CyberSecurity News Byte

Hosted by Jim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 66: July 31, 2023

Links

https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html

https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/

https://www.infosecurity-magazine.com/news/education-sector-highest/

https://www.bleepingcomputer.com/news/security/breachforums-database-and-private-chats-for-sale-in-hacker-data-breach

A Novel Exploit for the “search-ms” Protocol

  • Trellix
    • Advanced Research Center
    • blog post July 26
    • uncovered a novel attack technique leveraging the “search-ms” URI protocol handler.
      • It has emerged as a potent initial attack vector; security teams should anticipate an increase in attacks using this method, since it offers threat actors a convenient way to deliver malicious payloads while evading traditional security defenses.
  • search-ms
    • Lets Windows users conduct search operations via a URI.
      • Uniform Resource Identifier
    • It is (usually) a benign operation.
      • Combined with another vulnerability, such as one in Windows documents, attackers can use it as part of a broader phishing or malware campaign.
  • Attack
    • Observed in phishing campaigns.
      • Uses the usual phishing language.
      • Pretends to be an attachment in the email.
        • HTML or PDF
        • Shows a trusted logo.
          • Adobe, Microsoft, etc.
        • The “attachment” is really a link to another site.
    • Threat actors create malicious Microsoft Word documents.
      • They exploit vulnerabilities in Microsoft Office and Windows,
    • triggering the search-ms protocol handler to open a remote Windows Search window.
    • The window lists executables hosted on a remote SMB share.
      • Disguised as something innocent like “Critical Updates.”
      • Victims unwittingly install malware onto their system.
      • The search window gives the user the illusion of trust.
      • The user is more likely to open the file, assuming it comes from their own system.
  • Remediation
    • The proposed remediation is to remove the search-ms protocol handler from the Windows Registry. Doing so prevents malicious documents from triggering the “search-ms” command, closing this attack vector for the user.
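
The remediation above in script form, as an added example (not code from Trellix or from the podcast): it audits the search-ms handler registration under HKEY_CLASSES_ROOT\search-ms, and only when run with -Remove does it export a backup and delete the key. The backup path is an assumed default and can be overridden.

```powershell
# Added example: audit (and optionally remove) the search-ms URI protocol handler.
# Run from an elevated PowerShell prompt. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remove,
    # Assumed backup location; change to suit your environment.
    [string]$BackupPath = "$env:TEMP\search-ms-handler-backup.reg"
)

$handlerKey = 'Registry::HKEY_CLASSES_ROOT\search-ms'

if (-not (Test-Path $handlerKey)) {
    Write-Output 'search-ms protocol handler is not registered; nothing to do.'
    return
}

# Report what the handler currently does so the change can be reviewed first.
$props = Get-ItemProperty -Path $handlerKey -ErrorAction SilentlyContinue
Write-Output "search-ms handler present: URL Protocol = '$($props.'URL Protocol')'"
$cmdKey = "$handlerKey\shell\open\command"
if (Test-Path $cmdKey) {
    $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
    Write-Output "Launch command: $cmd"
}

if (-not $Remove) {
    Write-Output 'Audit only. Re-run with -Remove to back up and delete the handler.'
    return
}

# Export the key first so the change can be reverted with: reg import <BackupPath>
& reg.exe export 'HKEY_CLASSES_ROOT\search-ms' $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup failed; handler left in place.' }
Write-Output "Backup written to $BackupPath"

if ($PSCmdlet.ShouldProcess($handlerKey, 'Remove search-ms protocol handler')) {
    Remove-Item -Path $handlerKey -Recurse -Force
    Write-Output 'search-ms protocol handler removed.'
}
```

Removing the handler also disables legitimate search-ms URIs on that host, which is why the script exports the key before deleting it.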

What is Nitrogen Malvertising

  • Malware delivered through advertising campaigns
    • New campaign
      • Exploits Google Search and Bing ads
    • Targets technology companies and non-profits in North America
    • Pay-per-click ads
      • Not new
      • Because they are paid, they appear prominently on the page.
        • Usually above the legitimate site’s own result
      • A popular tactic among threat actors
  • Campaign
    • Buy ads pretending to be popular brands.
      • AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP
    • The victim is taken to a compromised WordPress page.
      • Made to look like the legitimate site.
    • The victim downloads the file.
      • Runs it and is infected.
  • Nitrogen Malware
    • When the installer runs
      • It side-loads a NitrogenInstaller.DLL file.
        • The package bundles a legitimate installer application
        • along with a malicious Python package.
      • The Python package uses Dynamic Link Library (DLL) preloading
        • to execute the malicious NitrogenStager file,
          • which connects to the command-and-control (C2) servers
            • and drops both a Meterpreter shell and Cobalt Strike Beacons.
      • Uses uncommon export forwarding and DLL preloading techniques to mask the malicious activity and hinder analysis.

Education Sector Has Highest Share of Ransomware Victims

  • Sophos
    • The State of Ransomware in Education 2023
    • 400 IT and cybersecurity leaders globally
      • split evenly across schools and higher education institutions.
  • Results
    • 79% of higher education institutions were compromised by ransomware in 2022.
      • Up from 64% in 2021
    • 80% of “lower” education institutions were compromised by ransomware in the past year.
      • Was 56% in 2021
    • Exploits and compromised credentials accounted for:
      • 77% of ransomware attacks against higher education organizations
      • 65% of attacks against lower education organizations
    • Compromised credentials alone:
      • Higher Ed 37%
      • Lower Ed 36%
      • 29% average
  • Glaring Problems
    • The low adoption of multi-factor authentication (MFA) in the education sector leaves it even more exposed to credential-based compromise.
    • High rate of ransom payments
      • Higher Education – 56%
      • Lower Education – 47%
    • Not great on backups
      • 63%
        • 70% average

BreachForums database and private chats for sale

  • Breach Forums
    • Large hacking and data leak forum
      • Notorious for
        • hosting,
        • leaking, and
        • selling stolen data
    • The clear web site was seized by multiple international agencies.
    • Site administrator Connor Brian Fitzpatrick was arrested.
    • Baphomet (the other site admin) shut it down.
      • Opened a clone site.
    • The original domain now redirects to a seized-domain banner page.
  • HaveIBeenPwned
    • July 26
      • Visitors can check if their information was exposed in a data breach of the Breached cybercrime forum.
    • November 2022
      • “BreachForums” was itself breached.
  • The Breached forum breach
    • 212k records
      • Usernames
      • IP
      • email addresses
      • private messages between site members
        • potentially revealing information on past attacks, identities, and other useful information.
      • Passwords
        • Stored as argon2 hashes.
      • Payment information
        • Payments made to purchase forum ranks (membership levels with extra benefits) and credits (a form of currency used on the forum)
        • These payments were processed through Coinbase Commerce or Sellix, with the Coinbase transactions including links to order confirmations containing sensitive information, such as cryptocurrency addresses and Coinbase payment IDs.
        • This cryptocurrency data can be useful to blockchain analytics companies, who can use the cryptocurrency addresses to link threat actors to criminal activity.
  • Tables Turned
    • The database is currently being sold.
      • The seller shared the database with Have I Been Pwned to prove its authenticity to potential buyers.
      • The seller said that only they, Baphomet, and Pompompurin have possession of the database.
      • It is being sold to only one person for $100,000 – $150,000 and contains a snapshot of the entire database taken on November 29th, 2022.
    • Previous Breached admin Baphomet has also confirmed the authenticity of the database, warning that its sale is part of a “continued campaign attempting to destroy the community.”
      • Baphomet said, “Judging by the 212k users, this is likely an older database months before the closing of BFv1, seeing that my last backup of the forum has 336k users.”
