Discover how GitGuardian's latest product innovations enhance your secrets security, streamline remediation, and improve incident management for better protection of your software supply chain.
The post Elevating your secrets security hygiene: H1 roundup of our product innovations appeared first on Security Boulevard.
Authors/Presenters:Harun Oz, Ahmet Aris, Abbas Acar, Güliz Seray Tuncay, Leonardo Babun, Selcuk Uluagac
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access. Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.
The post USENIX Security ’23 – RøB: Ransomware over Modern Web Browsers appeared first on Security Boulevard.
Background Concerns have been raised by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) over the potential exploitation of a […]
The post CVE-2024-6800: A critical authentication bypass vulnerability affects the GitHub Enterprise Server appeared first on HawkEye.
The CPS 234 Information Standard, established by the Australian Prudential Regulation Authority (APRA), mandates that organizations in the financial and insurance industries bolster their information security frameworks to safeguard themselves and their customers from the growing threat of cyber attacks.
The post 4 Key Requirements for APRA CPS 234 Compliance [+ CHECKLIST] appeared first on Security Boulevard.
Rain Technology has introduced Laptop Switchable Privacy. Designed for tier one manufacturers and supply chain providers, the embedded screen technology protects against visual hackers and snoopers for enterprises and consumers — at the office or remotely in vulnerable settings like cafes, planes, trains, subways and taxis. “Manufacturers who utilize this technology will be providing the highest level of device data security on the market, building strong brand affinity and fostering trust and loyalty,” explained Robert … More →
The post Rain Technology Laptop Switchable Privacy protects against visual hackers and snoopers appeared first on Help Net Security.
Adrian McCabe, Ryan Tomcik, Stephen Clement
IntroductionDigital analytics tools are vital components of the vast domain that is modern cyberspace. From system administrators managing traffic load balancers to marketers and advertisers working to deliver relevant content to their brand’s biggest fan base, tools like link shorteners, location trackers, CAPTCHAs, and digital advertising platforms each play their part in making information universally accessible and useful to all.
However, just as these tools can be used for good, they can also be used for malicious purposes. Mandiant and Google Cloud researchers have witnessed threat actors cleverly repurposing digital analytics and advertising tools to evade detection and amplify the effectiveness of their malicious campaigns.
This blog post dives deep into the threat actor playbook, revealing how these tools can be weaponized by attackers to add malicious data analytics (“malnalytics”) capabilities to their threat campaigns. We'll expose the surprising effectiveness of these tactics and arm defenders with detection and mitigation strategies for their own environments.
Get Shor.tyFirst entering the scene around the year 2000 and steadily gaining in popularity ever since, link shorteners have become a fairly ubiquitous utility for life on the Internet. In addition to the popular link shortening services like bit.ly and rb.gy, large technology companies like Amazon (a.co) and Google (goo.gl) also have (or had, in Google’s case) their own link shortening structures and schemas. In the legitimate advertising and marketing sense, link shorteners are typically used as a mechanism to track things like click-through rates on advertisements, or to reduce the likelihood that a complicated URL with parameterized arguments will get mangled when being shared. However, link shorteners and link shortening services have also been used by threat actors (MITRE ATT&CK Technique T1608.005) to obscure the URLs of malicious landing pages, and Mandiant has observed threat actors using link shorteners to redirect victims during the initial access phase of an attack chain. Some recent examples include:
A link shortener service used by UNC1189 (also known as “MuddyWater”) in spring of 2022 to funnel users to a phishing lure document hosted on a cloud storage provider.
A set of SMS phishing campaigns orchestrated by a financially motivated threat actor between spring of 2021 and late 2022, which leveraged link shorteners to funnel users through a nested web of device, location, and browser checks to a set of forms that ultimately attempt to steal credit card information.
A malvertising campaign in spring of 2023 that leveraged a link shortener to track click-through data for Dropbox URLs hosting malware payloads.
To demonstrate the capabilities of a link shortener service from a threat actor perspective, the service bit.ly will be featured in this blog post. Originally made popular on X (formerly Twitter) around 2008, bit.ly remains a popular link shortening solution. Like most modern software-as-a-service (SaaS) platforms, bit.ly offers multiple subscription levels based around levels of usage and feature availability (Figure 1).
Figure 1: bit.ly subscription page
In an attempt to avoid direct attribution, threat actors may use fake or stolen personal and/or payment information to complete the registration for such a subscription or service. Once the setup process has been completed, attackers can begin to generate shortened links (Figure 2).
