Author: hello@alienvault.com

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

The installation of Active Directory (AD) on Windows Server 2019 calls for a thorough understanding of technical nuances and a steadfast dedication to security best practices. This guide will walk you through the process of securely implementing Active Directory, ensuring the highest level of protection for the information and resources within your company.

Planning and design

Start by carefully planning and designing. Analyze your organization’s requirements, network topology, and security requirements in great detail. Establish the necessary number of organizational units (OUs), domains, and user and group structures. Make a thorough design plan that complies with your organization’s compliance standards and security guidelines.

Installing Windows Server 2019

Install Windows Server 2019 on a dedicated system that satisfies the system minimums. Use the most recent Windows Server 2019 ISO and adhere to recommended procedures for a secure installation. Set a strong password for the Administrator account and enable Secure Boot if it is supported in the BIOS/UEFI settings for hardware security.

Choose the right deployment type

Select the domain controller (DC) installation as the Active Directory deployment type. By doing this, you can be confident that your server is a dedicated domain controller overseeing your domain’s directory services, authentication, and security policies.

Install Active Directory Domain Services (AD DS) role

Add the Active Directory Domain Services (AD DS) role to Windows Server 2019. For the installation, use Server Manager or PowerShell. Select the appropriate forest and domain functional levels during the procedure and specify the server as a domain controller.

Choose an appropriate Forest Functional Level (FFL)

Select the highest Forest Functional Level (FFL) compatible with your domain controllers. This enables access to the most recent AD features and security upgrades. Examine the FFL specifications and confirm that every domain controller currently in use can support the selected level.

Secure DNS configuration

AD heavily relies on DNS for name resolution and service location. Ensure that DNS is configured securely by:

a. Using Active Directory Integrated Zones for DNS storage, enabling secure updates and zone replication through AD.

b. Implementing DNSSEC to protect against DNS data tampering and for secure zone signing.

c. Restricting zone transfers to authorized servers only, preventing unauthorized access to DNS data.

d. Implementing DNS monitoring and logging for suspicious activities using tools like DNS auditing and query logging.

Use strong authentication protocols

Configure Active Directory to use strong authentication protocols such as Kerberos. To stop credential-based attacks, disable older, less secure protocols like NTLM and LM hashes. Ensure domain controllers are set up to favor robust authentication techniques over weak ones when performing authentication.

Securing administrative accounts

Safeguard administrative accounts by:

a. Creating complicated, one-of-a-kind passwords for each administrative account, following the password policy guidelines, and rotating passwords frequently.

b. Adding multi-factor authentication (MFA) to all administrative accounts to improve login security and reduce the risk of credential theft.

c. Enforcing the principle of least privilege, role-based access control (RBAC), and limiting the use of administrative accounts to authorized personnel only.

d. To reduce the attack surface and potential insider threats, administrative account privileges should be regularly reviewed, and extra access rights should be removed.

Applying group policies

Leverage Group Policy Objects (GPOs) to enforce security settings and standards across your Active Directory domain. Implement password policies, account lockout policies, and other security-related configurations to improve the overall security posture.

Protecting domain controllers

Domain controllers are the backbone of Active Directory. Safeguard them by:

a. Isolating domain controllers in a separate network segment or VLAN to minimize the attack surface and prevent lateral movement.

b. Enabling BitLocker Drive Encryption on the system volume of the domain controller to safeguard critical data from physical theft or unauthorized access.

c. Setting up Windows Firewall rules to restrict inbound traffic to critical AD services and thwart potential dangers.

d. Performing regular domain controller backups and securely storing those backups to protect data integrity and speed up disaster recovery. Create system state backups using the Windows Server Backup feature, and for redundancy, think about using off-site storage.

Monitor and audit

Implement a robust monitoring and auditing system to detect potential security breaches and unauthorized access. Employ Security Information and Event Management (SIEM) solutions for thorough threat monitoring, set up real-time alerts for crucial security events, and use Windows Event Forwarding to centralize log data for analysis.

Perform regular backups

Create regular system state backups of Active Directory to ensure data integrity and quick recovery in case of data loss or disaster. Periodically test the restoration procedure to confirm its efficacy and guarantee that backups are safely kept off-site.

Conclusion

By following this technical guide, you can confidently and securely implement Active Directory on Windows Server 2019, ensuring your organization has a robust, dependable, highly secure Active Directory environment that safeguards valuable assets and sensitive data from the constantly changing threat landscape. Always remember that security is a continuous process, and maintaining a resilient AD infrastructure requires staying current with the latest security measures.

The post Securely implementing Active Directory on Windows Server 2019 appeared first on Cybersecurity Insiders.

As cybersecurity becomes increasingly complex, having a centralized team of experts driving continuous innovation and improvement in their Zero Trust journey is invaluable. A Zero Trust Center of Excellence (CoE) can serve as the hub of expertise, driving the organization’s strategy in its focus area, standardizing best practices, fostering innovation, and providing training. It can also help organizations adapt to changes in the cybersecurity landscape, such as new regulations or technologies, ensuring they remain resilient and secure in the face of future challenges. The Zero Trust CoE also ensures that organization’s stay up-to-date with the latest security trends, technologies, and threats, while constantly applying and implementing the most effective security measures.

Zero Trust is a security concept that continues to evolve but is centered on the belief that organizations should not automatically trust anything inside or outside of their perimeters. Instead, organizations must verify and grant access to anything and everything trying to connect to their systems and data. This can be achieved through a unified strategy and approach by centralizing the organization’s Zero Trust initiatives into a CoE. Below are some of the benefits realized through a Zero Trust CoE.

A critical aspect of managing a Zero Trust CoE effectively is the use of Key Performance Indicators (KPIs). KPIs are quantifiable measurements that reflect the performance of an organization in achieving its objectives. In the context of a Zero Trust CoE, KPIs can help measure the effectiveness of the organization’s Zero Trust initiatives, providing valuable insights that can guide decision-making and strategy.

Creating a Zero Trust CoE involves identifying the key roles and responsibilities that will drive the organization’s Zero Trust initiatives. This typically includes a leadership team, a Zero Trust architecture team, a engineering team, a policy and compliance team, an education and training team, and a research and development team. These teams will need to be organized to support the cross-functional collaboration necessary for enhancing productivity.

A Zero Trust CoE should be organized in a way that aligns with the organization’s overall strategy and goals, while also ensuring effective collaboration and communication. AT&T Cybersecurity consultants can also provide valuable leadership and deep technical guidance for each of the teams. Below is an approach to structuring the different members of the CoE team:

• Leadership team: This team is responsible for setting the strategic direction of the CoE. It typically includes senior executives and leaders from various departments, such as IT, security, and business operations.
   
• Zero Trust architects: This individual or team is responsible for designing and implementing the Zero Trust architecture within the organization. They work closely with the leadership team to ensure that the architecture aligns with the organization’s strategic goals.
   
• Engineering team: This team is responsible for the technical implementation of the Zero Trust strategy. This includes network engineers, security analysts, and other IT professionals.
   
• Policy and compliance team: This team is responsible for developing and enforcing policies related to Zero Trust. They also ensure that the organization follows compliance with relevant regulations and standards.
   
• Education and training team: This team is responsible for educating and training staff members about Zero Trust principles and practices. They develop training materials, conduct workshops, and provide ongoing support.
   
• Research and lab team: This team stays abreast of the latest developments in Zero Trust and explores new technologies and approaches that could enhance the organization’s Zero Trust capabilities. AT&T Cybersecurity consultants, with their finger on the pulse of the latest trends and developments, can provide valuable insights to this team.

Each of these teams should have its own set of KPIs that align with the organization’s overall business goals. For example, the KPIs for the ‘Engineering Team’ could include the number of systems that have been migrated to the Zero Trust architecture, while the KPIs for the ‘Policy and Compliance Team’ could include the percentage of staff members who comply with the organization’s Zero Trust policies.

Monitoring and evaluating these KPIs regularly is crucial for ensuring the effectiveness of the CoE. This should be done at least quarterly but could be done more frequently depending on the specific KPI and the dynamics of the organization and the cybersecurity landscape. The results of this monitoring and evaluation should be used to adjust the CoE’s activities and strategies as needed.

