Ransom Demands Surge 45% in 2021

Double extortion now the norm, says Group-IB

Phishing Campaigns featuring Ursnif Trojan on the Rise

Authored by Jyothi Naveen and Kiran Raj

McAfee Labs have been observing a spike in phishing campaigns that abuse Microsoft Office macro capabilities. These malicious documents reach victims via mass spam email campaigns and generally invoke urgency, fear, or similar emotions, leading unsuspecting users to open them promptly. The purpose of these spam operations is to deliver malicious payloads to as many people as possible.

A recent spam campaign used malicious Word documents to download and execute the Ursnif trojan. Ursnif is a high-risk trojan designed to harvest sensitive information; it typically archives the collected data and sends it back to a command-and-control server.

This blog describes how attackers use document properties and a few other techniques to download and execute the Ursnif trojan.

Threat Summary

The initial attack vector is a phishing email with a Microsoft Word document attachment.
Upon opening the document (and enabling macros), the VBA macro executes malicious shellcode.
The shellcode downloads the remote payload, Ursnif, and invokes rundll32.exe to execute it.

Infection Chain

The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, the macro runs shellcode that downloads a DLL (the Ursnif payload). The payload is then executed using rundll32.exe.

Figure 1- flowchart of infection chain

Word Analysis

Macros are disabled by default; the malware authors know this and therefore present an image that entices the victim into enabling them.

Figure 2- Image of what the user sees upon opening the document

VBA Macro Analysis of Word Document

Analyzing the sample statically with oleid and olevba (from the oletools suite) indicates the suspicious vectors.

Figure 3- Oleid output
Figure 4- Olevba output

The VBA macro supports both 32-bit and 64-bit Office and is heavily obfuscated, as seen in Figure 5.

Figure 5- Obfuscated VBA macro

To get a better understanding of the functionality, we have de-obfuscated the contents in the two figures shown below.

Figure 6- De-obfuscated VBA macro (stage 1)
Figure 7- De-obfuscated VBA macro (stage 2)

An interesting characteristic of this sample is that some of the strings, such as the CLSID, the URL for downloading Ursnif, and environment variable names, are stored reversed in custom document properties. As shown in Figure 7, the macro uses ActiveDocument.CustomDocumentProperties() to retrieve the properties and StrReverse to restore the original strings.

The document properties are shown in Figure 8.

Figure 8- Document properties

Payload Download and Execution

The malicious macro retrieves hidden shellcode from a custom property named "Company" using the "cdec" function, which converts the shellcode from its string form into numeric byte values, and then executes it. The raw property is shown below.

Figure 9- Raw Company property

The shellcode is written to memory and the page protection is changed to PAGE_EXECUTE_READWRITE with VirtualProtect.

Figure 10- Code of VirtualProtect
Figure 11- Shellcode’s memory and protection after calling VirtualProtect()

After placing the shellcode in memory, the macro creates an environment variable containing the malicious URL of the Ursnif payload. The shellcode later reads this variable to locate the download.

Figure 12- Environment variable set in Winword.exe space

The shellcode is executed via the SetTimer API. SetTimer creates a timer with the specified time-out value and calls a callback function when that interval elapses. The fourth parameter passed to SetTimer (lpTimerFunc) is the pointer to the shellcode in memory, so the shellcode is invoked as the timer callback once the time elapses.

Figure 13- SetTimer function (Execution of shellCode)
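As an added example, not taken from the McAfee analysis or from the sample itself, the following Python re-implements the two decodings the macro performs (StrReverse on the custom properties, and the "cdec"-style string-to-bytes conversion of the "Company" property) so that the URL and the shellcode can be recovered statically from a dump of the document properties, and then scores de-obfuscated, olevba-style macro text for the API pattern described above. The property names other than "Company", the environment variable name, the comma-separated decimal encoding of the shellcode string, and the VBA snippet are assumptions; the sample values are constructed, with the page's URL stored reversed as the macro would store it, and the shellcode replaced by a harmless NOP/RET stub.

```python
import re


def _reversed(s: str) -> str:
    """Store a string the way the macro does (it calls StrReverse on retrieval)."""
    return s[::-1]


# Constructed sample of custom document properties (not the real document).
# The page names only the "Company" property; "Manager" and "Keywords" are
# assumed names. The shellcode is 90 90 90 C3 (NOP NOP NOP RET) as decimal text,
# an assumed encoding for what the macro's "cdec" routine consumes.
SAMPLE_PROPERTIES = {
    "Manager": _reversed(
        "hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/"
    ),
    "Keywords": _reversed("URSNIF_URL"),  # assumed environment variable name
    "Company": "144,144,144,195",
}


def decode_reversed_properties(props: dict, shellcode_key: str = "Company") -> dict:
    """Undo StrReverse on every property except the one holding the shellcode."""
    return {k: v[::-1] for k, v in props.items() if k != shellcode_key}


def decode_shellcode(text: str) -> bytes:
    """Turn a string of decimal byte values into raw bytes.

    Any run of digits is one byte, so the separator does not matter. A value
    above 255 means the property is not encoded this way; stop rather than
    silently produce a wrong buffer.
    """
    values = [int(tok) for tok in re.findall(r"\d+", text)]
    if not values or any(v > 255 for v in values):
        raise ValueError("property is not a decimal byte string")
    return bytes(values)


# Matches defanged (hxxp) and live (http) URLs in decoded property values.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s\"'<>]+", re.IGNORECASE)


def extract_urls(decoded: dict) -> list:
    """Collect URLs from the decoded property values."""
    return [u for v in decoded.values() for u in URL_RE.findall(v)]


# API/keyword pattern that characterises this loader in de-obfuscated macro text.
INDICATORS = {
    "CustomDocumentProperties": re.compile(r"CustomDocumentProperties", re.I),
    "StrReverse": re.compile(r"\bStrReverse\b", re.I),
    "VirtualProtect": re.compile(r"\bVirtualProtect\b", re.I),
    "SetTimer": re.compile(r"\bSetTimer\b", re.I),
    "Environ": re.compile(r"\b(?:Environ|SetEnvironmentVariable)\b", re.I),
}


def triage_vba(source: str) -> list:
    """Return the names of the indicators present in macro source text."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


# Constructed, simplified VBA resembling the de-obfuscated stage 2; it is not
# the real macro. Only the API names matter for triage.
SAMPLE_VBA = """
Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (ByVal a As LongPtr, ByVal s As Long, ByVal p As Long, o As Long) As Long
Private Declare PtrSafe Function SetTimer Lib "user32" (ByVal h As LongPtr, ByVal i As LongPtr, ByVal e As Long, ByVal f As LongPtr) As LongPtr
Sub AutoOpen()
    u = StrReverse(ActiveDocument.CustomDocumentProperties("Manager"))
    SetEnvironmentVariable StrReverse(ActiveDocument.CustomDocumentProperties("Keywords")), u
    sc = cdec(ActiveDocument.CustomDocumentProperties("Company"))
    VirtualProtect VarPtr(sc(0)), UBound(sc) + 1, &H40, 0
    SetTimer 0, 0, 10, VarPtr(sc(0))
End Sub
"""

if __name__ == "__main__":
    decoded = decode_reversed_properties(SAMPLE_PROPERTIES)
    print("URLs:", extract_urls(decoded))
    print("shellcode:", decode_shellcode(SAMPLE_PROPERTIES["Company"]).hex())
    print("indicators:", triage_vba(SAMPLE_VBA))
```

In practice the property dump comes from olemeta or oletools' metadata output for the document, and the macro text from olevba; feeding those into decode_reversed_properties and triage_vba recovers the download URL without ever running the macro.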

The shellcode downloads the file from the URL stored in the environment variable, saves it as y9C4A.tmp.dll in the user's Temp folder, and executes it with rundll32.exe.

URL:
hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/

CMD:
rundll32 "C:\Users\user\AppData\Local\Temp\y9C4A.tmp.dll",DllRegisterServer

Figure 14- Exports of Downloaded DLL
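The command line above is also a detection opportunity. As an added example, not part of the McAfee post, the following Python runs a simple rule over constructed process-creation events (Sysmon Event ID 1 style fields) and flags rundll32.exe loading a DLL from a user-writable directory and calling DllRegisterServer when the parent is an Office application. The first event reproduces the command line from the analysis; the Office parent is assumed from the infection chain described above (the shellcode runs inside Word), and the benign control events and the example.dll path are constructed.

```python
import re
from typing import Iterable

# Constructed process-creation events (Sysmon Event ID 1 style). None of these
# come from a real host; the first mirrors the rundll32 command seen in the sample.
EVENTS = [
    {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32 "C:\Users\user\AppData\Local\Temp\y9C4A.tmp.dll",DllRegisterServer',
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # benign: Control Panel applet launched through rundll32 by explorer
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # same export name, but a DLL in System32 (hypothetical name) and a service parent
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe "C:\Windows\System32\example.dll",DllRegisterServer',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# DLL path under %LOCALAPPDATA%\Temp or %APPDATA% (user-writable locations).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(?:local\\temp|roaming)\\", re.I)
# rundll32 syntax: <dll>,<export>; the DLL may be quoted or bare.
RUNDLL_DLL = re.compile(r"""(?:"([^"]+\.dll)"|(\S+\.dll))\s*,\s*(\w+)""", re.I)


def parse_rundll32(cmdline: str):
    """Return (dll_path, export) from a rundll32 command line, or None."""
    m = RUNDLL_DLL.search(cmdline)
    if not m:
        return None
    return (m.group(1) or m.group(2), m.group(3))


def score_event(ev: dict) -> dict:
    """Evaluate one event and return the reasons that fired (empty means benign)."""
    reasons = []
    if not ev["Image"].lower().endswith("\\rundll32.exe"):
        return {"alert": False, "reasons": reasons}
    parsed = parse_rundll32(ev["CommandLine"])
    if parsed is None:
        return {"alert": False, "reasons": reasons}
    dll, export = parsed
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    if USER_WRITABLE.search(dll):
        reasons.append("dll_in_user_writable_dir")
    if export.lower() == "dllregisterserver":
        reasons.append("dllregisterserver_via_rundll32")
    if parent in OFFICE_PARENTS:
        reasons.append("office_parent")
    if re.search(r"\.tmp\.dll$", dll, re.I):
        reasons.append("tmp_dll_name")
    # A DLL in a user-writable directory plus at least one more indicator fires;
    # the writable-path condition alone is too noisy for installers.
    alert = "dll_in_user_writable_dir" in reasons and len(reasons) >= 2
    return {"alert": alert, "reasons": reasons}


def detect(events: Iterable[dict]) -> list:
    """Return the events that trip the rule, each with its reasons attached."""
    hits = []
    for ev in events:
        result = score_event(ev)
        if result["alert"]:
            hits.append({**ev, "reasons": result["reasons"]})
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit["CommandLine"], "->", ", ".join(hit["reasons"]))
```

The same conditions translate directly into a Sigma or EDR query (Image ends with rundll32.exe, CommandLine contains \AppData\Local\Temp\ and DllRegisterServer, ParentImage in the Office set); the Python form here just makes the logic testable against sample events.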

After the shellcode has run, the environment variable is removed.

Figure 15- Removal of Environment Variable

IOC 

TYPE | VALUE (SHA-256 / URL) | PRODUCT | DETECTION NAME
Main Word document | 6cf97570d317b42ef8bfd4ee4df21d217d5f27b73ff236049d70c37c5337909f | McAfee LiveSafe and Total Protection | X97M/Downloader.CJG
Downloaded DLL | 41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547 | McAfee LiveSafe and Total Protection | Ursnif-FULJ
URL to download DLL | hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/ | WebAdvisor | Blocked

MITRE ATT&CK Framework

Technique ID | Tactic | Technique | Description
T1566.001 | Initial Access | Phishing: Spearphishing Attachment | Manual execution by user
T1059.005 | Execution | Command and Scripting Interpreter: Visual Basic | Malicious VBA macros
T1218.011 | Defense Evasion | System Binary Proxy Execution: Rundll32 | rundll32.exe is used to run the downloaded DLL
T1027 | Defense Evasion | Obfuscated Files or Information | Obfuscated VBA, strings stored reversed in document properties, PowerShell Base64 executions
T1086 | Execution | PowerShell (deprecated ID, now T1059.001) | PowerShell command abuse

Conclusion

Macros are disabled by default in Microsoft Office applications, and we suggest keeping it that way unless the document comes from a trusted source. The infection chain discussed in this blog is not limited to Word or Excel; further threats may use other living-off-the-land tools to download their payloads.

McAfee customers are protected against the malicious files and sites detailed in this blog with McAfee LiveSafe/Total Protection and McAfee Web Advisor. 

The post Phishing Campaigns featuring Ursnif Trojan on the Rise appeared first on McAfee Blog.

DSA-5140 openldap – security update

Jacek Konieczny discovered a SQL injection vulnerability in the back-sql backend to slapd in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol, allowing an attacker to alter the database during an LDAP search operation when a specially crafted search filter is processed.

A Vulnerability in VMware Products Could Allow for Authentication Bypass

Multiple vulnerabilities have been discovered in VMware products, the most severe of which could result in authentication bypass.

VMware Workspace ONE Access is an access control application for Workspace ONE.
VMware Identity Manager is the identity and access management component of Workspace ONE.
vRealize Automation is a management platform for automating the delivery of container-based applications.
VMware Cloud Foundation is a hybrid cloud platform that provides a set of software-defined services for compute, storage, networking, security and cloud management to run enterprise apps.
vRealize Suite Lifecycle Manager allows for complete lifecycle and content management capabilities for vRealize Suite products.

Successful exploitation of the most severe of these vulnerabilities could result in authentication bypass. A malicious actor may be able to obtain administrative access. Depending on the permissions associated with the application running the exploit, an attacker could then install programs or view, change, or delete data.

A Guide to Identity Theft Statistics for 2022

There’s a digital counterpart for nearly everything we do, which means more of our personal information is online. And although this tends to make our lives easier, it opens the door for information to land in the wrong hands. Identity theft happens when someone uses your personally identifiable information (PII) for their own monetary or personal gain. Sensitive data like credit card numbers and Social Security numbers can be incredibly valuable if they get into the wrong hands.

The good news is that you can take steps to minimize the risk of identity theft. This article breaks down some of the most interesting fraud statistics and trends about identity theft in the United States and offers ways to protect your personal data from cybercriminals. 

Identity theft by the numbers

The number of identity theft cases reported to the Federal Trade Commission (FTC) has increased in the last five years. According to the FTC’s Consumer Sentinel Network (CSN) report, the number of reported cases more than doubled from 2019 to 2020.  

One possible reason for this upward trend is the coronavirus pandemic. Congress passed legislation that included more than $5 trillion in various government benefits. This money was helpful to out-of-luck Americans, but it was also extremely attractive to scammers, who used the opportunity to create fake identities and steal unemployment checks. In fact, the most common type of identity theft this past year was government documents and benefits fraud.

What else do the numbers say about the rise in identity theft? Let’s take a closer look: 

An estimated 15 million Americans had their identity stolen in 2021, according to Javelin Strategy; however, a huge majority of cases went unreported. (Source: Javelin Strategy & Research | 2022 Identity Fraud Study: The Virtual Battleground)
Last year, the FTC received more than 1.4 million reports of identity theft. (Source: Federal Trade Commission | Consumer Sentinel Network Data Book 2021)
Identity thieves stole around $52 billion from Americans last year. (Source: Javelin Strategy & Research | 2022 Identity Fraud Study: The Virtual Battleground)
More than 40 million U.S. consumers fell victim to identity theft in 2021. (Source: Javelin Strategy & Research | 2022 Identity Fraud Study: The Virtual Battleground)
The most likely victims of identity theft in 2021 were people from 30 to 39 years old. (Source: Federal Trade Commission | Consumer Sentinel Network Data Book 2021)
Criminals have stolen more than $750 million from taxpayers through COVID-19 stimulus scams since January 2020. (Source: Federal Trade Commission | FTC COVID-19 and Stimulus Reports)

These statistics only scratch the surface, though. Keep reading to learn more about the latest identity theft data and what you can do to protect your personal information.  

How common is identity theft in the U.S.?

Identity theft is a huge issue in the United States, and it doesn’t seem to be going away anytime soon. Fraud reports show that the number of identity thefts in the U.S. continues to grow. The graph below shows the number of identity theft reports from the first quarter of 2017 to the first quarter of 2021.

The reported instances of identity theft have risen sharply, from just over 100,000 in the first quarter of 2017 to well over 500,000 in the first quarter of 2021. 2020 had the sharpest increase in reports, as cybercriminals did their best to capitalize on the pandemic to take people’s government benefits.

Identity theft, by state  

Not every state is affected by ID theft equally. Where you live can have a big impact on your likelihood of experiencing identity theft. The graph below shows the number of identity theft cases reported to the FTC per 100,000 residents for each state in the U.S.

With a closer look, the five states with the most identity theft reports include Georgia, Louisiana, Illinois, Kansas, and Rhode Island, which takes the top spot. The number of reports in Rhode Island more than doubled in 2021, from 1,191 in 2020 to 2,857.  

At the other end of the spectrum, South Dakota remained the state with the lowest occurrence of identity theft, with only 76 residents per 100,000 experiencing it.  

Here’s a list of the 20 metro cities where you have the highest chance of having your identity stolen. 

Who are the victims of identity theft?

Anyone can become the victim of identity theft, in large part because so much of our information is online. However, certain age groups are more likely to experience particular types of scams.

For example, baby boomers are more likely than Generation Z to benefit from government programs. This makes them more susceptible to scams like benefits fraud (where a criminal poses as someone else to steal government benefits).  

On the other hand, younger generations like millennials have grown up with the internet, and activities like shopping online are more frequent. This makes them more susceptible to identity theft through credit card fraud.

Here’s a breakdown of the most common identity theft types from various generations:  

Types of identity theft

There are several different types of identity theft, ranging from stolen financial information to compromised health care data. Some forms are pretty straightforward. For instance, credit card fraud occurs when somebody steals your credit card number and uses it to buy things. Others, like medical identity theft, might be a bit harder to recognize.  

Here’s a list of five of the most common types of identity theft.

Financial identity theft: This form of identity theft is exactly what it sounds like and involves a criminal stealing your financial information. For instance, your credit card number can be stolen and used to make a purchase.  
Medical identity theft: With medical identity theft, someone steals your personal information to obtain health care services. An example is someone else using your identity to obtain prescription drugs. 
Criminal identity theft: This form of identity theft occurs when someone else uses your name when arrested. You’ll know this has happened to you if you receive a court summons, for instance, that you had no involvement with. 
Synthetic identity theft: A rising form of identity theft, synthetic identity theft is when someone creates a fake identity using someone’s real information. For instance, an imposter might create a fake identity using someone else’s real birthdate and Social Security number to apply for a loan. 
Child identity theft: With child identity theft, a criminal uses a minor’s personal information to commit bank fraud or another form of identity theft. 

Although these are five of the most common types of identity theft, they serve as umbrella terms for more specific forms of fraud. The diagram below shows the number of reported fraud cases of these various types of identity theft in 2021.

While the internet has made our day-to-day lives more convenient, it’s also made it much easier for scammers to steal our personal information. Identity theft has become increasingly common in the United States over the past five years.

The more you use the internet, the more opportunities scammers have to steal your data and sell it on places like the dark web. Social media platforms, e-commerce businesses, banking companies, and a host of other online businesses can store your information for a variety of reasons.  

If you use the internet for online shopping, for instance, there’s a good chance a large number of databases store your personal and financial data. While businesses use your information to give you a better online experience, scammers can also access it to steal your identity.

The graph below shows the growth of different types of identity theft from 2017 to 2021.  

What should I do if I think I’m a victim of identity theft?

Criminals use many tricks to get your information. Scammers or hackers might send phishing emails pretending to be the IRS, snoop around social media pages for password clues, get info through a data breach, or simply buy information on the dark web.

Here are a few things you can do if you believe you are the victim of identity theft.

Be on the lookout: To avoid identity theft, you’ll want to be alert for signs that someone has stolen your identity. Check your bank statement and credit report regularly to ensure there are no unexpected charges to your account. Pay attention to red flags like bills that arrive at your home with your information but someone else’s name, mysterious calls from debt collectors, or emails from new accounts for online services you don’t remember starting.
Reach out to local law enforcement: Some banks may make you show them a police report before they reimburse you for any fraudulent charges or withdrawals. 
Contact the company where your ID is being used: Let the businesses where your information is being used know what’s happened. For instance, you’ll want to contact your bank and cancel your credit cards if you find out a criminal is using them. 
Get in touch with the three big credit bureaus: Call or message TransUnion, Equifax, and Experian right away. They may be able to diminish the impact an identity thief has on your credit score.  
File a report with the FTC: Reporting identity fraud to the FTC can help spread awareness of scams and identity theft tactics so others don’t fall victim to them.  
Visit the Identity Theft Resource Center: The ITRC has tools and information to help you protect yourself against identity theft and recover from it.  

We’re here to help protect your personal information

The internet makes our lives easier in many ways. Although identity theft is rising, you shouldn’t let online scams prevent you from enjoying these digital conveniences. Identity thieves are an unavoidable part of using the internet, but you can greatly limit your risk of falling victim to cybercrime if you know what to watch out for and you’re smart online.  

Recognizing the signs of identity theft can help you stay ahead of fraudsters, and investing in McAfee Identity Protection services can offer another layer of protection. When you sign up for our identity protection services, you get perks like $1 million in identity theft protection insurance and email address and bank account monitoring. With our help, you can continue to use the internet with confidence. 

The post A Guide to Identity Theft Statistics for 2022 appeared first on McAfee Blog.

Smashing Security podcast #275: Jail for Bing, and mental health apps may not be good for you

A man hacks his employer to prove its security sucks, Telegram provides a helping hand to the Eternity Project malware, and what the heck do mental health apps think they’re up to?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Dr Jessica Barker.

Plus don’t miss our featured interview with Rumble’s Chris Kirsch.

CVE-2022-22972: VMware Patches Additional Workspace ONE Access Vulnerabilities (VMSA-2022-0014)

Organizations and government agencies are strongly advised to patch two newly disclosed vulnerabilities in VMware products, following warnings from VMware and the Cybersecurity and Infrastructure Security Agency.

Background

On May 18, VMware published an advisory (VMSA-2022-0014) to address two vulnerabilities across several VMware products:

CVE | Description | CVSSv3
CVE-2022-22972 | Authentication Bypass Vulnerability | 9.8
CVE-2022-22973 | Local Privilege Escalation Vulnerability | 7.8

Affected products include:

VMware Workspace ONE Access (Access)
VMware Identity Manager (vIDM)
vRealize Lifecycle Manager
VMware vRealize Automation (vRA)
VMware Cloud Foundation

This advisory follows a similar advisory from April (VMSA-2022-0011), where VMware patched multiple vulnerabilities across the same set of products.

Today, the Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 22-03 for all Federal Civilian Executive Branch (FCEB) agencies to address two flaws from VMSA-2022-0011 (CVE-2022-22954 and CVE-2022-22960) as well as the two flaws patched today, based on the expectation that threat actors will “quickly develop a capability to exploit these newly released vulnerabilities.”

Additionally, CISA published an alert (AA22-138B) highlighting how threat actors are chaining these VMware vulnerabilities to gain “full system control.” The alert also includes indicators of compromise and detection methods for defenders and incident responders.

Analysis

CVE-2022-22972 is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation that affects local domain users. To exploit this vulnerability, a remote attacker capable of accessing the respective user interface could bypass authentication for these products. It is the more severe of the two flaws patched today, having been assigned a CVSSv3 score of 9.8. This vulnerability was credited to security researcher Bruno López of Innotec Security.

CVE-2022-22973 is a local privilege escalation vulnerability in the VMware Workspace ONE Access and Identity Manager. In order to exploit this vulnerability, an attacker would need to have local access to the vulnerable instances of Workspace ONE Access and Identity Manager. Successful exploitation would allow an attacker to gain “root” privileges.

Last month’s VMware bugs are cause for concern for today’s advisory

Within two days of VMware publishing its advisory for VMSA-2022-0011, researchers at GreyNoise began to observe exploitation attempts targeting CVE-2022-22954, a server-side template injection vulnerability:

We’re seeing ~10 IPs exploiting the VMWare Workspace ONE RCE (CVE-2022-22954) at-scale across the internet in @GreyNoiseIO. FW Blocks + Tags available to all users and customers now. https://t.co/uvRpXl7QYf

Insanely quick work by @kimb3r__, #Konstantin, @_mattata, @nathanqthai pic.twitter.com/XEQOmWKg6C

— Andrew Morris (afk) (@Andrew___Morris) April 13, 2022

In addition to CVE-2022-22954, VMware confirmed in-the-wild exploitation of CVE-2022-22960, a local privilege escalation vulnerability.

Considering the swiftness with which attackers began to exploit these two flaws from VMSA-2022-0011, the expectation is that attackers will be able to quickly develop a proof-of-concept (PoC) exploit for CVE-2022-22972 and begin scanning for vulnerable instances across the internet. This appears to be CISA’s expectation, prompting the agency to publish the Emergency Directive for FCEBs to quickly remediate these flaws.

Proof of concept

At the time this blog post was published, there were no public PoC exploits for either of the flaws addressed in VMware’s VMSA-2022-0014 advisory.

Solution

VMware released patches for the vulnerabilities in the following affected products:

Product/Component | Affected Versions
VMware Workspace ONE Access Appliance | 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
VMware Identity Manager Appliance | 3.3.6, 3.3.5, 3.3.4, 3.3.3
VMware vRealize Automation | 7.6

VMware publishes second FAQ document for Workspace ONE flaws

For the second straight month, VMware has published a companion frequently asked questions (FAQ) document to provide additional clarification for the flaws addressed in VMSA-2022-0014. Once again, VMware underscores the importance of patching these flaws, stressing that the ramifications are “serious.”

Because VMware updates are cumulative, applying the fixes for VMSA-2022-0014 will also address the flaws in VMSA-2022-0011. VMware has provided a workaround for organizations that are not able to patch immediately; however, applying the workaround prevents admins from logging into the Workspace ONE Access console. VMware strongly recommends patching, as it is the “only way to remove the vulnerabilities from your environment.”

VMware notes that vSphere as well as the connectors for Workspace ONE Access and VMware Identity Manager are not affected.

Identifying affected systems

A list of Tenable plugins covering the CVEs outlined in this blog can be found here. This link uses a search filter to ensure that all matching plugin coverage will appear.

Get more information

VMware Advisory: VMSA-2022-0014
VMware VMSA-2022-0014 FAQ
Workaround instructions to address CVE-2022-22972

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP® Application Server, ABAP and ABAP® Platform (Different Software Components)

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on May 18

SEC Consult Vulnerability Lab Security Advisory < 20220518-0 >
=======================================================================
              title: Multiple Critical Vulnerabilities
            product: SAP® Application Server ABAP and ABAP® Platform
                     (Different Software Components)
 vulnerable version: see section “Vulnerable / tested versions”
      fixed version: see SAP security notes…

PHPIPAM 1.4.4 – CVE-2021-46426

Posted by Rodolfo Augusto do Nascimento Tavares via Fulldisclosure on May 18

=====[ Tempest Security Intelligence – ADV-03/2022 ]==========================

PHPIPAM – Version 1.4.4

Author: Rodolfo Tavares

Tempest Security Intelligence – Recife, Pernambuco – Brazil

=====[ Table of Contents ]==================================================

* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgements
* References

=====[ Vulnerability Information…