Figure 2: bit.ly destination URL configuration
Figure 3: bit.ly customized URL configuration
As part of some bit.ly subscription levels, custom fields can be appended to URLs as parameters to gain further insights into their associated activity (see the “Custom URL parameter name” field and value pair in Figure 4). This feature set is obviously quite beneficial for social media brand influencers, marketers, and advertisers, but attackers can use this functionality to get added insights into their campaign activities.
In this fictitious example, let’s say an attacker intends to use a shortened bit.ly link as part of a larger SMS phishing campaign targeting phone numbers within the “703” area code. When opened, the link will direct users to an attacker-controlled fake payment site enticing the user to pay urgent outstanding invoices.
The attacker can configure parameters (Figure 4) to generate an Urchin Tracking Module (UTM) URL specific to this component of the phishing campaign (Figure 5) for tracking purposes. This bit.ly article contains more information on the legitimate use of these types of URL data fields.
Figure 4: Customized UTM parameter configuration
Figure 5: Parameterized URL structure with UTM fields
Though attackers typically would not have such fields in the URL parameters for their campaign infrastructure as overtly labeled as the example in Figure 5, the effectiveness of leveraging such online marketing integrations and data fields is readily apparent. In this scenario:
After these parameters are selected and the bit.ly links are fully configured, attackers can put their links into action. Once a campaign is underway and links are distributed through their medium of choice, attackers can monitor the activity to their shortened links using a dashboard interface (Figure 6).
Figure 6: bit.ly click-through analytics dashboard
Defending Against Attacks Leveraging Link ShortenersGiven the fairly ubiquitous nature of link shorteners, unilaterally blocking them from use within an environment is generally inadvisable as this decision would likely impact both productivity and user experience. Instead, defenders should consider implementing some form of automated analysis around them that has the ability to detect behavioral conditions, such as:
Additionally, it’s possible to identify suspicious behavioral patterns in network telemetry that may indicate link shortener abuse. As part of this exercise, we reviewed the network telemetry associated with two simulated attack chains leveraging a bit.ly URL as an Initial Infection Vector (IIV) and identified some viable elements of the traffic around which to potentially build detections or hunting strategies:
Attack Configuration
Network Requests
Hunting Strategy
bit.ly -> Credential Harvesting Page (afakeloginpage[.]xyz)
00:00:00 - init Client Hello (TLS), bit.ly
00:00:00 - init DNS resolution request, afakeloginpage[.]xyz
In bit.ly’s particular case, there is minimal delay (milliseconds) between the time a host initiates a connection via Client Hello and the time that the host initiates the DNS resolution for its final destination. If any DNS resolution telemetry is evident for a suspicious domain within such close proximity to bit.ly traffic (particularly for domains with non-standard TLDs like “.site,” “.xyz,” “.top,” or “.lol”), consider investigating the activity further.
bit.ly -> zip file hosted on Google Drive
00:00:00 - init Client Hello (TLS), bit.ly
00:00:00 - DNS resolution request, drive.google[.]com
00:00:00 - Client Hello, drive.google[.]com
00:00:00 - DNS resolution request, drive[.]usercontent[.]google[.]com
Similar to the aforementioned example, there is minimal delay (milliseconds) between the time a host initiates a connection via Client Hello for bit.ly and when it attempts to connect to and/or make domain resolutions for the domains drive.google.com and drive.usercontent.google.com. Any occurrence of these three domains being accessed from a given host in quick succession likely means that a remote file was accessed via bit.ly link and additional investigation into the associated host may be warranted. This detection approach can also be generalized by looking for the co-occurence of network requests for a bit.ly URL followed by a domain categorized by a firewall or proxy device as online storage or file sharing.
Table 1: Simulated bit.ly attack telemetry analysis The World in a String: Weaponized IP Geolocation UtilitiesIP geolocation utilities can be used legitimately by advertisers and marketers to gauge the geo-dispersed impact of advertising reach and the effectiveness of marketing funnels (albeit with varying levels of granularity and data availability). However, Mandiant has observed IP geolocation utilities used by attackers (MITRE ATT&CK Technique T1614). Some real-world attack patterns that Mandiant has observed leveraging IP geolocation utilities include:
Though elegantly simple, these capabilities are vital for attackers to gain insights into their active campaigns and to prolong their campaigns’ duration and effectiveness.
How2DoUn2OthersThough there are many examples of IP-based geolocation utilities that have been used by attackers, for illustrative purposes the example shown here will use ip2location.io.
