The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and delete arbitrary attachments.
Monthly Archives: August 2023
CVE-2023-0274
The URL Params WordPress plugin before 2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2023-0058
The Tiempo.com WordPress plugin through 0.1.2 does not have a CSRF check when creating and editing its shortcode, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
CVE-2022-4782
The ClickFunnels WordPress plugin through 3.1.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.
USN-6292-1: Ceph vulnerability
It was discovered that Ceph incorrectly handled crash dumps. A local attacker could possibly use this issue to escalate privileges to root.
How to Spot Fake News in Your Social Media Feed
Spotting fake news in your feed has always been tough. Now it just got tougher, thanks to AI.
Fake news crops up in plenty of places on social media. And it has for some time now. In years past, it took the form of misleading posts, image captions, quotes, and the sharing of outright false information in graphs and charts. Now with the advent of AI, we see fake news taken to new levels of deception:
Deepfake videos that mimic the looks and parrot the words of well-known public figures.
AI-generated voice clones that sound spooky close to the voices they mimic.
Entire news websites generated by AI, rife with bogus stories and imagery.
All of it’s out there. And knowing how to separate fact from fiction has never been more important, particularly as more and more people get their news via social media.
Pew Research found that about a third of Americans say they regularly get their news from Facebook and nearly 1 in 4 say they regularly get it from YouTube. Moreover, global research from Reuters uncovered that more people primarily get their news from social media (30%) rather than from an established news site or app (22%). This marks the first time that social media has toppled direct access to news.
Yet, you can spot fake news. Plenty of it.
The process starts with a crisp definition of what fake news is, followed by the forms it takes, and then a sense of what the goals behind it are. With that, you can apply a critical eye and pick out the telltale signs.
We’ll cover it all here.
What is fake news?
A textbook definition of fake news goes something like this:
A false news story, fabricated with no verifiable facts, and presented in a way to appear as legitimate news.
As for its intent, fake news often seeks to damage the reputation of an individual, institution, or organization. It might also spout propaganda or attempt to undermine established facts.
That provides a broad definition. Yet, like much fake news itself, the full definition is much more nuanced. Within fake news, you’ll find two categories: disinformation and misinformation:
Disinformation: This is intentionally misleading information that’s been manipulated to create a flat-out lie—typically with an ulterior motive in mind. Here, the creator knows that the information is false.
Example: As a bad joke, a person concocts a phony news story that a much-anticipated video game release just got canceled. However, the game will certainly see its release. In the meantime, word spreads and online fans whip up into a frenzy.
Misinformation: This simply involves getting the facts wrong, unknowingly, which is what separates it from disinformation. We’re only human, and sometimes that means we forget details or recall things incorrectly. Likewise, when a person shares disinformation without fact-checking it, that is a form of misinformation as well.
Example: A person sees a post that a celebrity has died and shares that post with their friends and followers—when in fact, that celebrity is still very much alive.
From there, fake news gets more nuanced still. Misinformation and disinformation fall within a range. Some of it might appear comical, while other types might have the potential to do actual harm.
Dr. Claire Wardle, the co-director of the Information Futures Lab at Brown University, cites seven types of misinformation and disinformation on a scale as visualized below:
Source – FirstDraftNews.org and Brown University
Put in a real-life context, you can probably conjure up plenty of examples you’ve seen. Like clickbait-y headlines that link to letdown articles with little substance. Maybe you’ve seen a quote pasted on the image of a public figure, a quote that person never made. Perhaps an infographic, loaded with bogus statistics and attributed to an organization that doesn’t even exist. It can take all forms.
Who’s behind fake news? And why?
The answers here vary as well. Greatly so. Fake news can begin with a single individual or a group of like-minded individuals with an agenda, and it can even come from operatives of various nation-states. As for why, they might want to poke fun at someone, drive ad revenue through clickbait articles, or spout propaganda.
Once more, a visualization provides clarity in this sometimes-murky mix of fake news:
Source – FirstDraftNews.org and Brown University
In the wild, some examples of fake news and the reasons behind it might look like this:
Imposter sites that pose as legitimate news outlets yet post entirely unfounded pieces of propaganda.
Parody sites that can look legitimate, so much so that people might mistake their content for actual news.
AI deepfakes: images, recordings, and videos of public figures in embarrassing situations that get presented as “real news” to damage their reputation.
Perhaps a few of these examples ring a bell. You might have come across some where you weren’t exactly sure if it was fake news or not.
The following tools can help you know for sure.
Spotting what’s real and fake in your social media feed.
Consider the source
Some of the oldest advice is the best advice, and that holds true here: consider the source. Take time to examine the information you come across. Look at its source. Does that source have a track record of honesty and dealing plainly with the facts?
For an infographic, you can search for the name of its author or the institution that’s attributed to it. Are they even real in the first place?
For news websites, check out their “About Us” pages. Many bogus sites skimp on information here, whereas legitimate sites will go to lengths about their editorial history and staff.
For any content that has any citation listed to legitimize it as fact, search on it. Plenty of fake news uses sources and citations that are just as fake too.
Check the date
This falls under a similar category as “consider the source.” Plenty of fake news will take an old story and repost it or alter it in some way to make it appear relevant to current events. In recent years, we’ve seen fake news creators slap a new headline on an old photo, all to make it seem like it’s something current. Once again, a quick search can help you tell if it’s fake or not. Try a reverse image search and see what comes up. Is the photo indeed current? Who took it? When? Where?
Check your emotions too
Has a news story you’ve read or watched ever made you shake your fist at the screen or want to clap and cheer? How about something that made you fearful or simply laugh? Bits of content that evoke strong emotional responses tend to spread quickly, whether they’re articles, a post, or even a tweet. That’s a ready sign that a quick fact check might be in order. The content is clearly playing to your biases.
There’s a good reason for that. Bad actors who wish to foment unrest, unease, or spread disinformation use emotionally driven content to plant a seed. Whether or not their original story gets picked up and viewed firsthand doesn’t matter to these bad actors. Their aim is to get some manner of disinformation out into the ecosystem. They rely on others who will re-post, re-tweet, or otherwise pass it along on their behalf—to the point where the original source of the information gets completely lost. This is one instance where people readily begin to accept certain information as fact, even if it’s not factual at all.
Certainly, some legitimate articles will generate a response as well, yet it’s a good habit to do a quick fact check and confirm what you’ve read.
Expand your media diet
A single information source or story won’t provide a complete picture. It might only cover a topic from a certain angle or narrow focus. Likewise, information sources are helmed by editors and stories are written by people—all of whom have their biases, whether overt or subtle. It’s for this reason that expanding your media diet to include a broad range of information sources is so important.
So, see what other information sources have to say on the same topic. Consuming news across a spectrum will expose you to thoughts and coverage you might not otherwise get if you keep your consumption to a handful of sources. The result is that you’re more broadly informed and can compare different sources and points of view. Using the tips above, you can find other reputable sources to round out your media diet.
Additionally, for a list of reputable information sources, along with the reasons they’re reputable, check out “10 Journalism Brands Where You Find Real Facts Rather Than Alternative Facts” published by Forbes and authored by an associate professor at The King’s College in New York City. It certainly isn’t the end all, be all of lists, yet it should provide you with a good starting point.
Let an expert do the fact-checking for you
De-bunking fake news takes time and effort. Often a bit of digging and research too. Professional fact-checkers at news and media organizations do this work daily. Posted for all to see, they provide a quick way to get your answers. Some fact-checking groups include:
Politifact.com
Snopes.com
FactCheck.org
Reuters Fact Check
Three ways to spot AI-generated fakes
As AI continues its evolution, it gets trickier and trickier to spot it in images, video, and audio. Advances in AI give images a clarity and crispness that they didn’t have before, deepfake videos play more smoothly, and voice cloning gets uncannily accurate.
Yet even with the best AI, scammers often leave their fingerprints all over the fake news content they create. Look for the following:
1) Consider the context
AI fakes usually don’t appear by themselves. There’s often text or a larger article around them. Inspect the text for typos, poor grammar, and overall poor composition. Look to see if the text even makes sense. Does it include the identifying information a legitimate news article carries, such as the date, time, and place of publication, along with the author’s name?
2) Evaluate the claim
Does the image seem too bizarre to be real? Too good to be true? Today, “Don’t believe everything you read on the internet,” now includes “Don’t believe everything you see on the internet.” If a fake news story is claiming to be real, search for the headline elsewhere. If it’s truly noteworthy, other known and reputable sites will report on the event—and have done their own fact-checking.
3) Check for distortions
The bulk of AI technology still renders fingers and hands poorly. It often creates eyes that might have a soulless or dead look to them—or that show irregularities between them. Also, shadows might appear in places where they look unnatural. Further, the skin tone might look uneven. In deepfaked videos, the voice and facial expressions might not exactly line up, making the subject look robotic and stiff.
Be safe out there
The fact is that fake news isn’t going anywhere. It’s a reality of going online. And AI makes it tougher to spot.
At least at first glance. The best tool for spotting fake news is a fact-check. You can do the work yourself, or you can rely on trusted resources that have already done the work.
This takes time, which people don’t always spend because social platforms make it so quick and easy to share. If we can point to one reason fake news spreads so quickly, that’s it. In fact, social media platforms reward such behavior.
With that, keep an eye on your own habits. We forward news in our social media feeds too—so make sure that what you share is truthful too.
Be safe out there
Plenty of fake news can lure you into sketchy corners of the internet. Places where malware and phishing sites take root. Consider using comprehensive online protection software to keep safe. In addition to several features that protect your devices, privacy, and identity, such software can warn you of unsafe sites too. While it might not sniff out AI content (yet), it offers strong protection against bad actors who might use fake news to steal your information or harm your data and devices.
The post How to Spot Fake News in Your Social Media Feed appeared first on McAfee Blog.
UK Electoral Commission Hacked
The UK Electoral Commission discovered last year that it was hacked the year before. That’s fourteen months between the hack and the discovery. It doesn’t know who was behind the hack.
We worked with external security experts and the National Cyber Security Centre to investigate and secure our systems.
If the hack was by a major government, the odds are really low that it has resecured its systems—unless it burned the network to the ground and rebuilt it from scratch (which seems unlikely).
ProxyNation: The dark nexus between proxy apps and malware
Executive summary
AT&T Alien Labs researchers recently discovered a massive campaign of threats delivering a proxy server application to Windows machines. A company is charging for proxy service on traffic that goes through those machines. This is a continuation of research described in our blog on Mac systems turned into proxy exit nodes by AdLoad.
In this research, Alien Labs identified a company that offers proxy services, wherein proxy requests are rerouted through compromised systems that have been transformed into residential exit nodes due to malware infiltration. Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device, Alien Labs has evidence that malware writers are installing the proxy silently in infected systems. In addition, as the proxy application is signed, it has no anti-virus detection, going under the radar of security companies.
In this follow-up article we explore the dramatic rise in Windows malware delivering the same payload to create a 400,000-node proxy botnet.
Key takeaways:
In just one week AT&T Alien Labs researchers observed more than a thousand new malware samples in the wild delivering the proxy application.
According to the proxy website, there are more than 400,000 proxy exit nodes, and it is not clear how many of them were installed by malware.
The application is silently installed by malware on infected machines without the user’s knowledge or interaction.
The proxy application is signed and has zero anti-virus detection.
The proxy is written in the Go programming language and is spread by malware on both Windows and macOS.
Analysis
In the constantly evolving landscape of cyber threats, malicious actors continuously find new and ingenious ways to exploit technology for their own gain. Recently Alien Labs has observed an emerging trend where malware creators are utilizing proxy applications as their tool of choice. Different malware strains are delivering the proxy – relying on users looking for interesting things, like cracked software and games.
The proxy is written in the Go programming language, giving it the flexibility to be compiled into binaries compatible with various operating systems, including macOS and Windows. Despite the fact that the binaries originated from the same source code, macOS samples are detected by numerous security checks while the Windows proxy application skirts around these measures unseen. This lack of detection is most likely due to the application being signed. (Figure 1)
Figure 1. As seen on VirusTotal: Proxy application – zero detections.
After being executed on a compromised system, the malware proceeds to quietly download and install the proxy application. This covert process takes place without requiring any user interaction and often occurs alongside the installation of additional malware or adware elements. The proxy application and most of the malware delivering it are packed using Inno Setup, a free and popular Windows installer.
Figure 2. As observed by Alien Labs: Malware embedded script to install the proxy silently.
As shown in Figure 2 above, the malware uses specific Inno Setup command-line switches to run the proxy installer silently:
“/SP-” – Disables the “This will install… Do you wish to continue?” prompt that Setup normally shows at the start.
“/VERYSILENT” – Runs the installation with no progress window at all (a plain “/SILENT” would still display the progress bar).
“/SUPPRESSMSGBOXES” – Instructs Setup to suppress message boxes and answer common prompts automatically instead of asking the user. It only has an effect when combined with “/SILENT” or “/VERYSILENT”, which is why all three switches appear together.
Furthermore, the malware passes specific parameters to the proxy installer, which relays them to the proxy’s command and control (C&C) server as part of the new-peer registration. These parameters let the proxy operator identify where each node came from, that is, which distribution channel delivered it.
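The silent-install switches above are a usable detection signal in process-creation telemetry. The following is an added example, not code from the Alien Labs report: it parses Sysmon Event ID 1 records and flags Inno Setup installers launched with all three switches. The two events are constructed for illustration (paths and times are made up); the only thing taken from the report is the switch combination.

```powershell
# Added example (not from the Alien Labs report): flag Inno Setup installers
# launched with the three switches the dropper uses, working from Sysmon
# Event ID 1 (process creation) records. $SampleEvents below is constructed;
# on a live host replace it with
#   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} |
#       ForEach-Object { $_.ToXml() }

$SilentSwitches = @('/SP-', '/VERYSILENT', '/SUPPRESSMSGBOXES')

function ConvertFrom-SysmonProcessCreate {
    # Turn one Sysmon event XML string into an object with the fields we need.
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        UtcTime     = $data['UtcTime']
        Image       = $data['Image']
        CommandLine = $data['CommandLine']
        ParentImage = $data['ParentImage']
    }
}

function Test-InnoSilentInstall {
    # True only when all three switches are present. Unattended enterprise
    # deployments commonly pass /VERYSILENT alone; /SP- plus /SUPPRESSMSGBOXES
    # on top of it is the combination seen in the dropper's install script.
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($s in $SilentSwitches) {
        if ($CommandLine -notlike "*$s*") { return $false }   # -like is case-insensitive, as are Inno switches
    }
    return $true
}

function Find-SilentInnoInstalls {
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($e in $EventXml) {
        $p = ConvertFrom-SysmonProcessCreate -EventXml $e
        if ($p.CommandLine -and (Test-InnoSilentInstall -CommandLine $p.CommandLine)) {
            [pscustomobject]@{
                UtcTime     = $p.UtcTime
                Parent      = $p.ParentImage
                Image       = $p.Image
                CommandLine = $p.CommandLine
                Technique   = 'Silent Inno Setup install (/SP- /VERYSILENT /SUPPRESSMSGBOXES)'
            }
        }
    }
}

# Constructed sample events (not real telemetry)
$SampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2023-08-01 10:00:01.000</Data>
    <Data Name="Image">C:\Users\bob\AppData\Local\Temp\proxy_setup.exe</Data>
    <Data Name="CommandLine">"C:\Users\bob\AppData\Local\Temp\proxy_setup.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES</Data>
    <Data Name="ParentImage">C:\Users\bob\Downloads\game_crack.exe</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2023-08-01 10:05:00.000</Data>
    <Data Name="Image">C:\Users\bob\Downloads\7z2301-x64.exe</Data>
    <Data Name="CommandLine">"C:\Users\bob\Downloads\7z2301-x64.exe" /S</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@
)

Find-SilentInnoInstalls -EventXml $SampleEvents | Format-List
```

Only the first sample event is reported. Pivoting on the parent image (a download from a cracked-software site rather than a software-deployment agent) is what separates this from legitimate unattended installs that use the same switches.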
Monetizing malware-propagated proxy nodes through an affiliate program is troubling, as it creates a formal structure that accelerates the spread of this threat. The downloaded proxy application is packed with Inno Setup as well, and its installation script is responsible both for installing the files and for persistence. (Figure 3)
Figure 3. As observed by Alien Labs: Proxy installation script.
The setup file drops two executable files:
“DigitalPulseService.exe” – The proxy server itself, which communicates constantly with its exit node operator for further instructions.
“DigitalPulseUpdater” – Checks for and downloads new versions of the proxy application.
The proxy persists in the system in two ways:
Run registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DigitalPulse
Windows scheduled task named “DigitalPulseUpdateTask” that executes every hour: %AppData%\DigitalPulse\DigitalPulseUpdate.exe
The updater, launched by the scheduled task, queries the server hourly with the machine’s unique GUID to check for newer versions. (Figure 4)
Figure 4. As observed by Alien Labs: Proxy updater service.
A response from the server will include the version and download link:
{"dd":"https://digitalpulsedata.s3.amazonaws[.]com/update/pp/0.16.14/DigitalPulseService.exe","vv":"0.0.16.14"}
The proxy then continuously collects host telemetry and reports it to the C&C: the process list, CPU and memory utilization, and even battery status. This gives the operator a view of how much proxy traffic each node can carry without degrading the host enough to draw the user’s attention. (Figure 5)
Figure 5. As observed by Alien Labs: Sending collected machine information to the command and control.
The proxy communicates with its command and control on port 7001 to receive further instructions. Figure 6 shows an example request from a proxy node server to get information from “www.google.de” from an infected device.
Figure 6. As observed by Alien Labs: Proxy exit node communication with its C&C.
Recommended actions
To remove the proxy application from the system, delete the following artifacts:
Type | Data | Instructions
Folder | %AppData%\DigitalPulse | To open the current user’s AppData folder: Run -> %AppData% -> ENTER
Registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DigitalPulse | Delete the DigitalPulse value under the Run key
Scheduled task | DigitalPulseUpdateTask | Delete the task in Task Scheduler
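The removal table above, and the persistence section before it, describe artifacts an analyst would normally check by hand. The script below is an added example, not tooling from the Alien Labs report: it enumerates the folder, Run value and scheduled task named in the report, hashes any files it finds so they can be compared with the IOC table, notes an established connection on the C&C port the report mentions (7001), and removes the artifacts only when run with -Remove. The process names used for the kill step are assumed from the file names in the report.

```powershell
# Added example (not from the Alien Labs report): find the DigitalPulse
# persistence artifacts, hash any files found, and optionally remove them.
# Run in an elevated PowerShell as the user whose profile was infected:
# the Run key and %AppData% path are per-user.
param([switch]$Remove)

$Folder   = Join-Path $env:APPDATA 'DigitalPulse'
$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'DigitalPulse'
$TaskName = 'DigitalPulseUpdateTask'
$C2Port   = 7001   # C&C port from the report (host: bapp.digitalpulsedata[.]com)

function Get-DigitalPulseArtifacts {
    $found = New-Object System.Collections.Generic.List[object]

    # Dropped files, hashed for comparison with the IOC table / VirusTotal
    if (Test-Path -LiteralPath $Folder) {
        foreach ($f in Get-ChildItem -LiteralPath $Folder -File -Recurse) {
            $found.Add([pscustomobject]@{
                Type     = 'File'
                Location = $f.FullName
                Detail   = 'SHA256 ' + (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            })
        }
    }

    # Run-key persistence (T1547.001)
    $run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    if ($run) {
        $found.Add([pscustomobject]@{ Type = 'Registry'; Location = "$RunKey\$RunValue"; Detail = $run.$RunValue })
    }

    # Hourly updater task (T1053.005)
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task) {
        $actions = foreach ($a in $task.Actions) { "$($a.Execute) $($a.Arguments)".Trim() }
        $found.Add([pscustomobject]@{ Type = 'ScheduledTask'; Location = $task.TaskPath + $task.TaskName; Detail = ($actions -join '; ') })
    }

    # Live C&C session on the non-standard port (T1571)
    foreach ($c in Get-NetTCPConnection -RemotePort $C2Port -State Established -ErrorAction SilentlyContinue) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $found.Add([pscustomobject]@{ Type = 'Network'; Location = "$($c.RemoteAddress):$C2Port"; Detail = "PID $($c.OwningProcess) $($proc.Path)" })
    }
    return $found
}

function Remove-DigitalPulseArtifacts {
    # Stop the proxy and updater first so the files are not locked (process
    # names assumed from the file names in the report), then remove the
    # task, the Run value and the folder.
    Get-Process -Name 'DigitalPulseService', 'DigitalPulseUpdate' -ErrorAction SilentlyContinue | Stop-Process -Force
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $Folder -Recurse -Force -ErrorAction SilentlyContinue
}

$artifacts = Get-DigitalPulseArtifacts
if ($artifacts.Count -eq 0) { Write-Host 'No DigitalPulse artifacts found.'; return }
$artifacts | Format-Table -AutoSize -Wrap
if ($Remove) {
    Remove-DigitalPulseArtifacts
    Write-Host 'Removed. Reboot and re-run the script to confirm nothing came back.'
}
```

Collect the output (and the hashes) before using -Remove: the proxy arrives alongside other malware or adware, so a clean re-run after reboot confirms only that this component is gone, not that the dropper’s other payloads are.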
Conclusion
In the constantly changing world of cyber threats, the intertwined relationship between innovation and malicious intent propels new strategies by nefarious actors. The rise of malware delivering proxy applications as a lucrative investment, facilitated by affiliate programs, highlights the cunning nature of adversaries’ tactics. These proxies, covertly installed via alluring offers or compromised software, serve as channels for unauthorized financial gains. As we have examined, this underscores the importance of remaining vigilant and adaptive in the face of ever-evolving cyber threats.
Associated Indicators (IOCs)
The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.
TYPE | INDICATOR | DESCRIPTION
SHA256 | 33585aed3e7c4387a3512b93612932718e9dff2358867ba8c4ad1e8073bbce31 | Malware dropper hash
SHA256 | 2b79d98043030645f27bd1b061ffa27eab19462dff356e6b4a89bb1d3c9bf02d | Malware dropper hash
SHA256 | b0692f201e6dfdbe1b920849a31f2b9fb73db19779fdb77c660c28fa22b70a38 | Malware dropper hash
SHA256 | 424d35bc945ea2deda177b46978bbb45af74109a988450ea4ed5fe16c1f629f9 | Malware dropper hash
SHA256 | 518bc3b96a97a573c61934ff65cc284c3e5545c7823318918a7cb05cbb5518b1 | Malware dropper hash
SHA256 | 417cf3f959e1040ffe13fcf21691b05ea96da5849010b0a4d17c6cecbeaef621 | Malware dropper hash
SHA256 | 611ce42b0866c085d751c579f00b9e76c412a7d1e1ebcf998be6b666edc22416 | Malware dropper hash
SHA256 | 801ecf29bee98e3b942de85e08ec227373a15b0a253c9c3eb870af33709f3d8d | Malware dropper hash
SHA256 | 7926a84dcb6ffbe93893477f7f3ad52516cfedf8def5c43686dd6737926146a7 | Malware dropper hash
SHA256 | 3aaaa01bdd20981fdc94d52c5ac0ed762a124b0a08c22d760ab7e43554ee84dd | Malware dropper hash
SHA256 | 7a33d3f5ca81cdcfe5c38f9a4e5bbf3f900aa8f376693957261cdbe21832c110 | Malware dropper hash
SHA256 | 5a11065473b9a1e47d256d8737c2952da1293f858fc399157ab34bbaadff6cb8 | Malware dropper hash
SHA256 | de97da00ed54a1f021019852a23b50c82408ab7a71dc0f3e6fef3680ac884842 | Malware dropper hash
SHA256 | dad35cdd6213381cc350688f6c287f4f3e1192526f78b9b62779acc4b03495f9 | Malware dropper hash
SHA256 | 42ae669786b19556de65eeb1c45ec4685016b69384c21f3bbc30aaf2cddb2126 | Malware dropper hash
SHA256 | e79c37dc791d1bdb01524d158421efa29dcebde250f7571e9e30714496b3c06f | Malware dropper hash
SHA256 | f22452a13635e4651b51c1491312a74891ca1dcd1b5072cbb978c06dc0a560ca | Malware dropper hash
SHA256 | 6c3f24ff26c5d2f16ae6aa8842e97d402c2e203d0aa2798a40f4dc000554dbca | Malware dropper hash
SHA256 | aad7a088f309c1e0671f327db2428a470c14d08d5f6489fcb628071d2361b6a7 | Malware dropper hash
SHA256 | 0e364d219192854032767476173c91c3d61230990597b52e5c36ebadd0fd96d8 | Malware dropper hash
SHA256 | 331cf0f8049fc0e68e8bd75f8efed629b41459425a971cbcec53485ba2bf4521 | Malware dropper hash
SHA256 | 0ca119c7be4ec67355b47d8d197361e730d93153a87d09e00a68ceda340fabb0 | Malware dropper hash
SHA256 | db115eff8d8b013e89f398b922294b248d5d6be51d7ab60cbde3b6ff2ff3f219 | Malware dropper hash
SHA256 | 1cff1d3a10cc36338803e37cc3c9e9121bdd8c5189ca4533d1c585715561bc4a | Malware dropper hash
SHA256 | 530e59f9bd99b191b54ec18eb92d6b44005e56c1dd877b4e4ce0370d3d917fb4 | Malware dropper hash
SHA256 | 9a416904a4d942c77177770ea0680c48e5d5eddba793af3c434e4ff733daab56 | Malware dropper hash
SHA256 | aeeccab5b4712f4c7d75c0606fc4587f13df7a04aa4941bb6599f328ee67d950 | Malware dropper hash
SHA256 | 3ff5e3932ba4a438c12c253ec6b00416ac6ce250173bac6be0bb8d619cea47bd | Malware dropper hash
SHA256 | a10d023b10b878a09697563155799bd088ed2f797aff489b732959f917414f97 | Malware dropper hash
SHA256 | 65a9895f5e49f8e18727fe16744c6631c0676e08499f4407b9d8c11634aae5e0 | Malware dropper hash
SHA256 | e07aa2d15520c6f0ab9bbbe049f48402e4b91fde59b22b5668daef2ec924a68b | Malware dropper hash
SHA256 | cc3cbc8ad7f71223230a457aa2664d77b43b7f7a4988b42609ad707f0385aee3 | Malware dropper hash
SHA256 | cba34f77ca2a5d4dc56f4567ff1f0b2242105d532353d2868d7b2c42f1a37551 | Malware dropper hash
SHA256 | 153de6a7d78bcce8a0cec446cdc20ec4b18ee72b74f59e76780ec5c76efddc52 | Malware dropper hash
SHA256 | 8505c4c3d6406cc55a9492cf1a3285de9c0357691112b2ab787faa57d55d304b | Malware dropper hash
SHA256 | c202911529293052006fa6bc6a87c66bbd5621738190dbd75a5b3a150fed5c41 | Malware dropper hash
SHA256 | 550c4839f26bf81f480c5e4210be3ded43d4f8027d5d689a6fe8692c42235940 | Malware dropper hash
SHA256 | 5324f5aae565ddc8dc2a4b574bc690cba6b35bd4bf3f63e6df14d613b68ac769 | Malware dropper hash
DOMAIN | bapp.digitalpulsedata[.]com | Proxy node server
Mapped to MITRE ATT&CK
The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:
TA0001: Initial Access
T1189: Drive-by Compromise
TA0003: Persistence
T1547: Boot or Logon Autostart Execution
T1547.001: Registry Run Keys / Startup Folder
T1053: Scheduled Task/Job
T1053.005: Scheduled Task
TA0007: Discovery
T1082: System Information Discovery
TA0011: Command and Control
T1090: Proxy
T1571: Non-Standard Port
TA0040: Impact
T1496: Resource Hijacking
Stories from the SOC – Unveiling the stealthy tactics of Aukill malware
Executive summary
On April 21st, 2023, AT&T Managed Extended Detection and Response (MXDR) investigated an attempted ransomware attack on one of our clients, a home improvement business. The investigation revealed the attacker used AuKill malware on the client’s print server to disable the server’s installed EDR solution, SentinelOne, by brute forcing an administrator account and downgrading a driver to a vulnerable version.
AuKill, first identified by Sophos X-Ops researchers in June 2021, is a sophisticated malware designed to target and neutralize specific EDR solutions, including SentinelOne and Sophos. Distributed as a dropper, AuKill drops a vulnerable driver named PROCEXP.SYS (from Process Explorer release version 16.32) into the system’s C:\Windows\System32\drivers folder. This malware has been observed in the wild, utilized by ransomware groups to bypass endpoint security measures and effectively spread ransomware variants such as Medusa Locker and Lockbit on vulnerable systems.
In this case, SentinelOne managed to isolate most of the malicious files before being disabled, preventing a full-scale ransomware incident. As a result, AT&T MXDR found no evidence of data exfiltration or encryption. Despite this, the client opted to rebuild the print server as a precautionary measure. This study provides an in-depth analysis of the attack and offers recommendations to mitigate the risk of future attacks.
Investigating the first phase of the attack
Initial intrusion
The targeted asset was the print server, which we found unusual. However, upon further investigation we concluded the attacker misidentified the asset as a Domain Controller (DC), as it had recently been repurposed from a DC to a print server. The attacker needed both local administrator credentials and kernel-level access to successfully run AuKill and disable SentinelOne on the asset. To gain those local administrator credentials, the attacker successfully brute-forced an administrator account. Shortly after the compromise, this account was observed making unauthorized registry changes.
Establishing a beachhead
After compromising the local administrator account, the attackers used the “Users\Administrator\Music\aSentinel” folder as a staging area for subsequent phases of their attack. All AuKill-related binaries and scripts were executed from this path, with the innocuous “Music” folder name helping to conceal their malicious activities.
AuKill’s SentinelOne variant has been found to operate as two Windows services, “aSentinel.exe” and “aSentinelX.exe”. Other variants target different EDRs, such as Sophos, using correspondingly named services like “aSophos.exe” and “aSophosX.exe”.
Establishing persistence
We also discovered “aSentinel.exe” running from “C:\Windows\system32”, indicating that the attackers attempted to establish a foothold on the compromised server. Malware authors frequently target the system32 folder because it is a trusted location, and security software may not scrutinize files within it as closely as those in other locations. This can help malware bypass security measures and remain hidden. It is likely that the malware was initially placed in the “Users\Administrator\Music\aSentinel” directory and later copied to the system32 directory for persistence.
Network reconnaissance
Our investigation also revealed that PCHunter, a publicly available utility previously used in ransomware incidents such as Dharma, was running from the “Users\Administrator\Music\aSentinel” directory. This suggests that the attackers used PCHunter as a reconnaissance tool to survey the client’s network before deploying the EDR killer malware. Additionally, PCHunter enables threat actors to terminate programs and interface directly with the Windows kernel, which aligns with the needs of the attacker. We observed PCHunter generating several randomly named .sys files, as illustrated below:
Preventing data recovery
We found that the attacker deleted shadow volume copies from the print server. Windows creates these copies to restore files and folders to previous versions in case of data loss. By removing the shadow copies, the attacker was attempting to make it more challenging for our client to recover their files if they were successfully encrypted. Although no ransomware was deployed, the deletion of shadow copies reveals the attackers’ intentions. This information, together with the usage of PCHunter and the staging of the EDR killer malware, paints a more complete picture of the attacker’s objectives and tactics.
Bypassing native Windows protection
With all these pieces in place, the attacker still needed kernel-level access. Despite gaining administrator rights early on, the attacker did not yet have enough control over the system to kill SentinelOne. EDR agents such as SentinelOne run as protected (anti-malware) processes, so even a local administrator cannot terminate them from user mode. To get around that safeguard, the attacker had to go one level deeper into the operating system and obtain kernel-level code execution.
Investigating the second phase of the attack
Dropping the vulnerable driver
Our team discovered that AuKill had replaced the current Process Explorer driver, PROCEXP152.sys, with an outdated and vulnerable version named PROCEXP.SYS (from Process Explorer release version 16.32), located in the C:\Windows\System32\drivers directory. The alarm screenshot below demonstrates how AuKill swapped the existing driver with this older version, making the system susceptible to further exploitation.
Windows incorporates a security feature called Driver Signature Enforcement, which ensures that kernel-mode drivers are signed by a valid code signing authority before they can run. It checks only that the signature is valid, not whether that driver version has known flaws, so a legitimately signed but vulnerable driver loads without complaint. The attackers took advantage of exactly that: the insecure PROCEXP.SYS driver was produced and signed by Microsoft at an earlier date. As demonstrated in the SentinelOne screenshot below, the driver is signed and verified by Microsoft. Furthermore, the originating process was aSentinel.exe, an executable created to disable SentinelOne.
Acquiring kernel-level access
Process Explorer, a legitimate system monitoring tool developed by Microsoft’s Sysinternals team, enables administrators to examine and manage applications’ ongoing processes, as well as their associated threads, handles, and DLLs.
Upon startup, Process Explorer loads a signed kernel-mode driver, facilitating interaction with the system’s kernel, which is responsible for managing hardware and resources. Normally, that driver is PROCEXP152.sys. The attacker replaced the PROCEXP152.sys driver on the print server with the exploitable PROCEXP.SYS, employing what is known as a BYOVD (Bring Your Own Vulnerable Driver) attack. The attacker used this method to exploit the now vulnerable kernel mode driver to gain the kernel-level access they needed to successfully kill SentinelOne.
Killing SentinelOne
The kernel-mode driver used by Process Explorer can close handles held by other processes, including handles that are inaccessible even to administrators. A handle is an identifier that corresponds to a specific resource opened by a process, such as a file or a registry key. At this point, AuKill used Process Explorer’s kernel driver to specifically target protected handles associated with SentinelOne processes running on the print server. The SentinelOne processes were killed when the protected process handles were closed, rendering the EDR powerless. AuKill then spawned several threads to ensure that these EDR processes stayed down and did not resume. Each thread concentrated on a particular SentinelOne component and regularly checked whether the targeted processes were active; if they were, AuKill terminated them again. SentinelOne was out of the way and no longer an obstacle to the attacker.
Response
Customer interaction
At this point, the attacker had gained privileged access to the asset, deployed their malware, and successfully killed the endpoint protection solution, SentinelOne. Based on the Cyber Kill Chain methodology developed by Lockheed Martin, we can conclude that the attacker had now successfully reached the “Command and Control” stage. However, the attacker did not reach the “Actions on Objectives” stage, as SentinelOne managed to disrupt ransomware deployment enough before it was killed to prevent any additional damage.
Any attempts to re-deploy malware or move laterally following the disablement of the EDR were thwarted by our team, who swiftly alerted the client to the activity and advised that the asset be taken offline and isolated from the rest of the network. Our team informed the client that the shadow copies had been deleted and SentinelOne had been turned off on their print server. After having our threat hunters thoroughly review their environment, we reassured the client that no sensitive information was exfiltrated or encrypted. In response to the attack, the client moved to rebuild their print server and reinstall SentinelOne.
Recommendations
As BYOVD attacks that bypass EDR software become more widespread, we strongly advise blocklisting outdated drivers with a known history of exploitation; on Windows, Microsoft’s vulnerable driver blocklist (enforced through HVCI or a WDAC policy) is the ready-made starting point. Furthermore, we encourage our clients to maintain an inventory of the drivers installed on their systems, ensuring they remain current and secure. Lastly, we recommend bolstering the security of administrator accounts to defend against brute force attacks, as the incident detailed in this blog post could not have transpired without the initial privileged user compromise.
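The driver inventory recommended above, together with the point made earlier that a valid Microsoft signature says nothing about whether a driver is exploitable, can be turned into a small hunting script. The following is an added example, not tooling from the AT&T MXDR write-up: it lists every driver in System32\drivers with its version, signer, signature status and SHA256, and flags the Process Explorer driver when it carries the legacy PROCEXP.SYS name or a version at or below 16.32, the release the write-up identifies as vulnerable. The version threshold comes from the write-up; matching on the “Process Explorer” product string in the driver’s version resource is an assumption, and $KnownBad is an empty placeholder to be filled from a maintained vulnerable-driver hash list.

```powershell
# Added example (not from the AT&T MXDR write-up): inventory kernel drivers
# and flag a Process Explorer driver that is the legacy PROCEXP.SYS or a
# build <= 16.32. Assumptions: the product string in the driver's version
# resource contains "Process Explorer"; $KnownBad is populated by you from a
# vulnerable-driver feed (Microsoft's blocklist, loldrivers, etc.).

$DriverDir             = Join-Path $env:SystemRoot 'System32\drivers'
$MaxVulnProcExpVersion = [version]'16.32'
$KnownBad              = @{}   # SHA256 (uppercase) -> description

function Get-DriverInventory {
    foreach ($f in Get-ChildItem -LiteralPath $DriverDir -Filter '*.sys' -File) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        $vi  = $f.VersionInfo
        $ver = $null
        if ($vi.ProductVersion) {
            # Keep the leading numeric part, e.g. "16.32" from "16.32 (build ...)"
            [void][version]::TryParse(($vi.ProductVersion -split '[^\d.]')[0], [ref]$ver)
        }
        [pscustomobject]@{
            Name        = $f.Name
            Product     = $vi.ProductName
            Description = $vi.FileDescription
            Version     = $ver
            Signer      = $sig.SignerCertificate.Subject
            SigStatus   = $sig.Status
            SHA256      = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            Modified    = $f.LastWriteTime
        }
    }
}

function Test-VulnerableDriver {
    # Returns a reason string when the driver should be investigated, else $null.
    # A Valid SigStatus from Microsoft is deliberately NOT treated as clearing
    # the driver: PROCEXP.SYS 16.32 is Microsoft-signed and still loads under
    # Driver Signature Enforcement.
    param([Parameter(Mandatory)]$Driver)
    if ($KnownBad.ContainsKey($Driver.SHA256)) { return 'Hash on vulnerable-driver blocklist: ' + $KnownBad[$Driver.SHA256] }
    if ($Driver.Name -ieq 'PROCEXP.SYS') { return 'Legacy Process Explorer driver name, as dropped by AuKill' }
    $isProcExp = ($Driver.Product -like '*Process Explorer*') -or ($Driver.Description -like '*Process Explorer*') -or ($Driver.Name -like 'PROCEXP*')
    if ($isProcExp -and $Driver.Version -and $Driver.Version -le $MaxVulnProcExpVersion) {
        return "Process Explorer driver version $($Driver.Version) is <= 16.32"
    }
    return $null
}

$inventory = Get-DriverInventory
$inventory | Export-Csv -Path (Join-Path $env:TEMP 'driver-inventory.csv') -NoTypeInformation
foreach ($d in $inventory) {
    $why = Test-VulnerableDriver -Driver $d
    if ($why) { Write-Warning "$($d.Name) [$($d.SigStatus); $($d.Signer); modified $($d.Modified)]: $why" }
}
```

Exporting the full inventory on a schedule and diffing it against the previous run is what catches the swap the write-up describes: a newly modified Process Explorer driver appearing in System32\drivers on a print server that has no business running Process Explorer at all.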
GitPython-3.1.18-2.el8
FEDORA-EPEL-2023-9a26de25cf
Packages in this update:
GitPython-3.1.18-2.el8
Update description:
Backport a patch to fully fix CVE-2022-24439