Vercara’s Open-Source Intelligence (OSINT) Report – May 24 – May 30, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Mystery malware destroys 600,000 routers from a single ISP during 72-hour span.

(TLP: CLEAR) The attack targeted a staggering number of routers, indicating a well-coordinated and potentially sophisticated campaign. The fact that it focused on a single ISP suggests a deliberate effort to disrupt or compromise a specific network. While the specific technical details of the malware are not fully disclosed in the article, it mentions that the attack involved targeting vulnerabilities in the routers’ firmware or software. This indicates that the attackers likely exploited known security weaknesses to gain unauthorized access and execute their malicious code. The ISP and relevant cybersecurity authorities are likely conducting thorough investigations to determine the source and motives behind the attack. Additionally, efforts to contain and mitigate the damage caused by the malware are likely underway, including patching vulnerable systems and implementing enhanced security measures. 

(TLP: CLEAR) Comments: The incident underscores the persistent threat posed by malware and the critical importance of robust cybersecurity practices, particularly for critical network infrastructure. It also serves as a reminder for ISPs and other organizations to remain vigilant and proactive in identifying and addressing security vulnerabilities to protect against similar attacks in the future. 

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that conclude the system components are not at risk from malware.” 

Using a combination of agent-based and network-based detection, such as a Protective DNS solution, provides overlapping protection not only for conventional IT assets such as laptops, desktops, and servers, but also for non-standard IT assets such as IoT devices and servers that cannot run anti-malware software.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters DNS responses for both users and machines using defined categories, including botnet Command and Control (C2), together with machine learning that detects previously uncategorized malicious associations, helping to prevent data exfiltration and malware detonation.
Source: https://arstechnica.com/security/2024/05/mystery-malware-destroys-600000-routers-from-a-single-isp-during-72-hour-span/   

U.S. dismantles world’s largest 911 S5 botnet with 19 million infected devices. 

(TLP: CLEAR) The article reports on a significant cybersecurity development involving the dismantling of the “world’s largest” 911 S5 proxy service by U.S. authorities. The 911 S5 service was a widely used proxy network that provided anonymity and evasion capabilities for cybercriminal activities, including fraud, hacking, and illicit online operations. The proxy service provided users with the ability to conceal their true identities and locations while engaging in various cybercriminal activities. By routing internet traffic through proxy servers located in different geographic regions, users could evade detection and circumvent restrictions imposed by law enforcement or other security measures. 

(TLP: CLEAR) Comments: While the dismantling of the 911 S5 proxy service is a notable achievement, it underscores the ongoing need for vigilance and collaboration in combating cybercrime. Cybercriminals are likely to adapt and seek alternative means of anonymity and evasion, necessitating continued efforts by law enforcement and cybersecurity professionals to stay ahead of evolving threats.

(TLP: CLEAR) Recommended best practices/regulations: “Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depends on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attributes and tagging those associated with known DGA attributes, such as high entropy.”
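The textual-attribute check the guidance above describes, as an added example that is not part of the report and not code from any Vercara product: it scores the registrable label of each queried name by Shannon entropy, length and vowel ratio over a constructed DNS query log, then groups flagged names per client so a host resolving several such names in a burst stands out. The log format, the thresholds and the sample names are assumptions made for this example.

```python
import math
from collections import Counter

# Constructed sample DNS query log (assumed format: "<timestamp> <client-ip> <qname>");
# not real traffic. Three of the six names mimic DGA-style random labels.
SAMPLE_LOG = """\
2024-05-28T10:00:01Z 10.0.0.12 www.example.com
2024-05-28T10:00:02Z 10.0.0.12 mail.google.com
2024-05-28T10:00:03Z 10.0.0.45 xk3jq9vz8tlm2wnp.info
2024-05-28T10:00:04Z 10.0.0.45 q7w2r9t4y1u8i3o6.biz
2024-05-28T10:00:05Z 10.0.0.45 cdn.jsdelivr.net
2024-05-28T10:00:06Z 10.0.0.45 p0o9i8u7y6t5r4e3w2q1.org
"""

# Illustrative thresholds chosen for this example, not values from the report.
ENTROPY_BITS, MIN_LEN, MAX_VOWEL_RATIO = 3.5, 12, 0.3

def shannon_entropy(s: str) -> float:
    """Bits per character; a label of n distinct characters scores log2(n)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(qname: str) -> str:
    """Label left of the TLD. Assumes single-label TLDs (no Public Suffix List)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_like_dga(qname: str) -> bool:
    """Flag names whose registrable label is long, high-entropy and vowel-poor:
    the textual attributes the guidance describes, not a match against known malware."""
    label = registrable_label(qname)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / max(len(label), 1)
    return (len(label) >= MIN_LEN
            and shannon_entropy(label) >= ENTROPY_BITS
            and vowel_ratio < MAX_VOWEL_RATIO)

def scan_log(log_text: str) -> dict:
    """Return {client_ip: [flagged qnames]} so bursts per host stand out;
    one host resolving several such names in a short window is the DGA signal."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname = fields
        if looks_like_dga(qname):
            hits.setdefault(client, []).append(qname)
    return hits
```

Run on the sample, `scan_log` reports only 10.0.0.45 with three DGA-like queries; a production filter would swap the single-label TLD assumption for a Public Suffix List lookup and add an allow-list for known CDN names.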

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters DNS responses for both users and machines using defined categories, including botnet Command and Control (C2), together with machine learning that detects previously uncategorized malicious associations, helping to prevent data exfiltration and malware detonation.

Source: https://thehackernews.com/2024/05/us-dismantles-worlds-largest-911-s5.html  

Okta warns once again of credential-stuffing attacks.

(TLP: CLEAR) Okta, a leading identity and access management company, reiterated the prevalence and severity of these attacks, emphasizing their potential to compromise user accounts across multiple services. Credential stuffing attacks pose significant risks to organizations and individuals alike, leading to data breaches, financial losses, and reputational damage. Credential stuffing attacks are typically automated, utilizing bots to rapidly test stolen credentials against various online services. This automation enables attackers to scale their efforts efficiently, targeting many accounts across different platforms simultaneously. 
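The automation pattern described above, many accounts tested rapidly from one source, is what a detection rule can key on. The following is an added example that is not part of the report or of any Okta or Vercara product: it slides a time window over a constructed authentication log and flags sources that attempt logins against many distinct usernames within that window. The log format, the window size and the account threshold are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (assumed format "<iso-time> <src-ip> <user> <result>");
# not real traffic. 10.9.8.7 cycles through many accounts with one attempt each,
# the pattern the article attributes to automated credential testing.
SAMPLE_LOG = """\
2024-05-29T12:00:00Z 203.0.113.5 alice FAIL
2024-05-29T12:00:07Z 203.0.113.5 alice OK
2024-05-29T12:00:01Z 10.9.8.7 alice FAIL
2024-05-29T12:00:01Z 10.9.8.7 bob FAIL
2024-05-29T12:00:02Z 10.9.8.7 carol FAIL
2024-05-29T12:00:02Z 10.9.8.7 dave FAIL
2024-05-29T12:00:03Z 10.9.8.7 erin FAIL
2024-05-29T12:00:03Z 10.9.8.7 frank OK
2024-05-29T12:30:00Z 10.9.8.7 grace FAIL
"""

WINDOW = timedelta(minutes=5)   # illustrative thresholds, not values from the report
MIN_DISTINCT_USERS = 5

def parse(log_text):
    """Yield (time, ip, user, result) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        f = line.split()
        if len(f) != 4:
            continue
        yield datetime.strptime(f[0], "%Y-%m-%dT%H:%M:%SZ"), f[1], f[2], f[3]

def stuffing_sources(log_text):
    """Return {ip: distinct usernames} for sources whose attempts against
    MIN_DISTINCT_USERS or more different accounts fall inside one WINDOW.
    A legitimate user retries one account; a stuffing bot sprays many."""
    by_ip = defaultdict(list)
    for ts, ip, user, _result in parse(log_text):
        by_ip[ip].append((ts, user))   # successes count too: a hit is still spraying
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _u) in enumerate(events):
            while ts - events[start][0] > WINDOW:   # drop events older than the window
                start += 1
            users = {u for _t, u in events[start:end + 1]}
            if len(users) >= MIN_DISTINCT_USERS:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged
```

On the sample, `stuffing_sources` flags only 10.9.8.7 (six accounts inside five minutes); the later lone attempt at 12:30 falls outside the window and does not add to the count.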

(TLP: CLEAR) Comments: Overall, the article underscores the ongoing threat posed by credential stuffing attacks and the critical importance of proactive cybersecurity measures to safeguard against them. Okta’s warning serves as a reminder for organizations to remain vigilant and prioritize the protection of user accounts and sensitive data. 

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 6.4.2: “For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:
  • Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
  • Actively running and up to date as applicable.
  • Generating audit logs.
  • Configured to either block web-based attacks or generate an alert that is immediately investigated.”

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to the insertion of malware. Signatures for new vulnerabilities are constantly updated, along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots, including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.
Source: https://www.darkreading.com/cyberattacks-data-breaches/okta-warns-once-again-of-credential-stuffing-attacks  

Experts find flaw in Replicate AI service exposing customers’ models and data.

(TLP: CLEAR) Security researchers have identified a flaw in Replicate AI that could potentially allow attackers to manipulate the synthetic data generated by the platform. This flaw could have significant implications for the accuracy and integrity of ML and AI models trained on such data. The vulnerability raises concerns about the reliability and trustworthiness of ML and AI models trained on synthetic data generated by Replicate AI. If exploited, attackers could inject malicious data or biases into the training datasets, leading to skewed or compromised model outputs. 

(TLP: CLEAR) Comments: Overall, the discovery of a vulnerability in Replicate AI underscores the importance of robust security measures in the development and deployment of AI technologies. It highlights the need for ongoing vigilance and collaboration between security researchers, vendors, and end-users to safeguard against potential threats to AI model integrity and reliability.

(TLP: CLEAR) Recommended best practices/regulations: Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence 4.2(C): “The results of any developed dual-use foundation model’s performance in relevant AI red-team testing based on guidance developed by NIST pursuant to subsection 4.1(a)(ii) of this section, and a description of any associated measures the company has taken to meet safety objectives, such as mitigations to improve performance on these red-team tests and strengthen overall model security.  Prior to the development of guidance on red-team testing standards by NIST pursuant to subsection 4.1(a)(ii) of this section, this description shall include the results of any red-team testing that the company has conducted relating to lowering the barrier to entry for the development, acquisition, and use of biological weapons by non-state actors; the discovery of software vulnerabilities and development of associated exploits; the use of software or tools to influence real or virtual events; the possibility for self-replication or propagation; and associated measures to meet safety objectives” 
Source: https://thehackernews.com/2024/05/experts-find-flaw-in-replicate-ai.html   

Microsoft: ‘Moonstone Sleet’ APT melds espionage, financial goals. 

(TLP: CLEAR) Moonstone Sleet is an APT campaign that combines traditional espionage objectives with financial motivations. The campaign primarily targets organizations in the defense, government, and financial sectors across multiple countries and regions, including the United States, Europe, and Southeast Asia. The APT group behind Moonstone Sleet employs a range of sophisticated tactics to infiltrate target networks and achieve its objectives. These tactics include spear-phishing emails, social engineering techniques, and the use of custom malware and hacking tools tailored to bypass security defenses.

(TLP: CLEAR) Comments: Given the persistent and evolving nature of APT campaigns, organizations must remain vigilant and continuously monitor their networks for signs of compromise. Rapid incident response and threat-hunting capabilities are crucial for detecting and mitigating APT activities before they can cause significant damage. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events” 

One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurred via physical media or on another network such as a hotel or airport.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices, inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations 
Source: https://www.darkreading.com/threat-intelligence/microsoft-moonlight-sleet-apt-melds-espionage-financial-goals  

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.
