Intel Reports

Activity Summary - Week Ending on 8 December 2023:

• Red Sky identified 32,696 connections from ‘new’ unique IP addresses
• Private Layer Inc. (Switzerland) hit 769x
• 75 ‘new’ Botnets hits
• Apache Active
• CVE-2023-46604
• Open Wire Protocol
• DePauw University
• Trellix’s Study
• CISOs report 67% increase in Technology Budgets
• Security Auditing and GRC for Cyber Resilience

Red Sky Alliance Compromised (C2) IP’s

On 6 December 2023, Red Sky Alliance identified 32,696 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Red Sky Alliance Malware Activity 

For a full black list – contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 6 December 2023, analysts identified 75 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers). 

Keylogger IOCs available upon request. 

MALICIOUS CYBER TRENDS:

Apache Active - This past October, Apache issued a critical advisory addressing CVE-2023-46604, a vulnerability involving the deserialization of untrusted data in Apache.  On 2 November, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-46604 to its known exploited list, KEV Catalog, indicating this vulnerability's high risk and impact. Fortiguard Labs also released an outbreak alert and a threat signal report about the active exploitation of CVE-2023-46604, providing more details and recommendations for mitigation.[1]

Technical details and proof-of-concept (PoC) code for CVE-2023-46604 are publicly available, making it easier for attackers to exploit this vulnerability. In recent weeks, Fortiguard Labs has detected numerous threat actors exploiting CVE-2023-46604 to disseminate diverse strains of malware.  Our analysis has unveiled the emergence of a newly discovered Golang-based botnet named GoTitan and a .NET program called "PrCtrl Rat," equipped with remote control capabilities.  Additionally, we have identified other well-known malware and tools in play. Initially developed as an advanced penetration testing tool and red teaming framework, Sliver supports various callback protocols, including DNS, TCP, and HTTP(S), streamlining egress processes. Kinsing has solidified its position in cryptojacking operations, showcasing its ability to quickly capitalize on newly discovered vulnerabilities.  Meanwhile, Ddostf, with a history dating back to 2016, continues to exhibit its proficiency in executing targeted Distributed Denial of Service (DDoS) attacks.

Below will detail the exploitation and provide insights into the malware associated with these recent attacks.

Exploitation - The attacker initiates a connection to ActiveMQ through the OpenWire protocol, typically on port 61616.  By transmitting a crafted packet, the attacker triggers the system to unmarshal a class under their control.  This action, in turn, prompts the vulnerable server to retrieve and load a class configuration XML file from a specified remote URL, requiring the presence of a predefined XML file hosted externally.

The known exploitation of this vulnerability involves leveraging the “ClassPathXmlApplicationContext” to load a malicious XML application configuration file from a network location via HTTP. Figure 1 shows the captured attacking traffic.  The malicious XML file defines the arbitrary code intended to execute on the compromised machine.  Attackers can set parameters like “cmd” or “bash” to achieve code execution on the remote vulnerable server (Figure 2).

In the following sections, we will explain how the malware works and what it does on infected systems.

Figure 1: Attacking traffic for CVE-2023-46604

Figure 2: Malicious XML files

GoTitan:

Figure 3: GoTitan's XML file

GoTitan is a new botnet discovered earlier this month.  It is written in the Go programming language and is downloaded from a malicious URL, “hxxp://91.92.242.14/main-linux-amd64s”.  The attacker only provides binaries for x64 architectures, and the malware performs some checks before running.  It also creates a file named "c.log" that records the execution time and program status.  This file seems to be a debug log for the developer, which suggests that GoTitan is still in an early stage of development.

Figure 4: Save the log file

It replicates itself as “/.mod” within the system and establishes a recurring execution by registering in the cron.  It then retrieves the C2 IP address and gathers essential information about the compromised endpoint, including architecture, memory, and CPU details.  Compiling all the collected data using “<==>” as separators, it transmits its collected information to the C2 server.  The C2 message initiates with the hard coded string “Titan<==>”.

Figure 5: Construct C2 message

Figure 6: C2 traffic session for GoTitan

GoTitan communicates with its C2 server by sending “\xFE\xFE” as a heartbeat signal and waiting for further instructions.  When it receives a command, it passes it to a function named “handle_socket_func2” that determines an attack method.  GoTitan supports ten different methods of launching distributed denial-of-service (DDoS) attacks: UDP, UDP HEX, TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT.