There are challenges associated with monitoring and evaluating KPIs. It can be time-consuming and require specialized skills and tools. Additionally, it can be difficult to determine the cause of changes in KPIs, and there can be a lag between changes in activities and changes in KPIs. To overcome these challenges, it’s important to have clear processes and responsibilities for monitoring and evaluating KPIs, to use appropriate tools and techniques, and to be patient and persistent.

While the CoE offers many benefits, it can also present challenges. Without leadership and oversight, it can become resource-intensive, create silos, slow down decision-making, and be resistant to change. To overcome these challenges, it’s important to ensure that the CoE is aligned with the organization’s overall strategy and goals, promotes collaboration and communication, and remains flexible and adaptable. AT&T Cybersecurity consultants, with their deep expertise and broad perspective, can provide valuable leadership in each of these areas. They can help consolidate expertise, develop and enforce standards, drive innovation, and provide education and training.

The CoE should drive Zero Trust related projects, such as developing a Zero Trust Architecture that includes components such as Zero Trust Network Access (ZTNA), a capability of Secure Access Service Edge (SASE). The CoE can provide the expertise, resources, and guidance needed to successfully implement these types of projects. Implementing ZTNA requires a structured, multi-phased project that would have a plan similar to the following:

• Project initiation: Develop a project plan with timelines, resources, and budget. Identify the scope, objectives, and deliverables as well as the key stakeholders and project team members.
   
• Assessment and planning: Develop a detailed plan for implementing ZTNA. Conduct a thorough assessment of the current network infrastructure and security environment looking for vulnerabilities and areas of improvement.
   
• Design and develop: Design the ZTNA architecture, taking into account the organization’s specific needs and constraints. Create test plans to be used in the lab, pilot sites, and during deployment.
   
• Implementation: Deploy and monitor the ZTNA program in a phased manner, starting with less critical systems and gradually expanding to more critical ones.
   
• Education and training: Develop and distribute user guides and other training materials. Conduct training sessions on how to use the new system.
   
• Monitoring: Continuously monitor the performance of the platform, report on the assigned KPIs, and conduct regular audits to identify areas for improvement.
   
• Maintenance and support: Regularly update and improve the solution based on feedback and technical innovations. Provide ongoing technical support for users of the ZTNA platform.

Throughout the ZTNA implementation, the Zero Trust CoE plays a central role in coordinating activities, providing expertise, and ensuring alignment with the organization’s overall Zero Trust strategy. The CoE is responsible for communicating with stakeholders, managing risk, and ensuring the project stays on track and achieves the stated objectives.

In conclusion, a Zero Trust Center of Excellence is a powerful tool that can help organizations enhance their cybersecurity posture, stay ahead of evolving threats, and drive continuous improvement in their Zero Trust initiatives. By centralizing expertise, standardizing practices, fostering innovation, and providing education and training, a Zero Trust CoE can provide a strategic, coordinated approach to managing Zero Trust initiatives.

As cyber threats continue to evolve, the importance and potential of a Zero Trust CoE, led by AT&T cybersecurity consultants, will only increase. Contact AT&T Cybersecurity for more information on the Zero Trust journey and how to establish a Center of Excellence.

The post Leveraging AT&T Cybersecurity Consulting for a robust Zero Trust Center of Excellence appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

The supply chain, already fragile in the USA, is at severe and significant risk of damage by cyberattacks. According to research analyzed by Forbes, supply chain attacks now account for a huge 62% of all commercial attacks, a clear indication of the scale of the challenge faced by the supply chain and the logistics industry as a whole. There are solutions out there, however, and the most simple of these concerns a simple upskilling of supply chain professionals to be aware of cybersecurity systems and threats. In an industry dominated by the need for trust, this is something that perhaps can come naturally for the supply chain.

Building trust and awareness

At the heart of a successful supply chain relationship is trust between partners. Building that trust, and securing high quality business partners, relies on a few factors. Cybersecurity experts and responsible officers will see some familiarity – due diligence, scrutiny over figures, and continuous monitoring. In simple terms, an effective framework of checking and rechecking work, monitored for compliance on all sides.

These factors are a key part of new federal cybersecurity rules, according to news agency Reuters. Among other measures are a requirement for companies to have rigorous control over system patching, and measures that would require cloud hosted services to identify foreign customers. These are simple but important steps, and give a hint to supply chain businesses as to what they should be doing; putting in measures to monitor, control, and enact compliance on cybersecurity threats. That being said, it can be the case that the software isn’t in place within individual businesses to ensure that level of control. The right tools, and the right personnel, is also essential.

The importance of software

Back in April, the UK’s National Cyber Security Centre released details of specific threats made by Russian actors against business infrastructure in the USA and UK. Highlighted in this were specific weaknesses in business systems, and that includes in hardware and software used by millions of businesses worldwide. The message is simple – even industry standard software and devices have their problems, and businesses have to keep track of that.

There are two arms to ensure this is completed. Firstly, the business should have a cybersecurity officer in place whose role it is to monitor current measures and ensure they are kept up to date. Secondly, budget and time must be allocated at an executive level firstly to promote networking between the business and cybersecurity firms, and between partner businesses to ensure that even cybersecurity measures are implemented across the chain.

Utilizing AI

There is something of a digital arms race when it comes to artificial intelligence. As ZDNet notes, the lack of clear regulation is providing a lot of leeway for malicious actors to innovate, but for businesses to act, too. While regulations are now coming in, it remains that there is a clear role for AI in prevention.

According to an expert interviewed by ZDNet in their profile of the current situation, digital threat hunters are already using sophisticated AI to look for patterns, patches and unusual actions on the network, and are then using these large data sets to join up the dots and provide reports to cyber security officers. Where the challenge arrives is in that weapons race; as AI models become more sophisticated and powerful, they will ‘hack’ faster than humans can. The defensive models need to stay caught up but will struggle with needing to act within regulatory guidelines. The key here will be in proactive regulation from the government, to enable businesses to deploy these measures with assurance as to their legality and safety. 

With the supply chain involving so many different partners, there are a wider number of wildcards that can potentially upset the balance of the system. However, businesses that are willing to take a proactive step forward and be an example within their own supply chain ecosystem stand to benefit. By building resilience into their own part of the process, and influencing partners to do the same, they can make serious inroads in fighting back against the overwhelming number of supply chain oriented cybersecurity threats.

The post Building Cybersecurity into the supply chain is essential as threats mount appeared first on Cybersecurity Insiders.

Today, SC Media announced the winners of its annual cybersecurity awards for excellence and achievements.

At AT&T Cybersecurity we are thrilled that AT&T Alien Labs was awarded Best Threat Intelligence in this prestigious competition. The Alien Labs team works closely with the Open Threat Exchange (OTX), an open and free platform that lets security professionals easily share, research, and validate the latest threats, trends and techniques.

With more than 200,000 global security and IT professionals submitting data daily, OTX has become one of the world’s largest open threat intelligence communities. It offers context and details on threats, including threat actors, organizations and industries targeted, and related indicators of compromise.

The full list of winners is here.

The post AT&T Cybersecurity wins SC Media Award for Best Threat Intelligence appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Memory forensics plays a crucial role in digital investigations, allowing forensic analysts to extract valuable information from a computer’s volatile memory. Two popular tools in this field are Volatility Workbench and Volatility Framework. This article aims to compare and explore these tools, highlighting their features and differences to help investigators choose the right one for their needs.

Volatility Workbench, a powerful tool built on the Volatility Framework, is specifically designed to simplify and enhance the process of memory forensics. This article explores the capabilities of Volatility Workbench, highlighting its importance in uncovering critical evidence and facilitating comprehensive memory analysis.

Understanding Volatility Framework:

Volatility Framework is a robust tool used for memory analysis. It operates through a command-line interface and offers a wide range of commands and plugins. It enables investigators to extract essential data from memory dumps – including running processes, network connections, and passwords. However, it requires technical expertise to utilize effectively.

Volatility introduced people to the power of analyzing the runtime state of a system using the data found in volatile storage (RAM). It also provided a cross-platform, modular, and extensible platform to encourage further work into this exciting area of research. Volatility framework can be downloaded here. The Volativity Foundation provides these tools.

Introducing Volatility Workbench:

Volatility Workbench is a user-friendly graphical interface built on the Volatility Framework. It simplifies memory analysis by providing a visual interface that is more accessible, even for users with limited command-line experience. With Volatility Workbench, investigators can perform memory analysis tasks without the need for extensive command-line knowledge. Volatility Workbench can be downloaded here.

