Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
France announces major operation to fight cyber-spying ahead of Olympics.
(TLP: CLEAR) French authorities initiated a widespread cyber operation to purge the country’s computer systems of malware suspected of espionage. This “disinfection operation” began about a week ago and is set to continue for several months, targeting malware that has compromised several thousand users, primarily for espionage purposes. Recent reporting has highlighted that the Paris prosecutor’s office confirmed the internal investigation of a botnet network, particularly PlugX malware, which has affected millions of users globally, including at least 3,000 devices in France. According to the office, the primary objective of the malware campaign is to conduct espionage operations on the country’s computer systems. PlugX, a remote access malware first identified in 2008, has predominantly been utilized by Chinese state-sponsored hacker groups. Back in 2020, the China-linked group Mustang Panda enhanced PlugX by enabling it to propagate via USB flash drives. Additionally, in April of this year, investigators seized a command-and-control server (c2) linked to PlugX, later discovering its spread to over 170 countries. Reporting further indicates that the researchers investigating PlugX constructed a solution to remotely clean the infected devices of the botnet malware. According to recent reporting, this solution is now employed by France and other affected nations in order to purge their networks of the botnet. Within hours of implementation, hundreds of machines in France, Malta, Portugal, Croatia, Slovakia, and Austria were disinfected.
(TLP: CLEAR) Comments: On the eve of the Olympics, just hours prior to the opening ceremony, France’s high-speed rail network was targeted by a series of coordinated sabotage attacks. Malicious acts, including arson, disrupted several high-speed lines around Paris. According to reporting, the national rail company, SNCF, canceled numerous trains and later advised travelers to avoid train stations. According to SNCF’s president, nearly 800,000 people were impacted by the malicious operations.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
“Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typosquats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
“Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
“Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depends on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attributes and tagging those associated with known DGA attributes, such as high entropy.
“Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
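The categorization and DGA tagging that the CISA passage describes, as an added Python example (not CISA’s or Vercara’s code): each queried name is looked up in a constructed category feed first, and otherwise the registrable label’s textual attributes (entropy, length, vowel ratio) decide whether it is tagged as DGA; the feed contents, the log format and the thresholds are assumptions for this illustration.

```python
import math
from collections import Counter

# Constructed threat-intel feed (hypothetical domains, not a real feed); a real
# PDNS merges open-source, commercial and government feeds into this lookup.
CATEGORY_FEED = {
    "login-micros0ft-support.com": "phishing",
    "cdn-update-check.net": "c2",
    "bet-big-now.example": "gambling",
}
BLOCK_CATEGORIES = {"phishing", "c2", "dga"}  # policy: block outright
WARN_CATEGORIES = {"gambling"}                 # policy: content filter, warn only
# Constructed resolver log lines: "<timestamp> <client-ip> <qtype> <qname>"
SAMPLE_LOG = """\
2024-07-29T10:00:01Z 10.0.0.5 A www.example.com
2024-07-29T10:00:02Z 10.0.0.5 A login-micros0ft-support.com
2024-07-29T10:00:03Z 10.0.0.9 A xk3j9v2q8z1mwp4t.net
2024-07-29T10:00:04Z 10.0.0.9 A cdn-update-check.net
2024-07-29T10:00:05Z 10.0.0.7 A bet-big-now.example
2024-07-29T10:00:06Z 10.0.0.7 A mail.google.com
"""

def shannon_entropy(text):
    """Bits per character; log2(len(text)) is the ceiling for all-distinct strings."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def registrable_domain(qname):
    """Last two labels (naive; production code would use the Public Suffix List)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def dga_attributes(label):
    """Textual attributes of a label: entropy, length and vowel ratio."""
    vowels = sum(ch in "aeiou" for ch in label)
    return {"entropy": shannon_entropy(label), "length": len(label),
            "vowel_ratio": vowels / len(label) if label else 0.0}

def looks_like_dga(label):
    """Thresholds are assumptions for this example, not CISA-published numbers."""
    a = dga_attributes(label)
    return a["entropy"] >= 3.5 and a["length"] >= 12 and a["vowel_ratio"] < 0.25

def classify(qname):
    """Feed lookup first, then the DGA heuristic; returns (category, action)."""
    domain = registrable_domain(qname)
    category = CATEGORY_FEED.get(domain)
    if category is None and looks_like_dga(domain.split(".")[0]):
        category = "dga"
    if category in BLOCK_CATEGORIES:
        return category, "block"
    if category in WARN_CATEGORIES:
        return category, "warn"
    return "uncategorized", "allow"

def classify_log(log_text):
    """Attach a verdict to every well-formed log line; malformed lines are skipped."""
    verdicts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _, client, _, qname = fields
        category, action = classify(qname)
        verdicts.append({"client": client, "qname": qname,
                         "category": category, "action": action})
    return verdicts

if __name__ == "__main__":
    for v in classify_log(SAMPLE_LOG):
        print(f'{v["action"]:5} {v["category"]:13} {v["client"]:9} {v["qname"]}')
```

Note that a real PDNS would also rate-limit or alert on the client that keeps resolving DGA-looking names, since a burst of such lookups from one host is itself a strong C2 beaconing signal.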
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses for both users and machines, using defined categories, including botnet Command and Control (C2), as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.
Source: https://therecord.media/france-combat-cyber-spying-operation-olympics
Hacktivists claims [sic] to have Leaked CrowdStrike threat intelligence data.
(TLP: CLEAR) Recent intelligence reporting sheds light on the hacktivist group USDoD, which has claimed to have leaked CrowdStrike’s internal threat actor list, including additional indicators of compromise (IoCs). On July 25, 2024, CrowdStrike confirmed the aforementioned claim, acknowledging that USDoD shared a download link and sample data on BreachForums. This follows a critical IT outage on July 19 due to a bug in the Falcon platform, affecting various sectors such as airlines, banks, healthcare, media, and financial institutions. According to reporting, the leaked data includes adversary aliases, statuses, last active dates, and regions. USDoD also claims to possess CrowdStrike’s complete IoC list, planning further disclosures soon. CrowdStrike indicated that the sample data released by USDoD included comprehensive intelligence on threat actors, such as adversary aliases, statuses, last active dates, regions, targeted industries, and motivations. The aliases corresponded to those on the Falcon platform, albeit in a different order. The data, with “LastActive” dates up to June 2024, indicates that it was obtained recently, since some of the same threat actors are listed as active in July 2024 on the Falcon portal. Reporting also highlighted USDoD’s claim to be in possession of CrowdStrike’s full IoC list, data that is critical for identifying hacker tactics, techniques, and procedures (TTPs). Furthermore, CrowdStrike confirmed that the threat actor’s claims did not represent a breach, as the threat intelligence data is accessible to thousands of customers, partners, and prospects. The company later emphasized, “There is no CrowdStrike breach. This threat intel data is available to tens of thousands of customers, partners, and prospects.” In their blog post, CrowdStrike reiterated, “The threat intel data noted in this report is available to tens of thousands of customers, partners, and prospects – and hundreds of thousands of users. Adversaries exploit current events for attention and gain. We remain committed to sharing data with the community.”
(TLP: CLEAR) Comments: Intelligence reporting indicates USDoD has been active since at least 2020, conducting both hacktivist and financially motivated cyber campaigns against various organizations. Over the past two years, the group has shifted focus to high-profile intrusion campaigns and recently began administering eCrime forums. In September 2023, USDoD claimed responsibility for stealing personal data from TransUnion and breaching Airbus. Primarily employing social-engineering tactics, the group is known to exaggerate claims to enhance its reputation within hacktivist and eCrime communities. USDoD’s claims of hacking CrowdStrike are likely exaggerated, as the threat intelligence data they claim to have harvested is publicly available.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS responses for indicators of malicious activity such as phishing, ransomware, and acceptable-use policy violations.
Source: https://www.crowdstrike.com/blog/hacktivist-usdod-claims-to-have-leaked-threat-actor-list/
Source: https://www.infosecurity-magazine.com/news/hacktivists-leak-crowdstrike/
CrowdStrike: ‘Content Validator’ bug let faulty update pass checks.
(TLP: CLEAR) CrowdStrike recently issued a Preliminary Post Incident Review (PIR) on the faulty Falcon update that caused widespread system crashes on July 19, 2024. According to CrowdStrike, the bug stemmed from a content configuration update that bypassed the Content Validator, leading to out-of-bounds memory reads on approximately 8.5 million Windows systems. Furthermore, this error occurred due to misplaced trust in the IPC Template Type, which is used for detecting suspicious behaviours. CrowdStrike indicates the issue was identified and the update reverted within an hour, but not before causing significant disruption to customer networks. In the case of this particular update, CrowdStrike attempted to push a new configuration to detect malicious abuse of Named Pipes in common command and control (c2) frameworks. According to reporting, CrowdStrike has not disclosed the specific c2 frameworks targeted in the recent Falcon update. However, it is assessed that the update aimed to detect new named pipe features in Cobalt Strike. Additionally, despite comprehensive testing the security firm underwent for resource utilization, performance, event volume, and system interactions, the bug in the Content Validator allowed the faulty configuration to slip through. CrowdStrike insinuated that since previous successful tests and deployments fostered baseline trust, it eliminated the need for additional dynamic checks. Consequently, the flawed update was disseminated to clients, resulting in widespread system issues.
(TLP: CLEAR) Comments: Since the CrowdStrike incident, the company has implemented several additional measures to prevent future incidents. Additionally, the security firm has outlined specific steps for testing Rapid Response Content, including local developer testing, content update and rollback testing, stress testing, fuzzing, fault injection, stability testing, and content interface testing.
(TLP: CLEAR) Recommended best practices/regulations: To bolster security, it is advised that the organization’s security policy includes regular reviews of all IT infrastructure, including applications, to ensure they are updated with the latest security patches. If no patches are available for known vulnerabilities, organizations should consider either replacing outdated systems or implementing additional security-in-depth measures to protect non-updated systems. In conjunction with these measures, CrowdStrike will enhance its Rapid Response Content deployment by incorporating extensive testing phases and improving validation and error handling processes to prevent similar issues in the future.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.
Spain arrests three in pro-Russian DDoS crew takedown.
(TLP: CLEAR) Intelligence reporting has revealed a recent coordinated operation in Spain resulting in the arrest of three individuals associated with the pro-Russia hacktivist group NoName057(16). These arrests, executed across multiple regions, are part of an investigation into the hacktivist group’s politically motivated distributed denial-of-service (DDoS) attacks targeting government agencies and critical infrastructure. Reporting further indicates that authorities seized potential evidence during the raids, though the identities of the detainees remain undisclosed. Initially created in response to Russia’s invasion of Ukraine, NoName057(16) targets NATO-aligned nations supporting Ukraine. The group’s custom DDoS tool, “DDoSia,” has effectively disrupted business services in the past, highlighting the ongoing global concern over increased DDoS activity linked to geopolitical tensions.
(TLP: CLEAR) Comments: Recent intelligence reporting reveals that NoName057(16) has recently declared a “holy war” on Spain in response to the arrest of the three alleged members. Additionally, they have joined a coalition of over 70 hacktivist groups under the banner “holy league,” resulting in a surge of DDoS attacks against Spanish websites. These attacks primarily target government and transportation sectors, aiming to retaliate against Spain’s support for Ukraine. Despite the increase in activity, the overall impact remains within normal attack levels for the country.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.IR-04: “Adequate resource capacity to ensure availability is maintained.”
Businesses, particularly those located within NATO and allies, should maintain constant vigilance and regularly test and enhance their cybersecurity defensive capabilities, specifically DDoS mitigation strategies, architecture, monitoring, and procedures.
(TLP: CLEAR) Vercara: Vercara’s DDoS protection, UltraDDoS Protect, is overseen by a 24/7 Security Operations Center (SOC) staffed by senior-level DDoS mitigation professionals who have the expertise, skills, and tools to thwart even the most sophisticated DDoS attacks.
Source: https://therecord.media/spain-arrest-noname-russia-hackers
Source: https://www.scmagazine.com/news/spain-arrests-three-in-pro-russian-ddos-crew-takedown
Source: https://www.netscout.com/blog/asert/ddos-attacks-spain
Over 3,000 GitHub accounts used by malware distribution service.
(TLP: CLEAR) Security researchers have recently uncovered a network of over 3,000 GitHub ghost accounts, known as the Stargazers Ghost Network, used for distributing malware through various phishing repositories. According to reporting, this network functions as a Distribution as a Service (DaaS) for threat actors, primarily spreading infostealer malware such as Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine. Additionally, the group behind this operation, dubbed ‘Stargazer Goblin’, has been observed promoting the service on the dark web since June 2023, although evidence recently obtained suggests activity since August 2022. The operation has netted approximately $100,000 by tricking thousands of victims into installing malicious software from seemingly legitimate repositories. Researchers have noted that the tailored phishing templates enhance the value of infections by targeting specific profiles and online accounts. It was later assessed that Stargazer Goblin operators have either created ‘ghost’ GitHub accounts or taken control of existing ones. Security researchers observed these accounts engaging in various suspicious activities such as forking, starring, and peering into malicious repositories. These actions are likely intended to enhance the accounts’ legitimacy and increase their visibility in GitHub’s trending section.
(TLP: CLEAR) Comments: Reporting indicates that security researchers assess the repositories linked to these Ghost accounts do not prompt users to directly download or execute payloads from the repository. Instead, they contain scripts that download payloads from seemingly legitimate sources. These scripts are often embedded within password-protected ZIP archives, complicating detection and scanning efforts. Additionally, GitHub has frequently been exploited for malicious activities, complicating the identification of suspicious repositories. To mitigate these risks, it is essential to ensure operating systems and applications are regularly updated, exercise caution with unexpected emails or messages containing links, especially from unknown sources, and increase cybersecurity awareness among employees.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”
One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports two modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver such as a firewall or Active Directory domain controller or via an endpoint client that captures and forwards DNS queries to UltraDDR’s servers.
North Korean hackers targeted KnowBe4 with fake IT employee.
(TLP: CLEAR) Recent intelligence reports highlight an attempted sophisticated cyber campaign targeting KnowBe4, a cybersecurity awareness training company. According to the company, the attack commenced when KnowBe4 unknowingly hired a North Korean operative posing as an IT worker. Utilizing a stolen identity with an AI-enhanced photo, the attacker successfully navigated interviews and background checks. The operative’s malicious activities, including malware downloads and unauthorized software execution on a company-provided Mac workstation, were swiftly detected and neutralized, preventing data compromise. According to KnowBe4, they were alerted to potential insider threat activity and assessed the situation, identifying the new hire as suspicious. When contacted, the worker attributed the suspicious activity to troubleshooting a router issue. However, the worker became unresponsive when asked to join a call, prompting the Security Operations Center (SOC) to contain the device. This decisive action ensured that any further potential malicious activity was immediately halted, safeguarding the company’s data integrity and security. Reporting further indicated that KnowBe4 then collaborated with Mandiant and the FBI, revealing that the fake employee was linked to a North Korean-backed criminal network specializing in IT worker scams. These fraudulent workers arrange for their workstations to be sent to “IT mule laptop farms” and use VPNs to access the devices from North Korea or China. The fraudulent workers then perform legitimate work, receive payment, and channel a significant portion of the earnings to finance North Korea’s illicit activities.
(TLP: CLEAR) Comments: The aforementioned incident underscores the persistent efforts of North Korean actors to infiltrate Western companies for cyber espionage. Additionally, based on its past experiences, KnowBe4 offered recommendations to help companies avoid hiring fraudulent North Korean IT workers. They further emphasized the importance of conducting thorough background checks, paying close attention to minor inconsistencies such as variations in addresses or dates of birth across different sources.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”
By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 24 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses:
- The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
Source: https://www.infosecurity-magazine.com/news/north-korean-hackers-targeted/
The Vercara OSINT Report is published every week. To see the current and past OSINT reports, click here.
About Vercara.
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.