Russia Archives - My TechDecisions
https://mytechdecisions.com/tag/russia/ (feed updated Fri, 02 Jun 2023 14:09:37 +0000)

Kaspersky Discovers New 0-Click iOS Exploit
https://mytechdecisions.com/it-infrastructure/kaspersky-discovers-new-0-click-ios-exploit/ (Thu, 01 Jun 2023 21:46:50 +0000)
Cybersecurity firm Kaspersky says it is investigating “previously unknown” malware targeting the company’s own employees’ Apple iOS devices; the malware can compromise a device via an iMessage attachment without any user interaction.

According to Kaspersky, the message triggers a vulnerability that leads to code execution, and the code within the exploit downloads several subsequent stages from the command-and-control server that include additional exploits for privilege escalation.

After successful exploitation, a final payload is downloaded from the C&C server, which Kaspersky calls a “fully featured APT platform.” The initial message and the exploit in the attachment are then deleted.

How Kaspersky discovered the exploit

Researchers for Kaspersky, which is the subject of a federal government ban and potential enforcement actions due to its alleged ties to the Russian government, say the company was monitoring network traffic on its own corporate WiFi network dedicated to mobile devices when they noticed suspicious activity coming from iOS devices.

“Since it is impossible to inspect modern iOS devices from the inside, we created offline backups of the devices in question, inspected them using the Mobile Verification Toolkit’s mvt-ios and discovered traces of compromise,” researchers say.

The company says its mobile device backups provided a partial copy of the filesystem, including some user data and service databases. Timestamps of files, folders and the database records helped the company reconstruct the events leading to compromise.

According to Kaspersky, the malicious toolset does not support persistence, likely due to the limitations of the operating system.

Based on the timelines of the infected devices, a device may be reinfected after it is rebooted.

The oldest traces of infection discovered by researchers date to 2019, and the attack is ongoing: the most recent version successfully targeted is iOS 15.7, which was released in September 2022.

While analysis of the final payload is not finished yet, Kaspersky researchers say the code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C&C server.

Disabling iMessage would prevent iOS devices from compromise, the company says.

The vulnerabilities used were not disclosed in the Kaspersky blog, but they were apparently zero-days until they were patched in February.

Who is behind these attacks?

Neither Kaspersky the company nor its CEO of the same name attributed the attacks to any specific group, but Russia’s Federal Security Service (FSB), in a separate statement that did not specifically mention the Kaspersky report, accused the U.S. National Security Agency and Apple of “close cooperation” to spy on Russian diplomats.

In a statement provided to Reuters and other media outlets, Apple denied the claims, saying the company has “never worked with any government to insert a backdoor into any Apple product and never will.”

In a series of tweets, CEO Eugene Kaspersky says successful exploitation can result in the transmission of private information, including microphone recordings, photos from instant messages, geolocation and data about a number of other activities.

The spyware infected “several dozen iPhones” of Kaspersky employees, but the CEO says the threat has been neutralized and the company is now operating normally.

In other tweets, Kaspersky says the campaign is not related to other iOS attacks, such as Pegasus, Predator or Reign. In addition, the Russia-based cybersecurity firm was not the main target of the attacks, the CEO says.

The company calls this campaign “Operation Triangulation” and has set up a webpage containing all related information. The company is asking anyone with additional details to contact the company at triangulation[at]kaspersky.com.

How to find out if you’ve been affected by Operation Triangulation

Kaspersky on Friday released a tool designed to automate the process of checking iOS device backups for possible indicators of compromise.

This article was updated on June 2, 2023 to reflect a statement from Apple.

Microsoft Discovers Novel, Previously Unidentified Ransomware Strain
https://mytechdecisions.com/network-security/microsoft-discovers-novel-previously-unidentified-ransomware-strain/ (Mon, 17 Oct 2022 17:26:07 +0000)
Microsoft is warning of a “novel” ransomware campaign targeting organizations in Ukraine and Poland leveraging a previously unidentified payload that was deployed in attacks just last week.

According to the Redmond, Wash.-based IT giant, the new ransomware labels itself as “Prestige ranusomeware” and features an enterprise-wide deployment model that is not common in attacks seen in Ukraine thus far. In addition, this activity does not appear to be connected to any of the 90-plus ransomware activity groups that Microsoft tracks.

In fact, this is the first time Microsoft has ever observed this ransomware strain in the wild.

The company says the activity shares some similarities with Russian state-aligned activity since its victims are Russia’s adversaries. Additionally, some of the victims of the ransomware overlap with victims of FoxBlade, a destructive malware deployed against Ukraine also known as HermeticWiper. Like other mass-deployment ransomware campaigns, the attacks all occurred within an hour of each other across all victims, Microsoft says.

However, this campaign is much different from recent wiper attacks that have impacted multiple critical infrastructure organizations in Ukraine, and it’s unclear which threat group is behind these ransomware attacks.

According to Microsoft, the threat actor behind these attacks uses two widely available remote execution tools: the commercially available RemoteExec for agentless remote code execution and the open-source, script-based remote code execution tool Impacket WMIExec.

To gain access to highly privileged credentials, the attackers use three main tools for privilege escalation and credential extraction:

  • winPEAS – an open-source collection of scripts to perform privilege escalation on Windows
  • comsvcs.dll – used to dump the memory of the LSASS process and steal credentials
  • ntdsutil.exe – used to back up the Active Directory database, likely for later use of credentials

In all deployments observed by Microsoft, the attacker already had advanced privileges, including Domain Admin. Administrator privileges are required to run the ransomware. However, an initial access vector has not yet been identified, suggesting the threat actor had access from a prior compromise.

This campaign also differs from others in the methods used to deploy the ransomware.

In one method, the payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload. In another, the ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload. Another deployment leverages an Active Directory Domain Controller and the Default Domain Group Policy Object.

Like other ransomware, Prestige attempts to stop the MSSQL Windows service to ensure successful encryption using the command C:\Windows\System32\net.exe stop MSSQLSERVER. The ransomware creates C:\Users\Public\README and stores the ransom note in the file. The same file is also created in the root directory of each drive, Microsoft says.

The ransomware then traverses the files on the file system and encrypts the contents of files while avoiding encrypting files in the C:\Windows\ and C:\ProgramData\Microsoft\ directories, according to the company.

To encrypt files, Prestige leverages the CryptoPP C++ library to AES-encrypt each eligible file. After encrypting each file, the ransomware appends the extension .enc to the existing extension of the file. For example, changes.txt is encrypted and then renamed to changes.txt.enc, Microsoft security experts say.

The ransomware then runs other commands to delete the backup catalog from the system to hinder system and file recovery, and also deletes all volume shadow copies on the system.

In addition to using multifactor authentication and enabling tamper protection and cloud-delivered protection in Microsoft Defender, Microsoft suggests blocking process creations originating from PSExec and WMI commands.

Read Microsoft’s blog on the Prestige ransomware for more information, including indicators of compromise, detections and advanced hunting queries.

Russian Cyberattack Threat Evolves, Spurs New White House Warning To Harden IT Environments
https://mytechdecisions.com/network-security/white-house-russia-cyberattack/ (Mon, 21 Mar 2022 21:18:53 +0000)
The White House is urging organizations to take immediate action to harden cyber defenses as credible intelligence of a Russian cyberattack in response to U.S. involvement in the Ukraine crisis continues to evolve.

In a statement by President Joe Biden and a related fact sheet, the administration says there is “evolving intelligence that the Russian Government is exploring options for potential cyberattacks,” purportedly in response to U.S. support of Ukraine and economic sanctions that have impacted the Russian economy.

Russia has allegedly used a variety of cyberattack tactics against Ukraine, including destructive malware and other attacks masked by ransomware, but the U.S. and other western nations have largely been unscathed thus far. However, that may change as tensions escalate with the U.S. and other western countries continuing to provide assistance to Ukraine.

In Biden’s announcement, the president calls for the private sector to harden defenses immediately by implementing best practices that the administration, CISA and other entities have developed over the last year.

The White House is urging companies to take these steps to harden their IT environments, and they are largely standard best practices that organizations should be observing, regardless of the threat of a Russian cyberattack, including:

  • Implementing multi-factor authentication
  • Deploying modern endpoint protection tools on computers and devices
  • Consulting cybersecurity professionals to make sure systems are patched against known vulnerabilities
  • Changing passwords if they are ever compromised
  • Backing up data to offline backups
  • Creating and testing emergency response plans
  • Encrypting data so it can’t be used if it is stolen
  • Training and educating employees on modern cybersecurity protocols
  • Engaging with FBI or CISA offices to establish relationships in advance of cyber incidents and encouraging IT to review those resources

In addition to urging organizations to take those immediate steps, the White House is also urging technology and software companies to do their part to help protect their customers and the IT supply chain from a Russian cyberattack, including:

  • Building security into products from the ground up
  • Developing software only on a secure system accessible only to developers working on the project
  • Using modern tools to scan for vulnerabilities in software
  • Developing software bills of materials that include the ingredients in the software so IT can respond quickly if there are vulnerabilities

In addition, the White House urges organizations to implement the security practices mandated in Biden’s executive order, Improving Our Nation’s Cybersecurity. Under that executive order, software the U.S. government uses is required to meet specific security baselines.

For more information, read Biden’s statement and the White House’s fact sheet.

Cyber Attack Trends Amid Russia-Ukraine Conflict
https://mytechdecisions.com/network-security/cyber-attack-trends-russia-ukraine-conflict/ (Mon, 28 Feb 2022 21:49:34 +0000)
Cyber attacks on Ukraine’s government and military sector surged by 196% within the first three days of Russia’s invasion on Feb. 24, 2022, compared to the start of the month, according to Check Point Research.

The cybersecurity firm released its findings from the first few days of the conflict, finding that attacks against Ukraine far outweighed any other region, as the same sectors globally and in Russia did not show a similar increase.

Cyber attacks against Russian organizations increased by 4%, compared to the same days in the previous week, according to data from Check Point.

By comparison with Ukraine, the overall number of cyber attacks per organization increased by just 0.2%, and regions across the world are experiencing decreases in cyber attacks per organization, the company says.

Interestingly, cyber attacks against the U.S. and North America have declined 12% and 13%, respectively, despite both the U.S. and Canada taking part in sanctions against Russia and supplying aid to Ukraine.

Read Next: Cybersecurity Experts: Ukraine, Russia Crisis Could Result in U.S. Cyberattacks

Increase in Phishing Emails  

Check Point also notes that phishing emails in the Russian and Ukrainian languages have increased sevenfold. A third of the malicious phishing emails were directed at Russian recipients and sent from Ukrainian email addresses, either real or spoofed.

Check Point says it is also observing an increase in fraudulent emails taking advantage of the situation, luring recipients to donate money to fake Ukrainian aid organizations for financial gain.

WhisperGate & HermeticWiper Malware

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint advisory on the destructive malware WhisperGate and HermeticWiper, both used to target organizations in Ukraine. The malware is capable of destroying computer systems and rendering them inoperable. It targets Windows devices, manipulates the master boot record, displays a fake ransomware note and encrypts files based on certain file extensions, which results in subsequent boot failure, according to SentinelLabs.

CISA and the FBI note that there is no credible threat to the U.S. at this time, but urge organizations to assess and bolster their cybersecurity.

How to Spot a Phishing Email

With any phishing email, it is imperative to look for the following, according to Check Point:

  1. Fake domains
  2. Unusual attachments
  3. Incorrect grammar or tone
  4. Suspicious requests

10 Things IT Can Do To Harden Cyber Defenses Amid The Russia-Ukraine Conflict
https://mytechdecisions.com/it-infrastructure/10-things-it-can-do-to-harden-cyber-defenses-amid-the-russia-ukraine-conflict/ (Fri, 25 Feb 2022 19:45:02 +0000)
Cyberattacks have been front and center in the Ukraine crisis, as the country is not just suffering from conventional warfare as it fights with Russia. The country’s critical infrastructure has been repeatedly attacked, purportedly by hackers working for its next-door adversary.

These attacks have targeted government websites, infrastructure and more with DDoS attacks and destructive malware. Cybersecurity firm Symantec has a detailed writeup of the latter, calling it a new form of disk-wiping malware that has targeted finance, defense, aviation and IT services.

Now, U.S. agencies and cybersecurity experts say those Russian cyberthreats against Ukraine may very well make their way to elsewhere in Europe or the U.S. if retaliatory sanctions and other non-military actions provoke them. There are no specific threats, but officials and experts are issuing warnings nonetheless.

Especially for critical infrastructure organizations including IT, healthcare, transportation, financial services, energy, defense, water and more as defined by the U.S. government, IT and security personnel should take these steps immediately.

  1. Scrutinize information. CISA is warning critical infrastructure organizations to be wary of misinformation, disinformation and malinformation (MDM) as a means to compromise specific sectors and lead to social engineering attacks against sensitive accounts.
  2. Accelerate security projects now. The Krebs Stamos Group, headed by former CISA Director Chris Krebs, recommends switching from long-term goals to short-term priorities. Security projects like multifactor authentication should be accelerated by adding resources and removing bureaucratic barriers.
  3. Ensure systems are up to date. CISA keeps a list of vulnerabilities that it knows to be actively exploited, and it continues to grow. Many of the vulnerabilities listed are several years old, which highlights the importance of implementing security patches as soon as possible.
  4. Conduct vulnerability scans. CISA says a handful of vulnerabilities are routinely leveraged by Russian state-sponsored hackers, so prioritize those specific patches.
  5. Deploy antivirus/antimalware solutions. Confirm that an organization’s IT environment is completely protected by antivirus/antimalware tools and that signatures in the tools are updated.
  6. Develop and test an incident response plan. Identify key stakeholders and IT/security personnel who will be responsible for responding to a cybersecurity incident. Conduct penetration tests and simulations to test those plans.
  7. Ensure your backups are secure and operational. There have been reports that ransomware is accompanying that destructive malware used on Ukrainian systems, and notorious Russia-based ransomware group Conti has reportedly pledged to support the Russian government and retaliate in the event of a cyberattack against Russia.
  8. Implement log collection and retention. CISA and other agencies recommend using native tools such as Microsoft 365 Sentinel, Sparrow, Hawk or CrowdStrike’s Azure Reporting Tool.
  9. Prioritize protection of critical systems. One of CISA’s recommendations during this period in history includes prioritizing critical business systems to maintain operational continuity. Conduct tests against those systems to ensure they remain available in the event of a cyberattack.
  10. It is no longer just IT’s job to be aware of cybersecurity threats. Conduct hands-on training on obvious signs of a hacking attempt, deploy phishing tests and share recent cybersecurity news with staff.

For more information on potential attacks, we recommend visiting CISA’s website. For more information on the details of specific attacks, follow this ongoing blog and the Twitter thread below from cybersecurity leader Sophos.

This is What A Russian Cyberattack Looks Like
https://mytechdecisions.com/network-security/this-what-a-russian-cyberattack-looks-like/ (Tue, 18 Jan 2022 17:05:59 +0000)
Many organizations that have valuable data or even come close to touching sectors of the U.S. government are likely fending off cyberattacks from nation-state countries, with Russia among the top such threats.

Now, due to increasing tensions between Russia, Ukraine and western countries, IT and cybersecurity professionals should be on the lookout for sophisticated threat actors associated with the former Soviet Union. To help defenders be prepared for those threats, several U.S. agencies have released information and guides to help spot those potential attacks.

That includes a joint cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency, FBI and NSA on commonly observed tactics, techniques and procedures of a typical Russian threat actor along with actions defenders should take.

According to the advisory, Russian state-sponsored actors use common techniques to gain initial access to target networks, including spearphishing, brute force and exploiting these known vulnerabilities:

The advisory also included several recent examples of Russian state-sponsored operations compromising third-party software, deploying their own custom malware and targeting industrial control systems networks with destructive malware.

Below are some common tactics and techniques employed by Russian state-sponsored hackers, per the advisory:

  • Reconnaissance. Hackers perform large-scale vulnerability scans in an attempt to find servers that contain known vulnerabilities that haven’t yet been patched. They also conduct spearphishing campaigns to gain credentials to target networks.
  • Resource Development. Russian actors develop and deploy their own custom malware, much of which is designed to disrupt industrial control systems.
  • Initial access. In addition to phishing campaigns and vulnerability scanning, Russian actors exploit vulnerable internet-facing applications and compromise the build environments of trusted third-party software. An example of this was the compromise of the SolarWinds Orion IT management software discovered in December 2020.
  • Execution. Agencies say hackers backed by the Russian government use cmd.exe to execute commands on remote machines and use PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data and execute other commands.
  • Persistence. To maintain persistence, threat actors use credentials of valid accounts, giving them unfettered, long-term access to victim IT environments.
  • Credential access. To gain credentials, Russian threat actors use a variety of tactics, including brute force, credential dumping, stealing or forging Kerberos tickets, compromising account credentials to access Group Managed Service Account passwords, exploiting Windows Netlogon via CVE-2020-1472 to gain access to Windows Active Directory servers and obtaining private encryption keys from the Active Directory Federation Services container to decrypt corresponding SAML signing certificates.
  • Command and Control. Russian state-sponsored hackers have been observed using virtual private servers to route traffic to targets, using IP addresses in the home country of the victim to hide their activity.

Given the advanced tools and techniques used by Russian hackers, detecting that activity can be difficult. However, the agencies lay out some steps to take to help organizations identify malicious activity, including:

  • Implementing robust log collection and retention. The agencies suggest using native tools such as Microsoft 365 Sentinel in addition to other tools such as Sparrow, Hawk or CrowdStrike’s Azure Reporting Tool.
  • Searching for behavioral evidence or network and host-based artifacts. The agencies suggest reviewing authentication logs for multiple login failures of valid accounts and other suspicious activity, including:
    • Changing usernames and strange IP addresses that don’t match the expected user’s location.
    • One IP address used for multiple accounts.
    • Logins from multiple IP addresses that are a significant geographical distance apart.
    • Signs of credential dumping, suspicious privileged account activity, activity in typically dormant accounts and unusual user agent strings.
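As an added example that is not from the advisory or this article, the following Python script runs three of those log-review checks (repeated failures against one valid account, one source IP used across many accounts, and successful logins for one user from widely separated locations within a short window) over constructed sample authentication lines, using a constructed IP-to-location table in place of a real GeoIP database:

```python
"""Flag authentication-log patterns named in the CISA/FBI/NSA advisory.
Added example; log lines, IPs and locations below are all constructed."""
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "timestamp user source_ip user_agent result".
SAMPLE_LOG = """\
2022-01-10T08:00:01Z alice 203.0.113.5 Outlook SUCCESS
2022-01-10T08:02:11Z alice 203.0.113.5 Outlook SUCCESS
2022-01-10T08:05:00Z bob 198.51.100.7 python-requests/2.25 FAILURE
2022-01-10T08:05:03Z bob 198.51.100.7 python-requests/2.25 FAILURE
2022-01-10T08:05:06Z bob 198.51.100.7 python-requests/2.25 FAILURE
2022-01-10T08:05:09Z bob 198.51.100.7 python-requests/2.25 FAILURE
2022-01-10T08:05:12Z bob 198.51.100.7 python-requests/2.25 FAILURE
2022-01-10T08:07:00Z carol 198.51.100.7 Outlook FAILURE
2022-01-10T08:07:05Z dave 198.51.100.7 Outlook FAILURE
2022-01-10T08:07:10Z erin 198.51.100.7 Outlook FAILURE
2022-01-10T09:30:00Z alice 192.0.2.44 Outlook SUCCESS
"""

# Constructed IP -> (latitude, longitude) table standing in for a GeoIP lookup.
GEO = {
    "203.0.113.5": (38.9, -77.0),    # Washington, DC area (constructed)
    "198.51.100.7": (55.8, 37.6),    # Moscow area (constructed)
    "192.0.2.44": (37.8, -122.4),    # San Francisco area (constructed)
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+?) (SUCCESS|FAILURE)$")


def parse(log_text):
    """Parse the sample format into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, ip, agent, result = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "agent": agent,
                       "ok": result == "SUCCESS"})
    return events


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))


def find_findings(events, fail_threshold=5, spray_threshold=3,
                  travel_km=1000, travel_hours=2):
    """Return (kind, subject, detail) tuples for each suspicious pattern."""
    findings = []
    # 1. Many failed logins against one account (brute force on a valid user).
    fails = defaultdict(int)
    for e in events:
        if not e["ok"]:
            fails[e["user"]] += 1
    for user, n in fails.items():
        if n >= fail_threshold:
            findings.append(("repeated_failures", user, n))
    # 2. One source IP trying many different accounts (password spraying).
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    for ip, users in users_by_ip.items():
        if len(users) >= spray_threshold:
            findings.append(("one_ip_many_accounts", ip, len(users)))
    # 3. Successful logins for one user from distant IPs in a short window.
    by_user = defaultdict(list)
    for e in events:
        if e["ok"] and e["ip"] in GEO:
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] == cur["ip"]:
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(GEO[prev["ip"]], GEO[cur["ip"]])
            if km >= travel_km and hours <= travel_hours:
                findings.append(("distant_logins", user, round(km)))
    return findings


if __name__ == "__main__":
    for finding in find_findings(parse(SAMPLE_LOG)):
        print(finding)
```

The thresholds are arbitrary starting points; in a real deployment they should be tuned against the organization’s own baseline, and the IP table replaced with a GeoIP source.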

If malicious activity is detected, organizations should immediately isolate affected systems, secure backups, collect and review relevant data, contact a third-party security team, ensure the actor is eradicated from the network and avoid residual issues that could enable follow-on exploitation.

Organizations are urged to contact CISA, the FBI and law enforcement when malicious activity is discovered in the corporate network.

Agencies also urge organizations to be vigilant, practice good cybersecurity hygiene and take continuous steps to harden their networks against compromise. That includes using multi-factor authentication, practicing good password security habits, securing credentials, running a strong patch management program, segmenting networks, leveraging monitoring tools and endpoint detection and response tools, and deploying strong email security tools to prevent phishing attacks.

Read the advisory here for more information. 
