
Microsoft's Rise as a Cybersecurity Powerhouse

Tech titan Microsoft has emerged as an unexpected yet potent competitor in the cybersecurity industry in a time of rapid digital transformation and rising cyber threats. The company has quickly evolved from its conventional position to become a cybersecurity juggernaut, meeting the urgent demands of both consumers and enterprises in terms of digital security thanks to its broad suite of software and cloud services.

Microsoft entered the cybersecurity field gradually and strategically. According to recent reports, the company now generates some $20 billion in security-related revenue, underlining its commitment to protecting customers in an increasingly complex threat landscape. This shift was driven by a number of strategic acquisitions and by a decision to prioritize security across all of its services.

The business has considerably improved its capacity to deliver cutting-edge threat information and improved security solutions as a result of its acquisition of cybersecurity businesses like RiskIQ and ReFirm Labs. Microsoft has been able to offer a comprehensive package of services that cover threat detection, prevention, and response by incorporating these cutting-edge technologies into its current portfolio.

The Azure cloud platform is one of the main factors behind Microsoft's success in the cybersecurity industry. As more companies move their operations to the cloud, protecting cloud infrastructure becomes crucial. Microsoft has used Azure to deliver security services that protect networks, applications, and data. Its Azure Sentinel service, for instance, applies machine learning to large volumes of log data to surface anomalies that could indicate a security breach.

Furthermore, Microsoft's commitment to addressing cybersecurity issues goes beyond its own products. The business has taken the initiative to work with the larger cybersecurity community in order to exchange threat intelligence and best practices. Its participation in efforts like the Cybersecurity Tech Accord, which combines international tech companies to safeguard clients from cyber dangers, is an example of this collaborative approach.

Microsoft's success in the field of cybersecurity is not without its difficulties, though. The broader cybersecurity sector continues to be beset by a chronic spending issue as it works to strengthen digital defenses. Microsoft makes large investments in security, but many other companies find it difficult to set aside enough funding to properly combat attacks that are always developing.



Installing Software via Google Poses Concerns

Researchers say that while searching Google for downloads of well-known software has always carried some risk, in recent months it has become downright dangerous. 
On Thursday, volunteers at Spamhaus noted that threat researchers had long been used to seeing a moderate volume of malicious advertising delivered through Google Ads, but that volume has now surged. 

Multiple malware families, including AuroraStealer, IcedID, MetaStealer, RedLine Stealer, Vidar, Formbook, and XLoader, are behind the surge. In the past, these groups largely relied on spam attachments carrying malicious Microsoft Word documents with booby-trapped macros. Over the past month, Google Ads has become the preferred channel for distributing their malware, disguised as legitimate downloads that impersonate well-known products including Adobe Reader, GIMP, Microsoft Teams, OBS, Slack, and Thunderbird.

This week, researchers from the security firm Saiflow disclosed two flaws in older versions of the Open Charge Point Protocol (OCPP), the open protocol used for communication between electric vehicle chargers and their management software. By abusing vulnerable OCPP implementations, an attacker could take control of a charger, disable groups of chargers, or steal electricity from a charger for their own use. Saiflow says it is working with EV charger manufacturers to reduce the risk posed by the vulnerabilities.

Hegel from SentinelOne provides one case: "Real C2 traffic is masked by Formbook and XLoader's HTTP requests to several sites that are randomly chosen from an embedded list and sent with encoded and encrypted content. The rest of the domains are merely decoys; only one is the actual C2 server. A sample that we examined sent HTTP GET and/or POST requests to the 17 domains (16 endpoints) specified in the IOC table below while encoding and encrypting the HTTP data. The implementation of this technology by XLoader in particular is covered at length in prior research."

Earlier research continues to confirm the strategy of hiding the genuine C2 domain by beaconing to many domains at once. The malware sends beacons to a mix of legitimately registered and unregistered domains. The accompanying figure, a snapshot of some of the domains the malware contacts, shows the wide range of domain ages, hosting providers, and registration dates involved.

Unless Google adds new protections, the use of decoy domains and other obfuscation techniques to hide the real control servers behind the widespread MalVirt and similar malvertising campaigns will continue to work. The MalVirt campaign also delivers malware that is difficult to detect.
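The decoy-domain behaviour described above gives defenders a network-level handle: one client sending requests with the same URI path to many unrelated domains in a short window is unusual for a legitimate browser, whichever of those domains is the real C2. The detector below is an added example, not code from SentinelOne or from the blog; it runs over a constructed proxy log (the hosts, client addresses and the "/gd5/" path are invented) and flags a client/user-agent/path triple that reaches a configurable number of distinct hosts inside a sliding time window.

```python
"""Flag one client beaconing the same URI path to many unrelated domains in a short window."""
from collections import Counter
from datetime import datetime, timezone

# Constructed proxy log (not a real capture). Fields: ts client method host path bytes_out user_agent
SAMPLE_LOG = """\
2023-02-01T10:00:01Z 10.0.0.5 GET  www.alpha-shop.example /gd5/?q=kG3z 0 Mozilla/5.0
2023-02-01T10:00:04Z 10.0.0.5 POST www.beta-blog.example /gd5/ 396 Mozilla/5.0
2023-02-01T10:00:07Z 10.0.0.5 GET  cdn.gamma-news.example /gd5/?q=pL1a 0 Mozilla/5.0
2023-02-01T10:00:09Z 10.0.0.5 POST delta-travel.example /gd5/ 402 Mozilla/5.0
2023-02-01T10:00:12Z 10.0.0.5 GET  epsilon-photo.example /gd5/?q=zz9Q 0 Mozilla/5.0
2023-02-01T10:00:15Z 10.0.0.5 POST zeta-crafts.example /gd5/ 398 Mozilla/5.0
2023-02-01T10:00:18Z 10.0.0.5 GET  eta-parked.example /gd5/?q=Q1w2 0 Mozilla/5.0
2023-02-01T10:00:21Z 10.0.0.5 POST theta-store.example /gd5/ 401 Mozilla/5.0
2023-02-01T10:00:30Z 10.0.0.7 GET  www.bing.com /search?q=weather 0 Mozilla/5.0
2023-02-01T10:00:31Z 10.0.0.7 GET  www.bing.com /search?q=news 0 Mozilla/5.0
2023-02-01T10:01:00Z 10.0.0.9 GET  update.vendor.example /api/v1/check 0 Updater/2.0
"""


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, bytes_out, ua = line.split(None, 6)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "client": client,
            "method": method,
            "host": host.lower(),
            # Drop the per-request query string; the shared path is what the decoys have in common.
            "path": path.split("?", 1)[0],
            "bytes_out": int(bytes_out),
            "ua": ua,
        })
    return events


def find_decoy_beaconing(events, min_hosts=6, window_s=120):
    """Return one alert per (client, user agent, path) that contacts >= min_hosts distinct
    hosts within any window_s-second window. Thresholds are assumptions to tune per network."""
    groups = {}
    for e in events:
        groups.setdefault((e["client"], e["ua"], e["path"]), []).append(e)

    alerts = []
    for (client, ua, path), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()   # host -> number of requests currently inside the window
        left = 0
        best = set()
        for e in evs:
            in_window[e["host"]] += 1
            # Slide the left edge forward until the window fits inside window_s seconds.
            while (e["ts"] - evs[left]["ts"]).total_seconds() > window_s:
                old = evs[left]["host"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > len(best):
                best = set(in_window)
        if len(best) >= min_hosts:
            alerts.append({"client": client, "user_agent": ua, "path": path, "hosts": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in find_decoy_beaconing(parse_log(SAMPLE_LOG)):
        print(f"{alert['client']} {alert['path']} -> {len(alert['hosts'])} hosts: {alert['hosts']}")
```

On real data this runs over proxy or Zeek HTTP logs rather than a string, and the hit list is the starting point, not the verdict: cross-reference the flagged hosts with domain age and registrar data (the post notes the mix of old, new and unregistered domains) and join with endpoint process telemetry to find the beaconing binary.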


Metador APT is Lurking ISPs and Telecom Entities

Researchers at SentinelLabs have discovered a threat actor, tracked as Metador, that primarily targets universities, ISPs, and telecommunications companies in several Middle Eastern and African countries.

SentinelLabs researchers named the group Metador after the string "I am meta" found in the malicious code and the fact that its server messages are often in Spanish. According to the findings, presented at the first LabsCon security conference, the group is thought to have been active since December 2020 and has managed to stay undetected for the past few years. 

SentinelLabs senior director Juan Andrés Guerrero-Saade said that after sharing information on Metador with experts at other security companies and with government partners, no one was aware of the group.

SentinelLabs researchers found Metador inside a Middle Eastern telecommunications company that had also been compromised by roughly ten other threat actors, including the China-linked Moshen Dragon and the Iran-linked MuddyWater. Metador's goal appears to be long-term espionage. 

Along with two highly sophisticated Windows implants, "metaMain" and "Mafalda", that the group uses, the SentinelLabs researchers found traces of Linux malware.

The attackers loaded both implants into memory and decrypted them using the Windows console debugger "cdb.exe".
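A legitimate Microsoft debugger being used as the loader is the kind of living-off-the-land detail that defenders can hunt for: cdb.exe has no business running on a telecom's servers, and its -c/-cf switches (which execute debugger commands or a command script) are the natural way to drive an in-memory decrypt-and-run sequence. The triage below is an added example, not SentinelLabs code and not a description of how metaMain was actually invoked; it scores constructed Sysmon-style process-creation events (hostnames, paths and the developer-host inventory are assumptions) and flags cdb.exe runs that come from an unexpected path, take a script on the command line, or run on a host where no debugger is expected.

```python
"""Score cdb.exe (Microsoft console debugger) executions for living-off-the-land loader use."""
import ntpath

# Constructed Sysmon-like process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "DEV-BOX-01",
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "CommandLine": r'"cdb.exe" -g -G notepad.exe',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\dev1"},
    {"host": "MAIL-GW-02",
     "Image": r"C:\Users\Public\Libraries\cdb.exe",
     "CommandLine": r"cdb.exe -cf C:\Users\Public\Libraries\update.wds -o C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"host": "FILE-SRV-03",
     "Image": r"C:\Windows\Temp\cdb.exe",
     "CommandLine": r'cdb.exe -c "g" C:\Windows\Temp\host.exe',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\svc_backup"},
    {"host": "WS-0042",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice"},
]

# Assumptions: where the Debugging Tools for Windows normally live, which hosts are allowed to
# have them, and which parents suggest scripted rather than interactive use.
EXPECTED_DIR_FRAGMENTS = ("\\windows kits\\", "\\debuggers\\")
DEVELOPER_HOSTS = {"DEV-BOX-01"}
SCRIPT_SWITCHES = {"-c", "-cf", "-cfr"}      # run debugger commands / a command script
SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe"}


def score_cdb_event(ev):
    """Return None for non-cdb events, otherwise a dict with a score and the reasons behind it."""
    image = ev["Image"].lower()
    if ntpath.basename(image) != "cdb.exe":
        return None
    reasons = []
    if not any(frag in image for frag in EXPECTED_DIR_FRAGMENTS):
        reasons.append("cdb.exe outside the debugger install path")
    tokens = ev["CommandLine"].lower().split()
    if any(tok in SCRIPT_SWITCHES for tok in tokens):
        reasons.append("debugger commands or script supplied on the command line")
    if ev["host"] not in DEVELOPER_HOSTS:
        reasons.append("host is not in the developer-workstation inventory")
    parent = ntpath.basename(ev["ParentImage"].lower())
    if parent in SCRIPT_PARENTS:
        reasons.append(f"spawned by {parent}")
    return {"host": ev["host"], "user": ev["User"], "score": len(reasons), "reasons": reasons}


def triage(events, min_score=2):
    """Keep only cdb.exe executions whose score reaches min_score."""
    hits = (score_cdb_event(ev) for ev in events)
    return [hit for hit in hits if hit is not None and hit["score"] >= min_score]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['host']} ({hit['user']}) score={hit['score']}: {'; '.join(hit['reasons'])}")
```

The score is deliberately additive so that a developer debugging a crash on an inventoried workstation stays quiet while a copy of cdb.exe dropped into a public directory on a mail gateway lights up on several counts at once; the same shape works for the other Microsoft debuggers (windbg.exe, kd.exe) by extending the basename check.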

Mafalda is a versatile implant that supports up to 67 commands. Its operators update it regularly, and the more recent versions are heavily obfuscated. metaMain, which is also used on its own, has a robust feature set that lets the attacker maintain a persistent connection, log keystrokes, download and upload arbitrary files, and run shellcode.

Between two variants built in April and December 2021, Mafalda gained support for 13 new commands, adding capabilities for credential theft, network reconnaissance, and file system manipulation. This is evidence that Mafalda is under active development.

Attack chains have also included unidentified Linux malware that collects data from the infected environment and sends it back to Mafalda. The initial access vector of the intrusions has not yet been identified.

Running into Metador is a sobering reminder that another class of threat actor still operates covertly and without consequence. Security product vendors should take the opportunity to design their products to actively look for the most sophisticated, well-funded attackers.



The Hacking Group 'ModifiedElephant' Remained Undetected


SentinelLabs researchers have published details of a long-running APT campaign in which the threat actor has targeted human rights activists, free speech advocates, academics, and lawyers in India with readily available trojans delivered via spear-phishing since 2012. The group, known as ModifiedElephant, has been found planting 'incriminating evidence' on the devices of its targets. 

"The goal for ModifiedElephant is long-term espionage which sometimes ends with the transmission of evidence – files that implicate the victim in criminal offenses – prior to conveniently synchronized arrests," stated Tom Hegel, a threat researcher at SentinelOne. According to the research, over the previous decade, ModifiedElephant hackers have been attacking their victims with spearphishing emails containing malicious file attachments, with their methods becoming more complex over time. 

Spearphishing is the technique of sending victims emails that appear to come from a trusted source in order to make them divulge sensitive information or install malware on their computers. ModifiedElephant usually delivers its malware through malicious files. The specific mechanism and content of those files has varied over time, according to SentinelOne; the timeline is given below: 
  • 2013 – The adversary sends malware as email attachments with fake double extensions (file.pdf.exe). 
  • 2015 – The group switches to password-protected RAR attachments containing legitimate lure documents that hide the signs of malware execution. 
  • 2019 – ModifiedElephant begins hosting malware-distribution sites and abusing cloud hosting services, moving from fake documents to malicious URLs.
  • 2020 – The attackers evade detection with very large RAR files (300 MB) that are big enough for scanners to skip.
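Two of the tricks in that timeline, the fake double extension and the oversized archive that slips past scanning, are cheap to catch at the mail gateway if the policy is written down. The classifier below is an added example, not SentinelLabs code and not a reconstruction of ModifiedElephant's lures; it runs over a constructed list of attachments (the filenames and the 150 MB scanner limit are assumptions) and flags executables hiding behind a document extension and archives larger than the scanner can inspect, so they can be quarantined instead of delivered unscanned.

```python
"""Mail-gateway attachment triage for double extensions and archives too large to scan."""

# Extension classes used by the checks (assumptions: extend to match your gateway's policy).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}
ARCHIVE_EXTS = {"rar", "zip", "7z"}
MAX_SCANNABLE_BYTES = 150 * 1024 * 1024   # assumption: the AV engine's per-file scan limit

# Constructed attachments (filename, size in bytes); not real samples.
SAMPLE_ATTACHMENTS = [
    ("Invoice.pdf.exe", 250_000),            # 2013-style double extension
    ("court_notice.rar", 310 * 1024 * 1024),  # 2020-style oversized archive
    ("agenda.docx", 40_000),
    ("photo.jpg", 3_000_000),
    ("tool.scr", 1_000_000),                  # plain executable, no document disguise
]


def classify_attachment(filename, size_bytes, max_scannable=MAX_SCANNABLE_BYTES):
    """Return the list of policy flags raised by one attachment (empty list means clean by these checks)."""
    parts = filename.lower().split(".")
    last, before_last = parts[-1], (parts[-2] if len(parts) >= 3 else None)
    flags = []
    if last in EXECUTABLE_EXTS and before_last in DOCUMENT_EXTS:
        flags.append("double-extension executable")      # e.g. file.pdf.exe
    elif last in EXECUTABLE_EXTS:
        flags.append("executable attachment")
    if last in ARCHIVE_EXTS and size_bytes > max_scannable:
        # An archive the scanner cannot open must be held, not waved through as "not detected".
        flags.append("archive exceeds scan size limit")
    return flags


def triage_attachments(attachments, max_scannable=MAX_SCANNABLE_BYTES):
    """Map every flagged filename to its flags; unflagged attachments are omitted."""
    result = {}
    for name, size in attachments:
        flags = classify_attachment(name, size, max_scannable)
        if flags:
            result[name] = flags
    return result


if __name__ == "__main__":
    for name, flags in triage_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"QUARANTINE {name}: {', '.join(flags)}")
```

The check is on the name and size only, which is exactly why the 2015 step in the timeline (password-protected RAR with a real lure document inside) needs a different control: archives that cannot be opened for inspection should be treated the same way as archives that are too big to scan.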

According to SentinelOne, the lure documents frequently carried exploits for CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, and CVE-2015-1641, all of which target Microsoft Office applications. 

ModifiedElephant has not been seen using any custom backdoors in its operational history, which suggests the group is not particularly sophisticated. The principal malware used in its campaigns was NetWire and DarkComet, two publicly available remote access trojans widely used by lower-tier attackers. 

ModifiedElephant's Visual Basic keylogger has not changed since 2012 and has been openly available on hacking forums all that time. SentinelLabs notes the tool's age, pointing out that it no longer works on recent OS versions. The group's Android malware is likewise a commodity trojan, delivered to users as an APK and disguised as a news app or a secure messaging tool.

NTLM Relay Attack Exploits Windows RPC Flaws


Security researchers at SentinelLabs have disclosed the details of a newly identified NTLM (New Technology LAN Manager) relay attack that abuses a remote procedure call (RPC) flaw to achieve elevation of privilege.

The vulnerability in RPC, which apparently affects all versions of Windows, lets an attacker escalate from a regular user to Domain Admin without any interaction from the victim user (NTLM relay attacks typically do require some user intervention). 

The researchers used a DCOM client instructed to connect to an RPC server, an operation that involves two NTLM authentications, one of which is performed without the sign flag set. They also leveraged the fact that the DCOM activation service can be abused to trigger RPC authentication. 

According to SentinelLabs, the premise of the attack is that a shell in Session 0, even as a low-privileged user, combined with triggering certain CLSIDs, could allow the attacker to obtain "an NTLM authentication from the user who is interactively connected."

Methodology used by cybercriminals 

  • The attacker has a shell in Session 0 on the target machine, even under a low-privileged account.
  • A user with high privileges (such as a Domain Admin) logs in interactively.
  • The attacker triggers the DCOM activation service to impersonate the high-privileged user and sets up a man-in-the-middle to receive the resulting authenticated call.
  • The RPC binding takes place under the attacker's control, and the victim machine makes an authenticated call to it.
  • That authentication is relayed to a privileged resource such as LDAP, SMB, HTTP, or another protocol.
  • Finally, the relayed authentication is used to escalate privileges.

Researchers at SentinelLabs also published proof-of-concept code demonstrating the exploit, and revealed that although Microsoft has acknowledged the vulnerability, no patch will be released. The researchers did, however, publish a series of mitigations aimed at preventing an attacker from triggering an authenticated RPC/DCOM call and then relaying the NTLM authentication. 

“This is different from other known techniques such as CVE-2020-1113 and CVE-2021-1678, where relaying happens between a generic ‘client’ protocol vs. an RPC server. In this case, we had an RPC client whose authentication was relayed to other ‘server’ protocols and without ‘victim’ interaction. Therefore, we hope that MS reconsider their decision not to fix this serious vulnerability,” SentinelLabs concludes.