Sliver

Figure 7: Sliver's XML file

Sliver, an open-source penetration testing tool developed in the Go language and available on GitHub, possesses the potential for misuse when wielded by threat actors due to its diverse features catering to each stage of penetration testing.  Threat actors can leverage Sliver to compromise and control multiple targets across various platforms and architectures.  The tool enables the generation of customized implants designed to elude detection, allowing for the execution of commands, file uploads and downloads, screenshot capture, and more on infected systems.  When communicating with the C2 server at “91[.]92[.]240[.]41” via HTTP requests, Sliver dynamically selects decoders for C2 messages based on parameters in the URI.  Additionally, Sliver supports various encoders, including Base32, Base58, Base64, English encoder, Gzip, Hex, and PNG. The encoded C2 communication in HTTP protocol is shown in Figure 8.

Figure 8: C2 session for Sliver

PrCtrl Rat

Figure 9: PrCtrl Rat’s XML file

The attacker retrieves the execution file from “hxxp://199[.]231[.]186[.]249:8000/unifo.dat” and stores it as “svc_veeam.exe”.  The file 'unifo.dat' is a .Net framework program initially labeled as “prcli.exe” that was created in August and still spread via CVE-2023-46604.  Figure 10 shows the PDB path and detailed information.

Figure 10: Information for uninfo.dat

For persistence, it adds “Security Service” with the current process into the registry “HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.”

It then starts the connection to C2 server “173[.]214[.]167[.]155.” Once the command is received from a remote server, it checks for a length of four. If not, it exits the program. It supports five commands:

cmdc: Running cmd.exe with a specific command and returning the result to the server.

file: Get file system information on a target system, such as drives or the directory, and files.

upld: Upload file.

dnld: Download file.

ping: Heartbeat.

As of this writing, analysts have yet to receive any messages from the server, and the motive behind disseminating this tool remains unclear.  However, once it infiltrates a user's environment, the remote server gains control over the system.

Kinsing

Figure 11: Kinsing's XML file

• Kinsing fetches the bash script from “194[.]38[.]22[.]53/acb.sh.” It serves the following purposes:
• System Configuration: Modifies system parameters, such as disabling the firewall, flushing iptables rules, and turning off the NMI watchdog.
• Dependency Check: Verifies the existence of curl or wget and installs them if they are absent.
• Process Cleanup: Terminates processes associated with specific executable names and competing miners.

Binary Download and Verification: Downloads a main binary and a shared object file and then verifies the integrity of the downloaded binary using MD5 checksum.

System Configuration: Creates a system service configuration file for the downloaded binary.

Cronjob Setting: Removes specific entries from the crontab related to known malicious activities. Adds a new cronjob to periodically execute a command fetched from a remote server hxxp://185[.]122[.]204[.]197/acb.sh

Cleanup: Clears command history and removes bash history files.

Ddostf

Figure 12: Ddostf's XML file

The batch script used by Ddostf is retrieved from “hxxp://42[.]121[.]111[.]112:81/xml.sh.”  It configures the history log with “+o” to prevent the recording of the current session.  It then installs curl to download additional execution files and eliminate any traces.

Figure 13: Batch script to deploying Ddostf

The executable file “tomcat” includes the recognizable string “ddos.tf” and the Base64-encoded string for “v8.ter.tf.”  Its characteristics align with those of a threat actor who had targeted China in 2018.

Figure 14: Ddostf's binary data

It first verifies that it has root privilege and that the process is running on the device.  It then ensures that it will persist on the device by executing the command shown below.

Figure 15: Ddostf's setting

Ddostf includes a hard-coded string, “TF-Linux kernel…,” which appends either “SYN-“ or “UDP-“ in its C2 message, depending on whether the process runs with root privileges.

Figure 16: Send C2 message

Ddostf incorporates 13 attack methods: SYN_Flood, WZSYN_Flood, ICMP_Flood, GET_Flood, GETFT_Flood, HEAD_Flood, POST_Flood, xzcc_Flood, TCP_Flood, WZTCP_Flood, ack_Flood, WZUDP_Flood, and UDP_Flood.  Additionally, it defines a function called “DNS_Flood,” which is not included in the current switch cases and is possibly intended for future enhancements.

