Cyber Security Threat Intel Briefing October 2022


NCSC vulnerability scanning

The National Cyber Security Centre (NCSC) has launched an internet scanning capability covering all UK internet-facing devices. The NCSC is scanning UK address space for vulnerabilities to build a clearer picture of the UK's exposure. Understanding what is vulnerable on the UK's internet-facing infrastructure is intended to reduce national cyber risk in two ways: helping system owners understand their own security posture, and improving the UK's response when a zero-day vulnerability is disclosed.

The NCSC records all responses from active services and protocols, so for a web server that means the full HTTP response, headers included. The date, time and IP address of the responding server are recorded alongside it. If the NCSC identifies that personal or sensitive data has been collected during a scan, it states that it will take steps to remove that data and prevent it from being captured again.

You can identify NCSC scanning traffic by the public IP addresses its scanners use (18.171.7.246 and 35.177.10.231) or by the FQDN scanner.scanning.service.ncsc.gov.uk. HTTP requests additionally carry the header X-NCSC-Scan: NCSC Scanning agent - https://www.ncsc.gov.uk/scanning-information. Anyone can send that header, so treat the source IP addresses as the authoritative signal and the header only as a hint. If you wish to exclude some public services from the scanning, email scanning@ncsc.gov.uk with the list of IP addresses you want excluded.
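As an added example (not from the NCSC or this briefing), the following Python classifies requests in a JSON-lines access log using the identifiers above. The log format and the addresses 203.0.113.9 and 198.51.100.4 are constructed; the optional reverse_dns argument assumes you have performed the PTR lookup yourself. Header-only matches are deliberately reported as unverified, because the header is trivially spoofable.

```python
import json
from typing import Dict, Optional

# Identifiers the NCSC publishes for its scanner (as stated on this page).
NCSC_SCANNER_IPS = {"18.171.7.246", "35.177.10.231"}
NCSC_SCANNER_FQDN = "scanner.scanning.service.ncsc.gov.uk"
NCSC_HEADER = "x-ncsc-scan"                 # HTTP header names are case-insensitive
NCSC_HEADER_PREFIX = "ncsc scanning agent"  # the header value starts with this text


def classify_request(src_ip: str, headers: Dict[str, str],
                     reverse_dns: Optional[str] = None) -> str:
    """Classify one HTTP request.

    'ncsc'                   - source IP (or a PTR record you resolved yourself)
                               is a published NCSC scanner
    'ncsc-header-unverified' - only the X-NCSC-Scan header claims NCSC; anyone can
                               send that header, so never allow-list on it alone
    'other'                  - everything else
    """
    ip_match = src_ip in NCSC_SCANNER_IPS
    ptr = (reverse_dns or "").rstrip(".").lower()
    dns_match = ptr == NCSC_SCANNER_FQDN
    hdr_value = {k.lower(): v for k, v in headers.items()}.get(NCSC_HEADER, "")
    header_match = hdr_value.strip().lower().startswith(NCSC_HEADER_PREFIX)
    if ip_match or dns_match:
        return "ncsc"
    if header_match:
        return "ncsc-header-unverified"
    return "other"


# Constructed JSON-lines access log (hypothetical clients, not real traffic).
SAMPLE_LOG = """\
{"ip": "18.171.7.246", "method": "GET", "path": "/", "headers": {"X-NCSC-Scan": "NCSC Scanning agent - https://www.ncsc.gov.uk/scanning-information"}}
{"ip": "35.177.10.231", "method": "GET", "path": "/robots.txt", "headers": {}}
{"ip": "203.0.113.9", "method": "GET", "path": "/admin", "headers": {"X-NCSC-Scan": "NCSC Scanning agent - https://www.ncsc.gov.uk/scanning-information"}}
{"ip": "198.51.100.4", "method": "POST", "path": "/login", "headers": {"User-Agent": "Mozilla/5.0"}}
"""


def summarise(log_text: str) -> Dict[str, int]:
    """Count requests per classification over a JSON-lines access log."""
    counts = {"ncsc": 0, "ncsc-header-unverified": 0, "other": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        counts[classify_request(rec["ip"], rec.get("headers", {}))] += 1
    return counts


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

The third sample line is the interesting one: a request from an unrelated address carrying the NCSC header is counted as unverified rather than trusted, which is the behaviour you want before tuning any WAF or IDS exception.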

Rebirth of Emotet

VMware's Threat Analysis Unit has released a detailed report documenting the return of Emotet, the malware and botnet operated by the cyber crime group Mummy Spider, also tracked as Mealybug or TA542.

Emotet was first detected in 2014 as a banking trojan built to steal online banking credentials. It has since evolved into a loader: its job is to gain initial access and let the operator install additional payloads. The trojan is typically delivered as a macro-enabled document attached to a spam email. The document lures the user into enabling macros; once enabled, the macro uses PowerShell to download the Emotet payload, and Emotet in turn downloads additional modules or third-party malware such as TrickBot or QakBot.

The Emotet operators keep access to infected machines, run them as a botnet and rent that access out to ransomware operators, the Malware-as-a-Service (MaaS) model. Each botnet goes through periods of inactivity to avoid detection and remain undiscovered. Historically there were three botnets, Epoch 1, Epoch 2 and Epoch 3; since the resurgence there are two new ones, Epoch 4 and Epoch 5.

In January 2021 the Emotet infrastructure was taken down by law enforcement from the United Kingdom, United States, France, Germany, Lithuania, the Netherlands, Canada and Ukraine in an operation known as Operation LadyBird. The operation saw two individuals arrested by Ukrainian law enforcement and the Emotet infrastructure seized. Having taken control of that infrastructure, law enforcement used it to push an update that uninstalled Emotet from infected hosts on a fixed date. In November 2021 the TrickBot botnet was observed distributing an Emotet DLL, rebooting the botnet, with the first new attacks observed in January 2022.

VMware's Threat Analysis Unit first observed Epoch 4/5 traffic in January 2022 and began its investigation. It has since performed a full software lifecycle analysis of the C2 infrastructure and the malware: how the payload is delivered, how the code is obfuscated, how several execution chains are used to avoid detection, and how it propagates and moves laterally. The research also shows the Emotet developers working in an agile-like fashion, with the strain continuously improving.

The payload is generally delivered as in previous iterations: a macro-enabled document attached to a spam email. Once the user is persuaded to enable macros, the macro runs a series of PowerShell commands that download the Emotet payload, execute it via rundll32.exe and gain persistence by invoking the DLL's DllRegisterServer export. The payload uses several layers of obfuscation to defeat detection and static analysis: it fingerprints the operating system and environment so that it does not run inside a sandbox, and the script content is padded with newlines and whitespace to hide the JavaScript it contains.
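The delivery chain above (Office document, PowerShell download, rundll32 or regsvr32 invoking DllRegisterServer) maps directly onto process-creation telemetry. The Python below is an added example, not code from VMware's report: it walks a set of constructed Sysmon-style process events and reports any DLL-registration process whose ancestry contains a suspicious PowerShell that itself descends from an Office application. The field names (pid, ppid, image, cmdline), the sample PIDs and paths, and the PowerShell command-line markers are assumptions; the regsvr32 rule relies on the Windows behaviour that regsvr32 calls DllRegisterServer unless run with /u.

```python
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Command-line fragments typical of download cradles and encoded commands (assumed markers).
PS_MARKERS = ("-enc", "-e ", "-encodedcommand", "downloadstring", "downloadfile",
              "invoke-webrequest", "iwr ", "net.webclient", "frombase64string")


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_powershell(ev: Dict) -> bool:
    cmd = ev["cmdline"].lower()
    return image_name(ev["image"]) in POWERSHELL and any(m in cmd for m in PS_MARKERS)


def is_dll_registration(ev: Dict) -> bool:
    """regsvr32 calls the DLL's DllRegisterServer export unless /u is given;
    rundll32 does so only when the export is named on the command line."""
    name = image_name(ev["image"])
    cmd = ev["cmdline"].lower()
    if name == "regsvr32.exe":
        return "/u" not in cmd
    return name == "rundll32.exe" and "dllregisterserver" in cmd


def ancestors(ev: Dict, by_pid: Dict[int, Dict], max_depth: int = 6) -> List[Dict]:
    """Parent, grandparent, ... (bounded and loop-safe). PID reuse is ignored
    here; real telemetry should key on process GUIDs rather than bare PIDs."""
    chain, seen, cur = [], set(), ev
    while len(chain) < max_depth and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        chain.append(cur)
    return chain


def detect_chains(events: List[Dict]) -> List[Dict[str, int]]:
    """One hit per DLL-registration process with a suspicious PowerShell
    ancestor that in turn has an Office application as an ancestor."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        if not is_dll_registration(ev):
            continue
        ps = next((a for a in ancestors(ev, by_pid) if is_suspicious_powershell(a)), None)
        if ps is None:
            continue
        office = next((a for a in ancestors(ps, by_pid)
                       if image_name(a["image"]) in OFFICE_APPS), None)
        if office is not None:
            hits.append({"office": office["pid"], "powershell": ps["pid"], "loader": ev["pid"]})
    return hits


# Constructed process-creation events: one Emotet-style chain (via cmd.exe) and
# one benign installer registering a DLL. Paths and PIDs are made up.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c powershell ..."},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgA..."},
    {"pid": 320, "ppid": 310, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\ab12.dll,DllRegisterServer"},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec /i app.msi"},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\App\app.dll"},
]

if __name__ == "__main__":
    print(detect_chains(SAMPLE_EVENTS))
```

The benign regsvr32 launched by msiexec is not reported because nothing in its ancestry is PowerShell or an Office application; the Office requirement is checked on the PowerShell's ancestry rather than the loader's so that a PowerShell launched by an administrator from Explorer does not match.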

Once Emotet is installed it downloads additional modules and updates, as well as third-party malware such as TrickBot and QakBot. The paper notes that the new strain adds several modules to those present in previous iterations. Two of the new modules are a credit-card stealer targeting Google Chrome and a lateral-movement module that uses SMB to spread across the network, further evidence that the strain is under active development.

Mitigation

It is difficult to block the Emotet C2 infrastructure with firewall rules because it changes constantly, with new hosts infected every day; a blocklist built from today's C2 addresses is stale within days. The most common port the researchers observed the C2 servers using was 8080, a port commonly used for proxies, which the researchers take to indicate that many of these servers are legitimate hosts that have been compromised and are proxying traffic to the real Emotet C2 servers.

The researchers recommend building a strong security foundation from the technologies, processes and programmes listed below to reduce the likelihood of an Emotet infection. Beyond Emotet, these controls raise your organisation's overall security posture and position you well against most threats. For more information, download a copy of the paper here.

  • Security Awareness and training programs
  • Network Detection and Response (NDR)
  • Email Security
  • Next-Generation Firewalls
  • Intrusion Detection and Prevention Systems (IDS/IPS)
  • Endpoint Detection and Response (EDR)
  • Patch Management
  • Penetration and Vulnerability Testing
  • Segment the network
  • Inspect east-west traffic
  • Scan network artifacts
  • Log aggregation
  • Apply Zero Trust principles
  • Implement robust password policies and best practices
  • Active threat hunting
  • Lateral security

CISA joint security advisory – Daixin

The Cybersecurity & Infrastructure Security Agency (CISA) has released a joint advisory as part of its ongoing #StopRansomware campaign, in which it publishes the TTPs and IOCs of ransomware variants and threat actors to help network defenders. The most recent advisory covers the Daixin Team, a ransomware group known to target the Healthcare and Public Health (HPH) sector.

The Daixin group has been observed targeting Virtual Private Network (VPN) servers. In one instance they exploited an unpatched, publicly facing VPN server; in another they used compromised credentials to log in to a VPN server that did not have MFA enabled. The group is believed to obtain credentials through credential-harvesting phishing emails.

Once on the VPN server, the group moves laterally using Secure Shell (SSH) or Remote Desktop Protocol (RDP). They then escalate privileges with credential dumping and pass-the-hash, aiming to reach the VMware vCenter Server. With access to vCenter, Daixin resets the account passwords on the ESXi hosts and deploys the ransomware. In some cases the group has been seen exfiltrating data with Rclone or Ngrok.

The ransomware is believed to be based on the leaked Babuk Locker source code. It targets ESXi servers and encrypts files under /vmfs/volumes/ with the extensions .vmdk, .vmem, .vswp, .vmsd, .vmx and .vmsn. Once the files are encrypted a ransom note is written to /vmfs/volumes/ instructing the organisation how to pay.
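As an added example, not from the CISA advisory, the Python below triages a datastore tree for the file types listed above: .vmx and .vmsd files that are no longer plain text, binary VM files whose first 4 KiB is near-uniform (as ciphertext is, and as disk headers and guest page 0 normally are not), and VM files renamed with an extra suffix. The entropy and printable-ratio thresholds are heuristics, the sample datastore is constructed, and the .locked suffix is hypothetical: the advisory does not name the extension Daixin appends.

```python
import math
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# File types the advisory says Daixin encrypts under /vmfs/volumes/.
VM_EXTENSIONS = {".vmdk", ".vmem", ".vswp", ".vmsd", ".vmx", ".vmsn"}
# Of these, .vmx and .vmsd are plain-text key = "value" files on a healthy host.
TEXT_EXTENSIONS = {".vmx", ".vmsd"}
SAMPLE = 4096  # bytes examined per file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for config text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path) -> bool:
    data = path.read_bytes()[:SAMPLE]
    if not data:
        return False
    if path.suffix.lower() in TEXT_EXTENSIONS:
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)
        return printable < 0.9          # a .vmx/.vmsd should be almost entirely printable
    return shannon_entropy(data) > 7.5  # heuristic threshold for binary VM files


def has_appended_extension(path: Path) -> bool:
    """'disk.vmdk.<suffix>': a VM file renamed with an extra extension."""
    suffixes = [s.lower() for s in path.suffixes]
    return (len(suffixes) >= 2 and suffixes[-1] not in VM_EXTENSIONS
            and any(s in VM_EXTENSIONS for s in suffixes[:-1]))


def triage(root: Path) -> Dict[str, List[str]]:
    """Walk a datastore root (e.g. /vmfs/volumes) and list suspicious VM files."""
    findings: Dict[str, List[str]] = {"encrypted": [], "renamed": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if has_appended_extension(p):
            findings["renamed"].append(rel)
        elif p.suffix.lower() in VM_EXTENSIONS and looks_encrypted(p):
            findings["encrypted"].append(rel)
    return findings


def build_sample_datastore() -> Path:
    """Constructed layout: one healthy VM (web-01) and one hit by ransomware (db-01)."""
    root = Path(tempfile.mkdtemp(prefix="vmfs-sample-"))
    good = root / "datastore1" / "web-01"
    bad = root / "datastore1" / "db-01"
    good.mkdir(parents=True)
    bad.mkdir(parents=True)
    vmx_text = b'.encoding = "UTF-8"\nconfig.version = "8"\nvirtualHW.version = "19"\ndisplayName = "web-01"\n'
    (good / "web-01.vmx").write_bytes(vmx_text)
    (good / "web-01.vmdk").write_bytes(b"KDMV" + b"\x00" * 1020)       # sparse-vmdk magic + padding
    (bad / "db-01.vmx").write_bytes(os.urandom(SAMPLE))                # config overwritten with ciphertext
    (bad / "db-01.vmsn").write_bytes(os.urandom(SAMPLE))               # snapshot state overwritten
    (bad / "db-01-flat.vmdk.locked").write_bytes(os.urandom(SAMPLE))   # hypothetical appended suffix
    return root


if __name__ == "__main__":
    print(triage(build_sample_datastore()))
```

On a real host run this read-only from a forensic copy or over SSH before anyone attempts recovery, and treat a hit on a single .vmx as enough to escalate; the binary-file entropy check exists to catch hosts where the operators did not rename anything.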

The advisory lists three steps to take immediately to mitigate the ransomware threat: keep all software, operating systems and firmware up to date; implement phishing-resistant MFA for all services; and train employees to recognise phishing attempts. It also gives more general advice on preparing for, mitigating, preventing and responding to ransomware attacks. For more information, review advisory AA22-294A and the #StopRansomware site.

NCSC release guidance on supply chain attacks

The NCSC has published a 29-page guidance document to help medium and large organisations assess, and gain confidence in, their supply chains. Supply chains are complex and can be exploited in many ways, often with an attacker chaining several techniques. One example of supply-chain risk is the re-use of public code and software libraries: when an organisation depends on code published to a public repository it cannot guarantee the integrity of that code, which could be vulnerable, could have been written by an attacker, or could contain sensitive information such as hard-coded passwords.

Log4Shell is a prime example of a vulnerability in a re-used library leading to many attacks. The Log4Shell zero-day let an unauthenticated attacker achieve remote code execution (RCE) on a vulnerable server. The Log4j library is used by a great many Java applications for logging, including public-facing products such as VMware vCenter. Within hours of the zero-day becoming public, attack traffic across the internet surged. Several patched Log4j releases have since shipped, yet many organisations have still not applied them, and the library continues to be exploited by several ransomware gangs.
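A concrete check for the library re-use problem, as an added example rather than NCSC guidance: the Python below inspects a jar, and any jars nested inside it (as in Spring Boot fat jars), for log4j-core, reads the version from its Maven pom.properties, checks whether the JndiLookup class is present, and classifies the result against the fixed releases (2.17.1, plus 2.12.4 and 2.3.2 on the Java 7 and Java 6 branches). The jar-building helpers produce constructed stand-ins that contain only the entries inspected; a shaded jar with no pom.properties but with JndiLookup present is reported as version unknown and treated as vulnerable.

```python
import io
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")
PATCHED_BRANCH_RELEASES = ("2.12.4", "2.3.2")        # full fix on the Java 7 / Java 6 branches
LOOKUP_DISABLED_BRANCH_RELEASES = ("2.12.2", "2.12.3", "2.3.1")  # CVE-2021-44228 fixed, later CVEs not


def vtuple(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); pre-release tags such as '2.0-beta9' drop the tag."""
    return tuple(int(x) for x in version.split("-")[0].split(".") if x.isdigit())


def classify(version: Optional[str], has_jndi: bool) -> str:
    if version is None:
        return ("VULNERABLE: JndiLookup present, version unknown" if has_jndi
                else "log4j-core present, JndiLookup absent, version unknown: verify manually")
    v = vtuple(version)
    if v >= (2, 17, 1) or version in PATCHED_BRANCH_RELEASES:
        return "patched"
    if not has_jndi:
        return "mitigated (JndiLookup removed): update to a fixed release"
    if v >= (2, 15, 0) or version in LOOKUP_DISABLED_BRANCH_RELEASES:
        return "CVE-2021-44228 fixed, later log4j CVEs remain: update"
    return "VULNERABLE to CVE-2021-44228 (Log4Shell)"


def scan_jar(data: bytes, name: str, depth: int = 0) -> List[Tuple[str, Optional[str], str]]:
    """Return (location, version, status) for every log4j-core found in the
    archive and in archives nested up to three levels deep."""
    findings: List[Tuple[str, Optional[str], str]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_CLASS in names
    if version is not None or has_jndi:
        findings.append((name, version, classify(version, has_jndi)))
    if depth < 3:
        for entry in sorted(names):
            if entry.lower().endswith(NESTED):
                findings.extend(scan_jar(zf.read(entry), f"{name}!/{entry}", depth + 1))
    return findings


def scan_path(path: str) -> List[Tuple[str, Optional[str], str]]:
    return scan_jar(Path(path).read_bytes(), path)


# --- constructed stand-ins for testing offline (not real Log4j artefacts) ---
def make_log4j_core(version: str, include_jndi: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def make_fat_jar(inner: bytes, inner_name: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(inner_name, inner)
    return buf.getvalue()


if __name__ == "__main__":
    fat = make_fat_jar(make_log4j_core("2.14.1", True), "BOOT-INF/lib/log4j-core-2.14.1.jar")
    for finding in scan_jar(fat, "app.jar"):
        print(finding)
```

The point of the nested scan is that a dependency manifest rarely lists what is actually shipped inside a fat jar or an appliance; checking the artefact you deploy, rather than the pom you wrote, is what a supply-chain review of re-used code has to do.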

Despite how damaging supply-chain attacks can be, the latest government data suggests only one in ten organisations review their supply-chain risk; if your organisation is among the other nine, it is strongly advised that you review the NCSC's guidance. The document is very granular and is a good starting point for any procurement specialist, risk manager or cyber security professional looking to learn how to assess, or to improve, their organisation's supply-chain risk.

Aspire can help

With the threat landscape constantly changing, an effective cyber security strategy that uses the best and latest threat prevention technologies is vital to protect your organisation and your clients.

At Aspire we help organisations stay ahead of emerging security threats. Our RealProtect Managed Cyber Security Services provide 24/7/365 managed detection and response, via our UK based Cyber Security Operations Centre.

Do you have any questions about our products? Head over to our Contact page and get in touch, or visit our managed cyber security services page to discover our range of products and solutions.

Written by: Dean Wright