The CyberWire Daily Podcast 4.5.23
Ep 1795 | 4.5.23

Genesis Market taken down. Proxyjackers exploit Log4j. Fast-encrypting Rorschach ransomware. More Killnet DDoS. Patch Zimbra now. Soft power and Russia’s hybrid war.


Dave Bittner: Genesis Market gets taken down. Proxyjackers exploit Log4j vulnerabilities. Fast-encrypting Rorschach ransomware uses DLL sideloading. Killnet attempts DDoS attacks against the German ministry. Carole Theriault ponders AI assisted cheating. Johannes Ullrich tracks malware injected in a popular tax filing website. And soft power and Russia's hybrid war.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 5, 2023.

Genesis Market taken down.

Dave Bittner: Popular online cybercriminal shop Genesis Market was seized by the FBI in an action that resulted in a takedown on Tuesday. The criminal operation has been linked to millions of cyber incidents across the world with over 80 million stolen credentials and fingerprints present on the site, Bleeping Computer reports. The Record describes Genesis Market as a one-stop shop for criminals selling both stolen credentials and the tools to weaponize that data. Unlike other criminal marketplaces, Genesis was unique in that it provided criminals with access to bots and browser fingerprints. These enabled malicious actors to access a victim's subscription platforms and banking services in a way that bypasses security warnings.

Dave Bittner: Mathew Gracey-McMinn, head of Threat Research at Netacea, said, "The Genesis Market was an invite-only marketplace that sells only what the market owners term bots. However, you could still discover it through a normal search engine." CNN reports that the FBI's Operation Cookie Monster [Cookie Monster noise] was broad in scope with many international law enforcement agencies participating. It followed a series of law enforcement operations involving coordinated arrests and raids. In January of last year, the FBI and Europol seized computer servers involved in criminal activity, and more recently, the FBI raided BreachForums and arrested its alleged proprietor.

Proxyjackers exploiting Log4j vulnerabilities.

Dave Bittner: Sysdig reports a wave of proxyjacking against devices vulnerable to Log4j exploitation for remote code execution. It's a criminal-to-criminal play and an illicit version of legitimate proxy sharing arrangements in which users agree to rent out their bandwidth. In proxyjacking, the arrangement is not only uncompensated but it's also forced onto a device without the owner's consent. There's an obvious analogy with cryptojacking. As Sysdig explains, proxyjacking is a foil to cryptojacking in that it mainly aims to make use of network resources, leaving a minimal CPU footprint.

Dave Bittner: And, of course, the resources can be resold on the criminal market.

Fast-encrypting Rorschach ransomware uses DLL sideloading.

Dave Bittner: Check Point is tracking a new strain of ransomware called Rorschach, which is one of the fastest ransomware strains observed by speed of encryption. The researchers note that the ransomware was deployed using DLL sideloading of the Cortex XDR Dump Service Tool, a signed commercial security product, a loading method which is not commonly used to load ransomware.

Dave Bittner: Check Point notified Palo Alto Networks and Palo Alto stated, "Palo Alto Networks has verified that Cortex XDR 7.7 and newer versions with content update version 240 released November 2021 and later content updates detect and block the ransomware. A new content update will be released next week to detect and prevent the usage of this DLL sideloading technique."

Killnet attempts DDoS attack against German ministry.

Dave Bittner: The Russian hacktivist auxiliaries of Killnet have attempted to disable a recently established German government website devoted to the economic reconstruction of Ukraine. The Distributed Denial of Service attacks have so far successfully been repelled, a representative of the Federal Ministry for Economic Cooperation and Development told Spiegel.

Dave Bittner: TVP World reports that the attacks began last week when the BMZ established the site and continued into yesterday. Proofpoint's report last week on Winter Vivern, also known as TA473, described the Russian threat actor's exploitation of a Zimbra vulnerability, CVE-2022-27926, to gain access to Zimbra-hosted webmail portals, from which the threat actor can gain access to NATO organizations involved with support for Ukraine. Winter Vivern impersonates Western organizations to conduct highly targeted, carefully prepared phishing operations against its targets.

Zimbra vulnerability exploited by Winter Vivern added to CISA's KEV.

Dave Bittner: On Monday, CISA added CVE-2022-27926 to its Known Exploited Vulnerabilities catalog. US federal civilian executive branch organizations have until April 24th to check their systems and secure them. Speaking of CISA, Director Jen Easterly told the Washington Examiner that, surprising as it's been that Russia hasn't hit US targets harder to disrupt American support for Ukraine, Russia hasn't been idle in the cyberspace around Ukraine proper.

Dave Bittner: Easterly said, "Frankly, I'm surprised that we have not seen attacks against critical infrastructure at home. Russia's relative restraint seems," she suggests, "due to deterrence. Russia understands that the US would regard a major attack as highly escalatory." She added, "I also think they've been very, very busy in Ukraine. Though we very much focus on the kinetic activity because it's so horrific, there's been a lot of cyber activity against Ukraine's critical infrastructure, civilian infrastructure."