One of the key advantages of Volatility Workbench is its user-friendly interface, designed to simplify the complex process of memory forensics. With its graphical interface, investigators can navigate through various analysis options and settings effortlessly. The tool presents information in a visually appealing manner – with graphs, charts, and timelines, making it easier to interpret and draw insights from extracted data.

The initial interface when the Volatility Workbench is started looks like this:

 

The Volatility Workbench offers options to browse and select memory dump files in formats such as *.bin, *.raw, *.dmp, and *.mem. Once a memory dump file is chosen, the next step is to select the platform or operating system that the system being analyzed is using.

Once the memory image file and platform is selected, click on Get Process List in Volatility Workbench.

It will begin memory scanning. After that, you can use the multiple option in the command tab by selecting a valid command. The description of the command will be available in the dialog box on the side pane.

When the Get Process list is finished, the interface will like this:

Now we can select the command we want to use – let’s try using the command drop down menu.

Voila, we have commands available for analyzing the Windows memory dump.

Let’s try a command which lists process memory ranges that potentially contain injected code.

As seen in image above you can see the command as well as its description. You also have an option to select specific process IDs from the dropdown menu for the processes associated with the findings.

Let’s use the Malfind command to list process memory ranges that potentially contain injected code. It will take some time to process.

The analysis of the Malfind output requires a combination of technical skills, knowledge of malware behavior, and understanding of memory forensics. Continuously updating your knowledge in these areas and leveraging available resources can enhance your ability to effectively analyze the output and identify potential threats within memory dumps.

Look for process names associated with the identified memory regions. Determine if they are familiar or potentially malicious. Cross-reference them with known processes or conduct further research if necessary.

Some of the features of Volatility Workbench:

• It streamlines memory forensics workflow by automating tasks and providing pre-configured settings.
• It offers comprehensive analysis capabilities, including examining processes, network connections, and recovering artifacts.
• It seamlessly integrates with plugins for additional analysis options and features.
• It lets you generate comprehensive reports for documentation and collaboration.

Conclusion

By leveraging the capabilities of the underlying Volatility Framework, Volatility Workbench provides a streamlined workflow, comprehensive analysis options, and flexibility through plugin integration. With its user-friendly interface, investigators can efficiently extract valuable evidence from memory dumps, uncover hidden activities, and contribute to successful digital investigations. Volatility Workbench is an indispensable tool in the field of memory forensics, enabling investigators to unravel the secrets stored within a computer’s volatile memory.

The post Volatility Workbench: Empowering memory forensics investigations appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

What exactly is resilience? According to the U.S. National Institute of Standards and Technology, the goal of cyber resilience is to “enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.” In other words, when you’re at odds with cybercriminals and nation-state actors, can you still get your job done? If not, how quickly can you get back up and running? In this article, we outline steps to ensure that if your cloud networks fail, your business won’t fail along with them.

Take stock of what you can’t (and can) live without

Being resilient during and post-cyber-attack means being able to continue business operations either leanly or back to full throttle soon after. While resources are being pooled to respond and recover from an incident, what data must be protected and what operations must go on?

Data that must be protected include those defined by regulation (e.g., personal identifiable information), intellectual property, and financial data. Data itself must be protected in multiple forms: at rest, in transit, and in use. The type of business you’re in may already dictate what’s essential; critical infrastructure sectors with essential operations include telecommunications, healthcare, food, and energy. Anything that your business relies on to survive and sustain should be treated as highest priority for security.

Ensure required availability from your cloud provider

An essential part of resilience is the ability to stay online despite what happens. Part of the cloud provider’s responsibility is to keep resources online, performing at the agreed level of service. Depending on the needs of your business, you will require certain levels of service to maintain operations.

Your cloud provider promises availability of resources in a service-level agreement (SLA), a legal document between the two parties. Uptime, the measure of availability, ranges from 99.9% to 99% in the top tiers of publicly available clouds from Amazon and Microsoft. A difference of 0.9% may not seem like much, but that translates from roughly 9 hours of downtime to over 3.5 days annually—which might be unacceptable for some types of businesses.

Store backups—even better, automate

As ransomware proliferates, enterprises need to protect themselves against attackers who block access to critical data or threaten to expose it to the world. One of the most fundamental ways to continue business operations during such an incident is to rely on backups of critical data. After you’ve identified which data is necessary for business operations and legal compliance, it’s time to have a backup plan.

While your cloud service provider provides options for backup, spreading the function across more than one vendor will reduce your risk—assuming they’re also secure. As Betsy Doughty, Vice President of Corporate Marketing of Spectra Logic says, “it’s smart to adhere to the 3-2-1-1 rule: Make three copies of data, on two different mediums, with one offsite and online, and one offsite and offline.” Automated snapshots and data backup can run in the background, preparing you in the event of a worst-case scenario.

Expose and secure your blind spots

A recent report from the U.S. Securities and Exchange Commission observes that resilience strategies include “mapping the systems and process that support business services, including those which the organization may not have direct control.” Cloud networks certainly apply here, as with any outsourced services, you relinquish some control.

Relinquishing control does not have to mean lack of visibility. To gain visibility into what data is being transferred and how people are using cloud applications, consider the services of cloud access service brokers (CASBs), who sit between a cloud user and cloud provider. CASBs can improve your resilience providing detail into your cloud network traffic, enabling assessment for both prevention of attack and impact on business operations in the event of an incident. They also enforce security policies in place such as authentication and encryption.

Test your preparedness periodically

After all the hard work of putting components and plans into place, it’s time to put things to the test. Incident response tests can range from the theoretical to a simulated real-world attack. As processes and people change, performing these tests periodically will ensure you have an updated assessment of preparedness. You could run more cost-effective paper tests more frequently to catch obvious gaps and invest in realistic simulations at a longer interval. Spending the resources to verify and test your infrastructure will pay off when an attack happens and the public spotlight is on you.

Towards a resilient cloud

Being able to withstand a cyber-attack or quickly bring operations back online can be key to the success of a business. While some responsibility lies in the cloud provider to execute on their  redundancy and contingency plans per the SLA, some of it also lies in you. By knowing what’s important, securing your vulnerabilities, and having a tested process in place, you are well on your way to a secure and resilient cloud network.

The post Securing your cloud networks: Strategies for a resilient infrastructure appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In the realm of information security and covert communication, image steganography serves as a powerful technique for hiding sensitive data within innocent-looking images. By embedding secret messages or files within the pixels of an image, steganography enables covert transmission without arousing suspicion. This article aims to delve into the world of image steganography, exploring its principles, techniques, and real-world applications.

Understanding image steganography

• Image steganography is the practice of concealing information within the data of digital images without altering their visual appearance. The hidden data can include text, images, audio, or any other form of binary information.
• Image steganography serves as a clandestine communication method, providing a means to transmit sensitive information without arousing the suspicion of adversaries or unauthorized individuals. It offers an additional layer of security and confidentiality in digital communication.
• Steganography vs. Cryptography: While cryptography focuses on encrypting data to render it unreadable, steganography aims to hide the existence of the data itself, making it inconspicuous within an image. Steganography can be used in conjunction with encryption to further enhance the security of covert communication.

Techniques of image steganography

• LSB substitution: The Least Significant Bit (LSB) substitution method involves replacing the least significant bits of pixel values with secret data. As the least significant bits have minimal impact on the visual appearance of the image, this technique allows for the hiding of information without noticeably altering the image.
• Spatial domain techniques: Various spatial domain techniques involve modifying the pixel values directly to embed secret data. These techniques include modifying pixel intensities, color values, or rearranging pixels based on a predefined pattern.
• Transform domain techniques: Transform domain techniques, such as Discrete Cosine Transform (DCT) or Discrete Fourier Transform (DFT), manipulate the frequency domain representation of an image to embed secret data. This allows for the concealment of information within the frequency components of an image.
• Spread spectrum techniques: Inspired by radio frequency communication, spread spectrum techniques spread the secret data across multiple pixels by slightly modifying their values. This method makes the hidden data more robust against detection and extraction attempts.
• Adaptive steganography: Adaptive techniques dynamically adjust the embedding process based on the image content and local characteristics, making the hidden data even more resistant to detection. This approach enhances security and makes it harder for adversaries to identify stego images.

Let’s see a working example of image steganography using a free tool called OpenStego, the same can be downloaded from here. You will be required to have Java Runtime Environment for OpenStego to work on your system.

