Tag Archive for: Malware

Cyber News Roundup for May 9, 2024

Cuckoo malware, a paralyzed city of Wichita, and early cybersecurity preparations for the upcoming Olympics made headlines this week. RedSeal is here to keep you informed and equipped to fortify your cyber defenses in an ever-evolving digital landscape.


1. Cuckoo malware targets macOS systems

Cybersecurity researchers at Kandji have identified a new macOS malware family called Cuckoo. It is built as a universal Mach-O binary, so it runs on both Intel and Apple silicon Macs, and was found on websites offering music ripping and MP3 conversion tools. Cuckoo establishes persistence via a LaunchAgent and performs a locale check so that it does not run on systems set to Russia or Ukraine. It presents a fake system password prompt to capture the user’s password, uses it for privilege escalation, and then performs extensive data harvesting: hardware information, running processes, installed apps, screenshots, and sensitive data from iCloud Keychain, Apple Notes, web browsers, crypto wallets, and applications such as Discord and Steam. The associated malicious application bundles are signed with a valid developer ID, so a valid signature alone is not a reason to trust them. (Kandji)
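A practitioner reading the summary above will want a quick way to triage LaunchAgents across a fleet. The following is an added example, not code from Kandji’s report or from RedSeal: it parses LaunchAgent plists and flags the traits that the kind of persistence described above tends to show (a program outside the usual install locations, a hidden path component, RunAtLoad together with KeepAlive). The two plists, their labels and the trusted-location list are constructed assumptions for the example, not Cuckoo’s real artifacts.

```python
import plistlib
from typing import List

# Two constructed LaunchAgent plists (not artifacts from Kandji's Cuckoo analysis):
# an ordinary vendor updater and one with traits a dropper-installed agent tends to show.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.mpqx8.agent</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/.svc/agent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Assumed locations where a per-user agent's program normally lives; anything else is flagged.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")


def launch_agent_findings(plist_bytes: bytes) -> List[str]:
    """Return reasons a LaunchAgent plist deserves a closer look; an empty list means nothing notable."""
    agent = plistlib.loads(plist_bytes)
    findings: List[str] = []

    args = agent.get("ProgramArguments") or []
    program = agent.get("Program") or (args[0] if args else "")
    if not program:
        findings.append("no Program or ProgramArguments")
    else:
        if not program.startswith(TRUSTED_PREFIXES):
            findings.append(f"program outside trusted locations: {program}")
        if any(part.startswith(".") for part in program.split("/") if part):
            findings.append("program path contains a hidden (dot) directory or file")

    # RunAtLoad starts the job at login; KeepAlive relaunches it if it exits. Together they
    # give a dropper the always-on persistence the summary above describes.
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        findings.append("RunAtLoad and KeepAlive both set: starts at login and respawns if killed")
    return findings


if __name__ == "__main__":
    for name, data in (("benign", BENIGN_PLIST), ("suspect", SUSPECT_PLIST)):
        print(name, launch_agent_findings(data) or ["nothing notable"])
```

Run it over the contents of ~/Library/LaunchAgents and /Library/LaunchAgents by reading each .plist into launch_agent_findings. A non-empty result is a lead for a human to check against the signing identity and the binary’s hash, not a verdict.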


2. Secretary of State Blinken is set to unveil a new international cybersecurity strategy at the RSA Conference in San Francisco

The Biden administration is set to introduce a new international cybersecurity strategy, marking the first U.S. global cyber strategy in over a decade, aimed at bolstering global cooperation against cyber threats. Secretary of State Antony Blinken will unveil the strategy at the RSA Conference in San Francisco. This strategic plan targets enhancing cybersecurity through four main pillars: establishing a secure digital ecosystem, promoting rights-respecting digital technology with allies, forming coalitions against cyberattacks, and boosting cybersecurity resilience among partner nations. A key element of this strategy is the allocation of $50 million to the newly formed Cyberspace and Digital Connectivity fund, aimed at supporting cybersecurity improvements in allied countries.

Additionally, the strategy emphasizes a proactive role in cyber diplomacy at the United Nations and seeks to develop global norms for emerging technologies like artificial intelligence (AI). The U.S. aims to foster international consensus on AI usage and cyber conduct. The strategy’s implementation is considered urgent, with efforts intensifying in the months leading up to the November presidential election, reflecting the need for consistent U.S. leadership in global cybersecurity irrespective of potential administration changes. (Politico)


3. Chinese-linked ArcaneDoor targets global network infrastructure

A cyber espionage campaign named ArcaneDoor, potentially linked to Chinese actors, has targeted network edge devices from vendors such as Cisco. The campaign’s infrastructure dates back to July 2023, and the first attack was detected in January 2024, according to Censys. The attacks used two custom malware implants, Line Runner and Line Dancer, and exploited vulnerabilities in Cisco Adaptive Security Appliances that Cisco has since patched. The findings point to a China-based threat actor: key infrastructure used SSL certificates linked to Chinese networks and hosted services related to anti-censorship tools. (The Hacker News)


4. Largest city in Kansas paralyzed by ransomware attack

Another city government faces the implications of a ransomware attack. The city of Wichita, Kansas was forced to shut down portions of its network over the weekend after its IT systems were encrypted with ransomware. Bleeping Computer reports: payment systems for city water, court citations, and tickets are down. There is no additional information regarding whether any information was compromised or which ransomware group has claimed responsibility for the attack. (Bleeping Computer)


5. Microsoft warns Android developers to steer clear of the Dirty Stream

Microsoft has issued a warning to Android app users and developers about an attack pattern it calls Dirty Stream, a path traversal issue in how apps receive files through Android’s content provider component (including providers built on the ‘FileProvider’ class). The receiving app asks the sending app’s content provider for the file’s display name and uses that name to write the file into its own directories; a malicious sending app can return a name containing path separators or ‘..’ segments, so the write lands wherever the attacker chooses under the target app’s private data directory. This lets the malicious app overwrite files in another app’s directory, which can lead to arbitrary code execution (for example, by replacing a native library the app loads) and theft of authentication tokens, giving attackers control of the app and access to user accounts. Notably affected were popular apps such as Xiaomi File Manager and WPS Office, which together have over 1.5 billion installs; vulnerable apps identified so far total around four billion installations, and other apps may be affected. Microsoft notified the affected developers, who have patched their apps, and urges all developers to review their apps for this flaw. Google has also published guidance for developers on handling this issue. (Security Week)
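The pattern is easier to see in code. The snippet below is an added example written in Python to model the logic (the real fix lives in the Java or Kotlin of the receiving app, and Google’s guidance is the authority); it is not code from Microsoft’s advisory or from RedSeal. The cache directory and sample display names are constructed. unsafe_target_path is the vulnerable shape: it joins the provider-supplied name straight onto the cache directory. safe_target_path rejects anything that is not a single path component and then checks that the result’s parent directory is exactly the cache directory.

```python
import posixpath
from typing import List

# Constructed cache directory and display names (not from Microsoft's report).
CACHE_DIR = "/data/data/com.example.app/cache"
SAMPLE_NAMES = [
    "report.pdf",                   # what an honest provider returns
    "../shared_prefs/auth.xml",     # traversal into the app's private files
    "../../../../etc/hosts",        # deeper traversal
    "lib/../../files/config.json",  # separator plus traversal
    "",                             # empty name
    "..",                           # reserved name
]


def unsafe_target_path(cache_dir: str, display_name: str) -> str:
    """Vulnerable pattern: the name the sending app's content provider returned is joined as-is."""
    return posixpath.normpath(posixpath.join(cache_dir, display_name))


def is_plain_filename(name: str) -> bool:
    """True only for a single, non-reserved path component of sane length."""
    if not name or name in (".", "..") or len(name) > 255:
        return False
    return not any(ch in name for ch in "/\\\0")


def safe_target_path(cache_dir: str, display_name: str) -> str:
    """Hardened version: validate the name, then prove the result sits directly inside cache_dir."""
    if not is_plain_filename(display_name):
        raise ValueError(f"rejected display name {display_name!r}")
    base = posixpath.normpath(cache_dir)
    target = posixpath.normpath(posixpath.join(base, display_name))
    # Belt and braces: even with a plain name, insist the parent of the result is the cache dir.
    if posixpath.dirname(target) != base:
        raise ValueError(f"{target} is not directly inside {base}")
    return target


def triage(cache_dir: str, names: List[str]) -> List[dict]:
    """Per name: where the vulnerable code would write, and whether the hardened code allows it."""
    rows = []
    for name in names:
        try:
            accepted = safe_target_path(cache_dir, name)
        except ValueError as err:
            accepted = f"REJECTED ({err})"
        rows.append({"name": name, "unsafe_writes_to": unsafe_target_path(cache_dir, name), "hardened": accepted})
    return rows


if __name__ == "__main__":
    for row in triage(CACHE_DIR, SAMPLE_NAMES):
        print(row)
```

The second check matters even with a validator in front of it: if the validation is later loosened, the parent-directory test still fails closed. On Android the same idea applies to the filename read from the _display_name column before it is handed to File or openFileOutput.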


6. French cybersecurity teams prepare for “unprecedented” Olympic threat

Jérémy Couture, who is in charge of the cybersecurity hub for the event being held in Paris in July, says his goal is to have his team’s activities perceived as a “non-event” by successfully fending off attacks from nation state actors, hacktivists, thrill seekers, and everyone else. He adds that it’s not just the games themselves that need protecting, but also the infrastructure that supports them, such as transport networks and supply chains. Russia, which is banned from these games, is of particular focus, but, officials state, they are looking at everything. (Security Week)


7. Ascension health system disrupted by cyberattack

US health system Ascension has sustained a cyberattack that disrupted some of its systems, the Record reports. The organization, which runs 140 hospitals across the country, stated, “Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible. There has been a disruption to clinical operations, and we continue to assess the impact and duration of the disruption.” The nonprofit is working with Mandiant to respond to the incident. (The Record)


8. Mobile medical provider DocGo discloses data breach

Mobile health service provider DocGo has disclosed a cyberattack that led to the theft of patient health information, BleepingComputer reports. The company stated in an SEC filing, “Promptly after detecting unauthorized activity, the Company took steps to contain and respond to the incident, including launching an investigation, with assistance from leading third-party cybersecurity experts, and notifying relevant law enforcement. As part of its investigation, the Company has determined that the threat actor accessed and acquired data, including certain protected health information, from a limited number of healthcare records within the Company’s U.S.-based ambulance transportation business, and that no other business lines have been involved.” (BleepingComputer)


9. MedStar Health sustains breach

Maryland-based healthcare organization MedStar Health sustained a data breach affecting more than 183,000 patients, the Record reports. A hacker gained access to the data through email accounts belonging to three MedStar employees. The threat actor was able to access “patients’ names, mailing addresses, dates of birth, date(s) of service, provider name(s), and/or health insurance information.” The company said in a breach notification, “Patients whose information may have been involved are encouraged to review statements they receive related to their healthcare. If they identify anything unusual related to the healthcare services or the charges for services, they should contact the healthcare entity or health insurer immediately.” (The Record, MedStar Health)


10. US indicts LockBit ransomware ringleader

On Tuesday, the U.S. Department of Justice (DoJ) charged the alleged mastermind behind the notorious LockBit ransomware-as-a-service (RaaS) operation. The DoJ unmasked 31-year-old Russian national Dmitry Yuryevich Khoroshev (also known as LockBitSupp, LockBit, and putinkrab) in a 26-count indictment that includes charges of fraud, extortion, and damaging protected computers. The charges carry a combined maximum penalty of 185 years in prison. Khoroshev is accused of designing LockBit, recruiting affiliates, and maintaining LockBit’s infrastructure and leak site, and of receiving over $100 million in proceeds from ransom payments. The US is offering a reward of up to $10 million for information leading to his arrest. Sanctions were also announced on Tuesday by the United Kingdom and Australia. (SecurityWeek)


11. CISA is moving the needle on vulnerability remediation

CISA launched its Ransomware Vulnerability Warning Pilot in January 2023 and issued 1,754 warning notices to entities with vulnerable internet-accessible devices in its first year. The agency said that nearly half (852) of these notifications resulted in organizations patching, briefly taking systems offline to fix the issue, or otherwise mitigating the exploitable flaws. The pilot is set to become a fully automated warning system by the end of next year.

Another CISA-led initiative, the Known Exploited Vulnerabilities (KEV) catalog, which the agency introduced in 2021, is also speeding up vulnerability remediation times. The KEV catalog is designed to notify government agencies and enterprises of vulnerabilities that are being exploited in the wild. Bitsight reported that critical-severity KEVs are remediated 2.6 times faster than non-KEV vulnerabilities, while high-severity KEVs are fixed 1.8 times faster. Non-profits and NGOs are the slowest to remediate, while tech companies and insurance and financial firms are the fastest. (The Register and Dark Reading)


12. Lockbit takes credit for Wichita attack

The pernicious ransomware organization added the city of Wichita to its leak site, giving officials until May 15th to pay an unspecified ransom. We covered the city’s announcement of the attack earlier in this roundup. While its payment systems are down, the city can accept only cash or checks for city services, and it says it will not shut off water service over missed payments until regular payment methods come back online. This attack also comes on the heels of US law enforcement agencies publicly naming the suspected leader of LockBit, Dmitry Khoroshev. (The Record)


Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

Being Digitally Resilient in the Face of HIDDEN COBRA

Watch Video: RedSeal and Hidden Cobra Overview, Use Cases and Demo


On November 17th, the United States Computer Emergency Readiness Team (US-CERT), in conjunction with the FBI, released a pair of advisories about the North Korean hacking and espionage campaign code named HIDDEN COBRA. The latest advisories describe two pieces of malware, Volgmer and FALLCHILL, which have been actively used to attack enterprises and other commercial entities in the US. Since 2013, organizations in the aerospace, telecommunications, and finance industries have been targeted with spear phishing campaigns.

The US-CERT advisories provide both a detailed analysis of how the underlying malware packages function and the detection signatures and observed IP addresses of the command and control (C2) infrastructure. This data can be used to detect the malware on your network and sever access to its controllers (Volgmer C2 IP addresses: CSV, STIX; FALLCHILL C2 IP addresses: CSV, STIX). US-CERT’s previous HIDDEN COBRA advisories from June also list several vulnerabilities (CVEs) that North Korean threat actors are known to target and exploit.

This article will describe how the Volgmer and FALLCHILL malware operate, what they target, how they infect those targets, the potential impacts of these infections, and effective mitigation and remediation strategies to protect your enterprise.

Summary of Suggested Actions:

  1. Identify and eliminate outbound network traffic to the C2 infrastructure.
  2. Perform a risk-based prioritization of vulnerabilities to patch on accessible and high-risk endpoints.
  3. Run RedSeal’s incident response query to efficiently isolate and contain any observed indicators of compromise.

About the Volgmer and FALLCHILL Malware

Both malware packages are Windows binaries consisting of executable files and DLL counterparts able to be run as a Windows service. The primary method of attack has been through targeted spear phishing campaigns that trick victims into opening malicious attachments or clicking links leading to malicious websites exploiting browser-based vulnerabilities.


The Volgmer package contains four distinct modules, a “dropper”, two remote administration tools (RATs), and a botnet controller.

  • The Volgmer dropper, a Windows executable, creates a Windows registry key containing the IP address of external C2 servers. It then installs its payload (either a RAT or the botnet controller), achieving stealthy persistence by overwriting an existing Windows service DLL with the payload. Finally, it can clean up after itself and remove all traces.
  • The RAT payload, after achieving persistence on the infected Windows machine, communicates back to its C2 infrastructure over ports 8080 or 8088. The RAT enables the attacker to take over the infected computer, executing arbitrary code and exfiltrating data.
  • The botnet controller can direct the activity of other compromised computers to orchestrate DDoS attacks.


The FALLCHILL malware is a remote administration tool demonstrating a heightened degree of sophistication in its ability to remain hidden, as well as an advanced communication mechanism with its C2 infrastructure. FALLCHILL masquerades as a legitimate Windows service randomizing across seemingly innocuous service names. It generates fake TLS traffic over port 443, hiding the C2 commands and communications in the TLS packet headers, which then get routed through a network of proxy servers.

Figure 1: US-CERT visualization of how FALLCHILL communicates with HIDDEN COBRA threat actors


How the Malware Spreads and Impact of Infection

Although both malware packages are primarily distributed via targeted spear phishing campaigns, they have also been observed on malicious websites, which increases the chances of opportunistic drive-by-download infections. These targeted attacks have been seen in the US aerospace, telecommunications, and financial services sectors.

A successful infection gives the HIDDEN COBRA threat actors persistent access to and control over the compromised computer. The remote administration tools let them read, modify, upload, and download files on the local file system and execute arbitrary code; in effect, the attackers hold a hidden backdoor into the host. Thus, in addition to exfiltrating local files such as document directories or Outlook databases, the infection establishes a beachhead into the rest of the network from which further intrusions can be staged.

General Mitigation Advice

Enterprise security organizations can take several steps to mitigate the risk of a successful spear phishing or drive-by-download infection. In the past few years, attackers have, with increasing frequency, targeted end-user workstations to exfiltrate local data and establish a beachhead into the rest of the corporate network. As a result, it is increasingly important to expand vulnerability management programs to include regular scans of workstations and laptops, followed by timely patching of any discovered vulnerabilities. Employees, particularly executives and those with access to sensitive or proprietary data, should be trained in good email hygiene and in vigilance for possible phishing attacks. User workstations should be configured according to the principle of least privilege, avoiding local administrator access where possible. Additionally, US-CERT advises limiting the applications allowed to execute on a host to an approved allowlist, so that malware cannot masquerade as legitimate software.

RedSeal Can Increase Resilience and Decrease Risk

RedSeal users can decrease their risk of exposure by identifying, closing, and monitoring access from their networks to the HIDDEN COBRA C2 infrastructure. Moreover, in the event of a detected IOC, RedSeal allows you to accelerate incident investigation and containment to mitigate the impact of an infection.

1. Identify and close any existing outbound access to the C2 infrastructure

The first step is to eliminate or minimize outbound access from your networks to the HIDDEN COBRA C2 infrastructure. The C2 IP addresses point at proxies around the world that relay commands and data to and from the threat actors, so many of them belong to legitimate entities whose servers have been compromised or to commercial hosting providers whose servers have been rented. Two consequences follow: blocking a listed address can affect a legitimate service that shares it, so review each hit before deploying a rule, and the list will age as the actors move to new proxies, so repeat the check whenever the advisory is updated. To locate access from the inside of your network to any given C2 address from the advisory, use RedSeal’s Security Intelligence Center to perform an access query from an internal region to the Internet, and in the IPs filter box enter the IP address from the US-CERT data.


Figure 2: Running an Access Query from the Security Intelligence Center from internal to C2 Infrastructure


Figure 3: Access query results shown on the map, showing existing access from internal assets to external HIDDEN COBRA infrastructure


With the results of the access query, the next step is to create additional controls such as firewall or routing rules to block access to the relevant IP address at your perimeter. To decide where to introduce such controls, you can run a RedSeal detailed path query to generate a visual traceroute of the offending access path(s) and identify which devices are along those paths and can be used to close access.


Figure 4: Detailed Path result identifying all network devices and relevant config locations mediating access from an internal asset to the HIDDEN COBRA infrastructure
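The two steps above (find outbound access to listed addresses, then decide where to block it) are easiest to see against concrete data. Below is an added example, not code from RedSeal or from the US-CERT advisories: it loads a C2 indicator list, scans flow records for connections from internal addresses to listed IPs, notes whether the destination port matches the profile given in the malware description earlier (8080 or 8088 for Volgmer, 443 for FALLCHILL), and emits one egress deny per matched address. The indicator CSV layout, the flow-log format, the addresses (RFC 5737 test ranges) and the iptables syntax of the output are all assumptions made for the example; the US-CERT CSV and STIX files and your own flow exports use their own formats.

```python
import csv
import io
import ipaddress
import re
from typing import Dict, List

# Constructed indicator list in a plain ip,family layout (assumption: not the US-CERT CSV/STIX format).
INDICATORS_CSV = """ip,family
203.0.113.10,Volgmer
198.51.100.7,FALLCHILL
192.0.2.44,Volgmer
not-an-ip,Volgmer
"""

# Ports each family was observed using, per the malware description above.
EXPECTED_PORTS = {"Volgmer": {8080, 8088}, "FALLCHILL": {443}}

# Constructed flow records in a key=value style; real NetFlow or firewall exports differ.
FLOW_LOG = """2017-11-20T10:01:02Z src=10.1.5.23 dst=203.0.113.10 dport=8080 proto=tcp bytes=512
2017-11-20T10:01:09Z src=10.1.5.23 dst=93.184.216.34 dport=443 proto=tcp bytes=20480
2017-11-20T10:02:41Z src=10.1.7.8 dst=198.51.100.7 dport=443 proto=tcp bytes=1337
2017-11-20T10:03:00Z src=10.1.9.2 dst=192.0.2.44 dport=25 proto=tcp bytes=900
2017-11-20T10:03:05Z src=10.1.9.2 dst=10.1.0.1 dport=53 proto=udp bytes=80
"""

FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)")


def load_indicators(csv_text: str) -> Dict[str, str]:
    """Map C2 address -> malware family, skipping rows that are not valid IP addresses."""
    out: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ip = str(ipaddress.ip_address(row["ip"].strip()))
        except ValueError:
            continue
        out[ip] = row["family"].strip()
    return out


def match_flows(indicators: Dict[str, str], log_text: str) -> List[dict]:
    """Outbound flows (private source address) whose destination is a listed C2 address."""
    hits = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m or m["dst"] not in indicators:
            continue
        if not ipaddress.ip_address(m["src"]).is_private:
            continue  # only internal-to-external traffic is of interest here
        family = indicators[m["dst"]]
        dport = int(m["dport"])
        hits.append({
            "ts": m["ts"], "src": m["src"], "dst": m["dst"], "dport": dport, "family": family,
            # A hit on an unexpected port is still a hit; proxies and C2 ports change.
            "port_profile_match": dport in EXPECTED_PORTS.get(family, set()),
        })
    return hits


def deny_rules(hits: List[dict]) -> List[str]:
    """One egress deny per matched C2 address, in iptables syntax purely as an illustration;
    translate it to whatever perimeter device the detailed path query identifies."""
    dsts = sorted({h["dst"] for h in hits}, key=ipaddress.ip_address)
    return [f"iptables -A OUTPUT -d {dst} -j DROP" for dst in dsts]


if __name__ == "__main__":
    found = match_flows(load_indicators(INDICATORS_CSV), FLOW_LOG)
    for h in found:
        print(h)
    print("\n".join(deny_rules(found)))
```

The port-profile flag is informational only: the third hit here goes to a Volgmer address on port 25, and it is still a hit. Matching on destination address first and treating port as corroboration avoids missing traffic when the actors change the port or the proxy chain.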


2. Verify vulnerability scan coverage and perform a risk-based prioritization of vulnerabilities

The HIDDEN COBRA campaign has been known to use a set of five CVEs (CVE-2015-6585; CVE-2015-8651; CVE-2016-0034; CVE-2016-1019; CVE-2016-4117) as the vector for infection. These CVEs include several browser-based vulnerabilities for the Adobe Flash and Microsoft Silverlight plugins as well as a Korean word processing application. It is important to note that while these are the vulnerabilities known to be targeted in the wild to deliver Volgmer or FALLCHILL, any known or unknown Windows-based vulnerability that allows arbitrary code execution and/or privilege escalation can be used as part of a future spear phishing campaign. While it is crucial to locate and remediate the above CVEs first, it is important to perform a vulnerability scan of user workstations for all such vulnerabilities, not just the five enumerated ones.


Figure 5: Using the Security Intelligence Center to execute a Threat Query to reveal which vulnerable assets are directly exploitable from the Internet


After importing the results of a vulnerability scan, vulnerability managers can first verify whether the scanner’s coverage was complete and identify any areas on the network missed by the scanner. This is accomplished by looking for all “Unscanned Subnets” model issues (MI-7) within your RedSeal model. A subsequent detailed path query from the scanner to the unscanned subnet will reveal whether and why access is blocked.

Next, you can perform a risk-based prioritization of the vulnerable hosts to ensure that the highest risk vulnerabilities are remediated first. The CVEs known to be actively exploited by the HIDDEN COBRA threat actors should be patched or otherwise mitigated first. A good start is to target the vulnerabilities that are on hosts that are accessible from untrusted networks, such as the Internet or a vendor’s network.

Since the malware attempts to establish a hidden Windows service with RAT capabilities, the next vulnerabilities to target for remediation are those that are directly or indirectly accessible and exploitable from any potentially compromised host. To find them, a RedSeal threat query can reveal all vulnerable hosts exploitable from a compromised endpoint on your network.


Figure 6: Visual results showing direct (red) and indirect (yellow) threats to the rest of the enterprise from a compromised host.


Figure 7: Threat Query results identifying vulnerable hosts threatened by the compromised endpoint
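The coverage check and the prioritization described in this step can be expressed as two small functions. The following is an added example in Python, not RedSeal’s implementation of the MI-7 model issue or of its threat query: unscanned_subnets reports model subnets that no scanner target range fully contains, and prioritized orders findings by whether the CVE is one of the five HIDDEN COBRA vectors listed above, then whether the host is reachable from an untrusted network, then whether it is reachable from a compromised host, and only then by CVSS score. The subnets, scanner ranges, hosts and reachability flags are constructed, and the CVE-9999-* identifiers are placeholders for “some other vulnerability”, not real CVEs; the five HIDDEN COBRA CVEs are the ones named in the text.

```python
import ipaddress
from typing import List

# Constructed network model and scanner configuration (not exported from RedSeal or a scanner).
MODEL_SUBNETS = ["10.1.0.0/24", "10.1.5.0/24", "10.1.7.0/24", "10.2.0.0/22"]
SCANNER_TARGETS = ["10.1.0.0/23", "10.1.5.0/24"]

# The five CVEs the advisory names as HIDDEN COBRA infection vectors (from the text above).
HIDDEN_COBRA_CVES = {"CVE-2015-6585", "CVE-2015-8651", "CVE-2016-0034", "CVE-2016-1019", "CVE-2016-4117"}

# Constructed findings. CVE-9999-* are placeholders, not real CVEs; the reachability flags
# stand in for what an access query or threat query would establish.
FINDINGS = [
    {"host": "10.1.5.23", "cve": "CVE-2016-4117", "cvss": 9.8, "internet_reachable": False, "reachable_from_compromised": True},
    {"host": "10.1.0.9",  "cve": "CVE-9999-0001", "cvss": 9.8, "internet_reachable": True,  "reachable_from_compromised": True},
    {"host": "10.1.0.40", "cve": "CVE-2015-6585", "cvss": 7.5, "internet_reachable": True,  "reachable_from_compromised": False},
    {"host": "10.1.5.77", "cve": "CVE-9999-0002", "cvss": 5.0, "internet_reachable": False, "reachable_from_compromised": False},
]


def unscanned_subnets(model: List[str], scanned: List[str]) -> List[str]:
    """Model subnets that no scanner target range fully contains (partial overlap counts as unscanned)."""
    scanned_nets = [ipaddress.ip_network(s) for s in scanned]
    return [s for s in model if not any(ipaddress.ip_network(s).subnet_of(t) for t in scanned_nets)]


def priority_key(finding: dict):
    """Sort key; smaller sorts first. Known HIDDEN COBRA vector, then untrusted-network exposure,
    then reachability from a compromised host, then raw severity as the tie-breaker."""
    return (
        0 if finding["cve"] in HIDDEN_COBRA_CVES else 1,
        0 if finding["internet_reachable"] else 1,
        0 if finding["reachable_from_compromised"] else 1,
        -finding["cvss"],
    )


def prioritized(findings: List[dict]) -> List[dict]:
    """Findings in the order they should be remediated."""
    return sorted(findings, key=priority_key)


if __name__ == "__main__":
    print("unscanned:", unscanned_subnets(MODEL_SUBNETS, SCANNER_TARGETS))
    for rank, f in enumerate(prioritized(FINDINGS), 1):
        print(rank, f["host"], f["cve"], f["cvss"])
```

The ordering deliberately puts a CVSS 7.5 finding that is a known HIDDEN COBRA vector and Internet-reachable ahead of a CVSS 9.8 finding that is neither; raw severity is the tie-breaker, not the driver. The subnets the coverage check returns are where a detailed path query from the scanner should be run next, to learn whether and why the scanner is blocked.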

3. Investigate and contain existing IOCs

Finally, you can achieve greater resilience by accelerating your response to detected indicators of compromise and containing compromised systems while working to eliminate the infection. US-CERT released several detection signatures to identify potentially compromised systems. By leveraging RedSeal’s incident response query directly or from our integrations with major SIEMs like QRadar, ArcSight, and Splunk, you can quickly assess the potential impact of a compromise and identify the mitigating controls necessary to isolate and contain it. The query allows incident responders to rapidly discover, and prioritize by asset value, everything that is accessible from the compromised endpoint. A subsequent detailed path query between the compromised endpoint and a downstream critical asset will reveal all network devices mediating access and where controls such as firewall rules can be deployed to reduce downstream risk.


Figure 8: Incident Response query showing accessible groups and assets from the source of an indicator of compromise



The HIDDEN COBRA campaign is sophisticated, recently showing increases in intensity and variety of methods used. Defenders need to be resilient to minimize enterprise risk, efficiently mitigate damage, and recover from a successful compromise. RedSeal can help you achieve resilience in the face of these changing threats: by assessing ways to block outbound access to C2 nodes, by locating vulnerable and high-risk internal machines, and by speeding the investigation of any detected indicators of compromise.


Calling in the security experts – your network engineers

I’ve talked about the need to consider your network as the key to improving cyber defenses. Here’s why.

Today’s attacks are “system-level”, supplanting specific server or host exploitations.  Cybercriminals today develop sophisticated attack strategies by:

  1. Finding PATHWAYS INTO the network through phishing emails, third parties, or other creative ways.
  2. MOVING MALWARE AROUND the network while masquerading as legitimate traffic.
  3. Identifying legitimate PATHWAYS OUT.
  4. Exfiltrating company assets through these pathways.

Notice this is all about TRAFFIC and PATHWAYS, and who knows the most about these? Your network team.

They know your network and why it is built the way it is. What is their priority? Performance and uptime. They have a wealth of tools that already help them manage to these priorities. So if a security solution gave them additional knowledge about their network that helped manage performance and uptime, they would likely embrace and use it. Although they are now working with firewalls and other security devices by necessity, they still focus on performance. They’ve segmented the network for management and performance reasons, but are now expected to further segment for security.

And they care about one other thing: Access. Access to data and applications by their end users.

Access?  Pathways?  This is EXACTLY what attackers are exploiting.

So your best bet to combat cybercrime?  Bring in the experts who know about access in your network, and leverage their knowledge and experience.

Securing Your Network, or Networking for Security?

Every day we hear about another breach, and most of the time the information we get is fairly consistent: the breach started and finished long before it was discovered. It’s not always clear exactly how or where the attackers were able to get access because they’ve had ample time to cover their tracks. Whatever log or history data we have is massive, and sifting through it to figure out anything about the attack is very difficult and time consuming. We don’t quite know what we’re looking for, and much of the evidence has come and gone.

As I survey the cybersecurity market and media coverage, I notice that:

  1. We’ve thrown in the towel; it’s “not if, but when” you’ll be breached.
  2. Many security vendors are now talking about analytics, dashboards, and big data instead of prevention.

Notably absent is the acknowledgement that the attack did not happen at a single point or computer, and that the actual theft of data was allowed because the data looked like legitimate network traffic using allowed routes through and out of the network.

We hear a lot about not having enough “security expertise”. Is that really the problem? Or is the problem that the security experts don’t really understand the full complexity of their networks? The network experts understand. These attacks are happening via network traffic, not on a device, nor with a known signature. And what do networking professionals care about? Traffic, and how it’s flowing. I maintain that there’s a lot more expertise that could help in this breach analysis and prevention than we think; we’re just not asking the right people.

In subsequent posts I’ll talk about why the networking team is becoming vital to security efforts, and why understanding how a network is constructed and performs is the best chance we have of improving our defenses.

The Weakest Link

Today, TrendMicro announced their discovery of Emmental, proof that “…online banking may be full of holes.” The focus of the attack is on users of online banking, and it, like many of the current attacks, starts with a phishing attack on consumers. The New York Times Bits Blog covered the report, as well, providing a high-level view of the attack on two-factor authentication used by many online financial sites.

This attack underscores two vital truths:


  1. The weakest link in security is the human factor, and
  2. Trust is the key to security

In Emmental, the cyber-criminals used the combination of fear for their finances and trust of consumer brands to convince consumers to open attachments and visit financial sites that had been created to capture their usernames, passwords, and PINs. The holes exploited in this process are many, including email systems, operating systems, web browsers, and the wide variety of multi-factor authentication in use.

It can be easy for enterprise technology specialists to write this off as simple error on the part of the unwashed consumer masses. Yet, these issues and truths exist within enterprise environments, and we see this consistently: simple typos and conceptual errors in device configurations lead to violations of security policy and potential breach paths, misunderstandings of policy intentions result in open access, and IT organizations trust more widely than is prudent.

How do you protect your enterprise from these risks while recognizing these two vital truths?