Links

https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html

https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/

https://www.infosecurity-magazine.com/news/education-sector-highest/

https://www.bleepingcomputer.com/news/security/breachforums-database-and-private-chats-for-sale-in-hacker-data-breach

A Novel Exploit for the “search-ms” Protocol

• Trellix
  • Advanced Research Center
  • blog post July 26
  • uncovered a novel attack technique leveraging the “search-ms” URI protocol handler.
    • emerged as a potent initial attack vector, it is important that security teams anticipate a potential increase in attacks using this method: it offers threat actors a convenient way to deliver malicious payloads while evading traditional security defenses.
• search-ms
  • Windows users conduct search operations via a URI.
    • Uniform Resource Identifier
  • it is a benign operation (usually)
    • combined with another vulnerability such as within Windows documents, attackers can potentially use it as a part of a broader phishing or malware campaign.
• Attack
  • Observed utilization in Phishing campaigns.
    • Usually, phishing language
    • Pretends to be an attachment in the email.
      • HTML or PDF
      • Shows with a trusted logo.
        • Adobe, Microsoft, Etc.
      • Link is really a link to another site.
  • threat actors create malicious Microsoft Word documents.
    • that exploit vulnerabilities in Microsoft Office and Windows
  • triggering the search-ms protocol handler to open a remote Windows Search window.
  • Window lists executables hosted on a remote SMB share.
    • disguised as something innocent like “Critical Updates.
    • unwittingly install malware onto their system
    • gives the user the illusion of trust.
    • user is more likely to open the file, assuming it is from their own system.
• Remediation
  • proposed is to remove the search-ms protocol handler from the Windows Registry. Doing so will prevent the malicious documents from triggering the “search-ms” command, thus protecting the user from this attack vector.

What is Nitrogen Malvertising

• Malware using Advertising Campaigns
  • New campaign
    • Exploiting Google Search and Bing Ads
  • Targets Technology and Non-Profits in North America
  • Pay-per-click.
    • Not new
    • As they are paid, they appear prominently on the page.
      • Mostly over the actual site
    • popular tactic among threat actors
• Campaign
  • Buy ads pretending to be popular brands.
    • AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP
  • Taken to a compromised WordPress page.
    • Made to look like a legitimate site.
  • Download the file.
    • Run and Infected
• Nitrogen Malware
  • When installer is running
    • Side loads a NitrogenInstaller.DLL file.
      • Has a legitimate installer application.
      • Along with malicious phyton
    • Python package uses Dynamic Link Library (DLL) preloading.
      • execute the malicious NitrogenStager file.
        • connects to the command-and-control (C2) servers.
          • drop both a Meterpreter shell and Cobalt Strike Beacons
    • uncommon export forwarding and DLL preloading techniques to mask their malicious activity and hinder analysis.

Education Sector Has Highest Share of Ransomware Victims

• Sophos
  • The State of Ransomware in Education 2023
  • 400 IT and cybersecurity leaders globally
    • split evenly across schools and higher education institutions.
• Results
  • 79% of higher education institutions were compromised by ransomware in 2022.
    • up from 64% on 2021
  • 80% of “lower” education institutions were compromised by ransomware in the past year.
    • Was 56% in 2021
  • Exploits and compromised credentials accounted.
    • 77% of ransomware attacks against higher education organizations
    • 65% of attacks against lower education organizations
  • compromised credentials.
    • Higer Ed 37%
    • Lower Ed 36%
    • 29% average
• Glaring Problems
  • The lack of adoption of multi-factor authentication (MFA) technology in the education sector makes them even more at risk of this method of compromise.
  • High ransom payments
    • Higer Education – 56%
    • Lower Education – 47%
  • Not great on backups
    • 63%
      • 70% average

BreachForums database and private chats for sale

• Breach Forums
  • large hacking and data leak forum
    • notorious
      • hosting
      • leaking
      • selling data stolen
  • Clear web Was seized by multiple international agencies.
  • Site administrator Connor Brian Fitzpatrick was arrested.
  • Baphomet (other side admin) shut down.
    • Opened a clone site.
  • Redirected to sized domain banner page.
• HaveIBeenPwned
  • July 26
    • Visitors can check if their information was exposed in a data breach of the Breached cybercrime forum.
  • November 2022
    • “BreachForums” was itself, breached.
• Breached Breach Forum
  • 212k records
    • Usernames
    • IP
    • email addresses
    • private messages between site members
      • potentially revealing information on past attacks, identities, and other useful information.
    • Passwords
    • Payment information
      • payments made to purchase forum ranks (membership levels with extra benefits) and credits (a form of currency used on the forum)
      • These payments were processed through CoinBase Commerce or Sellix, with the Coinbase transactions including links to order confirmations containing sensitive information, such as cryptocurrency addresses and Coinbase payment IDs.
      • This cryptocurrency data can be useful to blockchain analytics companies, who can use the cryptocurrency addresses to link threat actors to criminal activity.
  • stored as argon2 hashes.
• Tables Turned
  • database is currently being sold.
    • they shared the database with Have I Been Pwned to prove its authenticity to potential buyers.
    • The seller said that only they, Baphomet, and Pompompurin have possession of the database.
    • Selling to only one person for $100,000 – $150,000 and that it contains a snapshot of the entire database taken on November 29th, 2022.
  • Previous Breached admin Baphomet has also confirmed the authenticity of the database, warning that its sale is part of a “continued campaign attempting to destroy the community.
    • Baphomet said, “Judging by the 212k users, this is likely an older database months before the closing of BFv1, seeing that my last backup of the forum has 336k users.”