Once, you’ve installed OpenStego, you will see its interface as shown below:

It has multiple options including Hide Data and Extract Data – more about these options can be found at official documentation of the tool.

We need to have two files, Message File (Which will be hidden data or data we want to hide) and Cover File (The file which we will use as a cover to hide the message file.)

I have downloaded two image files for the same.

Now, let’s hide the message file which is a quote inside the cover file which is “Hello” image.

After that, you will have to provide the directory and name for the output file. The same can be seen in the snapshot below:

You can also choose to encrypt the hidden data so that it is not accessible without a password. Click Hide data once you have followed all the steps.

After the process is completed, a success popup will appear on Openstego screen.

Now, we have 3 files and output file is the one which has the hidden image.

If we compare the properties of the output file and cover file, we will notice certain differences – like the size value will be different.

Now, let’s delete the cover file and message file and try to extract the data. If you open the output file you won’t notice any difference as it appears the same as any other image file. However, let’s try to extract data using OpenStego.

We have to select the path of the file we wish to extract data from and provide a destination folder for extraction. We also have to provide the password if any was chosen at the time of hiding the data.

Let’s select Extract data. Once, the extraction is done, a confirmation pop-up will appear on your screen.

Let us check the extracted file by going to the destination folder we assigned for the extraction of the message file.

As visible in the snapshot above, the message file is successfully extracted.

Real-world applications of steganography

• Covert communication: Image steganography finds applications in covert communication where parties need to exchange sensitive information discreetly. This includes intelligence agencies, law enforcement, and whistleblowers who require secure channels for sharing classified or confidential data.
• Digital watermarking: Steganography techniques can be employed for digital watermarking to embed copyright information, ownership details, or authentication codes within images. This allows for tracking and protecting intellectual property rights.
• Information hiding in multimedia: Image steganography can be extended to other forms of multimedia, including audio and video, allowing for the concealment of information within these media formats. This can be used for copyright protection, digital rights management, or covert messaging.
• Steganalysis and forensics: Image steganalysis focuses on detecting the presence of hidden information within images. Forensic investigators can employ steganalysis techniques to identify potential steganographic content, aiding in digital investigations.

Conclusion

Image steganography has emerged as a sophisticated method for covert communication and secure data transmission. By exploiting the subtle nuances of digital images, sensitive information can be hidden from prying eyes. As technology advances, the field of steganography continues to evolve, with new techniques and algorithms being developed to enhance the security and robustness of data hiding.

However, it is essential to balance the use of steganography with ethical considerations and adhere to legal frameworks to ensure its responsible and lawful application. As information security remains a critical concern in the digital age, image steganography serves as a valuable tool in safeguarding sensitive data and enabling secure communications.

The post Image steganography: Concealing secrets within pixels appeared first on Cybersecurity Insiders.

Executive summary

On April 21st, 2023, AT&T Managed Extended Detection and Response (MXDR) investigated an attempted ransomware attack on one of our clients, a home improvement business. The investigation revealed the attacker used AuKill malware on the client’s print server to disable the server’s installed EDR solution, SentinelOne, by brute forcing an administrator account and downgrading a driver to a vulnerable version.

AuKill, first identified by Sophos X-Ops researchers in June 2021, is a sophisticated malware designed to target and neutralize specific EDR solutions, including SentinelOne and Sophos. Distributed as a dropper, AuKill drops a vulnerable driver named PROCEXP.SYS (from Process Explorer release version 16.32) into the system’s C:WindowsSystem32drivers folder. This malware has been observed in the wild, utilized by ransomware groups to bypass endpoint security measures and effectively spread ransomware variants such as Medusa Locker and Lockbit on vulnerable systems.

In this case, SentinelOne managed to isolate most of the malicious files before being disabled, preventing a full-scale ransomware incident. As a result, AT&T MXDR found no evidence of data exfiltration or encryption. Despite this, the client opted to rebuild the print server as a precautionary measure. This study provides an in-depth analysis of the attack and offers recommendations to mitigate the risk of future attacks.

Investigating the first phase of the attack

Initial intrusion

The targeted asset was the print server, which we found unusual. However, upon further investigation we concluded the attacker misidentified the asset as a Domain Controller (DC), as it had recently been repurposed from a DC to a print server. The attacker needed both local administrator credentials and kernel-level access to successfully run AuKill and disable SentinelOne on the asset. To gain those local administrator credentials, the attacker successfully brute-forced an administrator account. Shortly after the compromise, this account was observed making unauthorized registry changes.

  

Establishing a beachhead

After compromising the local administrator account, the attackers used the “UsersAdministratorMusicaSentinel” folder as a staging area for subsequent phases of their attack. All AuKill-related binaries and scripts were executed from this path, with the innocuous “Music” folder name helping to conceal their malicious activities.

AuKill malware has been found to operate using two Windows services named “aSentinel.exe” and “aSentinelX.exe” in its SentinelOne variant. In other variants, it targets different EDRs, such as Sophos, by utilizing corresponding Windows services like “aSophos.exe” and “aSophosX.exe”. 

Establishing persistence

We also discovered “aSentinel.exe” running from “C:Windowssystem32”, indicating that the attackers attempted to establish a foothold on the compromised server. Malware authors frequently target the system32 folder because it is a trusted location, and security software may not scrutinize files within it as closely as those in other locations. This can help malware bypass security measures and remain hidden. It is likely that the malware was initially placed in the “UsersAdministratorMusicaSentinel” directory and later copied to the system32 directory for persistence.

Network reconnaissance

Our investigation also revealed that PCHunter, a publicly accessible utility previously exploited in ransomware incidents like Dharma, was running from the “UsersAdministratorMusicaSentinel” directory. This suggests that the attackers used PCHunter as a reconnaissance tool to survey the client’s network before deploying the EDR killer malware. Additionally, PCHunter enables threat actors to terminate programs and interface directly with the Windows kernel, which aligns with the needs of the attacker. We observed PCHunter generating several randomly named .sys files, as illustrated below:

Preventing data recovery

We found that the attacker deleted shadow volume copies from the print server. Windows creates these copies to restore files and folders to previous versions in case of data loss. By removing the shadow copies, the attacker was attempting to make it more challenging for our client to recover their files if they were successfully encrypted. Although no ransomware was deployed, the deletion of shadow copies reveals the attackers’ intentions. This information, together with the usage of PCHunter and the staging of the EDR killer malware, paints a more complete picture of the attacker’s objectives and tactics.

Bypassing native Windows protection

With all these pieces in place, the attacker last needed to acquire kernel-level access. Despite gaining administrator rights early on, the attacker did not have enough control over the system to kill SentinelOne at this time. EDR solutions are classified as essential by Windows and are protected from being turned off by attackers when they escalate privileges. To successfully circumvent these safeguards, the attacker would need to travel one level deeper into the operating system and gain kernel-level access to the machine.

Investigating the second phase of the attack

Dropping the vulnerable driver

Our team discovered that AuKill had replaced the current Process Explorer driver, PROCEXP152.sys, with an outdated and vulnerable version named PROCEXP.SYS (from Process Explorer release version 16.32), located in the C:WindowsSystem32drivers directory. The alarm screenshot below demonstrates how AuKill swapped the existing driver with this older version, making the system susceptible to further exploitation.

 

Windows incorporates a security feature called Driver Signature Enforcement, which ensures that kernel-mode drivers are signed by a valid code signing authority before they can run. To bypass this security measure, the attackers exploited the insecure PROCEXP.SYS driver, which was produced and signed by Microsoft at an earlier date. As demonstrated in the SentinelOne screenshot below, the driver is signed and verified by Microsoft. Furthermore, the originating process was aSentinel.exe, an executable created to disable SentinelOne.

Acquiring kernel-level access

Process Explorer, a legitimate system monitoring tool developed by Microsoft’s Sysinternals team, enables administrators to examine and manage applications’ ongoing processes, as well as their associated threads, handles, and DLLs.

Upon startup, Process Explorer loads a signed kernel-mode driver, facilitating interaction with the system’s kernel, which is responsible for managing hardware and resources. Normally, that driver is PROCEXP152.sys. The attacker replaced the PROCEXP152.sys driver on the print server with the exploitable PROCEXP.SYS, employing what is known as a BYOVD (Bring Your Own Vulnerable Driver) attack. The attacker used this method to exploit the now vulnerable kernel mode driver to gain the kernel-level access they needed to successfully kill SentinelOne.

