Hornetsecurity launched DMARC Manager, an advanced tool addresses the complex challenges organisations face in managing DMARC, DKIM, and SPF configurations, especially for those operating across multiple domains. As email threats such as fraud and impersonation attacks continue to rise, the need for robust email authentication practices has never been more critical. DMARC Manager is designed to empower administrators and CISOs by providing an intuitive solution for setting up and maintaining best practices in email authentication. … More →
The post Hornetsecurity DMARC Manager protects against fraud and phishing attacks appeared first on Help Net Security.
One of Google Cloud's major missions is to arm security professionals with modern tools to help them defend against the latest threats. Part of that mission involves moving closer to a more autonomous, adaptive approach in threat intelligence automation.
In our latest advancements in malware analysis, we’re equipping Gemini with new capabilities to address obfuscation techniques and obtain real-time insights on indicators of compromise (IOCs). By integrating the Code Interpreter extension, Gemini can now dynamically create and execute code to help deobfuscate specific strings or code sections, while Google Threat Intelligence (GTI) function calling enables it to query GTI for additional context on URLs, IPs, and domains found within malware samples. These tools are a step toward transforming Gemini into a more adaptive agent for malware analysis, enhancing its ability to interpret obfuscated elements and gather contextual information based on the unique characteristics of each sample.
Building on this foundation, we previously explored critical preparatory steps with Gemini 1.5 Pro, leveraging its expansive 2-million-token input window to process substantial sections of decompiled code in a single pass. To further enhance scalability, we introduced Gemini 1.5 Flash, incorporating automated binary unpacking through Mandiant Backscatter before the decompilation phase to tackle certain obfuscation techniques. Yet, as any seasoned malware analyst knows, the true challenge often begins once the code is exposed. Malware developers frequently employ obfuscation tactics to conceal critical IOCs and underlying logic. Malware may also download additional malicious code, making it challenging to fully understand the behavior of a given sample.
For large language models (LLMs), obfuscation techniques and additional payloads create unique challenges. When dealing with obfuscated strings such as URLs, IPs, domains, or file names, LLMs often “hallucinate” without explicit decoding methods. Additionally, LLMs cannot access, for example, URLs that host additional payloads, often resulting in speculative interpretations about the sample’s behavior.
To help with these challenges, Code Interpreter and GTI function calling tools provide targeted solutions. Code Interpreter enables Gemini to autonomously create and execute custom scripts, as needed, using its own judgment to decode obfuscated elements within a sample, such as strings encoded with XOR-based algorithms. This capability minimizes interpretation errors and enhances Gemini's ability to reveal hidden logic without requiring manual intervention.
Meanwhile, GTI function calling expands Gemini’s reach by retrieving contextualized information from Google Threat Intelligence on suspicious external resources such as URLs, IPs, or domains, providing verified insights without speculative guesses. Together, these tools equip Gemini to better handle obfuscated or externally hosted data, bringing it closer to the goal of functioning as an autonomous agent for malware analysis.
To illustrate how these enhancements boost Gemini's capabilities, let's look at a practical example. In this case, we’re analyzing a PowerShell script that contains an obfuscated URL that hosts a second-stage payload. This particular sample was previously analyzed with some of the most advanced publicly available LLM models, which incorporate code generation and execution as part of their reasoning process. Despite these capabilities, each model “hallucinated,” generating completely fabricated URLs instead of accurately revealing the correct one.
Obfuscated PowerShell code sample to be analyzed by Gemini
Utilizing Code Interpreter and GTI function calling as part of its reasoning process, Gemini autonomously generated the following report without any human intervention. When deemed necessary, it applies these tools to process and extract additional information from the sample.
Final Report: PowerShell Malware with URL DeobfuscationThis report analyzes a PowerShell script designed to download and execute a file from an obfuscated URL. The script employs a custom obfuscation routine resembling the RC4 stream cipher to conceal the malicious URL.
Functionality:
Obfuscation Routine: The script defines a function F that performs byte-level XOR encryption using a key derived from the string "tox2". This function is used to deobfuscate the malicious URL.
URL Decryption: The obfuscated URL, stored as a byte array, is decrypted using the F function with "tox2" as the key.
File Download: The script downloads a file from the decrypted URL (hxxps://filedn[.]eu/lODWTgN8sswHA6Pn8HXWe1J/tox2/Scan_docs%2398097960[.]msi) and saves it to the system's temporary directory under a randomly generated filename.
Execution: Finally, the script executes the downloaded file.
