Maze infects via VM

The gang responsible for the Maze ransomware family conducted an attack in which they distributed their malware payload inside a virtual machine (VM).

The attackers packaged the ransomware payload inside a Windows .msi installer file more than 700MB in size and placed it on the VM’s virtual hard drive.

A look inside the Maze-delivered VM, with the 495KB ransomware payload clearly visible. (Source: Sophos MTR)

An investigation into the attack revealed that the malicious actors had been present on the targeted organization’s network for at least six days prior to distributing their ransomware payload. During that period, they had built lists of internal IP addresses, used one of the organization’s domain controller servers and exfiltrated information to a data leak site.

This dwell time could explain certain configuration choices in the Maze-delivered VM. As Sophos MTR wrote in its research:

The virtual machine was, apparently, configured in advance by someone who knew something about the victim’s network, because its configuration file (“micro.xml”) maps two drive letters that are used as shared network drives in this particular organization, presumably so it can encrypt the files on those shares as well as on the local machine. It also creates a folder in C:\SDRSMLINK\ and shares this folder with the rest of the network.

The campaign described above wasn’t the first instance in which attackers delivered ransomware inside a virtual machine. Sophos MTR had already spotted the Ragnar Locker crypto-malware family pulling the same trick.

The virtual machine in that attack ran Windows XP as opposed to the Windows 7 instance on the VM containing Maze. Furthermore, the latter VM was larger in size in order to support additional functionality.
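The configuration detail quoted above (a VM whose shared folders map the organisation’s network drives so the guest can reach them) is something a defender can hunt for in VM configuration files on the host. The script below is an added example written for this write-up, not code from Sophos or from the attackers’ “micro.xml”: it parses a VirtualBox-style XML config and flags shared folders that expose a whole drive or a UNC network share to the guest. The two XML samples are constructed, and the `<SharedFolder name= hostPath= writable=>` layout is assumed to follow the .vbox file format.

```python
"""Hunt for VirtualBox VM configurations that expose whole host drives or
network shares to the guest, the pattern described in the Maze report.
Constructed for this write-up: the XML samples below are made up (they are
not the attackers' "micro.xml"), and the <SharedFolder name= hostPath=
writable=> layout is assumed to follow the .vbox file format."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: several whole drives plus a UNC share, all writable.
SUSPICIOUS_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/">
  <Machine name="micro" OSType="Windows7">
    <Hardware>
      <SharedFolders>
        <SharedFolder name="c" hostPath="C:\\" writable="true"/>
        <SharedFolder name="x" hostPath="X:\\" writable="true"/>
        <SharedFolder name="y" hostPath="Y:\\" writable="true"/>
        <SharedFolder name="fin" hostPath="\\\\fileserver\\finance" writable="true"/>
        <SharedFolder name="link" hostPath="C:\\SDRSMLINK\\" writable="true"/>
      </SharedFolders>
    </Hardware>
  </Machine>
</VirtualBox>
"""

# Constructed sample: a developer VM that shares one project folder read-only.
BENIGN_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/">
  <Machine name="devbox" OSType="Windows7">
    <Hardware>
      <SharedFolders>
        <SharedFolder name="src" hostPath="C:\\Users\\dev\\project" writable="false"/>
      </SharedFolders>
    </Hardware>
  </Machine>
</VirtualBox>
"""

DRIVE_ROOT = re.compile(r"[A-Za-z]:[\\/]?")


def find_exposed_shares(vbox_xml: str) -> list:
    """Return one finding per shared folder whose host path is a whole drive
    or a UNC network share; other shared folders are ignored."""
    root = ET.fromstring(vbox_xml)
    findings = []
    for el in root.iter():  # namespace-agnostic: match on the local tag name
        if not el.tag.endswith("}SharedFolder") and el.tag != "SharedFolder":
            continue
        path = el.get("hostPath", "")
        if DRIVE_ROOT.fullmatch(path):
            reason = "entire host drive exposed to guest"
        elif path.startswith("\\\\"):
            reason = "network share (UNC path) exposed to guest"
        else:
            continue
        findings.append({
            "name": el.get("name", "?"),
            "hostPath": path,
            "writable": el.get("writable", "false").lower() == "true",
            "reason": reason,
        })
    return findings


def looks_like_encryption_staging(findings: list, max_drive_roots: int = 1) -> bool:
    """Heuristic: a VM given write access to more than one whole drive, or to
    any network share, matches the staging pattern rather than a dev setup."""
    roots = sum(1 for f in findings if f["reason"].startswith("entire"))
    shares = sum(1 for f in findings if f["reason"].startswith("network"))
    writable = any(f["writable"] for f in findings)
    return writable and (roots > max_drive_roots or shares > 0)


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_VBOX), ("benign", BENIGN_VBOX)):
        found = find_exposed_shares(xml_text)
        print(label, "staging-like:", looks_like_encryption_staging(found))
        for f in found:
            print("  ", f["name"], f["hostPath"], f["reason"],
                  "writable" if f["writable"] else "read-only")
```

The heuristic deliberately tolerates a single shared drive, since developers do that; what stands out in the Maze case is write access to several drives and to network shares at once, on a host that has no business running a hypervisor.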

Backup! Backup! Backup! Backups are required, but not sufficient on their own: a hygienic cyber policy is required too.

Ngrok Abused

Cybercriminals have been using ngrok, a cross-platform application that exposes local development servers to the internet, for malicious purposes for years now.

One organization was targeted by a keylogger, with the malicious actors installing a copy of the ngrok tool to obtain specific details about the environment.

Recent campaigns, in brief

  • Recently, threat actors were seen using ngrok to expose several machines within victims’ networks, making them visible to the outside world.
  • It is believed that the attackers needed three things already in place: ngrok installed on the internal machine, an administrator account, and the ngrok server domain and port.
  • Since the attackers knew the ngrok-assigned public address, they could connect to the compromised system at any time.

How it’s been used

Threat actors can abuse the service to gain unauthorized access to the targeted network, download payloads, exfiltrate data, and craft unique URLs. The tunneling service also helps cybercriminals evade detection: it generates random URLs, making the traffic harder to track, detect, or block.

Recent attacks using the ngrok tool

  • Pioneer Kitten, an Iran-based APT, was found selling corporate network credentials on hacker forums. The group is known for its regular use of ngrok.
  • Fox Kitten was observed attacking the US private and government sectors. The group is known for using ngrok to target on-premises BIG-IP devices.

Ways to mitigate

Organizations must be aware of ngrok and other tunneling services, as these services can be abused by hackers. Experts suggest that organizations using tunneling services should have a secure authorization mechanism for every access level, and its setup should include approval from security teams. In addition to this, the tunnel should be password-protected and IP whitelisting should be enabled.
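Awareness of ngrok is easier to act on with a concrete detection. The script below is an added example for this write-up, not code from any of the reports above: it runs two rules over endpoint telemetry, one for DNS lookups of ngrok’s public tunnel endpoints and one for the ngrok binary and its tunnel-start command line. The six log lines and their key=value format are constructed; the domain list is limited to ngrok endpoints the author is sure of.

```python
"""Flag ngrok tunnel activity in endpoint telemetry. Detection logic added
for this write-up; the six log lines are constructed samples in a made-up
key=value format, and the domain list is limited to ngrok's public tunnel
endpoints the author is sure of."""
import re

NGROK_DOMAINS = ("ngrok.io", "ngrok.com", "ngrok.app", "ngrok-free.app")
NGROK_BINARIES = ("ngrok", "ngrok.exe")
# "ngrok tcp 3389"-style command lines, with the binary under its own name.
TUNNEL_CMD = re.compile(r"\bngrok(?:\.exe)?\s+(tcp|http|tls|start)\b(?:\s+(\d+))?", re.I)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events (DNS queries and process starts as a SIEM might store them).
SAMPLE_EVENTS = [
    'ts=2020-09-20T10:01:03Z host=WS01 type=dns query=tunnel.ngrok.com',
    'ts=2020-09-20T10:01:04Z host=WS01 type=process image=C:\\Users\\svc\\AppData\\Local\\Temp\\ngrok.exe cmd="ngrok.exe tcp 3389"',
    'ts=2020-09-20T10:02:00Z host=WS02 type=dns query=www.microsoft.com',
    'ts=2020-09-20T10:03:11Z host=WS03 type=process image=C:\\Tools\\updater.exe cmd="updater.exe --check"',
    'ts=2020-09-20T10:04:30Z host=DEV05 type=dns query=abcd1234.ngrok-free.app',
    'ts=2020-09-20T10:05:00Z host=WS04 type=process image=C:\\temp\\svc.exe cmd="svc.exe http 8080"',
]


def parse_event(line: str) -> dict:
    """Split a key=value line into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def is_ngrok_domain(fqdn: str) -> bool:
    """True for an ngrok endpoint domain or any subdomain of one."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in NGROK_DOMAINS)


def detect_ngrok(lines) -> list:
    """Return one finding per event that matches the DNS or process rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = []
        if ev.get("type") == "dns" and is_ngrok_domain(ev.get("query", "")):
            reasons.append("DNS lookup of ngrok tunnel endpoint " + ev["query"])
        if ev.get("type") == "process":
            binary = re.split(r"[\\/]", ev.get("image", ""))[-1].lower()
            if binary in NGROK_BINARIES:
                reasons.append("ngrok binary executed from " + ev["image"])
            m = TUNNEL_CMD.search(ev.get("cmd", ""))
            if m:
                port = m.group(2)
                reasons.append("tunnel started: " + m.group(1) + (" port " + port if port else ""))
                if port == "3389":
                    reasons.append("exposes RDP (3389) to the internet")
        if reasons:
            findings.append({"ts": ev.get("ts"), "host": ev.get("host"), "reasons": reasons})
    return findings


def hosts_with_ngrok(lines) -> list:
    """Distinct hosts that triggered any rule, for triage."""
    return sorted({f["host"] for f in detect_ngrok(lines)})


if __name__ == "__main__":
    for f in detect_ngrok(SAMPLE_EVENTS):
        print(f["ts"], f["host"], "; ".join(f["reasons"]))
    print("hosts:", hosts_with_ngrok(SAMPLE_EVENTS))
```

Note what the last sample line shows: a renamed binary (`svc.exe http 8080`) slips past both name-based rules, which is why the DNS rule matters. The client still has to resolve ngrok’s tunnel endpoint, so a DNS or proxy log catches what a process-name rule misses, and an organisation that has approved ngrok use can turn the same list into an allow-list of the hosts permitted to reach those domains.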

BLESA: Bluetooth disguised

The improper BLE reconnection procedure has made billions of Android and iOS devices vulnerable to the new attack dubbed Bluetooth Low Energy Spoofing Attack (BLESA).

Two critical security flaws in the BLE link-layer authentication mechanism expose Bluetooth devices to the BLESA attack.
These weaknesses allow an attacker to impersonate a BLE server device and provide spoofed data to another previously paired device.

Researchers found that multiple software stacks, covering more than one billion BLE devices and 16,000 BLE apps, can be exploited through the BLESA flaw, among them BlueZ (Linux-based IoT devices), Fluoride (Android), and the iOS BLE stack.
Additionally, researchers found a related implementation vulnerability (CVE-2020-9770) in the Android and iOS BLE stacks that makes these two stacks vulnerable against BLESA.

Earlier this month, another vulnerability dubbed BLURtooth was found in a Cross-Transport Key Derivation (CTKD) component of Bluetooth. By setting up two different sets of authentication keys for both the BLE and Basic Rate/Enhanced Data Rate (BR/EDR) standard, it lets attackers overwrite Bluetooth authentication keys.

In July, researchers reported an authentication bypass in BLE reconnections using two critical design weaknesses in BLE stack implementations in Linux, Android, and iOS. Google and Apple also confirmed the flaw.

Escape route

Because BLESA targets the reconnection process, which happens far more often than initial pairing, the attack is hard to defend against. Purdue’s team has released a report on possible improvements to the reconnection procedure; according to them, both the BLE stack implementations and the BLE specification need to be updated.
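The implementation change the researchers call for comes down to one decision in the client: when a bonded server reconnects, is link-layer encryption mandatory or optional? The model below is an added example written for this write-up, not code from the Purdue report or from any BLE stack. It is a toy: an HMAC challenge stands in for the encryption start that the real Long-Term Key drives, and the peripheral classes and the sample address are made up. What it shows is that the same bond table gives a different answer to a peer that skips encryption depending on that one policy flag.

```python
"""Toy model of the decision a BLE client makes when a previously bonded
server reconnects. Written for this write-up; it is not a BLE stack, and
the HMAC challenge stands in for the link-layer encryption start that the
real Long-Term Key (LTK) drives. The point it shows is the policy
difference the Purdue researchers describe: treating encryption as
optional on reconnection versus enforcing it."""
import hashlib
import hmac
import os


class GenuinePeripheral:
    """The bonded server: holds the LTK from the original pairing."""
    def __init__(self, ltk: bytes):
        self.ltk = ltk

    def start_encryption(self, nonce: bytes):
        # Stand-in for proving possession of the LTK during encryption setup.
        return hmac.new(self.ltk, nonce, hashlib.sha256).digest()


class KeylessPeripheral:
    """A peer presenting the bonded address without ever having paired, so
    it cannot complete encryption and simply skips the step."""
    def start_encryption(self, nonce: bytes):
        return None


class BondedCentral:
    """The client. enforce_encryption=False models the lenient reconnection
    behaviour; True models the fail-closed fix."""
    def __init__(self, enforce_encryption: bool):
        self.bonds = {}          # peer address -> LTK established at pairing
        self.enforce_encryption = enforce_encryption

    def pair(self, address: str, ltk: bytes) -> None:
        self.bonds[address] = ltk

    def accepts_data_on_reconnect(self, address: str, peer) -> bool:
        ltk = self.bonds.get(address)
        if ltk is None:
            return False         # unknown peer: a fresh pairing would be required
        nonce = os.urandom(16)
        proof = peer.start_encryption(nonce)
        if proof is None:
            # Encryption was never started. A lenient stack keeps talking in
            # plaintext and trusts whatever attributes the peer sends.
            return not self.enforce_encryption
        expected = hmac.new(ltk, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(proof, expected)


def evaluate_policy(enforce_encryption: bool):
    """Return (genuine_accepted, keyless_accepted) for one client policy."""
    ltk = os.urandom(16)
    address = "AA:BB:CC:DD:EE:FF"   # constructed sample address
    central = BondedCentral(enforce_encryption)
    central.pair(address, ltk)
    genuine = central.accepts_data_on_reconnect(address, GenuinePeripheral(ltk))
    keyless = central.accepts_data_on_reconnect(address, KeylessPeripheral())
    return genuine, keyless


if __name__ == "__main__":
    print("optional encryption (lenient):", evaluate_policy(False))   # (True, True)
    print("enforced encryption (fixed):  ", evaluate_policy(True))    # (True, False)
```

The lenient policy is the one the article describes as making the attack possible: a peer that never proves it holds the key is still trusted, because the client treats the skipped encryption step as acceptable. Flipping the flag costs the genuine device nothing, which is why the fix is an implementation and specification change rather than a new pairing procedure.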

CrowdStrike joins hands with ServiceNow for IR

CrowdStrike has today announced that it has joined the ServiceNow® Service Graph Connector Program, a new designation within the Technology Partner Program.

Users can now integrate device data from the CrowdStrike Falcon platform into their incident response process, improving both security and IT operations outcomes.

The Service Graph Connector program leverages ServiceNow’s technology and engineering to bring third-party data into the Configuration Management Database (CMDB).

“ServiceNow is leading the future of work by creating great experiences for businesses,” says ServiceNow vice president and general manager of IT operations management, security, and CMDB Jeff Hausman.

“We are pleased to have CrowdStrike integrate its Service Graph Connector to improve visibility of attack surface and device inventory so that customers can easily leverage ServiceNow for better security and IT response.”

CrowdStrike’s Service Graph Connector enables customers to:

  • Gain control and visibility
  • Shorten time to response
  • Improve efficiency with API

ServiceNow Service Graph, the next-generation system of record for digital products and services, addresses the entire technology stack from infrastructure to the application layer.

It includes ServiceNow’s CMDB, the repository for all infrastructure, relationships and configuration management information.

With Service Graph, IT organisations can leverage a broad and deep data foundation for managing the entire lifecycle of digital products and services.

This connected approach enables customers to leverage their existing CMDB investments to rationalise portfolios, automate development, streamline cloud and security operations, manage risk, and understand ROI, driving high-value business outcomes.

“Accessing and operationalising endpoint device data is critical to accelerating the response to security-related incidents,”

“CrowdStrike’s Service Graph Connector on ServiceNow offers a seamless bridge between device data, asset management, and incident response processes, enabling customers to stay one step ahead of threats.”