The Feed 2025-01-14

  • Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C: A new ransomware campaign called Codefinger is targeting Amazon S3 buckets using Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data and demanding ransom payments for decryption keys. Original Link: https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c

  • Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions | Microsoft Security Blog: A macOS vulnerability, CVE-2024-44243, allowed attackers to bypass System Integrity Protection (SIP) by loading third-party kernel extensions. Original Link: https://www.microsoft.com/en-us/security/blog/2025/01/13/analyzing-cve-2024-44243-a-macos-system-integrity-protection-bypass-through-kernel-extensions/

  • Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations: A cyber espionage campaign, possibly conducted by Russia-nexus intrusion set UAC-0063, targeted Central Asian countries using weaponized documents likely stolen from the Ministry of Foreign Affairs of the Republic of Kazakhstan. Original Link: https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/

  • Triaging Triada: Understanding an Advanced Mobile Trojan and How it Targets Communication and Banking Applications: Agent-based and agentless cloud security approaches can be combined to achieve comprehensive security coverage. Original Link: https://darktrace.com/blog/triaging-triada-understanding-an-advanced-mobile-trojan-and-how-it-targets-communication-and-banking-applications

  • Wiz Research Identifies Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603) | Wiz Blog: Exploitation of a critical code execution vulnerability, CVE-2024-50603, in the Aviatrix Controller has been observed, leading to cryptojacking and backdoor deployment. Original Link: https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of-aviatrix-cve-2024-50603

    Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C

    Summary

    A new ransomware campaign dubbed Codefinger is targeting Amazon S3 buckets by abusing Server-Side Encryption with Customer Provided Keys (SSE-C). The attackers obtain compromised AWS keys with read and write permissions to S3 buckets. They leverage these keys to encrypt the data in the S3 buckets using SSE-C with a unique AES-256 encryption key that they generate and store locally. The attacker then sets a lifecycle policy on the affected files to be deleted within seven days and leaves a ransom note in each affected directory. AWS logs only an HMAC of the encryption key used, which is not enough to recover the data.

    Technical Details

    The attacker utilizes compromised AWS keys to perform the following actions:

  • Use the keys to locate and access S3 buckets.
  • Generate a unique AES-256 encryption key and store it locally.
  • Encrypt files in S3 buckets using SSE-C.
  • Set a lifecycle policy to delete the encrypted data after seven days.
  • Leave a ransom note that contains their bitcoin address and a client ID associated with the encrypted data.

    Recommendations

  • Restrict SSE-C usage through the use of IAM policies.
  • Monitor and audit AWS keys and their permissions.
  • Disable unused keys and rotate active keys frequently.
  • Enable detailed logging for S3 operations.
  • Engage AWS support for tailored security measures.
  • Implement the principle of least privilege.
  • Use IAM Roles to enable applications to securely make signed API requests using short-term credentials.
  • Use Roles Anywhere for compute nodes outside the AWS cloud to make authenticated calls without long-term AWS credentials.
  • Utilize Identity Center for developer workstations to obtain short-term credentials backed by longer-term user identities protected by MFA tokens.
  • Protect non-AWS credentials with AWS Secrets Manager.

    Hunting Methods

  • Monitor for unusual S3 operations, such as bulk encryption or lifecycle policy changes.

    IOC


    Original Link: https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c

Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions | Microsoft Security Blog

Summary

This article details how a vulnerability (CVE-2024-44243) in macOS could be exploited to bypass System Integrity Protection (SIP) by loading third-party kernel extensions. Attackers could exploit a flaw in the Storage Kit daemon (storagekitd) to load and execute arbitrary code. The storagekitd daemon, which handles disk management, could be tricked into executing malicious code disguised as file system utilities. This bypass could lead to the installation of rootkits, persistent malware, and bypasses of Transparency, Consent, and Control (TCC), significantly compromising system security.

Technical Details

The vulnerability leverages the way macOS handles user-space file systems (UserFS). The Disk Arbitration daemon (diskarbitrationd) interacts with UserFS, which are often implemented as bundles (.fs). These bundles contain executable files and arguments used for mounting, repairing, and probing file systems. An attacker can create a malicious file system bundle and place it in the /Library/Filesystems directory. By triggering a disk operation (e.g., disk repair) on this malicious file system, they can force storagekitd to execute the malicious code within the bundle, thereby bypassing SIP.

Recommendations

  • Update macOS systems to patch CVE-2024-44243.
  • Monitor for anomalous child processes of specially entitled processes, particularly those related to disk management.
  • Implement security solutions capable of detecting and alerting on the execution of unauthorized kernel extensions and anomalous behavior from processes with special entitlements.

