Abyss Locker Ransomware Targets VMWare ESXi Servers

Abyss Locker, a new ransomware operation, has joined the growing list of threat actors developing Linux encryptors to target the popular VMware ESXi virtual machine platform. This latest trend poses a significant risk as organizations continue to adopt virtual machines for better resource management, performance, and disaster recovery.

Abyss Locker targets and breaches virtual machine infrastructures, steals data for double extortion, and encrypts and locks devices. Its operators then leverage the stolen data by threatening to leak files if a ransom is not paid. Abyss Locker is believed to have launched in March 2023, with fourteen victims listed on its dark web data leak site, ‘Abyss-data.’ The threat actors claim to have stolen between 35 GB and 700 GB of data from the various organizations and agencies they have compromised.

The ransomware operation’s Tactics, Techniques, and Procedures (TTPs) include using a Linux ELF encryptor targeting VMware ESXi servers. The encryptor terminates all virtual machines so that the associated virtual disks, snapshots, and metadata can be encrypted and locked after the data has been stolen. In addition to targeting virtual machines, the ransomware encrypts all other files on the compromised device.

Abyss Locker is a standalone threat, although there are similarities in its encryption technique to the HelloKitty ransomware, raising questions about possible links or affiliations. With VMware ESXi being one of the most popular virtual machine platforms, almost every ransomware gang has begun to release Linux encryptors to encrypt all virtual servers.

The consequences of this change are significant. As a result of these attacks, organizations that depend on VMware’s ESXi platform could experience substantial operational issues, financial loss, and reputational damage.

Acreto Solution

  • Acreto offers comprehensive protection against threats like Abyss Locker by quickly isolating application access to only users, devices, systems and applications that need to interoperate.

  • Acreto does this with the use of Ecosystems that provide a dedicated security infrastructure per application, use-case, project, or third-party.

  • Ecosystems can be configured as open, closed, or hybrid, providing flexibility depending on the specific needs and risk profiles of the organization. The solution supports various technologies including devices, offices, Internet-of-Things (IoT), and third-party applications.

  • Acreto’s ability to isolate individual or groups of systems on a shared network or entire networks can help limit the ransomware’s reach and propagation. The micro-segmentation and nano-segmentation features ensure that only systems that need to interoperate together have access to each other, reducing the potential attack surface.

  • Acreto’s encrypted secure scan capabilities decrypt, scan, and re-encrypt communications inline and in real-time, blocking any malicious content embedded in the encrypted payload.

  • Acreto offers a variety of controls, from access controls that use identity with multi-factor authentication (MFA) to content controls that manage communication based on content categories. It also controls the upload and download of sensitive data, preventing potential data leaks.

  • Threat prevention capabilities are key in mitigating threats like Abyss Locker. Using threat signatures and zero-day behavioral analysis, Acreto identifies and mitigates known exploits, malware, botnets, and ransomware.

Ecosystems

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Open → With inbound or outbound access from or to the Internet or a third-party

Closed → Fully contained with access limited to Ecosystem members

Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.

Assets Acreto Secures

Access Technologies

  1. Devices
    1. Computers (Org Owned or BYOD)
    2. Mobile Phones / Tablets (Org Owned or BYOD)
  2. Offices
    1. Headquarters
    2. Branches
    3. Small Office / Home Offices
  3. Internet-of-Things (IoT)
    1. ATMs
    2. HVAC
    3. Elevator Controls
    4. Fire Safety Alarms
    5. Smart TVs
    6. Many more…
  4. Third Parties
    1. Offices
    2. Devices
    3. Remote Users

Application Delivery Technologies

  1. Data Centers
    1. Networks
    2. Servers
    3. Virtual Machines
    4. Containers
  2. Clouds
    1. Cloud Instances
    2. Cloud VPCs / Cloud Networks
  3. SaaS / Third Party Applications

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with:

  • Micro-Segmentation: Segmenting groups of systems on any shared network, including hostile networks or the entire network.
  • Nano-Segmentation: Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.
  • Isolated Data Flows: Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications are encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.

Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.

Controls

Access Control

Identity with MFA

  • User: Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organization’s Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.
  • Device: Assigns a unique identity to each device so that a device that does not rely on a user to operate, such as an autonomous application or IoT device, can be validated and allowed to join the Ecosystem.

Network Protocol / Port

Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Protocol

Control the application protocol (HTTP, DNS, SMTP, SMB, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Program

Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Content

Content Category

Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.

File Type Upload / Download Controls

Control upload / download of files by type such as .EXE, PDF, XLS, DOC, SCR, and MSI among hundreds of options.

Data Leak Prevention

Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:

  • Credit Cards Upload / Download Controls
  • Social Security Number Upload / Download Controls
  • RegEx Pattern Upload / Download Controls

Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

Threat Signature

Identifies and mitigates known bad exploits, malware, botnets and ransomware.

Zero-Day Behavioral Analysis

Looks for behavioral indication of threats based on how system functions react to the payload, immediately and over time.

Event Tracking & Management

Simplicity

Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

Provisioning an Ecosystem takes 3-5 minutes. Simply give the Ecosystem a unique name, choose the desired bandwidth, and within a few minutes your Ecosystem, providing a dedicated security infrastructure, is ready.

Depending on your connection options for Ecosystem members, deployment can take between 10 minutes and a few hours.

Sustainability

Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.

Change Management

Different Ecosystems operate completely independently from one another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.

Policy Management

Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to that scenario. Moreover, when an application or use-case is retired and it’s time for policy cleanup, disabling or deleting the Ecosystem automatically prunes its policies. This has traditionally been a complex task that is at best inaccurate.

Mechanisms of Attack

  • Abyss Locker ransomware targets VMware’s ESXi virtual machines platform, commonly used by enterprises. As enterprises shift from individual servers to virtual machines, ransomware gangs are focusing on these platforms.

  • Abyss Locker is a relatively new operation, believed to have launched in March 2023. It targets companies in its attacks, breaching corporate networks, stealing data for double-extortion, and encrypting devices on the network.

  • After breaching the network, the Abyss Locker threat actors steal data and use it as leverage, threatening to leak files if a ransom is not paid. To leak stolen files, the actors have created a Tor data leak site named ‘Abyss-data’.

  • Abyss Locker targets VMware ESXi servers using a Linux ELF encryptor. It uses the ‘esxcli’ command-line VMware ESXi management tool to first list all available virtual machines and then terminate them.

  • The ransomware uses the ‘vm process kill’ command to shut down virtual machines using one of the soft, hard, or forced options to allow the associated virtual disks, snapshots, and metadata to be properly encrypted.

  • It encrypts all files with the .vmdk (virtual disks), .vmsd (metadata), and .vmsn (snapshots) extensions. Apart from targeting virtual machines, the ransomware also encrypts all other files on the device and appends the .crypt extension to their filenames.

  • For each file encrypted, the encryptor creates a file with a .README_TO_RESTORE extension, which acts as the ransom note. This note contains information on what happened to the files and a unique link to the threat actor’s Tor negotiation site.
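The two behaviours listed above (list-then-kill of VMs via esxcli, and the .crypt renames plus .README_TO_RESTORE notes on the datastore) are both things a defender can look for after the fact. The following Python is an added triage example, not code from the write-up or from Acreto; the shell log line layout is an assumption modelled on ESXi's shell.log, and every sample line and file name is constructed.

```python
"""Defender-side triage for the Abyss Locker ESXi behaviour described above.
Added example, not part of the original write-up or any vendor tooling.
Check 1: ESXi shell history where one user runs 'esxcli vm process list'
         and then kills several VMs within a short window.
Check 2: a datastore tree holding '.crypt' renames of .vmdk/.vmsd/.vmsn
         files and '.README_TO_RESTORE' ransom notes, grouped per VM dir."""
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout (modelled on shell.log): "<ISO ts> shell[<pid>]: [<user>]: <command>"
SHELL_LINE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")
LIST_CMD = re.compile(r"\besxcli\s+vm\s+process\s+list\b")
KILL_CMD = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")
VM_EXTS = {".vmdk", ".vmsd", ".vmsn"}   # disks, metadata, snapshots (from the write-up)
ENC_EXT = ".crypt"                       # extension appended to encrypted files
RANSOM_NOTE = ".README_TO_RESTORE"       # ransom note dropped per encrypted file

def find_kill_bursts(lines, min_kills=2, window=timedelta(minutes=5)):
    """Return (user, list_timestamp, kill_count) for every 'list then kill'
    sequence by the same shell user within `window`. A single kill after a
    list is routine admin work and is ignored below `min_kills`."""
    events = []
    for line in lines:
        m = SHELL_LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ts"], m["user"], m["cmd"]))
    bursts = []
    for i, (ts, raw_ts, user, cmd) in enumerate(events):
        if not LIST_CMD.search(cmd):
            continue
        kills = sum(1 for e in events[i + 1:]
                    if e[2] == user and e[0] - ts <= window and KILL_CMD.search(e[3]))
        if kills >= min_kills:
            bursts.append((user, raw_ts, kills))
    return bursts

def scan_datastore(root):
    """Walk a datastore and report, per VM directory, how many disk, metadata
    and snapshot files were renamed with .crypt, how many other files were
    encrypted, and how many ransom notes were dropped."""
    report = {}
    for dirpath, _, files in os.walk(root):
        enc = defaultdict(int)
        notes = other = 0
        for name in files:
            if name.endswith(RANSOM_NOTE):
                notes += 1
            elif name.endswith(ENC_EXT):
                orig_ext = os.path.splitext(name[:-len(ENC_EXT)])[1].lower()
                if orig_ext in VM_EXTS:
                    enc[orig_ext] += 1
                else:
                    other += 1
        if notes or enc or other:
            report[os.path.relpath(dirpath, root)] = {
                "vm_files": dict(enc), "other_files": other, "notes": notes}
    return report

# ---- constructed sample data (not real log or datastore content) ----------
SAMPLE_SHELL_LOG = [
    "2023-07-25T10:00:01Z shell[2001]: [root]: esxcli vm process list",
    "2023-07-25T10:00:09Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2100",
    "2023-07-25T10:00:10Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2101",
    "2023-07-25T10:00:11Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2102",
    "2023-07-25T11:30:00Z shell[2077]: [root]: esxcli vm process list",
    "2023-07-25T11:30:05Z shell[2077]: [root]: esxcli vm process kill --type=soft --world-id=2103",
]

SAMPLE_DATASTORE = {   # directory -> files; web01 was hit, db01 is untouched
    "web01": ["web01.vmdk.crypt", "web01.vmsd.crypt", "web01.vmsn.crypt", "web01.vmx.crypt",
              "web01.vmdk.README_TO_RESTORE", "web01.vmsd.README_TO_RESTORE",
              "web01.vmsn.README_TO_RESTORE", "web01.vmx.README_TO_RESTORE"],
    "db01": ["db01.vmdk", "db01.vmsd", "db01.vmx"],
}

def demo_kill_bursts():
    return find_kill_bursts(SAMPLE_SHELL_LOG)

def demo_scan():
    """Materialise the constructed datastore in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for vm_dir, files in SAMPLE_DATASTORE.items():
            os.makedirs(os.path.join(root, vm_dir))
            for name in files:
                open(os.path.join(root, vm_dir, name), "w").close()
        return scan_datastore(root)

if __name__ == "__main__":
    for user, ts, n in demo_kill_bursts():
        print(f"ALERT {ts}: {user} listed VMs then killed {n} within 5 minutes")
    for vm, hit in demo_scan().items():
        print(f"{vm}: {hit}")
```

The second list/kill pair in the sample (one soft kill, 90 minutes later) is below the burst threshold and is not flagged, which is the distinction a detection rule on this behaviour needs to make.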

About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

New CISA Directive On Persistent Threats

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an order requiring all federal agencies to take additional precautions to restrict access to Internet-exposed networking equipment.

To limit potential breaches, the directive calls for restricting access so that only authorized users on an agency’s internal network can reach these devices’ management interfaces.

This decision comes in response to escalating cyber-attacks that capitalize on undiscovered vulnerabilities in commonly used security and networking devices.

The targets of these attacks are federal agencies that use devices that allow remote authentication or administration. The attackers exploited zero-day vulnerabilities in popular networking products, such as those made by Barracuda Networks and Fortinet, to launch ransomware and cyber espionage attacks.

Hackers have been exploiting Barracuda Networks products since at least October 2022, resulting in data breaches. As the company tried to fix the issue, the adversaries adjusted their tactics to bypass the mitigation efforts, forcing Barracuda to replace compromised devices.

As for Fortinet, a vulnerability in its FortiOS firmware allows an attacker to run malware on virtually any Fortinet SSL VPN appliance. Just gaining access to the administrative panel of a vulnerable Fortinet SSL VPN appliance is sufficient for an attacker to compromise the device fully.

It is clear that the threat actors who exploit these zero-day vulnerabilities are highly adaptive and respond quickly to changes in cybersecurity measures. This means that we cannot afford to let our guard down or become complacent. Instead, we must continue to refine and reinforce our cybersecurity infrastructures, focusing on both preventive measures and swift, effective response strategies.

Acreto Solution

Acreto provides a comprehensive and proactive approach to cybersecurity that could help organizations adhere to CISA’s directive and ensure the security of their digital assets.

  • Acreto’s ‘Ecosystems’ inherently restrict access only to those users, devices, systems, and applications that need to interoperate together. It limits access so that only authorized members within an agency’s network can reach management interfaces. This significantly reduces the potential for security breaches.

  • These Ecosystems can be configured as open, closed, or hybrid. This means they can be tailored to meet the specific needs and security requirements of the organization, providing both flexibility and robust protection.

  • The Acreto Solution eliminates any and all access from the Internet to the Ecosystem, while still allowing its members to interoperate with authorized systems and applications. It offers effective micro-segmentation and nano-segmentation capabilities, thereby eliminating internal attack surfaces and isolating data flows.

  • Acreto can decrypt, scan, and re-encrypt communications in real-time, blocking any malicious content embedded in the encrypted payload. This feature is particularly relevant in the context of vulnerabilities like those found in the FortiOS firmware, where an attacker can run malware on any Fortinet SSL VPN appliance by simply accessing the administrative panel.

  • The Acreto Solution offers comprehensive control features, including access, network protocol/port, application protocol, application program, and content controls. These mechanisms give the organization granular control over the flow of data and the operation of applications within its network.

  • The Acreto Ecosystems are easy to provision, deploy, and sustain, reducing the complexity and logistics often associated with cybersecurity management. They also simplify traditionally complex tasks such as change management and policy management, making them an efficient and effective solution.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

2.2 Million University Credentials Found on the Dark Web

A significant cybersecurity issue has emerged in the higher education sector. Security researchers have discovered 2.2 million breached credentials from the top 100 universities in the UK on the dark web.

The credentials are used to access university systems, putting staff, students, and their sensitive data at risk. Cybercriminals would have access to user accounts and research information, including that of government-funded programs in areas like nuclear energy and defense.

More than half of these credentials are related to elite Russell Group institutions, which are comprised of 24 leading UK universities. These findings highlight the high risk of cybersecurity threats the UK’s higher education sector faces.

The U.S. education sector saw similar numbers in 2022, with 96 breaches that exposed almost 1.4 million records. So far, 2023 has seen 11 breaches. Breaches since 2005 have been almost evenly split between the two education sectors, with 51% in K-12 schools and 49% in universities.

Based on this recent data, it is likely that the education sector will continue to be a significant target for cyberattacks.

Acreto Solution

How Acreto’s Ecosystems can help:

  • Ecosystems: Acreto’s Ecosystems provide a dedicated and scalable security infrastructure that can be deployed per application, use case, or third party. They limit access to only users, devices, systems, and applications that need to interoperate together, effectively reducing the attack surface. With Acreto, universities can have separate ecosystems for different departments, research groups, or even individual projects. This approach will not only increase the overall security of the system but will also isolate potential breaches, preventing them from spreading across the network.

  • Acreto’s Asset Security: Acreto’s solutions span a wide range of access and application delivery technologies. It ensures security for devices, offices, IoTs, and third parties, as well as data centers, clouds, and SaaS/Third-Party Applications. Regardless of the type of technology in use, Acreto can secure it, providing another layer of defense for universities against cyber threats.

  • Minimizing the Attack Surface: Acreto’s solution eliminates the Internet attack surface, and with micro-segmentation and nano-segmentation, it can isolate individual or groups of systems on a shared network, limiting access only to systems that need to interoperate together. Encrypted secure scan decrypts, scans, and re-encrypts communications inline and in real time, adding an extra level of security.

  • Robust Access Control and Threat Prevention: Acreto’s solutions offer robust access controls, with MFA for users and unique identity specifications for devices. It provides controls at the network protocol/port level, application protocol, and program level. It also offers threat prevention capabilities utilizing both threat signature identification and zero-day behavioral analysis.

  • Simplified Event Tracking & Management: Acreto Ecosystems are easy to provision, deploy, and manage. They do not depend on hardware, making them a sustainable solution for cybersecurity. They simplify change management and policy management due to their independent operation.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

China-Centric RedClouds Campaign Targeting RDP

A new hacking campaign being tracked as ‘RedClouds’ uses a custom ‘RDStealer’ malware to steal data from drives shared through RDP connections automatically. Security researchers have been tracking these threat actors targeting systems since 2022.

RedClouds’ tactic involves stealing data from drives shared via Remote Desktop Protocol (RDP), a widely used technology in workplaces, IT support, and system administration. What’s intriguing is that the malware’s interests seem to align with China and display sophistication typical of a state-sponsored Advanced Persistent Threat (APT) operation.

The RDStealer malware is deployed to infect remote desktop servers. It operates in an infinite loop, continually checking for available drives on the network shares. Upon finding drives, the malware notifies the control server and initiates data exfiltration. This operation allows for a significant data breach, focusing particularly on credentials that could enable lateral movement within a network.

This threat campaign initially focused on East Asia but is expanding. Considering the extensive usage of RDP globally, the threat extends across all regions. The nature of the data targeted, SSH keys and password databases, suggests an intention to perform cyber espionage or potentially trigger ransomware attacks.

Acreto Solution

Acreto’s Ecosystem solution can be used against an attack such as RedClouds in the following ways:

  • Ecosystem Segmentation: By limiting access only to users, devices, systems, and applications that need to interoperate together, Acreto’s Ecosystems can limit the possible exposure to attacks.

  • Eliminate Attack Surface: Acreto’s Ecosystems can eliminate any and all access from the Internet while still allowing Ecosystem members to interoperate with authorized systems and applications. This can prevent direct attacks from the Internet on sensitive RDP servers.

  • Micro and Nano-Segmentation: Isolating individual systems or groups of systems on a shared network, or entire networks, limits access to only the systems that need to interoperate together, making it more difficult for threat actors to move laterally in a network once they gain access.

  • Secure Scan: Acreto’s Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time, blocking any malicious content embedded in the encrypted payload.

  • Access Control: Acreto’s solution provides a variety of access controls based on user and device identity, network protocols, application protocols, and application programs.

  • Content Control: Controls can be applied based on content categories and file type uploads/downloads, aiding in preventing data leaks.

  • Change and Policy Management: Different Ecosystems operate completely independently from one another, simplifying change management and policy management processes. This can help in faster response and adaptation to emerging threats.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

Mechanisms of Attack

  • The attack exploits the Remote Desktop Protocol (RDP), a Microsoft protocol that allows users to remotely connect to Windows desktops.

  • The protocol includes a feature called ‘device redirection’, which allows local drives, printers, and other devices to connect with the remote host.

  • These shared resources can be accessed via a ‘\\tsclient’ network share, which can then be mapped to drive letters in the RDP connection.

  • Threat actors infect remote desktop servers with RDStealer malware which monitors RDP connections and automatically steals data from local drives once they’re connected to the RDP server.

  • RDStealer comprises five modules: a keylogger, a persistence establisher, a data theft and exfiltration staging module, a clipboard content capturing tool, and a module controlling encryption/decryption functions, logging, and file manipulation utilities.

  • Upon activation, RDStealer continually checks for the availability of drives on the \\tsclient network shares. If it finds any, it notifies the C2 server and starts exfiltrating data.

  • RDStealer specifically targets locations and filename extensions associated with the KeePass password database, SSH private keys, the Bitvise SSH client, MobaXterm and mRemoteNG connections, aiming for credentials that can be used for lateral movement.

  • On other drives, RDStealer will scan everything, except certain locations unlikely to host valuable data.

  • The malware is found in specific folders, often excluded from scanning by security solutions.

  • Stolen data are stored locally as encrypted strings in the “C:\users\public\log.log” file until they are transmitted to the attackers’ servers.

  • The final stage of RDStealer’s execution is to activate two DLL files, the Logutil backdoor (“bithostw.dll”) and its loader (“ncobjapi.dll”).

  • The campaign also uses a custom Go-based backdoor named Logutil allowing remote execution of commands and file manipulation on an infected device.

  • Logutil uses passive and active DLL sideloading flaws to run on a breached system undetected and uses the Windows Management Instrumentation (WMI) as an activation trigger.

  • Logutil communicates directly with the C2, and obtains commands to execute. The C2 contains references to ESXi and Linux, suggesting multi-platform backdoor capabilities.
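As an added defender-side example (not part of the original briefing and not Acreto’s code), the following Python scans constructed endpoint event records for the RDStealer and Logutil behaviours listed above: credential reads through the \\tsclient share, the C:\users\public\log.log staging file, the two named DLLs loaded from outside System32, and a new WMI event consumer. The event format, its field names and the concrete credential-store file names are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Assumed event format (constructed for this example): one event per line,
# space-separated key=value pairs, values optionally double-quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Indicators taken from the write-up: staging file, Logutil DLL names,
# the RDP device-redirection share.
STAGING_FILE = "c:\\users\\public\\log.log"
SIDELOAD_DLLS = {"ncobjapi.dll", "bithostw.dll"}
SYSTEM32 = "c:\\windows\\system32\\"
TSCLIENT = "\\\\tsclient\\"

# Credential stores RDStealer looks for. The product list comes from the
# write-up; the concrete file names are assumptions for this example.
SENSITIVE_NAMES = {"confcons.xml", "mobaxterm.ini", "id_rsa", "id_ed25519"}
SENSITIVE_EXTS = (".kdbx", ".ppk")

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    r'ts=2023-06-20T09:58:11Z event=ImageLoad process="C:\Windows\System32\wbem\WmiPrvSE.exe" image="C:\Windows\System32\ncobjapi.dll"',
    r'ts=2023-06-20T09:58:12Z event=ImageLoad process="C:\Windows\System32\wbem\WmiPrvSE.exe" image="C:\ProgramData\Updates\ncobjapi.dll"',
    r'ts=2023-06-20T09:58:12Z event=WmiConsumer name="UpdaterConsumer" type=CommandLineEventConsumer',
    r'ts=2023-06-20T10:02:40Z event=FileRead process="C:\Windows\explorer.exe" path="\\tsclient\C\Users\jsmith\report.docx"',
    r'ts=2023-06-20T10:02:41Z event=FileRead process="C:\ProgramData\Updates\svc.exe" path="\\tsclient\C\Users\jsmith\vault.kdbx"',
    r'ts=2023-06-20T10:02:41Z event=FileRead process="C:\ProgramData\Updates\svc.exe" path="\\tsclient\C\Users\jsmith\.ssh\id_rsa"',
    r'ts=2023-06-20T10:02:42Z event=FileWrite process="C:\ProgramData\Updates\svc.exe" path="C:\Users\Public\log.log"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line into a dict with lower-cased keys."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        fields[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_sensitive(path: str) -> bool:
    name = _basename(path)
    return name in SENSITIVE_NAMES or name.endswith(SENSITIVE_EXTS)


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the RDStealer/Logutil indicators this event matches."""
    hits: List[str] = []
    kind = ev.get("event", "").lower()
    path = ev.get("path", "").lower()
    image = ev.get("image", "").lower()
    # 1. Encrypted staging file written before exfiltration.
    if kind in ("filecreate", "filewrite") and path == STAGING_FILE:
        hits.append("staging-file")
    # 2. Logutil DLL names loaded from somewhere other than System32
    #    (heuristic: the legitimate ncobjapi.dll lives in System32).
    if kind == "imageload" and _basename(image) in SIDELOAD_DLLS and not image.startswith(SYSTEM32):
        hits.append("dll-sideload")
    # 3. Credential material read through the RDP device-redirection share.
    if kind == "fileread" and path.startswith(TSCLIENT) and _is_sensitive(path):
        hits.append("tsclient-credential-read")
    # 4. WMI used as the activation trigger: a new permanent event consumer.
    if kind == "wmiconsumer":
        hits.append("wmi-event-consumer")
    return hits


def scan_lines(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line_number, indicators) for every line matching at least one indicator."""
    findings: List[Tuple[int, List[str]]] = []
    for n, line in enumerate(lines, 1):
        hits = check_event(parse_event(line))
        if hits:
            findings.append((n, hits))
    return findings


if __name__ == "__main__":
    for n, hits in scan_lines(SAMPLE_EVENTS):
        print(f"line {n}: {', '.join(hits)}")
```

Lines 1 and 4 of the sample are deliberately benign (the System32 copy of the DLL and an ordinary document on the redirected drive) so the checks show what they do not flag.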

New Mirai Botnet Variant Targets IoT Devices

A new variant of the well-known Mirai botnet has been identified as IZ1H9. This variant specifically targets Internet of Things (IoT) devices that operate on the Linux platform. What sets IZ1H9 apart is its unique capability to cannibalize devices already infected with previous versions of the Mirai botnet.

The botnet targets IoT devices that use the Linux operating system. The actions of IZ1H9’s creators suggest an intent to gain control over a vast network of IoT devices to execute powerful Distributed Denial of Service (DDoS) attacks. These attacks can render targeted online services, like websites, inaccessible by flooding them with an overwhelming amount of traffic.

IZ1H9 employs HTTP, SSH, and Telnet protocols to infect devices. It is equipped with a unique function that ensures only one instance of this malware operates on a device at a time. If another botnet process is detected, IZ1H9 terminates it, allowing it to erase not just other botnet families but also other variants of Mirai from the device.

This Mirai variant has been tracked since August 2018. Research revealed that a single threat actor has been actively deploying IZ1H9 since November 2021. It was not until mid-April of this year that the campaign was spotted. During that time, the threat actor targeted endpoints already infected with Mirai to replace previous iterations with IZ1H9.

The emergence of this new Mirai variant brings with it severe implications. Its focus on IoT devices, many of which are not updated or may not have the capability to be updated, means there is significant potential for widespread compromise.

Acreto Solution

Acreto’s innovative solution offers a comprehensive approach to tackle cyber threats such as the Mirai IZ1H9 variant, specifically designed for complex environments that involve various types of devices and network configurations.

  • Ecosystems Acreto’s Ecosystems can limit access to a specific application, use-case, project, or third-party, delivering a dedicated security infrastructure that supports any technology, on any network, anywhere in the world. This includes not only conventional devices like computers and mobile phones but also IoT devices and third-party applications. Such an approach could effectively mitigate threats like IZ1H9, confining its spread within a limited ecosystem and preventing it from infecting other systems.

  • Elimination of Internet and Internal Attack Surfaces Acreto’s solution eliminates any and all access from the Internet, which is instrumental in curbing the spread of IZ1H9, which relies on HTTP, SSH, and Telnet protocols. By utilizing micro-segmentation and nano-segmentation, Acreto isolates individual or groups of systems on a shared network or the entire network, limiting access only to systems that need to interoperate together.

  • Encrypted Secure Scan The Encrypted Secure Scan feature allows you to decrypt, scan, and re-encrypt communications inline and in real-time. This feature can detect and block any malicious content embedded in encrypted payloads, a vital feature given that IZ1H9 is a form of malware.

  • Access Controls Acreto employs a multi-faceted approach to access controls, encompassing user and device identities, network protocols, application protocols, and even specific application programs. These stringent controls effectively inhibit the spread of IZ1H9 by limiting its ability to communicate with other systems and networks.

  • Content Controls By applying content category controls and file type upload/download controls, Acreto can further enhance the security of its ecosystems. For instance, the prevention of uploading or downloading executable files (.exe) is instrumental in stopping the spread of botnets like IZ1H9.

  • Threat Prevention Acreto’s threat prevention capabilities incorporate threat signature identification and zero-day behavioral analysis. These methods, in combination with Encrypted Secure Scan, effectively identify and mitigate known threats like botnets and malware, as well as new, unknown threats.

  • Event Tracking & Management Lastly, the ease of provision, sustainability, and change management provided by Acreto’s solutions can ensure that the organization’s security posture remains robust and adaptable to new threats. This simplified management reduces the complexity of traditional security approaches, making it easier to respond to threats like IZ1H9 in a timely and effective manner.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

Fortinet RCE Vulnerability Affects FortiGate Firewalls

Fortinet has announced that a critical FortiOS SSL VPN vulnerability may have been exploited in recent cyber-attacks. The Remote Code Execution (RCE) vulnerability enables attackers to control a device remotely with the execution of arbitrary code.

Fortinet’s FortiGate firewalls are widely used across a range of organizations, including government, business, and infrastructure sectors, which all have become targets of this vulnerability.

Security researchers identified and are tracking the vulnerability as CVE-2023-27997. It was discovered during a code audit of the SSL-VPN module following another recent set of attacks against government organizations exploiting a FortiOS SSL-VPN zero-day vulnerability.

The RCE (CVE-2023-27997) affects the SSL VPN functionality of FortiGate firewalls. It can be exploited whether or not Multi-Factor Authentication (MFA) is enabled.

An SSL VPN (Secure Sockets Layer Virtual Private Network) allows remote users to access restricted network resources via an authenticated private pathway by encrypting all communication to and from particular destinations. This makes SSL VPNs critical for businesses that require remote and private access for their employees.

Fortinet has reported active exploitation of this vulnerability. Although a patch is now available, many devices remain vulnerable. These include older devices and units where the owners are not aware a patch is required.

Acreto Solution

Acreto addresses this challenge with:

  • Acreto’s solution eliminates internet and internal attack surfaces by providing segmented and isolated data flows among authorized systems and applications. It supports Micro-Segmentation and Nano-Segmentation to limit access only to other authorized Ecosystem members, effectively controlling who can interoperate with the systems.

  • Acreto’s Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time. This functionality ensures that even if a vulnerability like CVE-2023-27997 exists, any malicious content within encrypted communications is blocked before reaching its final destination.

  • Acreto’s solution also provides access control. It authorizes access based on the user’s identity with MFA, device identity, network protocol, application protocol, and even application program. This comprehensive approach to access control further strengthens the defense against any possible exploits of the RCE vulnerability.

  • Implementing Acreto’s solution is both simple and sustainable. The provision of an Ecosystem takes only a few minutes and doesn’t have hardware dependencies or related logistical challenges. This makes it an excellent solution for addressing immediate security concerns like CVE-2023-27997 and future-proofing your organization’s security.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

Mechanism of Attack

  • CVE-2023-27997 A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

Windows Malware Targets Defense & Aerospace

A new PowerShell malware script named ‘PowerDrop’ has been discovered being used to attack the U.S. Defense & Aerospace industry. The cyber threat was discovered by security researchers during a routine analysis of a U.S. Defense contractor’s network.

PowerDrop is a stealthy Windows PowerShell script that can drop into networks undetected. It leverages the Windows Management Instrumentation (WMI) service, a legitimate system tool on Windows computers, and encodes itself using Base64. This allows PowerDrop to function as a persistent Remote Access Trojan (RAT) within compromised networks.

The insidious nature of PowerDrop lies in its clever misuse of the WMI system. By pre-registering itself as an ‘event filter and consumer’, it sets up a trigger-action system in which a specific event initiates the execution of its malicious PowerShell script. Like a wolf in sheep’s clothing, this tactic enables PowerDrop to run its script frequently using standard system processes, evading detection. The malware uses AES (Advanced Encryption Standard) encryption for its communications, which, combined with its strategy of never manifesting as a “.ps1” script file on disk, significantly enhances its stealth capabilities.

Few details are available on the number of PowerDrop infestations; however, there have been reports of widespread instances where this malware has been found. It appears the malware may be associated with a common piece of software, but further information is required to confirm this.

Its focus on a highly sensitive sector, combined with its timing, suggests that a state-sponsored actor might be behind this string of attacks. Given its stealth capabilities and the sensitivity of its targets, PowerDrop can cause significant damage, both in terms of data loss and potential service disruptions.

Acreto Solution

Acreto’s Ecosystem solution can offer a comprehensive defense against the PowerDrop malware attack.

  • Reduced Attack Surface By delivering dedicated security infrastructure per application, use-case, project, or third party, Acreto inherently limits access only to those entities that need to interoperate together. This significantly reduces the attack surface which attackers could exploit.

  • Isolation Using micro-segmentation and nano-segmentation, Acreto isolates individual or groups of systems on a shared network or entire networks, limiting access only to systems that need to interoperate together. This approach could prevent the lateral movement of PowerDrop within your infrastructure.

  • Encrypted Secure Scan As PowerDrop sends encrypted commands, Acreto’s Encrypted Secure Scan can decrypt, scan, and re-encrypt communications in real-time. This feature would allow it to detect and block malicious payloads embedded in the encrypted command from the C2 server.

  • Access Control PowerDrop uses the ICMP protocol for its beaconing process, and with Acreto, you can control network protocols and ports that any ecosystem member can use. Limiting or scrutinizing ICMP usage could help in detecting PowerDrop’s beaconing process. Additionally, Acreto controls the application program and application protocol access, adding another layer of security.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

Ecosystem Security Isolation

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Open → With inbound or outbound access from or to the Internet or a third-party

Closed → Fully contained with access limited to Ecosystem members

Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with

  • Micro-Segmentation Segmenting groups of systems on any shared network, including hostile networks or the entire network.

  • Nano-Segmentation Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.

Isolated Data Flows

Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications are encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.

Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.

Controls

Access Control

Identity with MFA

  • User Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organization’s Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.

  • Device Assigns a unique identity to each device to validate that a device that does not rely on a user to operate, such as an autonomous application or IoT device, is allowed to join the Ecosystem.

Network Protocol / Port

Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Protocol

Control the application protocol (HTTP, DNS, SMTP, SMB, etc…) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Program

Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc…) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Content

Content Category

Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.

File Type Upload / Download Controls

Control upload / download of files by type, such as .EXE, PDF, XLS, DOC, SCR, and MSI, among hundreds of options.

Data Leak Prevention

Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:

  • Credit Cards Upload / Download Controls

  • Social Security Number Upload / Download Controls

  • RegEx Pattern Upload / Download Controls

Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

Threat Signature

Identifies and mitigates known bad exploits, malware, botnets and ransomware.

Zero-Day Behavioral Analysis

Looks for behavioral indication of threats based on how system functions react to the payload, immediately and over time.


Mechanisms of Attack

  • Infection The initial compromise is unclear, but the attackers might deploy the PowerDrop script using an exploit, phishing emails, or spoofed software download sites.

  • Execution PowerDrop is a PowerShell script that is executed by the Windows Management Instrumentation (WMI) service. It’s encoded using Base64 and functions as a backdoor or Remote Access Trojan (RAT).

  • Registration PowerDrop registers previously created WMI event filters and consumers named ‘SystemPowerManager’ using the ‘wmic.exe’ command-line tool. This is done upon system compromise.

  • Triggering WMI, a built-in Windows feature, is used to trigger PowerShell command queries for updates to a performance-monitoring class. This class is frequently updated with performance-related information, and the WMI event filter is triggered when the class is updated, leading to the execution of the PowerShell script. The filter is throttled to once every 120 seconds as long as the WMI class has been updated.

  • Beaconing After the script is activated, PowerDrop sends a hardcoded ICMP echo to its Command and Control (C2) server address to indicate that a new infection is active. The payload of this ICMP echo is an unobfuscated UTF16-LE encoded string, which allows the C2 infrastructure to distinguish it from random probes.

  • Command Reception and Execution After the beacon is sent, PowerDrop waits for a response from the C2 server, typically an encrypted and padded payload containing a command. The malware decrypts the payload using a hardcoded 128-bit AES key and a 128-bit initialization vector and executes the command on the infected host.

  • Feedback The malware sends the results of the command execution back to the C2 server. If the results are too large, they’re split into 128-byte chunks and transmitted in a stream of multiple messages.

This strategy allows PowerDrop to stealthily infiltrate systems, execute commands remotely, and send valuable data back to attackers.
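As an added, defender-side illustration (not code from the original page or from Acreto), the following Python heuristic parses ICMP echo requests and flags those whose payload is plain UTF-16LE text, the trait the beaconing step above describes; the packets, the ping filler and the beacon string are constructed samples.

```python
import struct

# Constructed samples (not real captures): standard ping filler for contrast
# with a hypothetical UTF-16LE text beacon of the kind described above.
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING = b"\x00" * 8 + bytes(range(0x10, 0x40))   # timestamp + 0x10..0x3f
BEACON = "beacon-test".encode("utf-16-le")            # hypothetical beacon string


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header and payload."""
    data += b"\x00" * (len(data) % 2)                 # pad odd-length payloads
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8, code 0); used only to make samples."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes):
    """Return (ident, seq, payload) for a well-formed echo request, else None."""
    if len(packet) < 8:
        return None
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if typ != 8 or code != 0:
        return None
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != csum:
        return None                                   # corrupted or forged header
    return ident, seq, packet[8:]


def looks_like_utf16le_text(payload: bytes, min_chars: int = 4) -> bool:
    """True if the payload is ASCII-range UTF-16LE text rather than ping filler."""
    if len(payload) % 2 or len(payload) < 2 * min_chars:
        return False
    try:
        text = payload.decode("utf-16-le")
    except UnicodeDecodeError:
        return False
    return all(0x20 <= ord(c) < 0x7F for c in text)  # every char printable ASCII


def suspicious_echo_requests(packets):
    """(ident, seq) of echo requests whose payload decodes as plain text."""
    parsed = (p for p in map(parse_echo, packets) if p)
    return [(i, s) for i, s, payload in parsed if looks_like_utf16le_text(payload)]
```

Standard ping filler decodes to non-ASCII or NUL characters and is ignored, while ordinary text encoded as UTF-16LE is reported by (ident, seq) for triage.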

About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.