Monthly Archives: October 2021

SquirrelWaffle Loader

I. Targeted Entities

  • Microsoft Office Documents

II. Introduction

A new malware loader, SquirrelWaffle, is being distributed through malspam carrying malicious Microsoft Office documents and is used to deliver Qakbot malware.

III. Background Information

Cisco Talos researchers discovered malspam campaigns beginning in mid-September when they noticed booby-trapped Office documents infecting systems with SquirrelWaffle in the initial stage of the infection chain.[1] The campaigns use stolen email threads so that the malicious messages appear to be replies within those legitimate threads. The SquirrelWaffle emails typically contain hyperlinks to malicious ZIP archives hosted on attacker-controlled web servers, Cisco Talos researchers say.[1] 76% of the emails are written in English, but the language shifts to match the language used in the original email thread. The top five languages used are English, French, German, Dutch, and Polish.[1]

Cisco Talos researchers say that SquirrelWaffle isn’t a towering and majestic oak tree, at least not yet. The researchers provided an example of an email in which an attacker replied to an extortion email, which the researchers say is “ineffective in convincing the recipient to access the content in the body of the email”.[1] The Cisco Talos researchers also say that SquirrelWaffle isn’t as prolific as other campaigns, like Emotet, but is growing.[1]

The Cisco Talos researchers analyzed the SquirrelWaffle campaign and found characteristics that pointed to the malicious Office documents as likely having been crafted using an automated builder. For example, in this campaign, “the Microsoft Excel spreadsheets were crafted to make static analysis with tools like XLMDeobfuscator less effective.”[1] The researchers have also said that SquirrelWaffle has seen daily spam runs since September 10th. Another sign that SquirrelWaffle is being distributed with an automated builder is that the URL structure of its distribution servers is tied to the daily campaigns, and rotates every few days.[1]

Victims who click on the links in the malicious emails end up downloading a ZIP archive that contains infected Office files, specifically Word documents and Excel spreadsheets. However, researchers have noticed a shift away from Word documents and an almost exclusive use of Excel spreadsheets.[1] When Word documents were being used, they were styled to persuade users that the document was a DocuSign document (DocuSign is a service for sharing and signing documents). Whether a Word document or Excel spreadsheet is used, the file is the vehicle that leads to the next stage: the SquirrelWaffle payload.

In all of the SquirrelWaffle campaigns seen, the links used to host the ZIP archives contain Latin words and follow a structure similar to this: abogados-en-medellin[.]com/odit-error/assumenda[.]zip.[1] Inside of the ZIP archives, the infected Office files often follow a naming convention like the following: chart-1187900052.xls or diagram-127.doc.[1]
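As an added detection example (written for this advisory, not code from Cisco Talos or the original post), the following Python pulls URLs out of an email body, including defanged `[.]` forms, scores those whose path follows the hyphenated-Latin-word ZIP structure described above, and checks attachment names against the `<word>-<digits>.xls|doc` convention. The lorem-ipsum word list and the sample message are constructed, and generalising the filename prefix from chart-/diagram- to any word is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, partial lorem-ipsum vocabulary (assumption: the Latin words in the
# campaign URLs are lorem-ipsum filler; extend the set for production use).
LOREM_WORDS = {
    "lorem", "ipsum", "dolor", "sit", "amet", "consectetur", "adipiscing", "elit",
    "odit", "error", "assumenda", "voluptas", "quia", "rerum", "ratione", "omnis",
    "nihil", "quae", "illum", "fugiat", "aspernatur", "molestiae", "quos", "aut",
}

# URL with optional scheme; dots in the host may be written defanged as "[.]".
_URL_RE = re.compile(
    r"(?:hxxps?://|https?://)?"
    r"(?:[a-z0-9-]+(?:\.|\[\.\]))+[a-z]{2,}"
    r"(?:/[^\s\"'<>]*)?",
    re.I,
)
# Path shape from the advisory: /<latin-words>/<latin-words>.zip
_ZIP_PATH_RE = re.compile(r"^/[a-z]+(?:-[a-z]+)*/[a-z]+(?:-[a-z]+)*\.zip$")
# Attachment convention, generalised from chart-/diagram- to any word prefix.
_LURE_NAME_RE = re.compile(r"^[a-z]+-\d+\.(?:xls|doc)$", re.I)


@dataclass
class Hit:
    url: str                 # refanged URL
    score: int               # 1 for the path shape, +1 per lorem-ipsum word
    words: Tuple[str, ...]   # lorem-ipsum words found in the path


def refang(url: str) -> str:
    return url.replace("[.]", ".").replace("hxxp", "http")


def score_url(url: str) -> Optional[Hit]:
    """Return a Hit if the URL's path matches the campaign's ZIP structure."""
    clean = refang(url).rstrip(".,;:)")
    rest = re.sub(r"^https?://", "", clean, flags=re.I)
    _host, _, path = rest.partition("/")
    path = "/" + path.lower()
    if not _ZIP_PATH_RE.match(path):
        return None
    tokens = re.split(r"[-/]", path[: -len(".zip")].strip("/"))
    found = tuple(sorted(t for t in set(tokens) if t in LOREM_WORDS))
    return Hit(clean, 1 + len(found), found)


def find_zip_lures(text: str) -> List[Hit]:
    """Extract every URL from an email body and keep those that look like lures."""
    return [h for h in (score_url(m.group(0)) for m in _URL_RE.finditer(text)) if h]


def is_lure_filename(name: str) -> bool:
    return bool(_LURE_NAME_RE.match(name))


# Constructed sample message (not a real campaign email).
SAMPLE_BODY = (
    "Re: contract\n"
    "Please review the attached agreement: abogados-en-medellin[.]com/odit-error/assumenda[.]zip\n"
    "Archived copy: https://example.com/downloads/report.zip\n"
)

if __name__ == "__main__":
    for hit in find_zip_lures(SAMPLE_BODY):
        print(hit.score, hit.url, hit.words)
    print(is_lure_filename("chart-1187900052.xls"), is_lure_filename("Q3-report.xlsx"))
```

A score of 1 means only the ZIP path shape matched; higher scores indicate lorem-ipsum vocabulary in the path and deserve a closer look.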

The malware distributions appear to be hosted on previously compromised web servers, primarily those running WordPress, with the most prevalent compromised version being WordPress 5.8.1.[1] Cisco Talos researchers were unable to discern whether the same threat actor was responsible for the server compromises or whether the servers had been attacked by multiple different actors. Although SquirrelWaffle is relatively new, researchers say its implementation has a lot in common with those seen from other, more established threat actors. Cisco Talos recommends that organizations continue to use comprehensive defensive security controls in order to prevent, detect, or respond to SquirrelWaffle campaigns that they may encounter.[1]

IV. MITRE ATT&CK

  • T1059 – Command and Scripting Interpreter
    SquirrelWaffle uses scripting interpreters to launch the initial stages of its infection chain.
  • T1137 – Office Application Startup
    Word can be configured to run content automatically at startup, providing a platform for malware drops.
  • T1055 – Process Injection
    Malicious code is run inside processes on the victim OS.
  • T1592 – Gather Victim Host Information
    SquirrelWaffle scans the host system for key information during the infection process.

V. Recommendations

  • Patch Systems and Keep Them Updated
    Make sure your systems are always updated with the latest patch to avoid any malware taking advantage of outdated systems and zero-day vulnerabilities.
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.app.box.com/file/878072989113

VII. References

(1) Vaas, Lisa. “Squirrelwaffle Loader Malspams, Packs Qakbot, Cobalt Strike.” Threatpost, October 26, 2021. https://threatpost.com/squirrelwaffle-loader-malspams-packing-qakbot-cobalt-strike/175775/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Dorian Pope

October 29, 2021

CARVERCON 2021-Nov. 12

Cyber Florida is proud to be a sponsor for CARVERCON, a conference focused on the CARVER Target Analysis and Vulnerability Assessment Methodology to be held on November 12 at the University of South Florida Sarasota-Manatee Campus. Cyber Florida Staff Director Dr. Ron Sanders joins other esteemed speakers Leo “Godfather of CARVER” Labaj; General Edward Leacock, Former Deputy J2 of USAFRICOM; and Keynote Speaker Mark Kelton, former Chief of the CIA Counterintelligence Center and Deputy Director of the National Clandestine Service.

This year’s topics include

  • How COVID-19 – and other bio-threats – could be weaponized
  • The ever-growing cyber threat
  • Emerging geopolitical enemies
  • How security professionals can stay ahead of threats
  • What’s next for the coming decade?

CARVERCON provides attendees with an opportunity to hear from a wide variety of critical infrastructure protection and vulnerability assessment subject matter experts. In the security industry, it is especially vital to stay on top of the latest and most detrimental threats that face our communities. CARVERCON addresses these concerns by looking at them head-on and provides attendees the opportunity to interact directly with industry-leading professionals.

The convention spotlights how the CARVER Target Analysis and Vulnerability Assessment Methodology is one of the most effective and comprehensive vulnerability assessment tools available and serves as a “red thread” for the day’s many discussions.

CARVERCON attendees leave the convention with a more developed understanding of the challenges facing both public and private sector security professionals, and with strategies for prevention and response.

Proceeds will benefit the USF Office of Veterans Success.

October 25, 2021

Lunch & Learn with BG Tina Boyd-Nov. 4

Cyber Florida and Women in Cybersecurity invite Tampa Bay students and professionals to spend an hour with an outstanding woman in cybersecurity: Brigadier General Tina B. Boyd, USA, Director, Headquarters United States Central Command. A graduate of West Point, the U.S. Army War College, and the Georgia Institute of Technology, BG Boyd will speak about her distinguished work in the field and the challenges and opportunities for women in cybersecurity. The event will be held from 11:30 am to 1:00 pm at the University of South Florida – St. Petersburg Campus University Student Center Ballroom. There is no cost and lunch is included; however, seating is limited and registration is required.

About Brigadier General Boyd

Brigadier General Tina Boyd received her commission as a Signal Officer from the United States Military Academy, West Point, NY. She is a graduate of the U.S. Army War College, Joint Professional Military Education, Joint Combined Warfighter School, NATO Senior Officer Strategic Course, Command and General Staff College, Combined Arms Staff Service School, the Battalion Brigade Signal Officer Course, the Signal Officer Basic and Advanced Courses, and Airborne School.

BG Boyd recently was the Commanding General of the 335th Signal Command (Theater) (Provisional). Her previous assignments include Deputy Commanding General – Cyber, 335th Signal Command (Theater), East Point, Georgia; Chief of Staff for the 335th Signal Command (T); Commander, Joint Enabling Capabilities Command Army Reserve Element, Norfolk, Virginia; Deputy Chief of Staff G-6, 84th Training Command (Unit Readiness), Fort Knox, Kentucky; Deputy Chief of Staff G-6, Great Lakes Division, Fort Sheridan, Illinois; Deputy Chief of Staff G-6, 100th Division, Fort Knox, Kentucky; Garrison S-6, Fort Campbell, Kentucky; S-3, United States Army Forces Command Augmentation Unit, Fort McPherson, Georgia; Battle Command Staff Training Project Manager, 87th Division, Birmingham, Alabama; Executive Officer Current Operations C3, Coalition Forces Land Component Command, Camp Doha, Kuwait; Chief Air Defense Signal Officer, G-3, Third Army, Fort McPherson, Georgia; Assistant S-1, Platoon Leader, and Signal Company Executive Officer, 11th Air Defense Signal Battalion, Darmstadt, Germany.

Brigadier General Boyd holds a master’s degree in Strategic Studies from the U.S. Army War College, Carlisle Barracks, Pennsylvania; a Master of Business Administration from the Georgia Institute of Technology, Atlanta, Georgia; and a Bachelor of Science Degree from the United States Military Academy, West Point, New York.

October 25, 2021

Exploring the Cyber Citizenship Hub-Oct. 28

Come learn about the recently launched Cyber Citizenship Hub with 100 resources for educators to teach about misinformation online. Join in on the conversation with a panel of media literacy resource developers and get a closer look at the tools featured in the hub by Common Sense Education, Stanford History Education Group (SHEG) COR curriculum, and Teach Cyber.

This hub is part of the Cyber Citizenship Initiative, a project created in partnership with Cyber Florida, the Florida Center for Instructional Technology, New America, and the National Association for Media Literacy Education.

Visit the Hub at www.cybercitizenshipeducation.org.

Panelists:
Joel Breakstone, Stanford History Education Group
Kelly Mendoza, Common Sense Education
Melissa Dark, Teach Cyber

Moderator:
Nathan Fisk, Ph.D., University of South Florida

October 23, 2021

FreakOut Botnet

I. Targeted Entities

  • Visual Tools DVRs

II. Introduction

A new exploit from cybercrime group FreakOut, also known as Necro Python and Python.IRCBot, has been found infecting Visual Tools DVRs with a Monero miner.

III. Background Information

Juniper Threat Labs researchers have written a report detailing the new activities from FreakOut. The team noticed in late September that the botnet started targeting Visual Tools DVR VX16 4.2.28.0 models with cryptomining attacks.[1] Visual Tools DVRs are generally used as part of a professional-grade surveillance system. A command injection vulnerability was found in the same devices last July.[1] FreakOut has been around since at least January of 2021, exploiting recently identified and unpatched vulnerabilities to launch DDoS and cryptomining attacks.[1] The researchers at Juniper report that the group has developed several iterations of the Necro bot, making steady improvements to its performance and persistence over the months.[1]

Juniper researchers say that the script can run in both Windows and Linux environments, and that the script has its own polymorphic engine to morph itself every execution, giving it the ability to bypass signature-based defenses. This happens, the researchers say, by reading every string in its code and encrypting it using a hardcoded key.[2]

The team at Juniper has also said that there have been a few changes to this bot from the previous version: the SMB scanner, which was observed in a May 2021 attack, has been removed; the bot changed the URL that it injects into script files on the compromised system; and more recent versions of the Necro bot dropped the previous reliance on a hardcoded URL in favor of a domain generation algorithm (DGA) for added persistence and harder detection.[2]

The Necro bot works in the following way: first, the bot scans for the target ports (22, 80, 443, 8081, 7001). If a port is detected, it launches XMRig (a high-performance Monero (XMR) miner) linked to a specific wallet. Juniper researchers say that the bot is also actively trying to exploit the following previously identified vulnerabilities:

  • CVE-2020-15568 – TerraMaster TOS before 4.1.29
  • CVE-2021-2900 – Genexis PLATINUM 4410 2.1 P4410-V2-1.28
  • CVE-2020-25494 – Xinuos (formerly SCO) Openserver v5 and v6
  • CVE-2020-28188 – TerraMaster TOS <= 4.2.06
  • CVE-2019-12725 – Zeroshell 3.9.0[2]

Mounir Hahad, head of Juniper Threat Labs, says that security teams need defenses that are equipped to handle DGA domain attempts. Hahad also said, “The very existence of this kind of botnet highlights the need for a connected security approach where DNS security capabilities on the network identify connection attempts to DGA domains behind public dynamic DNS services, as well as routers, switches, and firewalls that are capable of immediately isolating the compromised host from the rest of the network.”[1]

IV. MITRE ATT&CK

  • T1190 – Exploit Public-Facing Application
    Threat actor Necro Python has been targeting Visual Tools DVR VX16 4.2.28.0
  • T1064 – Scripting
    A combination of standalone Python interpreter and a malicious script are used by the malware upon successful infection
  • T1059.001 – PowerShell
    The malware uses PowerShell functions in order to download and run Python that includes all required modules
  • T1055 – Process Injection
    The bot involved will also download a JavaScript-based miner that, if clicked, will run within the browser’s process space
  • T1571 – Non-Standard Port
    Several non-standard ports were observed to be in use. These include, but are not limited to, ports 5870, 42066, 52566, and 6697
  • T1219 – Remote Access Software
    Necro Python bots are remotely controlled via C2 channels
  • T1056 – Input Capture
    The JavaScript-based bot can be configured from the C2 channel to steal clipboard data and even log keystrokes
  • T1027 – Obfuscated Files or Information
    Setup.py, which is downloaded via PowerShell commands, is an obfuscated bot
  • T1547.001 – Registry Run Keys/Startup Folder
    Upon successful infection, several registry values are updated that point to the pyinstaller or the standalone setup.py
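As an added example (not from the advisory or Juniper’s report), a Python detection sketch that covers two observations above: the port-scanning step of the Necro bot’s workflow, and the non-standard ports listed under T1571. It flags any source that probes the bot’s target ports across many distinct hosts in a short window, and any connection to the observed non-standard ports. The port sets come from this advisory; the connection-log format, the sample lines, and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Ports the Necro bot probes on targets (from the advisory) and the
# non-standard ports observed in its traffic (T1571 entry above).
PROBE_PORTS = {22, 80, 443, 8081, 7001}
NONSTD_PORTS = {5870, 42066, 52566, 6697}

# Constructed sample log, whitespace-separated: epoch src_ip dst_ip dst_port
SAMPLE_LOG = """\
1633000001 10.0.0.5 10.0.1.1 22
1633000002 10.0.0.5 10.0.1.2 80
1633000002 10.0.0.5 10.0.1.3 443
1633000003 10.0.0.5 10.0.1.4 8081
1633000003 10.0.0.5 10.0.1.5 7001
1633000004 10.0.0.5 10.0.1.6 22
1633000010 10.0.0.5 203.0.113.9 6697
1633000020 10.0.0.7 10.0.1.1 443
1633000021 10.0.0.7 10.0.1.1 443
1633000030 10.0.0.9 203.0.113.20 42066
"""


@dataclass
class Conn:
    ts: int
    src: str
    dst: str
    dport: int


def parse_log(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        conns.append(Conn(int(ts), src, dst, int(dport)))
    return conns


def find_probe_scanners(conns: List[Conn], min_targets: int = 5,
                        window: int = 60) -> Dict[str, Set[str]]:
    """Sources hitting >= min_targets distinct hosts on PROBE_PORTS within `window` seconds."""
    by_src: Dict[str, List[Conn]] = defaultdict(list)
    for c in conns:
        if c.dport in PROBE_PORTS:
            by_src[c.src].append(c)
    flagged: Dict[str, Set[str]] = {}
    for src, events in by_src.items():
        events.sort(key=lambda c: c.ts)
        for i, first in enumerate(events):          # sliding window over probe events
            targets = {c.dst for c in events[i:] if c.ts - first.ts <= window}
            if len(targets) >= min_targets:
                flagged[src] = targets
                break
    return flagged


def find_nonstandard_port_use(conns: List[Conn]) -> List[Conn]:
    """Every connection to one of the non-standard ports observed in the campaign."""
    return [c for c in conns if c.dport in NONSTD_PORTS]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("probe scanners:", find_probe_scanners(log))
    print("non-standard ports:", [(c.src, c.dst, c.dport) for c in find_nonstandard_port_use(log)])
```

Tune `min_targets` and `window` to the size of the monitored network; a single host legitimately reaching many web servers on 443 within a minute will otherwise trip the scanner rule.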

V. Recommendations

  • Patch Systems and Keep Them Updated
    Make sure your systems are always updated with the latest patch to avoid any malware taking advantage of outdated systems and zero-day vulnerabilities.
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/iaptndxys8jy0g7hiok9ee85ijzwdnue

VII. References

(1) Bracken, Becky. “FreakOut Botnet Turns DVRs Into Monero Cryptominers.” Threatpost, October 13, 2021. https://threatpost.com/freakout-botnet-dvrs-monero-cryptominers/175467/.

(2) Kimayong, Paul. “Necro Python Botnet Goes After Vulnerable VisualTools DVR.” Official Juniper Networks Blogs. Juniper Networks, October 11, 2021. https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Orlando Huertas, Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev, and Ipsa Bhatt.

October 22, 2021

Complaints about spam texts were up 146% last year. Now, the FCC wants to take action

Even as the federal government has worked to crack down on robocalls, scam texts have boomed in recent years, and that has captured growing attention inside the Federal Communications Commission. More than 47 billion spam texts have been sent so far in 2021, up 55% from the year before, according to an August report from RoboKiller, a spam-blocking company. In 2020, the report estimates, scam texts cost Americans $86 million. The FCC received roughly 14,000 complaints about unwanted text messages in 2020, up 146% from the year before. Already in 2021, the commission has received nearly 10,000 complaints about scam texts.

October 20, 2021

Apply Now for Spring 2022 CyberWorks Program

Cyber Florida is pleased to announce that we are now accepting applications for our Spring 2022 CyberWorks program! CyberWorks builds on the success of our New Skills for a New Fight program, which was designed to help veterans, first-responders, and others transition into cybersecurity careers, by adding a Community Cohort that is tailored to meet the needs of historically underrepresented groups such as women, people of color, and people with disabilities.

CyberWorks is a 12-week, hybrid course delivered through pre-recorded seminars; hands-on exercises in a virtual lab; and live, instructor-led discussions. Participants enjoy ongoing support from a dedicated program advisor who helps learners stay on track and weekly opportunities to interact with industry professionals through guest speaker sessions. Included in the program are various career readiness experiences such as professional resume and interview guidance as well as a closing networking reception that connects participants to potential employers. Students who successfully complete the course will receive a voucher to take the CompTIA Cybersecurity Analyst (CySA+) exam at no cost.

A limited number of full-tuition grants are available to those who qualify (application required) thanks to generous funding by JPMorgan Chase & Co. and the National Security Agency. Priority consideration for the New Skills for a New Fight cohort will be given to applicants who are veterans, transitioning military, and first-responders. Priority consideration for the Community Cohort will be given to applicants who are members of historically underrepresented groups, such as women, people of color, and people with disabilities. Each cohort has approximately 20 seats available.

Visit the program page to learn more and apply.

October 18, 2021

NSA to Pentagon: Lock Down Your Weapons Before Hackers Get to Them

The NSA wants the military to take cyber vulnerabilities seriously. Almost all American weapons, with the exception of small arms and crew-served weapons (like machine guns), include built-in computer systems. The computers add functionality, including fire control (correcting and adjusting aim against distant or fast-moving targets), navigation (receiving GPS signals), and communications (voice and data transmission). These computers often tie into large, sometimes globe-spanning networks to issue orders, collect data, report enemy sightings, and even coordinate attack or defense among geographically disparate forces. In a world where the Pentagon wants advanced weapons that can wirelessly transfer data to one another, nearly all of them rely on computers, networks, and data links that hackers could exploit.

October 14, 2021

Working from Home Cybersecurity Checklist

Over the past year and a half, many organizations have transitioned to remote work. While remote work has many benefits for both employees and employers, it poses specific problems for organizational cybersecurity by introducing a host of new potential points of entry for cybercriminals in the form of personal devices and home internet service. The Working from Home Cybersecurity Checklist, provided by Cyber Florida community partner Scarlett Cybersecurity, offers guidance to help ensure that your remote staff are implementing good cybersecurity practices and doing their part to protect the organization from cybercrime.

October 12, 2021