Galaxy Store Remote XSS

Summary: The threat actor known as “InTheBox” has launched a malware marketplace on the dark web that offers threat actors subscription models to professionally developed webinjects. Over 400 webinjects are available in the marketplace and could be purchased for as little as $100 a month to as much as $5888 a month for unlimited number of injections. These plans offer basic support and customization options.

This marketplace is easily available through the Tor network; however, access to the marketplace requires vetting from the developer via Telegram or Jabber. The use of subscription-based webinject offerings by threat actors is generally cheaper than selling the malware itself, however, it provides increased revenue through increased customers. “InTheBox” provides existing webinjects such as Alien, Cerberus, Ermac, Hydra, Octopus (aka “Octo”), Poison, and MetaDroid.  These webinjects specifically target mobile apps, social media, and financial institutions and use overlays on the apps to steal user credentials. These overlays are worked on and improved by the malware developers to match with those released by the official websites and apps.

Why it matters: The appearance of this marketplace on the dark web is another sign of the growing Malware-as-a-Service offerings by threat actors. These threat actors simplify the attack process for other threat actors and provide them with capabilities that are normally beyond their reach. Not only does it open up avenues for the less-skilled threat actors, but the various offerings allow for those threat actors within different financial brackets to become threats themselves. The “InTheBox” marketplace specifically presents a threat to the wider population as it targets mobile apps, and thus could affect the majority of the population. This threat takes advantage of the residual risks in mobile app development and will continue to improve as the apps themselves improve.

Black Basta Hackers Steal Power Utility Customer Data

Summary: Black Basta is a ransomware group that emerged in April 2022 and, as of December 2022, is actively targeting US-based companies with QakBot (also known as QBot or Pinkslipbot) malware. The attack begins with a spear-phishing email that has a malicious disk image file that executes QBot, which connects to a remote server to retrieve the Cobalt Strike payload. Once infected, the group uses “double extortion” to steal sensitive data from its targets and uses that data as extortion for cryptocurrency payments by threatening the release of sensitive data.

Black Basta (as well as other QakBot infections) are delivered via a phishing email that contains a malicious HTML file as the initial infection point. Once the payload has been delivered to the host, Cobalt Strike is launched and deploys an agent known as “Beacon” on the system. “Beacon gives an attacker an arsenal of capabilities including command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. With Cobalt Strike successfully deployed, the third and final step is executed.” Once compromised, a ransom note is delivered to the victim with instructions on how to contact Black Basta via their TOR site.

Why it matters: Although other countries and businesses have been targeted, this latest batch of malware seems to be specifically targeting the power utility sector. It is not presently known if these attacks could compromise power output, but as the group’s activity seems to be increasing, it is prudent for all business sectors to ensure detection methodologies are in place for ransomware and users are vigilant for spear phishing emails that contain attachments from unknown senders – in particular, HTML attachments.

Signed Microsoft Drivers used in Malicious Attacks

Summary: Researchers at SentinelOne, Sophos, and Mandiant have discovered malicious actors using signed Microsoft drivers in malicious attacks. These drivers are being used by multiple threat actors in post-exploitation activity. They were not detected as the main tools used for exploitation as attackers use them after receiving administrative privileges on the compromised system. The drivers are associated with toolkits that disable security in the system as well as download additional malicious tools.

It is currently not known how the threat actors managed to get malicious drivers signed. It is thought that a supplier or service provides attackers with the code signing service. Although, the source of the signing is unknown, Microsoft has begun to take safety precautions by suspending the accounts that requested the tickets to be signed as well as updating Defender’s signatures to help detect signed drivers. However, these vulnerabilities will continue to exist as Microsoft and its partners will continue to search for the origin of the maliciously signed Microsoft drivers.

Why it matters: Normally, signed software drivers are commonly used to reassure people that they are using legitimate files. The use of digital signatures guarantees that the files downloaded belong to the expected creator and not a malicious attacker. It is through file signatures that many security products can help ensure the safety and security of the user and their devices. By creating signed malicious drivers, threat actors can thus bypass the scrutiny of the system and its defenders. Doing so has led to the successful usage of these drivers in post-exploitation attacks. These signed drivers from Microsoft so far appear to be accessible to multiple threat actors and their usage only appears to be growing. It is thus important to update security defenses so that discovered malicious but signed products are detected.

