The Good | Bulletproof Hosting Operator Enabling Major Crimeware Convicted
A Romanian national was sentenced this week to three years in prison for running a bulletproof hosting service used by cybercriminals in a variety of cyberattack operations. Mihai Ionut Paunescu, also known online as “Virus”, was charged with conspiracy to commit computer intrusion for his involvement in enabling a range of cybercrimes, from DDoS and spam-based attacks to info-stealers and banking malware.
Bulletproof hosting services enable cybercriminals to spread malware focused on stealing confidential information. These sites are unlawfully lenient about what material they allow their users to upload and are strategically located outside law enforcement jurisdictions, giving criminals the anonymity needed to host malware kits, data stashes, hidden dark markets, and more.
According to a DoJ statement, Paunescu’s bulletproof hosting service played an intrinsic role in distributing some of the world’s most harmful malware, including the Gozi virus, Zeus trojan, SpyEye trojan, and BlackEnergy malware. These are notorious names in the infosec world. Gozi, for example, is said to have infected more than a million systems, stealing banking information and passwords from government entities and businesses globally.
Court documents say that Paunescu was well aware of the illegal activities of his criminal customer base. Not only did he shield paying customers from law enforcement by renting IP addresses from legitimate internet service providers (ISPs), he also provided C2 infrastructure for botnet operations and proxies to hide malicious traffic. Paunescu also monitored spam blocklists for the IP addresses under his control to stop them from being blocked, and maintained a database of all rented servers, many of which were attached to known malware.
Paunescu pleaded guilty to all charges, was ordered to forfeit $3,510,000 and pay $18,945 in restitution, and will face another three years of supervision after serving his prison term.
The Bad | Critical RCE Flaw In Fortinet SSL VPN Opens the Door to Further Attacks
After releasing a patch for a critical remote code execution (RCE) vulnerability in its FortiOS SSL VPN, Fortinet is now warning customers that the flaw may have been exploited in emerging attacks on government and critical infrastructure entities. The flaw, tracked as CVE-2023-27997, is described as a heap-based buffer overflow weakness in both the FortiOS and FortiProxy SSL VPN that could allow threat actors to gain RCE through malicious requests.
Fortinet’s latest report on the flaw found that one issue, tracked as FG-IR-23-097, was likely exploited in a number of cases, and that the company is working closely with its customers to monitor the developing situation. Fortinet also raised the possibility that the China-based threat actors linked to the recent Volt Typhoon attacks could have their sights set on CVE-2023-27997. No confirmed link had been made between the two at the time of writing, but the company does expect any unpatched vulnerabilities in popular software and devices to continue facing exploitation. Fortinet urges all its customers to continue prioritizing patching immediately upon release.
Confirmed: Volt Typhoon used an auth bypass CVE-2022-40684 in FortiOS products for initial access
Unconfirmed: If Volt Typhoon used the new CVE-2023-27997 in SSL VPNs – but Fortinet expects many threat actors, including Volt Typhoon, may have a go at it https://t.co/y9Dlbjw9dY https://t.co/tbZDOfDGHU
— Will (@BushidoToken) June 13, 2023
Due to their internet-facing nature and their access to enterprise intranets, SSL VPNs continue to be a lucrative target for threat actors. Pre-authentication flaws such as CVE-2023-27997 are especially valuable to attackers because they remove the need for valid credentials. In addition to following stringent patch management processes, organizations can proactively protect themselves against new vulnerabilities by implementing zero trust policies and advanced security solutions such as EDR and XDR.
The Ugly | BatCloak Obfuscation Tool Evading Static Antivirus Engines
Security researchers this week warned the community about an obfuscation tool called “BatCloak” that allows actors to deliver malicious code under the guise of batch (.BAT) files. Thanks to their high success rate and ease of use, tools that leverage the BatCloak component have become increasingly popular among threat actors of all skill levels.
BatCloak is currently promoted as “fully undetectable malware”, or “FUD”, by its authors. FUD status is supposed to signify to buyers that the malware is sophisticated enough to remain completely undetectable in compromised systems. Slipping past legacy AV detection suites, FUD malware allows threat actors to carry out a variety of malicious activities. Though tools of this nature are tuned to evade static detection engines, they are readily detectable by modern behavioral and AI-powered solutions like SentinelOne.
According to the latest research on BatCloak, the tool is said to demonstrate a remarkable ability to persistently avoid static detection. Samples going back to 2022 show that, through BatCloak, threat actors have been able to load numerous malware families and exploits easily with highly obfuscated batch files.
BAT files are text files that contain a sequence of commands used to run legitimate Windows applications and routines. Cybercriminals can abuse BAT files to execute malicious scripts and infiltrate vulnerable networks and systems. Because BAT files are extremely variable, they pose a persistent challenge for antivirus engines; in fact, many static detection engines do not scan BAT files at all. When crafted with obfuscation techniques, these files can be difficult for traditional signature-based antivirus software to detect. In environments with robust behavioral detection technologies in place, however, they pose no threat.
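As an added illustration of why signature-based scanning struggles with obfuscated batch files and what a lightweight static triage step can still catch, the script below is example code written for this post; it is not SentinelOne's code and not a description of BatCloak's internals. It scores a batch file on a few generic indicators that commonly appear in obfuscated batch droppers (caret-split keywords, heavy use of variable substring expansion, non-printable bytes, very long lines, high byte entropy) and flags files worth a closer look. The two sample files, the keyword list and every threshold are constructed assumptions chosen for illustration, not tuned detection rules.

```python
"""Heuristic static triage for batch (.bat/.cmd) files.

Added example, not SentinelOne's or BatCloak's code. Indicator weights and
thresholds are assumptions for illustration; real tuning needs a corpus of
benign admin scripts to keep the false-positive rate acceptable.
"""
import math
import re
from dataclasses import dataclass, field

# Keywords whose letters are often split with '^' (the cmd.exe escape
# character) so that a plain substring signature never sees them whole.
_KEYWORDS = ("echo", "set", "start", "powershell", "cmd", "call", "goto")

# %VAR:~start,len% substring expansion, used to rebuild strings one
# character at a time from a seed variable.
_SUBSTR_RE = re.compile(r"%[^%\s:]+:~-?\d+(?:,-?\d+)?%")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the raw file; plain scripts sit well under 5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def caret_split_keywords(text: str) -> int:
    """Count keywords that only become visible once carets are removed."""
    lowered = text.lower()
    stripped = lowered.replace("^", "")
    return sum(stripped.count(kw) - lowered.count(kw) for kw in _KEYWORDS)


@dataclass
class BatchReport:
    score: int = 0
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3  # assumed review threshold


def triage_batch(raw: bytes) -> BatchReport:
    """Score a batch file; higher means more obfuscation indicators."""
    report = BatchReport()
    text = raw.decode("latin-1")  # 1:1 byte mapping, never raises
    lines = text.splitlines()

    split_kw = caret_split_keywords(text)
    if split_kw:
        report.score += 2
        report.findings.append(f"{split_kw} caret-split keyword(s)")

    substr_tokens = len(_SUBSTR_RE.findall(text))
    if substr_tokens >= 4:
        report.score += 2
        report.findings.append(f"{substr_tokens} substring-expansion tokens")

    # Control bytes other than tab/LF/CR, and bytes above ASCII, rarely
    # belong in an admin script but are common in padded/encoded payloads.
    nonprint = sum(1 for b in raw if (b < 0x20 and b not in (9, 10, 13)) or b > 0x7E)
    if nonprint / max(len(raw), 1) > 0.05:
        report.score += 2
        report.findings.append(f"{nonprint} non-printable bytes")

    longest = max((len(line) for line in lines), default=0)
    if longest > 2000:
        report.score += 1
        report.findings.append(f"line of {longest} characters")

    entropy = shannon_entropy(raw)
    if entropy > 5.5:
        report.score += 1
        report.findings.append(f"entropy {entropy:.2f} bits/byte")

    return report


# Constructed samples: a plain backup script and a benign script written in
# an obfuscated style (it only echoes a scrambled word back in order).
BENIGN_SAMPLE = (
    b"@echo off\r\necho Starting nightly backup\r\n"
    b"xcopy C:\\data D:\\backup /E /Y\r\nexit /b 0\r\n"
)
OBFUSCATED_SAMPLE = (
    b"@e^c^h^o off\r\nset \"x=ehlo wrd\"\r\n"
    b"e^c^h^o %x:~0,1%%x:~1,1%%x:~2,1%%x:~2,1%%x:~3,1%\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        r = triage_batch(sample)
        print(f"{name}: score={r.score} suspicious={r.suspicious} {r.findings}")
```

The point of the example is the gap it leaves open: a file that avoids every one of these indicators still runs, which is exactly why the post recommends behavioral detection rather than relying on static scanning of BAT files.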
Tools such as Jlaive Crypter, Madera and ScrubCrypt integrate tactics associated with the BatCloak engine. All of these tools use various interactions of BatCloak’s feature set to process and generate uniquely obfuscated payloads. All SentinelOne customers are protected against payloads generated via Jlaive or similar BatCloak-centric obfuscation utilities.