At WWDC22, Apple announced macOS Ventura 13.x, the next version of macOS, and has released the first beta of the new operating system. SentinelOne is working to ensure that its macOS agent is compatible with the new OS and that a GA agent is released as soon as possible after Apple ships the production release, in line with its macOS agent support policy. Apple does not give developers the GA build before release and tends to change things between the beta shared with developers and the GA version.
We recommend that you suspend macOS updates until SentinelOne formally supports the new macOS version. Once SentinelOne confirms agent availability, the SOC will advise on upgrade procedures.
Please let us know of any macOS compatibility issues you identify so that we can pass them to SentinelOne Support and ensure they are resolved before the new GA agent is ready.
If you have any questions or concerns please contact us in the following ways: 1. Email us at socir@cyflare.com 2. Contact your Customer Success Manager directly 3. Call us at 877-729-3527 Option 2
Oct 24, 2022 - 13:04 EDT
Update - We are continuing to monitor for any further issues.
Oct 05, 2022 - 13:51 EDT
Monitoring - Posted Date: 9/30/2022
Published Date:
Source(s): GTSC, Microsoft Security Response Center
Sector: Security Vulnerability
Reported by: GTSC
Date(s) Issued:
Subject: Security researchers from GTSC Network Security have found a new zero-day vulnerability in Microsoft Exchange Server that is being exploited in the wild.
OVERVIEW: Security researchers from GTSC Network Security discovered a critical vulnerability in Microsoft Exchange Server that malicious actors can exploit to execute code remotely (RCE) on the compromised system.
SYSTEMS AFFECTED: • Microsoft Exchange Server 2013, 2016, 2019
RISK: Anyone who is currently running the Microsoft Exchange Server versions listed
THREAT SUMMARY: On September 29, 2022, GTSC released a blog post outlining a new attack campaign that has been observed using two as-yet-undisclosed vulnerabilities (0-days) that were submitted to Microsoft via Trend Micro's Zero Day Initiative: ZDI-CAN-18333 (CVSS 8.8) and ZDI-CAN-18802 (CVSS 6.3), which could allow an attacker to perform remote code execution (RCE) on affected Microsoft Exchange servers. At this time GTSC has not released technical details of the vulnerabilities; Microsoft is aware of them, but no patch is currently available.
Detection: To check whether an Exchange server has already been targeted by this 0-day, scan the IIS log files with the following PowerShell command (replace <Path_IIS_Logs> with the IIS log directory, by default C:\inetpub\logs\LogFiles):
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
Any matching line is a request to autodiscover.json that carried a "powershell" segment and an "@" and contains 200 later on the line (normally the status code). Treat it as a possible exploitation attempt and review the client IP and timestamp.
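As an added example (not part of the advisory or GTSC's tooling), the following Python applies the same expression to a constructed IIS W3C log excerpt and shows why hits need a second look: the trailing 200 in the pattern matches any column, so a request that was rejected with 401 but took 200 ms also matches. The field names come from the #Fields directive IIS writes at the top of each log; the log lines, IPs and hostnames are made up.

```python
import re
from typing import Dict, List

# The expression from the advisory's Select-String command. Select-String is
# case-insensitive by default, so re.IGNORECASE preserves that behaviour.
EXCHANGE_0DAY_PATTERN = re.compile(r"powershell.*autodiscover\.json.*\@.*200", re.IGNORECASE)

# Constructed IIS W3C log excerpt (no real traffic). IIS writes the #Fields
# directive at the top of each log; the column order below follows it.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-28 10:15:20 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice@corp.example&Protocol=Ews 443 CORP\\alice 10.1.1.20 Microsoft+Office/16.0 - 200 0 0 31
2022-09-28 10:15:22 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell&Email=autodiscover/autodiscover.json%3f@evil.example 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 45
2022-09-28 10:15:25 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell&Email=autodiscover/autodiscover.json%3f@evil.example 443 - 203.0.113.7 Mozilla/5.0 - 401 0 0 12
2022-09-28 10:15:27 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell&Email=autodiscover/autodiscover.json%3f@evil.example 443 - 203.0.113.7 Mozilla/5.0 - 401 0 0 200
"""


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Map each data line to a dict keyed by the names in the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # a new directive resets the layout
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                            # layout mismatch: skip rather than misattribute
        rec = dict(zip(fields, values))
        rec["raw"] = line
        records.append(rec)
    return records


def find_exchange_0day_hits(text: str) -> List[Dict[str, str]]:
    """Loose pass: every line the advisory's regex matches, with key fields extracted."""
    hits = []
    for rec in parse_w3c_log(text):
        if EXCHANGE_0DAY_PATTERN.search(rec["raw"]):
            hits.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "client_ip": rec["c-ip"],
                "uri": rec["cs-uri-stem"],
                "query": rec["cs-uri-query"],
                "status": rec["sc-status"],
            })
    return hits


def confirmed_hits(text: str) -> List[Dict[str, str]]:
    """Strict pass: the 200 must be the sc-status column, not some other field."""
    return [h for h in find_exchange_0day_hits(text) if h["status"] == "200"]


if __name__ == "__main__":
    for h in find_exchange_0day_hits(SAMPLE_IIS_LOG):
        label = "CONFIRMED" if h["status"] == "200" else "attempt  "
        print(f'{label} {h["time"]} {h["client_ip"]} {h["status"]} {h["query"]}')
```

The loose pass is still worth keeping: a 401 against the same autodiscover/powershell request from the same client is an exploitation attempt, just a failed one. Select-String on the server gives that loose result; the structured status check is the confirmation step.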
Mitigations: The current mitigation is to add a request-blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” for the known attack pattern:
• Open IIS Manager.
• Expand the Default Web Site.
• Select Autodiscover.
• In the Feature View, click URL Rewrite.
• In the Actions pane on the right-hand side, click Add Rules.
• Select Request Blocking and click OK.
• Add the string .*autodiscover\.json.*Powershell.* (without quotes) and click OK.
• Expand the rule, select the rule you just added (pattern .*autodiscover\.json.*Powershell.*), and click Edit under Conditions.
• Change the condition input from {URL} to {REQUEST_URI}. {URL} holds only the request path, while {REQUEST_URI} includes the query string, which is where the attack pattern appears.
Blocking the following ports used for Remote PowerShell (WinRM) can also help limit these attacks: • HTTP: 5985 • HTTPS: 5986
CyFlare Actions Taken: • Stellar Cyber – BDS: The SOC is actively monitoring updates and working to create queries/ATH rules regarding the indicators of compromise as they’re released. • AlienVault USM Anywhere: AlienVault Open Threat Exchange or OTX has been updated with ‘OTX Pulses’ or information available on related indicators observed from both vendor and community.
Developing Situation: The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service. Reference Links:
Monitoring - Posted Date: 9/16/2022
Published Date:
Source(s): Vectra.AI
Sector: Security Vulnerability
Reported by: Vectra Protect Team
Date(s) Issued:
Subject: An attack path was discovered that would enable malicious actors with file system access to steal credentials for any Microsoft Teams user who is signed in
OVERVIEW: Malicious actors can exploit a weakness in the current Microsoft Teams desktop application to obtain authentication tokens and take over accounts, including accounts with multi-factor authentication enabled.
SYSTEMS AFFECTED: • Windows Operating Systems (all versions) • Linux Operating Systems (all versions) • Mac Operating Systems (all versions)
RISK: Anyone who is currently using the Microsoft Teams desktop application
THREAT SUMMARY: In August 2022, the Vectra Protect team discovered an attack path that would give malicious actors access to authentication tokens and accounts even with multi-factor authentication enabled. Microsoft Teams is an Electron app, and the issue stems from the fact that Electron does not provide encryption or protected file locations for its storage. The Vectra Protect team found that the Teams client stores access tokens in clear text in an “ldb” file, and stores valid authentication tokens, account information, session data, and marketing tags in the “Cookies” folder. While this weakness is severe, exploiting it requires the malicious actor to already have access to the internal network and to the file system of a signed-in user's machine.
A Microsoft spokesperson has stated that this does not meet the bar for immediate servicing as it requires an attacker to already have access to a target network
Mitigations: Currently the only recommended mitigation is to use the web-based Teams client inside of Microsoft Edge, which has multiple OS-level controls to protect token leaks.
Indicators of Compromise: Any process other than Teams.exe attempting to access the following file paths: • [Windows] %AppData%\Microsoft\Teams\Cookies • [Windows] %AppData%\Microsoft\Teams\Local Storage\leveldb • [macOS] ~/Library/Application Support/Microsoft/Teams/Cookies • [macOS] ~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb • [Linux] ~/.config/Microsoft/Microsoft Teams/Cookies • [Linux] ~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb
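As an added example (not Vectra's or CyFlare's code), this Python evaluates constructed file-access events against the paths above. It expands the advisory's placeholders per OS, flags any non-Teams process touching a token store, and also flags a binary merely named Teams.exe running from somewhere other than the expected install directory. The expected install directories and the event field names are assumptions, not from the advisory; the events themselves are made up.

```python
from typing import Dict, List, Optional, Tuple

# Token-store directories from the advisory, keyed by OS, placeholders as written there.
TEAMS_TOKEN_DIRS = {
    "windows": [r"%AppData%\Microsoft\Teams\Cookies",
                r"%AppData%\Microsoft\Teams\Local Storage\leveldb"],
    "macos":   ["~/Library/Application Support/Microsoft/Teams/Cookies",
                "~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb"],
    "linux":   ["~/.config/Microsoft/Microsoft Teams/Cookies",
                "~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb"],
}
# Assumed install locations of the Teams desktop client (not from the advisory).
EXPECTED_INSTALL_DIRS = {
    "windows": [r"%LocalAppData%\Microsoft\Teams"],
    "macos":   ["/Applications/Microsoft Teams.app"],
    "linux":   ["/usr/share/teams"],
}
TEAMS_BINARIES = {"teams.exe", "teams"}

# Constructed file-access events (process_image read target). The field names
# are an assumption about the telemetry; EDR or Sysmon events carry equivalents.
WIN = {"os": "windows", "appdata": r"C:\Users\alice\AppData\Roaming",
       "localappdata": r"C:\Users\alice\AppData\Local"}
SAMPLE_EVENTS = [
    dict(WIN, process_image=r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
         target=r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies"),
    dict(WIN, process_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         target=r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\000003.ldb"),
    dict(WIN, process_image=r"C:\Users\alice\Downloads\Teams.exe",
         target=r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies"),
    dict(WIN, process_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         target=r"C:\Temp\notes.txt"),
    {"os": "macos", "home": "/Users/alice", "process_image": "/usr/bin/python3",
     "target": "/Users/alice/Library/Application Support/Microsoft/Teams/Cookies"},
    {"os": "linux", "home": "/home/alice", "process_image": "/usr/share/teams/teams",
     "target": "/home/alice/.config/Microsoft/Microsoft Teams/Local Storage/leveldb/LOG"},
]


def _expand(template: str, ev: Dict[str, str]) -> str:
    """Resolve the advisory's placeholders against the values carried by the event."""
    return (template.replace("%AppData%", ev.get("appdata", ""))
                    .replace("%LocalAppData%", ev.get("localappdata", ""))
                    .replace("~", ev.get("home", ""), 1))


def _norm(path: str, windows: bool) -> str:
    """Forward slashes everywhere; Windows paths compare case-insensitively."""
    p = path.replace("\\", "/").rstrip("/")
    return p.lower() if windows else p


def _within(path: str, root: str) -> bool:
    return path == root or path.startswith(root + "/")


def evaluate(ev: Dict[str, str]) -> Optional[str]:
    """Return a reason if this file-access event should be flagged, else None."""
    win = ev["os"] == "windows"
    target = _norm(ev["target"], win)
    watched = [_norm(_expand(d, ev), win) for d in TEAMS_TOKEN_DIRS[ev["os"]]]
    if not any(_within(target, d) for d in watched):
        return None                                   # not a token store: out of scope
    image = _norm(ev["process_image"], win)
    if image.rsplit("/", 1)[-1].lower() not in TEAMS_BINARIES:
        return "non-Teams process read the Teams token store"
    expected = [_norm(_expand(d, ev), win) for d in EXPECTED_INSTALL_DIRS[ev["os"]]]
    if not any(_within(image, d) for d in expected):
        return "binary named like Teams running from an unexpected directory"
    return None


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    flagged = []
    for ev in events:
        reason = evaluate(ev)
        if reason:
            flagged.append((ev["process_image"], ev["target"], reason))
    return flagged
```

Matching on the process name alone is not enough, since an attacker can name a dropper Teams.exe; match on the full image path (and, where the telemetry carries it, the code signature), as the third sample event shows.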
CyFlare Actions Taken: • Stellar Cyber – BDS: The SOC has created a global ATH rule in order to detect any access to the file paths listed in the indicators of compromise. • SentinelOne: A custom STAR query is being implemented to detect abnormal access to the file paths listed in the indicators of compromise section • AlienVault USM Anywhere: AlienVault Open Threat Exchange or OTX has been updated with ‘OTX Pulses’ or information available on related indicators observed from both vendor and community.
Developing Situation: The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.
Source(s): US Cybersecurity and Infrastructure Agency (CISA)
Sector: Security Vulnerability
Reported by: CISA
Date(s) Issued: 03 September 2022
Subject: The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that a high-severity security vulnerability in Palo Alto Networks firewalls is being actively exploited in the wild.
OVERVIEW: Threat actors can exploit a bug in the PAN-OS operating system that runs the firewalls to launch reflected and amplified denial-of-service (DoS) attacks.
SYSTEMS AFFECTED: PAN-OS operating systems
RISK: Attackers can exploit the flaw to deploy both reflected and amplified versions of DDoS floods.
THREAT SUMMARY:
A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target.
To be misused by an external attacker, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface. This configuration is not typical for URL filtering and, if set, is likely unintended by the administrator.
If exploited, this issue does not impact the confidentiality, integrity, or availability of Palo Alto Networks products. However, the resulting denial-of-service (DoS) attack may help obscure the identity of the attacker and implicate the firewall as the source of the attack.
Mitigation:
For the newly exploited PAN-OS bug, patches are available in the following versions: • PAN-OS 8.1.23-h1 • PAN-OS 9.0.16-h3 • PAN-OS 9.1.14-h4 • PAN-OS 10.0.11-h1 • PAN-OS 10.1.6-h6 • PAN-OS 10.2.2-h2 • And all later PAN-OS versions for PA-Series, VM-Series and CN-Series firewalls.
To prevent denial-of-service (DoS) attacks resulting from this issue from all sources, you can configure your Palo Alto Networks firewalls by enabling one of two zone protection mitigations on all Security zones with an assigned Security policy that includes a URL filtering profile:
1. Packet-based attack protection including both (Packet Based Attack Protection > TCP Drop > TCP SYN with Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open)
OR
2. Flood protection (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections.
Developing Situation:
The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.
Update - Just a reminder that starting next week, on 9/7/22, we will begin the migration process. Please ensure the firewall rules listed below are in place if outbound communications are restricted. As always, if you have any issues or questions, please contact your Customer Success Manager or the SOC using the methods below:
At CyFlare, our goal is to protect you 100% of the time. Therefore, in an ongoing effort to enhance our resilience, we will strengthen our cloud infrastructure and architecture. These infrastructure changes will go into effect on September 7, 2022. Customers will be migrated in batches between September 7 and September 30.
When Will the Changes Go Into Effect? The infrastructure changes will go into effect on September 7, 2022
What Does It Mean For Me? Between September 7 and September 30, CyFlare will migrate your account to our new infrastructure. Therefore, we ask that you make the following changes before September 7 on your end to ensure no loss of service:
New Firewall Rules To Be Added (do not remove old rules)
The following BDS Firewall Rules will be needed to allow your appliances and the security sensors to communicate outbound. No inbound ports or rules need to be configured.
A. Outbound From the appliance Static IP:
● To destination IP address 91.189.89.90 over TCP port 80 ● To destination IP address 91.189.90.173 over TCP port 80
B. Outbound from the sensor and Linux Agent static IP:
Addresses to be added:
● TCP 6640-6648 to cm-cyflare.stellarcyber.cloud (141.148.147.188)
● TCP 8443 to cm-cyflare.stellarcyber.cloud (141.148.147.188)
● TCP 8888 to receiver-cyflare.stellarcyber.cloud (152.70.135.38)
● UDP 8472 to 54.176.232.64
● UDP 4789 to 54.176.232.64
C. Outbound from any Windows Servers with SIEM agents deployed:
● TCP 8888 to receiver-cyflare.stellarcyber.cloud (152.70.135.38)
● TCP 8443 to cm-cyflare.stellarcyber.cloud (141.148.147.188)
● TCP 6640-6648 to cm-cyflare.stellarcyber.cloud (141.148.147.188)
NOTE: IP addresses are provided in case your firewall will not allow an FQDN. Use FQDN where allowed.
After the migration, you will need to use this link to access the XDR Management Platform: https://cyflare.stellarcyber.cloud. Your credentials will remain the same.
What If I Have Questions or Concerns? Please reach out to us with any questions in the following ways:
OVERVIEW: Identification of an emerging ransomware family known as “BlueSky” that is speculated to be connected to Conti ransomware group
SYSTEMS AFFECTED: Predominantly windows hosts
RISK: Businesses that are hit with ransomware can face several risks, including financial loss, data loss, and reputational damage
THREAT SUMMARY: BlueSky ransomware is an emerging family that uses multithreading to encrypt files on the host. Analysis of this ransomware suggests it may be connected to the Conti ransomware group. The initial dropper is delivered by a PowerShell script from “hxxps://kmsauto[.]us/someone/start.ps1”; from there it runs local privilege escalation techniques before downloading the final payload. The ransomware uses a multithreaded queue for faster encryption on its host. Encryption uses Curve25519 to generate a key pair, then uses the hash of this key to derive a file encryption key for the ChaCha20 encryption algorithm. As with all ransomware, once the files are encrypted a ransom note is created to demand payment to restore them. The note is dropped in each directory where files were encrypted, and encrypted files receive the “.bluesky” extension. Paying the ransom is strongly discouraged: groups like Conti don't always restore files once payment is received, and companies that paid a ransom are frequently hit again, for a higher price.
Known BlueSky Artifacts: • A generated user ID by computing MD5 hash over combined Volume Information, Machine GUID, Product ID and Install Date values • HKCU\Software\\completed • HKCU\Software\\recoveryblob • HKCU\Software\\x25519_public
Indicators of Compromise:
• BlueSky Ransomware Payloads (SHA-256)
  o 2280898cb29faf1785e782596d8029cb471537ec38352e5c17cc263f1f52b8ef
  o 3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb
  o 840af927adbfdeb7070e1cf73ed195cf48c8d5f35b6de12f58b73898d7056d3d
  o b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec
  o c75748dc544629a8a5d08c0d8ba7fda3508a3efdaed905ad800ffddbc8d3b8df
  o e75717be1633b5e3602827dc3b5788ff691dd325b0eddd2d0d9ddcee29de364f
• Obfuscated PowerShell Downloader (SHA-256)
  o 08f491d46a9d05f1aebc83d724ca32c8063a2613250d50ce5b7e8ba469680605
• PowerShell Downloader, decoded (SHA-256)
  o 969a4a55bb5cabc96ff003467bd8468b3079f5c95c5823985416c019eb8abe2f
• CVE-2020-0796 SMBGhost Privilege Escalation Exploit (SHA-256)
  o c4e47cba1c5fedf9ba522bc2d2de54a482e0ac29c98358390af6dadc0a7d65ce
• JuicyPotato (SHA-256)
  o cf64c08d97e6dfa5588c5fa016c25c4131ccc61b8deada7f9c8b2a41d8f5a32c
• CVE-2021-1732 Privilege Escalation Exploit (SHA-256)
  o 6c94a1bc67af21cedb0bffac03019dbf870649a182e58cc5960969adf4fbdd48
• URLs
  o hxxps://kmsauto[.]us/someone/l.exe
  o hxxps://kmsauto[.]us/app1.bin
  o hxxps://kmsauto[.]us/server.txt
  o hxxps://kmsauto[.]us/encoding.txt
  o hxxps://kmsauto[.]us/all.txt
  o hxxps://kmsauto[.]us/someone/spooler.exe
  o hxxps://kmsauto[.]us/sti/sti.bin
  o hxxps://kmsauto[.]us/someone/potato.exe
  o hxxps://kmsauto[.]us/someone/ghost.exe
  o hxxps://kmsauto[.]us/someone/start.ps1
• Registry Paths
  o HKCU\Software\\completed
  o HKCU\Software\\recoveryblob
  o HKCU\Software\\x25519_public
CyFlare Actions Taken: • Stellar Cyber – BDS: The SOC has implemented custom detections in order to detect any currently known indicators of compromise listed in this advisory. • SentinelOne: A custom STAR query has been developed to detect any of the currently known hash values listed in the indicators of compromise • AlienVault USM Anywhere: AlienVault Open Threat Exchange or OTX has been updated with ‘OTX Pulses’ or information available on related indicators observed from both vendor and community.
Developing Situation: The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.
Subject: LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool
OVERVIEW: Threat actors can abuse the legitimate Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.
SYSTEMS AFFECTED: Systems running Windows Defender
RISK: Threat actors can use the legitimate Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads
THREAT SUMMARY:
On July 28, 2022, SentinelLabs revealed that threat actors have been using the legitimate Windows Defender command line tool MpCmdRun.exe to sideload a malicious mpclient.dll. Once an actor has sufficient privileges, they use PowerShell to download the malicious DLL, the encrypted payload, and the legitimate tool from their controlled C2. Because MpCmdRun.exe resolves mpclient.dll through the normal DLL search order, a copy of the legitimate binary placed next to the malicious mpclient.dll loads the attacker's library, which then decrypts and loads the Cobalt Strike payload.
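As an added example (not SentinelLabs' or CyFlare's detection logic), the following Python applies the sideload conditions to constructed Sysmon Event ID 7 (Image loaded) records: mpclient.dll loaded from outside the Defender install or platform directories, MpCmdRun.exe executing from outside them, or an mpclient.dll that is not Microsoft-signed. The Defender directories are an assumption about a default install, the platform version string is made up, and so are the sample records.

```python
from typing import Dict, List

# Where Microsoft ships MpCmdRun.exe and mpclient.dll on a default install:
# the base install directory and the versioned platform folders (assumption).
DEFENDER_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)

# Constructed Sysmon Event ID 7 records (field names as Sysmon emits them).
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\mpclient.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\Public\MpCmdRun.exe",                # copied tool, user-writable dir
     "ImageLoaded": r"C:\Users\Public\mpclient.dll",          # attacker's DLL beside it
     "Signed": "false", "Signature": "-"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\mpclient.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\Public\mpclient.dll",          # legit loader, foreign DLL
     "Signed": "false", "Signature": "-"},
]


def _norm(p: str) -> str:
    return p.replace("\\", "/").lower()


def _under(path: str, root: str) -> bool:
    return _norm(path).startswith(_norm(root).rstrip("/") + "/")


def _basename(p: str) -> str:
    return _norm(p).rsplit("/", 1)[-1]


def evaluate_image_load(ev: Dict[str, str]) -> List[str]:
    """Reasons to flag one image-load event; an empty list means nothing to report."""
    if _basename(ev["ImageLoaded"]) != "mpclient.dll":
        return []
    reasons = []
    if _basename(ev["Image"]) == "mpcmdrun.exe" and not any(_under(ev["Image"], d) for d in DEFENDER_DIRS):
        reasons.append("MpCmdRun.exe executing outside the Defender install/platform directories")
    if not any(_under(ev["ImageLoaded"], d) for d in DEFENDER_DIRS):
        reasons.append("mpclient.dll loaded from outside the Defender install/platform directories")
    if ev.get("Signed") != "true" or not ev.get("Signature", "").startswith("Microsoft"):
        reasons.append("loaded mpclient.dll is not Microsoft-signed")
    return reasons


def detect_mpcmdrun_sideload(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    findings = []
    for ev in events:
        reasons = evaluate_image_load(ev)
        if reasons:
            findings.append({"Image": ev["Image"], "ImageLoaded": ev["ImageLoaded"], "reasons": reasons})
    return findings
```

An attacker may rename the copied MpCmdRun.exe, which defeats the first check, but the DLL-path and signature checks still fire; that is why the rule does not key on the loader's name alone.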
CyFlare Actions Taken: • Stellar Cyber – BDS: We have implemented a custom rule to detect command line activity related to this exploit • SentinelOne: We have implemented a custom STAR query to detect currently known indicators of compromise regarding this vulnerability
Developing Situation: The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.
Monitoring - A fix has been implemented and we are monitoring the results.
Aug 02, 2022 - 18:16 EDT
Investigating - SentinelOne released SP1 version of its 22.1 GA codebase on June 16, 2022. By policy, the CyFlare MDR service releases agent updates to customers after vendor releases have been internally reviewed for impact and have been in the field for a month.
This ensures a stable agent release for our customers.
Our Technical Operations Center will be scheduling the agent upgrades during the weekend of August 26th with a maintenance window on August 27th starting at 0000 and ending at 0500 (midnight to 5 AM Eastern). For those agents that are not connected at the time of the upgrade, they will be upgraded the next time they report into the management platform.
This process is generally non-intrusive, and there is nothing required from our partners or customers, during this time. If you experience any issues, please open a ticket so we can investigate and provide a quick resolution.
In our Trust Post on March 1, 2022 we notified you about the opportunity for you to “opt out” of this automatic upgrade process. If you have already opted out, we have your choice on file. If you haven’t opted out but wish to now, please open a ticket through our ticketing portal with the following subject line: " – Upgrade Process: Opt Out.” We will mark your account accordingly.
Please note that if you choose to do so, you will need to open a ticket to request an upgrade when you are ready.
Cyflare appreciates the opportunity to be your trusted MDR provider.
Aug 02, 2022 - 09:22 EDT
Source: Known reputed Security Agencies/Reports/Articles
Sector: All – including Government agencies
Reported by: Ars Technica blog post and Lenovo Support CVE: CVE-2022-1890, CVE-2022-1891 and CVE-2022-1892
DATE(S) ISSUED: 07/13/2022
SUBJECT: Vulnerabilities that could allow undetectable infections affect 70 Lenovo laptop models
OVERVIEW:
The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing attackers to hijack the OS execution flow and disable some important security features. They are caused by insufficient validation of the DataSize parameter passed to the UEFI Runtime Services function GetVariable. In the affected drivers the first GetVariable call updates DataSize to the stored variable's actual length, and the second call reuses that length against the same fixed-size buffer, so an attacker who creates a specially crafted NVRAM variable larger than that buffer causes a buffer overflow of the Data buffer in the second GetVariable call.
THREAT INTELLIGENCE: Per recent updates from Lenovo, the vulnerability is actively being exploited in attacks; targets are not known at this time.
SYSTEMS AFFECTED: Laptop model lines:
• Yoga
• ThinkBook
• IdeaPad
• ThinkPad
RISK: Government and their entities: High Impact Businesses and their entities: High Impact
TECHNICAL SUMMARY:
Lenovo has assigned a medium severity rating to the vulnerabilities, which are tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892 and affect the ReadyBootDxe, SystemLoadDefaultDxe, and SystemBootManagerDxe drivers, respectively.
CVE-2022-1890: A buffer overflow has been identified in the ReadyBootDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
CVE-2022-1891: A buffer overflow has been identified in the SystemLoadDefaultDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
CVE-2022-1892: A buffer overflow has been identified in the SystemBootManagerDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
RECOMMENDATIONS:
OVERVIEW The SessionManager backdoor enables threat actors to keep persistent, update-resistant and rather stealth access to the IT infrastructure of a targeted organization.
SYSTEMS AFFECTED: Microsoft Exchange servers vulnerable to ProxyLogon-type exploits
RISK: The SessionManager backdoor enables threat actors to keep persistent, update-resistant and rather stealth access to the IT infrastructure of a targeted organization.
THREAT SUMMARY: SessionManager IIS backdoor. On June 30, 2022, Kaspersky researchers disclosed a backdoor set up as a malicious module inside IIS. It is deployed by threat actors who have previously exploited ProxyLogon-type vulnerabilities in Microsoft Exchange servers. Once dropped onto the victim's system, the operators behind the backdoor can gain access to company email and extend their foothold by installing other types of malware.
CyFlare Actions Taken: • Stellar Cyber – BDS: Stellar Cyber’s Machine Learning-IDS engine, as well as built-in threat intelligence is also consistently updated with the latest threats identified by the open-source cyber threat intelligence community. • SentinelOne: We have implemented a custom STAR query to detect currently known indicators of compromise regarding this vulnerability. This vulnerability is also being analyzed by the SentinelOne Analysis team.
If a malicious module is identified, we recommend the following template of actions (merely deleting the malicious module file will not be enough to get rid of it):
• Take a volatile memory snapshot of the running system where IIS is executing. Request assistance from forensics and incident response experts if required.
• Stop the IIS server and, ideally, disconnect the underlying system from publicly reachable networks.
• Back up all files and logs from your IIS environment to retain data for further incident response. Check that the backups can be opened or extracted successfully.
• Using IIS Manager or the appcmd command-line tool, remove every reference to the identified module from application and server configurations. Manually review the associated IIS XML configuration files to make sure no reference to the malicious module remains; remove any leftover references in the XML files by hand.
• Update the IIS server and underlying operating system to make sure no known vulnerabilities remain exposed to attackers.
• Restart the IIS server and bring the system back online.
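As an added example (not Kaspersky's tooling or CyFlare's), the following Python audits the module configuration the steps above ask you to review. It reads a copy of applicationHost.config, flags native modules whose image lives outside the trusted IIS, .NET, or product directories, lists managed modules for review, and catches module references that have no globalModules entry. The sample configuration is constructed, the flagged module name and path are made-up placeholders rather than indicators from any report, and the trusted-directory list is an assumption you should tailor (Exchange's own kerbauth.dll is included to show why).

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Sequence

# Directories a native IIS module image may legitimately live in (assumption;
# extend for products that register their own native modules).
DEFAULT_TRUSTED_DIRS = (
    r"%windir%\System32\inetsrv",
    r"%SystemRoot%\System32\inetsrv",
    r"%windir%\Microsoft.NET",
    r"C:\Program Files\Microsoft\Exchange Server\V15\Bin",   # e.g. kerbauth.dll
)

# Constructed applicationHost.config excerpt. "CompatHelper" and its path are
# placeholders for what a dropped native module looks like, not real indicators.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="kerbauth" image="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\kerbauth.dll" />
      <add name="CompatHelper" image="C:\\Windows\\Temp\\compathelper.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" lockItem="true" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
    </modules>
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <modules>
        <add name="CompatHelper" />
        <add name="kerbauth" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""


def _norm(p: str) -> str:
    return p.replace("\\", "/").lower().rstrip("/")


def audit_iis_modules(config_xml: str,
                      trusted_dirs: Sequence[str] = DEFAULT_TRUSTED_DIRS) -> List[Dict[str, str]]:
    """Flag native modules outside trusted_dirs, list managed modules, catch dangling references."""
    root = ET.fromstring(config_xml)
    findings: List[Dict[str, str]] = []
    native: Dict[str, str] = {}
    # Tag names here contain dots, so iterate by tag rather than using ElementTree paths.
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            native[name] = image
            if not any(_norm(image).startswith(_norm(d) + "/") for d in trusted_dirs):
                findings.append({"module": name, "kind": "native", "location": image,
                                 "reason": "native module image outside trusted directories"})
    # <modules> appears at server level and inside <location> blocks per site; check all of them.
    for mods in root.iter("modules"):
        for add in mods.findall("add"):
            name, managed_type = add.get("name", ""), add.get("type")
            if managed_type:
                findings.append({"module": name, "kind": "managed", "location": managed_type,
                                 "reason": "managed module: confirm the assembly is expected"})
            elif name not in native:
                findings.append({"module": name, "kind": "native", "location": "",
                                 "reason": "enabled module has no globalModules entry"})
    return findings
```

On the live server, appcmd list modules gives the same list; this script is for the offline review of the backed-up configuration. Keep the flagged DLL as evidence rather than deleting it, and remove the <add> entries from both the globalModules and modules sections, which is what the "remove every reference" step above means.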
Developing Situation: The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.
Monitoring - Published Date: 7/5/2022
Source(s): Chrome Security
Sector: Security Vulnerability
Reported by: Google Chrome
Date(s) Issued: 7/4/2022
Subject: CVE-2022-2294 – Google Chrome WebRTC Heap Buffer Overflow
OVERVIEW: A heap-based buffer overflow in WebRTC in the Google Chrome browser that can lead to remote code execution or denial of service. Buffer overflows can often be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. Besides important user data, heap-based overflows can be used to overwrite function pointers that live in memory, redirecting them to the attacker's code.
SYSTEMS AFFECTED: The vulnerability has been demonstrated in Google Chrome on Windows and Android.
RISK:
Potential for remote code execution, denial of service (DoS) just by visiting a malicious site, as well as decreased browser performance.
THREAT SUMMARY:
Little is known at this time in regards to the technical details behind the zero-day exploitation. We will continue to monitor and provide additional updates as more is known.
Recommendations: • In the Chrome browser, open Settings > About Chrome; Chrome checks for updates, then click Relaunch to apply the security fix. • After the update, Chrome should be on version 103.0.5060.114 (Official Build) (64-bit) or later.
Monitoring - Published Date: 6/3/2022
Source(s): Nao_Sec, Microsoft Security Response Center
Sector: Security Vulnerability
Reported by: Nao_sec, Microsoft Security Response Center, SentinelLabs
Date(s) Issued:
Subject: CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability
OVERVIEW
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word
SYSTEMS AFFECTED:
The vulnerability has been demonstrated in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365.
RISK:
Remote Code execution in Office Products
THREAT SUMMARY: Follina — a Microsoft Office code execution vulnerability
On May 27, 2022, nao_sec identified this zero-day vulnerability being exploited against Office products. The malicious document used the Word remote template feature to retrieve an HTML file from a remote web server, which then used the ms-msdt URI protocol handler to load and execute malicious PowerShell code. The technique has been successfully tested in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365.
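As an added example (not nao_sec's, Microsoft's, or CyFlare's code), the following Python builds a minimal constructed .docx whose attached-template relationship points at an external URL, extracts such relationships from the parts Word resolves on open, and scans fetched template HTML for ms-msdt: URIs. The XML parts, URLs and HTML are constructed, and the payload is redacted to a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship parts Word resolves when a document opens (settings first: that is
# where the attached template lives).
RELS_PARTS = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")
# The ms-msdt URI the advisory describes; the troubleshooter id follows /id.
MSDT_RE = re.compile(r"ms-msdt:/id\s+(\S+)", re.IGNORECASE)

# Minimal OOXML parts for a constructed .docx (not a real sample).
SETTINGS_XML = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
SETTINGS_RELS = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                 '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                 'relationships/attachedTemplate" Target="__TARGET__" TargetMode="External"/></Relationships>')
DOCUMENT_XML = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                '<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>')
# Constructed HTML of the kind a remote template would return; payload redacted.
SAMPLE_HTML = ('<html><body><script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force '
               '/param \\"IT_RebrowseForFile=? IT_BrowseForFile=PAYLOAD_REDACTED\\"";</script></body></html>')


def build_sample_docx(template_target: str) -> bytes:
    """Pack the parts above into a .docx whose attached template points at template_target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/settings.xml", SETTINGS_XML)
        z.writestr("word/_rels/settings.xml.rels", SETTINGS_RELS.replace("__TARGET__", template_target))
    return buf.getvalue()


def external_relationships(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Every relationship with TargetMode="External" in the parts Word resolves on open."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part in RELS_PARTS:
            if part not in names:
                continue
            for rel in ET.fromstring(z.read(part)).iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    found.append({"part": part,
                                  "type": rel.get("Type", "").rsplit("/", 1)[-1],
                                  "target": rel.get("Target", "")})
    return found


def remote_templates(docx_bytes: bytes) -> List[str]:
    """Attached templates fetched over HTTP(S): the delivery vehicle described above."""
    return [r["target"] for r in external_relationships(docx_bytes)
            if r["type"] == "attachedTemplate"
            and r["target"].lower().startswith(("http://", "https://"))]


def msdt_invocations(html: str) -> List[str]:
    """Troubleshooter ids referenced through ms-msdt: URIs in fetched template HTML."""
    return MSDT_RE.findall(html)
```

A template relationship pointing at a file:// path is normal (local .dotx templates are recorded the same way); it is the http(s) target combined with an ms-msdt: URI in what comes back that marks this technique. The same pass over word/_rels/document.xml.rels catches other external relationships a document may carry.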
CyFlare Actions Taken:
• Stellar Cyber – BDS: Stellar Cyber’s Machine Learning-IDS engine, as well as built-in threat intelligence is also consistently updated with the latest threats identified by the open-source cyber threat intelligence community.
• SentinelOne: SentinelOne currently detects the execution of known “Follina” samples exploiting the CVE-2022-30190, they have also provided ‘Deep Visibility’ queries that the SOC will leverage to search for related indicators of compromise across customer’s SentinelOne environments.
• Rapid7: InsightIDR customers have a new detection rule added to their library to identify attacks related to this vulnerability: Suspicious Process - Microsoft Office App Spawns MSDT.exe
Workarounds:
Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:
1. Run Command Prompt as Administrator.
2. Back up the registry key: reg export HKEY_CLASSES_ROOT\ms-msdt filename (where filename is the .reg file you want to create).
3. Delete the key: reg delete HKEY_CLASSES_ROOT\ms-msdt /f
How to undo the workaround
1. Run Command Prompt as Administrator.
2. Restore the registry key from the backup: reg import filename
Developing Situation:
The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.
Monitoring - Source(s): Microsoft Threat Intelligence Center, SentinelLabs, Symantec Sector: Security Vulnerability Reported by: Microsoft Threat Intelligence Center (MTIC), SentinelLabs
Subject: Emerging threats: WhisperGate, HermeticWiper, and PartyTicket, which were used by threat actors leading up to the recent Russia-Ukraine conflict
OVERVIEW Leading up to the current Russia-Ukraine conflict, threat actors deployed the following malware that was designated to target and destroy computer systems in Ukraine: WhisperGate, HermeticWiper, and PartyTicket.
SYSTEMS AFFECTED: • Windows Operating System (all versions) • Windows Server (all versions)
RISK: Sectors targeted so far: Financial, defense, aviation, and IT services
THREAT SUMMARY: Conti ransomware group: Conti, a Russia-tied ransomware-as-a-service operation, pledged its support to the Russian government. The group announced that any cyberattack or war activity against Russia would result in a counterattack on the critical infrastructure of an enemy. However, after this statement an actor internal or external to the group leaked information about the organization's internal activities, including the source code of its locker software. This leaked source code could be used by less experienced criminals to create their own ransomware. This situation is ongoing, and any relevant indicators of compromise from the analysis of the source code will be updated in our tools.
Mitigations: CISA, FBI, and NSA recommend that network defenders apply the following mitigations to reduce the risk of compromise by Conti ransomware attacks.
Use multi-factor authentication.
• Require multi-factor authentication to remotely access networks from external sources.
Implement network segmentation and filter traffic.
• Implement and ensure robust network segmentation between networks and functions to reduce the spread of ransomware. Define a demilitarized zone that eliminates unregulated communication between networks.
• Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses.
• Enable strong spam filters to prevent phishing emails from reaching end users. Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments. Filter emails containing executable files to prevent them from reaching end users.
• Implement a URL blocklist and/or allowlist to prevent users from accessing malicious websites.
Scan for vulnerabilities and keep software updated.
• Set antivirus/antimalware programs to conduct regular scans of network assets using up-to-date signatures.
• Upgrade software and operating systems, applications, and firmware on network assets in a timely manner. Consider using a centralized patch management system.
Remove unnecessary applications and apply controls.
• Remove any application not deemed necessary for day-to-day operations. Conti threat actors leverage legitimate applications, such as remote monitoring and management software and remote desktop software, to aid in the malicious exploitation of an organization's enterprise.
• Investigate any unauthorized software, particularly remote desktop or remote monitoring and management software.
• Implement application allowlisting, which only allows systems to execute programs known and permitted by the organization's security policy.
• Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs.
• Implement execution prevention by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
• See the joint Alert, Publicly Available Tools Seen in Cyber Incidents Worldwide, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom, for guidance on detection and protection against malicious use of publicly available tools.
Implement endpoint detection and response tools.
• Endpoint detection and response tools allow a high degree of visibility into the security status of endpoints and can help effectively protect against malicious cyber actors.
Limit access to resources over the network, especially by restricting RDP.
• After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
Secure user accounts.
• Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties.
• Regularly audit logs to ensure new accounts are legitimate users.
WhisperGate: On January 15, 2022, Microsoft Threat Intelligence Center announced the identification of this malware operation used to target Ukrainian organizations. The malware has two stages and overwrites the Master Boot Record (MBR) on victim systems with a ransom note. The ransom note contains a Bitcoin wallet address and a Tox ID. The malware executes when the device is powered down and overwrites the MBR of the system, rendering it inoperable. Whether or not the ransom is paid, the malware will execute and overwrite the MBR.
Indicators of Compromise:
Indicator #1: a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 Indicator #1 Type: SHA-256 Indicator #1 Description: Hash of destructive malware stage1.exe
Indicator #3: cmd.exe /Q /c start c:\stage1.exe 1> \\127.0.0.1\ADMIN$\_[TIMESTAMP] 2>&1 Indicator #3 Type: Command line Indicator #3 Description: Example Impacket command line showing the execution of the destructive malware. The working directory has varied in observed intrusions.
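Detection logic for the Indicator #3 pattern, added here as an example and not part of the original advisory: it flags any cmd.exe /Q /c launch whose output is redirected into the ADMIN$ share, capturing the command rather than hard-coding stage1.exe because the working directory varies between intrusions. The log lines and their field layout are constructed.

```python
import re

# Impacket-style launch shown in Indicator #3: cmd.exe /Q /c <command> with stdout
# redirected (1>) to a file on the ADMIN$ share and stderr merged (2>&1). The
# command and the share host are captured rather than hard-coded.
IMPACKET_LAUNCH = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+(?P<cmd>.+?)\s+1>\s*"
    r"\\\\(?P<host>[\w.-]+)\\ADMIN\$\\(?P<outfile>\S+)\s+2>&1",
    re.IGNORECASE,
)


def scan_process_log(lines):
    """Return one finding per log line whose command line matches the launch pattern."""
    findings = []
    for line in lines:
        m = IMPACKET_LAUNCH.search(line)
        if m:
            findings.append({
                "command": m.group("cmd"),
                "share_host": m.group("host"),
                "output_file": m.group("outfile"),
                "raw": line,
            })
    return findings


# Constructed process-creation records with a hypothetical field layout, not real telemetry.
SAMPLE_LOG = [
    r"2022-01-15T10:12:03Z host=WS01 parent=WmiPrvSE.exe cmdline=cmd.exe /Q /c start c:\stage1.exe 1> \\127.0.0.1\ADMIN$\__1642241523.12 2>&1",
    r"2022-01-15T10:12:09Z host=WS01 parent=explorer.exe cmdline=cmd.exe /c dir c:\users",
    r"2022-01-15T10:13:44Z host=FS02 parent=WmiPrvSE.exe cmdline=cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1642241624.55 2>&1",
]

if __name__ == "__main__":
    for f in scan_process_log(SAMPLE_LOG):
        print(f"{f['share_host']}: {f['command']!r} -> ADMIN$\\{f['output_file']}")
```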
HermeticWiper: On February 23, 2022, researchers disclosed that this malware was being used against Ukrainian organizations. It is named after the digital certificate used to sign the sample, issued to ‘Hermetica Digital Ltd’. The malware contains 32- and 64-bit driver files compressed with the Lempel-Ziv algorithm. Driver file names are generated using the Process ID of the wiper. The driver is loaded into the wiper’s process memory space, decompressed, and written to disk at “C:\Windows\System32\drivers\.sys”. Once run, it resembles the WhisperGate malware in that it damages the Master Boot Record (MBR). HermeticWiper enumerates Physical Drives 0 through 100 multiple times. For each Physical Drive, the \\.\EPMNTDRV\ device is called for a device number. The malware focuses on corrupting the first 512 bytes, the Master Boot Record, of every Physical Drive.
Indicators of Compromise:
Indicator #1 Name: Win32/KillDisk.NCV Indicator #1 File Category: Trojan Indicator #1 File Hash: 912342F1C840A42F6B74132F8A7C4FFE7D40FB77 61B25D11392172E587D8DA3045812A66C3385451 Indicator #1 Source: ESET research
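Both WhisperGate and HermeticWiper damage the first 512 bytes of the disk, so a triage step during incident response is to read that sector from a disk image and check whether it still looks like a boot record. The following added example (not from the advisory or either vendor) applies three heuristics: boot signature present, at least one populated partition entry, and no ransom-note text in the boot-code region; the sample sectors and the note vocabulary are constructed.

```python
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR
RANSOM_MARKERS = (b"bitcoin", b"tox id", b"corrupted")  # assumed note vocabulary


def analyze_mbr(sector: bytes) -> dict:
    """Return findings for one 512-byte sector; 'suspicious' is True when the
    sector no longer looks like a normal boot record."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    entries = 0
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        if status in (0x00, 0x80) and ptype != 0:   # valid status byte, non-empty type
            entries += 1
    code = sector[:PARTITION_TABLE_OFFSET]
    printable = sum(32 <= b < 127 for b in code)   # real boot code is mostly non-text
    findings = {
        "signature_ok": sector[510:] == BOOT_SIGNATURE,
        "partition_entries": entries,
        "printable_ratio": printable / len(code),
        "ransom_text": any(m in sector.lower() for m in RANSOM_MARKERS),
    }
    findings["suspicious"] = (not findings["signature_ok"] or entries == 0
                              or findings["printable_ratio"] > 0.6
                              or findings["ransom_text"])
    return findings


def _partition_entry(status, ptype, lba_start, sectors):
    # CHS fields are placeholders; modern boot code reads the LBA fields
    return struct.pack("<B3sB3sII", status, b"\x00\x02\x00", ptype,
                       b"\xfe\xff\xff", lba_start, sectors)


# Constructed samples: filler bytes stand in for boot code, no real disk data.
HEALTHY_MBR = (bytes((i * 37 + 11) % 256 for i in range(446))
               + _partition_entry(0x80, 0x07, 2048, 1_048_576) + bytes(48) + BOOT_SIGNATURE)
NOTE = b"Your hard drive has been corrupted. Bitcoin wallet: <constructed> Tox ID: <constructed>"
NOTE_MBR = NOTE.ljust(446, b" ") + bytes(64) + BOOT_SIGNATURE   # note overwrote code and table
ZEROED_MBR = bytes(MBR_SIZE)                                     # first 512 bytes wiped

if __name__ == "__main__":
    for name, mbr in (("healthy", HEALTHY_MBR), ("note", NOTE_MBR), ("zeroed", ZEROED_MBR)):
        print(name, analyze_mbr(mbr))
```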
PartyTicket: Discovered by Symantec researchers on February 24. This is decoy ransomware used alongside the deployment of HermeticWiper. The function naming convention and the ransom note left after execution show an intent to taunt the US government. File names used by the ransomware included client.exe, cdir.exe, cname.exe, connh.exe, and intpub.exe. It appears likely that the ransomware was used as a decoy or distraction from the wiper attacks.
CyFlare Actions Taken:
• XDRaaS: Request submitted to the vendor to update the ‘Emerging Threat’ security detection by adding the provided Yara rules to the tool’s IDS Engine to trigger on recent related activity observed, if not preemptively added/updated already. The Machine Learning-IDS engine, as well as built-in threat intelligence, is also consistently updated with the latest threats identified by the open-source cyber threat intelligence community. https://github.com/SentineLabs/yara/blob/main/APT_ZZ_Unknown_HermeticWiper.yar
• SentinelOne: SentinelLabs provided a list of Yara detection rules, as well as ‘Deep Visibility’ queries that the SOC will leverage to search for related indicators of compromise across customers’ SentinelOne environments.
• AlienVault USM Anywhere: AlienVault Open Threat Exchange (OTX) has been updated with ‘OTX Pulses’, i.e. information on related indicators observed by both the vendor and the community. Any OTX indicators, such as those related to emerging Russian cyber-attacks, will trigger security alarms if observed in any customer’s environment. https://otx.alienvault.com/pulse/621802d015d213ff12c78818
• Sophos: Sophos released recent news articles and blog posts highlighting the emerging activity related to Russia’s invasion of Ukraine, as well as general best-practice cyber security tips. Moreover, the Austrian IT-security testing lab “AV-Comparatives” has tested protection against the recently emerged HermeticWiper malware across multiple vendors. Sophos was one of the enterprise endpoint security vendors tested and was identified as having full detection for HermeticWiper malware variants, protecting systems effectively against its multiple variants.
Developing Situation: With a full-scale invasion now underway in Ukraine, the likelihood of further cyberattacks from Russia remains high. The SOC will continue to research emerging related threats in the wild and from the cyber community. Furthermore, the SOC will hunt for related indicators of compromise, and will scan for the related vulnerabilities in the environments of clients subscribed to the Vulnerability Management Service.