    Hunting Methods

    Use advanced hunting query language to look for all child processes of the storagekitd daemon: ``` DeviceProcessEvents
    | where InitiatingProcessFileName == “storagekitd”
    and FolderPath !startswith “/System”
    and FolderPath !startswith “/sbin”
    and FolderPath !startswith “/bin”
    and FolderPath !startswith “/usr”
    | summarize by ProcessCommandLine

```

Original Link: https://www.microsoft.com/en-us/security/blog/2025/01/13/analyzing-cve-2024-44243-a-macos-system-integrity-protection-bypass-through-kernel-extensions/

Summary

Sekoia investigated a cyber espionage campaign using weaponized Microsoft Office documents containing a unique, previously unknown malicious code. The documents were likely exfiltrated from the Ministry of Foreign Affairs of the Republic of Kazakhstan and used to target diplomatic-related entities in Central Asia. The campaign, dubbed Double-Tap, involved the use of macros to deliver the HATVIBE backdoor, which downloads and executes the CHERRYSPY backdoor. The infection chain shares similarities with previous campaigns attributed to Zebrocy, an alleged subgroup of APT28. The targets and the information contained in the documents suggest that the objective of the campaign is to collect strategic intelligence on Kazakhstan’s relations with Western and Central Asian countries to maintain Russia’s influence in the region. The campaign was still ongoing in November 2024.

Technical Details

The Double-Tap infection chain utilizes weaponized Microsoft Office documents with malicious macros. Once the document is opened, the user is prompted to enable macros. Upon execution, the macro performs a series of actions designed to bypass security and deliver the payload. \

  • It modifies the HKCU\Software\Microsoft\Office[VERSION]\Word\Security\AccessVBOM registry key, downgrading security settings and allowing subsequent macros to execute without user interaction.
  • It unprotects the document using a hardcoded password and removes shapes used for social engineering to trick the user into enabling macros.
  • It creates a second blank document in the C:\Users[USER]\AppData\Local\Temp directory. The content of this document, including a new malicious macro, is populated from variables stored in the settings.xml file of the initial document.

  • The second malicious document is then launched in a hidden instance of Microsoft Word, and its macro executes silently due to the previously altered registry key.
    The macro in the second document retrieves malicious VBA code from its settings.xml file and executes two methods:

  • It extracts the content of an HTA file, which contains the HATVIBE backdoor, and saves it to C:\Users[USER]\AppData\Local\Settings\locale (without an extension).
  • It creates a scheduled task named “Settings\ServiceDispatch” using RegisterTaskDefinition, designed to execute the HTA file containing HATVIBE every four minutes by launching mshta.exe.

The HATVIBE backdoor functions as follows:

  • It receives VBS modules for execution from a remote C2 server.
  • It decrypts each received module using a simple XOR algorithm.
  • It injects the decrypted module between <script> tags in the HTA file’s HTML body, leading to automatic execution.
  • The modules operate in a chained manner, with each module likely originating from different C2 endpoints (e.g., “/setup.php”, “/local.php”, “/upset.php”).
  • HATVIBE is known to download and execute a more complex Python backdoor called CHERRYSPY, which was not observed in this analysis.

Recommendations

The sources don’t provide explicit recommendations, but they do describe the tactics and techniques used in the attack.

Hunting methods

The article provides several YARA rules to detect different components and stages of the Double-Tap attack, such as:

  • Detecting obfuscated HATVIBE HTA files (rules apt_UAC0063_HATVIBE_loader_obfuscated_VBA and apt_UAC0063_HATVIBE_loader_deobfuscated_VBA).
  • Identifying suspected APT28 document settings.xml files (rule apt_UAC0063_HATVIBE_loader_malicious_xml_content1).
  • Detecting malicious macros used in Stage 1 and Stage 2 of the attack (rules apt_UAC0063_Stage_1_Malicious_Macro_compiled, apt_UAC0063_Stage_1_Malicious_Macro_clear, and apt_UAC0063_Stage_2_Malicious_Macro_clear).
  • Identifying settings.xml files containing a VBE encoded in hexadecimal (rule apt_UAC0063_Settings_xml_containing_VBE).
  • Detecting the HATVIBE header in VBE format (rule apt_UAC0063_HATVIBE_vbe).
  • Identifying decoded versions of HATVIBE VBE and modules (rules apt_UAC0063_HATVIBE_decoded and apt_UAC0063_HATVIBE_module_decoded).