Dave Bittner: The Council on Foreign Relations has an essay on one lesson that might be easily overlooked. In the piece, author Jason Healey argues that Ukrainian resilience in the face of Russian cyberattacks is evidence of the importance of soft power in cyber conflict.

Dave Bittner: Healey states, "Ukraine's cyber defenses have been remarkably resilient. There are multiple sources of this defensive strength. In particular, the savvy energy and determination of Ukrainian cyber organizations who've been adapting to Russian offensive campaigns since at least 2014 has been critical. Heeve [assumed spelling] has also been backed by cyber defense assistance from the private sector and offensive and defensive cyber interventions by US Cyber Command. These advantages were driven in large part by the strength of Ukrainian soft power: connections to allies, global tech firms, and networks of information security researchers allow states to mobilize defenses unavailable to others."

Dave Bittner: So alliances, commerce, diplomacy, regular back and forth, all of these lend important resilience in cyberspace. And that's not a lesson out of the grand illusion, either, but right off of the virtual battlefield.

Dave Bittner: Coming up after the break, Carole Theriault ponders AI assisted cheating. Johannes Ullrich tracks malware injected into a popular tax filing website. Stay with us.

Dave Bittner: I think many of us of a certain age are glad that the Internet wasn't around when we were foolish youths in high school, in middle school. That not everyone was carrying a camera around or there's a permanent record of every message you sent to each other. But what about school work? What about cheating in class and artificial intelligence? Carole Theriault has been pondering that question and she files this report.

Carole Theriault: Today, we have Vanja Svajcer, Vanja being a threat researcher at Cisco with 20 years under his belt in the industry. What he thought about the industry and how it's going to respond to this whole new ChatGPT, and OpenAI, and Microsoft's version, and Google's version, and how does the security industry respond to that?

Vanja Svajcer: Yes, it's certainly interesting times and I think security industry is one of the industries which is very happy to adopt kind of machine learning and artificial intelligence, let's call them. But we started very early, you know, with, you know, antispam classification with Bayesian filtering, which is basically a probability filtering. Where you would get by- if you receive an e- mail, you would get a probability whether some e-mail is spam or not. So it's a kind of a machine learning, let's say. And from then on, we move onwards to different models or different ways of classifying malicious content. And, I think, you know, that will definitely continue in the future.

Vanja Svajcer: There's almost no product today on the market which won't use the machine learning and artificial intelligence technology in one way or another. So with ChatGPT, I think we were all kind of surprised by the simplicity of it and how well it can generate text that's much more user-friendly as opposed to, let's say, Googling in a search engine. I mean, we are so much used to Google, and how we create those queries, and what kind of results do we get.

Vanja Svajcer: That now this sort of fundamental change of being able to describe what you want to some bot that comes back that essentially has the knowledge of the Internet, at some point, and generates the most probable text and the most probable output of what you described in the input is very fascinating.

Carole Theriault: So do you think we might see a world where we're gonna have basically automated threats being fought with automated security tools? That's what we're go- that's the road we're going down, isn't it, really? And we're gonna sit back eating popcorn.

Vanja Svajcer: It's difficult to say. We certainly are not yet there. And even if you can convince ChatGPT to write some malicious code, that code is actually quite basic compared to the state of the art of the malware code we are seeing today.

Carole Theriault: Right.

Vanja Svajcer: And a lot of time, when you write something, you really as a user of it, you need to have such a good experience because the generated code is not always up to scratch. And generated text, for example, with certainly with some fact, is misleading and some of the facts are not- certainly not correct. And the same way is with the code. So far, it's able to create some code. It needs a lot of handholding to create a little bit more advanced code, but a lot of user intervention is required. Now how it's going to develop by the ChatGPT 10 or whichever version comes will have this ability. And certainly the whole artificial intelligence community is working on new algorithms and so you never know when a new revolution and transform will appear, again.

Carole Theriault: Yeah. I think that's the big concern I have. There's a lot of players in the market all playing with quite powerful little tools and who knows what's going to spring up where. So we're all watching the everything, all the time.

Vanja Svajcer: Yeah. We see now that the ChatGPT API is included in many kind of security research and defending side little projects. But also on the offensive side and trying to kind of reuse the knowledge there in adopting to the environment and the- attacking some organization. We'll see what will happen, but the fact is that the technology they already have is still pretty reasonably effective for them, so they don't have to go and reinvent something completely new at the time.

Carole Theriault: Yeah. Well, as you say, it's interesting times.

Vanja Svajcer: Absolutely.

Carole Theriault: Thank you for sharing your world view with us Vanja Svajcer, threat researcher at Cisco Talos. This was Carole Theriault for the CyberWire.

Dave Bittner: And it is always my pleasure to welcome back to the show Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute and also the host of the ISC Stormcast podcast. Johannes, welcome back.