Indicators of Compromise (IOCs):
URL: hxxps://filedn[.]eu/lODWTgN8sswHA6Pn8HXWe1J/tox2/Scan_docs%2398097960[.]msi
Deobfuscation Code:
def deobfuscate(x, y): s = list(range(256)) j = 0 k = [ord(c) for c in y] for i in range(256): j = (j + s[i] + k[i % len(k)]) % 256 s[i], s[j] = s[j], s[i] i = 0 j = 0 output = [] for m in range(len(x)): i = (i + 1) % 256 j = (j + s[i]) % 256 s[i], s[j] = s[j], s[i] output.append(x[m] ^ s[(s[i] + s[j]) % 256]) return output a = [0x25, 0x7B, 0x5A, 0xD8, 0x9C, 0xFF, 0xC3, 0xA4, 0x95, 0xB7, 0x9D, 0x6E, 0x5F, 0x4D, 0x49, 0xFB, 0x78, 0x32, 0xB8, 0x17, 0x72, 0x01, 0x31, 0xFB, 0xC0, 0x58, 0x45, 0xCB, 0x5C, 0x3C, 0xDD, 0x00, 0x60, 0x87, 0x25, 0xB2, 0x44, 0xA6, 0xC5, 0xEA, 0x71, 0xAA, 0x9D, 0xA1, 0x05, 0x5F, 0xBD, 0x41, 0x28, 0x70, 0x30, 0x6B, 0x96, 0x24, 0x92, 0xA0, 0x9D, 0x92, 0x23, 0x79, 0x69, 0x2C, 0x1B, 0x1E, 0xEB, 0x69, 0x8F, 0x04, 0x10, 0x74, 0xBC] b = "tox2" c = deobfuscate(a, b) decoded_url = "".join(chr(i) for i in c) print(decoded_url)Google Threat Intelligence (GTI) Lookup:
The GTI lookup provides valuable context regarding the identified IOC:
Threat Actor: UNC5687, known for using MESHAGENT in phishing campaigns impersonating the Security Service of Ukraine.
Campaign: This specific URL is linked to a campaign spreading MESHAGENT via phishing emails with malicious links. The campaign involved a captcha page leading to the download of either a malicious MSI or EXE file.
Malware: The campaign delivers MESHAGENT, an open-source remote access framework, configured to communicate with C2 domains linked to a service called "AnonVNC."
Conclusion:
The analyzed PowerShell script is confirmed to be malicious, associated with a phishing campaign by UNC5687 distributing the MESHAGENT remote access tool.
Gemini identified that the script employs an XOR-based obfuscation algorithm that resembles RC4 to conceal the download URL. Recognizing this pattern, Gemini autonomously generates and executes a Python deobfuscation script within the Code Interpreter sandbox, successfully revealing the external resource.
With the URL in hand, Gemini then utilizes GTI function calling to query Google Threat Intelligence for further context. This analysis links the URL to UNC5687, a threat cluster known for using a remote access tool in phishing campaigns impersonating the Security Service of Ukraine.
As we’ve seen, the integration of these tools has strengthened Gemini’s ability to function as a malware analyst capable of adapting its approach to address obfuscation and gathering vital context on IOCs. By incorporating the Code Interpreter and GTI function calling, Gemini is better equipped to navigate complex samples by autonomously interpreting hidden elements and contextualizing external references.
While these are significant advancements, many challenges remain, especially given the vast diversity of malware and scenarios that exist in the threat landscape. We’re committed to making steady progress, and future updates will continue to enhance Gemini's capabilities, moving us closer to a more autonomous, adaptive approach in threat intelligence automation.
Volt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has consistently targeted U.S. critical infrastructure with the intent to maintain persistent access. Tenable Research examines the tactics, techniques and procedures of this threat actor.
BackgroundThe cyberthreat landscape is always evolving, with security teams continuously facing new threats and attacks from a myriad of malicious groups, including ransomware gangs and small collectives chasing financial gain or even clout in the hacking community. Meanwhile, advanced persistent threat (APT) actors continue to loom in the shadows, carefully planning and executing their next attack. One such APT group is Volt Typhoon, a People’s Republic of China (PRC) state-sponsored actor. Volt Typhoon has been the subject of multiple cybersecurity advisories (CSA) from the Cybersecurity and Infrastructure Security Agency (CISA) along with joint partners, including international cybersecurity agencies, with warnings of the threat group targeting critical infrastructure in the U.S. and beyond. According to multiple reports, Volt Typhoon operates by pre-positioning themselves, actively working to maintain persistence in anticipation of conducting future attacks targeting U.S critical infrastructure, showing a specific interest in operational technology (OT) environments. Targeted sectors include communications, energy, transportation systems and water and wastewater systems. Volt Typhoon, historically associated with BRONZE SILHOUETTE, has been categorized under various aliases by different threat intelligence teams. These include Voltzite and Insidious Taurus in certain intelligence circles, DEV-0391 by Microsoft and UNC3236 by Mandiant (FireEye) before its formal attribution as Volt Typhoon. Additionally, CrowdStrike tracks the group under the name Vanguard Panda. As we examine the tactics, techniques and procedures (TTPs) employed by Volt Typhoon, we will also discuss known vulnerabilities associated with this threat actor.
