
WHAT'S NEW IN LABYRINTH DECEPTION PLATFORM: RELEASE 2.0.32

News

Labyrinth has released a new version of its solution for detecting and stopping intrusions within corporate networks. This update offers a number of improved features, which we discuss in detail in this article.


New + Improved

Partial Generate/Terminate for Honeynets

Unlike the classic Generate/Terminate process, which creates Points globally for all Honeynets, the partial Generate/Terminate process generates or deletes Points for each Honeynet separately. This makes changes to the Labyrinth configuration much faster, because there is no need to wait for Points to be created for all Honeynets when making minor changes to a particular Honeynet.



Access to the web interface from Worker Node

Since this release, the Labyrinth web interface is available not only from the Admin Console but also from every Worker Node. It is now enough to enter the IP address of the Worker Node in the browser's address bar and the main Labyrinth web interface is displayed.

This feature is useful in distributed Labyrinth installations, where one or more Worker Nodes are installed in different locations and access to the location of the Admin Console is limited.

NOTE The web interface on the Worker Node is enabled by default and cannot be disabled at this time. The option to disable this feature is planned for the next release.


Optional scanning of Honeynets networks

Before each Labyrinth Generate process, all networks registered in the configuration of all Honeynets are scanned. Network scanning is needed to automatically find services (IP addresses and ports) for the Universal Web Point (HTTP/HTTPS services), Windows 10 Host (RDP services), etc. This allows Labyrinth deployment to start automatically or semi-automatically.

The scanning process significantly slows down the Labyrinth generation process (depending on the number of networks and their size), and in some Honeynet configurations it is not required. For example, if the web services for the Universal Web Point are specified in the Allowed IP Addresses (CSV) field of a Honeynet configuration, there is no need to scan the network to find web services.

Starting from this release, scanning of Honeynet-related networks can be enabled or disabled in the configuration of each Honeynet. This significantly speeds up the generation process.

Together with partial generation, this feature significantly reduces the time needed to make changes to Labyrinth configurations.


Improved Universal WEB Point

The Universal Web Point type has been significantly redesigned. The main functions include the following:

  1. Automatic cloning of the TLS/SSL certificate. When a Point of this type starts, it tries to create a self-signed certificate that is as similar as possible to the original.
  2. Ability to "listen" on more than one TCP port. Previously, a Point of this type could "listen" on only one TCP port, so if the original application, say, "listens" on port 80 with a redirect to HTTPS, the Universal Web Point would listen only on HTTPS.
  3. Added detection and simulation of the Log4Shell vulnerability.


Settings Integrations migration

The Settings -> Integrations options have been significantly redesigned and improved. These changes concern both the appearance (a more compact list of integrations) and fixing minor bugs.

NOTE We recommend checking the integration settings after the upgrade.

Wordlists forms and Honeynet refactoring

Wordlists (hostnames, usernames, passwords) have been significantly redesigned. In contrast to the global lists previously used to generate Labyrinth, these lists are now customizable for each Honeynet. It is now possible to specify different lists, for example of hostnames, for each network segment.


List of available (downloaded) Wordlists:


Honeynet settings:


The new Point type: VMware vCenter Virtual Appliance

Added a new type of Point: VMware vCenter Virtual Appliance. This is an imitation of the login form of the VMware vCenter 6.8 Virtual Appliance, which contains the Log4Shell vulnerability.

Fixes

Seeder Tasks: empty seeder tasks after generation

Fixed. Under certain circumstances, Seeder Tasks were not generated for Seeder Agents that connected after Generate. Expected behavior: after Generate, Seeder Tasks should be created for new agents that connect after Generate.


Seeder Tasks: empty related point_id

Fixed. With certain Labyrinth settings, the following situation could arise:


TLS Certificate and Key Content-Type issue

Fixed. If an uploaded certificate or key was in the correct format but had the wrong file extension, it could not be uploaded. Now the file extension no longer matters; what matters is the correct file format: a PEM-encoded X.509 certificate and a PEM-encoded RSA key.
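The fix above amounts to "validate the content, not the extension". The following Go program, written here as an added example (it is not Labyrinth code and the function names are this example's own), classifies an uploaded blob purely from its PEM content using Go's standard library, rejects files whose PEM label does not match their DER payload, and checks that a certificate/key pair actually belongs together. The certificate and key are constructed at run time; the misleading file names in main() are deliberate.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeMaterial builds constructed test material: a throwaway RSA key and a
// self-signed certificate, PEM-encoded the way an operator would upload them.
func makeMaterial() (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "honeypot.example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

// Classify decides what an uploaded blob is from its content alone. The
// file name and extension are never consulted: a ".txt" holding a valid PEM
// certificate is accepted and a ".crt" holding junk is rejected.
func Classify(data []byte) (string, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return "", errors.New("no PEM block found")
	}
	switch block.Type {
	case "CERTIFICATE":
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return "", fmt.Errorf("CERTIFICATE block with invalid DER: %w", err)
		}
		return "x509-certificate", nil
	case "RSA PRIVATE KEY":
		if _, err := x509.ParsePKCS1PrivateKey(block.Bytes); err != nil {
			return "", fmt.Errorf("RSA PRIVATE KEY block with invalid DER: %w", err)
		}
		return "rsa-private-key", nil
	case "PRIVATE KEY": // PKCS#8 wrapper; accepted only if it carries an RSA key
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return "", fmt.Errorf("PRIVATE KEY block with invalid DER: %w", err)
		}
		if _, ok := k.(*rsa.PrivateKey); !ok {
			return "", errors.New("PKCS#8 key is not RSA")
		}
		return "rsa-private-key", nil
	}
	return "", fmt.Errorf("unsupported PEM type %q", block.Type)
}

// KeyMatchesCert confirms the private key belongs to the certificate, so an
// accepted pair is a usable pair rather than two unrelated valid files.
func KeyMatchesCert(certPEM, keyPEM []byte) (bool, error) {
	cb, _ := pem.Decode(certPEM)
	kb, _ := pem.Decode(keyPEM)
	if cb == nil || kb == nil {
		return false, errors.New("no PEM block found")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return false, err
	}
	key, err := x509.ParsePKCS1PrivateKey(kb.Bytes)
	if err != nil {
		return false, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false, errors.New("certificate public key is not RSA")
	}
	return pub.Equal(&key.PublicKey), nil
}

func main() {
	certPEM, keyPEM, err := makeMaterial()
	if err != nil {
		panic(err)
	}
	// Deliberately misleading names: only the content decides the outcome.
	for name, data := range map[string][]byte{"server.txt": certPEM, "server.crt": keyPEM} {
		kind, err := Classify(data)
		fmt.Printf("%s -> %s (err=%v)\n", name, kind, err)
	}
	ok, _ := KeyMatchesCert(certPEM, keyPEM)
	fmt.Println("key matches certificate:", ok)
}
```

Classify parses the DER payload rather than trusting the PEM label, so a file with a "CERTIFICATE" header wrapping a private key is rejected instead of being stored as a certificate; KeyMatchesCert catches the second common upload mistake, a valid certificate paired with somebody else's valid key.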


Learn more about Labyrinth's innovative cyber solution.


iIT Distribution is the official distributor of the Labyrinth solution and provides not only the software but also a full range of support and consulting services. Our company offers an initial expert assessment of the state of information security (IS) of your company by qualified specialists, selection of equipment and software, and the implementation of comprehensive cybersecurity solutions in the existing infrastructure. In today's reality, it is very important to remain vigilant and not postpone the issue of protecting your systems.


Palo Alto Networks has informed customers about vulnerabilities that could allow an attacker to disable the Cortex XDR platform

News

Palo Alto Networks has informed customers about vulnerabilities that could allow an attacker to disable its products, namely Cortex XDR, its flagship threat detection and response platform with broad coverage, from endpoint protection to network and cloud protection!


The issues became known from a researcher with the handle mr.d0x, who reported that the Cortex XDR agent can be bypassed by an attacker with elevated privileges. The researcher found that the agent can be disabled by a local attacker with administrator rights simply by changing a registry key, which leaves the endpoint vulnerable to attacks. Moreover, the tamper-protection feature does not prevent the use of this method.


In addition, mr.d0x found that there is a default "uninstall password" which (if it was not changed by the administrator) can also be used to disable the XDR agent. And if the default password was changed, the hash of the new password can be obtained from a file, which gives an attacker the opportunity to try to crack the password.

Moreover, an attacker without administrator rights can also obtain this hash. The researcher said he discovered these vulnerabilities back in the summer of 2021 but only now published a blog post with a detailed description of the findings, in order to give the vendor enough time to take appropriate measures. However, Palo Alto Networks is still working on fixes and protections against these issues.


Apart from all this, the cybersecurity company informed customers of a denial-of-service (DoS) vulnerability affecting the DNS proxy feature in its PAN-OS software. In a man-in-the-middle (MitM) attack scenario, an attacker can use specially crafted traffic to disrupt vulnerable firewalls. Patches are available for all supported PAN-OS versions.

Also in a MitM scenario, an attacker can launch a DoS attack against PAN-OS, the GlobalProtect app and the Cortex XDR agent using a recently patched OpenSSL vulnerability tracked as CVE-2022-0778.


Palo Alto Networks stated that it is not aware of attacks exploiting these vulnerabilities in the wild and that, in its opinion, these bugs have a severity rating of "medium", "low" or "informational".


Advanced anti-DDoS solutions from A10 Networks are available for installation!

News

Whether we like it or not, in today's environment our systems are in the zone of cyber warfare to one degree or another. You must be prepared for the worst, as threats are waiting for their potential victims at every turn, and that is why the iIT Distribution team understands how important it is to be committed to an ongoing process of customer protection.


Due to temporary constraints on the supply of hardware from A10 Networks, the leader in developing solutions for traffic balancing, network perimeter protection and IP addressing optimization, we would like to draw your attention to the high-performance anti-DDoS solution A10 Thunder TPS, available for seamless and fast deployment in a virtual environment.

High scalability, performance and deployment flexibility make vThunder TPS a leader among cyber products for detecting and preventing DDoS attacks. Depending on the type of license and the hardware capabilities of the virtual environment, this solution can work with up to 100 Gbps, supporting flow detection of up to 1.5 million frames per second. A wide range of implementations on any virtual platform (ESXi, KVM, Hyper-V) makes vThunder TPS easily adaptable to all possible deployment options.

Learn more about solutions from A10 Networks.


We are ready to provide our customers with A10 Thunder TPS trial licenses with full functionality for the required term (pilot period, setup, and start-up periods). Please pay attention that after signing the contract for purchasing the solution, the license replacement will take minutes without causing the customer's system to stop. This also applies to other products from A10 (A10 Thunder ADC and A10 Thunder CGN).

iIT Distribution is an official distributor of A10 Networks, providing distribution and promotion of the vendor's solutions in Ukraine, Kazakhstan, Uzbekistan, and Georgia, as well as professional support in their design and implementation.


Inspur Information Rated Gartner Hype Cycle Sample Vendor of Cloud-Optimized Hardware for Second Year

News

Inspur, a leading provider of server equipment, storage systems and cloud computing services, has once again been selected by Gartner as a Sample Vendor of cloud-optimized hardware for its “Hype Cycle for Cloud Computing".


Gartner mentions Inspur in its reports for the second year in a row, highlighting the benefits of the company's main cloud technologies in active use today, as well as innovations that are emerging to support future needs.

According to Gartner, a world-leading information technology research and consulting firm, large-scale mature applications will be introduced in the next 2-5 years due to an increasing number of cloud-optimized hardware innovations for large-scale cloud data centers.


Cloud computing has pushed the limits of hyperscale cloud services in terms of agility and elasticity. Gartner's report shows that in the field of infrastructure, hyperscale cloud service providers need more agile and innovative products and services to reduce power consumption and operating costs of data centers, and to optimize specific workloads. Hyperscale cloud service providers are working with device manufacturers to adopt cloud-optimized hardware, and an increasing number of IT teams are using cloud-optimized hardware in their large-scale data centers.

This hardware mainly includes servers, networks, storage, and customized chips. Gartner pointed out that cloud-optimized racks and server designs can reduce power consumption based on loads, simplify physical installation, and speed up delivery. For example, the Open Compute Project (OCP), in which Inspur has an active role, defines standards for all-in-one rack servers in data centers. The data shows that by using cloud-optimized open computing all-in-one rack servers, a large-scale data center customer of Inspur Information decreased its power consumption by 30%, reduced system failure rates by 90%, increased the ROI by 33% and increased OPS efficiency more than threefold. Inspur Information was able to deliver 10,000 servers to the customer each day.


To date, open computing technologies have been applied on a large scale in Internet companies, which operate the most advanced data centers. Top companies in key industries such as communications, finance, and energy around the world have also joined open computing organizations and make full use of open computing technologies in building their data centers.

As the world's only server vendor that has joined all three open computing organizations (OCP, ODCC, Open19), Inspur Information actively contributes product specs, participates in the development of standards, and leads project implementation. By leveraging open computing, an innovative way to enable global collaboration, Inspur Information works with the upstream and downstream enterprises in the industry to explore sustainable innovative solutions for the infrastructure of large-scale data centers, such as liquid-cooled servers, high-speed network communication, and intelligent OPS.

Gartner recently released its global server market data for the third quarter of 2021. Inspur Information ranked second in the world with a market share of 11.3%. With its global presence expanding rapidly, Inspur Information has a rising market share across many industries, which it attributes to its contribution to open computing organizations.


iIT Distribution is the official distributor of reliable and competitive Inspur products in Ukraine, Georgia, Kazakhstan and Uzbekistan, offering its support in implementing the company's intelligent solutions in many production areas. iITD strives to provide its customers with only high-tech and efficient equipment to build a reliable enterprise IT infrastructure.

Get to know Inspur products better! The product line will be supplemented with new products, so stay tuned.


FAST DELIVERY OF INFINIDAT AND INSPUR SOLUTIONS AVAILABLE NOW!

News

iIT Distribution announces that, despite all the external circumstances, the company's logistics is working intensively!

You can simply take advantage of fast delivery of multi-petabyte enterprise-class DSS solutions from INFINIDAT, as well as Inspur high-end server hardware on demand. We are ready to deliver your selected products in a MAXIMUM of 45 days after you submit your order.

To order, contact infinidat@iitd.com.ua and inspur@iitd.com.ua respectively.


As a reminder, INFINIDAT is the market leader in storage systems according to the Gartner 2021 Magic Quadrant for core storage systems! The company has developed its own innovative storage technologies (both primary storage, InfiniGuard solutions, and disk backup, built using the market-leading InfiniBox solution) and reliable protection of thousands of terabytes of data at the lowest possible price.

Learn more about INFINIDAT solutions.


We are excited to introduce you to the products of Inspur, the company that is the absolute leader in the Chinese AI server market and the No. 3 server provider in the world (according to IDC and Gartner estimates). Inspur's high-end storage solutions have set more than 80 records in various tests, such as TPC-E, TPC-H, SPECAppServer and SPECPower!

Check out products from Inspur to suit all tastes!


If you have delayed this before, now is the time to focus on the selection and purchase of truly high-quality equipment for reliable storage of data from world leaders in the industry.

iIT Distribution is constantly concerned about the security and efficient, uninterrupted operation of our customers' IT infrastructures. In wartime, we feel a special responsibility for the security and digital comfort of every customer. That is why iITD, as an official distributor of INFINIDAT and Inspur, will continue to offer its support in selecting, designing and implementing the most effective cyber solutions of these vendors.


Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities

Release

On Feb. 23, 2022, destructive attacks were conducted against Ukrainian entities. Industry reporting has claimed the Go-based ransomware dubbed PartyTicket (or HermeticRansom) was identified at several organizations affected by the attack, among other families including a sophisticated wiper CrowdStrike Intelligence tracks as DriveSlayer (HermeticWiper).

Analysis of the PartyTicket ransomware indicates it superficially encrypts files and does not properly initialize the encryption key, making the encrypted file with the associated .encryptedJB extension recoverable.


Technical Analysis

A PartyTicket ransomware sample has the SHA256 hash 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382. It has been observed with the file names cdir.exe, cname.exe, connh.exe and intpub.exe.

The ransomware sample, written in Go version 1.10.1, contains many symbols that reference the U.S. political system, including voteFor403, C:/projects/403forBiden/wHiteHousE and primaryElectionProcess.

The ransomware iterates over all drive letters and recursively enumerates the files in each drive and its subfolders, excluding file paths that contain the strings Windows and Program Files, and the folder path C:\Documents and Settings (the latter folder was replaced in Windows versions later than Windows XP with C:\Users). Files with the following extensions are selected for encryption:


acl, avi, bat, bmp, cab, cfg, chm, cmd, com, contact, crt, css, dat, dip, dll, doc, docx, dot, encryptedjb, epub, exe, gif, htm, html, ico, in, iso, jpeg, jpg, mp3, msi, odt, one, ova, pdf, pgsql, png, ppt, pptx, pub, rar, rtf, sfx, sql, txt, url, vdi, vsd, wma, wmv, wtv, xls, xlsx, xml, xps, zip


For each file path that passes the path and extension checks described above, the ransomware copies an instance of itself to the directory it was executed from and executes the copy via the command line, passing the file path as an argument. The parent ransomware process names its clones with a random UUID generated by a public library that uses the current timestamp and the MAC addresses of the infected host's network adapters.

The malware developer attempted to use Go’s WaitGroup types to implement concurrency; however, due to a likely coding error, the ransomware creates a very large number of threads (one per enumerated file path) and copies its own binary into the current directory as many times as there are selected files. After all encryption threads have ended, the original binary deletes itself via the command line.

When the sample receives a file path as an argument, it encrypts the file using AES in Galois/Counter Mode (GCM). The AES key is generated using the Intn function of Go's rand package to select offsets in the character array 1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ, producing a 32-byte key. Due to another likely coding error, the seed for the Intn function is only updated after the key is generated, so the same AES key is produced each time the binary and its clones are run. All of the files encrypted on a host are encrypted with the same key, and knowledge of the corresponding PartyTicket sample's key enables their decryption. A script using this flaw to recover the encrypted files is available on the CrowdStrike Git Repository.
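Why a fixed seed makes the key recoverable is easiest to see in code. The program below is an added example written for this article; it is not the PartyTicket binary nor CrowdStrike's decryption script. It reproduces the key-derivation pattern the analysis describes (32 Intn draws over the stated character set from a math/rand source whose seed never changes before the draw) and then recovers an AES-GCM ciphertext without ever being handed the key, simply by running the same derivation again. Two things are this example's own assumptions: the fixed seed value 1 (the seed Go's unseeded global source used before Go 1.20; the analysis only says the seed is fixed) and the nonce framing (a random 12-byte nonce prepended to the ciphertext, since the analysis does not describe the sample's layout).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	crand "crypto/rand"
	"errors"
	"fmt"
	"math/rand"
)

// Character set and key length as described in the analysis above.
const keyCharset = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"
const keyLen = 32

// deriveKey reproduces the flawed generator: 32 Intn() draws from a math/rand
// source whose seed is fixed when the key is drawn. Seed 1 is an assumption of
// this example (it is what an unseeded global source used before Go 1.20);
// the point is that the seed is constant, not its particular value.
func deriveKey() []byte {
	r := rand.New(rand.NewSource(1))
	key := make([]byte, keyLen)
	for i := range key {
		key[i] = keyCharset[r.Intn(len(keyCharset))]
	}
	return key
}

// encryptAESGCM seals plaintext and prepends the random nonce to the output.
// This framing is the example's own choice, not the sample's observed layout.
func encryptAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := crand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

// recoverWithRederivedKey opens a ciphertext without being given the key: it
// runs the same deterministic derivation again. GCM's authentication tag also
// tells us whether the re-derived key was the right one.
func recoverWithRederivedKey(ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey())
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, sealed := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

func main() {
	// Constructed "victim file" contents.
	plaintext := []byte("quarterly report, constructed sample content")
	ct, err := encryptAESGCM(deriveKey(), plaintext)
	if err != nil {
		panic(err)
	}
	pt, err := recoverWithRederivedKey(ct)
	fmt.Printf("derived key: %s\nrecovered: %q (err=%v)\n", deriveKey(), pt, err)
}
```

The same property that lets a responder recover files is what a reviewer should look for in any code that keys AES from math/rand: a generator seeded once (or never) before the key is drawn produces the same bytes on every host, and a single recovered key unlocks every file. A key derived from crypto/rand has no such shortcut.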

For each file, the AES encryption key is itself encrypted with RSA-OAEP, using a public RSA key that has the following parameters:

Modulus (N): 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
Exponent (E): 0x10001


Before encryption, the ransomware renames the file using the format <original file name>.[[email protected][.]com].encryptedJB (“JB” very likely stands for the initials of the United States president Joseph Biden, given the other political content in the binary). The ransomware then overwrites the content with the encrypted data. PartyTicket will only encrypt the first 9437184 bytes (9.44 MB) of a file. If the file passed as an argument is larger than this limit, any data above it is left unencrypted. After the file contents are encrypted, PartyTicket appends the RSA-encrypted AES key at the end of the file.

The ransomware also writes an HTML ransom note on the user’s desktop directory with the name read_me.html (Figure 1). Unless they are intentional mistakes, grammar constructs within the note suggest it was likely not written or proofread by a fluent English speaker.

Figure 1. Ransom note


Assessment

CrowdStrike Intelligence does not attribute the PartyTicket activity to a named adversary at the time of writing.

The ransomware contains implementation errors, making its encryption breakable and slow. This flaw suggests that the malware author was either inexperienced writing in Go or invested limited efforts in testing the malware, possibly because the available development time was limited. In particular, PartyTicket is not as advanced as DriveSlayer, which implements low-level NTFS parsing logic. The relative immaturity and political messaging of the ransomware, the deployment timing and the targeting of Ukrainian entities are consistent with its use as an additional payload alongside DriveSlayer activity, rather than as a legitimate ransomware extortion attempt.


YARA Signatures

The following YARA rule can be used to detect PartyTicket:


Script to Decrypt PartyTicket Encrypted Files

Due to the previously discussed implementation errors in the AES key generation, it is possible to recover the AES key used for encryption by PartyTicket. The Go script below decrypts files encrypted by PartyTicket sample 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382. The script takes the file to be decrypted as an argument via the "-p" flag and saves the decrypted output to "decrypted.bin" in the same directory. The script can be built as an executable or run with the go run command; it was tested using Go version go1.16.6.


Learn how to protect your organization from modern cyberattacks by using CrowdStrike products.


iIT Distribution is the official distributor of CrowdStrike solutions, which enable companies to use advanced technologies to build uninterrupted protection of their IT infrastructures. We work closely with our clients, providing a full range of project support services.



HOW NOT TO BECOME AN "UNWITTING ACCOMPLICE" OF RUSSIAN CYBER ATTACKS ON UKRAINIAN SYSTEMS (PART 3)

News

Take active steps to protect your organization from becoming a puppet in the hands of Russian cyber intruders


What good does revealing the information in the previous two articles in our series do? It clearly shows that many organizations worldwide may have services that are contributing to attacks on Ukrainian digital infrastructure. While these contributions are not intentional, since they are legitimate systems that have been manipulated into becoming DDoS weapons, IT professionals should look at their systems and act, using all their tools, not just DDoS protection systems.


Steps to address this issue can include:

  • Turn off any non-essential services that might generate potential attacks
  • Investigate unusual traffic flows from the organization around protocols that could be used in amplification and reflection attacks, specifically UDP services (e.g., traditional protocols like DNS and NTP, and less common protocols like ARD and CLDAP)
  • Turn on available access controls on firewalls and networking equipment to prevent systems from being weaponized
  • Ensure all systems are patched and up to date to combat known CVEs
  • Review guidelines from multiple sources (CISA, vendors, and other security resources) to keep up to date on the evolving situation, and then take steps to ensure systems are secure
  • Check that procedures are in place in case of cyberattacks. This is especially important since DDoS attacks have often been used as smokescreens to distract from other attacks
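The second item above, investigating outbound UDP flows from the reflector-capable services named in the list, is the one most teams can act on with data they already export. The Go program below is an added example (not A10 code, and the flow-record format is this example's own, modelled loosely on NetFlow fields): it aggregates outbound UDP flows that leave internal hosts from DNS, NTP, CLDAP or ARD source ports and flags a source that answers many distinct external destinations with large responses, the signature of a server being used as an amplifier. The records are constructed, using documentation address ranges.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Flow is one unidirectional flow record (constructed format, not any
// vendor's export schema).
type Flow struct {
	Src, Dst         string
	Proto            string
	SrcPort, DstPort int
	Packets, Bytes   int
}

// UDP services from the checklist above that are commonly abused as
// reflectors, keyed by the source port their responses leave from.
var reflectorPorts = map[int]string{53: "DNS", 123: "NTP", 389: "CLDAP", 3283: "ARD"}

// Constructed records: 10.0.0.5 sends large NTP responses to six unrelated
// external hosts; 10.0.0.7 answers a normal volume of DNS to two resolvers.
// The inbound and TCP records are there to be ignored.
var sampleFlows = []Flow{
	{"10.0.0.5", "198.51.100.10", "udp", 123, 40201, 40, 18720},
	{"10.0.0.5", "198.51.100.11", "udp", 123, 40202, 40, 18720},
	{"10.0.0.5", "198.51.100.12", "udp", 123, 40203, 40, 18720},
	{"10.0.0.5", "198.51.100.13", "udp", 123, 40204, 40, 18720},
	{"10.0.0.5", "198.51.100.14", "udp", 123, 40205, 40, 18720},
	{"10.0.0.5", "198.51.100.15", "udp", 123, 40206, 40, 18720},
	{"10.0.0.7", "203.0.113.2", "udp", 53, 51000, 100, 9000},
	{"10.0.0.7", "203.0.113.3", "udp", 53, 51001, 100, 9000},
	{"198.51.100.10", "10.0.0.5", "udp", 40201, 123, 40, 3600},
	{"10.0.0.9", "203.0.113.9", "tcp", 443, 52000, 500, 400000},
}

func isInternal(ip string) bool {
	return strings.HasPrefix(ip, "10.") || strings.HasPrefix(ip, "192.168.")
}

type Suspect struct {
	Src, Service          string
	SrcPort, Dests, Bytes int
	BytesPerPacket        float64
}

type srcKey struct {
	Src     string
	SrcPort int
}

// FindReflectors aggregates outbound UDP flows leaving internal hosts from
// reflector ports and flags sources that answer at least minDests distinct
// external destinations with at least minBytesPerPacket on average.
func FindReflectors(flows []Flow, minDests int, minBytesPerPacket float64) []Suspect {
	type agg struct {
		dests          map[string]bool
		packets, bytes int
	}
	byKey := map[srcKey]*agg{}
	for _, f := range flows {
		if f.Proto != "udp" || !isInternal(f.Src) || isInternal(f.Dst) {
			continue
		}
		if _, ok := reflectorPorts[f.SrcPort]; !ok {
			continue
		}
		k := srcKey{f.Src, f.SrcPort}
		a := byKey[k]
		if a == nil {
			a = &agg{dests: map[string]bool{}}
			byKey[k] = a
		}
		a.dests[f.Dst] = true
		a.packets += f.Packets
		a.bytes += f.Bytes
	}
	var out []Suspect
	for k, a := range byKey {
		if a.packets == 0 {
			continue
		}
		bpp := float64(a.bytes) / float64(a.packets)
		if len(a.dests) >= minDests && bpp >= minBytesPerPacket {
			out = append(out, Suspect{k.Src, reflectorPorts[k.SrcPort], k.SrcPort, len(a.dests), a.bytes, bpp})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Bytes > out[j].Bytes })
	return out
}

func main() {
	for _, s := range FindReflectors(sampleFlows, 5, 300) {
		fmt.Printf("%s:%d (%s) -> %d destinations, %d bytes, %.0f bytes/packet\n",
			s.Src, s.SrcPort, s.Service, s.Dests, s.Bytes, s.BytesPerPacket)
	}
}
```

The two thresholds are the tunable part: a recursive resolver legitimately answers many external clients but with small packets, while an NTP server that has monlist enabled answers few legitimate peers but with very large ones, so requiring both many destinations and a high bytes-per-packet ratio keeps ordinary service traffic out of the alert.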


Specialized DDoS protection systems also provide an enhanced level of protection, specifically enabling techniques to mitigate these attacks, such as actionable (large-scale) threat lists pulling from multiple threat databases, traffic anomaly inspection, finding traffic baseline violations, using artificial intelligence (AI) and machine learning (ML), and more.

It is important to note that organizations should cross reference multiple observability and reporting capabilities to get a comprehensive picture of the network status to ensure the previously mentioned anomalous behaviors are thwarted.


Larger and More Frequent DDoS Attacks Illustrate Action Should be Taken Now

The examples above illustrate that DDoS amplification and reflection attacks continue to be fast, cheap and easy to perform. Evidence from the A10 DDoS Attack Mitigation: A Threat Intelligence Report points to a new record for the largest reported attack, when Microsoft reported in January 2022 a 3.47 Tbps, 340 million packets per second attack, breaking last year's record. This brings home the scale these coordinated attacks can reach. It also shows that attacks can potentially be much larger. Microsoft mitigated these attacks by being prepared, both to detect and to mitigate them.

Increasingly, organizations are falling into the prepared and unprepared categories. Unprepared organizations are the ones more likely to make the headlines or contribute to the spread of problems. Increased public reporting and visibility will lead to more awareness of cyber threats and will help the IT and security communities better plan to mitigate threats and limit disruption. As an example, the 2016 Mirai DDoS attacks increased awareness and caused defenses to be shored up, resulting in some of the successful mitigations we see today.


Summary: Be One of the Prepared with the Right Protection in Place

By implementing the above steps to protect systems, organizations can rest assured that they will not become a destructive puppet in the hands of Russian criminal actors seeking to disrupt Internet services and other critical infrastructure in Ukraine. As illustrated by A10 Networks' threat research, certain organization types and regions have been targeted. Given this changing threat landscape, it is also advisable for organizations in sensitive sectors worldwide, whether government, military or critical commercial infrastructure, to reassess their services to ensure adequate defenses are in place and avoid being an unwitting participant in malicious activity.


iIT Distribution is an official distributor of advanced solutions from A10 Networks in Ukraine, Georgia, Kazakhstan and Uzbekistan. We are grateful to A10 for its principled stance in implementing measures to suppress Russian attacks on Ukrainian systems!

For our part, iITD will continue to help its customers in the selection and implementation of security products of this vendor.


CrowdStrike Falcon protects against new Wiper malware used in cyberattacks against Ukraine

News

CrowdStrike is a company that can be proud not only of its high-quality and powerful endpoint protection solutions, but also of its well-developed corporate policy. Since its first day, the company has cooperated only with countries that demonstrate their commitment to European values and non-violent policies. The CrowdStrike team does not separate business and morality. While many IT companies, in light of today's violent events in Ukraine, are only beginning to realize the immorality of the shadow side of the aggressor country, CrowdStrike has never in its existence cooperated with countries such as Russia, Iran, China and North Korea. We encourage other IT companies to break their partnerships with the aggressor country, and we are sincerely glad that more and more of our vendors have already done so.


On February 23, 2022, new wiper malware attacking Ukrainian systems was reported. After a series of denial-of-service attacks and the hacking of a number of Ukrainian websites, the new malware corrupted the master boot record (MBR), as well as all accessible physical disk partitions and the file system on Windows machines.

CrowdStrike Intelligence has named this new destructive software DriveSlayer; it is the second wiper-type program to hit Ukraine in the recent wave of attacks, after WhisperGate. DriveSlayer is digitally signed with a valid certificate. It abuses the legitimate EaseUS Partition Master driver to access and control the disk in order to render the system non-functional.


The CrowdStrike Falcon platform can provide reliable and continuous protection against DriveSlayer and wiper-type threats, providing real-time workload monitoring to protect customers.

Test the effectiveness of the CrowdStrike solution in person by sending us a request to try the high-performance Falcon platform.


Technical Analysis

Unlike WhisperGate, which uses higher-level API calls, DriveSlayer uses raw disk access to destroy data.

During initialization, two optional command-line parameters specify how long the malware sleeps before starting the destruction process and before rebooting the system. If they are not specified, the default values are 20 and 35 minutes.

After that, the malware makes sure that it has the appropriate privileges to perform its destructive actions. It uses the API AdjustTokenPrivileges to assign itself the following privileges: SeShutdownPrivilege, SeBackupPrivilege and SeLoadDriverPrivilege.

Privilege Name           Description
SeShutdownPrivilege      Provides the ability to shut down a local system
SeBackupPrivilege        Provides the ability to perform system backup operations
SeLoadDriverPrivilege    Provides the ability to load or unload a device driver


A variety of drivers can be loaded depending on the system version. The malware uses IsWow64Process to determine which version of the driver to load. These drivers are located in the resources section of the binary and are compressed using the Lempel-Ziv algorithm. The driver file is written to system32\drivers with a 4-character, pseudorandomly generated name. This file is then unpacked with LZCopy into a new file with the extension ".sys".

Example File Name                          Description
C:\Windows\System32\drivers\bpdr           Lempel-Ziv compressed driver
C:\Windows\System32\drivers\bpdr.sys       Decompressed driver


Before the driver is loaded, the malware disables crash dumps by setting the following registry value:

Registry                                                                    Value   Description
HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled        0       Disables crash dump

To load the driver, a new service is created using the API CreateServiceW. The name and display name for this service is the 4-character name used for the file name. Next, StartServiceW is called in a loop five times to ensure the driver is loaded. Immediately after the driver is loaded, the service is removed by deleting the entire registry key.

After the driver is loaded, the VSS service is disabled via the Service Control Manager. Following this, a number of additional threads are created. One thread handles the system reboot: it sleeps for the time given by the command-line parameter (35 minutes by default), at which point the system is restarted by an API call to InitializeSystemShutdownExW.

Another thread disables features in the UI that could alert the user of suspicious activity occurring on the system before iterating through attached drives.

Registry                                                                          Value   Description
HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor     0       Disables colors for compressed and encrypted NTFS files
HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip       0       Disables pop-up information about folders and desktop items


Finally, the malware begins its destructive routine by spawning multiple additional threads that overwrite the files on disk and destroy the partition tables. Once the system is rebooted, the user will see a blank screen with the words “Missing operating system.”
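The host-side sequence described above (crash dumps disabled, a four-character driver dropped into system32\drivers, a same-named service created to load it, Explorer UI hints switched off) is what a defender can hunt for in endpoint telemetry. The Go program below is an added example, not CrowdStrike code or a Falcon query: it parses constructed key=value telemetry lines (the format is this example's own) and correlates the indicators per host. Because a four-character driver name is noisy on its own (http.sys and ndis.sys are legitimate), a host is only reported when at least two distinct indicator types are present.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed endpoint telemetry. WS01 replays the DriveSlayer sequence
// described above; WS02 is ordinary activity that must not be flagged.
var sampleLog = []string{
	`ts=2022-02-23T15:01:02Z host=WS01 event=RegistrySet path=HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled value=0`,
	`ts=2022-02-23T15:01:03Z host=WS01 event=FileCreate path=C:\Windows\System32\drivers\bpdr`,
	`ts=2022-02-23T15:01:03Z host=WS01 event=FileCreate path=C:\Windows\System32\drivers\bpdr.sys`,
	`ts=2022-02-23T15:01:04Z host=WS01 event=ServiceCreate name=bpdr image=C:\Windows\System32\drivers\bpdr.sys`,
	`ts=2022-02-23T15:01:05Z host=WS01 event=RegistrySet path=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor value=0`,
	`ts=2022-02-23T15:01:05Z host=WS01 event=RegistrySet path=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip value=0`,
	`ts=2022-02-23T15:02:00Z host=WS02 event=RegistrySet path=HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled value=7`,
	`ts=2022-02-23T15:02:01Z host=WS02 event=FileCreate path=C:\Windows\System32\drivers\vendorfilter.sys`,
	`ts=2022-02-23T15:02:02Z host=WS02 event=ServiceCreate name=Spooler image=C:\Windows\System32\spoolsv.exe`,
}

type Finding struct{ Category, Detail string }

// Registry values the analysis reports DriveSlayer sets to 0, keyed by the
// lower-cased tail of the path so HKLM and per-user HKU\<SID> prefixes match.
var tamperedValues = map[string]string{
	`\control\crashcontrol\crashdumpenabled`: "crash-dump-disabled",
	`\explorer\advanced\showcompcolor`:       "ui-tampering",
	`\explorer\advanced\showinfotip`:         "ui-tampering",
}

func parseLine(line string) map[string]string {
	ev := map[string]string{}
	for _, field := range strings.Fields(line) {
		if kv := strings.SplitN(field, "=", 2); len(kv) == 2 {
			ev[kv[0]] = kv[1]
		}
	}
	return ev
}

// isFourCharDriver reports whether path names a file directly under
// system32\drivers whose base name (without .sys) is exactly four characters.
func isFourCharDriver(path string) bool {
	p := strings.ToLower(path)
	const dir = `\system32\drivers\`
	i := strings.LastIndex(p, dir)
	if i < 0 {
		return false
	}
	name := strings.TrimSuffix(p[i+len(dir):], ".sys")
	return len(name) == 4 && !strings.Contains(name, `\`)
}

// Analyze maps each host to the indicators observed for it.
func Analyze(lines []string) map[string][]Finding {
	out := map[string][]Finding{}
	for _, line := range lines {
		ev := parseLine(line)
		host := ev["host"]
		switch ev["event"] {
		case "RegistrySet":
			path := strings.ToLower(ev["path"])
			for tail, cat := range tamperedValues {
				if strings.HasSuffix(path, tail) && ev["value"] == "0" {
					out[host] = append(out[host], Finding{cat, ev["path"] + "=0"})
				}
			}
		case "FileCreate":
			if isFourCharDriver(ev["path"]) {
				out[host] = append(out[host], Finding{"driver-dropped", ev["path"]})
			}
		case "ServiceCreate":
			if len(ev["name"]) == 4 && isFourCharDriver(ev["image"]) {
				out[host] = append(out[host], Finding{"driver-service", ev["name"]})
			}
		}
	}
	return out
}

// Suspicious lists hosts with at least minCategories distinct indicator types.
func Suspicious(findings map[string][]Finding, minCategories int) []string {
	var hosts []string
	for host, fs := range findings {
		cats := map[string]bool{}
		for _, f := range fs {
			cats[f.Category] = true
		}
		if len(cats) >= minCategories {
			hosts = append(hosts, host)
		}
	}
	sort.Strings(hosts)
	return hosts
}

func main() {
	findings := Analyze(sampleLog)
	for _, host := range Suspicious(findings, 2) {
		fmt.Printf("%s: %d indicators\n", host, len(findings[host]))
		for _, f := range findings[host] {
			fmt.Printf("  [%s] %s\n", f.Category, f.Detail)
		}
	}
}
```

The correlation threshold is what keeps this usable: CrashDumpEnabled=0 alone can be an administrator's choice, and a short driver name alone is common, but the two together within one host's timeline, followed by a service whose name equals the dropped file's name, is the shape the analysis describes.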


The Falcon Platform’s Continuous Monitoring and Visibility Stop Destructive Malware

The Falcon platform takes a layered approach to protect workloads. Using on-sensor and cloud-based machine learning, behavior-based detection using indicators of attack (IOAs), and intelligence related to tactics, techniques and procedures (TTPs) employed by threats and threat actors, the Falcon platform enables visibility, threat detection and continuous monitoring for any environment, reducing time to detect and mitigate threats including destructive malware.

As shown in Figure 1, the Falcon platform uses cloud-based machine learning to detect DriveSlayer and prevent the malware from performing additional malicious actions, such as loading additional components.


Figure 1. The Falcon platform’s cloud-based machine learning detects DriveSlayer wiper


The Falcon platform’s behavior-based IOAs can detect and prevent suspicious processes from executing or loading additional components, as well as other behaviors that indicate malicious intent. For example, Falcon detects and prevents DriveSlayer behavior such as tampering with specific registry keys. The behavior-based detection is further layered with a traditional indicator of compromise (IOC)-based hash detection (see Figure 2).


Figure 2. CrowdStrike Falcon detects and prevents DriveSlayer destructive behavior


Because DriveSlayer has no built-in propagation methods for spreading across infrastructures, and because reports of it being used to target Ukraine have so far been limited, the risk of organizations encountering this data-wiping threat may be low at present. CrowdStrike will continue to monitor and report on the situation as it unfolds.

Customers of CrowdStrike Falcon can proactively monitor their environments with hunting queries to identify indicators of DriveSlayer presence. Check the CrowdStrike Support Portal for a brief description.

iIT Distribution, as the official distributor of CrowdStrike solutions, strongly encourages organizations facing the risk of cyber incidents to take steps to improve their operational resilience. CrowdStrike security solutions can protect against malware and the threat of data destruction by providing full visibility of the environment and intelligence-driven monitoring of cloud resources to detect and respond to potential threats, including destructive ones, and limit the potential damage.


HOW TO NOT BECOME AN "UNCONSCIOUS ACCOMPLICE" TO RUSSIAN CYBER ATTACKS ON UKRAINIAN SYSTEMS (PART 2)

News

A10 Networks research monitors attacks on Ukrainian systems.


In the previous article in this series, we looked at data from A10 to understand the nature of recent Russian government-sponsored cybercrimes aimed at Ukrainian targets. The massive spike in attacks on Ukrainian government systems occurred on the first day of the Russian-Ukrainian war.


Recall the two main targets of the coordinated Russian DDoS amplification and reflection attacks:

  • Private Company "Infoservice-Link", with more than two million requested responses to Apple Remote Desktop (ARD). This target belongs to the IP address block 194.79.8.0, which one geolocation source ties to one of the largest cities of Ukraine, Kharkiv, while the whois information identifies it as Severodonetsk, Lugansk region, Ukraine.
  • Secretariat of the Cabinet of Ministers of Ukraine – more than 600 000 requests to NetworkTimeProtocol (NTP).


Studying these attacks, we can see that they were similar but not identical. For example, the attack on the second target used Network Time Protocol (NTP) on UDP port 123 for DDoS amplification and reflection, which is quite common, while the attack on the first target used the less common Apple Remote Desktop (ARD) protocol on UDP port 3283.


Figure 1: Protocols directed to Ukrainian registered ASNs via UDP on February 24, 2022 to a single honeypot. Accordingly, ARD, NTP and CLDAP are the most requested. During the next six days, NTP became the largest protocol observed on the same honeypot after a spike in activity during the first day of the war


Since UDP is connectionless (unlike connection-oriented TCP), the source address of a request can be forged: this masks the requester and at the same time reflects the response to the chosen victim, which receives a large, amplified payload. This is why attackers prefer amplification and reflection techniques.


ARD, for example, can have an amplification factor of more than 34 times the original request. For the ARD attack on the first target, A10 Networks estimated that most of the requested packets were 370 bytes (70%). However, considering the large number of packets of 1,014 bytes (23%), we can calculate an average of ~500 bytes. If we multiply 500 bytes by 2,099,092 requests, we get 1,049,546,000 bytes, or just over 1 gigabyte, and they were all requested from the same machine.


In the "A10 DDoS Attack Mitigation: A Threat Intelligence Report," none of these protocols are in the top five. According to the research, there are 30,622 potential DDoS weapons for ARD that A10 monitors. Using only 10 percent of them could theoretically generate 3.2 terabytes of traffic, while using 50 percent could generate 16 terabytes of traffic.
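The volume arithmetic in the two paragraphs above (packet-size buckets, ~500-byte average, 2,099,092 requests, and the scaling to 10% and 50% of the 30,622 tracked ARD reflectors) can be carried through as a small capacity-planning model. This is an added example, not A10's code or method; it assumes that each tracked weapon would deliver the volume observed in this one attack, which is the scaling that reproduces the 3.2 TB and 16 TB figures.

```python
# Amplification-volume model for the ARD reflection attack described above.
# Response-size buckets from the text (bytes -> share of packets); the
# remaining 7% of packets are of unstated size.
ARD_RESPONSE_BUCKETS = {370: 0.70, 1014: 0.23}
ARD_REQUESTS_SEEN = 2_099_092      # requests aimed at the first target
ARD_WEAPONS_TRACKED = 30_622       # ARD reflectors tracked by A10
AVG_RESPONSE_USED = 500            # the rounded figure the text works with

def weighted_average(buckets):
    """Mean response size over the buckets whose size is known."""
    known_share = sum(buckets.values())
    return sum(size * share for size, share in buckets.items()) / known_share

def attack_volume_bytes(avg_response_bytes, requests):
    """Bytes reflected onto the victim: average response size times request count."""
    return avg_response_bytes * requests

def fleet_volume_tb(per_weapon_bytes, weapons, fraction):
    """Traffic in decimal terabytes if `fraction` of the tracked reflectors each
    delivered `per_weapon_bytes`. Assumption (added here): one observed attack's
    volume per weapon, the scaling that reproduces the 3.2 TB and 16 TB figures."""
    return per_weapon_bytes * weapons * fraction / 1e12

if __name__ == "__main__":
    avg = weighted_average(ARD_RESPONSE_BUCKETS)
    print(f"weighted mean of known buckets: {avg:.0f} bytes (text rounds to ~500)")
    volume = attack_volume_bytes(AVG_RESPONSE_USED, ARD_REQUESTS_SEEN)
    print(f"reflected at the first target: {volume:,} bytes ({volume / 1e9:.2f} GB)")
    for fraction in (0.10, 0.50):
        tb = fleet_volume_tb(volume, ARD_WEAPONS_TRACKED, fraction)
        print(f"{fraction:.0%} of {ARD_WEAPONS_TRACKED:,} ARD weapons: {tb:.1f} TB")
```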

Figure 2: Top 10 ARD UDP Locations of Potential DDoS Weapons Tracked by A10 (by Country and Overall)


Looking at the ARD protocol used against the first target, we see that of the 30,622 weapons tracked by A10, 18,290 (59%) are located in the US. The sheer number of such weapons clearly illustrates that IT organizations outside the warring nations may be actively, if unknowingly, involved in the cyber conflict. These organizations can directly help minimize the damage to Ukraine. The honeypot we analyzed was itself based in the United States.


As mentioned above, the two examples highlighted on February 24 were extremely large-scale. However, we have also seen a steady stream of smaller attacks on targets in Ukraine using various UDP protocols. The mix of these protocols has varied over time: ARD dominated the first day, and NTP dominated the next six days. System owners therefore need to ensure that their systems are not being used to carry out Russian cyberattacks and illegal activities aimed at Ukrainian targets.


Learn more about A10 Networks and its high-performance solutions.

More to come. Stay tuned for updates so you don't miss Part 3 of the series from iIT Distribution and A10 Networks!


A10 NETWORKS SECURITY RESEARCH: HOW NOT TO BECOME AN "UNCONSCIOUS ACCOMPLICE" TO RUSSIAN CYBERATTACKS ON UKRAINIAN SYSTEMS

News

A10 Networks research monitors attacks on Ukrainian systems.

A10 Networks is one of the vendors actively supporting Ukraine during this very difficult time and condemning Russia's crimes against the Ukrainian nation. The Russian-Ukrainian war is shocking in the scale of its bloodshed. Russian terrorists are focusing not only on territorial offensives but also on destabilizing, Russian state-sponsored cyberattacks on Ukrainian systems. Immediate action is required to stop these destructive activities and their potential harmful effects on other countries. We need to act now. In this series of articles, we explain in detail the characteristics and specifics of the new cyberattacks detected by A10 Networks' security research group. Learn what actions you can take to reduce the impact of Russian cyberattacks and how to make sure you are not an "unconscious accomplice" of the aggressor.


Threat Vectors Reports and Recommendations

State-sponsored attacks are not a novelty. The world has seen occasions in which major enterprises in fields such as banking and healthcare, as well as government agencies, have been subjected to massive DDoS attacks, making headlines. The current cyber conflict, however, is being waged on multiple fronts. Recent reports have included malware, DDoS attacks and the defacement of Ukrainian websites. Executives at the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, are warning of a new threat:

«Further disruptive cyberattacks against Ukrainian organizations are likely and could unintentionally affect organizations in other countries. Companies should increase their vigilance and re-evaluate their capabilities to plan, prepare, detect and respond to such threats».


Today, we can observe the results of preparations for the current cyber conflict. For example, in 2020 it was revealed that the Russian FSB was aiming to create a massive IoT botnet. We have also seen reports of malware with multiple variations, such as wipers, causing damage by destroying sensitive data on target computer systems. In addition, state-sponsored DDoS attacks target government, banking and educational services, in other words, organizations that serve ordinary people. We are also seeing reports of revenge attacks by hacktivists: for example, the Anonymous group has hacked into prominent Russian websites to post its anti-war messages. This clearly demonstrates that both offensive and defensive measures and countermeasures are actively being pursued.


DDoS Amplification and Reflection Attacks were and still are targeting Ukraine

A10's security research group recorded powerful and sustained attacks on Ukrainian state networks and, as a result, on commercial Internet resources. The massive spike was observed on the first day of the military conflict.

Studying one of our research honeypots and focusing on the spike in first-day activity, we can see that attackers were trying to enlist legitimate systems in a coordinated DDoS amplification/reflection attack. The first attempt to abuse the honeypot node was made several hours after the initial territorial attacks against Ukraine started on February 24. Looking at the responses the honeypot was asked to send to Ukrainian targets, two main targets can be identified:


1) Private Company "Infoservice-Link" with more than two million requested responses to AppleRemoteDesktop (ARD).

2) Secretariat of the Cabinet of Ministers of Ukraine – more than 600 000 requests to NetworkTimeProtocol (NTP).


The first target is slightly unclear at first because of its name, which we found through an automated lookup. Looking at the detailed information for "Infoservice-Link", we see that it refers to the IP address block 194.79.8.0. Checking where that block is bound, one source gives its geolocation as Kharkiv, one of the largest cities of Ukraine, while the whois information shows it as Severodonetsk, Lugansk region, Ukraine. Flooding an address block rather than a specific host still creates a DDoS attack, which the network equipment should in theory be able to handle if it has not been weakened. Thus, we can conclude that the goal of the attack is to damage the many applications, servers and core infrastructure served by the block and its equipment.


The second target, a government department, looks like an obvious source of opportunity for attackers:

"The main task of the Secretariat is organizational, expert-analytical, legal, informational, logistical support of the Cabinet of Ministers of Ukraine, government committees of the Prime Minister of Ukraine, First Deputy Prime Minister, Deputy Prime Ministers, Minister of the Cabinet of Ministers of Ukraine" – Wikipedia.


Figure 1: Location information from ipinfo.io


Figure 2: 645,248 amplification-request attempts against one honeypot in 15 minutes


To be continued. Stay tuned for more updates!

iIT Distribution is an official distributor of A10 Networks products in Ukraine, Kazakhstan, Georgia and Uzbekistan. We are sincerely thankful to A10 for actively voicing its position and implementing measures to crack down on Russian attacks on Ukrainian systems! For our part, iITD will continue to help our partners select and implement the most effective cyber solutions from this vendor.
