Craig Pepper
September 5, 2023
5 Min Read

Threat Report 04.09.23

Russian-Linked Hackers Expose UK's Most Sensitive Secrets

Highly classified security data pertaining to British military and intelligence installations has been illicitly disclosed on the internet by hackers with ties to Russia. These hackers have disseminated a vast repository of documents that could potentially provide malefactors with insights into accessing strategic locations such as the HMNB Clyde nuclear submarine base, the Porton Down chemical weapons laboratory, and a GCHQ surveillance outpost.

The breach orchestrated by the hacking group known as LockBit also resulted in the pilfering of information concerning high-security penitentiaries and a military installation crucial to our cyber defence efforts. The perpetrators specifically targeted the databases of Zaun, a company specialising in the production of security fences for maximum-security facilities. Subsequently, this purloined information found its way onto the clandestine corners of the internet, commonly referred to as the dark web, which necessitates specialised software for access.

Last evening, Labour MP Kevan Jones, a member of the Commons Defence Select Committee, expressed his concern, stating, "This poses a potentially severe threat to the security of some of our most sensitive facilities. The government must elucidate why the computer systems of this company were susceptible to such an attack. Any data that divulges security arrangements to potential adversaries is a matter of grave concern."

Our investigation reveals that this breach occurred last month during a significant assault on Zaun, a West Midlands-based company that manufactures security fences and perimeter protection solutions for high-risk locations. Notably, Zaun had previously been responsible for providing security barriers during the London 2012 Olympics. LockBit, recognised as one of the world's most formidable hacking groups, has earned notoriety by targeting over 1,400 global entities. Mikhail Matveev, a key suspect associated with LockBit, has found a place on the FBI's Most Wanted list following a series of attacks, including a failed £66 million extortion attempt against the Royal Mail, which staunchly refused to comply with their demands.

Facebook's Nightmare: How Vietnamese Cybercriminals are Hijacking Your Business Account!

Cybercriminals linked to the Vietnamese cybercrime ecosystem are exploiting social media platforms, including Facebook, owned by Meta, for malware distribution. They are utilising deceptive advertisements to target victims, and this tactic has gained popularity in the past year, with groups like Ducktail and NodeStealer being involved in attacks on businesses and individuals on Facebook.

Social engineering plays a significant role in these attacks, with cybercriminals approaching victims through various platforms, including Facebook, LinkedIn, WhatsApp, and freelance job portals. They also use search engine poisoning to promote malicious software masquerading as popular applications such as CapCut, Notepad++, OpenAI ChatGPT, Google Bard, and Meta Threads.

These cybercriminal groups abuse URL shorteners, Telegram for command-and-control, and legitimate cloud services like Trello, Discord, Dropbox, iCloud, OneDrive, and Mediafire to host malicious payloads. Ducktail, for example, targets individuals and businesses on Meta's Business platform through job-related lures.

The Ducktail malware is designed to steal session cookies from browsers and take over Facebook business accounts. These compromised accounts are sold on the underground market. The attackers continue to evolve their tactics, including using shortcuts and PowerShell files for malware deployment and harvesting personal information from various platforms.

One method to take over a victim's compromised account involves adding the attacker's email address, changing the password, and locking the victim out of their Facebook account. The malware also employs techniques to hinder analysis and evade detection.

LinkedIn accounts with a large number of connections and followers are used for social engineering purposes, and the Ducktail malware can propagate by using stolen LinkedIn credentials to contact other targets.

The Vietnamese cybercrime ecosystem appears to involve multiple threat actors sharing tactics, techniques, and tooling. A variant known as Duckport has also emerged with its own features, expanding on information-stealing and account-hijacking capabilities. These threats highlight the complex and evolving nature of cybercriminal activities centred around social media platforms like Facebook.

How Hackers Sneak Past Antivirus Using Windows Containers

Recent discoveries suggest that malicious actors may exploit a covert method for evading malware detection and bypassing endpoint security solutions by manipulating the Windows Container Isolation Framework. These findings were unveiled by security researcher Daniel Avinoam from Deep Instinct during the DEFCON security conference held earlier this month.

Microsoft's container architecture, including Windows Sandbox, utilises dynamically generated images to separate the file system within each container from the host system.

This approach avoids duplicating system files, reducing the on-disk footprint of a full OS image. Essentially, it creates "ghost files" that contain no actual data but instead point to different volumes on the system. Avinoam pondered whether this redirection mechanism could be used to obfuscate file system operations and confuse security products.

This is where the Windows Container Isolation FS (wcifs.sys) minifilter driver comes into play. Its primary function is to manage file system separation between Windows containers and their host system. The driver handles ghost files' redirection by parsing attached reparse points and associated reparse tags, which identify the owner or implementer of the file system filter driver performing additional processing during I/O operations.

The core idea is to run a process within a fabricated container and utilise the mini-filter driver to manage I/O requests discreetly, allowing file creation, reading, writing, and deletion without triggering security software alerts. Notably, the mini-filter attaches to the file system stack indirectly by registering with the filter manager for specific I/O operations.

The wcifs.sys driver operates at a lower altitude (specifically 189900), while antivirus filters, including third-party ones, function at a higher altitude range. Because a filter's altitude determines its position in the filter stack, with higher-altitude filters seeing an I/O request first, this distinction enables various file operations to occur without triggering callbacks from antivirus drivers.

However, it's crucial to emphasise that executing this attack necessitates administrative permissions to communicate with the wcifs.sys driver, and it cannot be used to overwrite files on the host system.
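As an added defender-side example (not code from the talk or from Deep Instinct), the script below parses the table printed by `fltmc filters`, reports which minifilters sit below the Anti-Virus load-order group, and flags whether wcifs currently has live instances on a host where no containers or Sandbox are expected. The sample table is constructed, and the Anti-Virus group bounds (320000-329999) are Microsoft's documented altitude allocation.

```python
# Parse `fltmc filters` output (run as Administrator) and report altitude ordering.
import re
from dataclasses import dataclass

# Microsoft's altitude allocation for the FSFilter Anti-Virus load-order group.
AV_GROUP = (320000, 329999)

@dataclass
class MiniFilter:
    name: str
    instances: int
    altitude: float

def parse_fltmc(text: str) -> list:
    """Parse the fltmc table; tolerates sub-altitudes such as 328010.1."""
    filters = []
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+\d+$", line.strip())
        if m:
            filters.append(MiniFilter(m.group(1), int(m.group(2)), float(m.group(3))))
    return filters

def below_av(filters):
    """Filters at a lower altitude than every Anti-Virus group filter present."""
    av = [f.altitude for f in filters if AV_GROUP[0] <= f.altitude <= AV_GROUP[1]]
    if not av:
        return None  # no AV minifilter registered at all: a finding in itself
    floor = min(av)
    return sorted((f for f in filters if f.altitude < floor), key=lambda f: -f.altitude)

def wcifs_attached(filters) -> bool:
    """True when wcifs has live instances, i.e. container redirection is active."""
    return any(f.name.lower() == "wcifs" and f.instances > 0 for f in filters)

# Constructed sample output, not captured from a real machine.
SAMPLE = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
WdFilter                                5       328010         0
wcifs                                   1       189900         0
CldFlt                                  0       180451         0
FileInfo                                5        40500         0
"""

if __name__ == "__main__":
    flt = parse_fltmc(SAMPLE)
    for f in below_av(flt):
        print(f"{f.name:<10} {f.altitude:>9.0f}  instances={f.instances}")
    print("wcifs attached:", wcifs_attached(flt))
```

A filter listed below the AV floor is not malicious by itself; the point is to know which redirecting filters are active beneath your endpoint product and whether that matches the host's expected role.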

These revelations coincide with Deep Instinct's demonstration of a technique called NoFilter, which exploits the Windows Filtering Platform (WFP) to elevate a user's privileges to SYSTEM level and potentially execute malicious code. These attacks leverage WFP to duplicate access tokens, trigger IPSec connections, manipulate the Print Spooler service, and access another user's token on a compromised system for lateral movement.
