Hackers Exploit Policy Loophole in Windows Kernel Drivers

/in /by

Using open source tools, attackers target Chinese speakers with malicious drivers with expired certificates, potentially allowing for full system takeover.

Hackers are using open source tools to exploit a Windows policy loophole for kernel mode drivers to load malicious and unverified drivers with expired certificates, researchers have found. The activity — primarily targeted at Chinese-speaking Windows users — potentially gives threat actors full access to victims’ systems.

Researchers from Cisco Talos discovered the malicious activity, which takes advantage of an exception in Microsoft’s Windows driver-signing policy that allows the signing and loading of cross-signed kernel mode drivers with signature timestamp prior to July 29, 2015, they revealed in a blog post July 11.

“Actors are leveraging multiple open source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates,” Chris Neal, outreach researcher for Cisco Talos, wrote in the post.

So far, the researchers have observed more than a dozen code-signing certificates with keys and passwords contained in a PFX file hosted on GitHub used together with these open source tools. Among these tools are signature timestamp forging tools HookSignTool and FuckCertVerifyTimeValidity, which have been publicly available since 2019 and 2018 respectively.

In a separate post, Cisco Talos outlined how one of the malicious drivers — dubbed RedDriver — uses HookSignTool to forge its signature timestamp to bypass Windows driver-signing policies. The threat actors used code from multiple open source tools in the development of RedDriver’s infection chain, including HP-Socket and a custom implementation of ReflectiveLoader, the researchers found. Moreover, the authors of RedDriver appear to be skilled in driver development and have deep knowledge of the Windows OS.

RedDriver — like most of the malicious drivers that the researchers discovered — contained a Simplified Chinese language code in its metadata, suggesting that actors are targeting native Chinese speakers. Cisco Talos also has identified an instance of one of the open source tools being used to alter signing dates performing the same task on cracked drivers to bypass digital rights management (DRM).

Complete Windows OS Takeover

Kernel mode drivers are part of the core layer of the Windows OS, providing the essential and necessary functions to run the system. Drivers facilitate communication between this layer and the user mode, where the files and applications with which users interact with reside.

“Splitting the operating system into two modes creates a highly controlled logical barrier between the average user and the Windows kernel,” Neal wrote. “This barrier is critical to maintaining the integrity and security of the OS, as access to the kernel provides complete access to a system.”

By loading a malicious kernel mode driver then, attackers can breach this secure barrier and compromise the entire system, manipulating system- and user-mode processes, he said. At the same time, they evade endpoint detection and can maintain persistence on an infected system.

“These advantages provide a significant incentive for attackers to discover ways to bypass the Windows driver signature policies,” Neal wrote.

Cisco Talos informed Microsoft of the researchers’ discovery and, in response, the company blocked all certificates that were identified as associated with malicious drivers. The company also issued an advisory informing its customers to be aware that drivers are being used to gain administrator privileges on compromised systems.

After an investigation, the company determined that “the activity was limited to the abuse of several developer program accounts,” and that no Microsoft account has been compromised. “We’ve suspended the partners’ seller accounts and implemented blocking detections for all the reported malicious drivers to help protect customers from this threat,” the company said.

Creating the Windows Driver Policy Loophole

Microsoft began requiring kernel-mode drivers to be digitally signed with a certificate from a verified certificate authority starting in Windows Vista 64-bit to combat the threat of malicious drivers. However, starting with Windows 10, version 1607, Microsoft updated its driver signing policy to forbid the use of new kernel-mode drivers that have not been submitted to, and signed by, its Developer Portal.

At the same time, the company had to ensure that older drivers still maintained functionality and compatibility, so it created a few exceptions — one of which created the problem at the core of the exploitation. It states that drivers signed with an end-entity certificate issued prior to July 29, 2015 that chains to a support cross-signed certificate authority are still valid.

This effectively created a loophole allowing a newly compiled driver to be signed with non-revoked certificates issued prior to or expired before that date, as long as it chains to a supported cross-signed certificate authority. A driver signed this way can be installed and started as a service in the OS kernel layer, activity that’s further facilitated by the availability of multiple open source tools to exploit this loophole, Neal said.

Mitigating the Windows Kernel Cyber Threat

Cisco Talos includes a list of the expired certificates associated with malicious drivers in its post and recommends that Windows users also block them, noting that malicious drivers are most effectively blocked based on file hashes or the certificates used to sign them. As previously mentioned, Microsoft also has taken action to block the certificates that Cisco Talos reported to them.