Killing SentinelOne

The kernel-mode driver used by Process Explorer has the unique ability to terminate handles that are inaccessible even to administrators. A handle is an identifier that corresponds to a specific resource opened by a process, such as a file or a registry key. At this point, AuKill hijacked Process Explorer’s kernel driver to specifically target protected handles associated with SentinelOne processes running on the print server. The SentinelOne processes were killed when the protected process handles were closed, rendering the EDR powerless. AuKill then generated several threads to ensure that these EDR processes remained disabled and did not resume. Each thread concentrated on a certain SentinelOne component and regularly checked to see if the targeted processes were active. If they were, AuKill would terminate them. SentinelOne was out of the way and no longer an obstacle to the attacker.

Response

Customer interaction

At this point, the attacker had gained privileged access to the asset, deployed their malware, and successfully killed the endpoint protection solution, SentinelOne. Based on the Cyber Kill Chain methodology developed by Lockheed Martin, we can conclude that the attacker had now successfully reached the “Command and Control” stage. However, the attacker did not reach the “Actions on Objectives” stage, as SentinelOne managed to disrupt ransomware deployment enough before it was killed to prevent any additional damage.

Any attempts to re-deploy malware or move laterally following the disablement of the EDR were thwarted by our team, who swiftly alerted the client to the activity and advised that the asset be taken offline and isolated from the rest of the network. Our team informed the client that the shadow copies had been deleted and SentinelOne had been turned off on their print server. After having our threat hunters thoroughly review their environment, w e reassured the client that no sensitive information was exfiltrated or encrypted. In response to the attack, the client moved to rebuild their print server and reinstall SentinelOne.

Recommendations

As BYOVD attacks to bypass EDR software become more widespread, we strongly advise blacklisting outdated drivers with a known history of exploitation. Furthermore, we encourage our clients to maintain an inventory of the drivers installed on their systems, ensuring they remain current and secure. Lastly, we recommend bolstering the security of administrator accounts to defend against brute force attacks, as the incident detailed in this blog post could not have transpired without the initial privileged user compromise.

The post Stories from the SOC – Unveiling the stealthy tactics of Aukill malware appeared first on Cybersecurity Insiders.

This blog was jointly written by Fernando Martinez Sidera and Ofer Caspi, AT&T Alien Labs threat intelligence researchers.

Executive summary 

AdLoad malware is still infecting Mac systems years after its first appearance in 2017. AdLoad, a package bundler, has been observed delivering a wide range of payloads throughout its existence. During AT&T Alien Labs’ investigation of its most recent payload, it was discovered that the most common component dropped by AdLoad during the past year has been a proxy application turning MacOS AdLoad victims into a giant, residential proxy botnet.

Key takeaways: 

• AdLoad malware is still present and infecting systems, with a previously unreported payload.
• At least 150 samples have been observed in the wild during the last year.
• AT&T Alien Labs has observed thousands of IPs behaving as proxy exit nodes in a manner similar to AdLoad infected systems. This behavior could indicate that thousands of Mac systems have been hijacked to act as proxy exit nodes.
• The samples analyzed in this blog are unique to MacOS, but Windows samples have also been observed in the wild.

Analysis 

AdLoad is one of several widespread adware and bundleware loaders currently impacting macOS. The OSX malware has been present since 2017, with big campaigns in the last two years as reported by SentinelOne in 2021 and Microsoft in 2022. As stated in Microsoft’s report on UpdateAgent, a malware delivering AdLoad through drive-by compromise, AdLoad redirected users’ traffic through the adware operators’ servers, injecting advertisements and promotions into webpages and search results with a Person-in-The-Middle (PiTM) attack.

These two previous campaigns, together with the campaign described in this blog, support the theory that AdLoad could be running a pay-per-Install campaign in the infected systems.

• The main purpose of the malware has always been to act as a downloader for subsequent payloads.
• It has been identified delivering a wide range of payloads (adware, bundleware, PiTM, backdoors, proxy applications, etc.) every few months to a year, sometimes conveying different payloads depending on the system settings such as geolocation, device make and model, operating system version, or language settings, as reported by SentinelOne.
• In all observed samples, regardless of payload, they report an Adload server during execution on the victim’s system.
• This beacon (analyzed later in Figure 3 & 4) includes system information in the user agent and the body, without any relevant response aside from a 200 HTTP response code.
• This activity probably represents AdLoad’s method of keeping count of the number of infected systems, supporting the pay-per-Install scheme.

AT&T Alien Labs has observed similar activity in our threat analysis systems throughout the last year, with the AdLoad malware being installed in the infected systems. However, Alien Labs is now observing a previously unreported payload being delivered to the victims. The payload corresponds to a proxy application, converting its targets into proxy exit nodes after infection. As seen in Figure 1, the threat actors behind this campaign have been very active since the beginning of 2022.

Figure 1. Histogram of AdLoad samples identified by Alien Labs.

The vast number of samples in the wild have consequently led to many devices becoming infected. Alien Labs has identified over 10,000 IPs reaching out to the proxy servers each week that have the potential to be proxy exit nodes. It is unclear if all these systems have been infected or are voluntarily offering their systems as proxies, but it could be indicative of a bigger infection globally.

The intentions behind the users of this botnet for residential proxy systems is still unclear, but so far it has already been detected delivering SPAM campaigns. A campaign was suffered by the University of Illinois, who had to release an internal alert to notify their students of this thread.

Figure 2. University of Illinois alert at https://answers.uillinois.edu/illinois/page.php?id=120871.

This blog will focus on a sample of AdLoad, which AT&T Alien Labs observed in the wild during the month of June: 6587e61a8a7edb312da5798ffccf4a5ef227d3834389993b4df3ef0b173443dc. This sample was named “app_assistant”. Together with ‘main_helper’ or ‘mh’ are the most common filenames observed for this malware.

The sample initiates the execution with a system profiler. The system profiler pulls system information focusing in on the UUID (Universally Unique Identifier) that can be used later to identify the system with the Command and Control (C&C) on the proxy servers.

It then reaches out to an AdLoad server to report the infection. The URL is hardcoded in the sample. Alien Labs has observed two different patterns thus far:

Pattern 1 includes:

• POST request to a URL with path “/l”.
• Host with api. Subdomain.
• Content Type is “application/x-www-form-urlencoded”.
• The body starts with “cs=” and is followed by around 300 base64 characters.

This behavior had already been observed in the wild and is detected by ET (Emerging Threats) with a public rule attributing the activity to OSX/SHLAYER (Rule in the appendix).

Figure 3: Example from Alien Labs of network traffic of sample 54efc69cb6ee7fde00c0320202371dcdad127d0e7c8babce4659be8230d81a81.

Pattern 2 includes:

• POST request to a URL with path “/a/rep”
• Host with m. subdomain
• Content Type is charset=utf-8
• The body starts with “smc” and is followed by encrypted data.

No public rules were identified for this behavior as of the publishing of this blog, however Alien Labs has provided a rule in the appendix.

In both cases, the User Agent is formed by the filename of the executed file followed by “(unknown version) CFNetwork/$version” plus the Darwin version number.

Figure 4: Example from Alien Labs: network traffic of sample 6587e61a8a7edb312da5798ffccf4a5ef227d3834389993b4df3ef0b173443dc.

After beaconing to the AdLoad server, the sample reaches out to a different domain, usually vpnservices[.]live or upgrader[.]live, appearing to be a proxy server’s C&C. The request carries as a parameter the UUID of the infected machine among other encoded parameters. This request responds with a link of the file to download, usually in digitaloceanspaces[.]com. It also includes the environment to use and the version number of the payload.

Figure 5 summarizes the different connections Alien Labs has observed as of the publishing of this article (steps 1-5), and the activity we will describe next (steps 5-8).

Figure 5: Infection process as analyzed by Alien Labs.