AnalysisVolt Typhoon is a sophisticated threat group whose expertise lies in maintaining persistence for as long as possible. They achieve this by blending in with seemingly normal-looking traffic using living off the land (LOTL) techniques, meaning they’ll utilize an operating system’s (OS) built-in tools. Additionally, this group works using hands-on-keyboard attacks, rather than relying on automated malware scripts. This allows them to customize their attacks and conduct reconnaissance of a target in a stealthy manner. Volt Typhoon typically gains initial access to targets by exploiting unpatched vulnerabilities including zero-day flaws. In an effort to make traffic to their targets seem more benign, they utilize compromised small-office home-office (SOHO) routers and network devices as intermediary devices to proxy their traffic. This makes their network traffic seem legitimate and helps to avoid any geolocation firewall rules. For more information, read the blog Volt Typhoon: What State and Local Government Officials Should Know.
Source: Microsoft Threat Intelligence
Initial access
Volt Typhoon typically gains initial access to targeted systems by exploiting vulnerabilities in publicly exposed systems, specifically firewalls, VPN appliances and web servers. The group takes advantage of weak credentials and unpatched vulnerabilities in perimeter devices. Once inside, Volt Typhoon leverages legitimate tools already present within the system to avoid detection.
SOHO devices: unsecured, unpatched and misconfigured
Thanks to unpatched, end-of-life (EOL) or misconfigured network devices that are internet accessible, Volt Typhoon capitalizes on compromising these devices in order to proxy their traffic and utilize the devices as launch points for their attacks. This includes devices from ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe and Zyxel USG. These network devices are widely used and many EOL devices have known and exploitable vulnerabilities with readily available exploit code. Others may be misconfigured, leaving administrative portals internet accessible and utilizing default credentials. Once compromised, these devices are then implanted with the KV Botnet malware.
Living-off-the-land tactics
Rather than deploying custom malware or tools, Volt Typhoon uses native Windows tools like cmd.exe, netsh and PowerShell to execute commands and conduct lateral movement across compromised networks. By avoiding the use of external tools, the group minimizes their digital footprint, making detection through traditional signature-based antivirus systems more challenging. Many of these commands are not logged by the OS and, in cases where logging is enabled, the threat actors can rotate or delete the logs to hide evidence of the commands they executed.
Credential harvesting and lateral movement
Volt Typhoon utilizes credential dumping techniques to extract valuable login information from compromised systems. Tools like Mimikatz are deployed to extract credentials from memory, which are used to move laterally across the network. Remote desktop protocol (RDP) and other remote desktop tools are often used to facilitate further access to internal systems.
Once inside, Volt Typhoon maintains persistence by modifying legitimate software and using the built-in Windows Task Scheduler to establish scheduled tasks for regular access, ensuring long-term surveillance capabilities. The threat actor focuses on exfiltrating sensitive data and monitoring critical infrastructure communications.
Volt Typhoon has been observed creating a shadow copy of ntds.dit, the main Active Directory (AD) database. This file contains password hashes which the threat actor can attempt to crack offline and utilize any stolen passwords to continue exploitation of a network. Because they rely on using built-in OS commands, they are able to keep a low profile and evade endpoint detection and response (EDR) solutions in what seems like benign system activity.
Known CVEs commonly exploited by Volt Typhoon
While not an exhaustive list, the table below highlights some of the CVEs known to have been exploited by Volt Typhoon.
CVEDescriptionCVSSv3 ScoreVPRCVE-2021-27860FatPipe WARP, IPVPN, MPVPN Unrestricted Upload of File with Dangerous Type8.87.4CVE-2021-40539Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability9.89CVE-2022-42475Fortinet FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability9.88.9CVE-2023-27997Fortinet FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability9.89CVE-2024-39717Versa Director File Upload Vulnerability7.28.4*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on November 19 and reflects VPR at that time.
Unpatched VPNs targeted — a recurring trend
Volt Typhoon’s exploitation of unpatched vulnerabilities in Virtual Private Network (VPN) solutions is part of a broader trend seen across many APT groups. Threat actors leverage these VPN flaws to bypass security controls and establish long-term access within networks. Their focus on exploiting unpatched VPNs mirrors tactics of other state-sponsored actors, such as the Iranian threat actors detailed in the AA24-241A Joint Cybersecurity Advisory, who similarly target and exploit known VPN vulnerabilities to gain initial access and carry out espionage or disruptive campaigns. This recurring pattern underscores the critical need for organizations, particularly those in critical infrastructure, to prioritize patch management and ensure robust security for VPN systems.
