Week 48, November 27-December 3, 2023: Cybersecurity Weekly Updates

This week in the world of cybersecurity:

A design flaw in Google Workspace has raised concerns about potential unauthorized access, while a new variant of DJVU Ransomware, named ‘Xaro’, has been found disguised as cracked software. The United States, United Kingdom, and global partners have come together to release guidelines for secure AI system development, highlighting the increasing importance of AI in cyber security.

In terms of cybercriminal activities, key hackers behind notorious ransomware families were arrested in Ukraine, and the North Korean hacker group known as Lazarus has reportedly amassed over $3 billion from cryptocurrency hacks. Meanwhile, Iranian hackers have been reported to exploit PLCs in an attack on a U.S. water authority, showing the diverse range of targets and tactics used in cyber warfare.

Google has taken steps to improve security, unveiling RETVec, a new defense mechanism for Gmail against spam and malicious emails. Additionally, the U.S. Treasury has imposed sanctions on a cryptocurrency mixer used by North Korean hackers, demonstrating the intertwining of cyber security and international politics.

On the tech front, a zero-day alert was issued for Google Chrome, which is under active attack due to a new vulnerability. Similarly, Apple has rolled out patches for iOS, macOS, and Safari to address two actively exploited flaws, indicating the ongoing battle against cyber threats.

In terms of malware developments, the GoTitan Botnet was spotted exploiting a recent vulnerability in Apache ActiveMQ, and the new FjordPhantom Android Malware targets banking apps in Southeast Asia.

Recent Tools and Techniques

These are some of the recent tools and techniques in the cyber-security sphere that have captured my attention.

DynastyPersist is a Linux persistence tool designed for Capture The Flag (CTF) challenges, including King of the Hill (KOTH) and Battlegrounds modes. The script is intended for security assessments and testing and offers a range of techniques for maintaining access to a Linux system. Key features include SSH key generation for hidden access, setting up cron jobs for recurring tasks, and creating a custom user with root privileges. It also includes persistence through remote code execution, demonstrates Linux Kernel Module (LKM)-based rootkit methods, and modifies user shell initialization files for continuous access. Additionally, it can set up a systemd service for root-level persistence, configure LD_PRELOAD for privilege escalation, backdoor message displays, and alter existing systemd services for sustained access.
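From the defender's side, the useful takeaway from a tool like this is the list of places it touches: extra UID-0 accounts, /etc/ld.so.preload, cron entries, and SSH authorized_keys. The following audit script is an added example for this roundup, not code from DynastyPersist or its author; it checks those categories against file contents that are constructed inline here (the account name, library path, cron command and key material are all hypothetical), and the same functions can be pointed at the real files on a host.

```python
"""
Defensive audit of common Linux persistence locations.

Added example, not part of DynastyPersist. The sample file contents
below are constructed for the demo; every "suspicious" entry in them
is hypothetical and not a real indicator of compromise.
"""
import re

# Constructed /etc/passwd: a second UID-0 account besides root.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:0:0::/home/svc_backup:/bin/bash
"""

# Constructed /etc/ld.so.preload: on a normal host this file is absent or empty.
SAMPLE_LD_PRELOAD = "/usr/lib/libexample_hook.so\n"

# Constructed system crontab: one benign job, one running a script from /tmp.
SAMPLE_CRON = """\
# m h dom mon dow user command
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * root /tmp/.cache/update.sh
"""

# Constructed authorized_keys: the second key carries no owner comment.
SAMPLE_AUTH_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleKeyMaterial
"""


def extra_uid0_accounts(passwd_text):
    """Return account names other than root whose UID or primary GID is 0."""
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        name, uid, gid = fields[0], fields[2], fields[3]
        if name != "root" and (uid == "0" or gid == "0"):
            found.append(name)
    return found


def ld_preload_entries(preload_text):
    """Return non-empty, non-comment entries from /etc/ld.so.preload.
    Any entry here is loaded into every dynamically linked process, so a
    non-empty file should always be explainable."""
    return [l.strip() for l in preload_text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


# Commands launched from world-writable or hidden per-user paths.
SUSPECT_PATH = re.compile(r"(^|\s)(/tmp/|/dev/shm/|/var/tmp/|/home/[^/\s]+/\.)")


def suspicious_cron_lines(cron_text):
    """Return cron lines whose command runs from a path matched by SUSPECT_PATH."""
    hits = []
    for line in cron_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if SUSPECT_PATH.search(line):
            hits.append(line)
    return hits


def keys_without_comment(auth_keys_text):
    """Return authorized_keys entries that have no trailing comment field.
    A missing comment proves nothing by itself; it marks keys whose owner
    should be verified against the inventory."""
    hits = []
    for line in auth_keys_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].startswith("ssh-"):
            hits.append(line)
    return hits


def audit(passwd, preload, cron, auth_keys):
    """Run every check and return findings grouped by category."""
    return {
        "uid0_accounts": extra_uid0_accounts(passwd),
        "ld_preload": ld_preload_entries(preload),
        "cron": suspicious_cron_lines(cron),
        "unlabelled_keys": keys_without_comment(auth_keys),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_PASSWD, SAMPLE_LD_PRELOAD, SAMPLE_CRON, SAMPLE_AUTH_KEYS)
    for category, items in findings.items():
        for item in items:
            print(f"[{category}] {item}")
```

To run it against a live host, read /etc/passwd, /etc/ld.so.preload, /etc/crontab plus the /etc/cron.d files, and each user's ~/.ssh/authorized_keys and pass the contents to `audit`; comparing the output with a baseline taken at build time turns the one-off check into a drift detector for the other locations the tool description names (systemd units and shell rc files) as well.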

Jomungand is a shellcode loader designed to evade memory detection. It operates by hooking three functions: VirtualAlloc, Sleep, and LoadLibraryA, each for a different purpose. By hooking VirtualAlloc, Jomungand captures the actual memory address of shellcode such as Cobalt Strike and Meterpreter payloads. The Sleep function is intercepted to encrypt the shellcode in memory during its inactive period, using a technique called KrakenMask. The hook on LoadLibraryA redirects to LdrLoadDll with return address spoofing, which helps evade detection mechanisms that flag LoadLibraryA calls originating from memory regions not backed by a file on disk. Jomungand executes all NT API calls through indirect syscalls and spoofs the return addresses for additional stealth. Once the shellcode makes its first Sleep call, the tool frees the virtual memory that was allocated for reading the shellcode from the file. Against memory scanners, Jomungand has shown effectiveness against tools like PE-sieve, Moneta, Hunt-Sleeping-Beacons, and Patriot, with varying degrees of detection avoidance.

MaccaroniC2 is a Command and Control framework. It uses the AsyncSSH Python library for asynchronous client and server functionality over the SSHv2 protocol, together with the PyNgrok wrapper for integrating ngrok. The tool is built for scenarios where the victim's machine runs an AsyncSSH server that is reachable through a tunnel for receiving commands. The operator uses ngrok's API to obtain the tunnel's hostname and port and then connects over SSH. This setup allows execution of system commands via a SOCKS proxy, with optional Tor usage for increased anonymity. However, ngrok's free account is limited to a single tunnel, so controlling multiple SSH instances requires a paid account. Setup involves generating SSH keys, configuring the AsyncSSH server script with the public key, and supplying ngrok's auth token and API key for tunnel management and endpoint information retrieval.

That’s a wrap on this week’s edition of the Cyber-Security Update. Remember, the cyber-security landscape is ever-changing, and staying informed is your primary defense. Hopefully, the insights and information shared today will assist in navigating this complex domain and in strengthening defenses against potential threats. Stay vigilant, stay informed, and look forward to more insights into the world of cyber-security in next week’s edition.

To stay in sync with the weekly cyber-security roundups, remember to subscribe to the newsletter and follow on social media platforms. If there are any questions or specific topics you’d like to see covered, don’t hesitate to get in touch.