Attack chain, Steps 5-8

• Once the malware downloads the proxy app, it is unzipped with a password, and xattr -rd is executed on the files to remove the quarantine attribute from them. This bypasses Gatekeeper’s security.
• The existing files are copied to ‘/Users/$user/Library/Application Support/$randomstring’. Any unnecessary files placed in the system, the /tmp directory, and the original zip file are deleted.
• At this point, the newly generated folder under Application Support has two files: the first is a version control named ‘pcyx.ver’ and the second contains the proxy application, usually named ‘helper’ or ‘main’. If the proxy application is already running, the malware kills it, and then executes it in the background. During its execution, AdLoad gains persistence by installing itself as a Launch Agent with organization name usually formed by org.[random long string].plist, which points at the proxy application executable in the Application Support folder.
• The application is already running, and the hosts start operating as a proxy server. Its initial configuration is usually hardcoded (figure 6), but it can be modified through the previous request to the proxy C&C, modifying the used domain, port, environment, etc. The communication with proxy servers usually occurs over port 7001, but it has also been seen over port 7000 and 7002, probably alternatives in case 7001 is taken.

Figure 6: As observed by Alien Labs: the malware configuration includes C&C address, certificate, malware version and more.

• As the application runs, its first action is to beacon system information and status to the proxy server. It sends a registration message to its C&C after collecting the machine’s information. This data includes macOS version, hardware stats like CPU, memory, and battery status. Additionally, it extracts the machine’s UUID, labeled as “peer_id”, that is used as identifier of the machine with the C&C (figure 7).
• After registration with its C&C, the malware receives the proxy manager server to which it forwards proxy requests.

Figure 7: Collecting system information before registering as new peer.

Many of the proxy requests immediately issued after an infection appear to be testing queries, i.e., iplookups or access to streaming services like Netflix, HBO or Disney, from specific locations. Figure 8 shows the beacon and the response from the server, together with the request for an IP Lookup, which arrived at the infected system through port 7001.

Figure 9 shows more clearly how the IP Lookup is forwarded to its actual destination and the received response is sent back to the proxy server.

Figure 8: Beacon and and IPlookup as observed by Alien Labs, d94f62ec4b6ffcec35d5e639d02a52ce226629a5eb3e2a7190174ea8d3b40b5b.

Figure 9: Proxy flow, as observed by Alien Labs, d94f62ec4b6ffcec35d5e639d02a52ce226629a5eb3e2a7190174ea8d3b40b5b.

The beacon message shown in figure 8 is sent every few seconds to get further instructions from the C&C. This includes requests for updated hardware information to check if the machine may be running into issues soon and should not be loaded as proxy (low battery or high CPU usage) (Figure 10).

Figure 10: Pinging C&C for further instructions, observed by Alien Labs.

Alien Labs has identified several domains as proxy server nodes that were relaying the proxy requests to the infected systems. These domains all had generic randomly generated names, like bapp.pictureworld[.]co and were hosted in usually reliable cloud services, like Amazon or Oracle. However, they appeared to only be used as DNS resolvers, since those IPs happened to all resolve to a private company domain around the time of infection. The company name also showed up in the certificates of some of these generic domains.

Based on the above information, a small business selling proxy services appears to be behind the proxy activity. The list of prices published in this private company webpage, does include residential IP proxys as an offered service.

In addition to the Mac samples analyzed in this blog, Alien Labs has also identified other Windows samples replicating the behavior just explained. These Windows samples also end up acting as proxies through the known ports 7000, 7001 and 7002, with traffic coming from the same domains. AT&T Alien Labs will be releasing a new blog in the upcoming weeks with that analysis.

Recommended actions 

To remove AdLoad samples from the system:

1. AdLoad samples can be identified with the Yara rule included in the Appendix, originally created by SentinelOne in a previous AdLoad report.
2. Analyze any system matching suricata rules 4002758 and 2038612.

To remove the proxy application from the system:

1. Review ‘/Users/X/Library/Application Support/’ and look for a folder named with a string of over 20 randomly generated characters, which contains files like: main, helper, pcyx.ver; and are currently running in your system in the background.
2. Understand the need for all the existing Launch Agents plists in /Library/LaunchAgents/. Especially looking for another long string of random characters, and identify the existing agents, deleting the unnecessary ones.
3. Analyze any systems communicating though port 7000, 7001 or 7002 to suspicious IPs (or matching suricata rules 4002756 and 4002757).

Conclusion 

The pervasive nature of AdLoad potentially infecting thousands of devices worldwide — indicates that users of MacOS devices are a lucrative target for the adversaries behind this malware and are being tricked to download and install unwanted applications. The underreporting of MacOS based threats may lead users to a false sense of security and underscores that any popular operating system can become a target for skilled adversaries.

AT&T Alien Labs is not aware whether the private company relaying the proxy requests is actively infecting the systems, or they are buying what they believe to be legitimate systems. However, their proxy servers are accessing these systems and selling a similar service to their clients. Buyers are leveraging the benefits of a residential proxy botnet: anonymity, wide geolocation availability and high IP rotation; to deliver SPAM campaigns through the last year.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research. 

SURICATA IDS SIGNATURES

alert tcp $HOME_NET any -> $EXTERNAL_NET [7000:7002] (msg:”AV TROJAN AdLoad Proxy Node Beacon”; flow:to_server,established; content:”|7B 22|peer_id|22 3A|”; offset:0; depth:11; content:”|22 2C 22|connect_version|22|”; distance:0; content:”|22|action|22|”; distance:0; classtype:bad-unknown; sid:4002756; rev:2;)

alert tcp $EXTERNAL_NET [7000:7002] -> $HOME_NET any (msg:”AV TROJAN AdLoad Proxy Node Response”; flow:established; content:”|7B 22|result|22 3A|”; offset:0; depth:10; content:”|22|error|22 3A 22|”; distance:0; content:”|22 2C 22|action|22 3A 22|result|22|”; distance:0; content:”|22|uuid4|22|”; distance:0; content:”|22|version|22|”; distance:0; classtype:bad-unknown; sid:4002757; rev:2;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”AV TROJAN OSX AdLoad CnC Beacon”; flow:established,to_server; content:”POST”; http_method; content:”/a/rep”; http_uri; depth:6; isdataat:!1,relative; content:”m.”; depth:2; http_host; content:”|20 28|unknown|20|version|29 20|CFNetwork|2f|”; http_user_agent; fast_pattern; content:”charset=utf-8″; http_content_type; pkt_data; content:”smc”; http_client_body; depth:3; content:”$”; distance:7; within:1; http_client_body; isdataat:200,relative; threshold:type limit, count 1, seconds 600, track by_dst; classtype:trojan-activity; sid:4002758; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN OSX/SHLAYER CnC Activity M2″; flow:established,to_server; content:”POST”; http_method; content:”/l”; http_uri; depth:2; isdataat:!1,relative; content:”|20 28|unknown|20|version|29 20|CFNetwork|2f|”; http_user_agent; fast_pattern; content:”cs=”; http_client_body; depth:3; pcre:”/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/PR”; http_content_type; content:”application/x-www-form-urlencoded”; depth:33; isdataat:!1,relative; threshold:type limit, count 1, seconds 600, track by_dst; classtype:trojan-activity; sid:2038612; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2022_08_25, deployment Perimeter, former_category MALWARE, malware_family Shlayer, performance_impact Low, signature_severity Major, updated_at 2022_08_25;)

 

YARA RULES

private rule Macho {        meta:               description = “private rule to match Mach-O binaries”        condition:               uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca }   rule adload_2021_system_service {        meta:               description = “rule to catch Adload .system .service variant”               author = “Phil Stokes, SentinelLabs”               version = “1.0”               last_modified = “2021-08-10”               reference = “https://s1.ai/adload”        strings:               $a = { 48 8D 35 ?? ?? 00 00 48 8D 5D B8 BA B8 00 00 00 48 89 DF E8 ?? ?? FB FF 48 8B 43 08 48 2B 03 66 48 0F 6E C0 66 0F 62 05 ?? ?? 00 00 66 0F 5C 05 ?? ?? 00 00 0F 57 C9 66 0F 7C C0 48 8D 7D A0 0F 29 0F F2 0F 59 05 }        condition:               Macho and all of them }

 

Associated indicators (IOCs) 

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report. 