Proof of conceptThe availability of proof-of-concept (PoC) exploits for the vulnerabilities exploited by Volt Typhoon varies across different CVEs. For CVE-2021-27860, there is no known public PoC currently available. In contrast, CVE-2021-40539, a vulnerability in Zoho ADSelfService Plus, has a partial PoC provided by Synacktiv, both in the form of a technical analysis and a working exploit shared on GitHub. This resource offers detailed guidance on how to achieve remote code execution by manipulating requests to the vulnerable service.
For CVE-2022-42475 and CVE-2023-27997 impacting Fortinet’s FortiOS and FortiProxy SSL-VPN systems, public PoCs are readily available on platforms like GitHub (CVE-2023-27997 for example) and have been widely shared on X (formerly Twitter). These PoCs demonstrate how attackers can exploit heap-based buffer overflows to achieve remote code execution, highlighting the criticality of patching affected systems.
Lastly, there is no publicly available PoC for CVE-2024-39717, a newly disclosed file upload vulnerability in Versa Director.
The varying availability of these PoCs stresses the need for organizations to proactively patch and monitor for signs of exploitation.
SolutionEach of the vulnerabilities flagged as targeted by Volt Typhoon have patches and mitigations released by the respective vendors. We recommend reviewing each of the vendors’ advisories shown below:
Tenable offers several solutions to help identify potential exposures and attack paths as well as identifying systems vulnerable to the CVEs mentioned in this blog. For a holistic approach, we recommend Tenable One. The Tenable One Exposure Management Platform extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed CVEs. A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies — including identity solutions (e.g., Active Directory); cloud configurations and deployments; and web applications.
Tenable Plugin Coverage
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2021-40539, CVE-2021-27860, CVE-2022-42475, CVE-2023-27997 and CVE-2024-39717. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Tenable attach path techniques
MITRE ATT&CK IDDescriptionTenable attack path techniquesT1003.001OS Credential Dumping: LSASS MemoryT1003.001_WindowsT1003.003OS Credential Dumping: NTDST1003.003_WindowsT1012Query RegistryT1012_WindowsT1059.001Command and Scripting Interpreter: PowerShellT1059.001_WindowsT1059.003Command and Scripting Interpreter: Windows Command ShellT1059.003_WindowsT1069.001Permission Groups Discovery: Local GroupsT1069.001_WindowsT1069.002Permission Groups Discovery: Domain GroupsT1069.002_WindowsT1078.002Valid Accounts: Domain AccountsT1078.002_WindowsT1053Scheduled Task/Job: Scheduled TaskT1053.005_WindowsT1110.003Brute Force: Password SprayingT1110.003_WindowsT1518Software DiscoveryT1518.001_WindowsTenable Identity Exposure Indicators of Exposure and Indicators of Attack
MITRE ATT&CK IDDescriptionIndicatorsT1003OS Credential DumpingC-ADM-ACC-USAGET1003.001OS Credential Dumping: LSASS MemoryC-PROTECTED-USERS-GROUP-UNUSEDI-ProcessInjectionLsassT1003.003OS Credential Dumping: NTDSI-NtdsExtractionT1069.001Permission Groups Discovery: Local GroupsI-ReconAdminsEnumT1110Brute ForceC-PASSWORD-HASHES-ANALYSISC-PASSWORD-POLICYMISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNTMISSING-MFA-FOR-PRIVILEGED-ACCOUNTT1110.003Brute Force: Password SprayingI-PasswordSprayingTenable Web App Scanning
MITRE ATT&CK IDDescriptionIndicatorsT1190Exploit Public-Facing ApplicationT1190_WASGet more informationJoin Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Splunk announced its enterprise security, observability and platform offerings on Microsoft Azure. In partnering with Microsoft, Splunk empowers organizations to scale their digital transformation on Azure with unified solutions that accelerate innovation and strengthen security. “Splunk’s strategic partnership with Microsoft to build Splunk natively on Azure demonstrates our commitment to advancing digital resilience to help our customers and partners remain secure and up and running at every step of their cloud journey,” said Tom Casey, … More →
The post Splunk simplifies infrastructure requirements for Microsoft Azure customers appeared first on Help Net Security.
The third quarter threat report is here—and it’s packed with answers. Our Threat Labs team had uncovered some heavy stories behind the stats, exposing the relentless tactics shaping today’s threat landscape. Here’s what you need to know: This is just the surface. Read the full report and see how our Threat Labs team is relentlessly […]
The post Gen Q3/2024 Threat Report appeared first on Avast Threat Labs.