Figure 17: DNS flood function

Conclusion - Despite the release of a patch for CVE-2023-46604 over a month ago, threat actors persist in exploiting this vulnerability to distribute malware on susceptible servers.  This report introduces newly discovered threats, including the Golang-based botnet GoTitan and the .NET program “PrCtrl Rat,” which have emerged because of this exploitation.  Additionally, users should remain vigilant against ongoing exploits by Sliver, Kinsing, and Ddostf.  It is crucial to prioritize system updates and patching and regularly monitor security advisories to effectively mitigate the risk of exploitation.

IOCs / IP List

185[.]122[.]204[.]197
194[.]38[.]22[.]53
42[.]121[.]111[.]112
91[.]92[.]242[.]14
199[.]231[.]186[.]249
173[.]214[.]167[.]155
91[.]92[.]240[.]41

Files

f75cb3e540b96cd54a966c512c854c832807e354772ae1a326b758394b01b607
dbf8ba47a5973c86fef32c2d696b09e1930a8384087c62ace1aa5c4084ee1a3f
1a3d9960a1685707f8cc2bc447c88f5c3278454fbf0a35a7959717ad835348cd
d8f55bbbcc20e81e46b9bf78f93b73f002c76a8fcdb4dc2ae21b8609445c14f9
0cc60a0c480e4d898fa77ab501bbd2afaf3f5fb89a2917a31e7f5fdaa6c3879c
ed09f95f4b4b482207bb300ff6ec15ed8ca5fdde97af02fa9fbe01adaaf7673b
bfce7938591dd9fa3e1368d7eb86fc7f11e935349437fc11de4f124bbbc16dee
f5a36570506bfaff60b684cd26dde3a64a3db4eaa9da78a1434cfd4b390ef3d5
5acf5ce55678519cd65e001d3f600fa1de288f1cd3e203b4c9439979f4b67175
923f2be3d55fcdab7da5cb2be3c16dfcc1582b83d1e4a831236445a52ca81878
b90abde8f449bbe6bec9495386fab1833c0654f83c7b2f5ebcf5b14743c30600

GLOBAL TRENDS:

US - DePauw University warned students this week that their personal information may have been accessed by hackers who attacked the school.  The school newspaper reported that on 27 November, current and prospective students were sent letters notifying them of a data leak and providing them with one year of free identity protection services.  The liberal arts school, which is located in Greencastle, Indiana and services about 1,700 students, published its own advisory about the incident.  IT officials said they detected the cyberattack on 31 October and worked with federal law enforcement agencies as well as cybersecurity experts to investigate the incident.[2]

“Although the investigation is ongoing, the preliminary investigation has revealed that a limited amount of data on specific individuals was accessed. Those individuals whose data was compromised have received a notification via mail and we will provide them with resources to protect their identity,” they said.  “We regret the impact this incident has had on our community, and we are reviewing all our current security protocols and adding additional measures to enhance security as needed.”  The school added that the reason it had the information was because it “maintains certain personal information for standard enrollment and administrative purposes.”  Officials did not say what information was accessed and did not respond to requests for comment.

This past week, the Black Suit ransomware gang said it was behind the attack, claiming to have stolen 214 GB of data.  The public became aware of the attack on 1 November,  when the campus Internet went down.  Students lost access to campus printers, email, the internet and the university network.

The attack on DePauw University adds yet another school to the lengthy list of educational institutions attacked by ransomware gangs this year.  An Emsisoft ransomware expert said at least 76 post-secondary schools have been impacted by ransomware so far in 2023, far outpacing the 44 colleges and universities attacked in 2022.  There are a variety of reasons why attacks on universities and colleges increased this year.  “There are definitely more reporting requirements for schools than in the past, but I do think the attacks on schools are driven by the increased number of ransomware groups out there, combined with the fact that schools are seen as an ‘easy target,’” he said.  “There are also certain ransomware groups that like to target schools specifically.”  Some ransomware groups almost exclusively target schools, like Rhysida and LostTrust.

Analysts were also seeing a stark increase in attacks on all types of schools worldwide, including K-12, colleges and universities.  Overall, he has tracked 246 of those ransomware attacks in 2023, up from 189 attacks last year.