Figure 7: Ip2Location.io subscription page
ip2location.io has a fairly robust feature set (Figure 7) with a free version offering a dedicated API key with respectable limits and upper tier subscriptions offering progressively granular insights into the IP address query results that would be useful to attackers. Using ip2location.io, it is possible to determine things like:
From an attacker perspective, a primary function of leveraging this type of tooling is integrating it with programmatic actions to both optimize targeting and evade detection. In the following example code snippet, a simple webpage can be configured with Javascript to perform a lookup using the ip2location API and redirect users to different pages based on their locale or connection type. If the user is connecting from a country outside the United States, it will show them an otherwise innocuous page. If the user is connecting from inside the U.S. and is not using a VPN or Tor (in contrast to some analysis sandbox environments), then they will be directed to a malicious webpage. If they are using a VPN or Tor, they will be shown an error page.
<script type="module"> let raw_response = await fetch('https://api.ip2location.io/?key=<key>&format=json'); let response_text = await raw_response.text(); var parsed_json = JSON.parse(response_text); if(parsed["country_code"]=="US") { if(parsed["proxy"]["is_tor"] == true || parsed["proxy"]["is_vpn"] == true) document.location = 'error.html'; else document.location = 'evilpage.html'; } else document.location = 'nothingburger.html'; </script>Though the previously shown example is configured to simply route connecting users to different pages based on their connection attributes, it also has the potential to be surprisingly effective at thwarting automated analysis tools. This sort of technique is particularly applicable to regional phishing attacks that target specific geo-dispersed companies or campaigns that target users in certain geographic regions.
Defending Against Attacks Leveraging IP Geolocation UtilitiesWhile IP geolocation utilities commonly appear on legitimate websites, it is less likely that such a methodology would be used programmatically by non-browser processes on endpoints, such as individual workstations. This is good news for defenders, as detection and hunting efforts can primarily focus on correlating observed URL-based telemetry data with anomalous events in endpoint telemetry.
For example, a simulated attack script can be seen in the following PowerShell code snippet using the ip2location.io service:
$Response = Invoke-WebRequest -UseBasicParsing -URI https://api.ip2location.io/?key=<key> if ($Response.Content.IndexOf('"country_code":"US"') -ne "0"){ $EvilScript = 'echo "<raw bytes of evil file to drop on disk>" >> C:\TEMP\out.tmp' iex $EvilScript }This command leverages PowerShell to programmatically connect to ip2location.io, determine if the host is connecting via a U.S.-based IP address, and, if so, drop the file “C:\TEMP\out.tmp” to disk.
In network-based telemetry, the User-Agent for the PowerShell Invoke-Webrequest function is clearly identified. Thus, a behavioral network detection for the PowerShell User Agent connecting to ip2location.io could be created to identify this activity. While this is a fairly narrow detection, the concept can be widened by defenders based on the size of their environment and their level of noise tolerance.
Doing the CAPTCHA-cha Slide: Evading Detection with Bot Classification ToolsCAPTCHA, which is short for Completely Automated Public Turing test to tell Computers and Humans Apart, was developed to prevent bots and automated activity from accessing and interacting with web forms and hosted resources. Implementations of CAPTCHA technology, such as Google’s reCAPTCHA or CloudFlare’s Turnstile, are used as a security measure to filter out unwanted bot activity while permitting human users to access websites and interact with forms and other elements of a webpage (e.g., HTML buttons). Traditionally, CAPTCHA security challenges have required users to solve a visual puzzle or perform a brief interactive task. More recent implementations perform passive score-based detection to identify bot activity based on behavioral characteristics.
Figure 8: Evolution of reCAPTCHA
While intended to address the issue of malicious activity, CAPTCHA technology has been co-opted for use by threat actors to evade detection and scanning of their malicious infrastructure and payloads by security tools (MITRE ATT&CK T1633.001). For example, threat actors have been observed using free CAPTCHA services to prevent dynamic access and detonation actions that are typically performed by email security technologies to determine if a URL is malicious. This provides threat actors with the ability to allow human users to access a phishing page while screening out programmatic activity and the usage of data transfer tools like cURL (Figure 9).
Figure 9: CAPTCHA victim flow
Mandiant has tracked UNC5296 abusing Google Sites services as early as January 2024 to host CAPTCHA challenges that redirect users to download a ZIP archive. The ZIP archive contains a malicious LNK file masquerading as a PDF file from a financial institution that, once executed, leads to the deployment of either AZORULT or DANCEFLOOR. Mandiant has also identified FIN11 using CAPTCHA challenges as part of a phishing campaign in June 2020 to deliver the FRIENDSPEAK downloader and MIXLABEL backdoor.
Defending Against Attacks Using Bot Classification ToolsCAPTCHA tools have an extensive, legitimate use on the Internet, which makes it challenging to detect when they’re being used for malicious purposes. CAPTCHA widgets are easily implemented within a website using a few lines of HTML to reference the corresponding JavaScript resource and a unique site key that’s associated with the user who registered the CAPTCHA challenge.
