F5 SIRT This Week In Security - Jan 21st-27th-LNKs & XLLs for malware, CVE-2022-34689, FBI on APT28
F5 SIRT This Week In Security
Jan 21st - 27th, 2023
LNKs & XLLs for malware, CVE-2022-34689, FBI on APT28
Hello! Arvin is your editor for F5 SIRT's This Week In Security (TWIS) covering 21-27 January 2023, my first for this year.
First on the list, Windows LNK files - the common Windows shortcut - has become the alternate to "Office Macros" previously used by Threat Actors to deliver malware to a victim device. As observed in the past Threat Actors and Malware campaigns, the initial delivery of first stage malware usually thru email phishing and spreading malicious links that downloads a malicious file. In recent years, using Office Documents with Macros enabled, when opened, will execute code that downloads malware. As Microsoft disabled Macros by default, threat actors now need an alternative way of delivering the initial commands to download malware, and this they found in Windows LNK files. Windows LNK files are deceptive and easy to trust as one might think it is relatively harmless, however, research by the security community brings light on how these LNK files might have more sinister use.
Another MS Office based file which threat actors used as an alternate to Office Macros, the XLL, an MS Excel add-in, is a file we should be aware of. Similar to windows LNK file, this file type can be easily ignored but may also contain potentially malicious code.
In general and mentioned a few times in previous TWIS editions, take care when opening url links and files from emails. A healthy level of awareness goes a long way when dealing with the amount of information we receive every day, phishing emails may be one of them, and recognizing one would help cut off the malware's initial delivery.
Akamai released their analysis on CVE-2022-34689 - a Windows spoofing bug in CryptoAPI, particularly, the root of the issue, their research on Certificate thumbprint MD5 collisions. In the past, MD5 collisions were exploited where 2 files with the same MD5 hashes - which in essence, breaks MD5 and any cryptographic hash function promise - NO two distinct message ( in most cases "files", "certificates", "executables" ) should have the same MD5 hash. Microsoft has fixed this vulnerability back in August 2022, however, per the research, a recent scan of previously scanned endpoints are still unpatched. Applications and Web Browsers which uses the Windows Crypto API are potential victims should this CVE is leveraged by an attacker, example, a man in the middle scenario where an attacker presents a spoofed certificate thumbprint. Promptly, it is recommended to update vulnerable systems to mitigate this CVE.
FBI confirmed Lazarus Group (APT28) was behind the $100 million worth in crypto assets stolen from the Harmony blockchain - which was what the infosec and crypto communities have been saying for a while now. Back in June 2022, security incident in the Harmony Horizon Ethereum Bridge where closely protected private keys were decrypted by attackers and were able to execute unauthorized transactions and steal crypto assets. It was speculated that the attack was executed using a server/key compromise or thru social engineering. Tracking Lazarus Group (APT28) crypto transactions, it used Tornado Cash – a mixer used to launder stolen crypto assets. The FBI and US agencies will continue to attack Lazarus Group activities. Crypto exchanges and projects should closely secure sensitive assets/keys to prevent future incidents. Borrowing this from a Crypto Expert: Use of multi-signatures to manage high-value assets is best practice. Requiring more validators and ensuring that the compromise of a single private key does not place others at risk.
I hope you find these security news educational and informative. See you on my next TWIS edition!
Threat Actors and malware's alternative to Office Macros
Windows LNK files
Microsoft took its macros and went home, so miscreants turned to Windows LNK files
Microsoft's move last year to block macros by default in Office applications is forcing miscreants to find other tools with which to launch cyberattacks, including the software vendor's LNK files – the shortcuts Windows uses to point to other files.
"When Microsoft announced the changes to macro behavior in Office at the end of 2021, very few of the most prevalent malware families used LNK files as part of their initial infection chain," Guilherme Venere, threat researcher at Talos, wrote in a report dated January 19. "In general, LNK files are used by worm type malware like Raspberry Robin in order to spread to removable disks or network shares."
The files are also helping criminals gain initial access into victims' systems before running such threats as the Qakbot backdoor malware, malware loader Bumblebee, and IcedID, a malware dropper, according to the Talos researchers.
The advanced persistent threat (APT) group Gamaredon has also put LNK files to work, including a campaign that started in August 2022 against organizations in Ukraine.
The shift to other techniques and tools in the wake of Microsoft's VBA macros move was swift. Soon after the macros were blocked, Proofpoint researchers noted that cybercriminals were looking for alternatives, including ISO and RAR attachments, plus LNK files.
In LNK file, the target part reveals that LNK invokes a process - examople, the Windows Command Processor (cmd.exe). The target path has only 255 characters visible. However, command-line arguments can be up to 4096, so malicious actors can take advantage of this and pass on long arguments as they will be not visible in the properties.
