Compromised – INDIA NEWS (http://www.indiavpn.org), News Blog. Feed last updated Fri, 12 Apr 2024 16:37:44 +0000.

Popular Rust Crate liblzma-sys Compromised with XZ Utils Backdoor Files
http://www.indiavpn.org/2024/04/12/popular-rust-crate-liblzma-sys-compromised-with-xz-utils-backdoor-files/
Fri, 12 Apr 2024 16:37:44 +0000


“Test files” associated with the XZ Utils backdoor have made their way to a Rust crate known as liblzma-sys, new findings from Phylum reveal.

liblzma-sys, which has been downloaded over 21,000 times to date, provides Rust developers with bindings to the liblzma implementation, an underlying library that is part of the XZ Utils data compression software. The impacted version in question is 0.3.2.

“The current distribution (v0.3.2) on Crates.io contains the test files for XZ that contain the backdoor,” Phylum noted in a GitHub issue raised on April 9, 2024.

“The test files themselves are not included in either the .tar.gz nor the .zip tags here on GitHub and are only present in liblzma-sys_0.3.2.crate that is installed from Crates.io.”

Following responsible disclosure, the files in question (“tests/files/bad-3-corrupt_lzma2.xz” and “tests/files/good-large_compressed.lzma”) have since been removed from liblzma-sys version 0.3.3 released on April 10. The previous version of the crate has been pulled from the registry.
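The Phylum finding turns on a difference between the published .crate and the GitHub tags: only the registry archive carried the two test files. A defender can check a downloaded crate for exactly those paths. The script below is an added example and is not Phylum's or the liblzma-sys project's code; it builds two small .crate-shaped archives in memory with placeholder bytes (labelled as constructed) instead of downloading anything, and assumes only that a .crate is a gzip tarball whose members sit under a `<name>-<version>/` prefix.

```python
"""Check a Rust .crate archive for the XZ backdoor test files named above.

Added example (not Phylum's or the liblzma-sys project's code). A .crate is a
gzip-compressed tarball whose members live under '<name>-<version>/'. The two
sample archives below are constructed in memory with placeholder bytes; they
do not contain the real malicious files.
"""
import io
import tarfile

# Crate-relative paths of the test files that carried the backdoor payload.
BACKDOOR_TEST_FILES = {
    "tests/files/bad-3-corrupt_lzma2.xz",
    "tests/files/good-large_compressed.lzma",
}


def find_backdoor_test_files(crate_bytes: bytes) -> list[str]:
    """Return the full member names inside the archive that match a known
    backdoor test file path once the leading '<name>-<version>/' is removed."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/", 1)
            crate_relative = parts[1] if len(parts) == 2 else parts[0]
            if crate_relative in BACKDOOR_TEST_FILES:
                hits.append(member.name)
    return sorted(hits)


def build_sample_crate(crate_dir: str, files: dict[str, bytes]) -> bytes:
    """Constructed helper: produce a .crate-shaped gzip tarball in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for relative_path, data in files.items():
            info = tarfile.TarInfo(name=f"{crate_dir}/{relative_path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed stand-in for the pulled 0.3.2 crate: carries both file names.
SAMPLE_CRATE_0_3_2 = build_sample_crate("liblzma-sys-0.3.2", {
    "Cargo.toml": b'[package]\nname = "liblzma-sys"\nversion = "0.3.2"\n',
    "tests/files/bad-3-corrupt_lzma2.xz": b"placeholder bytes, not the real file",
    "tests/files/good-large_compressed.lzma": b"placeholder bytes, not the real file",
    "tests/files/unrelated-vector.xz": b"benign placeholder test vector",
})

# Constructed stand-in for the cleaned 0.3.3 crate: the two files are gone.
SAMPLE_CRATE_0_3_3 = build_sample_crate("liblzma-sys-0.3.3", {
    "Cargo.toml": b'[package]\nname = "liblzma-sys"\nversion = "0.3.3"\n',
    "tests/files/unrelated-vector.xz": b"benign placeholder test vector",
})


if __name__ == "__main__":
    for label, crate in (("0.3.2", SAMPLE_CRATE_0_3_2), ("0.3.3", SAMPLE_CRATE_0_3_3)):
        hits = find_backdoor_test_files(crate)
        print(f"liblzma-sys {label}: {hits if hits else 'no known backdoor test files'}")
```

In practice the function would be pointed at the archive cargo downloaded into its registry cache (`~/.cargo/registry/cache/`) for the version actually resolved by a lockfile. The more general check that this incident motivates is to diff the member list of the registry archive against the matching source tag, since the malicious files were present only in the former.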


“The malicious tests files were committed upstream, but due to the malicious build instructions not being present in the upstream repository, they were never called or executed,” Snyk said in an advisory of its own.

The backdoor in XZ Utils was discovered in late March when Microsoft engineer Andres Freund identified malicious commits to the command-line utility impacting versions 5.6.0 and 5.6.1 released in February and March 2024, respectively. The popular package is integrated into many Linux distributions.


The code commits, made by a now-suspended GitHub user named JiaT75 (aka Jia Tan), essentially made it possible to circumvent authentication controls within SSH to execute code remotely, potentially allowing the operators to take over the system.

“The overall compromise spanned over two years,” SentinelOne researchers Sarthak Misraa and Antonio Pirozzi said in an analysis published this week. “Under the alias Jia Tan, the actor began contributing to the xz project on October 29, 2021.”

“Initially, the commits were innocuous and minor. However, the actor gradually became a more active contributor to the project, steadily gaining reputation and trust within the community.”

According to Russian cybersecurity company Kaspersky, the trojanized changes take the form of a multi-stage operation.

“The source code of the build infrastructure that generated the final packages was slightly modified (by introducing an additional file build-to-host.m4) to extract the next stage script that was hidden in a test case file (bad-3-corrupt_lzma2.xz),” it said.


“These scripts in turn extracted a malicious binary component from another test case file (good-large_compressed.lzma) that was linked with the legitimate library during the compilation process to be shipped to Linux repositories.”

The payload, a shell script, is responsible for the extraction and the execution of the backdoor, which, in turn, hooks into specific functions – RSA_public_decrypt, EVP_PKEY_set1_RSA, and RSA_get0_key – that will allow it to monitor every SSH connection to the infected machine.

The primary goal of the backdoor slipped into liblzma is to manipulate Secure Shell Daemon (sshd) and monitor for commands sent by an attacker at the start of an SSH session, effectively introducing a way to achieve remote code execution.


While the early discovery of the backdoor averted what could have been a widespread compromise of the Linux ecosystem, the development is once again a sign that open-source package maintainers are being targeted by social engineering campaigns with the goal of staging software supply chain attacks.

In this case, it materialized in the form of a coordinated activity that presumably featured several sockpuppet accounts that orchestrated a pressure campaign aimed at forcing the project’s longtime maintainer to bring on board a co-maintainer to add more features and address issues.

“The flurry of open source code contributions and related pressure campaigns from previously unknown developer accounts suggests that a coordinated social engineering campaign using phony developer accounts was used to sneak malicious code into a widely used open-source project,” ReversingLabs said.

SentinelOne researchers revealed that the subtle code changes made by JiaT75 between versions 5.6.0 and 5.6.1 suggest that the modifications were engineered to enhance the backdoor’s modularity and plant more malware.

As of April 9, 2024, the source code repository associated with XZ Utils has been restored on GitHub, nearly two weeks after it was disabled for a violation of the company’s terms of service.

The attribution of the operation and the intended targets are currently unknown, although in light of the planning and sophistication behind it, the threat actor is suspected to be a state-sponsored entity.

“It’s evident that this backdoor is highly complex and employs sophisticated methods to evade detection,” Kaspersky said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Mispadu Trojan Targets Europe, Thousands of Credentials Compromised
http://www.indiavpn.org/2024/04/03/mispadu-trojan-targets-europe-thousands-of-credentials-compromised/
Wed, 03 Apr 2024 10:02:08 +0000


The banking trojan known as Mispadu has expanded its focus beyond Latin America (LATAM) and Spanish-speaking individuals to target users in Italy, Poland, and Sweden.

Targets of the ongoing campaign include entities spanning finance, services, motor vehicle manufacturing, law firms, and commercial facilities, according to Morphisec.

“Despite the geographic expansion, Mexico remains the primary target,” security researcher Arnold Osipov said in a report published last week.

“The campaign has resulted in thousands of stolen credentials, with records dating back to April 2023. The threat actor leverages these credentials to orchestrate malicious phishing emails, posing a significant threat to recipients.”

Mispadu, also called URSA, came to light in 2019, when it was observed carrying out credential theft activities aimed at financial institutions in Brazil and Mexico by displaying fake pop-up windows. The Delphi-based malware is also capable of taking screenshots and capturing keystrokes.

Typically distributed via spam emails, recent attack chains have leveraged a now-patched Windows SmartScreen security bypass flaw (CVE-2023-36025, CVSS score: 8.8) to compromise users in Mexico.


The infection sequence analyzed by Morphisec is a multi-stage process that commences with a PDF attachment present in invoice-themed emails that, when opened, prompts the recipient to click on a booby-trapped link to download the complete invoice, resulting in the download of a ZIP archive.

The ZIP comes with either an MSI installer or an HTA script that is responsible for retrieving and executing a Visual Basic Script (VBScript) from a remote server. That script, in turn, downloads a second VBScript, which ultimately downloads the Mispadu payload and launches it via an AutoIT script, after the payload has been decrypted and injected into memory by a loader.

“This [second] script is heavily obfuscated and employs the same decryption algorithm as mentioned in the DLL,” Osipov said.

“Before downloading and invoking the next stage, the script conducts several Anti-VM checks, including querying the computer’s model, manufacturer, and BIOS version, and comparing them to those associated with virtual machines.”

The Mispadu attacks are also characterized by the use of two distinct command-and-control (C2) servers, one for fetching the intermediate and final-stage payloads and another for exfiltrating the credentials stolen from over 200 services. There are currently more than 60,000 files on the server.

The development comes as the DFIR Report detailed a February 2023 intrusion that entailed the abuse of malicious Microsoft OneNote files to drop IcedID, using it to drop Cobalt Strike, AnyDesk, and the Nokoyawa ransomware.

Microsoft, exactly a year ago, announced that it would start blocking 120 extensions embedded within OneNote files to prevent its abuse for malware delivery.

YouTube Videos for Game Cracks Serve Malware

The findings also come as enterprise security firm Proofpoint said several YouTube channels promoting cracked and pirated video games are acting as a conduit to deliver information stealers such as Lumma Stealer, Stealc, and Vidar by adding malicious links to video descriptions.


“The videos purport to show an end user how to do things like download software or upgrade video games for free, but the link in the video descriptions leads to malware,” security researcher Isaac Shaughnessy said in an analysis published today.

There is evidence to suggest that such videos are posted from compromised accounts, but there is also the possibility that the threat actors behind the operation have created short-lived accounts for dissemination purposes.

All the videos include Discord and MediaFire URLs that point to password-protected archives that ultimately lead to the deployment of the stealer malware.

Proofpoint said it identified multiple distinct activity clusters propagating stealers via YouTube with an aim to single out non-enterprise users. The campaign has not been attributed to a single threat actor or group.

“The techniques used are similar, however, including the use of video descriptions to host URLs leading to malicious payloads and providing instructions on disabling antivirus, and using similar file sizes with bloating to attempt to bypass detections,” Shaughnessy said.

Over 225,000 Compromised ChatGPT Credentials Up for Sale on Dark Web Markets
http://www.indiavpn.org/2024/03/05/over-225000-compromised-chatgpt-credentials-up-for-sale-on-dark-web-markets/
Tue, 05 Mar 2024 15:04:07 +0000

Mar 05, 2024 | Newsroom | Malware / Artificial Intelligence


More than 225,000 logs containing compromised OpenAI ChatGPT credentials were made available for sale on underground markets between January and October 2023, new findings from Group-IB show.

These credentials were found within information stealer logs associated with LummaC2, Raccoon, and RedLine stealer malware.

“The number of infected devices decreased slightly in mid- and late summer but grew significantly between August and September,” the Singapore-headquartered cybersecurity company said in its Hi-Tech Crime Trends 2023/2024 report published last week.


Between June and October 2023, more than 130,000 unique hosts with access to OpenAI ChatGPT were infiltrated, a 36% increase over what was observed during the first five months of 2023. The breakdown by the top three stealer families is below –

  • LummaC2 – 70,484 hosts
  • Raccoon – 22,468 hosts
  • RedLine – 15,970 hosts

“The sharp increase in the number of ChatGPT credentials for sale is due to the overall rise in the number of hosts infected with information stealers, data from which is then put up for sale on markets or in UCLs,” Group-IB said.

The development comes as Microsoft and OpenAI revealed that nation-state actors from Russia, North Korea, Iran, and China are experimenting with artificial intelligence (AI) and large language models (LLMs) to complement their ongoing cyber attack operations.


Stating that LLMs can be used by adversaries to brainstorm new tradecraft, craft convincing scam and phishing attacks, and improve operational productivity, Group-IB said the technology could also speed up reconnaissance, execute hacking toolkits, and make scammer robocalls.

“In the past, [threat actors] were mainly interested in corporate computers and in systems with access that enabled movement across the network,” it noted. “Now, they also focus on devices with access to public AI systems.


“This gives them access to logs with the communication history between employees and systems, which they can use to search for confidential information (for espionage purposes), details about internal infrastructure, authentication data (for conducting even more damaging attacks), and information about application source code.”

Abuse of valid account credentials by threat actors has emerged as a top access technique, primarily fueled by the easy availability of such information via stealer malware.

“The combination of a rise in infostealers and the abuse of valid account credentials to gain initial access has exacerbated defenders’ identity and access management challenges,” IBM X-Force said.

“Enterprise credential data can be stolen from compromised devices through credential reuse, browser credential stores or accessing enterprise accounts directly from personal devices.”

Dormant PyPI Package Compromised to Spread Nova Sentinel Malware
http://www.indiavpn.org/2024/02/23/dormant-pypi-package-compromised-to-spread-nova-sentinel-malware/
Fri, 23 Feb 2024 19:53:54 +0000

Feb 23, 2024 | Newsroom | Supply Chain Attack / Malware


A dormant package available on the Python Package Index (PyPI) repository was updated after nearly two years to propagate an information stealer malware called Nova Sentinel.

The package, named django-log-tracker, was first published to PyPI in April 2022, according to software supply chain security firm Phylum, which detected an anomalous update to the library on February 21, 2024.

While the linked GitHub repository hasn’t been updated since April 10, 2022, the introduction of a malicious update suggests a likely compromise of the PyPI account belonging to the developer.

Django-log-tracker has been downloaded 3,866 times to date, with the rogue version (1.0.4) downloaded 107 times on the date it was published. The package is no longer available for download from PyPI.


“In the malicious update, the attacker stripped the package of most of its original content, leaving only an __init__.py and example.py file behind,” the company said.

The changes, simple and self-explanatory, involve fetching an executable named “Updater_1.4.4_x64.exe” from a remote server (“45.88.180[.]54”), followed by launching it using the Python os.startfile() function.

The binary, for its part, comes embedded with Nova Sentinel, a stealer malware that was first documented by Sekoia in November 2023 as being distributed in the form of fake Electron apps on bogus sites offering video game downloads.

“What’s interesting about this particular case […] is that the attack vector appeared to be an attempted supply-chain attack via a compromised PyPI account,” Phylum said.

“If this had been a really popular package, any project with this package listed as a dependency without a version specified or a flexible version specified in their dependency file would have pulled the latest, malicious version of this package.”
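The exposure Phylum describes is a property of the dependency file, not of the package: an entry with no version or with a flexible specifier accepts whatever release was most recently uploaded. The script below is an added example, not Phylum's tooling, that audits a requirements.txt for such entries. It relies on two real features of pip's requirements syntax, `==` pins and `--hash=` options (hash-checking mode, in which pip refuses any file whose digest is not listed); the sample requirements text and its sha256 value are constructed for illustration.

```python
"""Audit a requirements.txt for dependency specs that would silently pull a
newly published release, as in the django-log-tracker case above.

Added example, not Phylum's tooling. Uses pip's own requirements syntax:
'==' pins a version and '--hash=' enables hash-checking mode, in which pip
refuses any upload whose hash is not listed. The sample text and its hash
value are constructed for illustration.
"""
import re

# PEP 440 comparison operators; '===' must be tried before '=='.
OPERATOR = re.compile(r"===|==|~=|!=|<=|>=|<|>")


def _logical_lines(text):
    """Yield (starting line number, text) after joining backslash continuations."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def parse_requirement(line):
    """Return (name, version spec, number of --hash options), or None for
    blank, comment and pip option lines. Comments start at '#'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    tokens = line.split()
    requirement, options = tokens[0], tokens[1:]
    hashes = sum(1 for opt in options if opt.startswith("--hash="))
    match = OPERATOR.search(requirement)
    if match:
        name, spec = requirement[:match.start()], requirement[match.start():]
    else:
        name, spec = requirement, ""
    name = name.split("[", 1)[0].lower()   # drop extras such as pkg[socks]
    return name, spec, hashes


def audit_requirements(text):
    """Return (line number, package, reason) for every entry that would accept
    a release the author never reviewed."""
    findings = []
    for lineno, line in _logical_lines(text):
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, spec, hashes = parsed
        if not spec:
            findings.append((lineno, name, "no version: resolves to the newest upload"))
        elif not spec.startswith("=="):
            findings.append((lineno, name, f"flexible spec {spec!r}: a newer release still matches"))
        elif hashes == 0:
            findings.append((lineno, name, "pinned but unhashed: any file published for this version is accepted unverified"))
    return findings


# Constructed sample; the sha256 value is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
django-log-tracker            # no version: pulls whatever is newest
requests>=2.31                # flexible: a newer release still matches
cryptography==42.0.5          # pinned, but the file itself is unverified
idna==3.6 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for lineno, name, reason in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {name}: {reason}")
```

Only the last entry in the sample passes: it is pinned and carries a digest, so an update like the one pushed to django-log-tracker would fail to install rather than run. The parser is deliberately minimal (it does not handle URL or editable requirements) and is meant to show the check, not to replace pip's own resolver.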

Why Are Compromised Identities the Nightmare to IR Speed and Efficiency?
http://www.indiavpn.org/2024/02/12/why-are-compromised-identities-the-nightmare-to-ir-speed-and-efficiency/
Mon, 12 Feb 2024 10:57:20 +0000


Incident response (IR) is a race against time. You engage your internal or external team because there’s enough evidence that something bad is happening, but you’re still blind to the scope, the impact, and the root cause. The common set of IR tools and practices provides IR teams with the ability to discover malicious files and outbound network connections. However, the identity aspect – namely the pinpointing of compromised user accounts that were used to spread in your network – unfortunately remains unattended. This task proves to be the most time-consuming for IR teams and has become a challenging uphill battle that enables attackers to earn precious time in which they can still inflict damage.

In this article, we analyze the root cause of the identity IR blind spot and provide sample IR scenarios in which it inhibits a rapid and efficient process. We then introduce Silverfort’s Unified Identity Protection Platform and show how its real-time MFA and identity segmentation can overcome this blind spot and make the difference between a contained incident and a costly breach.

IR 101: Knowledge is Power. Time is Everything

The triggering of an IR process can come in a million shapes. They all share a resemblance in that you think – or are even sure – that something is wrong, but you don’t know exactly what, where, and how. If you’re lucky, your team spotted the threat when it’s still building up its power inside but hasn’t yet executed its malicious objective. If you’re not so lucky, you become aware of the adversarial presence only after its impact has already broken out – encrypted machines, missing data, and any other form of malicious activity.

One way or the other, the most urgent task once the IR starts rolling is to dissolve the darkness and get clear insight into the compromised entities within your environment. Once these are located and validated, steps can be taken to contain the attack by quarantining machines, blocking outbound traffic, removing malicious files, and resetting user accounts.

As it happens, the last task is far from trivial when dealing with compromised user accounts and introduces a yet unaddressed challenge. Let’s understand why that is.

Identity IR Gap #1: No Playbook Move to Detect Compromised Accounts

Unlike malware files or malicious outbound network connections, a compromised account doesn’t do anything that is essentially malicious – it merely logs in to resources in the same manner a normal account would. If it’s an admin account that accesses multiple workstations and servers on a daily basis – which is the case in many attacks – its lateral movement won’t even seem anomalous.


The result is that the discovery of the compromised account takes place only after the compromised machines are located and quarantined, and even then, it entails manually checking all the accounts that are logged there. And again – when racing against time, the dependency on manual and error-prone investigation creates a critical delay.

Identity IR Gap #2: No Playbook Move to Immediately Contain the Attack and Prevent Further Spread

As in real life, there’s a stage of immediate first aid that precedes full treatment. The equivalent in the IR world is to contain the attack within its current boundaries and ensure it doesn’t spread further, even prior to discovering its active components. On the network level, it’s done by temporarily isolating segments that potentially host malicious activity from those that are not yet compromised. At the endpoint level, it’s done by quarantining machines where malware is located.

Here again, the identity aspect needs to catch up. The only available containment is disabling the user account in AD or resetting its password. The first option is a no-go due to the operational disruption it introduces, especially in the case of false positives. The second option is not good either; if the suspected account is a machine-to-machine service account, resetting its password is likely to break the critical processes it manages, ending up with additional damage on top of the one the attack has caused. If the adversary has managed to compromise the identity infrastructure itself, resetting the password will be immediately addressed by shifting to another account.

Identity IR Gap #3: No Playbook Move to Reduce Exposed Identity Attack Surfaces That Adversaries Target Within the Attack

The weaknesses that expose the identity attack surface to malicious credential access, privilege escalation, and lateral movement are blind spots for the posture and hygiene products in the security stack. This deprives the IR team of critical indications of compromise that could have significantly accelerated the process.

Prominent examples are vulnerable authentication protocols like NTLM (or, even worse, NTLMv1), misconfigurations like accounts set with unconstrained delegation, shadow admins, stale users, and many more. Adversaries feast on these weaknesses as they make their Living Off The Land route. The inability to locate and reconfigure or protect accounts and machines that feature these weaknesses turns the IR into an exercise in cat herding: while the analyst is busy checking whether Account A is compromised, the adversaries are already leveraging compromised Account B.

Bottom Line: No Tools. No Shortcuts. Just Slow and Manual Log Analysis While the Attack is in Full Gear

So that is the status quo when the IR team finally needs to discover which compromised user accounts the attacker is using to spread in your environment: no tools and no shortcuts, just slow and manual log analysis. This is a secret no one talks about, and it is the true root cause of why lateral movement attacks are so successful and hard to contain, even while the IR process is taking place.

This is the challenge Silverfort solves.

Silverfort Unified Identity Protection for IR Operations

Silverfort’s Unified Identity Protection platform integrates with the identity infrastructure on-prem and in the cloud (Active Directory, Entra ID, Okta, Ping, etc.). This integration enables Silverfort to have full visibility into any authentication and access attempt, real-time access enforcement to prevent malicious access with either MFA or access block, and automated discovery and protection of service accounts.

Let’s see how these capabilities accelerate and optimize the identity IR process:

Detection of Compromised Accounts with MFA with Zero Operational Disruption

Silverfort is the only solution that can enforce MFA protection on all AD authentication, including command line tools like PsExec and PowerShell. With this capability, a single policy that requires all user accounts to verify their identity with MFA can detect all compromised accounts in minutes.

Once the policy is configured, the flow is simple:

  1. The adversary attempts to continue its malicious access and logs into a machine with the account’s compromised credentials.
  2. The true user is prompted with MFA and denies that they have requested access to the specified resource.

Goal #1 achieved: There’s now evidence beyond doubt that this account is compromised.

Side Note: Now that there’s a validated compromised account, all we need to do is filter all the machines that this account has logged into in Silverfort’s log screen.

Contain the Attack with MFA and Block Access Policies

The MFA policy we’ve described above not only serves to detect which accounts are compromised but also to prevent any additional spread of the attack. This enables the IR team to freeze the adversary’s foothold where it is and ensure that all the yet non-compromised resources stay intact.

Protection with Operational Disruption Revisited: Zoom-in On Service Accounts

Special attention should be given to service accounts as they are heavily abused by threat actors. These machine-to-machine accounts are not associated with a human user and cannot be subject to MFA protection.

However, Silverfort automatically discovers these accounts and gains insights into their repetitive behavioral patterns. With this visibility, Silverfort enables the configuration of policies that block access whenever a service account deviates from its behavior. In that manner, all of the standard service account activity is not disrupted, while any malicious attempt to abuse it is blocked.

Goal #2 achieved: Attack is contained and the IR team can rapidly move to investigation

Eliminating Exposed Weaknesses in the Identity Attack Surface

Silverfort’s visibility into all authentications and access attempts within the environment enables it to discover and mitigate common weaknesses that attackers take advantage of. Here are a few examples:

  • Setting MFA policies for all shadow admins
  • Setting block-access policies for any NTLMv1 authentication
  • Discovering all accounts configured without pre-authentication
  • Discovering all accounts configured with unconstrained delegation

This attack surface reduction will usually take place during the initial ‘first aid’ stage.

Goal #3 achieved: Identity weaknesses are mitigated and cannot be used for malicious propagation.

Conclusion: Gaining Identity IR Capabilities is Imperative – Are You Ready?

Compromised accounts are a key component in over 80% of cyber attacks, making the risk of getting hit an almost certainty. Security stakeholders should invest in having IR tools that can address this aspect in order to ensure their ability to respond efficiently when such an attack happens.

To learn more about the Silverfort platform’s IR capabilities, reach out to one of our experts to schedule a quick demo.

Hackers Abusing GitHub to Evade Detection and Control Compromised Hosts
http://www.indiavpn.org/2023/12/24/hackers-abusing-github-to-evade-detection-and-control-compromised-hosts/
Sun, 24 Dec 2023 18:21:39 +0000

Dec 19, 2023 | The Hacker News | Software Security / Threat Intelligence


Threat actors are increasingly making use of GitHub for malicious purposes through novel methods, including abusing secret Gists and issuing malicious commands via git commit messages.

“Malware authors occasionally place their samples in services like Dropbox, Google Drive, OneDrive, and Discord to host second stage malware and sidestep detection tools,” ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News.

“But lately, we have observed the increasing use of the GitHub open-source development platform for hosting malware.”

Legitimate public services are known to be used by threat actors for hosting malware and acting as dead drop resolvers to fetch the actual command-and-control (C2) address.


While using public sources for C2 does not make them immune to takedowns, they do offer the benefit of allowing threat actors to easily create attack infrastructure that’s both inexpensive and reliable.

This technique is sneaky as it allows threat actors to blend their malicious network traffic with genuine communications within a compromised network, making it challenging to detect and respond to threats effectively. As a result, an infected endpoint communicating with a GitHub repository is less likely to be flagged as suspicious.

The abuse of GitHub gists points to an evolution of this trend. Gists, which are nothing but repositories themselves, offer an easy way for developers to share code snippets with others.

It’s worth noting at this stage that public gists show up in GitHub’s Discover feed, while secret gists, although not accessible via Discover, can be shared with others by sharing their URL.

“However, if someone you don’t know discovers the URL, they’ll also be able to see your gist,” GitHub notes in its documentation. “If you need to keep your code away from prying eyes, you may want to create a private repository instead.”

Another interesting aspect of secret gists is that they are not displayed in the GitHub profile page of the author, enabling threat actors to leverage them as some sort of a pastebin service.

ReversingLabs said it identified several PyPI packages – namely, httprequesthub, pyhttpproxifier, libsock, libproxy, and libsocks5 – that masqueraded as libraries for handling network proxying, but contained a Base64-encoded URL pointing to a secret gist hosted in a throwaway GitHub account without any public-facing projects.

The gist, for its part, features Base64-encoded commands that are parsed and executed in a new process through malicious code present in the setup.py file of the counterfeit packages.


The use of secret gists to deliver malicious commands to compromised hosts was previously highlighted by Trend Micro in 2019 as part of a campaign distributing a backdoor called SLUB (short for SLack and githUB).

A second technique observed by the software supply chain security firm entails the exploitation of version control system features, relying on git commit messages to extract commands for execution on the system.

The PyPI package, named easyhttprequest, incorporates malicious code that “clones a specific git repository from GitHub and checks if the ‘head’ commit of this repository contains a commit message that starts with a specific string,” Zanki said.

“If it does, it strips that magic string and decodes the rest of the Base64-encoded commit message, executing it as a Python command in a new process.” The GitHub repository that gets cloned is a fork of a seemingly legitimate PySocks project, and it does not have any malicious git commit messages.

All the fraudulent packages have now been taken down from the Python Package Index (PyPI) repository.

“Using GitHub as C2 infrastructure isn’t new on its own, but abuse of features like Git Gists and commit messages for command delivery are novel approaches used by malicious actors,” Zanki said.
