user logs in once, and a unique token is generated and shared with connected applications or websites to verify their identity.

These tokens are validated with a signing key, so with access to such a key an attacker is able to create valid tokens to access the associated services. Storm-0558 was able to obtain new access tokens by presenting one previously issued from the GetAccessTokenForResource Application Programming Interface (API) due to a design flaw. This flaw in the API has since been fixed.
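The validation error described above comes down to key scoping: a token verifier that looks up signing keys across both the consumer (MSA) and enterprise (Azure AD) key sets will accept a token signed with a consumer key for an enterprise tenant. The following is an added example, not Microsoft's code: a minimal HMAC-signed stand-in for the real RSA-signed tokens, with a flawed verifier beside a corrected one that only consults the enterprise key set and checks the issuer claim. All key ids, secrets and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed key sets standing in for the two separately managed issuers.
CONSUMER_KEYS: Dict[str, bytes] = {"msa-key-1": b"consumer-secret-constructed"}
ENTERPRISE_KEYS: Dict[str, bytes] = {"aad-key-1": b"enterprise-secret-constructed"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Produce header.payload.signature, HS256-style (toy stand-in for JWT)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def _verify(token: str, keyring: Dict[str, bytes]) -> Optional[dict]:
    """Return the claims if the token's kid resolves in keyring and the MAC matches."""
    header, body, sig = token.split(".")
    key = keyring.get(json.loads(_unb64(header))["kid"])
    if key is None:
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return json.loads(_unb64(body)) if hmac.compare_digest(expected, _unb64(sig)) else None


def validate_enterprise_flawed(token: str) -> Optional[dict]:
    # Flawed: the kid is resolved across both key systems, so a token signed
    # with a consumer key is accepted for an enterprise (Azure AD) resource.
    return _verify(token, {**CONSUMER_KEYS, **ENTERPRISE_KEYS})


def validate_enterprise_fixed(token: str) -> Optional[dict]:
    # Fixed: only enterprise keys are trusted, and the issuer claim must agree.
    claims = _verify(token, ENTERPRISE_KEYS)
    return claims if claims and claims.get("iss") == "enterprise" else None


def consumer_key_token_for_enterprise() -> str:
    """What a holder of the consumer key can mint: enterprise claims, consumer signature."""
    return sign_token("msa-key-1", CONSUMER_KEYS["msa-key-1"],
                      {"iss": "enterprise", "tid": "example-tenant", "sub": "user@example.com"})
```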

When asked, China denied it was involved and basically said people in glass houses shouldn’t throw stones.

Tweeted quote:

“We noted the reports saying that the spokesman for the White House National Security Council claimed that US officials found hackers linked to China took advantage of a security weakness in Microsoft’s cloud-computing to break into unclassified email accounts of the US, and the US has notified Microsoft about this. I would like to say that in the past, it was usually the world’s No.1 hacking group–the US National Security Agency, which also serves as the US Cyber Force Command, that released such kind of disinformation. This time it was the US National Security Council that made a public statement. Whatever agency spoke, it does not change the fact that the US is the world’s biggest hacking empire and global cyber thief.”

What has been done

Microsoft says it has completed mitigation of this attack for all customers and has not found any evidence of further access. The impacted customers have been contacted so no additional customer action is needed to prevent hackers from using the same tactics to access their Exchange or Outlook accounts.

On June 26, OWA stopped accepting tokens issued from GetAccessTokensForResource for renewal, which stopped Storm-0558’s ability to use tokens issued from the Azure program.

On June 27, Microsoft blocked the usage of tokens signed with the acquired MSA key in OWA.

On June 29, Microsoft completed replacement of the key to prevent the threat actor from using it to forge new tokens.

Microsoft blocked the use of the stolen private signing key for all impacted customers on July 3, 2023 and says it has “substantially hardened key issuance systems since the acquired MSA key was initially issued.”



FakeSG enters the ‘FakeUpdates’ arena to deliver NetSupport RAT

Over 5 years ago, we began tracking a new campaign that we called FakeUpdates (also known as SocGholish) that used compromised websites to trick users into running a fake browser update. Instead, victims would end up infecting their computers with the NetSupport RAT, allowing threat actors to gain remote access and deliver additional payloads. As we have seen over the years, SocGholish is an established player that has managed to compromise countless victims and deliver ransomware after facilitating the installation of tools like Cobalt Strike or Mimikatz.

Now, there is a potential new competitor in the “fake updates” landscape that looks strangely familiar. The new campaign, which we call FakeSG, also relies on hacked WordPress websites to display a custom landing page mimicking the victim’s browser. The threat actors are distributing NetSupport RAT either as a zipped download or via an Internet shortcut. While FakeSG appears to be a newcomer, it uses different layers of obfuscation and delivery techniques that make it a threat to take seriously and one that could potentially rival SocGholish.

Campaign similarities

We first heard of this new campaign thanks to a Mastodon post by Randy McEoin. The tactics, techniques and procedures (TTPs) are very similar to those of SocGholish and it would be easy to think the two are related. In fact, this chain also leads to NetSupport RAT. However, the template source code is quite different and the payload delivery uses different infrastructure. As a result, we decided to call this variant FakeSG.

Original public discovery

Templates

FakeSG has different browser templates depending on which browser the victim is running. The themed “updates” look very professional and are more up to date than their SocGholish counterparts.

Fake Chrome update

Fake Edge update

Fake Firefox update

Website injections

Compromised websites (WordPress appears to be the top target) are injected with a code snippet that replaces the current webpage with the aforementioned fake updates templates. The source code is loaded from one of several domains impersonating Google (google-analytiks[.]com) or Adobe (updateadobeflash[.]website):

Malicious code injected into hacked websites

That code contains all the web elements (images, fonts, text) needed to render the fake browser update page. We should note that SocGholish used to retrieve media files from separate web requests until more recently when it started using self-contained Base64 encoded images.

Source code for Chrome template

Installation flow

There are different installation flows for this campaign, but we will focus on the one that uses a URL shortcut. The decoy installer (Install%20Updater%20(V104.25.151)-stable.url) is an Internet shortcut downloaded from another compromised WordPress site.

Malicious URL shortcut

This shortcut uses the WebDAV HTTP protocol extension to retrieve the file launcher-upd.hta from a remote server:

WebDav malicious HTA

This heavily obfuscated script is responsible for the execution of PowerShell that downloads the final malware payload (NetSupport RAT).

Source of malicious HTA file

Malwarebytes’s EDR shows the full attack chain (please click to enlarge):

Killchain viewed by Malwarebytes EDR

The NetSupport RAT files are hosted on the same compromised WordPress site used earlier to download the Internet shortcut. The RAT’s main binary is launched from “C:\Users\%username%\AppData\Roaming\BranScale\client32.exe”.

NetSupport RAT

Following a successful infection, callbacks are made to the RAT’s command and control server at 94.158.247[.]27.

Web traffic from full infection

Roommates

Fake browser updates are a very common decoy used by malware authors. In addition to SocGholish, the Domen toolkit was a well-built framework that emerged in 2019, while another campaign, known as sczriptzzbn, dropped SolarMarker; both also led to the NetSupport RAT. Initial access brokers use tools like NetSupport RAT to gather information and perform additional actions on victims of interest. Stolen credentials can be resold to other threat actors tied to ransomware gangs.

It is interesting to see another contender in this relatively small space. While there is a very large number of vulnerable websites, we already see some that have been injected with multiple different malicious code snippets. From a visitor’s point of view, this means there could be more than one redirect, but the “winner” will be the one whose malicious JavaScript code executes first.

We will continue to monitor these campaigns and in particular SocGholish to see if the web delivery landscape changes. Malwarebytes customers are protected as we detect the infrastructure and final payload used in these attacks.

EDR detection

Indicators of Compromise (IOCs)

FakeSG infrastructure

178.159.37[.]73
google-analytiks[.]com
googletagmanagar[.]com
updateadobeflash[.]website

WebDav launcher

206[.]71[.]148[.]110
206[.]71[.]148[.]110/Downloads/launcher-upd[.]hta

NetSupport RAT

pietrangelo[.]it/wp-content/uploads/2014/04/BranScale[.]zip
pietrangelo[.]it/wp-content/uploads/2014/04/client32[.]exe

NetSupport RAT C2

94[.]158[.]247[.]27

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command and Scripting Interpreter | PowerShell used to download payload
Execution | T1059.001 | PowerShell | Starts POWERSHELL.EXE for command execution
Execution | T1059.003 | Windows Command Shell | Starts CMD.EXE for command execution
Privilege escalation | T1548 | Abuse Elevation Control Mechanism | Encoded PowerShell
Privilege escalation | T1548.002 | Bypass User Account Control |
Defense evasion | T1564 | Hide Artifacts | Encoded PowerShell
Defense evasion | T1218 | System Binary Proxy Execution | Drops CMSTP.inf in %temp%
Defense evasion | T1027 | Obfuscated Files or Information | Drops th5epzxc.cmdline in %temp%
Defense evasion | T1112 | Modify Registry | Adds key to registry: HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command /f /ve /t REG_SZ /d C:\Users\admin\AppData\Roaming\BranScale\client32.exe
Defense evasion | T1548 | Abuse Elevation Control Mechanism |
Defense evasion | T1140 | Deobfuscate/Decode Files or Information | Encoded PowerShell
Discovery | T1082 | System Information Discovery | Gets computer name
C&C | T1071 | Application Layer Protocol | NetSupport RAT C2 communication
C&C | T1571 | Non-Standard Port | Port destination: 5051
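The T1112 row above records client32.exe being registered under a CLSID's shell\open\command key, the same registry location the T1548.002 UAC bypass row relies on. The following detection logic is an added example, not Malwarebytes' code: it scans Sysmon-style registry value-set events (constructed here, in a simplified "key=value; " line format) and flags any CLSID shell\open\command handler pointed at a binary in a user-writable directory, whichever hive view the event uses.

```python
import re
from typing import Dict, List

# Any hive path ending in CLSID\{GUID}\shell\open\command (HKCR, HKCU\Software\Classes,
# HKU\<sid>\Software\Classes or HKLM\SOFTWARE\Classes all collapse to this suffix).
COM_COMMAND_RE = re.compile(
    r"CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\shell\\open\\command", re.IGNORECASE)
# Locations an unprivileged user can write to; a COM handler there is suspicious.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split a constructed 'Field=value; Field=value' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("; "))


def flag_com_hijacks(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per SetValue event that rewrites a CLSID open command
    to a user-writable path."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventType") != "SetValue":
            continue                      # key creation alone carries no handler path
        match = COM_COMMAND_RE.search(ev.get("TargetObject", ""))
        if not match:
            continue
        command = ev.get("Details", "")
        if USER_WRITABLE_RE.search(command):
            hits.append({"clsid": match.group("clsid").upper(),
                         "command": command, "image": ev.get("Image", "")})
    return hits


# Constructed sample telemetry, not captured events. The first line mirrors the
# registry modification listed in the table; the others are benign controls.
SAMPLE_EVENTS = [
    "EventType=SetValue; Image=C:\\Windows\\System32\\reg.exe; "
    "TargetObject=HKCR\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open\\command\\(Default); "
    "Details=C:\\Users\\admin\\AppData\\Roaming\\BranScale\\client32.exe",
    "EventType=SetValue; Image=C:\\Windows\\System32\\msiexec.exe; "
    "TargetObject=HKLM\\SOFTWARE\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}\\shell\\open\\command\\(Default); "
    "Details=C:\\Program Files\\Vendor\\app.exe",
    "EventType=CreateKey; Image=C:\\Windows\\explorer.exe; "
    "TargetObject=HKCU\\Software\\Classes\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open\\command; "
    "Details=",
]

if __name__ == "__main__":
    for hit in flag_com_hijacks(SAMPLE_EVENTS):
        print(hit)
```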