The warhawk backdoor initial delivery was thru a Windows LNK file
XLL files, MS Excel Add-in
Microsoft closes another door to attackers by blocking Excel XLL files from the internet
In December, Cisco's Talos threat intelligence group detailed another tool that cybercriminals were targeting: Excel XLL files. The Talos researchers not only broke down how the crooks use the XLL files but detailed a sharp increase in their use since Microsoft shut the VBA macros door, noting that the first malicious samples were submitted to VirusTotal in 2017.
"For quite some time after that, the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it," Vanja Svajcer, outreach researcher for Talos, wrote in the report.
That shouldn't come as a surprise, Dave Storie, adversarial collaboration engineer at LARES Consulting, told The Register.
"When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternate avenues," Storie said. "This often leads to exploring previously known, perhaps less ideal, options for threat actors to achieve their objectives."
Even before this year, some researchers were seeing miscreants make their way to XLL files. Researchers with HP's Wolf Security said that in Q4 2021, there was a 588 percent year-over-year jump in attackers using the files to compromise systems, adding that they expected the trend to continue in 2022, though it was unclear at the time if Excel add-ins would replace Office macros as the cyber-weapon of choice.
XLL files are a type of DLL file that are only opened in Excel and enable third-party applications to add more functionality to spreadsheets. In Excel, if a user wants to open a file with a .XLL extension in Windows Explorer, the system will automatically try to launch Excel and open the file, triggering Excel to display a warning about possible dangerous code, similar to that shown when an Office document containing VBA macro code is opened.
And as with VBA macros, users often will disregard the warning.
"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code," Svajcer wrote.
Andrew Barratt, vice president at Coalfire, told The Register that reducing the number of dialog boxes which users have to deal with – and that cybercriminals know will be ignored by many – is a win for security teams.
"To steal a typical infosec buzzword, the best way to think of these are like 'next-gen' macro attacks," Barratt said. "As with many of these types of attacks, the best position for the software to take is to disable the capability and have a prompt-and-alert process. The challenge is that over time we see the 'are you sure, you're sure' fatigue set in."
Use of XLL files in delivery of Agent Tesla malware
Chains of Infection
Two possible chains of infection
A victim receives an email with a malicious attachment.
The attachment is either a malicious XLL or XLM file.
In the case of an XLL, when run it will either:
Drop an intermediate dropper that in turn will drop an Agent Tesla payload.
Download Agent Tesla payload from Discord.
Download Dridex payload from Discord.
In the case of an XLM, when run it will drop a VBS downloader that downloads and executes a Dridex sample from Discord.
While Agent Tesla and Dridex infection chains are not necessarily distributed by the same actor, they seem to be part of a new trend of infection vectors.
MD5 Collissions application - Certificate MD5 thumbprint collisions
Months after NSA disclosed Microsoft cert bug, datacenters remain unpatched
Most Windows-powered datacenter systems and applications remain vulnerable to a spoofing bug in CryptoAPI that was disclosed by the NSA and the UK National Cyber Security Center (NCSC) and patched by Microsoft last year, according to Akamai's researchers.
CryptoAPI helps developers secure Windows-based apps using cryptography; the API can be used, for instance, to validate certificates and verify identities.
The vulnerability in question (CVE-2022-34689) can be exploited by miscreants to digitally sign malicious executables in a way that tricks Windows and apps into believing the files are from trusted, legitimate sources and can be opened or installed. Exploiting this will involve getting said files onto victims' machines and run.
Alternatively, an attacker can craft a TLS certificate that appears to belong to another organization and trick an application into trusting the cert, if that application uses CryptoAPI to analyze the certificate. The app believes the attacker is the spoofed organization. The bug isn't a remote code execution flaw; it's a vulnerability that allows someone to pretend to be another to an application or operating system, in the context of identity and certificate cryptography checks on Windows.
There's a video [MP4] you can watch demonstrating exploitation against Chrome but here's the short version of that spoofing attack simply put.
At the heart of it, Microsoft used the hashing algorithm MD5 to index and compare security certificates. It's trivial to break MD5 with what's called a collision: a situation where two different blocks of data result in the same MD5 hash value. What's more, Microsoft used the four least-significant bytes of a certificate's MD5 thumbprint to index it.
So what you need to do is this: trick an application such as Chrome 48, which uses the Windows CryptoAPI, into connecting to a man-in-the-middle server that wants to pretend to be the website the user actually wanted. The malicious server sends the impersonated website's legit HTTPS cert to the browser, which passes it to CryptoAPI for processing and the cert is cached in memory on the user's PC.
The cert is stored in this cache using part of the MD5 thumbprint of the cert's data as the index. The malicious server meanwhile modifies the legit certificate so it can masquerade as the website, and ensures this new tampered-with evil certificate results in the same MD5-computed cache index as the real one. The server causes the browser to ask for the website's certificate again, at which point the server hands over the evil cert.
The CryptoAPI library computes the MD5 fingerprint for the evil cert and its index in the cache, sees that there's already a valid cert in the cache for that index, and thus trusts the evil certificate. Now you've tricked the system into thinking the malicious cert is real. How this is exploited in the real world to cause actual harm... well, you need to be a skilled and determined miscreant, and there are probably easier security weaknesses to target. See the above link to Akamai's write-up for full technical details.
