North Korea or Russia is Lazarus belongs

North Korean state-sponsored cybercriminals have been time and again accused of buying access to pre-hacked servers from other threat actors. However, lately, connections have emerged between the North Korea-based Lazarus APT group and some of the prominent Russian-speaking cybercriminal groups.

TrickBot, Dridex, and TA505 are threat groups linked to various Russian-speaking threat actors who sell access to victims’ systems on the dark web. Lazarus has been found to be infrequently using TrickBot’s codes in its attacks.

TrickBot is a privately-run Malware-as-a-Service (Maas) offering, which can be accessed by only top-tier threat actors.

TA505 is a cybercriminal group that has purchased a huge number of tools from the underground.

According to a report by LEXFO, past Lazarus infections have been spotted to coexist with TrickBot and Emotet.
TA505 and Lazarus IOCs were found together in bank networks.

North Korea-based hackers may “be working with or contracting out to criminal hacking groups, like TA505, for initial access development.”

Based on the different incidents, experts assess that there is a connection between Lazarus and Russian-speaking cybercriminals.

TrickBot appears to possess a treasure trove of compromised accesses that Lazarus can definitely leverage.

It is very likely that threat actors with access to TrickBot infections are in touch with North Korean state-sponsored hackers. Knowing that there is a link between different threat actors provides defenders an opportunity to identify a potential second problem when the first one occurs.

Maze infects via VM 🐾

The gang responsible for the Maze ransomware family conducted an attack in which they distributed their malware payload inside of a virtual machine (VM).

The attackers packaged the ransomware payload inside of a Windows .msi installer file that was more than 700MB in size and distributed it onto the VM’s virtual hard drive.

A look inside the Maze-delivered VM, with the 495KB ransomware payload clearly visible. (Source: Sophos MTR)

An investigation into the attack revealed that the malicious actors had been present on the targeted organization’s network for at least six days prior to distributing their ransomware payload. During that period, they had built lists of internal IP addresses, used one of the organization’s domain controller servers and exfiltrated information to data leak site

This dwell time could explain the existence of certain configurations of the Maze-delivered VM. As quoted by Sophos’ MTR in its research:

The virtual machine was, apparently, configured in advance by someone who knew something about the victim’s network, because its configuration file (“micro.xml”) maps two drive letters that are used as shared network drives in this particular organization, presumably so it can encrypt the files on those shares as well as on the local machine. It also creates a folder in C:\SDRSMLINK\ and shares this folder with the rest of the network.

The campaign described above wasn’t the first instance in which attackers have delivered ransomware inside a virtual machine. Sophos’ MTR spotted the Ragner locker crypto-malware family pull the same trick.

The virtual machine in that attack ran Windows XP as opposed to the Windows 7 instance on the VM containing Maze. Furthermore, the latter VM was larger in size in order to support additional functionality.

Backup ! Backup ! Backup ! Not only required … Hygienic cyber policy required.

Crowdstrike joins hand with ServiceNow for IR

CrowdStrike has today announced it has joined the ServiceNow® Service Graph Connector Program, a new designation within the Technology Partner Program.

Users can now integrate device data from the CrowdStrike Falcon platform into their incident response process, allowing for the improvement of both the security and IT operation outcomes.

The Service Graph Connector program leverages the ServiceNow’s tech and engineering to provide a means of bringing third-party data into the Configuration Management Database (CMDB).

“ServiceNow is leading the future of work by creating great experiences for businesses,” says ServiceNow vice president and general manager of IT operations management, security, and CMDB Jeff Hausman.

“We are pleased to have CrowdStrike integrate its Service Graph Connector to improve visibility of attack surface and device inventory so that customers can easily leverage ServiceNow for better security and IT response.”

CrowdStrike’s Service Graph Connector enables customers to:

Gain control and visibility

Shorten time to response

Improve efficiency with API

ServiceNow Service Graph, the next-generation system of record for digital products and services addresses the entire technology stack from infrastructure to the application layer.

It includes ServiceNow’s CMDB, the repository for all infrastructure, relationships and configuration management information.

With Service Graph, IT organisations can leverage a broad and deep data foundation for managing the entire lifecycle of digital products and services.

This connected approach enables customers to leverage their existing CMDB investments to rationalise portfolios, automate development, streamline cloud and security operations, manage risk, and understand ROI, driving high-value business outcomes.

“Accessing and operationalising endpoint device data is critical to accelerating the response to security-related incidents,”

“CrowdStrike’s Service Graph Connector on ServiceNow offers a seamless bridge between device data, asset management, and incident response processes, enabling customers to stay one step ahead of threats.”

CVE 2020-1472 – Exploit goes wild

The CVE-2020-1472 flaw is an elevation of privilege that resides in the Netlogon. The Netlogon service is an Authentication Mechanism used in the Windows Client Authentication Architecture which verifies logon requests, and it registers, authenticates, and locates Domain Controllers.

“An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC).

An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.” reads the advisory published by Microsoft.

“To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.”

“By forging an authentication token for specific Netlogon functionality, he was able to call a function to set the computer password of the Domain Controller to a known value. After that, the attacker can use this new password to take control over the domain controller and steal credentials of a domain admin.”

“The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords.”

An attacker could exploit the vulnerability to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.

An attacker could also exploit the flaw to disable security features in the Netlogon authentication process and change a computer’s password on the domain controller’s Active Directory.

“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password.”

“This attack has a huge impact: it basically allows any attacker on the local network to completely compromise the Windows domain. The attack is completely unauthenticated”

The ZeroLogon attack could be exploited by threat actors to deliver malware and ransomware on the target network.

The only limitation on how to carry out a Zerologon attack is that the attacker must have access to the target network.

Researchers released a Python script that uses the Impacket library to test vulnerability for the Zerologon exploit, it could be used by admins to determine if their domain controller is still vulnerable.

August 2020 Patch Tuesday security updates only temporarily address the vulnerability making Netlogon security features mandatory for the Netlogon authentication process. This has the severity score of 10