TYPE	INDICATOR	DESCRIPTION
SHA256	d94f62ec4b6ffcec35d5e639d02a52ce226629a5eb3e2a7190174ea8d3b40b5b	AdLoad sample
SHA256	956aae546af632ea20123bfe659d57e0d5134e39cdb5489bd6f1ba5d8bbd0472	AdLoad sample
SHA256	6587e61a8a7edb312da5798ffccf4a5ef227d3834389993b4df3ef0b173443dc	AdLoad sample
SHA256	3d063efde737b7b2e393926358cbb32469b76395e1a05e8c127a12e47550f264	AdLoad sample
SHA256	2d595880cfb1691dd43de02d1a90273919f62311a7668ef078709eff2fd6bd87	AdLoad sample
SHA256	7cb10a70fd25645a708c81f44bb1de2b6de39d583ae3a71df0913917ad1dffc3	AdLoad sample
SHA256	4a7c9829590e1230a448dd7a4272b9fbfbafccf7043441967c2f68f6082dde32	AdLoad sample
SHA256	68b6beb70bd547b75f2d36d70ca49f8b18542874480d39e33b09ee69eb1048b3	AdLoad sample
SHA256	1904b705105db4550371d678f8161826b98b1a9fca139fa41628214ed816d2f5	AdLoad sample
SHA256	2fb1d8e6454f43522f42675dcf415569e5df5d731e1d1390f793c282cce4a7aa	AdLoad sample
SHA256	ee9ebdb1d9a7424cd64905d39820b343c5f76e29c9cd60c0cdd3bfe069fb7d51	AdLoad sample
SHA256	c7721ab85bad163576c166a0a71c0dbe4cc491dda68c5a5907fd1d8cac50780d	AdLoad sample
URL	hxxp://m.skilledobject[.]com/a/rep	AdLoad beacon
URL	hxxp://m.browseractivity[.]com/a/rep	AdLoad beacon
URL	hxxp://m.enchantedreign[.]com/a/rep	AdLoad beacon
URL	hxxp://m.activitycache[.]com/a/rep	AdLoad beacon
URL	hxxp://m.activityinput[.]com/a/rep	AdLoad beacon
URL	hxxp://m.opticalupdater[.]com/a/rep	AdLoad beacon
URL	hxxp://m.connectioncache[.]com/a/rep	AdLoad beacon
URL	hxxp://m.analyzerstate[.]com/a/rep	AdLoad beacon
URL	hxxp://m.essencecuration[.]com/a/rep	AdLoad beacon
URL	hxxp://m.microrotator[.]com/a/rep	AdLoad beacon
URL	hxxp://m.articlesagile[.]com/a/rep	AdLoad beacon
URL	hxxp://m.progresshandler[.]com/a/rep	AdLoad beacon
URL	hxxp://m.originalrotator[.]com/a/rep	AdLoad beacon
URL	hxxp://m.productiveunit[.]com/a/rep	AdLoad beacon
URL	hxxp://api.toolenviroment[.]com/l	AdLoad beacon
URL	hxxp://api.inetfield[.]com/l	AdLoad beacon
URL	hxxp://api.operativeeng[.]com/l	AdLoad beacon
URL	hxxp://api.launchertasks[.]com/l	AdLoad beacon
URL	hxxp://api.launchelemnt[.]com/l	AdLoad beacon
URL	hxxp://api.validexplorer[.]com/l	AdLoad beacon
URL	hxxp://api.majorsprint[.]com/l	AdLoad beacon
URL	hxxp://api.essentialenumerator[.]com/l	AdLoad beacon
URL	hxxp://api.transactioneng[.]com/l	AdLoad beacon
URL	hxxp://api.macreationsapp[.]com/l	AdLoad beacon
URL	hxxp://api.commondevice[.]com/l	AdLoad beacon
URL	hxxp://api.compellingagent[.]com/l	AdLoad beacon
URL	hxxp://api.lookupindex[.]com/l	AdLoad beacon
URL	hxxp://api.practicalsync[.]com/l	AdLoad beacon
URL	hxxp://api.accessiblelist[.]com/l	AdLoad beacon
URL	hxxp://api.functionconfig[.]com/l	AdLoad beacon
Domain	hxxps://vpnservices[.]live	Proxy C&C to report infected systems
Domain	hxxps:// upgrader[.]live	Proxy C&C to report infected systems
Domain	hxxp://bapp.pictureworld[.]co	Proxy Node

 

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques: 

• • TA0001: Initial Access
    • T1189: Drive-by Compromise
  • TA0003: Persistence
    • T1543: Create or Modify System Process
      • T1543.001: Launch Agent
  • TA0005: Defense Evasion
    • T1140: Deobfuscate/Decode Files or Information
    • T1497: Virtualization/Sandbox Evasion
      • T1497.001: System Checks
    • T1222: File and Directory Permissions Modification
      • T1222.002: Linux and Mac File and Directory Permissions Modification
    • T1553: Subvert Trust Controls
      • T1553.001: Gatekeeper Bypass
    • T1562: Impair Defenses
      • T1562.001: Disable or Modify Tools
  • TA0007: Discovery
    • T1082: System Information Discovery
  • TA0011: Command and Control
    • T1090: Proxy
    • T1571: Non-Standard Port
  • TA0040: Impact
    • T1496: Resource Hijacking

The post Mac systems turned into proxy exit nodes by AdLoad appeared first on Cybersecurity Insiders.

Executive summary

AT&T Alien Labs researchers recently discovered a massive campaign of threats delivering a proxy server application to Windows machines. A company is charging for proxy service on traffic that goes through those machines. This is a continuation of research described in our blog on Mac systems turned into proxy exit nodes by AdLoad.

In this research, Alien Labs identified a company that offers proxy services, wherein proxy requests are rerouted through compromised systems that have been transformed into residential exit nodes due to malware infiltration. Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device, Alien Labs has evidence that malware writers are installing the proxy silently in infected systems. In addition, as the proxy application is signed, it has no anti-virus detection, going under the radar of security companies.

In this follow up article we explore the dramatic rise in Windows malware delivering the same payload to create a 400,000 proxy botnet.

Key takeaways:

• In just one week AT&T Alien Labs researchers observed more than a thousand new malware samples in the wild delivering the proxy application.
• According to the proxy website, there are more than 400,000 proxy exit nodes, and it is not clear how many of them were installed by malware.
• The application is silently installed by malware on infected machines without user knowledge and interaction.
• The proxy application is signed and has zero anti-virus detection.
• The proxy is written in Go programming language and is spread by malware both on Windows and macOS.

Analysis

In the constantly evolving landscape of cyber threats, malicious actors continuously find new and ingenious ways to exploit technology for their own gain. Recently Alien Labs has observed an emerging trend where malware creators are utilizing proxy applications as their tool of choice. Different malware strains are delivering the proxy – relying on users looking for interesting things, like cracked software and games.

The proxy is written in the Go programming language, giving it the flexibility to be compiled into binaries compatible with various operating systems, including macOS and Windows. Despite the fact that the binaries originated from the same source code, macOS samples are detected by numerous security checks while the Windows proxy application skirts around these measures unseen. This lack of detection is most likely due to the application being signed. (Figure 1) 

 

Figure 1. As  on Virus Total: Proxy application – zero detections.

After being executed on a compromised system, the malware proceeds to quietly download and install the proxy application. This covert process takes place without requiring any user interaction and often occurs alongside the installation of additional malware or adware elements. The proxy application and most of the malware delivering it are packed using Inno Setup, a free and popular Windows installer.

Figure 2. As observed by Alien Labs: Malware embedded script to install the proxy silently.

As shown in the figure 2 above, the malware uses specific Inno Setup parameters to silently install the proxy by executing it with the following instructions:

• “/SP-” – Disables the pop up “This will install… Do you wish to continue?” that usually prompts at the beginning of the windows Setup.
• “/VERYSILENT” – When a setup is very silent the installation progress bar window is not displayed.
• “/SUPPRESSMSGBOXES” – Instructs Setup to suppress message boxes. The setup automatically answers common interaction messages box with the user.

Furthermore, the malware transmits specific parameters directly to the proxy installation process, subsequently relaying them to the proxy’s command and control server (C&C) as part of the new peer registration process. These parameters play a crucial role in identifying the origin of the proxy propagation within the proxy command and control infrastructure.

The monetization of malware propagating proxy server through an affiliate program is troublesome, as it creates a formal structure to increase the speed at which this threat will spread. The downloaded proxy application is packed with Inno Setup as well, and the installation script is responsible both for installing its files and persistence. (Figure 3)

Figure 3. As observed by Alien Labs: Proxy installation script.

The setup file drops two executable files:

• “DigitalPulseService.exe” – Is the proxy server itself that communicates constantly with its exit node operator for further instructions.
• “DigitalPulseUpdater” – Check and download for new proxy applications available.