"The root cause of the bug is the assumption that the certificate cache index key, which is MD5-based, is collision-free," the researcher duo explained. "Since 2009, MD5's collision resistance is known to be broken."
Certificate spoofing via MD5 collisions
MD5 collisions were first used to spoof SSL certificates. There is one major difference between that first attack and the scenario we deal with today: the previous scenario attacked MD5 signatures, but in the current vulnerability we are dealing with MD5 thumbprints.
Certificate MD5 thumbprint collisions
Now, we can piece things together and provide a recipe for manipulating an existing, already-signed certificate to collide with a malicious certificate’s MD5 thumbprint.
Take a legitimate RSA-signed end certificate, such as a website’s TLS certificate (our “target certificate”).
Modify any interesting fields (subject, extensions, EKU, public key, etc.) in the TBS part of the certificate to create the malicious certificate. Note: We don’t touch the signature, so the malicious certificate is incorrectly signed. Modifying the public key is important here — this allows the attacker to sign as the malicious certificate.
Modify the parameters field of the signatureAlgorithm field of both certificates, so that there is enough space to put MD5 collision blocks starting in the same offset of both certificates.
Truncate both certificates at the position where MD5 collision blocks are to be placed.
Perform an MD5 chosen prefix collision computation and copy the result into the certificates.
Concatenate the legitimate certificate’s signature value (suffix E in the explanation above) to both incomplete certificates.
One basic requirement of any cryptographic hash function is that it should be computationally infeasible to find two distinct messages that hash to the same value. MD5 fails this requirement catastrophically; such collisions can be found in seconds on an ordinary home computer.
FBI catches up with infosec and crypto communities, blames Lazarus Group for $100 million heist
The FBI has confirmed what cybersecurity researchers have been saying for months: the North Korean-sponsored Lazarus Group (APT28) was behind the theft last year of $100 million in crypto assets from blockchain startup Harmony.
Attackers on June 22, 2022, hit Harmony's Horizon Bridge – a cross-chain service used to transfer assets between Harmony's blockchain and other blockchains – and stole Ethereum, Wrapped Bitcoin, Binance Coin, and Tether.
In its January 23 statement on the matter, the FBI said the attack on Harmony was part of a North Korean malware campaign named "TraderTraitor."
The federal investigators said that on January 13, unnamed North Korean criminals used the privacy protocol Railgun to launder more than $60 million of Ethereum stolen during the Horizon Bridge hack and that a portion of the stolen Ethereum was then sent to several virtual asset service providers and converted to Bitcoin.
Some of the funds were frozen, while the remaining Bitcoin was sent to almost a dozen addresses. Two crypto exchanges – Binance and Huobi – froze the accounts used by Lazarus Group to launder the stolen Harmony assets.
The FBI said it and other US agencies will continue to attack North Korea's cyber crime activities. The Treasury Department last year slapped sanctions on both Tornado Cash and another crypto mixer, Blender – in large part for their work helping the Lazarus Group launder stolen crypto assets.
Our incident response team has discovered evidence that private keys were compromised, leading to the breach of the Horizon bridge. Funds were stolen on the Ethereum side of the bridge. The private keys were encrypted and stored by Harmony, with the keys doubly encrypted via passphrase and a key management service, and no single machine had access to multiple plaintext keys.
The attacker was able to access and decrypt a number of these keys, including those used to sign the unauthorized transactions and take assets in the form of BUSB, USDC, ETH and WBTC. All assets were then swapped to ETH and currently remain on the hacker’s account on the Ethereum network. No steps have currently been taken by the hacker to anonymize ownership of these assets.
Next steps and remedial actions taken by the Harmony Protocol
The Harmony Protocol team stated that they have upgraded the Ethereum side of the Horizon bridge to a 4-of-5 MultiSig in the wake of the incident, and are working continuously to enhance their operations and infrastructure security. Furthermore, the team emphasized that it is working closely with law enforcement officials and blockchain tracing partners as a part of ongoing investigations.
They have also offered $1 million for the return of Horizon bridge funds and any information about the exploit. The Harmony Protocol team also claimed that they will advocate for no criminal charges after the funds are returned. Reportedly, the cryptosphere has raised concerns about the size of the bounty, which is just 1% of the total amount stolen. It has been suggested that the bounty fee may be insufficient to incentivize the attackers to return the stolen funds, particularly considering that our analysis shows funds have already been laundered through Tornado Cash.
LESSONS LEARNED FROM THE ATTACK
The use of multi-signatures to manage high-value assets is best practice, but a 2 of 5 signature scheme provides little security. Requiring more validators and ensuring that the compromise of a single private key does not place others at risk (i.e. storing keys on separate systems, protecting them with unique passphrases or keys, etc.) can help to prevent similar attacks in the future.