Comparing the signature timestamp to the compilation date of a driver also can sometimes be an effective means of detecting instances of timestamp forging. However, as compilation dates can be altered to match signature timestamps, this defense method is not always comprehensive, according to Cisco Talos.

“Cisco Talos has created coverage for the certificates discussed in this blog and will continue to monitor this threat activity to inform future protections,” Neal wrote. “Additionally, we will report any future findings regarding this threat to Microsoft.”

 

(c) Elizabeth Montalbano

UK NCSC, ICO debunk 6 cyberattack reporting myths

/in /by

The UK National Cyber Security Centre (NCSC) and the UK’s data protection regulator the Information Commissioner’s Office (ICO) have published a rare joint article dispelling several myths about cyberattack reporting to tackle the problem of unreported data breaches. The pair argued that, while businesses may be tempted to hide data breaches to avoid negative scrutiny, cybercriminals enjoy greater success when attacks are not reported.

In contrast, greater transparency and open discussion around cyberattacks is a positive for everyone, giving victims access to support and advice, sharing lessons learned to help improve awareness and cyber resilience, and breaking the cycle of crime to prevent others from falling victim. It’s also likely to be viewed more favourably by data protection regulators.

The misconceptions include the belief that reporting cyberattacks to the authorities makes it more likely incidents will become public, and that paying ransoms automatically makes incidents go away.

Last year, a Freedom of Information (FOI) request from Veritas Technologies found that self-reported breaches to the ICO rose 29% to 12,314 in 2021/22, up from 9,535 in 2020/21. Meanwhile, nearly half of British companies (43%) have been the victim of a cyberattack in the past three years, with over a third of them more than once (17%), according to a new report from security awareness and training firm SoSafe.

The NCSC and ICO identified six myths that are not only generally inaccurate but also discourage organisations from reporting breaches.

Myth 1: It’s OK to cover-up a cyberattack

The first myth dispelled is the belief that covering up an attack will positively serve an organisation. “Every successful cyberattack that is hushed up, with no investigation or information sharing, makes other attacks more likely because no one learns from it.” For example, every ransom that is quietly paid gives criminals the message that these attacks work and it’s worth doing more, the article read.

“If attacks pass by without full investigation and information sharing, particularly with those who can help mitigate it, everything definitely won’t be OK. Keeping your cyber incident a secret doesn’t help anyone except the criminals.”

Myth 2: Reporting an attack to authorities makes it more likely it will go public

The next myth dispelled is the notion that reporting an attack to the authorities will increase the chance of the incident going public, with no positive outcome for the reporting business. “If your organisation experiences a cyberattack, reporting it to the NCSC or law enforcement means you can access the wealth of support available,” the pair wrote. One of the responsibilities of NCSC Incident Management is to provide direct support to affected organisations where there is a national impact, working with the appointed incident response provider. The NCSC also has extensive communications support available to help companies navigate incidents and manage media coverage and active communications.

As the UK’s data regulator, the ICO’s role is to provide guidance and support to the organisations it regulates, as well as to monitor and enforce the regulations it oversees. When it comes to deciding any regulatory response, the ICO considers how proactive an organisation is about getting the right support, which includes engaging with the NCSC and implementing any advice, the article read. “In our next process review, we’re [the ICO] even considering making explicit the amount saved in a fine when an organisation has positively engaged. Where information about an incident does need to be made public – not always the case – we will usually be in dialogue with a company about this so there aren’t any surprises.”

It’s important to remember that there may be a regulatory requirement to report an incident.

Myth 3: Paying a ransom makes the incident go away

In the event of a ransomware attack, organisations may be tempted to pay the ransom quickly to get the decryption key and restore services, but this is a misconception that can cause further problems for victims, the NCSC and ICO stated.

“Paying a ransom is basically accepting a pinky promise from criminals that they will decrypt your network or not leak stolen data. Nothing is guaranteed and bear in mind that organisations that pay the ransom are likely to be targeted again. Estimates vary but it’s suggested that around one-third of all organisations affected by ransomware are attacked again.”

It’s basically rewarding criminals for their efforts and makes it more likely they’ll carry out more attacks against other organisations, ultimately making the broader threat landscape worse. From the ICO’s point of view, paying ransoms doesn’t reduce the risk to individuals – it’s not a mitigation under data protection law, and isn’t considered a reasonable step to safeguarding data.