<html> <head> <title>reCAPTCHA Test</title> <script src="https://www.google.com/recaptcha/api.js"></script> <script> function passRedirect() { window.location.href = "https://www.youtube.com/watch?v=dQw4w9WgXcQ"; } </script> <div class="g-recaptcha" data-sitekey="<removed>" data-callback="passRedirect"></div> </html>When the CAPTCHA challenge is implemented within an intermediate webpage, defenders can use the network requests for the CAPTCHA JavaScript API files as potential detection or enrichment opportunities.
CAPTCHA Technology
Network Requests
Detection Strategy
reCAPTCHA v2
00:00:00 - screening website accessed
00:00:00 - www.google.com/recaptcha/api.js
00:00:00 - www.gstatic.com/recaptcha/releases/vjbW55
W42X033PfTdVf6Ft4q/recaptcha__en.js
00:00:20 - www.google.com/recaptcha/api2/anchor?ar=1&k=<unique reCAPTCHA sitekey>&co=<snip>
00:00:52 - redirection to website after passing CAPTCHA
Look for suspicious proxy or firewall events occurring within 1 second of requests for www.google.com and www.gstatic.com, further refine based on the URI(s) if TLS decryption is available. Potentially include a suspicious proxy or firewall event for the redirection domain occurring within 1 minute of the previous sequence.
CloudFlare Turnstile
00:00:00 - screening website accessed
00:00:00 - challenges.cloudflare.com/turnstile/v0/api.js
00:00:20 - redirection to website after passing CAPTCHA
Look for suspicious proxy or firewall events occurring within 1 second of a request for challenges.cloudflare.com
Table 2: Simulated CAPTCHA telemetry analysis A Real Jack-Ads: Stealing What Works for Loopholes and ProfitIn practice, marketers have many variables to consider when running an ad campaign. There is the content of the ad itself (e.g., text, video, images), the demographics of the intended audience, the geolocation of where the ad will be displayed, and the time of day it will be displayed, among many other factors. Starting a new ad campaign often requires experimentation and refinement on the part of the marketers to find an ad “formula” that best aligns with the product or service they are trying to advertise.
To get a head start on the process of digital advertising refinement, marketers can use competitive intelligence tools to see what ads their competitors are running. Depending on the tool, marketers can see keywords tied to their competition’s ads, the websites and applications the ad appeared on, media types associated with the ads (e.g., video, text, images), the landing pages users were shown after they clicked the ad, and many other notable advertising insights. One of the more well-known and robust tools for this includes AdBeat. Google and Meta also have repositories. These Search Engine Marketing (SEM) tools can provide insights to threat actors looking to set up malicious or dubious advertising campaigns (MITRE ATT&CK Technique T1583.008), including advertisement geolocation and effective keyword usage to circumvent Google Ads policies (Figure 10 and Figure 11).
Figure 10: Geolocation competitive intel tool functionality mentioned on the blackhatworld.com forum
Figure 11: Recommendation for competitive intel tools to assist with keyword refinement mentioned on the blackhatworld.com forum
Crafting a Malvertising Victim FlowTo illustrate how competitive intelligence tools can be used by threat actors, we’ll explore the steps involved in planning, staging, and executing a malvertising campaign based on a real-life campaign that was investigated and actioned by Google Ads threat researchers. An example of a process threat actors can use to create malvertising campaigns is outlined in Figure 12.
Figure 12: Steps for setting up a malvertising campaign
Copying an Ad That Works — What Can Marketers See?Much like their legitimate marketer counterparts, a typical starting point for attackers looking to launch a malvertising campaign is deciding which advertising keywords will attract the highest number of potential victims. Using keyword research features available in some Search Engine Marketing tools, a threat actor would be able to see how many users have historically interacted with ads related to specific keywords.
For example, based on the data available within one competitive intelligence tool, in June 2024, an estimated 220,000 clicks originated from relevant ads associated with the keywords “advanced ip scanner” from multiple domains, including two — “ktgotit[.]com” and “advanced-ip-scanner[.]com” — that did not have any associated traffic in June 2024 but have historically been associated with the same keywords. Then, in correlating this data with historical ads featuring the domain ktgotit[.]com, the following ad could be identified as a viable one for mimicking by an attacker*:
Figure 13: Ad snippet, ktgotit[.]com
*Using one of the competitive intelligence tools, SEM data associated with ktgotit[.]com indicates that the ad in Figure 13 may have generated an estimated 3,000 visits at a cost of just under $7,000.Typically, malicious advertisers employ several techniques in crafting their malicious ad content, including:
Additional insights like whether other malvertising campaigns are making it past moderation filters with misspellings of an official or legitimate website or using entirely unrelated web domains can also be helpful to attackers. Attackers can use this information to craft a convincing landing page that is shown to the user immediately after the ad is clicked to entice the user to move further into the victim flow.
