Vercara’s Open-Source Intelligence (OSINT) Report – August 9 – August 15, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Ransomware threat actors introduce new EDR killer to their arsenal.  

(TLP: CLEAR) Recent reporting describes a new tool, used by ransomware operators, built to disable Endpoint Detection and Response (EDR) products. While investigating a May 2024 ransomware attack that was ultimately blocked, Sophos analysts recovered “EDRKillShifter,” a loader executable whose purpose is to install a legitimate but vulnerable driver on the target system. This is the Bring Your Own Vulnerable Driver (BYOVD) technique: the driver is properly signed and loads normally, and the attacker then exploits the flaw in it to obtain kernel-level access and terminate or blind security software. EDRKillShifter runs in three stages. The loader is started from the command line with a password as an argument; it uses that password to decrypt an embedded resource named BIN and executes the decrypted content directly in memory, so the second stage is never written to disk. The BIN stage unpacks and runs the final payload, which drops a vulnerable driver, loads it, and abuses it to kill EDR processes. According to Sophos, the loader must already be running with administrator privileges, since loading a driver requires them; the tool does not itself provide privilege escalation. This report coincides with separate intelligence on SbaProxy, a stealthy malware built from legitimate antivirus binaries (BitDefender, Malwarebytes, and Sophos) that have been modified and re-signed with counterfeit certificates to establish covert proxy connections to a command-and-control (C2) server. SbaProxy creates a proxy between the client and the intended target, routing traffic through the C2 server and the compromised host; at present it supports only TCP connections.

(TLP: CLEAR) Comments: Sophos uncovered several variants of EDRKillShifter’s final payload, each deploying a different EDR killer directly in memory. All are written in Go and heavily obfuscated, most likely with the open-source tool gobfuscate, which hampers analysis. Note that patching does not address BYOVD directly: the driver the tool loads is validly signed and its vendor may never fix it. The controls that do help are Microsoft’s vulnerable driver blocklist (kept current through Windows updates and enforced when HVCI is on), tamper protection in the EDR product itself, and tight control of local administrator rights, since the loader needs them. Beyond that, the organization’s security policy should include routine reviews of all IT infrastructure, including applications, to ensure they are up to date with the latest security patches; where no patches exist for known vulnerabilities, either replace the outdated systems or add defense-in-depth measures around them.
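A defender reading the above will want a way to surface the two things these tools rely on: a signed but exploitable driver that is already loaded, and a binary whose Authenticode chain no longer validates (the SbaProxy case). The following PowerShell audit is an added example, not Sophos’ code or anything from the reports cited. The registry value name for the Microsoft Vulnerable Driver Blocklist toggle, the Win32_DeviceGuard interpretation, the 30-day recency window and the antivirus install paths are assumptions of this example, and a driver with a non-Microsoft signer is a lead to review, not an indicator of compromise. A counterfeit certificate fails the signature check; a genuinely issued but abused certificate does not.

```powershell
# Added example, not code from Sophos or from this report. Audits a Windows host
# for a loaded kernel driver that looks like a BYOVD candidate and for binaries
# whose Authenticode chain does not validate. Assumes PowerShell 5.1+ on
# Windows, run from an elevated session.

function Get-DriverAuditFindings {
    param(
        # Assumption: driver files written within this window deserve a second look
        [int]$RecentDays = 30
    )
    $cutoff     = (Get-Date).AddDays(-$RecentDays)
    $driversDir = Join-Path $env:SystemRoot 'System32\drivers'

    Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName } | ForEach-Object {
        # PathName can be quoted or prefixed with \??\ or \SystemRoot\; normalise first
        $path = $_.PathName.Trim('"') -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        $path = [Environment]::ExpandEnvironmentVariables($path)
        if (-not (Test-Path -LiteralPath $path)) { return }

        $file    = Get-Item -LiteralPath $path
        $sig     = Get-AuthenticodeSignature -FilePath $path
        $reasons = @()
        if ($file.DirectoryName -notlike "$driversDir*") { $reasons += 'outside System32\drivers' }
        if ($file.LastWriteTime -gt $cutoff)             { $reasons += "file written after $($cutoff.ToShortDateString())" }
        if ($sig.Status -ne 'Valid')                     { $reasons += "signature status $($sig.Status)" }
        # A third-party signer is exactly what BYOVD abuses: the driver is legitimately
        # signed, just exploitable. Not proof of anything, but worth listing.
        if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $reasons += "non-Microsoft signer: $($sig.SignerCertificate.Subject)"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Driver  = $_.Name
                State   = $_.State
                Path    = $path
                Reasons = $reasons -join '; '
            }
        }
    }
}

function Get-DriverBlocklistState {
    # Assumption: value names as documented for the Microsoft Vulnerable Driver
    # Blocklist toggle and for Win32_DeviceGuard (SecurityServicesRunning 2 = HVCI).
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VulnerableDriverBlocklistEnabled = [bool]$ci.VulnerableDriverBlocklistEnable
        HvciRunning                      = @($dg.SecurityServicesRunning) -contains 2
    }
}

function Get-UnverifiedBinaries {
    # The same check SbaProxy's re-signed AV binaries fail unless the attacker holds
    # a genuinely issued certificate. Assumption: the install paths are examples only.
    param([string[]]$Paths = @("$env:ProgramFiles\Sophos", "$env:ProgramFiles\Bitdefender", "$env:ProgramFiles\Malwarebytes"))
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        Get-ChildItem -LiteralPath $p -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
            ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
            Where-Object { $_.Status -ne 'Valid' } |
            Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
    }
}

Get-DriverBlocklistState
Get-DriverAuditFindings | Format-Table -AutoSize
Get-UnverifiedBinaries  | Format-Table -AutoSize
```

Run it on a known-clean build first and baseline the third-party drivers it lists (storage, GPU and security-vendor drivers are normal); the useful signal is a new entry that was not in the baseline, especially one outside System32\drivers, on a host where the blocklist is off.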

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 24 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses:  

  • The Lists Engine lets UltraDDR customers bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.  
  • The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.  
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.  
  • The Ruleset Engine lets administrators build custom rules to augment and extend the other engines of UltraDDR. 

Source: https://thehackernews.com/2024/08/ransomhub-group-deploys-new-edr-killing.html 

Source: https://news.sophos.com/en-us/2024/08/14/edr-kill-shifter/  

Iranian backed group steps up phishing campaigns against Israel, U.S. 

(TLP: CLEAR) Recent intelligence reporting describes an Iranian state-sponsored threat actor, tracked as APT42, actively targeting individuals affiliated with the Harris and Trump presidential campaigns. The group has run targeted spear-phishing attacks aimed at the personal email accounts of key personnel linked to these campaigns, including current and former U.S. government officials. In May and June 2024, APT42 successfully breached several accounts, including that of a prominent political consultant, a significant escalation. APT42’s targeting extends beyond the U.S. campaigns to key individuals in Israel’s military, defense, and diplomatic circles, along with academics and NGOs. Since April 2024 the group has stepped up its phishing operations, and about 60% of its activity between February and July 2024 was directed at U.S. and Israeli targets. APT42 uses a mix of malware-laden emails, counterfeit phishing pages, and malicious redirects, backed by convincing spoofed accounts and domains that mirror legitimate entities such as political think tanks. The group frequently uses typosquatting, registering domains that differ from a legitimate one by a misspelling or a swapped character, to catch unwary victims. The quality of these lures reflects a detailed understanding of the targets and of the geopolitical stakes, and the focus on high-value targets in the U.S. and Israel points to a calculated effort to gather intelligence and influence geopolitical dynamics. 

(TLP: CLEAR) Comments: In some cases, APT42 uses convincing PDF attachments to establish credibility in its social engineering. These seemingly authentic documents are the first step in building rapport with a target. Once trust is established, APT42 moves the conversation to encrypted messaging platforms such as Signal, Telegram, or WhatsApp, where it delivers phishing kits built to harvest credentials, relying on the perceived security of those platforms to lower the target’s guard. The timing, in the lead-up to the U.S. elections, suggests a deliberate effort to influence political processes and destabilize key diplomatic relationships. 
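The typosquatting and lookalike-domain pattern described above can be screened for with a small edit-distance check over the sender and link domains seen in mail or proxy logs. The following PowerShell is an added example, not code from Google TAG or from this report; the protected domains and the observed sender domains in it are constructed, and the homoglyph table and the two-label domain split (no handling of suffixes like co.uk) are simplifying assumptions.

```powershell
# Added example, not code from Google TAG or from this report. Flags observed
# domains that sit a small edit, a homoglyph swap, or a TLD swap away from
# domains you want to protect. Sample data below is constructed.

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance, case-insensitive
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $prev = 0..$b.Length
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (,0 * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function ConvertTo-Skeleton([string]$label) {
    # Collapse common confusables so 'exarnple' and 'examp1e' compare equal to 'example'.
    # Assumption: this table is a starting point, not a complete homoglyph list.
    $label.ToLowerInvariant() -replace 'rn', 'm' -replace 'vv', 'w' -replace '1', 'l' -replace '0', 'o' -replace '5', 's'
}

function Split-Domain([string]$domain) {
    # Assumption: registrable domain = last two labels; multi-label public suffixes are not handled.
    $labels = $domain.ToLowerInvariant().TrimEnd('.') -split '\.'
    if ($labels.Count -lt 2) { $labels = @($labels[0], '') }
    [pscustomobject]@{ Domain = $domain.ToLowerInvariant(); Sld = $labels[-2]; Tld = $labels[-1] }
}

function Find-LookalikeDomains {
    param(
        [string[]]$Observed,
        [string[]]$Protected,
        [int]$MaxDistance = 2
    )
    $protectedParts = $Protected | ForEach-Object { Split-Domain $_ }
    foreach ($obs in $Observed) {
        $o = Split-Domain $obs
        foreach ($p in $protectedParts) {
            if ($o.Domain -eq $p.Domain) { continue }   # exact match: the legitimate domain itself
            $d  = Get-EditDistance $o.Sld $p.Sld
            $sk = (ConvertTo-Skeleton $o.Sld) -eq (ConvertTo-Skeleton $p.Sld)
            $reason = if ($sk -and $o.Sld -ne $p.Sld)                { 'homoglyph' }
                      elseif ($o.Sld -eq $p.Sld -and $o.Tld -ne $p.Tld) { 'tld-swap' }
                      elseif ($d -ge 1 -and $d -le $MaxDistance)      { "edit-distance $d" }
            if ($reason) {
                [pscustomobject]@{ Observed = $obs; Mimics = $p.Domain; Reason = $reason }
            }
        }
    }
}

# Constructed sample data: two domains to protect, five domains seen in mail headers
$protected = @('example-institute.org', 'example-campaign.com')
$observed  = @(
    'example-institute.org'    # legitimate, not reported
    'exarnple-institute.org'   # rn -> m homoglyph
    'example-institute.net'    # TLD swap
    'examplecampaign.com'      # dropped hyphen, distance 1
    'unrelated-news.co'        # no match
)

Find-LookalikeDomains -Observed $observed -Protected $protected | Format-Table -AutoSize
```

With the sample data this reports the second, third and fourth observed domains and stays silent on the first and last. In practice the protected list should include partner and peer organizations, not only your own domain, because APT42-style lures impersonate the think tanks and institutions the target already corresponds with.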

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”  

One way to detect phishing, malware droppers, and command and control (C2) traffic is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used together with a protective DNS solution to detect this activity as it traverses the network, even if the initial infection occurred via physical media or on another network such as a hotel or airport Wi-Fi. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections. 

Source: https://www.infosecurity-magazine.com/news/google-iranian-attacks/ 

Source: https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phishing-campaigns-against-israel-us/   

FBI shuts down Dispossessor Ransomware Group’s servers across U.S. and U.K. 

(TLP: CLEAR) The FBI recently issued a public advisory detailing the dismantling of the Radar/Dispossessor ransomware infrastructure through a coordinated international law enforcement effort. The operation, executed with the U.K.’s National Crime Agency, the Bamberg Public Prosecutor’s Office, and the Bavarian State Criminal Police Office (BLKA), seized assets linked to the group: three servers in the United States, three in the United Kingdom, and 18 in Germany, along with eight U.S.-based domains and one German-based domain. The domains included radar[.]tld, dispossessor[.]com, cybernewsint[.]com (a fake news outlet), cybertube[.]video (a spoof video platform), and dispossessor-cloud[.]com. The operation marks a significant disruption in the group’s ability to operate. Dispossessor, reportedly active since August 2023, targeted small to mid-sized enterprises worldwide. The FBI has identified 43 confirmed victims across multiple countries, including the United States, Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the United Kingdom, the United Arab Emirates, and Germany. The group’s tactics, techniques, and procedures (TTPs) include exploiting known vulnerabilities in exposed network services, using weak or compromised passwords, and taking over accounts that lack multi-factor authentication. Like most current ransomware operations, Dispossessor practices double extortion: it encrypts critical files and also exfiltrates sensitive data, threatening to publish it to pressure victims into paying. 

(TLP: CLEAR) Comments: The latest developments underscore the concerted efforts by law enforcement to disrupt the operational capabilities of ransomware groups. Notably, in December 2023, a targeted operation successfully dismantled key servers associated with the BlackCat ransomware group. This was followed by a similar initiative in February 2024, where authorities seized multiple servers and websites linked to LockBit. While ransomware continues to be a pervasive threat across all sectors, these strategic takedowns have significantly impacted groups like LockBit, which has seen a marked decrease in its operations in recent months. 

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations. 

Source: https://thehackernews.com/2024/08/fbi-shuts-down-dispossessor-ransomware.html 

Source: https://www.fbi.gov/contact-us/field-offices/cleveland/news/international-investigation-leads-to-shutdown-of-ransomware-group  

Malware Force-installs Chrome extensions on 300,000 browsers, patches DLLs. 

(TLP: CLEAR) Recent reporting describes a widespread, ongoing malware campaign that installs malicious browser extensions on compromised systems. An estimated 300,000 users are affected, primarily on Google Chrome and Microsoft Edge. The threat actors run domains hosting counterfeit installers for popular software, including Roblox FPS Unlocker, TikTok Video Downloader, YouTube Downloader, VLC Media Player, Dolphin Emulator, and KeePass Password Manager. These fake installers deliver a trojan that then silently installs the extensions. Investigators stress that the executables downloaded from these sites never install the advertised software at all; in more recent variants the installer instead fetches the genuine application from a Google storage link via an API call, so the victim sees the program they expected. On execution, the installer registers a scheduled task with a name chosen to look like a legitimate updater (Updater_PrivacyBlocker_PR1, MicrosoftWindowsOptimizerUpdateTask_PR1, and NvOptimizerTaskUpdater_V2 have been observed). The task runs a PowerShell script at set intervals; the script writes registry values under HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist and HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist, the policy keys that enterprises use to force-install extensions, so the browser installs the rogue extensions itself and the user cannot remove them through the normal interface. Once installed, the extensions hijack the user’s search queries and redirect them to malicious or ad-laden pages. 
Beyond redirection, the extensions can harvest login credentials, track browsing history, and exfiltrate other sensitive data while monitoring the victim’s online activity, and they execute commands from a remote command and control (C2) server. The extensions are hidden from the browser’s extension management page, even with developer mode enabled, which complicates removal. 

(TLP: CLEAR) Comments: Affected users are strongly advised to take immediate action by removing the associated scheduled tasks from the Windows Task Scheduler, eliminating the malicious registry entries that enforce the installation of the rogue extensions in their browsers, and thoroughly deleting the following files and directories from their system: C:\Windows\system32\Privacyblockerwindows.ps1, C:\Windows\system32\Windowsupdater1.ps1, C:\Windows\system32\WindowsUpdater1Script.ps1, C:\Windows\system32\Optimizerwindows.ps1, C:\Windows\system32\Printworkflowservice.ps1, C:\Windows\system32\NvWinSearchOptimizer.ps1 – 2024 version, C:\Windows\system32\kondserp_optimizer.ps1 – May 2024 version, C:\Windows\InternalKernelGrid, C:\Windows\InternalKernelGrid3, C:\Windows\InternalKernelGrid4, C:\Windows\ShellServiceLog, C:\windows\privacyprotectorlog, C:\Windows\NvOptimizerLog. Additional mitigation instructions can be found at the following link – https://reasonlabs.com/research/new-widespread-extension-trojan-malware-campaign 
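The persistence described above (policy-forced extensions, a scheduled task running a PowerShell script, and the dropped files listed in the Comments) can be enumerated and removed with the following PowerShell, an added example that is not ReasonLabs’ code or part of the original report. The registry keys, task-name fragments and file list are taken from the text above; the function names and the -WhatIf cleanup flow are choices of this example.

```powershell
# Added example, not code from ReasonLabs or from this report. Enumerates the
# persistence this campaign uses and offers a -WhatIf-capable cleanup. Assumes
# PowerShell 5.1+ on Windows, run elevated. Keys, task-name fragments and paths
# come from the report text; everything else is an assumption of this example.

$ForceListKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
$TaskNameFragments = 'Updater_PrivacyBlocker', 'MicrosoftWindowsOptimizerUpdateTask', 'NvOptimizerTaskUpdater'
$ArtifactPaths = @(
    "$env:SystemRoot\system32\Privacyblockerwindows.ps1",
    "$env:SystemRoot\system32\Windowsupdater1.ps1",
    "$env:SystemRoot\system32\WindowsUpdater1Script.ps1",
    "$env:SystemRoot\system32\Optimizerwindows.ps1",
    "$env:SystemRoot\system32\Printworkflowservice.ps1",
    "$env:SystemRoot\system32\NvWinSearchOptimizer.ps1",
    "$env:SystemRoot\system32\kondserp_optimizer.ps1",
    "$env:SystemRoot\InternalKernelGrid",
    "$env:SystemRoot\InternalKernelGrid3",
    "$env:SystemRoot\InternalKernelGrid4",
    "$env:SystemRoot\ShellServiceLog",
    "$env:SystemRoot\privacyprotectorlog",
    "$env:SystemRoot\NvOptimizerLog"
)

function Get-ForcedExtensions {
    # Each value is named "1","2",... and holds "<32-char extension id>;<update URL>"
    foreach ($key in $ForceListKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -notmatch '^\d+$') { continue }
            $id, $url = [string]$prop.Value -split ';', 2
            [pscustomobject]@{ Key = $key; Entry = $prop.Name; ExtensionId = $id; UpdateUrl = $url }
        }
    }
}

function Get-SuspiciousUpdateTasks {
    # Tasks whose name matches the campaign, or any task that launches a .ps1 via powershell
    Get-ScheduledTask | Where-Object {
        $task = $_
        $nameHit   = $TaskNameFragments | Where-Object { $task.TaskName -like "*$_*" }
        $scriptHit = $task.Actions | Where-Object { $_.Execute -match 'powershell' -and "$($_.Arguments)" -match '\.ps1' }
        $nameHit -or $scriptHit
    } | Select-Object TaskName, TaskPath, State,
        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | ' } }
}

function Get-CampaignArtifacts {
    $ArtifactPaths | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { Get-Item -LiteralPath $_ -Force }
}

function Remove-CampaignPersistence {
    # Run with -WhatIf first and review Get-ForcedExtensions against your own policy:
    # enterprises legitimately use ExtensionInstallForcelist, and a GPO-managed entry
    # is simply re-applied at the next policy refresh.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($e in Get-ForcedExtensions) {
        if ($PSCmdlet.ShouldProcess("$($e.Key) [$($e.Entry)] $($e.ExtensionId)", 'Remove force-install entry')) {
            Remove-ItemProperty -Path $e.Key -Name $e.Entry
        }
    }
    foreach ($t in Get-SuspiciousUpdateTasks) {
        if ($PSCmdlet.ShouldProcess("$($t.TaskPath)$($t.TaskName)", 'Unregister scheduled task')) {
            Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
        }
    }
    foreach ($f in Get-CampaignArtifacts) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete')) {
            Remove-Item -LiteralPath $f.FullName -Recurse -Force
        }
    }
}

Get-ForcedExtensions      | Format-Table -AutoSize
Get-SuspiciousUpdateTasks | Format-Table -AutoSize
Get-CampaignArtifacts     | Select-Object FullName, LastWriteTime
# Remove-CampaignPersistence -WhatIf
```

Order matters: remove the scheduled task before the registry values, otherwise the next task run re-creates them. Any extension ID found in the force list that is not in your approved set should be looked up in the Chrome Web Store before deletion so that a genuine enterprise deployment is not mistaken for the campaign.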

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “The HTTP protocol used in web servers has been exploited by attackers in many ways, such as to place malicious software on the computer of someone browsing the web, or to fool a person into revealing private information that they might not have otherwise. Many of these exploits can be detected by specialized application firewalls called web application firewalls that reside in front of the web server.” 

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to the insertion of malware. Signatures for new vulnerabilities are constantly updated, along with granular input validation controls and traffic filtering measures for flexibility.  UltraWAF includes a number of tools for managing both benign and malicious bots, including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks. Vercara’s UltraAPI Discover continuously assesses your application footprint to provide a complete inventory of your external APIs. UltraAPI Discover provides a continuous mechanism to surface new APIs or domains that are created so that security teams are aware of their existence. 

Source: https://www.bleepingcomputer.com/news/security/malware-force-installs-chrome-extensions-on-300-000-browsers-patches-dlls/  

Microsoft warns of unpatched Office bug leading to potential data exposure. 

(TLP: CLEAR) Microsoft recently disclosed a zero-day vulnerability in Office, unpatched at the time of disclosure, that could expose sensitive information to an attacker. Tracked as CVE-2024-38200 with a CVSS score of 7.5, it is classed as a spoofing flaw; per Microsoft’s advisory, successful exploitation could cause the victim to disclose NTLM hashes. Affected products are Microsoft Office 2016 (32-bit and 64-bit), Microsoft Office 2019 (32-bit and 64-bit), Microsoft Office LTSC 2021 (32-bit and 64-bit), and Microsoft 365 Apps for Enterprise (32-bit and 64-bit). As described in Microsoft’s advisory, an attacker could host a malicious website, or compromise a legitimate one that accepts user-uploaded content, containing a specially crafted file designed to exploit the vulnerability. The attacker cannot force the victim to visit the site; they must use social engineering, typically email or instant messaging, to persuade the target to click a link and then open the malicious file, which triggers the exploit. 

(TLP: CLEAR) Comments: Microsoft stated that the official fix would ship on August 13, 2024, with its monthly Patch Tuesday release. In the interim, Microsoft applied a mitigation through Feature Flighting on July 30, 2024, which gives a degree of protection across all supported versions of Microsoft Office and Microsoft 365 until the full fix is installed. The advisory also lists mitigations that limit the damage of any NTLM leak and remain good hygiene after patching: configure the “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy, add high-value users to the Protected Users security group (members cannot authenticate with NTLM), and block outbound TCP 445/SMB at the perimeter so that NTLM authentication cannot reach attacker-controlled servers. Test the NTLM restriction in audit mode first; denying outbound NTLM breaks authentication to servers that cannot use Kerberos. 
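The interim mitigations from Microsoft’s advisory can be checked and, after testing, applied with the following PowerShell, an added example that is not Microsoft’s code or part of the original report. It assumes an elevated PowerShell 5.1+ session on a Windows host, the documented registry value RestrictSendingNTLMTraffic for the outgoing-NTLM policy, and the ActiveDirectory module for the Protected Users check; the firewall rule name and the Public-profile default are choices of this example.

```powershell
# Added example, not Microsoft's code and not from this report. Reports and
# optionally applies the outgoing-NTLM restriction and an outbound SMB block
# listed as interim mitigations for CVE-2024-38200, and lists Protected Users.
# Assumes PowerShell 5.1+, elevated; registry value name per the documented
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy.

$NtlmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-OutboundNtlmPolicy {
    # 0 or absent = allow all, 1 = audit all, 2 = deny all
    $v = (Get-ItemProperty -Path $NtlmKey -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    switch ([int]$v) { 2 { 'Deny' } 1 { 'Audit' } default { 'Allow' } }
}

function Set-OutboundNtlmPolicy {
    # Deny breaks NTLM to servers that cannot do Kerberos; run in Audit first and
    # review the NTLM operational event log before moving to Deny.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode)
    $map   = @{ Allow = 0; Audit = 1; Deny = 2 }
    $value = $map[$Mode]
    if ($PSCmdlet.ShouldProcess($NtlmKey, "Set RestrictSendingNTLMTraffic = $value ($Mode)")) {
        Set-ItemProperty -Path $NtlmKey -Name RestrictSendingNTLMTraffic -Value $value -Type DWord
    }
}

function Get-OutboundSmbBlockRules {
    # Enabled outbound block rules that cover remote port 445
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { @(($_ | Get-NetFirewallPortFilter).RemotePort) -contains '445' } |
        Select-Object DisplayName, Profile, Enabled
}

function Add-OutboundSmbBlockRule {
    # Blocking 445 outbound on every profile breaks access to internal file shares;
    # the advisory's suggestion is a perimeter block, so on an endpoint limit this
    # to the Public profile unless a wider scope has been tested.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Profile = @('Public'))
    $name = 'Block outbound SMB/445 (CVE-2024-38200 interim mitigation)'
    if ($PSCmdlet.ShouldProcess($name, "Create outbound TCP 445 block on profile(s) $($Profile -join ',')")) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Profile ($Profile -join ',')
    }
}

function Get-ProtectedUsersMembers {
    # Members of Protected Users cannot authenticate with NTLM, so there is no hash
    # for a lure to coax out of them. Requires the RSAT ActiveDirectory module.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName, objectClass
    }
}

[pscustomobject]@{
    OutboundNtlmPolicy = Get-OutboundNtlmPolicy
    SmbBlockRuleCount  = @(Get-OutboundSmbBlockRules).Count
}
Get-ProtectedUsersMembers
# Set-OutboundNtlmPolicy -Mode Audit -WhatIf
# Add-OutboundSmbBlockRule -WhatIf
```

The read-only functions are safe to run fleet-wide to find hosts that still allow unrestricted outbound NTLM; the two Set/Add functions honour -WhatIf and should be piloted on a small group, since both can break legitimate access to legacy file servers.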

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 6.4.1: “For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis, and these applications are protected against known attacks as follows:   

  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows:   
    – By an entity that specializes in application security.   
    – Including, at a minimum, all common software attacks in Requirement 6.2.4.   
    – All vulnerabilities are ranked in accordance with requirement 6.3.1.   
    – All vulnerabilities are corrected.   
    – The application is re-evaluated after the corrections.   

  OR   

  • Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows:   
    – Installed in front of public-facing web applications to detect and prevent web-based attacks.   
    – Actively running and up to date as applicable.   
    – Generating audit logs.   
    – Configured to either block web-based attacks or generate an alert that is immediately investigated.” 

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats. 

Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38200 

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
