CyberSecurity News Byte

Hosted By Jim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 66: July 31, 2023

Links

https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html

https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/

https://www.infosecurity-magazine.com/news/education-sector-highest/

https://www.bleepingcomputer.com/news/security/breachforums-database-and-private-chats-for-sale-in-hacker-data-breach

A Novel Exploit for the “search-ms” Protocol

  • Trellix
    • Advanced Research Center
    • blog post July 26
    • uncovered a novel attack technique leveraging the “search-ms” URI protocol handler.
      • Has emerged as a potent initial attack vector; security teams should anticipate an increase in attacks using this method, since it gives threat actors a convenient way to deliver malicious payloads while evading traditional security defenses.
  • search-ms
    • Windows users conduct search operations via a URI.
      • Uniform Resource Identifier
    • It is (usually) a benign operation.
      • Combined with another vulnerability, such as one in Windows documents, attackers can potentially use it as part of a broader phishing or malware campaign.
  • Attack
    • Observed use in phishing campaigns.
      • Uses typical phishing language.
      • Pretends to be an attachment in the email.
        • HTML or PDF
        • Shows with a trusted logo.
          • Adobe, Microsoft, Etc.
        • Link is really a link to another site.
    • Threat actors create malicious Microsoft Word documents.
      • They exploit vulnerabilities in Microsoft Office and Windows,
    • triggering the search-ms protocol handler to open a remote Windows Search window.
    • The window lists executables hosted on a remote SMB share.
      • Disguised as something innocent like “Critical Updates.”
      • Users unwittingly install malware onto their system.
      • Gives the user the illusion of trust.
      • The user is more likely to open the file, assuming it comes from their own system.
  • Remediation
    • The proposed fix is to remove the search-ms protocol handler from the Windows Registry. Doing so prevents the malicious documents from triggering the “search-ms” command, thus protecting the user from this attack vector.
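Two defender-side checks for the search-ms technique summarized above, written as an added example for this page (not code from the podcast or from Trellix). The first function flags search-ms URIs in extracted text (an HTML attachment, or the XML inside an unzipped .docx) whose location is a UNC share; the `crumb=location:` form used in the constructed sample is an assumption about the URI layout, not something the episode states. The second implements the remediation the episode mentions, assuming the handler is registered at HKEY_CLASSES_ROOT\search-ms, and backs the key up before deleting it; it needs an elevated PowerShell session.

```powershell
# Added example, not code from the podcast or from Trellix.
#   Find-RemoteSearchMsUri  - flag search-ms URIs whose location is a UNC share (\\host\share).
#   Remove-SearchMsHandler  - back up and delete the handler registration (assumed key:
#                             HKEY_CLASSES_ROOT\search-ms). Run elevated.

function Find-RemoteSearchMsUri {
    param([Parameter(Mandatory)][string]$Content)
    $hits = @()
    # Grab the scheme and everything up to a quote, whitespace or tag delimiter.
    foreach ($m in [regex]::Matches($Content, 'search-ms:[^"''\s<>]+')) {
        # Percent-decode first so a \\ hidden as %5C%5C is still caught.
        $decoded = [uri]::UnescapeDataString($m.Value)
        if ($decoded -match '\\\\[^\\]+\\') {
            $hits += [pscustomobject]@{ Uri = $m.Value; Decoded = $decoded }
        }
    }
    return $hits
}

$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\search-ms'

function Test-SearchMsHandler {
    # True when the search-ms URI scheme is still registered; a URI scheme key
    # carries an (empty) 'URL Protocol' value.
    if (-not (Test-Path -Path $HandlerKey)) { return $false }
    $props = Get-ItemProperty -Path $HandlerKey -ErrorAction SilentlyContinue
    return ($null -ne $props) -and ($props.PSObject.Properties.Name -contains 'URL Protocol')
}

function Remove-SearchMsHandler {
    param([string]$BackupPath = "$env:TEMP\search-ms-handler.reg", [switch]$WhatIf)
    if (-not (Test-SearchMsHandler)) {
        Write-Output 'search-ms handler is not registered; nothing to do.'
        return
    }
    # reg.exe export produces a .reg file that restores the handler if ever needed.
    & reg.exe export 'HKCR\search-ms' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed (reg.exe exit code $LASTEXITCODE)" }
    Write-Output "Handler exported to $BackupPath"
    Remove-Item -Path $HandlerKey -Recurse -Force -WhatIf:$WhatIf
    if (-not $WhatIf -and (Test-SearchMsHandler)) {
        throw 'search-ms handler still present after removal; check permissions.'
    }
}

# Constructed sample: one local search link and one that points at a remote share.
$sample = @'
<a href="search-ms:query=report&crumb=location:C%3A%5CUsers%5CPublic">local</a>
<a href="search-ms:query=Critical%20Updates&crumb=location:%5C%5Chost.example%5Cshare">remote</a>
'@
Find-RemoteSearchMsUri -Content $sample | Format-Table -AutoSize   # reports only the second link

# Dry run first, then the real removal:
#   Remove-SearchMsHandler -WhatIf
#   Remove-SearchMsHandler
```

Keep the exported .reg file: removing the handler also disables legitimate search-ms links (for example, saved searches), so an environment that depends on them can re-import the key.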

What is Nitrogen Malvertising?

  • Malware using Advertising Campaigns
    • New campaign
      • Exploiting Google Search and Bing Ads
    • Targets Technology and Non-Profits in North America
    • Pay-per-click ads.
      • Not new.
      • Because they are paid, they appear prominently on the page.
        • Mostly above the actual site.
      • A popular tactic among threat actors.
  • Campaign
    • Buy ads pretending to be popular brands.
      • AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP
    • The victim is taken to a compromised WordPress page.
      • Made to look like a legitimate site.
    • The victim downloads the file.
      • Runs it and is infected.
  • Nitrogen Malware
    • When the installer is running
      • It side-loads a NitrogenInstaller.DLL file.
        • Bundled with a legitimate installer application.
        • Along with malicious Python.
      • The Python package uses Dynamic Link Library (DLL) preloading.
        • Executes the malicious NitrogenStager file.
          • Connects to the command-and-control (C2) servers.
            • Drops both a Meterpreter shell and Cobalt Strike Beacons.
      • Uses uncommon export forwarding and DLL preloading techniques to mask malicious activity and hinder analysis.
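The Nitrogen bundle described above pairs a legitimate installer with a malicious DLL placed beside it. The following added example (not code from the podcast or from Sophos) is a triage check for that shape: it walks a directory of downloaded installer files and lists every DLL sitting next to an executable that does not carry a valid Authenticode signature. The directory path is an assumption; a hit is a candidate for review, not proof of side-loading, since plenty of legitimate software ships unsigned DLLs.

```powershell
# Added example, not code from the podcast or from Sophos.
# Lists DLLs that sit beside an .exe but lack a valid Authenticode signature,
# the layout of a legitimate-installer-plus-malicious-DLL side-loading bundle.

function Get-UnsignedSideloadCandidate {
    param([Parameter(Mandatory)][string]$Directory)
    $exes = Get-ChildItem -Path $Directory -Filter *.exe -File -Recurse
    $results = foreach ($exe in $exes) {
        # Only DLLs in the same folder as the executable are loaded first by the
        # default DLL search order, so those are the ones worth flagging.
        $dlls = Get-ChildItem -Path $exe.DirectoryName -Filter *.dll -File
        foreach ($dll in $dlls) {
            $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Executable = $exe.FullName
                    Dll        = $dll.FullName
                    SigStatus  = $sig.Status
                    Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                    Sha256     = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
                }
            }
        }
    }
    return $results
}

# Usage (path is an assumption): point it at the extracted download before running anything.
Get-UnsignedSideloadCandidate -Directory "$env:USERPROFILE\Downloads\installer" | Format-Table -AutoSize
```

The SHA256 column is there so a flagged DLL can be checked against threat-intelligence sources before the installer is executed; comparing the signer of the executable with the signer of its neighbouring DLLs is a quick second filter, since a vendor's own DLLs are normally signed by the same certificate.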

Education Sector Has Highest Share of Ransomware Victims

  • Sophos
    • The State of Ransomware in Education 2023
    • Surveyed 400 IT and cybersecurity leaders globally.
      • Split evenly across schools and higher education institutions.
  • Results
    • 79% of higher education institutions were compromised by ransomware in 2022.
      • Up from 64% in 2021.
    • 80% of “lower” education institutions were compromised by ransomware in the past year.
      • Was 56% in 2021.
    • Exploits and compromised credentials accounted for:
      • 77% of ransomware attacks against higher education organizations
      • 65% of attacks against lower education organizations
    • Compromised credentials alone:
      • Higher Ed 37%
      • Lower Ed 36%
      • 29% cross-sector average
  • Glaring Problems
    • The lack of adoption of multi-factor authentication (MFA) in the education sector makes it even more at risk from this method of compromise.
    • High rate of ransom payments
      • Higher Education – 56%
      • Lower Education – 47%
    • Not great on backups
      • 63% recovered from backups
        • 70% cross-sector average

BreachForums database and private chats for sale

  • BreachForums
    • Large hacking and data leak forum
      • Notorious for
        • hosting
        • leaking
        • selling stolen data
    • The clear web site was seized by multiple international agencies.
    • Site administrator Connor Brian Fitzpatrick was arrested.
    • Baphomet (the other site admin) shut it down.
      • Opened a clone site.
    • Now redirects to a seized-domain banner page.
  • HaveIBeenPwned
    • July 26
      • Visitors can check if their information was exposed in a data breach of the Breached cybercrime forum.
    • November 2022
      • “BreachForums” was itself breached.
  • The BreachForums breach
    • 212k records, including
      • Usernames
      • IP
      • email addresses
      • private messages between site members
        • potentially revealing information on past attacks, identities, and other useful information.
      • Passwords
      • Payment information
        • payments made to purchase forum ranks (membership levels with extra benefits) and credits (a form of currency used on the forum)
        • These payments were processed through CoinBase Commerce or Sellix, with the Coinbase transactions including links to order confirmations containing sensitive information, such as cryptocurrency addresses and Coinbase payment IDs.
        • This cryptocurrency data can be useful to blockchain analytics companies, who can use the cryptocurrency addresses to link threat actors to criminal activity.
    • Passwords were stored as argon2 hashes.
  • Tables Turned
    • The database is currently being sold.
      • The seller shared the database with Have I Been Pwned to prove its authenticity to potential buyers.
      • The seller said that only they, Baphomet, and Pompompurin have possession of the database.
      • Selling to only one person for $100,000 – $150,000; it contains a snapshot of the entire database taken on November 29th, 2022.
    • Previous Breached admin Baphomet has also confirmed the authenticity of the database, warning that its sale is part of a “continued campaign attempting to destroy the community.”
      • Baphomet said, “Judging by the 212k users, this is likely an older database months before the closing of BFv1, seeing that my last backup of the forum has 336k users.”