The NCSC, along with law enforcement, do not endorse, promote, or encourage the payment of ransoms, but recognise that an unprepared organisation, in the aftermath of an attack, may take the view that paying a ransom is the only way out. If that’s the case, businesses should still stay in touch with the NCSC and its law enforcement partners so they can understand the full picture.

Myth 4: Offline data backups mean there’s no need to pay a ransom

The next myth debunked is the belief that offline data backups mean a business will never need to consider paying a ransom. “Unfortunately, the data extortion angle adds a whole new level of complexity. If the attackers have access to sensitive data, they could threaten to leak it unless you pay the ransom.”

Organisation must carefully address the data they hold and how they protect it, the article read. “It’s a bit like storing someone else’s valuables in your house in a cardboard box with the words ‘valuable stuff in here!’ on it, and your window left unlocked for the thieves to get in. You are responsible for protecting the valuable items you hold – except in this case, it’s other people’s personal data.””

Myth 5: There’s no requirement to report an attack if there’s no evidence of data theft

A lack of evidence that data has been stolen should not prompt businesses to assume there’s no need to report an attack. “You might not be able to see in your logging data whether or not data was stolen, but if there is any suggestion that the actor has accessed the systems holding your data, you should start from the assumption that it has been taken.”

There have been many examples of organisations affected by ransomware that were convinced no data had been taken, only to find it in a dark web data leak weeks or months later, the article said. With early support and open communication, businesses can reduce the risk of an unpleasant surprise of future data leaks. “Remember that point about lack of evidence – poor situational awareness isn’t an adequate technical control. You could be living in blissful ignorance while also being in breach of data protection law.”

Myth 6: You’ll only get a fine if your data is leaked

The last myth dispelled by the NCSC and ICO is the belief that data breach regulatory fines are only handed out if data is leaked, but this is not always the case. “A data leak isn’t the only reason for a fine, and you won’t always be fined if data is leaked. A personal data breach is more than just a loss of data; it also includes its destruction, alteration, and unauthorised disclosure or access to it. The ICO looks at the context of each individual case – it’s not just about whether data was leaked.”

If the ICO finds serious, systemic, or negligent behaviour that puts people’s information at risk, enforcement action may be an option, but this isn’t a blanket approach. “If your organisation has raised the incident with the NCSC, and you can show you’ve followed guidance and support, it could positively impact our response,” the article read.

What’s more, cybercriminals can prey on the misconception that a data leak is the source of a fine, stating that if a company pays a ransom, they will avoid a hefty fine. “Don’t succumb to their techniques! Seek support and communicate early to avoid an investigation later into an incident you tried to hide.”

Cyberattack reporting “breaks cycle of crime”

The NCSC supports victims of cyber incidents every day, but it is increasingly concerned about the organisations that decide not to come forward, said Eleanor Fairford, NCSC deputy director for incident management. “By responding openly and sharing information, organisations can help mitigate the risk to their operations and reputation, as well break the cycle of crime to prevent others from falling victim.”

It’s crucial that businesses are aware of their own responsibilities when it comes to cybersecurity, but transparency is more than simply complying with the law, added Mihaela Jembei, ICO’s director of regulatory cyber. “Cybercrime is a borderless and global threat and it’s through knowledge sharing that we can help organisations help themselves.

 

(c) CSO staff

Kimsuky: North Korean hacker group attacks human rights activists and defectors

/in /by

In its latest investigation, SentinelLabs, the research arm of SentinelOne, shed light on a targeted campaign against information services and organizations that support human rights defenders and defectors in North Korea.

The campaign focuses on spying on files and exfiltrating system and hardware information to lay the groundwork for later attacks. Based on the infrastructure used, malware proliferation methods, and implementation, security researchers have a high probability that the campaign was carried out by threat actor Kimsuky.

Advertisement

This is a suspected North Korean APT (Advanced Persistent Threats) group known for targeting organizations and individuals worldwide. The group has been active since at least 2012 and regularly conducts targeted phishing and social engineering campaigns to gather information and gain unauthorized access to sensitive information serving the interests of the North Korean government. Lately, Kimsuky has been tailor-made again and againMalware distributed as part of reconnaissance campaigns to enable subsequent attacks. For example, SentinelLabs recently revealed that the group was distributing ReconShark via macro-enabled Office documents. Recent developments point to a shift towards a variant of the RandomQuery malware whose only goal is information exfiltration. 