SVG Files Used to Smuggle QBot Malware

Summary: The malicious phishing campaign known as “Emotet” has once again returned after a four-month hiatus. Emotet is a malware phishing campaign that is worldwide in scope. It targets users in various countries and contains files in various languages. Its return uses stolen reply chain emails to distribute its malware.

The nature of Emotet uses Microsoft Excel and Word documents containing macros that will download the Emotet DLL and load it into memory. From there, additional payloads such as Cobalt Strike or Ryuk will also be downloaded for other malicious purposes. Additionally, it would steal emails from the infected host for future campaigns. The initial Excel and Word documents are normally prevented from running by Word and Excel, however, the new Emotet campaign instructs users to move the files into the administrator-protected Templates folder. Doing so would allow the malicious files to run completely and execute the Emotet DLL.

Why it matters: Phishing is one of the most common attack methods by malicious actors. The Emotet campaign specifically was at one point the world’s most distributed malware. The widespread use of Emotet allows every company and any individual to be a target. It is commonly used to gain access into one system and move laterally from there. The danger Emotet presents is more than just remote access into a system, it is the malware’s commonly attributed bundle ransomware such as Ryuk and Quantum. The lateral access granted to the threat actor as well as the combination of ransomware gives Emotet the potential to infect individuals to large enterprises. It is thus important to train everyone in security awareness regarding downloading and opening files from emails as ransomware incidents can be costly.

Generic Bypass of Web Application Firewalls (WAF)

Summary: A team at Claroty (a SaaS-powered industrial cybersecurity platform) has recently demonstrated a way to circumvent the protections of web application firewalls (WAFs). Claroty was able to leverage a vulnerability with JSON syntax in SQL commands. The attack works by appending JSON syntax or code to SQL injection payloads that the WAFs are unable to parse. WAFs are very good at recognizing SQL code and typically flag that as malicious, however most WAFs do not support JSON (a standard file and data exchange format and is commonly used when data is sent from a server to a web application). The WAF is unable to decipher the code and passes it to the SQL server.

Unfortunately, JSON support in SQL servers was implemented approximately 10 years ago, which means the server runs the commands and sends the data back to the adversary. Attackers using this technique could access a database and leverage additional vulnerabilities to exfiltrate information via either direct access to the server or over the cloud. This attack was found to be successful against Palo Alto, Amazon Web Services (AWS), Cloudflare, F5, and Imperva. These vendors have been notified and patches have since been issued to protect against this vulnerability. Claroty states that many other vendors not tested may be vulnerable as well as JSON is not supported by most WAF platforms.

Why it matters: According to Claroty, this simple attack yielded real-world results. By adding a JSON script in front of SQL commands, they were able to avoid detection by the WAF and exfiltrate data that is internal to a corporate network. It is exceedingly important to ensure WAFs are up to date and ensure that they can parse JSON commands to mitigate this threat before it is exploited by adversaries.

Security Tip of the Month

Summary: As the holiday season is upon us, so is an increase in shipping and free returns offered by retailers. Along with this increase in spending, the secondhand merchandise market is burgeoning as a direct result of the increase of returned items. It’s cheaper for major retailers to offload their unsold or returned product to other outlets in bulk instead of repackaging and restocking them. This in turn has created a market for scammers offering shoppers the chance to buy large quantities of returned items at bargain prices.

Scammers specifically target holiday shoppers looking for deals on “mystery boxes” of returned Amazon items for prices as low as $1. An example of the “sales” designed to entice shoppers is shown above in the “Box-Electronic Lucky Gift Box Clearance Boxes Returns Pallets for Sale”. The opportunity provided in the article redirects shoppers to the scammers’ websites to steal the buyer’s credit card and bank information. A key way to identify most of these scams is to look for the same tell-tale signs observed in phishing emails: poor grammar and spelling. Also, check the registrar information for the popup sites; most of them have been created within the last two months.

Why it matters: Scammers have always preyed upon people during hard times, and as inflation increases during the busiest shopping season of the year, this is prime time for scammers to take advantage of shoppers looking for the best deals. In pursuit of savings, people are more prone to ignoring common sense and best practices that they typically exercise throughout the year. They forget the most important rule when shopping online: if it sounds too good to be true, it usually is. The best advice is to purchase products from known retailers and avoid unknown secondary sites.