Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Stealthy ‘sedexp’ Linux malware evaded detection for two years.
(TLP: CLEAR) The article discusses the discovery of a stealthy Linux malware named “sedexp,” which has been evading detection since 2022. It uses a persistence technique involving udev rules, which is not yet documented in the MITRE ATT&CK framework. This technique allows the malware to remain hidden by exploiting the udev device management system in Linux, ensuring it is frequently executed by monitoring critical system components like /dev/random. Sedexp mimics legitimate system processes to blend in with normal operations, making it difficult to detect. It sets up a reverse shell for remote access and uses memory manipulation to hide its presence and inject malicious code. The malware has been used in financially motivated attacks, such as hiding credit card scraping code on compromised web servers. Despite being active since at least 2022, it has largely evaded detection by antivirus tools.
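The persistence described above lives in udev rules, so a defender's first check is to read the rule files and flag any RUN entry that points at an unexpected location or is keyed on an always-present device such as /dev/random. The following auditor is an added example written for this summary, not code from the article or from Vercara; the list of trusted helper directories and the sample rules file are constructed assumptions, and /dev/random is identified both by its kernel name and by its character device numbers (major 1, minor 8).

```python
import re
from typing import Dict, List, Tuple

# One udev rule line is a comma-separated list of KEY[{attr}] OP "value" tokens.
_TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"((?:[^"\\]|\\.)*)"')

# Directories that normally hold udev helpers. This list is an assumption for the
# heuristic; tune it to the distribution you are auditing.
TRUSTED_PREFIXES = ("/usr/lib/udev/", "/lib/udev/", "/usr/bin/", "/bin/",
                    "/usr/sbin/", "/sbin/")


def parse_rule(line: str) -> List[Tuple[str, str, str]]:
    """Split a udev rule line into (key, operator, value) triples."""
    return _TOKEN.findall(line)


def targets_dev_random(tokens: List[Tuple[str, str, str]]) -> bool:
    """True if the rule matches /dev/random by kernel name or by its char device
    numbers (major 1, minor 8), i.e. a device that exists on every boot."""
    matches = {(k, v) for k, op, v in tokens if op == "=="}
    if ("KERNEL", "random") in matches:
        return True
    return ("ENV{MAJOR}", "1") in matches and ("ENV{MINOR}", "8") in matches


def audit_rules(text: str) -> List[Dict]:
    """Flag rules that run a program from an unexpected location, use a relative
    program path, or hook /dev/random to guarantee execution."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = parse_rule(line)
        reasons = []
        has_run = False
        for key, _op, value in tokens:
            if key != "RUN" and not key.startswith("RUN{"):
                continue
            has_run = True
            program = value.split()[0] if value.split() else ""
            if not program.startswith("/"):
                reasons.append(f"RUN uses a relative program path: {program!r}")
            elif not program.startswith(TRUSTED_PREFIXES):
                reasons.append(f"RUN program outside trusted helper dirs: {program}")
        if has_run and targets_dev_random(tokens):
            reasons.append("RUN rule keyed on /dev/random (fires on every boot)")
        if reasons:
            findings.append({"line": lineno, "rule": line, "reasons": reasons})
    return findings


# Constructed sample rules file; not a real sedexp artifact.
SAMPLE_RULES = """\
# constructed sample
SUBSYSTEM=="net", ACTION=="add", RUN+="/usr/lib/udev/net-helper $env{INTERFACE}"
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/dev/shm/.cache/helper run"
KERNEL=="sd*", ACTION=="add", RUN+="mount-helper"
"""

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"line {f['line']}: {f['rule']}")
        for r in f["reasons"]:
            print("   -", r)
```

On a live host, feed `audit_rules` the contents of each file under /etc/udev/rules.d, /usr/lib/udev/rules.d and /run/udev/rules.d; a hit is a triage lead, not a verdict, since some vendor packages ship helpers in non-standard paths.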
(TLP: CLEAR) Comments: The ‘sedexp’ malware represents a significant threat to Linux systems due to its advanced persistence mechanism and its ability to evade detection. It is advised that any organization using Linux systems, especially those handling sensitive financial data, remain vigilant and ensure that they have robust network monitoring and response systems and policies in place to detect and mitigate this threat. Regular updates, comprehensive threat detection systems, and adherence to security best practices are essential in defending against malware like ‘sedexp’.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”
One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them.
Hackers now use AppDomain Injection to drop CobaltStrike beacons.
(TLP: CLEAR) A wave of cyberattacks beginning in July 2024 uses AppDomain Manager Injection, a rarely-seen technique, to compromise Microsoft .NET applications on Windows. Though known since 2017, this method has been mainly used in red team exercises and is seldom monitored in real-world scenarios. The attacks, observed by NTT in Japan, targeted government agencies in Taiwan, the military in the Philippines, and energy organizations in Vietnam. While the Chinese state-sponsored group APT 41 is suspected, the attribution is uncertain. AppDomain Manager Injection exploits the .NET Framework’s AppDomainManager class to execute malicious code within legitimate applications, making detection difficult. The attacks start with a ZIP archive containing a malicious Microsoft Script Component (MSC) file, which uses the GrimResource technique to exploit a cross-site scripting (XSS) vulnerability in the Windows apds.dll library. The final stage involves deploying a CobaltStrike beacon for further malicious activity.
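Because the technique above is selected through the .NET application's own configuration, a straightforward hunt is to scan application directories for `.config` files whose `<runtime>` section names an AppDomainManager, and to check for the documented APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment overrides. The scanner below is an added example written for this summary, not code from the article, from NTT or from Vercara; the two sample configs are constructed and the assembly and type names in them are placeholders.

```python
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Environment variables that also select an AppDomainManager for .NET Framework apps.
APPDOMAIN_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def find_appdomain_manager(config_xml: str) -> Optional[Dict[str, str]]:
    """Return the AppDomainManager assembly/type set under <configuration><runtime>,
    or None when the config does not set one.

    ElementTree is not hardened against entity expansion; for files from an
    untrusted host, swap in defusedxml.ElementTree with the same call.
    """
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return {
        "assembly": asm.get("value", "") if asm is not None else "",
        "type": typ.get("value", "") if typ is not None else "",
    }


def scan_config_files(root_dir: str) -> List[Dict[str, str]]:
    """Walk a directory tree and report every *.config that sets an AppDomainManager."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".config"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    found = find_appdomain_manager(fh.read())
            except (OSError, ET.ParseError):
                continue  # unreadable or not XML: not a .NET app config
            if found:
                hits.append({"path": path, **found})
    return hits


def env_overrides() -> Dict[str, str]:
    """AppDomainManager selection can also come from the process environment."""
    return {k: os.environ[k] for k in APPDOMAIN_ENV_VARS if k in os.environ}


# Constructed sample configs; the names inside are placeholders, not campaign artifacts.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0"/></startup>
</configuration>"""

SUSPECT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Helper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Helper.Manager"/>
  </runtime>
</configuration>"""

if __name__ == "__main__":
    print("benign :", find_appdomain_manager(BENIGN_CONFIG))
    print("suspect:", find_appdomain_manager(SUSPECT_CONFIG))
    print("env    :", env_overrides())
```

A hit means the process will load that assembly before any application code runs, so verify that the named assembly exists next to the executable, is signed by the expected publisher, and is something the application vendor documents; legitimate use of this setting is rare, which is what makes it a good hunting signal.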
(TLP: CLEAR) Comments: Malicious actors may attempt to broaden the impact of this threat beyond Asia if it proves effective, potentially marketing the malware for profit. APT 41, a Chinese state-sponsored threat group, is one notable organization that has recently employed this technique. This group has been associated with various campaigns that leverage AppDomain Manager Injection, often targeting government agencies and critical infrastructure across multiple regions, including Asia. AppDomain Manager Injection is an advanced technique that takes advantage of the capabilities of the .NET Framework for malicious purposes. Its stealthy nature poses significant challenges for detection and response efforts. Therefore, organizations must adopt comprehensive security measures, such as behavioral analysis, application whitelisting, and ongoing threat monitoring, to protect against these sophisticated threats.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS Solution, provides overlapping protection for conventional IT assets such as laptops, desktops, and some servers but also for non-standard IT assets such as IoT devices and some servers that cannot run anti-malware software.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.
New malware employs crazy obfuscation techniques to evade Anti-Virus detection.
(TLP: CLEAR) Security researchers have identified a new malware strain using advanced obfuscation techniques to evade detection by antivirus software. The malware, found in a file named “crypted.bat,” was completely undetectable by major antivirus engines, raising concerns about the increasing complexity of cybersecurity threats. Initially discovered by a security analyst, the malware utilized UTF-16 encoding as an initial obfuscation layer, making it challenging for reverse engineers to analyze. It also employed empty environment variables in batch scripts and dynamically generated labels, further complicating detection and analysis. Upon execution, the malware deploys a static Python environment and establishes persistence through a scheduled task, ensuring it runs at every system logon. The payload, downloaded from a remote server, consists of heavily obfuscated Python code that performs code injection via the process hollowing technique, disguising its operations under legitimate Windows processes like “notepad.exe.” The malware communicates with a command and control (C2) server at 15[.]235[.]176[.]64:7000, using AES encryption to secure data exchanges. This discovery highlights the growing sophistication of modern malware and the need for more robust cybersecurity measures to counter these evolving threats.
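Two of the tricks named above, UTF-16 encoding of the batch file and references to empty environment variables that split keywords so byte-level signatures miss them, can be undone mechanically before an analyst reads the script. The triage helper below is an added example written for this summary, not code from the article's researchers or from Vercara; the sample batch content is constructed and the list of standard cmd.exe variables is an assumption that should be extended for the host being examined.

```python
import re
from typing import Dict, Set, Tuple

# Variables cmd.exe normally has defined; references to these are not "empty".
# Assumption: extend this set for the environment you are analysing.
STANDARD_VARS = {"PATH", "TEMP", "TMP", "SYSTEMROOT", "WINDIR", "USERPROFILE",
                 "APPDATA", "LOCALAPPDATA", "PROGRAMDATA", "COMSPEC", "PROGRAMFILES",
                 "USERNAME", "COMPUTERNAME", "CD", "DATE", "TIME", "RANDOM", "ERRORLEVEL"}

_VAR_REF = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
_SET_STMT = re.compile(r'^\s*set\s+"?([A-Za-z_][A-Za-z0-9_]*)=([^"\r\n]*)',
                       re.IGNORECASE | re.MULTILINE)


def decode_batch(raw: bytes) -> Tuple[str, bool]:
    """Return (text, was_utf16). cmd.exe runs UTF-16 .bat files, but ASCII
    signature matching sees only letters interleaved with NUL bytes."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16"), True          # BOM present: codec picks the order
    if len(raw) > 1 and raw[0] != 0 and raw[1] == 0:
        return raw.decode("utf-16-le", errors="replace"), True   # BOM-less UTF-16-LE
    return raw.decode("utf-8", errors="replace"), False


def defined_vars(script: str) -> Set[str]:
    """Names given a non-empty value by a `set` statement in the script itself.
    `set "x="` undefines x in cmd.exe, so it does not count as defined."""
    return {m.group(1).upper() for m in _SET_STMT.finditer(script) if m.group(2).strip()}


def strip_empty_vars(script: str) -> Tuple[str, int]:
    """Remove %name% references that expand to nothing (neither set in the
    script nor a standard variable), rejoining the keywords they split."""
    known = defined_vars(script) | STANDARD_VARS
    removed = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal removed
        if m.group(1).upper() in known:
            return m.group(0)
        removed += 1
        return ""

    return _VAR_REF.sub(repl, script), removed


def triage(raw: bytes) -> Dict:
    decoded, was_utf16 = decode_batch(raw)
    cleaned, removed = strip_empty_vars(decoded)
    return {"was_utf16": was_utf16, "decoded": decoded,
            "cleaned": cleaned, "empty_refs_removed": removed}


# Constructed sample: a UTF-16-LE batch file (with BOM) whose keywords are split
# by references to variables that are never given a value.
SAMPLE_BAT = b"\xff\xfe" + (
    "@echo off\r\n"
    "set \"log=C:\\Windows\\Temp\\u.log\"\r\n"
    "set \"zz=\"\r\n"
    "sch%zz%tasks /create /tn Updater /sc onlogon /tr \"%TEMP%\\py\\run.exe\"\r\n"
    "ech%q9%o done >> %log%\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    result = triage(SAMPLE_BAT)
    print("UTF-16:", result["was_utf16"], "| empty refs removed:", result["empty_refs_removed"])
    print(result["cleaned"])
```

The cleaned text is what the interpreter actually executes, so it is the right input for keyword matching and for reviewing which scheduled task or download the script sets up; variables that the script defines (here `log`) and the standard ones (`%TEMP%`) are deliberately left in place.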
(TLP: CLEAR) Comments: Malicious actors are persistently creating advanced malware designed to evade detection and achieve persistence within targeted networks. Since most malware is introduced into networks through social engineering attacks, it is strongly recommended that organizations implement a comprehensive and ongoing cybersecurity training program. Such programs should educate employees on how to recognize malicious emails and other social engineering tactics.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”
By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website category feeds.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories, including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.
Source: https://cybersecuritynews.com/obfuscation-techniques-to-evade-anti-virus-detection/
WordPress plugin flaw exposes 1,000,000 WordPress sites to remote code attacks.
(TLP: CLEAR) A critical vulnerability in the WPML (WordPress Multilingual) plugin has exposed over a million WordPress sites to remote code execution (RCE) attacks. Identified as CVE-2024-6386, this flaw allows authenticated users with contributor-level access or higher to execute arbitrary code, potentially leading to a complete site takeover. The vulnerability affects all WPML versions up to 4.6.12. Discovered by a security researcher known as “stealth copter” and reported through the Wordfence Bug Bounty Program, the issue stems from inadequate input validation and sanitization in the plugin’s use of the Twig templating engine, specifically in the render() function of the WPML_LS_Public_API class. This oversight allows server-side template injection, enabling attackers to inject and execute malicious code. A proof-of-concept exploit demonstrates how attackers can use the [wpml_language_switcher] shortcode to inject harmful Twig code, executing PHP functions like phpinfo(). Wordfence released a firewall rule to protect users, and WPML patched the vulnerability in version 4.6.13 on August 20, 2024. Users are urged to update immediately due to the vulnerability’s critical CVSS score of 9.9. This incident emphasizes the need for robust security practices and timely updates in the WordPress ecosystem.
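The root cause above is user-controlled text reaching a template engine as template source rather than as data, and a web application firewall in front of the site catches the probe by looking for template delimiters in request parameters after undoing URL and HTML encoding. The request inspector below is an added example written for this summary, not code from Wordfence, WPML or Vercara; the sample POST body is constructed and the delimiter patterns cover Twig-style syntax only.

```python
import html
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote_plus

# Twig-style delimiters: output {{ }}, statement {% %}, comment {# #}.
_TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.DOTALL)


def normalize(value: str, rounds: int = 3) -> str:
    """Undo layered URL-encoding and HTML entities so encoded delimiters
    (e.g. %7B%7B or &#123;&#123;) become visible to the pattern."""
    for _ in range(rounds):
        nxt = html.unescape(unquote_plus(value))
        if nxt == value:
            break
        value = nxt
    return value


def has_template_syntax(value: str) -> bool:
    return bool(_TEMPLATE_SYNTAX.search(normalize(value)))


def inspect_request(body: str) -> List[Dict[str, str]]:
    """Return one finding per form field whose value carries template syntax."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if has_template_syntax(value):
            findings.append({"field": name, "value": normalize(value)})
    return findings


# Constructed sample: a post-save request whose content field carries a
# language-switcher shortcode followed by a template expression.
SAMPLE_POST = ("post_title=Hello+world"
               "&content=%5Bwpml_language_switcher%5D%7B%7B+7*7+%7D%7D")

if __name__ == "__main__":
    for f in inspect_request(SAMPLE_POST):
        print(f"field {f['field']!r}: template syntax in {f['value']!r}")
```

Treat a match as a block-or-alert decision in the sense of PCI-DSS 6.4.2 rather than a verdict: content systems that legitimately use `{{ }}` (Mustache or wiki-style templates) will need an allow rule for those fields, and the durable fix remains the vendor patch, since the server-side code should never compile contributor input as a template.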
(TLP: CLEAR) Comments: WordPress Multilingual (WPML) is a widely used plugin for WordPress that allows users to create and manage multilingual websites. It offers a comprehensive solution for translating content into various languages, enabling website owners to connect with a global audience. WPML is particularly beneficial for businesses, organizations, and individuals aiming to expand their reach by providing content in multiple languages, thereby enhancing user experience and improving accessibility for non-English speaking users. Organizations should include regular reviews of their IT infrastructure, including applications, in their security policies to ensure they are updated with the latest security patches. If known vulnerabilities do not receive security patches, organizations should consider either replacing outdated systems or implementing additional security measures to safeguard non-updated systems.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 6.4.2: “For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:
- “Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
- “Actively running and up to date as applicable.
- “Generating audit logs.
- “Configured to either block web-based attacks or generate an alert that is immediately investigated.”
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated, along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots, including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.
Source: https://cybersecuritynews.com/wordpress-plugin-flaw-exposes/
Microsoft Copilot prompt injection vulnerability let hackers exfiltrate personal data.
(TLP: CLEAR) Researchers identified a critical security flaw in Microsoft 365 Copilot that enabled attackers to exfiltrate sensitive user information through a sophisticated exploit chain. Discovered by security researcher Johann Rehberger, the vulnerability combined prompt injection, automatic tool invocation, and a novel technique called ASCII smuggling. The exploit began with a malicious email or document containing a prompt injection payload that directed Copilot to retrieve sensitive content like emails and MFA codes without user interaction. The exfiltrated data was hidden using ASCII smuggling, where special Unicode characters concealed the information within seemingly harmless hyperlinks. When clicked, this data was sent to an attacker-controlled server. Microsoft patched the vulnerability after responsible disclosure in January 2024. The specific details of the fix remain unclear, but the original exploits no longer work, and hyperlink rendering has been modified to prevent such attacks.
(TLP: CLEAR) Comments: ASCII smuggling is a technique used by attackers to evade detection and exfiltrate sensitive data by embedding hidden information within seemingly innocuous content. This method typically exploits differences in how text is rendered and interpreted by different systems or applications, particularly by utilizing special Unicode characters that resemble standard ASCII characters but are not visible in the user interface. Four key characteristics of ASCII smuggling are:
- Data Exfiltration: ASCII smuggling can be used to covertly send sensitive information, such as credentials or other confidential data, to an attacker’s server without raising suspicion.
- Unicode Characters: Attackers leverage Unicode characters that can represent the same visual appearance as ASCII characters but have different underlying binary representations. This allows the hidden data to pass through filters and security mechanisms that may not recognize the Unicode characters as threats.
- Manipulation of Hyperlinks: In many cases, ASCII smuggling is implemented through hyperlinks, where the hidden data is included in the URL. When a user clicks on the link, the concealed information is sent to the attacker’s server.
- Evasion of Security Measures: Because the hidden data is not visibly distinguishable from legitimate content, ASCII smuggling can bypass security measures that rely on standard text analysis, making it a stealthy method for data exfiltration.
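The invisible characters the list above refers to are, in the published Copilot research, code points from the Unicode Tags block (U+E0000 to U+E007F), each of which mirrors one ASCII character but renders as nothing. A mail or link filter can therefore reveal and strip such runs, while leaving alone the one legitimate use of that block, emoji subdivision-flag sequences that follow U+1F3F4. The scanner below is an added example written for this summary, not code from the researcher or from Vercara; the sample link text, the markdown link format it parses and the zero-width character set are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

TAG_BASE = 0xE0000   # Unicode "Tags" block start; U+E0020..U+E007E mirror ASCII 0x20..0x7E
TAG_END = 0xE007F    # U+E007F is CANCEL TAG, which terminates flag sequences
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
_MD_LINK = re.compile(r"\[([^\]]*)\]\(([^)]*)\)")   # assumption: markdown-style links


def is_tag(ch: str) -> bool:
    return TAG_BASE <= ord(ch) <= TAG_END


def find_hidden_runs(text: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, revealed_ascii) for each run of Tag characters.
    Runs directly following U+1F3F4 (black flag) are emoji subdivision flags
    such as the England flag and are skipped as legitimate."""
    runs = []
    i = 0
    while i < len(text):
        if not is_tag(text[i]):
            i += 1
            continue
        start = i
        while i < len(text) and is_tag(text[i]):
            i += 1
        if start > 0 and text[start - 1] == "\U0001F3F4":
            continue
        revealed = "".join(chr(ord(c) - TAG_BASE) for c in text[start:i])
        runs.append((start, i, revealed))
    return runs


def count_zero_width(text: str) -> int:
    return sum(1 for ch in text if ch in ZERO_WIDTH)


def strip_invisible(text: str) -> str:
    """Remove smuggled Tag runs and zero-width characters, keeping flag sequences."""
    keep = [True] * len(text)
    for start, end, _ in find_hidden_runs(text):
        for k in range(start, end):
            keep[k] = False
    return "".join(ch for ch, ok in zip(text, keep) if ok and ch not in ZERO_WIDTH)


def scan_links(markdown: str) -> List[Dict]:
    """Inspect both the label and the URL of each link for hidden content."""
    findings = []
    for m in _MD_LINK.finditer(markdown):
        for part, value in (("label", m.group(1)), ("url", m.group(2))):
            runs = find_hidden_runs(value)
            zw = count_zero_width(value)
            if runs or zw:
                findings.append({"part": part, "value": value, "zero_width": zw,
                                 "hidden": [r[2] for r in runs]})
    return findings


# Constructed samples: visible link text followed by three Tag characters that
# silently spell "sec" (U+E0073 U+E0065 U+E0063), and a legitimate England flag.
SAMPLE_LINK_TEXT = "Open the report\U000E0073\U000E0065\U000E0063"
SAMPLE_MD = f"[{SAMPLE_LINK_TEXT}](https://example.com/report)"
ENGLAND_FLAG = "\U0001F3F4\U000E0067\U000E0062\U000E0065\U000E006E\U000E0067\U000E007F"

if __name__ == "__main__":
    print("hidden runs:", find_hidden_runs(SAMPLE_LINK_TEXT))
    print("stripped   :", repr(strip_invisible(SAMPLE_LINK_TEXT)))
    print("link scan  :", scan_links(SAMPLE_MD))
    print("flag ok    :", find_hidden_runs(ENGLAND_FLAG) == [])
```

Run `scan_links` over rendered assistant output or inbound mail bodies before links are shown to a user, and log the revealed text with the finding: the IoC-style control described in RFC 9424 works only if the hidden payload is surfaced where an analyst can see it.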
(TLP: CLEAR) Recommended best practices/regulations: Request For Comment 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defence” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.” Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them.
Source: https://cybersecuritynews.com/copilot-prompt-injection-vulnerability/
About Vercara.
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.