The article provides Sigma rules for detecting two key aspects of the attack:

  1. Registry Key Modification for Persistent Macro Execution: This rule focuses on the modification of the “AccessVBOM” registry key, which attackers commonly use to enable macros to run without user prompts. The rule checks for the presence of this key with a specific value (“DWORD (0x00000001)”) and also looks for command-line executions related to adding the “AccessVBOM” or “VbaWarnings” keys.

    detection:
  registry:
    registry.value:
      - AccessVBOM
      - VbaWarnings
    registry.data.strings: 'DWORD (0x00000001)'
  cmdline_vbom:
    process.command_line|contains|all:
      - 'reg'
      - 'add'
      - '\SOFTWARE\Microsoft\Office\'
      - 'AccessVBOM'
  cmdline_warning:
    process.command_line|contains|all:
      - 'reg'
      - 'add'
      - '\SOFTWARE\Microsoft\Office\'
      - 'VbaWarnings'
  condition: registry or 1 of cmdline_*

  2. Execution of “mshta.exe” from a Scheduled Task: This rule targets the unusual execution of “mshta.exe” (Microsoft HTML Application Host) by a scheduled task, which can be indicative of malicious activity. It specifically checks for “mshta.exe” processes whose parent is “svchost.exe” with specific command-line arguments related to scheduled tasks (“-k netsvcs -p -s Schedule”).

    detection:
  selection:
    process.name: mshta.exe
    process.command_line: '*'
    process.parent.name: svchost.exe
    process.parent.command_line|contains|all:
       - "-k"
       - "netsvcs"
       - "-p"
       - "-s"
       - "Schedule"
  condition: selection

    Additionally, a second Sigma rule can be used to detect network connections initiated by “mshta.exe,” which further strengthens the detection capabilities:

    detection:
  selection:
    process.name: mshta.exe
    process.command_line: '*'
    event.type: connection
  condition: selection

IOC

IPs:
38.180.207[.]137
38.180.206[.]61
2.58.15[.]158
213.159.79[.]56
Domains:
background-services[.]net
lookup[.]ink
download-resourses[.]info
File Hashes:
06e4084e2d043f216c0bc7931781ce3e1cea4eca1b6092c0e34b01a89e2a6dea
3b87dc25a11b6268019d5eae49a6b93271dfdc262f2607cfefa35d196f724997
47092548660d5200ea368aacbfe03435c88b6674b0975bb87a124736052bd7c3
6edf3d03bd38c800d5d1e297d59c2496968202358f4be47e1f07e57a52485e0c
c61e9326421d05d62cafd6c04041ab1a8f57c0a21d424b9ca04b6a1fc275af19
e3a0be8852d77771dc3f44f3e9a051e7fe56547b569aad5a178ae44ef31713b9
e440bad60823642e8976528bd450364ce2542d15a69778ff20996eb107158b8d
efc99e6f3cdd10313c52a8ad099424e3f39ab85b75375b8db82717d61c7f0118
fd78051817b5e2375c92d14588f9a4ba1adc92cc1564e55e6150ae350ed6c889
Original link: https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/

Triaging Triada: Understanding an Advanced Mobile Trojan and How it Targets Communication and Banking Applications

Summary

The article discusses the advantages and challenges of agent-based and agentless cloud security and proposes a combined approach that utilizes both. Agent-based solutions are favored for their in-depth monitoring and real-time protection capabilities, particularly suitable for environments requiring tight security controls. Agentless solutions offer broader visibility, scalability, and minimal performance impact, making them ideal for dynamic cloud environments. The combined approach offers comprehensive coverage, reduces overhead and enhances scalability, allowing organizations to tailor their security strategies based on the specific needs and risk profiles of different assets and environments. This strategy enables holistic security posture, targeted protection where needed, and maximized security efficacy. The article further details use cases for a combined approach, highlighting how agent-based security excels in deep monitoring and real-time protection of critical infrastructure, while agentless solutions provide broad visibility and rapid environmental assessment.

Technical Details

The article does not detail specific techniques or tactics, but rather different approaches to cloud security:

  • Agent-based cloud security involves deploying software agents on each device, enabling real-time threat detection and response, deep visibility into system behavior, and comprehensive coverage across hybrid environments.
  • Agentless cloud security utilizes cloud infrastructure and APIs to perform security checks, offering scalability, ease of deployment, reduced system overhead, and broad visibility via cloud provider APIs.
  • A combined approach leverages both methods. Agent-based solutions are used for deep monitoring and real-time protection of critical systems while agentless solutions provide broader visibility and easier scalability for dynamic cloud assets.