Technical background

RandomQuery is a staple in Kimsuky’s arsenal and comes in a variety of flavors. The recently discovered campaign uses a pure VBScript implementation. The malware’s ability to exfiltrate valuable information such as hardware, operating system, and file details points to its central role in the reconnaissance operations that enable tailored attacks. 

For example, the phishing emails, written in Korean, urge recipients to read an attached document allegedly written by Lee Kwang-baek, CEO of Daily NK. Daily NK is a well-known South Korean online news service that reports independently on North Korea, making it an ideal target for threat actors wanting to pose as legitimate. The attached document is a  CHM file stored in a password-protected archive. The document is entitled “Difficulties in the Activities of North Korean Human Rights Organizations and Measures to Stimulate Them” and contains a catalog of problems affecting human rights organizations.

Threat actors have made extensive use of less common top-level domains in their domain registrations. Previous reports from SentinelLabs on Kimsuky’s ReconShark activities have highlighted multiple clusters of malicious domains using the same technique. The latest campaign used the Japan-based domain registration service Onamae for the primary purchase of malicious domains. The conspicuous accumulation of activities started on May 5, 2023 and is still ongoing. 

Conclusion

The incidents underscore the ever-changing landscape of North Korea’s threat groups, whose remit includes not only political espionage, but also sabotage and financial threats. It is important for organizations to understand the TTPs deployed by suspected state-sponsored APTs and take appropriate measures to protect against such attacks. The connection between the recent malicious activities and a broader spectrum of previously undisclosed operations attributed to North Korea underscores the importance of constant vigilance and encouraging cooperation.

 

(c) it-daily

/in /by

 

 

(c) Bill Toulas

Andoryu Botnet Exploits Critical Ruckus Wireless Flaw for Widespread Attack

/in /by

A nascent botnet called Andoryu has been found to exploit a now-patched critical security flaw in the Ruckus Wireless Admin panel to break into vulnerable devices.

The flaw, tracked as CVE-2023-25717 (CVSS score: 9.8), stems from improper handling of HTTP requests, leading to unauthenticated remote code execution and a complete compromise of wireless Access Point (AP) equipment.

Andoryu was first documented by Chinese cybersecurity firm QiAnXin earlier this February, detailing its ability to communicate with command-and-control (C2) servers using the SOCKS5 protocol.

Cybersecurity

 

(c) Ravie Lakshmanan

How Cybercriminals Are Operationalizing Money Laundering and What to Do About It

/in /by

It’s time to share threat intelligence and prioritize digital literacy and cyber hygiene to stem the rising money laundering tide.

It’s almost impossible to pinpoint the amount of money that’s laundered globally, but conservative estimates put it at anywhere from $800 million to $2 trillion, according to the United Nations’ Office on Drug and Crimes — and that’s likely just the tip of the iceberg. It’s a crime that, in turn, fuels some of the world’s most heinous criminal activities. It’s also a tactic used by cybercriminals to help try to cover up the profits they’re making from things like wide-scale ransomware attacks. The rise of cryptocurrency also has made it easier for them to evade detection.

Financial institutions, cryptocurrency companies, and other organizations face increasing fines — sometimes ranging in the millions and billions of dollars — for failure to root out money laundering as government agencies and regulators worldwide seek to crack down on this scourge.

Here’s the bad news as we look toward 2023: Automation is going to make the problem worse. We will see the rise of money laundering-as-a-service. But the silver lining is there are ways to stem the tide — and collaboratively reduce bad actors’ ability to do so.

The Crypto-Money Laundering Connection

A preferred tactic by cybercriminal organizations looking to grow their ranks is to use what are known as money mules. These are individuals who are brought in to help launder money — sometimes, unknowingly. They’re often lured in under false pretenses and promises of legitimate jobs, only to discover that “job” is to help launder the profits from cybercrime.

Back in the day, this money shuffling was typically done through anonymous wire transfer services. While they often got away with it, such transfers are far easier for law enforcement and regulators to track. These days, most criminals have moved to using cryptocurrency. Its relative lack of regulatory oversight, coupled with often-anonymous transactions, make it almost the ideal vehicle for money laundering. In fact, a report by Chainalysis found that criminals laundered $8.6 billion in cryptocurrency in 2021. That’s a 30% increase from the prior year.

The Rise of Recruitment

Setting up recruitment campaigns for money mules takes time and energy. In their efforts to obfuscate their true purpose, cybercriminals will sometimes go to great lengths to build legit-looking websites for fake organizations and post fake job listings aimed at making those businesses seem aboveboard.