The Clone WarsArmed with the strategic insights gathered from competitive intelligence tools, a would-be attacker could confirm that mirroring the victim flow previously used by the ktgotit[.]com malvertising campaign would be an effective strategy to expose their malicious ads to a high number of potential victims for a reasonable price. Thus, the attacker may then decide to:
At that point all that would be left for the attacker to do is to watch their analytics traffic and wait for victims!
Epilogue: We Done ktgotitIn the case of the ad directing users to ktgotit[.]com (Figure 13), the malware author used an e-commerce “decoy” page with cloaking to circumvent traditional automated analysis techniques and to conceal the final destination URL serving the malicious content. However, even cloaking mechanisms can be defeated (much to the lament of the Romulans), and in the case of ktgotit[.]com, Google threat researchers were able to determine the final destination URL for the page was hxxps://aadvanced-ip-scanner[.]com.
Figure 14: Landing page linked to ad, ktgotit[.]com
Figure 15: Recreated lure page shown only to connections that successfully pass the verification checks on ktgotit[.]com
In this scenario, the "Free Download" link in Figure 15 led to a download for a malicious archive file named “Advanced_IP_Scanner_v.3.5.2.1.zip” (MD5: “5310d6b73d19592860e81e4e3a5459eb”) from the URL “hxxps://britanniaeat[.]com/wp-includes/Advanced_IP_Scanner_v.3.5.2.1.zip”.
Defending Against Advertising AttacksAd networks should aim to respond quickly to new abuse tactics. Once an abuse methodology is known by one threat actor, it will soon become known by many.
For enterprises, an elegantly simple and proactive solution would be to consider elevating your environment’s current default browser security settings for everyday browsing. Most modern browsers seek to optimize a balance between usability and security when it comes to automated protective measures enabled by default (such as in Google SafeBrowsing). For some enterprise environments these can be elevated past default levels without much noticeable impact to overall user experience.
For individual users, when clicking on ads or links in ads, users should double-check the website address (URL) of the destination to make sure it matches the company or product in the ad and doesn’t contain typos. This is especially important on phones where the URL bar might be hidden. In the example shown in Figure 13, the URL for the ad was ”ktgotit[.]com” and the landing page content matched the domain shown in the ad (i.e., ktgotit). Yet, the content of the benign landing page showed dubiously formatted product details for loosely related products that all purported to be affiliated with different manufacturers, and the content of the malicious page (protected by cloaking mechanisms) did not have a domain that matched the one shown in the ad (Figure 13).
Users are also encouraged to double-check URLs prior to downloading files from domains that were sponsored by web advertisements. As demonstrated in Mandiant's "Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors," users were led to believe the files they were downloading were affiliated with unclaimed funds from the “Treasury Department.”
Google encourages users to report any ads they think may violate their policies or harm users so they can review and take action as needed. This article contains more guidance on how to report ads.
Indicators of CompromiseFilename
MD5
Description
Advanced_IP_Scanner_v.3.5.2.1.zip
5310d6b73d19592860e81e4e3a5459eb
Malicious archive file
URL
IP Address
Description
hxxps://ktgotit[.]com
172.67.216[.]166
(Cloudflare Netblock)
Malvertising landing page
hxxps://aadvanced-ip-scanner[.]com
82.221.136[.]1
Cloaked lure page
hxxps://britanniaeat[.]com/wp-includes
/Advanced_IP_Scanner_v.3.5.2.1.zip
3.11.24[.]22
(Amazon Netblock)
Malware download URL
ConclusionIn a digital world where every click leaves a trace, the line between data analytics tooling around marketing demographics and malware attack campaign optimization has become dangerously blurred to some degree. As the capabilities of legitimate tooling increases, so too will the capabilities of threat actors who choose to use them for nefarious purposes. However, as we have demonstrated through the practical examples shown throughout this blog post, by demonstrating how attackers use these tools and providing insights on ways defenders can proactively take steps to mitigate or eliminate their effects, mounting a viable and impactful defense against them is achievable.
Special AcknowledgmentsAdrian McCabe would like to thank Joseph Flattery for his subject matter expertise on digital marketing tools.
The authors would like to thank Mandiant Advanced Practices for their in-depth review of associated threat indicators.