Johannes Ullrich: Great to be here, Dave.

Dave Bittner: So you and your colleagues are tracking an interesting development with a tax filing online service. What can you share with us today?

Johannes Ullrich: Yes, of course, interesting that it has happened sort of right in the midst of tax season., a website that offers e-filing services, as the name implies, was apparently compromised and was compromised around mid-March. Stayed compromised at least until the first weekend in April here. What happened was that malicious code was added to a JavaScript file on this site that directed users to an error page that looked fairly good. It looked like any other browser error page, but it told the user that, "Hey, you know, you can't connect to this website because your browser is out of date. And, by the way, here we have an update for you." Of course, this update turned out to be malicious and implemented a simple back door on victim systems.

Dave Bittner: So how do you suppose efile could have found themselves victim of this sort of thing?

Johannes Ullrich: I think it falls in the category of a supply chain attack. Some other people noticed that the file actually was modified beginning of March, but that modification looked benign, something that a developer may have done. It was just simply a couple of lines being added to the file. The file itself is legit. It's called popper.js. It's part of sort of the larger Bootstrap framework, so many sites have a file by that name with that content minus the malicious lines.

Johannes Ullrich: A couple of options here. Maybe a developer copied the file from the wrong location that was sort of already sort of preponed, essentially, or a developer's workstation got compromised. And an attacker noticed how the developer was experimenting with this file and then figured out that, "Hey, I can add my own code here. The developer will probably not notice."

Dave Bittner: And what does it seem like the bad guys are after here?

Johannes Ullrich: The bad guys pretty much are after remote control of victim systems. It's a fairly generic, if somewhat cumbersome back door. What's almost more scary about it is based on the way the back door is coded, we're not dealing with advanced, sophisticated adversaries here. Let's call them the not-so-advanced persistent threat, someone who probably stumbled over the ability to edit that file more or less by accident. Then figured out, "Hey, you know, let me experiment with a back door here." That's sort of what it looked like.

Dave Bittner: Any response from the folks at efile?

Johannes Ullrich: I reported it to them at the site first and via their support page. They basically asked for details, but that's where it stopped. I haven't heard from them at all. They removed the malicious part of the JavaScript on Monday that- or Tuesday, Tuesday morning, so it was April the 4th. And then on April the 5th, so Wednesday, they actually reverted to an older version of the website. If you're going to the website now with that older version, it has lots of references to 2021. Also, a lot of the additional content has been gone, so they're probably in some form of incident response mode while still trying to keep the business running. That's sort of what it appears to me.

Dave Bittner: Mm-hmm.

Johannes Ullrich: The website is still not configured right, like there's still very verbose error messages and a couple of things like this., the company itself, actually if you try to figure out anything about them, there isn't really much to them. They don't hire people, it appears. They don't really have any sort of named executives that I could find. It's, I don't know, it's sort of a company with like there's no LinkedIn presence or so from [inaudible 00:17:59]. And we tried to reach out to them. Yes, of course, how we sort of- how you try to get in contact with someone, alert them of this issue. It was kind of hard to figure out, you know, how to get in touch with them at all.

Dave Bittner: But it's fair to say that efile, itself, is a legit business, and the service they provide is the real deal?

Johannes Ullrich: Yeah, it's a perfectly legit website. It's certified by the IRS to provide e-filing services, so it's not that it's an outright malicious website. That's not the case. It's a perfectly legit website, and like I said, it's authorized by the IRS. I verified this. And that's not- it's not that easy to verify on the IRS website, but yes, there is a note that does business with the IRS and so they didn't just copy and paste the logo to their website.

Dave Bittner: Hm. Is the lesson here to be cautious of a site telling you that you need to update your browser?

Johannes Ullrich: Definitely. So that's something that you definitely should never do if a site does that. If that ever happens, close your browser and then, you know, use the browser's built-in update mechanism to verify if the browser is indeed out of date. This can happen, but you should never just download anything because a website tells you to. That's- that would definitely be odd. The tricky part here, of course, is that if a trusted website like this is compromised, the attacker could tell you, "Hey, this is tax filing software that you need for" And that, of course, would be more difficult to figure out for a victim, not to give any attackers any ideas. But it- this attack was definitely not sort of used to its full potential.

Dave Bittner: Yeah, and of course, just timing-wise, it is that busy time of year for a company like efile and also for the folks who'd be using it, it's time sensitive, as well.

Johannes Ullrich: Exactly, and that's the other thing with anything time sensitive like this, I know we all like to file our taxes on the 15th, but do it a little bit earlier so if something like this happens, you have time to react. You have time to think and maybe go to a different site. Making decisions under duress kind of if you have to get those taxes filed today is always dangerous.

Dave Bittner: All right, well, there are more details here if folks are interested over on the ISC section of the SANS website. Johannes Ullrich, thanks for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our "Daily Briefing" at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.