However, automation and machine learning (ML) will make this process far easier — and quicker. ML can be used to better target potential recruits in a faster manner, for one thing. We also expect to see some of the manual campaigns replaced with automated services that enable bad actors to move dirty money through the layers of crypto exchanges — that’s going to make the process faster and harder to trace. And that means it also will be more difficult to recover stolen funds.

Collectively, these efforts comprise what we’re calling money-laundering-as-a-service (MLaaS), and it’s going to become another tool in the cybercrime tool chest.

Cutting ‘Em Off at Their Knees

While cybercriminals are going to look for any methodology possible to make money laundering easier, that doesn’t mean we have to accept this as a foregone conclusion.

The biggest factor in combating the rise of MLaaS is going to involve public-private collaboration on a much larger scale. Organizations across the map can share threat intelligence with one another, contributing to building a better defense all around.

It must be reiterated that cyber hygiene and education must be prioritized as well. No matter the type of organization you’re in or the role you’re in, this is essential for everyone. Everyone can play a key role in helping keep organizations safe from bad actors. This includes things like more digital literacy — and how to recognize a too-good-to-be-true job ad for the scam it really is. And of course, there’s the concept of fighting fire with fire — as bad actors adopt more automation and ML-based approaches, so, too, must defenders.

 

(c) Derek Manky

Cyber ​​attack in NRW: Hochschule Ruhr West hacked

/in /by

Once again, a university in North Rhine-Westphalia was targeted by hackers. The Ruhr West University of Applied Sciences had to take its systems offline for security reasons.

On Wednesday morning there was a cyber attack on the IT systems of the Ruhr West University (HRW): both locations in Mülheim an der Ruhr and Bottrop were affected . This is said to be an external attack, according to a statement by the German Press Agency.

For security reasons, the systems have been completely separated from the Internet. A spokeswoman for the university said that the most important information is still being sent via the website. Nevertheless, employees of the university are encouraged to switch off their office computers.

The university reacts to the attack and exonerates students

The following applies to students: On-site examinations will take place as planned, while online examinations have been canceled up to and including Saturday. In addition, the “Westdeutscher Rundfunk” refers to some special regulations: This means that the obligation to obtain a medical certificate is temporarily suspended, submission deadlines are extended and it is possible to cancel exams at short notice.

  • After ransom demand Cyber ​​attack: Hackers publish data
  • Rail traffic in NRW signal box sabotage motivated by terrorism?
  • Speeding Cars impounded after illegal racing

At the end of last year, the University of Duisburg-Essen was the target of two cyber attacks: hackers published stolen data on the dark web and tried to blackmail the university, which did not respond to the ransom demands. It is still unclear whether the current case of HRW is also a case of blackmail.

 

(c) t-online

After hacker attacks: Students at the University of Duisburg-Essen demonstrate

/in /by

Students from the University of Duisburg-Essen demonstrated on the Essen campus on Thursday. They demand more accommodation from the university after the hacker attack – especially with regard to upcoming exams.

The University of Duisburg – Essen has been the target of hackers twice in the past few months . Among other things, learning platforms and examination systems were paralyzed. For the students, this meant: Normal learning was not possible. Therefore, they are demanding more attempts or later dates for their upcoming exams.

Uni doesn’t want to postpone exams

The university counters that it is not possible to postpone exams and examinations at such short notice. After all, there are around 4,000 tests. The students criticize the handling of the restrictions and warn of a lack of flexibility.

Fewer demonstrators on site than expected

150 to 300 students were expected to attend the rally. But far fewer came. Only around 50 students vented their anger on a stage on Thursday (02.02.).

One of them was Masters student Laura. She says there were effectively six weeks missing in the exam preparation. She was told “that’s your job, you could have caught up on that during the Christmas holidays.” She felt left alone. From her point of view, there was no concession on the part of the university.

Blackmailers publish data

The university is only slowly recovering from the cyber attacks. IT is still not running as usual. It is still unclear when the university system will be able to run completely normally again.

The unknown perpetrators had demanded a ransom from the University of Duisburg-Essen. When no payment was made, the blackmailers published the captured data on the dark web .

Cyber ​​attack also at the Ruhr West University

Most recently, the Ruhr West University of Applied Sciences in Mülheim and Bottrop was also the target of a suspected hacker attack. Staff and students were asked to turn off all computers. A crisis team was set up. IT experts are working on a solution.

 

(c) WDR