Recommendations

The article does not provide explicit technical recommendations, but instead advocates for a combined approach to cloud security that leverages the strengths of both agent-based and agentless solutions. The article highlights the importance of:

  • Understanding the specific security requirements of different assets and environments.
  • Deploying agent-based solutions for critical systems and sensitive workloads that require real-time protection and in-depth monitoring.
  • Utilizing agentless solutions for broader visibility, scalability, and rapid deployment across dynamic cloud environments.
  • Tailoring security strategies to match the risk profile and functional requirements of different parts of the cloud environment.

Original link: https://darktrace.com/blog/triaging-triada-understanding-an-advanced-mobile-trojan-and-how-it-targets-communication-and-banking-applications

Wiz Research Identifies Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603)

Summary

This article details the exploitation of a critical remote code execution (RCE) vulnerability (CVE-2024-50603, CVSS 10.0) in Aviatrix Controller, impacting versions before 7.1.4191 and 7.2.x before 7.2.4996. The vulnerability arises from improper sanitization of user input in the list_flightpath_destination_instances and flightpath_connection_test API endpoints. This allows unauthenticated attackers to execute arbitrary commands on vulnerable systems. Wiz Research observed exploitation in the wild leading to cryptojacking using XMRig and the deployment of Sliver backdoors. This vulnerability is particularly concerning due to the potential for privilege escalation in AWS environments, where Aviatrix Controller often has lateral movement paths to administrative cloud control plane permissions.

Technical Details

  • Initial Access: Exploiting CVE-2024-50603 via the list_flightpath_destination_instances and flightpath_connection_test API endpoints with injected commands.
  • Execution: Successful exploitation allows the execution of arbitrary commands on the vulnerable Aviatrix Controller.
  • Persistence: Sliver backdoors deployed for persistence.
  • Defense Evasion: Attackers may exploit the vulnerability to enumerate cloud permissions and pivot to other systems or exfiltrate data.
  • Discovery: Publicly available proof-of-concept exploit code and Nuclei templates aid in exploitation.
  • Lateral Movement: In AWS environments, Aviatrix Controller is often granted high IAM privileges and may have lateral movement paths to administrative cloud control plane permissions.

Recommendations

  • Upgrade Aviatrix Controller to patched versions 7.1.4191 or 7.2.4996.
  • Implement network restrictions to prevent public access to Aviatrix Controller.
  • Conduct forensic investigation on potentially compromised devices.
  • Proactively hunt for evidence of lateral movement attempts to the cloud control plane.

Hunting methods

  • Review threat pages for threats associated with compute resources hosting Aviatrix Controller.
  • Use the Security Graph to search for malware findings on compute resources hosting Aviatrix technologies.
  • Utilize the Cloud Events Explorer to search for:
    • Network-based IOCs in IP address fields.
    • Cloud provider security alerts where the principal is the compute resource hosting Aviatrix Controller.
    • AWS CloudTrail events where the “Acting As” field is set to one of the default Aviatrix roles (aviatrix-role-ec2 or aviatrix-role-app), and the principal IP address hasn’t been previously observed, or is performing abnormal API calls.
    • Abnormal DNS requests or outgoing IP connections from Aviatrix Controller devices in network logs.

IOC

IP Addresses
91.193.19[.]109:13333 - Sliver C2 Server IP address
107.172.43[.]186:3939 - Cryptocurrency mining pool IP address

File Hashes (SHA1)
1ce0c293f2042b677cd55a393913ec052eded4b9 - XMRig
68d88d1918676c87dcd39c7581c3910a9eb94882 - XMRig
c4f63a3a6cb6b8aae133bd4c5ac6f2fc9020c349 - XMRig
c63f646edfddb4232afa5618e3fac4eee1b4b115 - XMRig
e10e750115bf2ae29a8ce8f9fa14e09e66534a15 - Sliver
41d589a077038048c4b120494719c905e71485ba - Sliver

File Paths
/tmp/systemd-private-[0-9a-f]{32}-apache2.service-[0-9a-zA-Z]{6}/tmp/.system_logs/momika233-2024-04-29-xmrig.zip - XMRig
/tmp/systemd-private-[0-9a-f]{32}-apache2.service-[0-9a-zA-Z]{6}/tmp/moneroocean/xmrig - XMRig
/tmp/systemd-private-[0-9a-f]{32}-apache2.service-[0-9a-zA-Z]{6}/tmp/.uid/udiskssd - XMRig
/tmp/systemd-private-[0-9a-f]{32}-apache2.service-[0-9a-zA-Z]{6}/tmp/config - Sliver

Original link: https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of-aviatrix-cve-2024-50603