VerSprite Cyberwatch

TikTok Takes A Stance on DeepFakes

Release Date: 8/18/2020

Concerns regarding disinformation campaigns and data privacy arise from the capabilities threat actors can exploit from Deepfakes. Generators and Discriminators, for example, allow people to create Deepfakes at low costs and which can resemble persons of interests at impressive quality. While biometric scanning capabilities may allow threat actors, including state governments, to collect information on persons of interest.

Last Wednesday (August 5th, 2020), TikTok, joined other social media companies such as Facebook and Twitter, and took steps to bar the use of Deepfakes against United States citizens. Specific steps mentioned by Vanessa Pappas, the General Manager of TikTok in the United States, included, “prohibits synthetic or manipulated content … in a way that could cause harm.” [1]

Earlier in the year, VerSprite released Envisions 2020 which predicted Deepfakes would be a central cybersecurity focus this year. As Russia seeks to continue to meddle in the United States election, an issue also covered in Envisions, Deepfakes on TikTok also presents China, as well as other threat actors, new opportunities, to collect data on United States citizens and public officials.

To stay in the know about cybersecurity and geopolitical issues that may affect your company, VerSprite recommends you subscribe to our security reel where we cover the latest security issues your company may face.

Get advice on how your organization can deal with deepfakes in our Envision 2020 Report Get Report →

—

Malware That Disappears for Eight Years Is Back on The FBI’s Radar

Release Date: 8/10/2020

On August 3, 2020, CISA (Cybersecurity and Infrastructure Security Agency), DOD, and the FBI published an alert (https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a) warning US private companies about new versions of the Remote Access Trojan Taidoor. The malware was first seen 12 years ago in 2008 and again in 2012 and 2013. The three government agencies reported attackers using Taidoor in new attacks against public and private organizations in the industries of research, manufacturing, and government institutions. According to the groups, the new Taidoor versions run 32- and 64-bit versions and install them on systems such as a DLL (dynamic link library).
Reports conclude the DLL to contain two files. “Attackers load the first file and start it as a service. The loader decrypts the second file and executes it in memory – which is the main Remote Access Trojan.” (ZDNet)

Once the DLL is on the victim system, the RAT is used by Chinese hackers to access the systems and exfiltrate data or deploy malware. The FBI states that attackers deploy Taidoor with proxy servers to hide the malware operator’s point of origin. The FBI has “high confidence” that Chinese actors are using the proxy servers to maintain their presence on the victim’s system and further their network exploitations.

The loader file observed took the name of “ml.dll” (taking the name of a legitimate DLL file) or rasautoex.dll. When run, the file uses the export function “MyStart” to decrypt and then load “svchost.dll” (another valid DLL name). The DLL loaded was identified as being the Taidoor malware. After loading the malware, it then uses GetProcessHeap, GetProcAddress, and LoadLibrary API calls to load KERNEL32.dll, ADVAPI.dll, WS2_32.dll which are used by Taidoor.

After the attackers load the DLLs, the loader uses the export function “Start” in its svchost.dll, which starts the process of decrypting import strings from the DLLs mentioned above. Once they finish the decryption process, it tries to connect to its C2 server (cnaweb.mrslove.com, 210.68.69.82), where it begins its handshake process. After connecting with the C2, it creates a Windows INI configuration file where it copies cmd.exe into it.

CISA recommends following security best practices such as keeping Windows and antivirus solutions up to date, maintaining email hygiene, and disabling unnecessary services.
Traffic to be aware of should include requests to 210.68.69.82 (cnaweb.mrslove.com) and 156.238.3.162 (infonew.dubya.net) which are the C2 domains used by Taidoor malware. Analysts should be mindful of ml.dll making requests to svchost.dll and making API calls to KERNEL32.dll, ADVAPI.dll, WS2_32.dll.

Learn more about VerSprite’s customized, and strategic approach to Incident Response Get Report →

—

Invisible Linux Malware Doki Targets Docker Servers

Release Date: 7/31/2020

On July 28, 2020 cybersecurity researchers at Intezer released a finding report for new backdoor malware “Doki” that is infecting Docker containers in cloud platforms with the Ngrok Mining Botnet. While Ngrok botnet is not new, the technique that uses the blockchain wallet Dogecoin to generate command-and-control domain names employed by Doki is. The new malware, Doki, provides a persistent capability for code-execution on the victim host.