International / Reoccurring Cyber Attacks – A recent Trellix’s study reveals a common pattern among CISOs, which is their reactive approach until boards take a proactive one.  Following a cyberattack, a staggering 97% of CISOs report that their boards have become more cooperative.  Modifications to plan (70%) and increased technology budgets (67%), as well as ongoing assessments of workforce, architecture, and capabilities, are frequently the results of this reactive approach. 

But the question arises here: Should organizations not take the initiative to promote cybersecurity measures before an attack?

How Diverse are Cyber Attacks in 2023?  Organizations face a wide range of cyber-attacks in 2023 due to the complicated field of cybersecurity.  Among them, malware poses the biggest threat of about 70% and so does data theft at a similar worrisome number.  These figures highlight the necessity of security auditing and a comprehensive cyber security strategy for your organization. This addresses more than just technical vulnerabilities.  Organizations must adopt a comprehensive approach.  This strategy should consider the interpersonal and operational factors in addition to technological ones if they are to successfully address these complex issues. Modern firewalls and security controls are essential.  Training employees about the risks of digital scams (for instance in applications, web browsers, etc.) is even more crucial. Successful hacking attempts are still mostly the result of human error, which makes ongoing training and awareness outreach efforts essential.

Challenges and Impacts of Cyber Attacks for CISOs - Chief Information Security Officers (CISOs)  encounter numerous challenges during and after cyber risks, navigating a complex landscape that demands strategic resilience and adaptability.  Here are key difficulties faced by CISOs in the wake of cyber incidents:

1. Reactive Board Support:

Challenge: CISOs often face the challenge of garnering board support before a cyber attack occurs.

Impact: Boards tend to become proactive in supporting cybersecurity measures only after an incident, hindering proactive risk mitigation.

2. Diverse Attack Vectors:

Challenge: Cyber threats manifest in various forms, including malware, application vulnerabilities, and data theft.

Impact: CISOs must develop comprehensive defense strategies that cover a broad spectrum of attack vectors, requiring a multifaceted approach.

3. Technology and Process Improvement

Challenge: Identifying technology gaps and process weaknesses after an attack.

Impact: CISOs need to swiftly enhance both technological infrastructure and procedural frameworks to prevent future incidents.

Why are vCISOs Significant to Protect Organizations?  The aftermath of a cyber incident extends beyond monetary losses and rising insurance premiums. The top three repercussions are company downtime (67%), data loss (67%), and stress on Security Operations (SecOps) teams (83%). It is at this point that virtual chief information security officers, or vCISOs, become crucial.  By offering strategic guidance, these cyber specialists make sure that businesses are equipped to deal with the consequences of cyber risks.  Employing a Virtual Chief Information Security Officer (vCISO) offers businesses convenient access to experienced cybersecurity expertise, easing the financial burden of a full-time CISO role.  This would ensure a piece of ongoing strategic advice and insight to successfully detect and manage cyber-attacks.  Moreover, vCISOs contribute an array of varied sector experiences, providing a new outlook and customized solutions to tackle the ever-changing cybersecurity issues. This helps in strengthening an organization’s defenses against cyber threats.

Role of Security Auditing and GRC for Cyber Resilience - Security auditing thoroughly finds vulnerabilities in an organization’s digital infrastructure. This acts as an alert for businesses to secure their frameworks. Audits reveal hidden vulnerabilities in networks, apps, and procedures by use of methodical evaluations. This procedure offers a comprehensive assessment of the organization’s cybersecurity posture and goes above and beyond standard security measures. Organizations that undertake security audits regularly can prevent cyber risks before they materialize by acquiring a proactive understanding of potential threats.

The key components of an organization’s regulatory adherence and risk management approach are Governance, Risk, and Compliance (GRC).  Maintaining compliance is essential in a time marked by strict industrial standards and data protection laws.  Through the effective management of risks, the alignment of policies with industry standards, and the assurance of legal compliance, GRC frameworks help organizations optimize their operations. This promotes an organizational culture of accountability and transparency while protecting sensitive data.  Security auditing and GRC work together to produce an effective combination that enables organizations to successfully anticipate, avoid, and respond to cyber-attacks. 

Conclusion - Businesses must take proactive and strategic steps to strengthen their cybersecurity defenses due to the problems they encounter.  It is important for companies to understand that the recurring cyber-attacks would stop with the right approach and under the correct guidance of cyber experts.  

[1] https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq?lctg=141970831

[2] https://therecord.media/depauw-university-warns-of-data-breach-ransomware-attack/