The proxy persists in the system in two ways:

• Run registry key: HKCUSoftwareMicrosoftWindowsCurrentVersionRunDigitalPulse
• Windows schedule task named “DigitalPulseUpdateTask” that will be executed each hour: %AppData%DigitalPulseDigitalPulseUpdate.exe

The updater, which is executed through the schedule task, queries the server along with the machine unique GUID on hourly basis, to check for the presence of any update versions. (Figure 4)

Figure 4. As observed by Alien Labs: Proxy updater service.

A response from the server will include the version and download link:

{“dd”:”https://digitalpulsedata.s3.amazonaws[.]com/update/pp/0.16.14/DigitalPulseService.exe”,”vv”:”0.0.16.14″}

The proxy then continuously gathers vital information from the machine to ensure optimal performance and responsiveness. This includes everything from process list and monitoring CPU to memory utilization and even tracking battery status. This dynamic data collection underscores its capability to manage the demands of proxy requests while evading suspicion by adapting to the system’s operational context. (Figure 5)

Figure 5. As observed by Alien Labs: Sending collected machine information to the command and control.

The proxy communicates with its command and control on port 7001 to receive further instructions. Figure 6 shows an example request from a proxy node server to get information from “www.google.de” from an infected device.

Figure 6. As observed by Alien Labs: Proxy exit node communication with its C&C.

Recommended actions

To remove the proxy application from the system, delete the following entities:

Type	Data	Instructions
Folder	“%AppData%DigitalPulse”	To find current user “AppData” folder: Run -> %AppData% -> ENTER
Registry	HKCUSoftwareMicrosoftWindowsCurrentVersionRunDigitalPulse
Schedule task	DigitalPulseUpdateTask

 

Conclusion

In the constantly changing world of cyber threats, the intertwined relationship between innovation and malicious intent propels new strategies by nefarious actors. The rise of malware delivering proxy applications as a lucrative investment, facilitated by affiliate programs, highlights the cunning nature of adversaries’ tactics. These proxies, covertly installed via alluring offers or compromised software, serve as channels for unauthorized financial gains. As we have examined, this underscores the importance of remaining vigilant and adaptive in the face of ever-evolving cyber threats.

Associated Indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

TYPE	INDICATOR	DESCRIPTION
SHA256	33585aed3e7c4387a3512b93612932718e9dff2358867ba8c4ad1e8073bbce31	Malware dropper hash
SHA256	2b79d98043030645f27bd1b061ffa27eab19462dff356e6b4a89bb1d3c9bf02d	Malware dropper hash
SHA256	b0692f201e6dfdbe1b920849a31f2b9fb73db19779fdb77c660c28fa22b70a38	Malware dropper hash
SHA256	424d35bc945ea2deda177b46978bbb45af74109a988450ea4ed5fe16c1f629f9	Malware dropper hash
SHA256	518bc3b96a97a573c61934ff65cc284c3e5545c7823318918a7cb05cbb5518b1	Malware dropper hash
SHA256	417cf3f959e1040ffe13fcf21691b05ea96da5849010b0a4d17c6cecbeaef621	Malware dropper hash
SHA256	611ce42b0866c085d751c579f00b9e76c412a7d1e1ebcf998be6b666edc22416	Malware dropper hash
SHA256	801ecf29bee98e3b942de85e08ec227373a15b0a253c9c3eb870af33709f3d8d	Malware dropper hash
SHA256	7926a84dcb6ffbe93893477f7f3ad52516cfedf8def5c43686dd6737926146a7	Malware dropper hash
SHA256	3aaaa01bdd20981fdc94d52c5ac0ed762a124b0a08c22d760ab7e43554ee84dd	Malware dropper hash
SHA256	7a33d3f5ca81cdcfe5c38f9a4e5bbf3f900aa8f376693957261cdbe21832c110	Malware dropper hash
SHA256	5a11065473b9a1e47d256d8737c2952da1293f858fc399157ab34bbaadff6cb8	Malware dropper hash
SHA256	de97da00ed54a1f021019852a23b50c82408ab7a71dc0f3e6fef3680ac884842	Malware dropper hash
SHA256	dad35cdd6213381cc350688f6c287f4f3e1192526f78b9b62779acc4b03495f9	Malware dropper hash
SHA256	42ae669786b19556de65eeb1c45ec4685016b69384c21f3bbc30aaf2cddb2126	Malware dropper hash
SHA256	e79c37dc791d1bdb01524d158421efa29dcebde250f7571e9e30714496b3c06f	Malware dropper hash
SHA256	f22452a13635e4651b51c1491312a74891ca1dcd1b5072cbb978c06dc0a560ca	Malware dropper hash
SHA256	6c3f24ff26c5d2f16ae6aa8842e97d402c2e203d0aa2798a40f4dc000554dbca	Malware dropper hash
SHA256	aad7a088f309c1e0671f327db2428a470c14d08d5f6489fcb628071d2361b6a7	Malware dropper hash
SHA256	0e364d219192854032767476173c91c3d61230990597b52e5c36ebadd0fd96d8	Malware dropper hash
SHA256	331cf0f8049fc0e68e8bd75f8efed629b41459425a971cbcec53485ba2bf4521	Malware dropper hash
SHA256	0ca119c7be4ec67355b47d8d197361e730d93153a87d09e00a68ceda340fabb0	Malware dropper hash
SHA256	db115eff8d8b013e89f398b922294b248d5d6be51d7ab60cbde3b6ff2ff3f219	Malware dropper hash
SHA256	1cff1d3a10cc36338803e37cc3c9e9121bdd8c5189ca4533d1c585715561bc4a	Malware dropper hash
SHA256	530e59f9bd99b191b54ec18eb92d6b44005e56c1dd877b4e4ce0370d3d917fb4	Malware dropper hash
SHA256	9a416904a4d942c77177770ea0680c48e5d5eddba793af3c434e4ff733daab56	Malware dropper hash
SHA256	aeeccab5b4712f4c7d75c0606fc4587f13df7a04aa4941bb6599f328ee67d950	Malware dropper hash
SHA256	3ff5e3932ba4a438c12c253ec6b00416ac6ce250173bac6be0bb8d619cea47bd	Malware dropper hash
SHA256	a10d023b10b878a09697563155799bd088ed2f797aff489b732959f917414f97	Malware dropper hash
SHA256	65a9895f5e49f8e18727fe16744c6631c0676e08499f4407b9d8c11634aae5e0	Malware dropper hash
SHA256	e07aa2d15520c6f0ab9bbbe049f48402e4b91fde59b22b5668daef2ec924a68b	Malware dropper hash
SHA256	cc3cbc8ad7f71223230a457aa2664d77b43b7f7a4988b42609ad707f0385aee3	Malware dropper hash
SHA256	cba34f77ca2a5d4dc56f4567ff1f0b2242105d532353d2868d7b2c42f1a37551	Malware dropper hash
SHA256	153de6a7d78bcce8a0cec446cdc20ec4b18ee72b74f59e76780ec5c76efddc52	Malware dropper hash
SHA256	8505c4c3d6406cc55a9492cf1a3285de9c0357691112b2ab787faa57d55d304b	Malware dropper hash
SHA256	c202911529293052006fa6bc6a87c66bbd5621738190dbd75a5b3a150fed5c41	Malware dropper hash
SHA256	550c4839f26bf81f480c5e4210be3ded43d4f8027d5d689a6fe8692c42235940	Malware dropper hash
	5324f5aae565ddc8dc2a4b574bc690cba6b35bd4bf3f63e6df14d613b68ac769	Malware dropper hash
DOMAIN	bapp.digitalpulsedata[.]com	Proxy node server

 

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

• • TA0001: Initial Access
    • T1189: Drive-by Compromise
  • TA0003: Persistence
    • T1547: Boot or Logon Autostart Execution
      • T1547.001: Registry Run Keys / Startup Folder
    • T1053: Scheduled Task/Job
      • T1053.005: Scheduled Task
  • TTA0007: Discovery
    • T1082: System Information Discovery
  • TA0011: Command and Control
    • T1090: Proxy
    • T1571: Non-Standard Port
  • TA0040: Impact
    • T1496: Resource Hijacking

The post ProxyNation: The dark nexus between proxy apps and malware appeared first on Cybersecurity Insiders.