The attackers first look for misconfigured Docker API ports. Once they find publicly accessible Docker servers, they create their own Docker image using public images from Docker Hub. They take the image they created and then perform a “create API” request. The body of this request contains configuration parameters for the containers, one of which being “bind”. This parameter lets the user configure which file or directory on the host machine to mount into a container. In this attack, the container is configured to bind the /tmpXXXXXX directory to the root directory of the hosting server which then allows a Docker escape.

At this point, attackers use Ngrok to “craft unique URLs with a short lifetime and use them to download payloads during the attack by passing them to the curl-based image” (SOURCE). The Doki payload is included in this download and acts as a backdoor that allows the execution of code. It is used in the attack to contact its command and control domain using the Dogecoin blockchain by spinning off its own process and then performing queries to dogechain.info API. After contacting the API, the malware hashes the blockchain’s response to use as a subdomain. The name of the hash is appended with “ddns.net”.

To mitigate this threat, Intezer recommends Docker admins check for any exposed ports, verify there are no foreign or unknown containers among the existing ones and monitor resources to ensure no excessive use.

Leverage VerSprite’s extensive experience in digital forensics to properly analyze potential attacks on your organization s Get Report →

—

Cisco DCNM Critical and High Vulnerabilities

Release Date: 07/30/2020

On July 30th, 2020 Cisco released a warning of several critical and high-severity flaws in its DCNM (Data Center Network Manager) which is used for managing network platforms and switches that run NX-OS. NX-OS is the network operating system for Cisco’s Nexus-series ethernet switches and MDS-series fibre channel storage area network switches. The flaws that exist in the DCNM are in the REST API. Cisco mentioned the most severe vulnerability (CVE-2020-3382) exists because “different installations share a static encryption key. An attacker could exploit this vulnerability by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges”.

All installed deployment modes of Cisco DCNM devices using .ova or .iso installers are vulnerable. It affects software versions 11.0, 11.1, 11.2, 11.3. Cisco stated this vulnerability doesn’t impact DCNM instances that were installed on customer-provided OSes using the installer for Windows or Linux, or software releases 7.x-10.x. While Cisco did release software updates that address the vulnerability, there are no workarounds to address it.

Cisco stated they patched five high-severity flaws in the same devices that could allow an authenticated remote attacker to inject arbitrary commands. This discovery is a path traversal issue that allows remote attackers to conduct directory traversal attacks leading to an improper authorization flaw that allows low-privileged account bypass authorization on the API. It also leads to a bypass glitch that allows unauthenticated remote attackers to bypass authentication and execute arbitrary actions.
These vulnerabilities could impact companies using Cisco DCNM device (ones installed using .ova or .iso installers) or those that utilize Cisco’s SD-WAN vManage Network Management System. Security teams need to install the already existing vulnerability patches on the affected devices.

Get more information on our Cyber Threat Intelligence Tool (CTIP) and how executives can gain access to quick, real time reporting. Read More →

—

Evolving BEC Gangs Target Senior-Level Executives

Release Date: 07/27/2020

Cosmic Lynx, the BEC gang, has stepped up its game by conducting over 200 campaigns in over 46 countries since being discovered last July. Their defined target criteria are quite abnormal compared to most BEC, developing their targets around senior-level executives with around 75% being a vice president, director, or general manager. In contrast, most BEC impersonates Business Executives such as CEO, Managers, and directors. Since COVID-19, there have been 47 reported campaigns.

Cosmic Lynx emails their target by impersonating someone from within the company, informing the targeted executive with details about a merger and acquisition of another company. They request the potential merger is kept confidential. They ask the target to work with an external legal entity to coordinate payments for acquiring the new company. Once they have built a rapport with their victim, they begin to introduce them to the so-called legal counsel that they would be making payments too.

Attached below are two sample emails.

 

 

Learn how Threat intel can inform your company of these potential threats before they even happen. Read More →