
Critical Vulnerabilities in Microsoft and Fortinet Products

I. Targeted Entities

  • Windows and Fortinet systems

II. Introduction

Several critical vulnerabilities were discovered in both Microsoft and Fortinet products, where remote code execution and arbitrary code execution can be leveraged, respectively.

For both companies, these vulnerabilities can allow an attacker to install programs; view, change, or delete data; or create new accounts with full user rights. User accounts configured with fewer user rights could be less impacted when compared to user accounts operating with administrative rights.

III. Background Information

Microsoft has revealed that its April security update fixes a total of 97 flaws, one of which is an actively exploited zero-day vulnerability. Microsoft labeled seven of the vulnerabilities as “critical,” the most serious classification it uses. The vulnerability types covered in Microsoft’s advisory are: elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service, and spoofing (Abrams, 2023).

The zero-day, CVE-2023-28252, is a Windows Common Log File System driver elevation of privilege vulnerability; it allows an attacker’s privileges to be escalated to SYSTEM, the highest privilege level in Windows. Microsoft also reported that this vulnerability was exploited in the wild before the security update that patches it was released (MS-ISAC, 2023).

Separately, the cybersecurity vendor Fortinet has released patches for several high-severity flaws in products including FortiOS, FortiProxy, FortiSandbox, FortiWeb, FortiClient, and FortiManager. These issues could allow cross-site scripting attacks, unauthorized API calls, command execution, arbitrary code execution, privilege escalation, and man-in-the-middle attacks. Fortinet also reported a critical missing-authentication vulnerability, tracked as CVE-2022-41331 with a CVSS score of 9.3, in the infrastructure server for FortiPresence. It could be exploited by a remote, unauthenticated attacker through crafted authentication requests to access Redis and MongoDB instances (Arghire, 2023).

Affected Microsoft Systems:

  • .NET Core
  • Azure Machine Learning
  • Azure Service Connector
  • Microsoft Bluetooth Driver
  • Microsoft Defender for Endpoint
  • Microsoft Dynamics
  • Microsoft Dynamics 365 Customer Voice
  • Microsoft Edge (Chromium-based)
  • Microsoft Graphics Component
  • Microsoft Message Queuing
  • Microsoft Office
  • Microsoft Office Publisher
  • Microsoft Office SharePoint
  • Microsoft Office Word
  • Microsoft PostScript Printer Driver
  • Microsoft Printer Drivers
  • Microsoft WDAC OLE DB provider for SQL
  • Microsoft Windows DNS
  • Visual Studio
  • Visual Studio Code
  • Windows Active Directory
  • Windows ALPC
  • Windows Ancillary Function Driver for WinSock
  • Windows Boot Manager
  • Windows Clip Service
  • Windows CNG Key Isolation Service
  • Windows Common Log File System Driver
  • Windows DHCP Server
  • Windows Enroll Engine
  • Windows Error Reporting
  • Windows Group Policy
  • Windows Internet Key Exchange (IKE) Protocol
  • Windows Kerberos
  • Windows Kernel
  • Windows Layer 2 Tunneling Protocol
  • Windows Lock Screen
  • Windows Netlogon
  • Windows Network Address Translation (NAT)
  • Windows Network File System
  • Windows Network Load Balancing
  • Windows NTLM
  • Windows PGM
  • Windows Point-to-Point Protocol over Ethernet (PPPoE)
  • Windows Point-to-Point Tunneling Protocol
  • Windows Raw Image Extension
  • Windows RDP Client
  • Windows Registry
  • Windows RPC API
  • Windows Secure Boot
  • Windows Secure Channel
  • Windows Secure Socket Tunneling Protocol (SSTP)
  • Windows Transport Security Layer (TLS)
  • Windows Win32K

Affected Fortinet Systems:

  • FortiDDoS-F versions prior to 6.4.1
  • FortiDDoS versions prior to 5.7.0
  • FortiADC versions prior to 7.2.0
  • FortiAnalyzer versions prior to 7.2.2
  • FortiManager versions prior to 7.2.2
  • FortiAuthenticator versions prior to 6.5.0
  • FortiClientMac versions prior to 7.2.0
  • FortiClientWindows versions prior to 7.2.0
  • FortiOS versions prior to 7.2.4
  • FortiNAC-F versions prior to 7.2.0
  • FortiNAC versions prior to 9.4.2
  • FortiProxy versions prior to 7.2.3
  • FortiPresence versions prior to 2.0.0
  • FortiSOAR versions prior to 8.0.0
  • FortiSandbox versions prior to 4.2.3
  • FortiDeceptor versions prior to 4.2.0
  • FortiWeb versions prior to 7.2.0
  • FortiSIEM versions prior to 6.5.0

IV. CVEs (Common Vulnerabilities and Exposures)

  • CVE-2023-28252 – Windows Common Log File System Driver Elevation of Privilege Vulnerability – Elevates privileges to SYSTEM, the highest user privilege level in Windows
  • CVE-2022-40679 – FortiADC / FortiDDoS / FortiDDoS-F – Command injection in log & report module: An improper neutralization of special elements used in an OS command vulnerability in FortiADC, FortiDDoS and FortiDDoS-F may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.
  • CVE-2022-41330 – FortiOS / FortiProxy – Cross Site Scripting vulnerabilities in administrative interface: Multiple improper neutralization of input during web page generation (‘Cross-site Scripting’) vulnerabilities in FortiOS & FortiProxy administrative interface may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP or HTTPS GET requests.
  • CVE-2022-43952 – FortiADC – Cross-Site Scripting in Fabric Connectors: An improper neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability in FortiADC may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.
  • CVE-2022-43955 – FortiNAC – FortiWeb – XSS vulnerability in HTML generated attack report files: An improper neutralization of input during web page generation in the FortiWeb web interface may allow an unauthenticated and remote attacker to perform a reflected cross site scripting attack (XSS) via injecting malicious payload in log entries used to build report.
  • CVE-2022-30850 – FortiAuthenticator – Reflected XSS in the password reset page: An improper neutralization of script-related HTML tags in a web page vulnerability in FortiAuthenticator may allow a remote unauthenticated attacker to trigger a reflected cross site scripting (XSS) attack via the “reset-password” page.
  • CVE-2023-27995 – FortiSOAR – Server-side Template Injection in playbook execution: An improper neutralization of special elements used in a template engine vulnerability in FortiSOAR management interface may allow a remote and authenticated attacker to execute arbitrary code via a crafted payload.

V. Recommendations

Microsoft Systems:

Apply appropriate patches or mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)

  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
  • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
  • Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
  • Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

Fortinet Systems:

Apply appropriate updates provided by Fortinet to vulnerable systems immediately after appropriate testing. (M1051: Update Software)

  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
  • Safeguard 7.3: Perform Automated Operating System Patch Management: Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
  • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
  • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
  • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
    • Safeguard 6.8: Define and Maintain Role-Based Access Control: Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
    • Safeguard 16.8: Separate Production and Non-Production Systems: Maintain separate environments for production and non-production systems.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

VI. References

Arghire, I. (2023, April 12). Fortinet Patches Critical Vulnerability in Data Analytics Solution. SecurityWeek. Retrieved April 12, 2023, from https://www.securityweek.com/fortinet-patches-critical-vulnerability-in-data-analytics-solution/

Abrams, L. (2023, April 11). Microsoft April 2023 Patch Tuesday Fixes 1 Zero-day, 97 Flaws. BleepingComputer. Retrieved April 12, 2023, from https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2023-patch-tuesday-fixes-1-zero-day-97-flaws/

MS-ISAC. (2023, April 11). MS-ISAC CYBERSECURITY ADVISORY – Critical Patches Issued for Microsoft Products April 11, 2023 – PATCH NOW – TLP: CLEAR

MS-ISAC. (2023, April 12). MS-ISAC CYBERSECURITY ADVISORY – Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code Execution – PATCH NOW – TLP: CLEAR

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Sreten Dedic

April 13, 2023

Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code Execution

I. Targeted Entities

  • Fortinet product users

II. Introduction

Multiple vulnerabilities have recently been identified in Fortinet products. These products are designed to provide network security solutions that offer protection from constantly emerging threats to your network, data, and users. (Fortiguard 2023)

III. Background Information

Fortinet has recently revealed a highly severe vulnerability, marked as “Critical,” that affects both FortiOS and FortiProxy. This flaw permits an attacker who has not been authenticated to run arbitrary code or conduct a denial-of-service (DoS) attack on the graphical user interface (GUI) of the affected systems by employing specially designed requests. (Toulas, 2023)

The vulnerability is recognized as CVE-2023-25610 and has obtained a CVSS v3 score of 9.3, which is classified as critical. A buffer underflow vulnerability like this occurs when a program attempts to read more data from a memory buffer than is available. This leads to accessing adjacent memory locations, potentially resulting in unstable behavior or system crashes. Fortinet’s telemetry data revealed no evidence that threat actors exploited the vulnerability in real-world attacks. (Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code 2023)

According to Fortinet’s security bulletin, there are fifty device models that are not affected by the arbitrary code execution aspect of the vulnerability. However, these same models are still vulnerable to the denial-of-service part, even if they are running a vulnerable version of FortiOS. (Toulas, 2023)

Affected Products:

  • FortiOS version 7.2.0 through 7.2.3
  • FortiOS version 7.0.0 through 7.0.9
  • FortiOS version 6.4.0 through 6.4.11
  • FortiOS version 6.2.0 through 6.2.12
  • FortiOS 6.0 all versions
  • FortiProxy version 7.2.0 through 7.2.2
  • FortiProxy version 7.0.0 through 7.0.8
  • FortiProxy version 2.0.0 through 2.0.12
  • FortiProxy 1.2 all versions
  • FortiProxy 1.1 all versions
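The affected-version list above is only useful once it is compared against what is actually deployed. The following script, added here as an illustration and not Fortinet's own tooling, encodes the ranges exactly as the advisory lists them (treating "all versions" as any patch level on that major.minor branch) and runs an asset inventory through them; the hostnames, the version strings and the `triage` helper are constructed for the example.

```python
"""Version triage for the affected-product ranges in this advisory (CVE-2023-25610).

Added example: not Fortinet's tooling. The ranges are transcribed from the
advisory text above; the device inventory at the bottom is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
# (low, high) inclusive; high=None marks a branch listed as "all versions".
Range = Tuple[Version, Optional[Version]]

AFFECTED: Dict[str, List[Range]] = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 3)),
        ((7, 0, 0), (7, 0, 9)),
        ((6, 4, 0), (6, 4, 11)),
        ((6, 2, 0), (6, 2, 12)),
        ((6, 0, 0), None),        # FortiOS 6.0 all versions
    ],
    "FortiProxy": [
        ((7, 2, 0), (7, 2, 2)),
        ((7, 0, 0), (7, 0, 8)),
        ((2, 0, 0), (2, 0, 12)),
        ((1, 2, 0), None),        # FortiProxy 1.2 all versions
        ((1, 1, 0), None),        # FortiProxy 1.1 all versions
    ],
}

# Accepts the forms commonly found in inventories: "v7.0.9,build0444",
# "v7.0.9" or a bare "7.0.9". Anything after the patch number is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Reduce a version string to a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(product: str, version: str) -> bool:
    """True when product/version falls inside a range the advisory lists as affected.

    Products not named in the advisory return False; callers should report
    them as 'not covered by this advisory' rather than 'safe'.
    """
    v = parse_version(version)
    for low, high in AFFECTED.get(product, []):
        if high is None:
            # "all versions" of a branch: any patch level on that major.minor
            if v[:2] == low[:2]:
                return True
        elif low <= v <= high:
            return True
    return False


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    affected: bool


def triage(inventory: List[Dict[str, str]]) -> List[Finding]:
    """Evaluate every device in an inventory and return one Finding per device."""
    return [
        Finding(d["host"], d["product"], d["version"], is_affected(d["product"], d["version"]))
        for d in inventory
    ]


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "fw-edge-1", "product": "FortiOS", "version": "v7.0.9,build0444"},
    {"host": "fw-edge-2", "product": "FortiOS", "version": "7.0.10"},
    {"host": "fw-branch", "product": "FortiOS", "version": "6.0.15"},
    {"host": "proxy-dmz", "product": "FortiProxy", "version": "2.0.13"},
    {"host": "proxy-lab", "product": "FortiProxy", "version": "1.2.9"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        status = "AFFECTED - patch or apply workaround" if f.affected else "not in affected range"
        print(f"{f.host:<10} {f.product:<10} {f.version:<16} {status}")
```

A version outside every listed range is reported only as "not in affected range"; whether it is actually fixed is determined by the vendor advisory, not by this check.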

For those who cannot apply the updates immediately, Fortinet recommends either disabling the HTTP/HTTPS administrative interface or restricting the IP addresses that can access it remotely. Instructions on how to implement these workarounds, which also apply to non-default port usage, are provided in the security advisory.
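As an added illustration of the two workaround shapes described above (not text from the advisory; the authoritative instructions are in Fortinet's own bulletin), here is the weak setting beside the two corrected forms in FortiOS CLI syntax. It assumes the internet-facing interface is named port1, that the built-in admin account is in use, and that 192.0.2.0/24 is the management network; adjust these to the environment.

```text
# Weak: HTTP and HTTPS administration reachable on the internet-facing interface
config system interface
    edit "port1"
        set allowaccess ping https http ssh
    next
end

# Workaround 1: remove the HTTP/HTTPS administrative interface from that port
config system interface
    edit "port1"
        set allowaccess ping ssh
    next
end

# Workaround 2: keep HTTPS but accept admin logins only from the management subnet
config system admin
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
    next
end
```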

Threat actors are actively searching for critical-severity vulnerabilities in Fortinet products, particularly those that do not require authentication to exploit. These vulnerabilities provide attackers with a means of gaining initial access to corporate networks. As a result, it is critical to quickly address this vulnerability. (Toulas, 2023)

IV. Updated Information and CVEs in Relation to Observed Fortinet Vulnerabilities

According to an article published by Bleeping Computer on March 15, 2023, a new vulnerability in FortiOS, the operating system of Fortinet firewalls, is being actively exploited in the wild to attack government networks. The vulnerability, designated CVE-2022-41328, is a zero-day vulnerability, meaning that it was unknown to the vendor and the public before being exploited by threat actors.

The attack appears to be highly targeted, aimed at specific government agencies. The attackers used the vulnerability to gain access to the victim’s network and install a backdoor that allowed them to exfiltrate data and execute commands on the compromised systems.

Fortinet has released a patch for the vulnerability and is urging all customers to update their systems immediately. The company has also stated that it is working closely with law enforcement and other relevant authorities to investigate the attacks and identify the perpetrators.

  • CVE-2022-41328 – FortiOS – Path traversal in execute command
  • CVE-2022-39951 – FortiWeb – command injection in webserver: An improper neutralization of special elements used in an OS command vulnerability in FortiWeb may allow authenticated users to execute unauthorized code or commands via specifically crafted HTTP requests.
  • CVE-2022-39953 – FortiNAC – Multiple privilege escalation via sudo command: An improper privilege management vulnerability in FortiNAC may allow a low privilege local user with shell access to execute arbitrary commands as root.
  • CVE-2022-40676 – FortiNAC – Multiple Reflected XSS: An improper neutralization of input during web page generation in FortiNAC may allow an authenticated user to perform an XSS attack via crafted HTTP requests.
  • CVE-2023-25605 – FortiSOAR – Improper Authorization in request headers: An improper access control vulnerability in FortiSOAR’s playbook component may allow an attacker authenticated on the administrative interface to perform unauthorized actions via crafted HTTP requests.
  • CVE-2022-42476 – FortiOS / FortiProxy – Path traversal vulnerability allows VDOM escaping: A relative path traversal vulnerability in FortiOS and FortiProxy may allow privileged VDOM administrators to escalate their privileges to super admin of the box via crafted CLI requests.

V. MITRE ATT&CK

  • T1190 – Exploit Public-Facing Application
    Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.
  • T1499 – Endpoint Denial of Service
    Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition.

VI. Recommendations From the Center for Internet Security (MS-ISAC)

  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process:
    Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.2: Establish and Maintain a Remediation Process:
    Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
  • Safeguard 7.3: Perform Automated Operating System Patch Management:
    Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.4: Perform Automated Application Patch Management:
    Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally Exposed Enterprise Assets:
    Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
  • Safeguard 7.7: Remediate Detected Vulnerabilities:
    Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date:
    Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
  • Safeguard 18.1: Establish and Maintain a Penetration Testing Program:
    Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
  • Safeguard 18.2: Perform Periodic External Penetration Tests:
    Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
  • Safeguard 18.3: Remediate Penetration Test Findings:
    Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
  • Safeguard 16.13: Conduct Application Penetration Testing:
    Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software:
    Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts:
    Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts:
    Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Safeguard 6.8: Define and Maintain Role-Based Access Control:
    Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
  • Safeguard 12.2: Establish and Maintain a Secure Network Architecture:
    Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
  • Safeguard 16.8: Separate Production and Non-Production Systems:
    Maintain separate environments for production and non-production systems.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 10.5: Enable Anti-Exploitation Features:
    Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
  • Safeguard 9.2: Use DNS Filtering Services:
    Use DNS filtering services on all enterprise assets to block access to known malicious domains.
  • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters:
    Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or using block lists. Enforce filters for all enterprise assets.
  • Safeguard 9.6: Block Unnecessary File Types:
    Block unnecessary file types attempting to enter the enterprise’s email gateway.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
  • Safeguard 14.1: Establish and Maintain a Security Awareness Program:
    Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks:
    Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

VII. References

  • Toulas, B. (2023, March 8). Fortinet warns of New Critical unauthenticated RCE vulnerability. BleepingComputer. Retrieved March 13, 2023, from https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-unauthenticated-rce-vulnerability/
  • Fortiguard. FortiGuard. (n.d.). Retrieved March 13, 2023, from https://www.fortiguard.com/psirt-monthly-advisory/march-2023-vulnerability-advisories
  • Fortiguard. FortiGuard. (n.d.). Retrieved March 13, 2023, from https://www.fortiguard.com/psirt/FG-IR-23-001
  • Endpoint denial of service. Endpoint Denial of Service, Technique T1499 – Enterprise | MITRE ATT&CK®. (n.d.). Retrieved March 13, 2023, from https://attack.mitre.org/techniques/T1499/
  • Exploit public-facing application. Exploit Public-Facing Application, Technique T1190 – Enterprise | MITRE ATT&CK®. (n.d.). Retrieved March 13, 2023, from https://attack.mitre.org/techniques/T1190/
  • Recorded future: Securing our world with intelligence. Recorded Future: Securing Our World With Intelligence. (n.d.). Retrieved March 13, 2023, from https://www.recordedfuture.com/
  • (2023, March 8). MS-ISAC CYBERSECURITY ADVISORY – Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code Execution – PATCH NOW – TLP: CLEAR.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: EJ Bulut

March 14, 2023 (page timestamp 2023-04-05T17:25:53-04:00)

RedLine Stealer Malware Analysis

I. Targeted Entities

  • Opportunistic (any industry)

II. Introduction

RedLine Stealer is a malware family written in C# that harvests autocomplete data, such as saved credentials and financial information, from web browsers. It can also steal system information such as location, hardware configuration, and security software data.

III. Background Information

Redline Stealer (RLS) is a popular piece of malware that operates on a malware-as-a-service (MaaS) model and is sold through underground forums for approximately $100 (Unnikrishnan). Cybercriminals are able to use this software to gather a vast range of sensitive data from Gecko-based and Chromium-based web browsers. This data includes saved credentials, financial information, and cookies, which allow attackers to access various accounts ranging from social media to cryptocurrency wallets (Meskauskas).

Telemetry data, collected by CloudSEK, has picked up deployment of RLS via Regsvcs.exe on Windows systems. The content of the Regsvcs.exe process, in suspended state, is replaced by the loader using a process hollowing technique. This allows for the portable executable of RLS to be mapped into the Regsvcs.exe process, where thread contexts can be manipulated to point to RLS’s entry location. Once complete, RLS is able to masquerade as a legitimate process on the system (Unnikrishnan).

Fake software posing as legitimate software is often used to spread malware like RLS, and eSentire’s Threat Response Unit (eTRU) has observed such a case where RLS is being distributed via a fake version of AnyDesk (eSentire). The legitimate version of AnyDesk’s website was copied to a malicious website, where a victim would download an installer as an ISO image file that has been padded with junk data. This padding is done to bypass file size limitations imposed by sandboxes and antiviruses (eSentire). Once the victim runs the installer, several commands are executed to run obfuscated files that check for antivirus software, communicate with the attacker’s command-and-control servers, and read the victim’s data (eSentire).

RLS has several features beyond stealing saved passwords. Its primary targets are the user’s desktop and documents directories, where it looks for cryptocurrency data, such as crypto wallets, across more than 40 browser extensions. It also captures a screenshot of the desktop and collects Discord tokens and Steam user data. Beyond financial data, RLS can retrieve system information such as username, processor and memory information, installed browsers and antivirus programs, and currently running processes (Unnikrishnan).

IV. Cyber Florida SOC Operations

After initial malware execution, Cyber Florida observed multiple executables dropped by a self-extracting RAR file. These executables, 123.exe and 321.exe, work together to create two vbc.exe child processes that carry out the malicious code. The vbc.exe process attempts to communicate with targeted IP addresses and ports. In one of those communications, Cyber Florida observed what appeared to be the creation of “bebra.exe”, but a hex review of the file showed only the ASCII string “Hello”. It is suspected that this process may be attempting to establish some sort of communication and then crashes by design. A hypothesis is that the “bebra.exe” file is a placeholder until actual binary content is needed or wanted by the malware. A review of vbc.exe suggests it is a legitimate binary that was abused and injected into. Vbc.exe is the Visual Basic Compiler and is used with the .NET Framework. Injecting into a known-good process may be a way for an attacker’s malware to evade detection. The vbc.exe processes had portions of memory with RWX (read, write, and execute) permissions. These memory sections contained binary content, which was extracted and analyzed. Cyber Florida uploaded both files to VirusTotal, and the following binary file was already detected:

https://www.virustotal.com/gui/file/a82732b71779c41df6b105ffe98f385b53d6bd64d783d6cb3caac9be3270d783/details

However, the following was not seen on VirusTotal until Cyber Florida uploaded the file for review:

https://www.virustotal.com/gui/file/f179a2d8bc7ab6cd32a8c1f95988d77fb1381072ac92f099047f7395cae84115
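The RWX-region observation above is something a responder can reproduce with a short script. The following is an added example, not Cyber Florida’s tooling: walk_regions() enumerates a process’s address space with VirtualQueryEx (Windows only, from an account allowed to open the target process), and find_rwx() keeps committed regions that are both writable and executable, listing private regions first, because a hollowed image lands in private memory rather than in a mapped image section. SAMPLE_REGIONS is a constructed region map so the classifier can be exercised on any platform.

```python
"""Flag committed RWX memory regions in a running process.

Added example for the vbc.exe observation above; it is not Cyber Florida's
tooling. The classifier (is_rwx / find_rwx) is pure Python and is exercised on
constructed region data; walk_regions() calls VirtualQueryEx and therefore only
works on Windows.
"""
import ctypes
import sys
from typing import Iterable, List, NamedTuple

# Win32 constants (winnt.h)
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010


class Region(NamedTuple):
    base: int
    size: int
    protect: int   # current page protection
    state: int     # MEM_COMMIT / MEM_RESERVE / MEM_FREE
    type_: int     # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE


def is_rwx(region: Region) -> bool:
    """Committed and both writable and executable (guard/nocache modifier bits masked off)."""
    if region.state != MEM_COMMIT:
        return False
    return (region.protect & 0xFF) in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)


def describe(region: Region) -> str:
    """Private RWX memory is the classic footprint of hollowing/injection; RWX inside a
    mapped image usually means a section was re-protected (unpacking or patching)."""
    kind = {MEM_PRIVATE: "private", MEM_MAPPED: "mapped", MEM_IMAGE: "image"}.get(region.type_, "unknown")
    return f"0x{region.base:016x} size=0x{region.size:x} protect=0x{region.protect:02x} {kind}"


def find_rwx(regions: Iterable[Region]) -> List[Region]:
    """Return the RWX regions, private (unbacked) ones first."""
    hits = [r for r in regions if is_rwx(r)]
    return sorted(hits, key=lambda r: (r.type_ != MEM_PRIVATE, r.base))


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [
        ("BaseAddress", ctypes.c_void_p),
        ("AllocationBase", ctypes.c_void_p),
        ("AllocationProtect", ctypes.c_ulong),
        ("RegionSize", ctypes.c_size_t),
        ("State", ctypes.c_ulong),
        ("Protect", ctypes.c_ulong),
        ("Type", ctypes.c_ulong),
    ]


def walk_regions(pid: int) -> Iterable[Region]:
    """Enumerate the address space of `pid` with VirtualQueryEx (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        mbi = MEMORY_BASIC_INFORMATION()
        addr = 0
        while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            yield Region(base, mbi.RegionSize, mbi.Protect, mbi.State, mbi.Type)
            addr = base + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)


# Constructed region map standing in for a hollowed process: a legitimate image
# section (RX), a RW heap, a reserved-but-uncommitted block, and one committed
# private RWX block (the kind of region the analysts dumped and hashed).
SAMPLE_REGIONS = [
    Region(0x7FF6A0001000, 0x40000, 0x20, MEM_COMMIT, MEM_IMAGE),         # PAGE_EXECUTE_READ
    Region(0x000001E200000000, 0x10000, 0x04, MEM_COMMIT, MEM_PRIVATE),   # PAGE_READWRITE
    Region(0x000001E200100000, 0x20000, 0x40, MEM_RESERVE, MEM_PRIVATE),  # reserved, not committed
    Region(0x000001E200200000, 0x30000, 0x40, MEM_COMMIT, MEM_PRIVATE),   # RWX: dump this one
]

if __name__ == "__main__":
    live = len(sys.argv) > 1 and sys.platform == "win32"
    regions = walk_regions(int(sys.argv[1])) if live else SAMPLE_REGIONS
    for r in find_rwx(regions):
        print(describe(r))
```

Run with a PID on Windows to scan a live process; without arguments it classifies the constructed map. The regions it reports are the ones to dump (ReadProcessMemory or a debugger), hash, and submit, as the analysts did here.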

Network Traffic

This communication was the first observed network connection from the victim system to a potential attacker-controlled system. The communication was to 65.21.213.208:3000. The TCP stream below shows a POST action to the system with no real content. The server replies with a “Hello” response. Of interest, the “bebra.exe” file identified in the victim’s AppData/Roaming folder was not a binary of any sort; when viewed in a hex editor it contained only the ASCII string “Hello”. Also of interest is that the Content-Type returned for “bebra.exe” was application/x-msdownload, which would normally be associated with a binary file.

The following communication was the second observed network connection from the victim system to a potential attacker-controlled system. The traffic was to 51.89.207.166:47909. The observed traffic appeared to have no successful connections made. However, this IP and specified port have been identified as potentially malicious through other threat intelligence sources.
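Both observations above (a dropped .exe that is only the string “Hello”, and an application/x-msdownload response whose body is not a binary) reduce to one check: does the content actually carry a PE header? The following is an added example, not Cyber Florida’s tooling. The HTTP response and file bytes are constructed to mirror what the advisory describes; the file name bebra.exe is the one from the advisory.

```python
"""Flag files and downloads that claim to be Windows executables but are not.

Added example for the bebra.exe observation above; it is not Cyber Florida's
tooling. SAMPLE_RESPONSE and SAMPLE_PE are constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EXECUTABLE_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
}
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".sys")


@dataclass
class Finding:
    subject: str
    reason: str


def looks_like_pe(data: bytes) -> bool:
    """A real PE starts with the 'MZ' DOS stub and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def check_dropped_file(path: str, data: bytes) -> Optional[Finding]:
    """Executable extension without a PE header: a placeholder, a decoy, or a truncated drop."""
    if path.lower().endswith(EXECUTABLE_EXTENSIONS) and not looks_like_pe(data):
        preview = data[:16].decode("ascii", errors="replace")
        return Finding(path, f"executable extension but no PE header (starts with {preview!r})")
    return None


def parse_http_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status line, lower-cased header map, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_http_download(raw: bytes) -> Optional[Finding]:
    """An executable Content-Type whose body is not a PE is a mismatch worth alerting on."""
    _, headers, body = parse_http_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in EXECUTABLE_CONTENT_TYPES and not looks_like_pe(body):
        return Finding("http-response", f"{ctype} body is not a PE image ({len(body)} bytes: {body[:16]!r})")
    return None


# Constructed: the kind of reply the advisory describes, a POST answered with "Hello".
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/x-msdownload\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"Hello"
)

# Constructed: the smallest byte string the checker accepts as a PE (stub + e_lfanew + signature).
SAMPLE_PE = bytearray(b"MZ" + b"\x00" * 0x3E)
SAMPLE_PE[0x3C:0x40] = (0x40).to_bytes(4, "little")
SAMPLE_PE += b"PE\x00\x00" + b"\x00" * 20
SAMPLE_PE = bytes(SAMPLE_PE)

if __name__ == "__main__":
    for f in (check_dropped_file("bebra.exe", b"Hello"),
              check_dropped_file("bebra.exe", SAMPLE_PE),
              check_http_download(SAMPLE_RESPONSE)):
        print(f or "ok")
```

The same check applied to a proxy or EDR file-write feed surfaces the bebra.exe case as soon as it is written, without needing a signature for the loader.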

Similar Observations Seen From ArechClient2

In November 2022, the Cyber Florida SOC released a threat advisory on Arechclient2 and provided presentations on its analysis. During the analysis of Arechclient2, a Base64 string was found that, once decoded, listed various Chrome extensions associated with crypto wallets. Arechclient2 and RedLine appear to have similar functionality, such as stealing browser data like usernames, passwords, and other related content such as information on crypto wallets. When analyzing the current version of RedLine, a similar Base64 string was found. The following is the Base64-encoded data and the decoded result, via CyberChef. This further shows the similarity between the two malware variants.

ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkY
W9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZm
FkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiY
mxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21
kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2J
sbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam
5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbW
ljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZ
GRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZ
m9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWV
mcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZn
YmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZm
tjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfE
JvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVma
VdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdh
bGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYm
Rhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpw
YnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwa
mJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRl
bmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplb
mxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRk
b2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5ia
HxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYW
xsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV0C
mFpaWZibmJmb2JwbWVla2lwaGVlaWppbWRwbmxwZ3BwfFRlcnJhU3RhdGlvbgpmbm5lZ3BobG9iamRwa2hlY2Fwa2lqamRrZ2NqaGtpYnxIYXJtb255V2FsbGV0CmFlY
WNoa25tZWZwaGVwY2Npb25ib29oY2tvbm9lZW1nfENvaW45OFdhbGxldApjZ2Vlb2RwZmFnamNlZWZpZWZsbWRmcGhwbGtlbmxma3xUb25DcnlzdGFsCnBkYWRqa2Z
rZ2NhZmdiY2VpbWNwYmthbG5mbmVwYm5rfEthcmRpYUNoYWluCmJmbmFlbG1vbWVpbWhscG1nam5qb3BoaHBra29sanBhfFBoYW50b20KZmhpbGFoZWltZ2xpZ25
kZGtqZ29ma2NiZ2VraGVuYmh8T3h5Z2VuCm1nZmZrZmJpZGloanBvYW9tYWpsYmdjaGRkbGljZ3BufFBhbGlXYWxsZXQKYW9ka2thZ25hZGNib2JmcGdnZm5qZW9uZ
2VtamJqY2F8Qm9sdFgKa3Bmb3BrZWxtYXBjb2lwZW1mZW5kbWRjZ2huZWdpbW58TGlxdWFsaXR5V2FsbGV0CmhtZW9ibmZuZmNtZGtkY21sYmxnYWdtZnBmYm9pZ
WFmfFhkZWZpV2FsbGV0CmxwZmNiamtuaWpwZWVpbGxpZm5raWtnbmNpa2dmaGRvfE5hbWlXYWxsZXQKZG5nbWxibGNvZGZvYnBkcGVjYWFkZ2ZiY2dnZmpmbm18
TWFpYXJEZUZpV2FsbGV0CmJoZ2hvYW1hcGNkcGJvaHBoaWdvb29hZGRpbnBrYmFpfEF1dGhlbnRpY2F0b3IKb29ramxia2lpamluaHBtbmpmZmNvZmpvbmJmYmdhb2
N8VGVtcGxlV2FsbGV0

ffnbelfdoeiohenkjibnmadjiehjhajb|YoroiWallet
ibnejdfjmmkpcnlpebklmnkoeoihofec|Tronlink
jbdaocneiiinmjbjlgalhcelgbejmnid|NiftyWallet
nkbihfbeogaeaoehlefnkodbefgpgknn|Metamask
afbcbjpbpfadlkmhmclhkeeodmamcflc|MathWallet
hnfanknocfeofbddgcijnmhnfnkdnaad|Coinbase
fhbohimaelbohpjbbldcngcnapndodjp|BinanceChain
odbfpeeihdkbihmopkbjmoonfanlbfcl|BraveWallet
hpglfhgfnhbgpjdenjgmdgoeiappafln|GuardaWallet
blnieiiffboillknjnepogjhkgnoapac|EqualWallet
cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
fihkakfobkmkjojpchpfgcmhfjnmnfpi|BitAppWallet
kncchdigobghenbbaddojjnnaogfppfj|iWallet
amkmjjmmflddogmhpjloimipbofnfjih|Wombat
fhilaheimglignddkjgofkcbgekhenbh|AtomicWallet
nlbmnnijcnlegkjjpcfjclmcfggfefdm|MewCx
nanjmdknhkinifnkgdcggcfnhdaammmj|GuildWallet
nkddgncdjgjfcddamfgcmfnlhccnimig|SaturnWallet
fnjhmkhhmkbjkkabndcnnogagogbneec|RoninWallet
aiifbnbfobpmeekipheeijimdpnlpgpp|TerraStation
fnnegphlobjdpkhecapkijjdkgcjhkib|HarmonyWallet
aeachknmefphepccionboohckonoeemg|Coin98Wallet
cgeeodpfagjceefieflmdfphplkenlfk|TonCrystal
pdadjkfkgcafgbceimcpbkalnfnepbnk|KardiaChain
bfnaelmomeimhlpmgjnjophhpkkoljpa|Phantom
fhilaheimglignddkjgofkcbgekhenbh|Oxygen
mgffkfbidihjpoaomajlbgchddlicgpn|PaliWallet
aodkkagnadcbobfpggfnjeongemjbjca|BoltX
kpfopkelmapcoipemfendmdcghnegimn|LiqualityWallet
hmeobnfnfcmdkdcmlblgagmfpfboieaf|XdefiWallet
lpfcbjknijpeeillifnkikgncikgfhdo|NamiWallet
dngmlblcodfobpdpecaadgfbcggfjfnm|MaiarDeFiWallet
ffnbelfdoeiohenkjibnmadjiehjhajb|YoroiWallet
ibnejdfjmmkpcnlpebklmnkoeoihofec|Tronlink
jbdaocneiiinmjbjlgalhcelgbejmnid|NiftyWallet
nkbihfbeogaeaoehlefnkodbefgpgknn|Metamask
afbcbjpbpfadlkmhmclhkeeodmamcflc|MathWallet
hnfanknocfeofbddgcijnmhnfnkdnaad|Coinbase
fhbohimaelbohpjbbldcngcnapndodjp|BinanceChain
odbfpeeihdkbihmopkbjmoonfanlbfcl|BraveWallet
hpglfhgfnhbgpjdenjgmdgoeiappafln|GuardaWallet
blnieiiffboillknjnepogjhkgnoapac|EqualWallet
cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
fihkakfobkmkjojpchpfgcmhfjnmnfpi|BitAppWallet
kncchdigobghenbbaddojjnnaogfppfj|iWallet
amkmjjmmflddogmhpjloimipbofnfjih|Wombat
fhilaheimglignddkjgofkcbgekhenbh|AtomicWallet
nlbmnnijcnlegkjjpcfjclmcfggfefdm|MewCx
nanjmdknhkinifnkgdcggcfnhdaammmj|GuildWallet
nkddgncdjgjfcddamfgcmfnlhccnimig|SaturnWallet
fnjhmkhhmkbjkkabndcnnogagogbneec|RoninWallet
aiifbnbfobpmeekipheeijimdpnlpgpp|TerraStation
fnnegphlobjdpkhecapkijjdkgcjhkib|HarmonyWallet
aeachknmefphepccionboohckonoeemg|Coin98Wallet
cgeeodpfagjceefieflmdfphplkenlfk|TonCrystal
pdadjkfkgcafgbceimcpbkalnfnepbnk|KardiaChain
bfnaelmomeimhlpmgjnjophhpkkoljpa|Phantom
fhilaheimglignddkjgofkcbgekhenbh|Oxygen
mgffkfbidihjpoaomajlbgchddlicgpn|PaliWallet
aodkkagnadcbobfpggfnjeongemjbjca|BoltX
kpfopkelmapcoipemfendmdcghnegimn|LiqualityWallet
hmeobnfnfcmdkdcmlblgagmfpfboieaf|XdefiWallet
lpfcbjknijpeeillifnkikgncikgfhdo|NamiWallet
dngmlblcodfobpdpecaadgfbcggfjfnm|MaiarDeFiWallet
bhghoamapcdpbohphigoooaddinpkbai|Authenticator
ookjlbkiijinhpmnjffcofjonbfbgaoc|TempleWallet
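Decoding such a blob by hand in CyberChef is fine once; the following is an added example, not Cyber Florida’s tooling and not code from the malware, that does the same step as a parser: it base64-decodes a wrapped blob, keeps only lines of the form extension_id|name with a syntactically valid Chromium extension ID, and collapses repeats into a watchlist a defender can compare against the extension IDs installed in a browser profile. The sample is constructed from a few of the decoded entries above plus one malformed line, and is base64-encoded inside the script so it runs offline.

```python
"""Decode and sanity-check an 'extension_id|wallet_name' list like the one above.

Added example for the Base64 string decoded above; it is not Cyber Florida's
tooling and not code from the malware. The sample is constructed from a few of
the decoded entries (plus one malformed line) and base64-encoded here so the
script is self-contained; a real blob would be pasted in as SAMPLE_B64.
"""
import base64
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Chromium extension IDs are exactly 32 characters drawn from a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Constructed sample in the same plaintext shape as the decoded list.
_SAMPLE_PLAIN = (
    "nkbihfbeogaeaoehlefnkodbefgpgknn|Metamask\n"
    "bfnaelmomeimhlpmgjnjophhpkkoljpa|Phantom\n"
    "fhilaheimglignddkjgofkcbgekhenbh|AtomicWallet\n"
    "fhilaheimglignddkjgofkcbgekhenbh|Oxygen\n"      # same ID under a second name, as in the real list
    "nkbihfbeogaeaoehlefnkodbefgpgknn|Metamask\n"    # exact repeat, as in the real list
    "not-an-id|Bogus\n"                              # malformed line the parser must reject
)
# encodebytes() wraps at 76 columns, much like the blob was pasted into the advisory.
SAMPLE_B64 = base64.encodebytes(_SAMPLE_PLAIN.encode()).decode()


def parse_wallet_list(b64_text: str) -> List[Tuple[str, str]]:
    """Decode base64 (line wraps tolerated) into (extension_id, name) pairs.

    Lines that are not 'id|name' or whose id is not a valid extension id are
    dropped, so a damaged or hostile blob cannot poison the resulting watchlist.
    """
    raw = base64.b64decode(b64_text)   # default validate=False: whitespace is discarded
    pairs = []
    for line in raw.decode("utf-8", errors="replace").splitlines():
        if "|" not in line:
            continue
        ext_id, name = (part.strip() for part in line.split("|", 1))
        if EXT_ID_RE.match(ext_id) and name:
            pairs.append((ext_id, name))
    return pairs


def build_watchlist(pairs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Collapse repeats into {extension_id: sorted names}."""
    names = defaultdict(set)
    for ext_id, name in pairs:
        names[ext_id].add(name)
    return {ext_id: sorted(n) for ext_id, n in names.items()}


def ids_with_conflicting_names(watchlist: Dict[str, List[str]]) -> List[str]:
    """IDs mapped to more than one name: a list-building error or a renamed extension."""
    return sorted(ext_id for ext_id, n in watchlist.items() if len(n) > 1)


if __name__ == "__main__":
    watchlist = build_watchlist(parse_wallet_list(SAMPLE_B64))
    for ext_id, n in watchlist.items():
        print(ext_id, ", ".join(n))
    print("conflicting:", ids_with_conflicting_names(watchlist))
```

On the decoded list above the conflict check fires as well: the ID fhilaheimglignddkjgofkcbgekhenbh appears under both AtomicWallet and Oxygen, and the whole list is present twice before the final two entries, which is why the watchlist is built by ID rather than by line.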

Inject VBC 1 Process

The following shows metadata associated with the injected binary for the first VBC process. Of note is the compile timestamp of the binary, which is set in the future. Static review of the content did not reveal as much as dynamic analysis did; for example, attacker IP addresses and other key findings were not identified statically. The binary appears to have been compiled in .NET, and the source code of the injected binary would be the next step for analysis.

The following string was extracted from ProcessHacker as the malware was running. This string shows the IP address and specified port of interest, along with the POST action observed in Wireshark. This activity also lines up with the ProcMon (ProcessMonitor) logs that were generated from this activity.

Inject VBC 2 Process

The following shows metadata associated with the injected binary for the second VBC process. Of note is that the binary has no timestamp value. Static review of the content did not reveal as much as dynamic analysis did; for example, attacker IP addresses and other key findings were not identified statically.

The following screenshots were taken from ProcessHacker as the malware was running. We can observe the IP address and specified port of interest as strings and represented as Base64 as well.

Overall Order of VBC Activity

The following is a brief, high-level (non-exhaustive) order of activity as it relates to the malicious activity carried out through vbc.exe. It is taken from ProcMon logs.

V. MITRE ATT&CK

  • T1005 – Data from Local System
    Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information. Adversaries may also use Automated Collection on the local system.
  • T1012 – Query Registry
    Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a significant amount of information about the operating system, configuration, software, and security. Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
  • T1552.001 – Unsecured Credential; Credentials in Files
    Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls.
  • T1082 – System Discovery
    An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
  • T1055 – Process Injection
    Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
  • T1095 – Non-Application Layer Protocol
    Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.
  • T1059 – Command and Scripting Interpreter
    Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

VI. Recommendations

  • Phishing awareness training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set antivirus programs to conduct regular scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Malware monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong cyber hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on endpoint protection
    Enable endpoint detection and response (EDR) in the product you’re using so that unknown malware can be stopped.
  • Network Monitoring
    Review network logs, payload, etc. for related IP addresses and associated network parameters.

VII. Indicators of Compromise (IOCs)

VIII. Additional OSINT Information

4efdf3a4c19a94b2e58f5212124cb161.exe
Note: the initial executable may have a different file name.

123.exe
https://www.virustotal.com/gui/file/d3b64baa18214715f544c836b59e2ca839e8695f93706476033a1e8c56dd7287

321.exe
https://www.virustotal.com/gui/file/aadbf6b7fd77075e6355a209c4cbd8b1049f21eb69f503203bd6fd7a7a085dc6

Vbc.exe.bin (injected 1 process)
https://www.virustotal.com/gui/file/a82732b71779c41df6b105ffe98f385b53d6bd64d783d6cb3caac9be3270d783

Vbc.exe2.bin (injected 2 process)
https://www.virustotal.com/gui/file/f179a2d8bc7ab6cd32a8c1f95988d77fb1381072ac92f099047f7395cae84115?nocache=1
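The indicators in this section are most useful when they are checked against telemetry automatically. The following is an added example, not Cyber Florida’s tooling: it pulls the four SHA-256 values out of the VirusTotal links above, takes the two IP:port pairs from the Network Traffic section, and matches them against a constructed EDR-style file inventory and constructed Zeek conn.log lines (the 10.0.0.0/8 and 198.51.100.0/24 addresses in the samples are placeholders).

```python
"""Match this advisory's IoCs against constructed file-hash and connection records.

Added example, not Cyber Florida's tooling. The four SHA-256 values and the two
IP:port pairs come from the advisory; SAMPLE_INVENTORY and SAMPLE_CONN_LOG are
constructed so the script runs offline.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# VirusTotal links as listed in the advisory (123.exe, 321.exe, the two injected vbc.exe dumps).
VT_URLS = [
    "https://www.virustotal.com/gui/file/d3b64baa18214715f544c836b59e2ca839e8695f93706476033a1e8c56dd7287",
    "https://www.virustotal.com/gui/file/aadbf6b7fd77075e6355a209c4cbd8b1049f21eb69f503203bd6fd7a7a085dc6",
    "https://www.virustotal.com/gui/file/a82732b71779c41df6b105ffe98f385b53d6bd64d783d6cb3caac9be3270d783",
    "https://www.virustotal.com/gui/file/f179a2d8bc7ab6cd32a8c1f95988d77fb1381072ac92f099047f7395cae84115?nocache=1",
]
# Endpoints from the Network Traffic section: the POST/"Hello" server and the address
# to which no successful connection was observed.
IOC_ENDPOINTS = {("65.21.213.208", 3000), ("51.89.207.166", 47909)}

SHA256_RE = re.compile(r"/file/([0-9a-f]{64})", re.IGNORECASE)


def sha256_from_vt_url(url: str) -> str:
    """Extract the SHA-256 from a VirusTotal file URL (query strings such as ?nocache=1 are ignored)."""
    m = SHA256_RE.search(url)
    if not m:
        raise ValueError(f"no sha256 in {url}")
    return m.group(1).lower()


IOC_HASHES = {sha256_from_vt_url(u) for u in VT_URLS}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_files(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """inventory maps path -> sha256 hex digest, as an EDR file inventory would report it."""
    return [(path, digest.lower()) for path, digest in inventory.items() if digest.lower() in IOC_HASHES]


def match_connections(lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """Zeek conn.log style TSV: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto conn_state.

    Returns (source host, destination ip, destination port, conn_state); conn_state S0
    means the attempt got no reply, which still matters for an IoC hit.
    """
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) < 8:
            continue
        resp = (f[4], int(f[5]))
        if resp in IOC_ENDPOINTS:
            hits.append((f[2], f[4], int(f[5]), f[7]))
    return hits


# Constructed inventory: one path carrying the 123.exe hash (upper-case, as some tools emit it).
SAMPLE_INVENTORY = {
    r"C:\Users\victim\AppData\Local\Temp\123.exe": "D3B64BAA18214715F544C836B59E2CA839E8695F93706476033A1E8C56DD7287",
    r"C:\Windows\System32\notepad.exe": sha256_bytes(b"constructed benign content"),
}

# Constructed conn.log lines: a completed session to the first IoC, a SYN-only attempt to the
# second, and unrelated traffic.
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state",
    "1678400000.1\tCx1\t10.0.0.25\t49712\t65.21.213.208\t3000\ttcp\tSF",
    "1678400001.2\tCx2\t10.0.0.25\t49713\t51.89.207.166\t47909\ttcp\tS0",
    "1678400002.3\tCx3\t10.0.0.25\t49714\t198.51.100.7\t443\ttcp\tSF",
]

if __name__ == "__main__":
    print("file hits:", match_files(SAMPLE_INVENTORY))
    print("connection hits:", match_connections(SAMPLE_CONN_LOG))
```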

IX. References

eSentire. Esentire Threat Intelligence Malware Analysis: Redline Stealer. eSentire. (n.d.). Retrieved February 10, 2023, from https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-redline-stealer

Meskauskas, T. (2023, February 1). Redline Stealer malware. RedLine Stealer Malware – Malware removal instructions (updated). Retrieved February 10, 2023, from https://www.pcrisk.com/removal-guides/17280-redlinestealer-malware

Unnikrishnan, A., & CloudSEK. (2023, January 26). Technical analysis of the redline stealer: CloudSEK. RSS. Retrieved February 10, 2023, from https://cloudsek.com/blog/technical-analysis-of-the-redline-stealer

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Sreten Dedic, EJ Bulut

To learn more about Cyber Florida visit: www.cyberflorida.org

March 10, 2023 (page timestamp 2023-04-05T17:26:08-04:00)

Malware with Sandbox Evasion Techniques Observed Stealing Browser Cached Credentials

I. Targeted Entities

  • Opportunistic organizations

II. Introduction

Arechclient2 is a .NET remote access trojan (RAT) that has numerous capabilities. The RAT can profile victim systems, steal information like browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions.

III. Cyber Florida SOC Observations

Update 12/8/2022: 
Cyber Florida identified additional content in analysis that was not previously reported. This information pertains to network connections. While using the InstallUtil.exe binary to execute code, the InstallUtil.exe process was observed reaching out to a pastebin[.]com page. This page contained the CnC IP address. Additionally, the victim IP address (observed in the UIP parameter) appears to be obtained by the InstallUtil.exe process from hxxp://eth0[.]me (which appears to be a site that identifies the visiting host’s IP address).

Original Post: 
Cyber Florida has observed network payload data obfuscated via Base64 encoding and sent to what appears to be a command-and-control server. The command-and-control server appears to be utilizing Google cloud services (googleusercontent.com). Within the Base64 data, exfiltrated usernames and passwords were observed. Based on observations, the exfiltrated data appears to come from cached browser credentials (Google Chrome profiles, Firefox profiles, Microsoft Edge profiles, etc.). In reviewing logs and network traffic, there were parameters of interest within the data payload that would aid in identifying this activity. The following payload parameters were observed in the network traffic: ConnectionType, Client, SessionID, BotName, Computer, BuildID, BotOS, URLData, UIP.

Based on the observed command-and-control traffic, there may be similarities to the Redline Stealer malware. See the CERT Italy article: https://cert-agid.gov.it/news/scoperto-il-malware-redline-stealer-veicolato-come-lastpass/

Screenshot samples of log and network traffic have been provided in the appendix of this report.

Some of the interesting evasion tactics Cyber Florida observed were the use of “sleep” functions and the use of the .NET Framework’s InstallUtil.exe binary to communicate with the command-and-control server. The “sleep” functionality appeared to delay the use of InstallUtil.exe. In testing, InstallUtil.exe appeared to run in perpetuity, regularly communicating with the command-and-control server. In a review of a few automated sandboxes, the InstallUtil.exe activity was not identified; this may be due to the “sleep” activity.

Another evasion tactic appears to be an attempt to modify Windows Defender settings via the second observed PowerShell instance. The cmdlet Set-MpPreference with the option -ExclusionPath 'C:' was employed. This command appears to create a malware scan exclusion, which would prevent Windows Defender from scanning the entire C: volume.

The following links provide examples and context of InstallUtil.exe malware usage and abuse.

https://gbhackers.com/hiding-malware-legitimate-tool/ (not directly related to observed activity)

https://www.ired.team/offensive-security/code-execution/t1118-installutil (not directly related to observed activity)

https://attack.mitre.org/techniques/T1218/004/

During initial malicious binary execution, a persistence mechanism was observed via the common HKCU\Software\Microsoft\Windows\CurrentVersion\Run location.
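The three behaviors described above (a Defender exclusion covering a whole drive, InstallUtil.exe talking to the network, and a Run-key write from a user-writable path) are each simple to express as a rule over process, network and registry telemetry. The following is an added example, not Cyber Florida’s tooling: three rules run over constructed Sysmon-style events (EventID 1 process create, 3 network connect, 13 registry set). The events are constructed; the Set-MpPreference exclusion, the IXP000.TMP path and port 15647 are taken from this advisory, the 203.0.113.10 address is a documentation-range placeholder, and the “Updater”/“VendorAgent” value names are invented.

```python
"""Triage rules for the evasion and persistence behaviors described above.

Added example, not Cyber Florida's tooling. SAMPLE_EVENTS are constructed
Sysmon-style records; see the comments on each for which values come from the
advisory and which are placeholders.
"""
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, object]
Finding = Tuple[str, str]   # (rule name, detail)

EXCLUSION_RE = re.compile(r"-Exclusion(?:Path)?\s+(.+?)(?=\s+-|\s*$)", re.IGNORECASE)
QUOTES = "'\"‘’“”"   # PowerShell accepts straight quotes; copy-pasted commands often carry curly ones


def exclusion_paths(cmdline: str) -> List[str]:
    """Paths passed to Set-/Add-MpPreference -ExclusionPath (comma lists and curly quotes handled)."""
    if not re.search(r"\b(Set|Add)-MpPreference\b", cmdline, re.IGNORECASE):
        return []
    m = EXCLUSION_RE.search(cmdline)
    if not m:
        return []
    return [p.strip().strip(QUOTES) for p in m.group(1).split(",") if p.strip(QUOTES).strip()]


def is_broad_exclusion(path: str) -> bool:
    """Whole drives, user profiles and system directories defeat scanning wholesale."""
    p = path.strip().rstrip("\\/").lower()
    if re.fullmatch(r"[a-z]:", p):          # 'C:' or 'C:\' -> the entire volume
        return True
    return p.startswith(("c:\\users", "c:\\windows", "c:\\programdata",
                         "%userprofile%", "%temp%", "%appdata%"))


def rule_defender_exclusion(ev: Event) -> List[Finding]:
    """T1562.001: a scan exclusion wide enough to hide the malware's own working directory."""
    if ev.get("EventID") != 1:
        return []
    broad = [p for p in exclusion_paths(str(ev.get("CommandLine", ""))) if is_broad_exclusion(p)]
    return [("defender_broad_exclusion", f"{ev.get('Image')} excluded {p!r}") for p in broad]


def rule_installutil_network(ev: Event) -> List[Finding]:
    """T1218.004: InstallUtil.exe has no legitimate reason to open network connections."""
    if ev.get("EventID") != 3:
        return []
    image = str(ev.get("Image", "")).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image != "installutil.exe":
        return []
    return [("installutil_network",
             f"InstallUtil.exe -> {ev.get('DestinationIp')}:{ev.get('DestinationPort')}")]


def rule_run_key(ev: Event) -> List[Finding]:
    """T1547.001: a Run key written by a process outside Windows / Program Files."""
    if ev.get("EventID") != 13:
        return []
    target = str(ev.get("TargetObject", ""))
    if "\\currentversion\\run\\" not in target.lower():
        return []
    image = str(ev.get("Image", "")).lower()
    if image.startswith(("c:\\windows\\", "c:\\program files")):
        return []
    return [("run_key_persistence", f"{ev.get('Image')} set {target}")]


RULES = (rule_defender_exclusion, rule_installutil_network, rule_run_key)


def triage(events: Iterable[Event]) -> List[Finding]:
    return [f for ev in events for rule in RULES for f in rule(ev)]


# Constructed Sysmon-style events.
SAMPLE_EVENTS: List[Event] = [
    # exclusion as described in the advisory (curly quotes as they appear in the write-up)
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Set-MpPreference -ExclusionPath ‘C:’"},
    # InstallUtil.exe beaconing; placeholder address, port from the advisory
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 15647},
    # Run key written from the dropper's temp directory named in the advisory
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\IXP000.TMP\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # benign look-alikes: a narrow vendor exclusion and a Run key set by an installer under Program Files
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\\Program Files\\Vendor\\db'"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\installer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
]

if __name__ == "__main__":
    for rule_name, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule_name}] {detail}")
```

The two benign look-alikes at the end are there on purpose: a narrow exclusion and a Run key written by an installer under Program Files produce no finding, which keeps the rules usable on real fleets where both are routine.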

IV. Additional Background Information

Blackpoint Cyber discovered an ISO file that contained a malicious Windows executable that was downloaded to a victim’s computer and was not detected by an antivirus program. A malicious executable, named Setup.exe, was observed using various defense evasion techniques including obfuscation, injection, and uncommon automation tools. These tools were used to drop a RAT named Arechclient2 (Blackpoint Cyber). The size of Setup.exe is over 300 megabytes (Blackpoint Cyber).

The initial attack vector that was used to send Setup.exe to the victim is unknown. This is the execution step. When Setup.iso is double-clicked, the ISO file can be mounted like a CD and, oftentimes, the contents of the file are automatically executed (Blackpoint Cyber). Running Setup.exe will start the extraction of three files and execute multiple child processes (Blackpoint Cyber). A new folder, IXP000.TMP, is made in the victim’s AppData\Local\Temp directory and three files are created in the newly created directory: Funding.mpeg, Mali.mpeg, and Dns.mpeg (Blackpoint Cyber).

The Dns.mpeg script is heavily obfuscated. The script searches for AvastUI.exe and AVGUI.exe running on the victim’s computer. The two executables are found in the Avast antivirus product line (Blackpoint Cyber). If those two executables are not found, Dns.mpeg sets Hole.exe.pif to the name AutoIT3.exe. In the script .au3 (or d.au3) there are over 3,000 references to a function named Xspci(). This function takes a string as its first argument and a number as its second argument. The function is responsible for decoding strings (Blackpoint Cyber).

The .au3 script accomplishes three things through injection: 1. establishing persistence using a URL file in the victim’s startup folder; 2. copying the ntdll.dll file from the C:\Windows\SysWOW64 folder to avoid antivirus hooks; 3. injecting the embedded payload into jsc.exe (Blackpoint Cyber). The function that is responsible for the above tasks is KXsObHGILZNaOurxqSUainCYU(), which takes a pointer to the binary to be injected, a string argument, and a string argument with the path to the binary that would be executed and injected into as arguments (Blackpoint Cyber). The script establishes persistence by adding a URL file to the victim’s startup folder that will execute a Microsoft Visual Basic Script (VBS) on every login (Blackpoint Cyber).

Arechclient2 has a decompilation phase. Test.exe, a C# binary, can be loaded into tools that statically and dynamically analyze code. One such tool is DnSpy (Blackpoint Cyber). The class names in Test.exe were minimized to single and double characters to add an additional layer of confusion for reverse engineers (Blackpoint Cyber). The actual name of Test.exe is 2qbarx12tqm.exe (Blackpoint Cyber). Arechclient2 also contains a command and control (C2) phase. When Arechclient2 is executed, it connects to https[:]//pastebin.com/raw/nJqnWX3u to collect C2 information (Blackpoint Cyber). The requested file, nJqnWX3u, contains the IP address 34[.]141[.]198[.]105 as a string. It also connects to http[:]//eth0.me to get its public IP address (Blackpoint Cyber). Arechclient2 connects to its C2 server on port 15647 to receive commands. The server responds with information to control the encryption status (“On” or “Off”) in JSON format (Blackpoint Cyber). If the communications are intercepted and the encryption is set to “Off,” further communications will be in plaintext (Blackpoint Cyber).

V. MITRE ATT&CK

  • T1059.001 – Command and Scripting Interpreter: PowerShell
    Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.
  • T1555.003 – Credentials From Web Browsers
    Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.
  • T1547.001 – Registry Run Keys / Startup Folder
    Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the “run keys” in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account’s associated permissions level.
  • T1562.001 – Impair Defenses: Disable or Modify Tools
    Adversaries may modify and/or disable security tools to avoid possible detection of their malware, tools, and activities. Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events.
  • T1218.004 – System Binary Proxy Execution: InstallUtil
    Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe.
  • T1095 – Non-Application Layer Protocol
    Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.
  • T1132.001 – Standard Encoding
    Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.

VI. Recommendations

  • Phishing awareness training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set antivirus programs to conduct regular scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Malware monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong cyber hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on endpoint protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.
  • Network Monitoring
    Review network logs, payloads, etc. for the related IP address and associated network parameters.

VII. Indicators of Compromise (IOCs)

The screenshot below shows the payload sent to a victim, as seen by Cyber Florida. A portion of the Base64 and UIP fields has been redacted.

The following screenshot is similar to the log above but was acquired via network packet capture.

VIII. References

Blackpoint Cyber. “Ratting out arechclient2 – Blackpoint Whitepaper.” Blackpoint Cyber. Accessed November 15, 2022. https://blackpointcyber.com/lp/ratting-out-arechclient2/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya. 

November 30, 2022

Colorado State Website Attacked by Russian Hacktivists

I. Targeted Entities

  • Colorado’s official website

II. Introduction

Colorado state officials say that on Wednesday, October 5, 2022, Colorado’s website was rendered unusable as the result of an apparent cyberattack after a known Russia-based hacker group made a Telegram post saying that it would be targeting U.S. state websites. While the U.S. election system is largely disconnected from the Internet, state websites are prime targets for hackers who want to undermine confidence in elections.

III. Background Information

The cyberattack flooded the state’s website with web traffic, a common and simple way to disable websites. There is no indication that any of Colorado’s internal systems were accessed or that its election systems were compromised.[1] However, given how close this attack is to the U.S. midterms, experts say that the attack could give the false impression that U.S. elections are vulnerable to foreign interference.[1]

Killnet, the group responsible for the attack, is a Russian-aligned group that claims to be made up of amateur hacktivists who support Russia’s international interests. Killnet adheres to the same model as Ukraine’s IT Army (a Ukrainian government-affiliated movement that frequently posts a list of Russian websites on Telegram for supporters around the globe to try to overwhelm with traffic). The tactic Killnet uses to overwhelm websites with traffic is known as a distributed denial of service, or DDoS.[1] On Wednesday, Killnet posted a list of 12 target states to its Telegram channel: Alabama, Alaska, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Indiana, Kansas, Kentucky, and Mississippi.[1]

It is unclear if other states were affected, but federal officials have repeatedly stated that they do not expect a cyberattack to affect the midterm elections. The Cybersecurity and Infrastructure Security Agency (CISA), which oversees federal cybersecurity support for election infrastructure, released a joint announcement with the FBI saying, “any attempts by cyber actors to compromise election infrastructure are unlikely to result in large-scale disruptions or prevent voting.”[2]

Because DDoS attacks are simple to conduct and don’t inflict lasting damage or give criminals access to hidden information, cybersecurity professionals and other hackers generally regard them as unimpressive. However, Killnet has started becoming more effective at making websites unreachable, and has the potential to cause significant disruptions.[1]

IV. MITRE ATT&CK

  • T1498 – Network Denial of Service
    Killnet performed a DDoS attack to degrade and block the availability of targeted websites. Network DoS can be performed by exhausting the network bandwidth services rely on.

V. Recommendations

  • Set antivirus programs to conduct regular scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Monitor malware
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Turn on endpoint protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

Because of the nature of this threat advisory, there are no IOCs. However, it is important that businesses and entities create a business continuity and disaster recovery plan in case a DDoS attack were to occur.

VII. References

(1) Collier, Kevin. “Cyberattack on Colorado State Website Follows Russian Hacktivist Threat.” NBCNews.com. NBCUniversal News Group, October 6, 2022. https://www.nbcnews.com/tech/security/colorado-state-websites-struggle-russian-hackers-vow-attack-rcna51012.

(2) “Malicious Cyber Activity Against Election Infrastructure Unlikely to Disrupt or Prevent Voting.” FBI & CISA Public Service Announcement, October 4, 2022. https://www.cisa.gov/uscert/sites/default/files/publications/PSA_cyber-activity_508.pdf.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, and Uday Bilakhiya.

October 19, 2022

Student Loan Breach Discloses 2.5 Million Records

I. Targeted Entities

  • Edfinancial and Oklahoma Student Loan Authority loanees

II. Introduction

Oklahoma Student Loan Authority (OSLA) and Edfinancial are notifying over 2.5 million people that their personal data was leaked in a data breach that could lead to further trouble.

III. Background Information

Nelnet Servicing, a Lincoln, Nebraska-based servicing system and web portal provider for the two loan providers, was the target of the breach. Nelnet made the breach known to affected loan recipients on July 21st via letter.[1]

By August 17th, the investigation found that the personal information, including names, home addresses, email addresses, phone numbers, and Social Security numbers, of 2,501,324 student loan account holders had been accessed by an unauthorized party. However, the users’ financial information was not leaked.[2] According to the breach disclosure filing submitted to the state of Maine by Bill Munn, Nelnet’s general counsel, the breach occurred between June 1, 2022 and July 22, 2022. However, the letter sent to affected users pinpoints the breach to July 21, 2022.[3]

Although loanees’ sensitive financial data was not leaked, the personal information that was leaked “has [the] potential to be leveraged in future social engineering and phishing campaigns,” says Melissa Bischoping of Tanium. With the Biden administration’s recent announcement of a plan to cancel $10,000 of student loan debt for low- and middle-income loanees, it should be expected that this breach could be used by scammers for criminal activity. Bischoping warns that the recently leaked data can be used to impersonate affected brands in phishing campaigns that target students and recent college graduates.[4]

According to the breach disclosure, Nelnet informed Edfinancial and OSLA that Nelnet’s cybersecurity team “took immediate action to secure the information system, block the suspicious activity, fix the issue, and launched an investigation with third-party forensic experts to determine the nature and scope of the activity.” Also in the breach disclosure sent to the state of Maine is a statement that remediation will include two years of free credit monitoring, credit reports, and up to $1 million in identity theft insurance.[1]

IV. MITRE ATT&CK

  • T1586 – Compromise Accounts
    Adversaries may compromise accounts with services that can be used during targeting with information gained from the data breach.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a

VI. Indicators of Compromise (IOCs)

Because of the nature of the event, this threat advisory has no indicators of compromise. However, users should continue to remain vigilant.

VII. References

(1) Nelson, Nate. “Student Loan Breach Exposes 2.5M Records.” Threatpost English Global, August 31, 2022. https://threatpost.com/student-loan-breach-exposes-2-5m-records/180492/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut.

September 2, 2022

Phishers Spoof 2FA to Steal Coinbase Accounts

I. Targeted Entities

  • Coinbase accounts

II. Introduction

Attackers are bypassing two-factor authentication (2FA) and using other evasion tactics in a campaign that is trying to take over Coinbase accounts to defraud users of their cryptocurrency.

III. Background Information

Researchers at PIXM Software say that the threat actors are using emails that spoof Coinbase to trick users into logging into their accounts so that the attackers can gain access to the accounts and steal funds.[2] The researchers say that the cybercriminals will distribute these stolen funds through a network of “burner” accounts, in an automated way, via hundreds or thousands of transactions. The cybercriminals do this in an effort to shroud the original wallet from their destination wallet.[2]

The attackers employ a range of tactics to avoid detection. One such tactic is what researchers call “short-lived domains.” These domains are only up for extremely short periods of time (less than two hours), which is a deviation from typical phishing practices.[1] Another tactic used is context awareness. Context awareness allows cybercriminals to know either the IP, CIDR Range, or geolocation from which they anticipate their target to be connecting. The attackers can then create something similar to an Access Control List (ACL) on the phishing page to restrict connections to only be allowed from the IP, CIDR Range, or region of their intended target.[1]

The Coinbase attacks begin with criminals targeting users with a malicious email that spoofs Coinbase so that victims think that they are receiving a legitimate message. The email uses a variety of reasons to persuade the user into logging into their account. For example, the account might be locked due to suspicious activity or a transaction needs to be confirmed. Like a typical phishing campaign, if the user is persuaded to follow the link in the phony message, they are taken to a fake login page and they are prompted to enter their credentials. If the user enters their credentials, the cybercriminal receives them in real-time and uses them to log in to the legitimate Coinbase website. Because the attacker logged into the legitimate Coinbase website, the victim is sent a 2FA code from Coinbase. Thinking that they are logging into the legitimate Coinbase website, the victim enters the 2FA code they received. However, like the login credentials, the cybercriminal receives the 2FA code and gains control of the victim’s account.[1]

Once the criminal has access to the account, they divert the victim’s funds to the aforementioned network of accounts in order to evade detection or suspicion. According to researchers, the funds are often embezzled through unregulated and illegal online cryptocurrency services, like cryptocurrency casinos, betting applications, and illegal online marketplaces.[1] At this point, the victim is told that their account is locked or restricted, and is prompted to talk to customer service to rectify their problem. This prompt is the second phase of the attack, where the cybercriminal poses as a Coinbase employee trying to help the victim regain access to their account, but in reality, is stalling so that the fund transfer can be completed before the victim becomes suspicious. Once the transfer is complete, the cybercriminal will abruptly close the session and then shut down the phishing page, leaving the victim without their funds.[1]
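The flow above works because a one-time code verifies the same way whether the victim typed it into the real site or into the phishing page. This added example (not from the cited research or from Coinbase) simulates the relay against an RFC 6238 TOTP check and, for contrast, runs the origin check a relying party applies to WebAuthn clientDataJSON, which rejects a response the browser produced on a phishing origin; the account, secret, origins and challenge are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed for illustration: secret, account and origins are placeholders,
# not values from Coinbase or from the cited research.
VICTIM_SECRET = b"constructed-totp-seed-for-demo"
LEGIT_ORIGIN = "https://exchange.example"          # stands in for the real site
PHISH_ORIGIN = "https://exchange-login.example"    # attacker's short-lived domain


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `now`."""
    counter = struct.pack(">Q", int(now) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class LegitimateSite:
    """Password + TOTP login as the real service performs it."""

    def __init__(self, users):
        self.users = users  # username -> (password, TOTP secret)

    def login(self, username, password, code, now, window=1):
        """Accept the code for the current 30 s step or `window` neighbours.
        Nothing here can tell which web page the user typed the code into."""
        entry = self.users.get(username)
        if not entry or not hmac.compare_digest(entry[0], password):
            return False
        return any(hmac.compare_digest(totp(entry[1], now + 30 * d), code)
                   for d in range(-window, window + 1))


def relayed_login(site, username, password, code, now):
    """Server side of the phishing page: whatever the victim types is forwarded
    to the real site in the attacker's own session, within the time window."""
    return site.login(username, password, code, now)


def browser_client_data(origin, challenge):
    """The fields a browser places in clientDataJSON when a page on `origin`
    calls navigator.credentials.get() with `challenge` (base64url, unpadded)."""
    body = json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()
    return base64.urlsafe_b64encode(body).decode().rstrip("=")


def check_client_data(client_data_b64url, expected_challenge, expected_origin):
    """Relying-party checks on clientDataJSON that precede signature
    verification (type, challenge, origin). The browser fills in `origin` from
    the page the user is really on, so data produced on the phishing origin
    cannot satisfy the legitimate site. Signature verification over
    authenticatorData is omitted here."""
    padded = client_data_b64url + "=" * (-len(client_data_b64url) % 4)
    data = json.loads(base64.urlsafe_b64decode(padded))
    return (data.get("type") == "webauthn.get"
            and data.get("challenge") == expected_challenge
            and data.get("origin") == expected_origin)


def demo(now=1_660_000_000):
    site = LegitimateSite({"victim": ("correct horse battery", VICTIM_SECRET)})
    # 1. The victim types password and current code into the phishing page; the
    #    relay forwards both to the real site 20 s later, still inside the window.
    code_typed_by_victim = totp(VICTIM_SECRET, now)
    totp_relay = relayed_login(site, "victim", "correct horse battery",
                               code_typed_by_victim, now + 20)
    # 2. The same relay against an origin-bound factor: the browser recorded the
    #    phishing origin in clientDataJSON, so the legitimate site rejects it.
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed base64url challenge
    relayed = browser_client_data(PHISH_ORIGIN, challenge)
    genuine = browser_client_data(LEGIT_ORIGIN, challenge)
    return {
        "totp_relay_accepted": totp_relay,
        "webauthn_relay_accepted": check_client_data(relayed, challenge, LEGIT_ORIGIN),
        "webauthn_genuine_accepted": check_client_data(genuine, challenge, LEGIT_ORIGIN),
    }


if __name__ == "__main__":
    print(demo())
```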

IV. MITRE ATT&CK

  • T1566 – Phishing
    The threat actors will send phishing messages to gain access to a victim’s Coinbase account.
  • T1111 – Multi-Factor Authentication Interception
    The threat actors target multi-factor authentication mechanisms to gain access to credentials that are used to access Coinbase systems and services.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.

VI. Indicators of Compromise (IOCs)

This threat advisory has no indicators of compromise, but users should ensure that they are only interacting with legitimate communications from Coinbase and other services.

VII. References

(1) Montalbano, Elizabeth. “Phishers Swim Around 2FA in Coinbase Account Heists.” Threatpost English Global, August 8, 2022. https://threatpost.com/phishers-2fa-coinbase/180356/.

(2) PIXM Software, ed. “Coinbase Attacks Bypass 2FA.” Pixm Anti-Phishing, August 8, 2022. https://pixmsecurity.com/blog/phish/coinbase-attacks-bypass-2fa/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut.

August 16, 2022

Phishing Attacks Increase as Facebook and Microsoft are Most Abused

I. Targeted Entities

  • Microsoft, Facebook, and other large tech brands

II. Introduction

Phishing attacks exploiting the Microsoft and Facebook brands, among others, have increased between 2021 and 2022.

III. Background Information

According to researchers at Vade, Microsoft, Facebook, and the French bank Crédit Agricole are the most abused brands.[1] The report also says that phishing attacks exploiting the Microsoft brand increased 266% in the first quarter of 2022 compared to 2021. Phony Facebook messages are up 177% in the second quarter of 2022, also compared to 2021.[1]

The research done by Vade analyzed unique instances of phishing URLs used by threat actors carrying out phishing attacks and not the number of phishing emails associated with the URLs. Their report listed the 25 most commonly phished companies, along with the most targeted industries and days of the week for phishing emails.[1] Other brands at the top of the list include Crédit Agricole, WhatsApp, and French telecommunications company Orange. PayPal, Google, and Apple also made the list.[1]

The report by Vade found that through the first half of 2022, 34% of all unique phishing attacks tracked by the researchers at Vade impersonated financial services brands. The next most popular sector was cloud service providers, with Microsoft, Google, and Adobe being prime targets. The social media sector was also popular, with Facebook, WhatsApp, and Instagram at the top of the list of brands exploited in the attacks.[1] The researchers also found that the most popular days for sending phishing emails were Monday through Wednesday. Relatively few phishing emails were sent on the weekend, which accounted for only 20% of the phishing emails.[1]

IV. MITRE ATT&CK

  • T1566 – Phishing
    Adversaries will send phishing messages to gain access to a victim’s machine. These phishing attempts may come via link or attachment, and typically execute malicious code on victim machines.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.

VI. Indicators of Compromise (IOCs)

This threat advisory has no indicators of compromise, but it is recommended that readers be aware of the links and attachments that they are sent to ensure their safety.

VII. References

(1) Nelson, Nate. “Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands.” Threatpost English Global, July 26, 2022. https://threatpost.com/popular-bait-in-phishing-attacks/180281/.

(2) Petitto, Natalie. “Phishers’ Favorites Top 25, H1 2022: Microsoft Is the Most Impersonated Brand in Phishing Attacks.” Vade, July 26, 2022. https://www.vadesecure.com/en/blog/phishers-favorites-top-25-h1-2022.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, and Tural Hagverdiyev.

August 1, 2022

Google Patches Exploited Chrome Bug

I. Targeted Entities

  • Google Chrome

II. Introduction

On July 4, Google quietly released a stable channel update for Google Chrome to patch an actively exploited zero-day vulnerability. This is the fourth such flaw Google has patched in Google Chrome this year.

III. Background Information

Chrome 103 (103.0.5060.71 for Android and 103.0.5060.114 for Windows and Mac) fixes a heap buffer overflow flaw in WebRTC. WebRTC is the engine that gives the browser its real-time communications capability.[1] The vulnerability, tracked as CVE-2022-2294 and reported by Jan Vojtesek from the Avast Threat Intelligence team, is described as a buffer overflow, “where the buffer that can be overwritten is allocated in the heap portion of memory.”[1]

Google did not reveal any specific details about the vulnerability, but they did recommend that users upgrade their Google Chrome browsers. Because there are so few known details about the flaw, users’ most feasible protection is to upgrade their browser. Fortunately, Google Chrome updates are pushed without user intervention so most users will be protected once an update is available.[1]

Buffer overflows can lead to crashes and other attacks that make the affected program unavailable, such as putting the program into an infinite loop. Attackers can also take advantage of the flaw by using the crash to execute arbitrary code, usually outside the scope of the program’s security policy.[1]

Along with the zero-day buffer overflow, the update also patches a type-confusion flaw in the V8 JavaScript engine (CVE-2022-2295), which was reported on June 16th by researchers at S.S.L.[1] This is the third flaw of this nature patched this year in the open-source engine used by Google Chrome and Chromium-based web browsers. In March, a different type-confusion issue in the V8 JavaScript engine (CVE-2022-1096) required a hasty patch from Google. And in April, Google patched another type-confusion flaw (CVE-2022-1364) affecting Google Chrome’s use of V8, which attackers had already pounced on.[1]

Another flaw patched in the July 4 Google Chrome update is a use-after-free flaw in Chrome OS Shell, which was reported by Khalil Zhani on May 19th and is tracked as CVE-2022-2296, according to Google. Prior to patching the Chrome V8 JavaScript engine flaws in March and April, Google, in February, patched a zero-day use-after-free flaw in Chrome’s Animation component (CVE-2022-0609) that was under attack.[1]

IV. MITRE ATT&CK

Because the specific details of this flaw have not been announced, there are currently no MITRE ATT&CK techniques associated with this flaw.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.

VI. Indicators of Compromise (IOCs)

Because the specific details of this flaw have not been announced, there are currently no IOCs associated with this flaw.

VII. References

(1) Montalbano, Elizabeth. “Google Patches Actively Exploited Chrome Bug.” Threatpost English Global, July 5, 2022. https://threatpost.com/actively-exploited-chrome-bug/180118/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Tural Hagverdiyev, Uday Bilakhiya.

July 14, 2022

Microsoft Releases Workaround for Zero-Day Flaw

I. Targeted Entities

  • Travel Industry

II. Introduction

As people begin to travel more post-COVID, researchers are warning that the travel industry is a prime target for an increase in cyber-related crimes. Criminal activity ranges from an uptick in adversaries targeting airline mileage reward points to the theft of credentials for travel websites. The continued increase in these types of cybercrimes can have major impacts, including flight delays and cancelations, and leaves hacked accounts stripped of their value.

III. Background Information

Since January, researchers at Intel 471 have found multiple hacks used by threat actors to trade the credentials linked to travel websites. The threat actors were specifically interested in “mileage rewards accounts with at least 100,000 miles.” These accounts are used to earn certain rewards on every dollar spent.[1] The credentials that were listed in February come from U.K. users from a major travel website and two U.S. airlines. The researchers at Intel 471 say, “access to these accounts allowed actors to leverage the rewards to book travel reservations for themselves and other customers. The accounts and their respective rewards points could be resold to other actors looking to conduct similar types of travel fraud activity.”[1]

The exploitation of rewards programs, especially those associated with travel, is not new. In 2018, two Russian teens were arrested for infiltrating more than a half-million online accounts, targeting services that offer reward points.[2] Researchers say that as the travel industry bounces back from its COVID-related slump, the industry once again becomes a target for criminals.[2]

Other nefarious activity includes the targeting of travel-related databases. These databases contain employee and traveler personal identifiable information (PII), which the criminals can sell for money. Intel 471 researchers noticed threat actors had exploited a travel-related database of 40,000 employees in Illinois. The researchers say that this leaked information plays a role in travel-related fraud, allowing a criminal to generate new identities that can be used to cross borders or evade authorities.[1]

Researchers at Intel 471 suggest that customers stay vigilant while making travel arrangements, should book flights from reliable sources, handle payment cautiously, and be on the lookout for any out-of-place offers.

IV. MITRE ATT&CK

  • T1566 – Phishing
    Adversaries may utilize methods, like phishing, that involve social engineering techniques, such as posing as a trusted source.
  • T1555 – Credentials from Password Stores
    Adversaries may search common password storage locations to obtain user credentials.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

There are no IOCs for this threat advisory. However, users should remain vigilant of things that don’t seem right, and take the necessary precautions as they browse the Internet.

VII. References

(1) Intel 471, ed. “Cybercriminals Preying on Travel Surge with a Host of Different Scams.” Intel471, June 15, 2022. https://intel471.com/blog/travel-fraud-cybercrime-ransomware-pii.

(2) Tiwari, Sagar. “Travel-Related Cybercrime Takes Off as Industry Rebounds.” Threatpost English Global, June 15, 2022. https://threatpost.com/travel-related-cybercrime-takes-off/179962/.

Threat Advisory created by the Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Tural Hagverdiyev, Uday Bilakhiya.

June 16, 2022