New P2PInfect Worm Targets Redis Servers with Undocumented Breach Methods
31.7.23 Virus The Hacker News
The P2PInfect peer-to-peer (P2P) worm has been observed employing previously undocumented initial access methods to breach susceptible Redis servers and rope them into a botnet.
"The malware compromises exposed instances of the Redis data store by exploiting the replication feature," Cado Security researchers Nate Bill and Matt Muir said in a report shared with The Hacker News.
"A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication. This is achieved via connecting to an exposed Redis instance and issuing the SLAVEOF command."
The Rust-based malware was first documented by Palo Alto Networks Unit 42, calling out the malware's ability to exploit a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) to obtain a foothold into Redis instances. The campaign is believed to have commenced on or after June 29, 2023.
However, the latest discovery suggests that the threat actors behind the campaign are leveraging multiple exploits for initial access.
This is not the first time the SLAVEOF command has been abused in the wild. Previously, threat actors associated with malware families such as H2Miner and HeadCrab have abused the attack technique to illicitly mine cryptocurrency on compromised hosts.
In doing so, the goal is to replicate a malicious instance and load a malicious module to activate the infection.
Another initial access vector entails the registration of a malicious cron job on the Redis host to download the malware from a remote server upon execution, a method previously observed in attacks mounted by the WatchDog cryptojacking group.
A successful breach is followed by the distribution of next-stage payloads that allow the malware to alter iptables firewall rules at will, upgrade itself, and potentially deploy cryptocurrency miners at a later date once the botnet has grown to a specific size.
"The P2Pinfect malware makes use of a peer-to-peer botnet," the researchers said. "Each infected server is treated as a node, which then connects to other infected servers. This allows the entire botnet to gossip with each other without using a centralized C2 server."
A notable trait of the botnet is its worming behavior, enabling it to expand its reach by using a list of passwords to brute-force SSH servers and attempting to exploit the Lua sandbox escape vulnerability or use the SLAVEOF command in the case of Redis servers.
"P2Pinfect is well-designed and utilizes sophisticated techniques for replication and C2," the researchers concluded. "The choice of using Rust also allows for easier portability of code across platforms (with the Windows and Linux binaries sharing a lot of the same code), while also making static analysis of the code significantly harder."
Patchwork Hackers Target Chinese Research Organizations Using EyeShell Backdoor
31.7.23 Virus The Hacker News
Threat actors associated with the hacking crew known as Patchwork have been spotted targeting universities and research organizations in China as part of a recently observed campaign.
The activity, according to KnownSec 404 Team, entailed the use of a backdoor codenamed EyeShell.
Patchwork, also known by the names Operation Hangover and Zinc Emerson, is suspected to be a threat group that operates on behalf of India. Active since at least December 2015, attack chains mounted by the outfit have a narrow focus and tend to single out Pakistan and China with custom implants such as BADNEWS via spear-phishing and watering hole attacks.
The adversarial collective has been found to share tactical overlaps with other cyber-espionage groups with an Indian connection, including SideWinder and the DoNot Team.
Earlier this May, Meta disclosed that it took down 50 accounts on Facebook and Instagram operated by Patchwork, which took advantage of rogue messaging apps uploaded to the Google Play Store to collect data from victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.
"Patchwork relied on a range of elaborate fictitious personas to socially engineer people into clicking on malicious links and downloading malicious apps," the social media giant said.
"These apps contained relatively basic malicious functionality with the access to user data solely reliant on legitimate app permissions granted by the end user. Notably, Patchwork created a fake review website for chat apps where they listed the top five communication apps, putting their own, attacker-controlled app at the top of the list."
Some of its activities have also been reported under the name ModifiedElephant, according to Secureworks, referring to a set of attacks against human rights activists, academics, and lawyers across India to conduct long-term surveillance and plant "incriminating digital evidence" in connection with the 2018 Bhima Koregaon violence in the state of Maharashtra.
EyeShell, detected alongside BADNEWS, is a .NET-based modular backdoor that comes with capabilities to establish contact with a remote command-and-control (C2) server and execute commands to enumerate files and directories, download and upload files to and from the host, execute a specified file, delete files, and capture screenshots.
The findings come as the cybersecurity company also detailed another wave of phishing attacks orchestrated by a group called Bitter aimed at aerospace, military, large enterprises, national government affairs, and universities in the country with a new backdoor known as ORPCBackdoor.
The South Asian threat actor was previously detected targeting the nuclear energy industry in China with malware downloaders delivered via CHM and Microsoft Excel Files that are designed to create persistence and retrieve further payloads.
AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service
31.7.23 BotNet The Hacker News
More details have emerged about a botnet called AVRecon, which has been observed making use of compromised small office/home office (SOHO) routers as part of a multi-year campaign active since at least May 2021.
AVRecon was first disclosed by Lumen Black Lotus Labs earlier this month as malware capable of executing additional commands and stealing victim's bandwidth for what appears to be an illegal proxy service made available for other actors. It has also surpassed QakBot in terms of scale, having infiltrated over 41,000 nodes located across 20 countries worldwide.
"The malware has been used to create residential proxy services to shroud malicious activity such as password spraying, web-traffic proxying, and ad fraud," the researchers said in the report.
This has been corroborated by new findings from KrebsOnSecurity and Spur.us, which last week revealed that "AVrecon is the malware engine behind a 12-year-old service called SocksEscort, which rents hacked residential and small business devices to cybercriminals looking to hide their true location online."
The basis for the connection stems from direct correlations between SocksEscort and AVRecon's command-and-control (C2) servers. SocksEscort is also said to share overlaps with a Moldovan company named Server Management LLC that offers a mobile VPN solution on the Apple Store called HideIPVPN.
Black Lotus Labs told The Hacker News that the new infrastructure it identified in connection with the malware exhibited the same characteristics as the old AVrecon C2s.
The new SocksEscort nodes, which shifted during the second week of July (Source: Lumen Black Lotus Labs)
"We assess that the threat actors were reacting to our publication and null-routing of infrastructure, and attempting to maintain control over the botnet," the company said. "This suggests the actors wish to further monetize the botnet by maintaining some access and continue enrolling users in the SocksEscort 'proxy as a service.'"
Routers and other edge appliances have become lucrative attack vectors in recent years owing to the fact that such devices are infrequently patched against security issues, may not support endpoint detection and response (EDR) solutions, and are designed to handle higher bandwidths.
AVRecon also poses a heightened threat for its ability to spawn a shell on a compromised machine, potentially enabling threat actors to obfuscate their own malicious traffic or retrieve further malware for post-exploitation.
"While these bots are primarily being added to the SocksEscort proxy service, there was embedded functionality within the file to spawn a remote shell," the researchers said.
"This could allow the threat actor the ability to deploy additional modules, so we suggest that managed security providers attempt to investigate these devices in their networks, while home users should power-cycle their devices."
Fruity Trojan Uses Deceptive Software Installers to Spread Remcos RAT
31.7.23 Virus The Hacker News
Threat actors are creating fake websites hosting trojanized software installers to trick unsuspecting users into downloading a downloader malware called Fruity with the goal of installing remote access trojans like Remcos RAT.
"Among the software in question are various instruments for fine-tuning CPUs, graphic cards, and BIOS; PC hardware-monitoring tools; and some other apps," cybersecurity vendor Doctor Web said in an analysis.
"Such installers are used as a decoy and contain not only the software potential victims are interested in, but also the trojan itself with all its components."
The exact initial access vector used in the campaign is unclear but it could potentially range from phishing to drive-by downloads to malicious ads. Users who land on the fake site are prompted to download a ZIP installer package.
The installer, besides activating the standard installation process, stealthily drops the Fruity trojan, a Python-based malware that unpacks an MP3 file ("Idea.mp3") to load an image file ("Fruit.png") to activate the multi-stage infection.
"This image file uses the steganography method to hide two executables (.dll libraries) and the shellcode for the next-stage initialization inside it," Doctor Web said.
Fruity is also designed to bypass antivirus detection on the compromised host and ultimately launch the Remcos RAT payload using a technique called process doppelgänging.
That said, the attack sequence could be exploited to distribute all kinds of malware, which makes it imperative that users stick to downloading software only from trustworthy sources.
The development comes as Bitdefender disclosed details of a malspam campaign delivering the Agent Tesla malware to harvest sensitive data from compromised endpoints.
It also follows a surge in malvertising operations that have targeted customers and businesses with tainted software boosted via ads on search engines.
This includes a new wave of attacks dubbed Nitrogen in which fraudulent ISO archives are distributed using bogus ads that impersonate download pages for applications such as AnyDesk, WinSCP, Cisco AnyConnect, Slack, and TreeSize.
"This malvertising campaign leads to the propagation of the infection after initial exposure," Bitdefender researchers Victor Vrabie and Alexandru Maximciuc said.
"For as long as they dwell in the victim's network, the attackers' primary goal is to obtain credentials, set up persistence on important systems and exfiltrate data, with extortion as the end goal."
Multiple Flaws Found in Ninja Forms Plugin Leave 800,000 Sites Vulnerable
31.7.23 Vulnerability The Hacker News
Multiple security vulnerabilities have been disclosed in the Ninja Forms plugin for WordPress that could be exploited by threat actors to escalate privileges and steal sensitive data.
The flaws, tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, impact versions 3.6.25 and below, Patchstack said in a report last week. Ninja Forms is installed on over 800,000 sites.
A brief description of each of the vulnerabilities is below -
CVE-2023-37979 (CVSS score: 7.1) - A POST-based reflected cross-site scripting (XSS) flaw that could allow any unauthenticated user to achieve privilege escalation on a target WordPress site by tricking privileged users to visit a specially crafted website.
CVE-2023-38386 and CVE-2023-38393 - Broken access control flaws in the form submissions export feature that could enable a bad actor with Subscriber and Contributor roles to export all Ninja Forms submissions on a WordPress site.
Users of the plugin are recommended to update to version 3.6.26 to mitigate potential threats.
The disclosure comes as Patchstack revealed another reflected XSS flaw in the Freemius WordPress software development kit (SDK) affecting versions prior to 2.5.10 (CVE-2023-33999) that could be exploited to obtain elevated privileges.
Also discovered by the WordPress security company is a critical bug in the HT Mega plugin (CVE-2023-37999) present in versions 2.2.0 and below that enables any unauthenticated user to escalate their privilege to that of any role on the WordPress site.
New Android Malware CherryBlos Utilizing OCR to Steal Sensitive Data
30.7.23 Android The Hacker News
A new Android malware strain called CherryBlos has been observed making use of optical character recognition (OCR) techniques to gather sensitive data stored in pictures.
CherryBlos, per Trend Micro, is distributed via bogus posts on social media platforms and comes with capabilities to steal cryptocurrency wallet-related credentials and act as a clipper, substituting wallet addresses when a string matching a predefined format is copied to the clipboard.
Once installed, the app asks the user to grant it accessibility permissions, which allow it to automatically grant itself additional permissions as required. As a defense evasion measure, users attempting to kill or uninstall the app by entering the Settings app are redirected back to the home screen.
Besides displaying fake overlays on top of legitimate crypto wallet apps to steal credentials and make fraudulent fund transfers to an attacker-controlled address, CherryBlos utilizes OCR to recognize potential mnemonic phrases from images and photos stored on the device, the results of which are periodically uploaded to a remote server.
The success of the campaign banks on the possibility that users tend to take screenshots of the wallet recovery phrases on their devices.
Trend Micro said it also found an app developed by the CherryBlos threat actors on the Google Play Store but without the malware embedded into it. The app, named Synthnet, has since been taken down by Google.
The threat actors also appear to share overlaps with another activity set involving 31 scam money-earning apps, dubbed FakeTrade, hosted on the official app marketplace based on the use of shared network infrastructure and app certificates.
Most of the apps were uploaded to the Play Store in 2021 and have been found to target Android users in Malaysia, Vietnam, Indonesia, Philippines, Uganda, and Mexico.
"These apps claim to be e-commerce platforms that promise increased income for users via referrals and top-ups," Trend Micro said. "However, users will be unable to withdraw their funds when they attempt to do so."
The disclosure comes as McAfee detailed an SMS phishing campaign against Japanese Android users that masquerades as a power and water infrastructure company to infect the devices with malware called SpyNote. The campaign took place in early June 2023.
"After launching the malware, the app opens a fake settings screen and prompts the user to enable the Accessibility feature," McAfee researcher Yukihiro Okutomi said last week.
"By allowing the Accessibility service, the malware disables battery optimization so that it can run in the background and automatically grants unknown source installation permission to install another malware without the user's knowledge."
It's no surprise that malware authors constantly seek new approaches to lure victims and steal sensitive data in the ever-evolving cyber threat landscape.
Google, last year, began taking steps to curb the misuse of accessibility APIs by rogue Android apps to covertly gather information from compromised devices by blocking sideloaded apps from using accessibility features altogether.
But stealers and clippers just represent one of the many kinds of malware – such as spyware and stalkerware – that are used to track targets and gather information of interest, posing severe threats to personal privacy and security.
New research published this week found that a surveillance app called SpyHide is stealthily collecting private phone data from nearly 60,000 Android devices around the world since at least 2016.
"Some of the users (operators) have multiple devices connected to their account, with some having as much as 30 devices they've been watching over a course of multiple years, spying on everyone in their lives," a security researcher, who goes by the name maia arson crimew, said.
It's therefore crucial for users to remain vigilant when downloading apps from unverified sources, verify developer information, and scrutinize app reviews to mitigate potential risks.
The fact that there is nothing stopping threat actors from creating bogus developer accounts on the Play Store to distribute malware hasn't gone unnoticed by Google.
Earlier this month, the search giant announced that it will require all new developer accounts registering as an organization to provide a valid D-U-N-S number assigned by Dun & Bradstreet before submitting apps in an effort to build user trust. The change goes into effect on August 31, 2023.
Apple Sets New Rules for Developers to Prevent Fingerprinting and Data Misuse
30.7.23 Apple The Hacker News
Apple has announced plans to require developers to submit reasons to use certain APIs in their apps starting later this year with the release of iOS 17, iPadOS 17, macOS Sonoma, tvOS 17, and watchOS 10 to prevent their abuse for data collection.
"This will help ensure that apps only use these APIs for their intended purpose," the company said in a statement. "As part of this process, you'll need to select one or more approved reasons that accurately reflect how your app uses the API, and your app can only use the API for the reasons you've selected."
The APIs that require reasons for use relate to the following -
File timestamp APIs
System boot time APIs
Disk space APIs
Active keyboard APIs, and
User defaults APIs
The iPhone maker said it's making the move to ensure that such APIs are not abused by app developers to collect device signals to carry out fingerprinting, which could be employed to uniquely identify users across different apps and websites for other purposes such as targeted advertising.
The policy enforcement, which goes live in Fall 2023 and also extends to visionOS, will require developers submitting new apps or app updates to declare the reasons for using these "required reason APIs" in their app's privacy manifest. Starting Spring 2024, apps that don't describe their use of the APIs in their privacy manifest file will be rejected.
"Regardless of whether a user gives your app permission to track, fingerprinting is not allowed," Apple explicitly cautions in its developer documentation. "Your app or third-party SDK must declare one or more approved reasons that accurately reflect your use of each of these APIs and the data derived from their use."
"You may use these APIs and the data derived from their use for the declared reasons only. These declared reasons must be consistent with your app's functionality as presented to users, and you may not use the APIs or derived data for tracking."
Hackers Deploy "SUBMARINE" Backdoor in Barracuda Email Security Gateway Attacks
30.7.23 Vulnerability The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday disclosed details of a "novel persistent backdoor" called SUBMARINE deployed by threat actors in connection with the hack on Barracuda Email Security Gateway (ESG) appliances.
"SUBMARINE comprises multiple artifacts — including a SQL trigger, shell scripts, and a loaded library for a Linux daemon — that together enable execution with root privileges, persistence, command and control, and cleanup," the agency said.
The findings come from an analysis of malware samples obtained from an unnamed organization that had been compromised by threat actors exploiting a critical flaw in ESG devices, CVE-2023-2868 (CVSS score: 9.8), which allows for remote command injection.
Evidence gathered so far shows that the attackers behind the activity, a suspected China nexus-actor tracked by Mandiant as UNC4841, leveraged the flaw as a zero-day in October 2022 to gain initial access to victim environments and implanted backdoors to establish and maintain persistence.
To that end, the infection chain involved sending phishing emails with booby-trapped TAR file attachments to trigger exploitation, leading to the deployment of a reverse shell payload to establish communication with the threat actor's command-and-control (C2) server, from where a passive backdoor known as SEASPY is downloaded for executing arbitrary commands on the device.
SUBMARINE, also codenamed DEPTHCHARGE by the Google-owned threat intelligence firm, is the latest malware family to be discovered in connection with the operation. Executed with root privileges, it resides in a Structured Query Language (SQL) database on the ESG appliance.
It's believed to have been "deployed in response to remediation efforts," echoing Mandiant's characterization of the adversary as an aggressive actor capable of quickly altering their malware and employing additional persistence mechanisms in an attempt to maintain their access.
The agency further said it "analyzed artifacts related to SUBMARINE that contained the contents of the compromised SQL database," and that it "poses a severe threat for lateral movement."
Ivanti Warns of Another Endpoint Manager Mobile Vulnerability Under Active Attack
30.7.23 Vulnerability The Hacker News
Ivanti has disclosed yet another security flaw impacting Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, that it said has been weaponized as part of an exploit chain by malicious actors in the wild.
The new vulnerability, tracked as CVE-2023-35081 (CVSS score: 7.8), impacts supported versions 11.10, 11.9, and 11.8, as well as those that are currently end-of-life (EoL).
"CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server," the company said in an advisory. "This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs restrictions (if applicable)."
A successful exploit could allow a threat actor to write arbitrary files on the appliance, thereby enabling the malicious party to execute OS commands on the appliance as the tomcat user.
"As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078 as being impacted by CVE-2023-35081," the company added.
It's worth noting that CVE-2023-35078 is a critical remote unauthenticated API access vulnerability that permits remote attackers to obtain sensitive information, add an EPMM administrative account, and change the configuration because of an authentication bypass.
The security flaws have been exploited by unknown actors targeting Norwegian government entities, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to release an alert urging users and organizations to apply the latest fixes.
The development also comes as the Google Project Zero team said 41 in-the-wild 0-days were detected and disclosed in 2022, down from 69 in 2021, noting that 17 of those are variants of previously public vulnerabilities.
"Similar to the overall numbers, there was a 42% drop in the number of detected in-the-wild 0-days targeting browsers from 2021 to 2022, dropping from 26 to 15," Google TAG researcher Maddie Stone said.
"We assess this reflects browsers' efforts to make exploitation more difficult overall as well as a shift in attacker behavior away from browsers towards zero-click exploits that target other components on the device."
IcedID Malware Adapts and Expands Threat with Updated BackConnect Module
30.7.23 Virus The Hacker News
The threat actors linked to the malware loader known as IcedID have made updates to the BackConnect (BC) module that's used for post-compromise activity on hacked systems, new findings from Team Cymru reveal.
IcedID, also called BokBot, is a strain of malware similar to Emotet and QakBot that started off as a banking trojan in 2017, before switching to the role of an initial access facilitator for other payloads. Recent versions of the malware have been observed removing functionality related to online banking fraud to prioritize ransomware delivery.
The BackConnect (BC) module, first documented by Netresec in October 2022, relies on a proprietary command-and-control (C2) protocol to exchange commands between a server and the infected host. The protocol, which comes with a VNC component for remote access, has also been identified in other malware such as the now-discontinued BazarLoader and QakBot.
In December 2022, Team Cymru reported the discovery of 11 BC C2s active since July 1, 2022, noting that operators likely located in Moldova and Ukraine are overseeing distinct elements of the BC protocol.
"For the past several months, BackConnect traffic caused by IcedID was easy to detect because it occurred over TCP port 8080," Palo Alto Networks Unit 42 said in late May 2023. "However, as early as April 11, 2023, BackConnect activity for IcedID changed to TCP port 443, making it harder to find."
The latest analysis of the attack infrastructure from Team Cymru has revealed that the number of BC C2s has shot up from 11 to 34 since January 23, 2023, with the average uptime of a server dropping significantly from 28 days to eight days.
"Since April 11, 2023, a total of 20 high confidence BC C2 servers were identified, based on pivots from management infrastructure," the cybersecurity firm said in a report shared with The Hacker News.
"The first observation is that the number of concurrent C2 servers in operation has increased [...], with as many as four C2 servers receiving management communications on a particular day."
A further examination of the traffic originating from BC C2 servers has uncovered as many as eight candidate victims between late April 2023 and June 2023 that "communicated with three or more BC C2s over a relatively long period of time."
It's also suspected that the same IcedID operator or affiliate is accessing multiple victims within the same time frame, based on the volume of traffic observed between the victims and the servers.
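The victim-identification heuristic described above (hosts that talk to three or more BC C2s over a relatively long period, with traffic that since April 2023 can sit on TCP 443 rather than 8080) can be applied to NetFlow-style records. The following is an added example written for this page, not Team Cymru's or Unit 42's code: it takes flow records and a watchlist of suspected BC C2 addresses and returns the sources that meet a configurable threshold on distinct C2s and observation span. All IP addresses, dates and the watchlist are constructed; the thresholds (three C2s, 14 days) are this example's assumptions, chosen to reflect the passage.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

# Constructed NetFlow-style records: (day, src_ip, dst_ip, dst_port). Not real data.
FLOWS = [
    (date(2023, 4, 20), "192.0.2.10", "198.51.100.1", 8080),
    (date(2023, 4, 22), "192.0.2.10", "198.51.100.2", 443),
    (date(2023, 5, 15), "192.0.2.10", "198.51.100.3", 443),
    (date(2023, 6, 1),  "192.0.2.10", "198.51.100.2", 443),
    (date(2023, 5, 2),  "192.0.2.20", "198.51.100.1", 443),
    (date(2023, 5, 3),  "192.0.2.20", "198.51.100.4", 443),
    (date(2023, 5, 3),  "192.0.2.20", "198.51.100.5", 443),   # three C2s, but only two days
    (date(2023, 5, 9),  "192.0.2.30", "198.51.100.1", 443),
    (date(2023, 6, 9),  "192.0.2.30", "203.0.113.9", 443),    # destination not on the watchlist
]

# Constructed watchlist standing in for "high confidence BC C2 servers".
BC_C2_WATCHLIST = {"198.51.100.1", "198.51.100.2", "198.51.100.3",
                   "198.51.100.4", "198.51.100.5"}


@dataclass
class Candidate:
    src: str
    c2s: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    first_seen: date = date.max
    last_seen: date = date.min

    @property
    def c2_count(self) -> int:
        return len(self.c2s)

    @property
    def span_days(self) -> int:
        return (self.last_seen - self.first_seen).days


def find_candidate_victims(flows, c2_watchlist, min_c2s: int = 3,
                           min_days: int = 14) -> list[Candidate]:
    """Return sources that contacted >= min_c2s distinct watchlisted C2s
    across an observation window of >= min_days days.

    The destination port is recorded but deliberately not used as a filter,
    since BC traffic moved from 8080 to 443 in April 2023."""
    by_src: dict[str, Candidate] = defaultdict(lambda: Candidate(src=""))
    for day, src, dst, dport in flows:
        if dst not in c2_watchlist:
            continue
        c = by_src[src]
        c.src = src
        c.c2s.add(dst)
        c.ports.add(dport)
        c.first_seen = min(c.first_seen, day)
        c.last_seen = max(c.last_seen, day)

    hits = [c for c in by_src.values()
            if c.c2_count >= min_c2s and c.span_days >= min_days]
    return sorted(hits, key=lambda c: (-c.c2_count, c.src))


if __name__ == "__main__":
    for c in find_candidate_victims(FLOWS, BC_C2_WATCHLIST):
        print(f"{c.src}: {c.c2_count} C2s over {c.span_days} days, ports {sorted(c.ports)}")
```

On the constructed flows only 192.0.2.10 qualifies: it reached three watchlisted C2s over 42 days, on both 8080 and 443. 192.0.2.20 also touched three C2s but within two days, which is more consistent with a scanner or a short-lived sandbox than with a long-running infection, and 192.0.2.30 only ever contacted one. The span threshold is what separates the two, which is why the passage's "relatively long period of time" matters as much as the C2 count.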
"It would appear BC is deployed alongside the usual IcedID loader and bot infections," Josh Hopkins, head of S2 Threat Analyst Unit at Team Cymru, told The Hacker News, adding "we see no clear distinction in infrastructure in how it's accessed by victims and threat actors."
The cybersecurity firm also told the publication that two of the IcedID forks that emerged in the wild in February 2023 sans the banking fraud and BackConnect modules have not been detected in the wild recently, suggesting that they could have been short-lived experiments.
"In examining management infrastructure associated with IcedID BC, we are also able to discern a pattern of multiple distinct accesses from users we assess to be both associated with the day to day operations of IcedID, and their affiliates who interact with victim hosts post-compromise," Team Cymru said.
"The evidence in our NetFlow data suggests that certain IcedID victims are used as proxies in spamming operations, enabled by BC's SOCKS capabilities. This is a potential double blow for victims, not only are they compromised and incurring data / financial loss, but they are also further exploited for the purposes of spreading further IcedID campaigns."
STARK#MULE Targets Koreans with U.S. Military-themed Document Lures
28.7.23 BigBrothers The Hacker News
An ongoing cyber attack campaign has set its sights on Korean-speaking individuals by employing U.S. Military-themed document lures to trick them into running malware on compromised systems.
Cybersecurity firm Securonix is tracking the activity under the name STARK#MULE.
"Based on the source and likely targets, these types of attacks are on par with past attacks stemming from typical North Korean groups such as APT37 as South Korea has historically been a primary target of the group, especially its government officials," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.
APT37, also known by the names Nickel Foxcroft, Reaper, Ricochet Chollima, and ScarCruft, is a North Korean nation-state actor that's known to exclusively focus on targets in its southern counterpart, specifically those involved in reporting on North Korea and supporting defectors.
Attack chains mounted by the group have historically relied on social engineering to phish victims and deliver payloads such as RokRat onto target networks. That said, the adversarial collective has expanded its offensive arsenal with a variety of malware families in recent months, including a Go-based backdoor called AblyGo.
A notable trait of the new campaign is the use of compromised Korean e-commerce websites for staging payloads and command-and-control (C2) in an attempt to fly under the radar of security solutions installed on the systems.
The phishing emails that act as the progenitor make use of U.S. Army recruitment messages to convince recipients into opening a ZIP archive file, which contains a shortcut file that appears under the guise of a PDF document.
The shortcut file, when launched, displays a decoy PDF, but also surreptitiously activates the execution of a rogue "Thumbs.db" file present in the archive file.
"This file performs several functions which include downloading further stagers and leveraging schtasks.exe to establish persistence," the researchers explained.
Two of the next-stage modules – "lsasetup.tmp" and "winrar.exe" – are retrieved from a compromised e-commerce website named "www.jkmusic.co[.]kr," the latter of which is used to extract and run the contents of "lsasetup.tmp," an obfuscated binary that reached out to a second e-commerce site named "www.notebooksell[.]kr."
"Once the connection was established, the attackers were able to acquire system details such as system MAC, Windows version, [and] IP address," the researchers said. "Both websites are registered in Korea [and] only utilize the HTTP protocol."
The disclosure comes as APT37 has also been observed making use of CHM files in phishing emails impersonating security emails from financial institutes and insurance companies to deploy information-stealing malware and other binaries, according to the AhnLab Security Emergency Response Center (ASEC).
"In particular, malware that targets specific users in Korea may include content on topics of interest to the user to encourage them to execute the malware, so users should refrain from opening emails from unknown sources and should not execute their attachments," ASEC said.
APT37 is one of the many North Korean state-sponsored groups that have drawn attention for executing attacks that are designed to perpetrate financial theft – including the recent attacks on Alphapo and CoinsPaid – and gather intelligence in pursuit of the regime's political and national security objectives.
This also comprises the notorious Lazarus Group and its sub-clusters Andariel and BlueNoroff, with the actors leveraging a new backdoor dubbed ScoutEngine and a completely rewritten version of a malware framework called MATA (MATAv5) in intrusions aimed at defense contractors in Eastern Europe in September 2022.
"This sophisticated malware, completely rewritten from scratch, exhibits an advanced and complex architecture that makes use of loadable and embedded modules and plugins," Kaspersky said in its APT trends report for Q2 2023.
"The malware leverages Inter-Process Communication (IPC) channels internally and employs a diverse range of commands, enabling it to establish proxy chains across various protocols, including within the victim's environment."
A Data Exfiltration Attack Scenario: The Porsche Experience
28.7.23 Incident The Hacker News
As part of Checkmarx's mission to help organizations develop and deploy secure software, the Security Research team started looking at the security posture of major car manufacturers. Porsche has a well-established Vulnerability Reporting Policy (Disclosure Policy) [1], so it was considered in scope for our research, and we decided to start there and see what we could find.
What we found is an attack scenario that results from chaining security issues found on different Porsche assets, a website and a GraphQL API, that could lead to data exfiltration. Data exfiltration is an attack technique that can impact businesses and organizations regardless of size. When malicious users breach a company's or organization's systems and exfiltrate data, it can be a jarring and business-critical moment.
Porsche has a diverse online presence - deploying several microsites, websites, and web applications. The Porsche Experience [2] is one website that allows registered users to manage a virtual garage, book experiences (such as track days), as well as manage bookings and invoices. From a technical perspective this website is a single-page application (SPA) backed by a GraphQL API (https://experience.porsche.com/graphql) used to fetch data and perform operations such as user authentication, user profile updates, event bookings, etc.
While initially exploring the website, the team noticed some interesting API requests. More specifically, the jwtToken cookie and the Appauthorization HTTP request header both had the same value.
The image above shows the original API request issued by the website front-end to retrieve the user profile after a successful login attempt. On the left (Request) you can see the duplicate value.
This was enough to produce a hypothetical Cross-site Request Forgery (CSRF) [3] attack scenario, leading us to wonder whether the API would look for the authentication token in the jwtToken cookie if the custom HTTP request header Appauthorization was missing.
Including API auth tokens in a request header rather than in a cookie is a game changer for Cross-Site Request Forgery (CSRF). Unlike cookies, such headers are not included automatically by web browsers; they must be added by custom front-end logic (JavaScript).
To answer our question, we replayed the original request without including the Appauthorization request header. When we received the same response back from the API server, we confirmed our theory: the API retrieves the auth token from cookies when the custom request header is not present.
We had another question in mind that also needed to be answered: would the API server allow requests from origins other than porsche.com?
The answer to this question was also a resounding "yes."
As you can see in the image above, the request was made from a different website, which is reflected in the Access-Control-Allow-Origin [4] response header, indicating that the response can be shared with the requesting code from the given origin. Moreover, the API server also tells browsers to expose the response to the front-end JavaScript code when the request's credentials mode is include [5].
Typically, to be able to perpetrate a CSRF attack from an attacker-controlled website, the victims' web browsers must automatically include the jwtToken cookie in the API requests. That was not the case for Porsche Experience: the jwtToken cookie's SameSite attribute was set to Lax.
The SameSite attribute [6] controls whether a cookie should be sent with cross-site requests, providing some protection against CSRF attacks. Lax means that the cookie is not sent on cross-site requests [7], and it is the default value when not specified at the time the cookie is set. We would not be able to make requests to the GraphQL API from a website controlled by us, but the definition of "Site" and "Same Site" [8] still leaves us an opportunity.
Any website served from a subdomain of porsche.com using HTTPS is considered "Same Site", and the jwtToken is automatically included by web browsers in requests to the API. Then, all we need to exfiltrate data from the API is to find a way to lead a Porsche website to issue API requests to our target API, sending the response to a server controlled by us. We should not expect to find such a feature on a Porsche website, but a Cross-Site Scripting (XSS) vulnerability [9] would allow us to do it.
The initial reconnaissance process gave us a comprehensive list of Porsche websites which we considered in our research. campaigns.porsche.com was a vulnerable website and the most credible to be included in a "marketing campaign" phishing email.
The /charging/WebAjaxGet endpoint of the vulnerable website (campaigns.porsche.com) did not properly sanitize or encode query string parameter values before including them in the HTML server response. Bad actors could have exploited this issue to inject arbitrary code into the server response, which would end up being executed by the web browser in the victims' session context. Below is the specially crafted URL that triggered the alert dialog box in the image above:
To exfiltrate data from the API to a remote server controlled by us, we needed more complex JavaScript logic. We ended up exploiting the Reflected XSS vulnerability to load a JavaScript script from our remote server. This is what the payload looks like:
The snippet simply creates a script element, setting its src attribute to the address from which our malicious script should be fetched. When it is appended to the Document Object Model (DOM), the script is downloaded and executed. To avoid encoding issues, the JavaScript payload was base64-encoded and appended to the URL as an argument of the atob JavaScript function, whose output is passed to the eval function. This is what the final crafted URL looks like:
The next step was to write the malicious exfiltrate.js script, downloaded and executed by our XSS payload. For victims with an active session on experience.porsche.com, the jwtToken auth cookie is automatically included in requests to the API. All we need is to trigger the request with the appropriate GraphQL query and send the response to our remote server. To make the attack a bit more robust, the script then redirects the browser to the Porsche Experience website.
With everything in place and working properly, malicious actors would need to deliver the final malicious URL to victims, enticing them to click it. Email phishing is certainly the most common way attackers do this. The image below illustrates such a phishing email: instead of trying to hide the URL, an attacker could take advantage of the fact that it starts with HTTPS and points to an actual porsche.com website.
This attack scenario is not theoretical, and you can watch the proof-of-concept video provided to Porsche on YouTube [10].
Although this proof-of-concept focuses on profile data exfiltration, the loaded JavaScript script could include other logic to retrieve additional data from the GraphQL API (e.g., invoices) or perform actions on victims' behalf (e.g., booking or cancelling events).
Some quick security tips:
To prevent XSS [11], always encode unsafe data according to the context into which it will be written. On the API side, always establish a proper Cross-Origin Resource Sharing (CORS) policy [12] that restricts which hosts are allowed to interact with it. Also set cookie options properly and, whenever possible, avoid using cookies to exchange auth tokens between clients and the API server.
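The following is an added example, not code from the Checkmarx write-up or from Porsche's API: it models the three server-side weaknesses this scenario chained (cookie fallback for the auth token, Origin reflection with credentials, and an unencoded reflected parameter), each beside the hardened form the tips above call for. Host names, the token and the request are constructed.

```javascript
// Added example, not code from the Checkmarx write-up or Porsche's API: a
// minimal model of the three server-side weaknesses chained in this scenario,
// each beside its hardened form. Hosts, tokens and requests are constructed.

const API_ORIGIN = "https://experience.example";      // hypothetical API origin
const ALLOWED_ORIGINS = new Set([API_ORIGIN]);         // CORS allow-list

// Parse a Cookie header ("a=1; b=2") into a name -> value map.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Weak: if the custom Appauthorization header is absent, fall back to the
// jwtToken cookie, which the browser attaches on its own to same-site requests.
// (Header names are lower-cased, as Node's HTTP parser does.)
function authTokenWeak(req) {
  const cookies = parseCookies(req.headers.cookie);
  return req.headers.appauthorization || cookies.jwtToken || null;
}

// Hardened: the token is accepted only from the custom header, which only the
// site's own front-end JavaScript adds; a cookie by itself never authenticates.
function authTokenHardened(req) {
  return req.headers.appauthorization || null;
}

// Weak: reflect whatever Origin arrives and allow credentials, so script on
// any origin may read the credentialed response.
function corsWeak(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: only allow-listed origins receive credentialed CORS headers;
// everything else gets none, so the browser blocks the cross-origin read.
function corsHardened(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Weak: a query-string value is reflected into the HTML body verbatim.
function renderWeak(param) {
  return `<p>${param}</p>`;
}

// Hardened: HTML-context encoding before the value reaches the page body.
function encodeForHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}
function renderHardened(param) {
  return `<p>${encodeForHtml(param)}</p>`;
}

// The profile query as the API would handle it, weak vs. hardened.
function handleProfile(req, hardened) {
  const token = hardened ? authTokenHardened(req) : authTokenWeak(req);
  if (!token) return { status: 401, headers: {} };
  const cors = hardened ? corsHardened(req.headers.origin) : corsWeak(req.headers.origin);
  return { status: 200, headers: cors };
}

// Constructed request as a browser would send it from a sibling subdomain:
// same site (so the Lax cookie is attached), different origin, no custom header.
const sameSiteRequest = {
  headers: {
    cookie: "jwtToken=eyJ.constructed.token",
    origin: "https://campaigns.example",
  },
};

console.log(handleProfile(sameSiteRequest, false)); // weak: 200, origin reflected
console.log(handleProfile(sameSiteRequest, true));  // hardened: 401
```

Note that the hardened API rejects the same-site request outright because the cookie alone is no longer an accepted credential, and even the weak response could not be read by an unlisted origin once the Origin reflection is removed.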
It was a pleasure to collaborate with Porsche who took ownership and were professional throughout the disclosure and remediation process. For this reason, and a great researcher experience, we're granting Porsche the Checkmarx Seal of Approval.
And, as always, our security research team will continue to focus on ways to improve application security practices everywhere.
[1]: https://www.porsche.com/international/product-security/
[2]: https://experience.porsche.com
[3]: https://owasp.org/www-community/attacks/csrf
[4]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
[5]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
[6]: https://owasp.org/www-community/SameSite
[7]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#lax
[8]: https://developer.mozilla.org/en-US/docs/Glossary/Site
[9]: https://owasp.org/www-community/attacks/xss/
[10]: https://youtu.be/if0Lmw-tJWo
[11]: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
[12]: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
Hackers Abusing Windows Search Feature to Install Remote Access Trojans
28.7.23 Virus The Hacker News
A legitimate Windows search feature is being exploited by malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT.
The novel attack technique, per Trellix, takes advantage of the "search-ms:" URI protocol handler, which offers the ability for applications and HTML links to launch custom local searches on a device, and the "search:" application protocol, a mechanism for calling the desktop search application on Windows.
"Attackers are directing users to websites that exploit the 'search-ms' functionality using JavaScript hosted on the page," security researchers Mathanraj Thangaraju and Sijo Jacob said in a Thursday write-up. "This technique has even been extended to HTML attachments, expanding the attack surface."
In such attacks, threat actors have been observed creating deceptive emails that embed hyperlinks or HTML attachments containing a URL that redirects users to compromised websites. This triggers the execution of JavaScript that makes use of the URI protocol handlers to perform searches on an attacker-controlled server.
It's worth noting that clicking on the link also generates a warning "Open Windows Explorer?," approving which "the search results of remotely hosted malicious shortcut files are displayed in Windows Explorer disguised as PDFs or other trusted icons, just like local search results," the researchers explained.
"This smart technique conceals the fact that the user is being provided with remote files and gives the user the illusion of trust. As a result, the user is more likely to open the file, assuming it is from their own system, and unknowingly execute malicious code."
Should a victim click on one of the shortcut files, it leads to the execution of a rogue dynamic-link library (DLL) using the regsvr32.exe utility.
In an alternative variant of the campaign, the shortcut files are employed to run PowerShell scripts, which, in turn, download additional payloads in the background, while displaying a decoy PDF document to deceive victims.
Regardless of the method used, the infections lead to the installation of AsyncRAT and Remcos RAT that can be used by the threat actors to remotely commandeer the hosts, steal sensitive information, and even sell the access to other attackers.
With Microsoft steadily taking steps to clamp down on various initial access vectors, it's expected that adversaries could latch onto the URI protocol handler method to evade traditional security defenses and distribute malware.
"It is crucial to refrain from clicking on suspicious URLs or downloading files from unknown sources, as these actions can expose systems to malicious payloads delivered through the 'search' / 'search-ms' URI protocol handler," the researchers said.
BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities
28.7.23 Virus The Hacker News
The Russian nation-state actor known as BlueBravo has been observed targeting diplomatic entities throughout Eastern Europe with the goal of delivering a new backdoor called GraphicalProton, exemplifying the continuous evolution of the threat.
The phishing campaign is characterized by the use of legitimate internet services (LIS) for command-and-control (C2) obfuscation, Recorded Future said in a new report published Thursday. The activity was observed between March and May 2023.
BlueBravo, also known by the names APT29, Cloaked Ursa, and Midnight Blizzard (formerly Nobelium), is attributed to Russia's Foreign Intelligence Service (SVR), and has in the past used Dropbox, Firebase, Google Drive, Notion, and Trello to evade detection and stealthily establish communications with infected hosts.
To that end, GraphicalProton is the latest addition to a long list of malware targeting diplomatic organizations after GraphicalNeutrino (aka SNOWYAMBER), HALFRIG, and QUARTERRIG.
"Unlike GraphicalNeutrino, which used Notion for C2, GraphicalProton uses Microsoft's OneDrive or Dropbox for communication," the cybersecurity firm said.
This marks an attempt on the part of BlueBravo operators to not only diversify their tooling but also expand the portfolio of services misused for targeting organizations that are of strategic interest to the nation.
"BlueBravo appears to prioritize cyber espionage efforts against European government sector entities, possibly due to the Russian government's interest in strategic data during and after the war in Ukraine."
The new malware strain, like GraphicalNeutrino, functions as a loader and is staged within an ISO or ZIP file delivered via a phishing email bearing vehicle-themed lures, overlapping with an intrusion set reported by Palo Alto Networks Unit 42 earlier this month.
The ISO files contain .LNK files that masquerade as .PNG images of a BMW car that's purportedly for sale, which, when clicked, lead to the deployment of GraphicalProton for follow-on exploitation. This is achieved by using Microsoft OneDrive as C2 and periodically polling a folder in the storage service to fetch additional payloads.
"It is imperative for network defenders to be aware of the possibility of the misuse of these services within their enterprise and to recognize instances in which they may be used in similar efforts to exfiltrate information," researchers said.
The development comes as the Computer Emergency Response Team of Ukraine (CERT-UA) warned of ongoing phishing attacks undertaken by a group tracked as UAC-0006, which the agency said is intensifying efforts to entice users into installing a backdoor known as SmokeLoader.
Major Security Flaw Discovered in Metabase BI Software – Urgent Update Required
28.7.23 Vulnerability The Hacker News
Users of Metabase, a popular business intelligence and data visualization software package, are being advised to update to the latest version following the discovery of an "extremely severe" flaw that could result in pre-authenticated remote code execution on affected installations.
Tracked as CVE-2023-38646, the issue impacts open-source editions prior to 0.46.6.1 and Metabase Enterprise versions before 1.46.6.1.
"An unauthenticated attacker can run arbitrary commands with the same privileges as the Metabase server on the server you are running Metabase on," Metabase said in an advisory released last week.
The issue has also been addressed in the following older versions -
0.45.4.1 and 1.45.4.1
0.44.7.1 and 1.44.7.1, and
0.43.7.2 and 1.43.7.2
While there is no evidence that the issue has been exploited in the wild, data gathered by the Shadowserver Foundation shows that 5,488 out of the total 6,936 Metabase instances are vulnerable as of July 26, 2023. A majority of the instances are located in the U.S., India, Germany, France, the U.K., Brazil, and Australia.
Assetnote, which claimed it discovered and reported the bug to Metabase, said the vulnerability is due to a JDBC connection issue in the API endpoint "/api/setup/validate," enabling a malicious actor to obtain a reverse shell on the system by means of a specially crafted request that takes advantage of an SQL injection flaw in the H2 database driver.
Users who cannot apply the patches immediately are recommended to block requests to the /api/setup endpoint, isolate the Metabase instance from the production network, and monitor for suspicious requests to the endpoint in question.
Cybersecurity Agencies Warn Against IDOR Bugs Exploited for Data Breaches
28.7.23 Incident The Hacker News
Cybersecurity agencies in Australia and the U.S. have published a joint cybersecurity advisory warning against security flaws in web applications that could be exploited by malicious actors to orchestrate data breach incidents and steal confidential data.
This includes a specific class of bugs called Insecure Direct Object Reference (IDOR), a type of access control flaw that occurs when an application utilizes user-supplied input or an identifier for direct access to an internal resource, such as a database record, without any additional validations.
A typical example of an IDOR flaw is the ability of a user to trivially change the URL (e.g., https://example[.]site/details.php?id=12345) to obtain unauthorized data of another transaction (i.e., https://example[.]site/details.php?id=67890).
"IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users," the agencies said. "These requests succeed where there is a failure to perform adequate authentication and authorization checks."
The authoring entities – the Australian Signals Directorate's Australian Cyber Security Centre (ACSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. National Security Agency (NSA) – noted that such flaws are being abused by adversaries to compromise the personal, financial, and health information of millions of users and consumers.
To mitigate such threats, it's recommended that vendors, designers, and developers adopt secure-by-design and -default principles and ensure software performs authentication and authorization checks for every request that modifies, deletes, and accesses sensitive data.
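An added example, not from the ACSC/CISA/NSA advisory: the details.php?id=... lookup described above, first with the IDOR flaw and then with the per-request authentication and authorization checks the advisory recommends. The record store, the sessions and the status-code choices are constructed for illustration.

```javascript
// Added example, not from the ACSC/CISA/NSA advisory: the details.php?id=...
// lookup from the advisory, first with the IDOR flaw and then with the
// per-request authentication and authorization checks it recommends.
// The record store, sessions and status-code choices are constructed here.

// Constructed store: records owned by different users, keyed by the id that
// appears in the URL.
const TRANSACTIONS = new Map([
  [12345, { id: 12345, owner: "alice", amount: 250 }],
  [67890, { id: 67890, owner: "bob", amount: 1200 }],
]);

// Vulnerable: the user-supplied id is used directly, with no check that the
// caller is logged in, let alone that the record belongs to them.
function getDetailsVulnerable(query) {
  return TRANSACTIONS.get(Number(query.id)) || null;
}

// Shared gate for every request that accesses, modifies or deletes a record:
// authenticate first, then authorize against the record's owner.
function authorize(session, id) {
  if (!session || !session.user) {
    return { status: 401, body: "authentication required" };
  }
  const record = TRANSACTIONS.get(Number(id));
  // Design choice in this example: answer 404 for both a missing record and
  // another user's record, so the response does not confirm which ids exist.
  if (!record || record.owner !== session.user) {
    return { status: 404, body: "not found" };
  }
  return { status: 200, record };
}

// Read, modify and delete all pass through the same gate.
function getDetails(session, query) {
  const gate = authorize(session, query.id);
  return gate.status === 200 ? { status: 200, body: gate.record } : gate;
}

function updateAmount(session, query, amount) {
  const gate = authorize(session, query.id);
  if (gate.status !== 200) return gate;
  gate.record.amount = amount;
  return { status: 200, body: gate.record };
}

function deleteDetails(session, query) {
  const gate = authorize(session, query.id);
  if (gate.status !== 200) return gate;
  TRANSACTIONS.delete(gate.record.id);
  return { status: 204, body: null };
}

// Alice's session asking for Bob's record: the vulnerable lookup hands it over,
// the gated one does not.
console.log(getDetailsVulnerable({ id: "67890" }));
console.log(getDetails({ user: "alice" }, { id: "67890" }));
```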
The development comes days after CISA released its analysis of data gathered from risk and vulnerability assessments (RVAs) conducted across multiple federal civilian executive branch (FCEB) as well as high-priority private and public sector critical infrastructure operators.
The study found that "Valid Accounts were the most common successful attack technique, responsible for 54% of successful attempts," followed by spear-phishing links (33.8%), spear-phishing attachments (3.3%), external remote services (2.9%), and drive-by compromises (1.9%).
Legitimate accounts, which could be either former employee accounts that have not been removed from Active Directory or default administrator accounts, have also emerged as the top vector for establishing persistence in a compromised network (56.1%), escalating privileges (42.9%), and defense evasion (17.5%).
"To guard against the successful Valid Accounts technique, critical infrastructure entities must implement strong password policies, such as phishing-resistant [multi-factor authentication], and monitor access logs and network communication logs to detect abnormal access," CISA said.
GameOver(lay): Two Severe Linux Vulnerabilities Impact 40% of Ubuntu Users
27.7.23 Vulnerability The Hacker News
Cybersecurity researchers have disclosed two high-severity security flaws in the Ubuntu kernel that could pave the way for local privilege escalation attacks.
Cloud security firm Wiz, in a report shared with The Hacker News, said the easy-to-exploit shortcomings have the potential to impact 40% of Ubuntu users.
"The impacted Ubuntu versions are prevalent in the cloud as they serve as the default operating systems for multiple [cloud service providers]," security researchers Sagi Tzadik and Shir Tamari said.
The vulnerabilities – tracked as CVE-2023-32629 and CVE-2023-2640 (CVSS scores: 7.8) and dubbed GameOver(lay) – are present in a module called OverlayFS and arise as a result of inadequate permissions checks in certain scenarios, enabling a local attacker to gain elevated privileges.
Overlay Filesystem refers to a union mount file system that makes it possible to combine multiple directory trees or file systems into a single, unified filesystem.
A brief description of the two flaws is below -
CVE-2023-2640 - On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs," an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.
CVE-2023-32629 - Local privilege escalation vulnerability in Ubuntu kernels: overlayfs ovl_copy_up_meta_inode_data skips permission checks when calling ovl_do_setxattr on Ubuntu kernels.
In a nutshell, GameOver(lay) makes it possible to "craft an executable file with scoped file capabilities and trick the Ubuntu Kernel into copying it to a different location with unscoped capabilities, granting anyone who executes it root-like privileges."
Following responsible disclosure, the vulnerabilities have been fixed by Ubuntu as of July 24, 2023.
The findings underscore the fact that subtle changes in the Linux kernel introduced by Ubuntu could have unforeseen implications, Wiz CTO and co-founder Ami Luttwak said in a statement shared with the publication.
"Both vulnerabilities are unique to Ubuntu kernels since they stemmed from Ubuntu's individual changes to the OverlayFS module," the researchers said, adding the issues are comparable to other vulnerabilities such as CVE-2016-1576, CVE-2021-3493, CVE-2021-3847, and CVE-2023-0386.
New Malvertising Campaign Distributing Trojanized IT Tools via Google and Bing Search Ads
27.7.23 Virus The Hacker News
A new malvertising campaign has been observed leveraging ads on Google Search and Bing to target users seeking IT tools like AnyDesk, Cisco AnyConnect VPN, and WinSCP, and trick them into downloading trojanized installers with an aim to breach enterprise networks and likely carry out future ransomware attacks.
Dubbed Nitrogen, the "opportunistic" activity is designed to deploy second-stage attack tools such as Cobalt Strike, Sophos said in a Wednesday analysis.
Nitrogen was first documented by eSentire in June 2023, detailing an infection chain that redirects users to compromised WordPress sites hosting malicious ISO image files that ultimately culminate in the delivery of Python scripts and Cobalt Strike Beacons onto the targeted system.
Then earlier this month, Trend Micro uncovered a similar attack sequence in which a fraudulent WinSCP application functioned as a stepping stone for a BlackCat ransomware attack.
"Throughout the infection chain, the threat actors use uncommon export forwarding and DLL preloading techniques to mask their malicious activity and hinder analysis," Sophos researchers Gabor Szappanos, Morgan Demboski, and Benjamin Sollman said.
The Python scripts, once launched, establish a Meterpreter reverse TCP shell, thereby allowing threat actors to remotely execute code on the infected host, as well as download a Cobalt Strike Beacon to facilitate post-exploitation.
"Abuse of pay-per-click advertisements displayed in search engine results has become a popular tactic among threat actors," the researchers said. "The threat actors are trying to cast a wide net to lure unsuspecting users seeking certain IT utilities."
The findings also come against the backdrop of a spike in cybercriminals using paid advertisements to lure users to malicious sites and trick them into downloading a variety of malware such as BATLOADER, EugenLoader (aka FakeBat), and IcedID, which are then used to spread information stealers and other payloads.
To make matters worse, Sophos said it found on prominent criminal marketplaces a "significant number of advertisements for, and discussion about, SEO poisoning, malvertising, and related services" as well as sellers offering compromised Google Ads accounts.
This illustrates that "marketplaces users have a keen interest in SEO poisoning and malvertising" and that "it also negates the difficulty of trying to bypass email filters and convincing users to click a link or download and open an attachment."
Hackers Target Apache Tomcat Servers for Mirai Botnet and Crypto Mining
27.7.23 Cryptocurrency The Hacker News
Misconfigured and poorly secured Apache Tomcat servers are being targeted as part of a new campaign designed to deliver the Mirai botnet malware and cryptocurrency miners.
The findings come courtesy of Aqua, which detected more than 800 attacks against its Tomcat server honeypots over a two-year time period, with 96% of the attacks linked to the Mirai botnet.
Of these attack attempts, 20% (or 152) entailed the use of a web shell script dubbed "neww" that originated from 24 unique IP addresses, with 68% of them originating from a single IP address (104.248.157[.]218).
"The threat actor scanned for Tomcat servers and launched a brute force attack against it, attempting to gain access to the Tomcat web application manager by trying different combinations of credentials associated with it," Aqua security researcher Nitzan Yaakov said.
Upon gaining a successful foothold, the threat actors have been observed deploying a WAR file that contains a malicious web shell class named 'cmd.jsp' that, in turn, is designed to listen to remote requests and execute arbitrary commands on the Tomcat server.
This includes downloading and running a shell script called "neww" after which the file is deleted using the "rm -rf" Linux command.
"The script contains links to download 12 binary files, and each file is suitable for a specific architecture according to the system that has been attacked by the threat actor," Yaakov pointed out.
The final stage malware is a variant of the infamous Mirai botnet that makes use of the infected hosts to orchestrate distributed denial-of-service (DDoS) attacks.
"Once the threat actor gained access to the web application manager using valid credentials, they leveraged the platform to upload a web shell disguised in a WAR file," Yaakov said. "Next, the threat actor executed commands remotely and launched the attack."
To mitigate the ongoing campaign, it's recommended that organizations secure their environments and follow credential hygiene practices to prevent brute-force attacks.
The development comes as the AhnLab Security Emergency Response Center (ASEC) reported that poorly managed MS-SQL servers are being breached to deploy a rootkit malware called Purple Fox, which acts as a loader to fetch additional malware such as coin miners.
These findings also demonstrate the lucrative nature of cryptocurrency mining, which has witnessed a 399% increase over last year, with 332 million cryptojacking attacks recorded in the first half of 2023 globally, according to SonicWall.
Group-IB Co-Founder Sentenced to 14 Years in Russian Prison for Alleged High Treason
27.7.23 Crime The Hacker News
A city court in Moscow on Wednesday convicted Group-IB co-founder and CEO Ilya Sachkov of "high treason" and jailed him for 14 years in a "strict regime colony" over accusations of passing information to foreign spies.
"The court found Sachkov guilty under Article 275 of the Russian Criminal Code (high treason) sentencing him to 14 years of incarceration in a maximum-security jail, restriction of freedom for one year and a fine of 500,000 rubles (about $5,550)," state news agency TASS reported.
Sachkov, who has been in custody since September 2021 and denied wrongdoing, had been accused of handing over classified information to foreign intelligence in 2011, which the prosecutors said caused reputational damage to Russia's national interests. The exact nature of the charges is unclear.
The 37-year-old is expected to appeal the decision, Bloomberg said, adding, "Sachkov was alleged to have given the U.S. government information regarding a hacking team in Moscow's GRU military intelligence service — dubbed 'Fancy Bear' by U.S. cybersecurity companies — and its efforts to influence the 2016 US presidential election."
Group-IB, originally founded in Russia in 2003 and now headquartered in Singapore, said "we have had full confidence in Ilya's innocence" and that he "has been denied a chance for an impartial trial."
"All the materials of the case are kept classified, and all hearings were held in complete secrecy with no public scrutiny," the cybersecurity company further noted. "As a result, we might never know the pretext for his conviction."
The cybersecurity company completely exited Russia earlier this April, with its local business operating as a standalone company under the new brand F.A.C.C.T. (short for Fight Against Cybercrime Technologies).
"This is a tough moment for all of us and a rainy day for the cybersecurity market," Valery Baulin, general director of F.A.C.C.T. said in a statement. "Ilya Sachkov, my friend, colleague, creator of one of the most successful high-tech companies in the field of cybersecurity, was sent to a colony as a result of a 'speedy trial.'"
New SEC Rules Require U.S. Companies to Reveal Cyber Attacks Within 4 Days
27.7.23 Attack The Hacker News
The U.S. Securities and Exchange Commission (SEC) on Wednesday approved new rules that require publicly traded companies to publicize details of a cyber attack within four days of identifying that it has a "material" impact on their finances, marking a major shift in how computer breaches are disclosed.
"Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors," SEC chair Gary Gensler said. "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way."
To that end, the new obligations mandate that companies reveal the incident's nature, scope, and timing, as well as its impact. This disclosure, however, may be delayed by an additional period of up to 60 days should it be determined that giving out such specifics "would pose a substantial risk to national security or public safety."
They also necessitate registrants to describe on an annual basis the methods and strategies used for assessing, identifying, and managing material risks from cybersecurity threats, detail the material effects or risks arising as a result of those events, and share information about ongoing or completed remediation efforts.
"The key word here is 'material' and being able to determine what that actually means," Safe Security CEO Saket Modi told The Hacker News. "Most organizations are not prepared to comply with the SEC guidelines as they cannot determine materiality, which is core to shareholder protection. They lack the systems to quantify risk at broad and granular levels."
That said, the rules do not extend to "specific, technical information about the registrant's planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant's response or remediation of the incident."
The policy, first proposed in March 2022, is seen as an effort to bring more transparency into the threats faced by U.S. companies from cybercrime and nation-state actors, close the gaps in cybersecurity defense and disclosure practices, and harden the systems against data theft and intrusions.
In recent months, more than 500 companies have become victims of a cyber attack spree orchestrated by a ransomware gang called Cl0p, propelled by the exploitation of critical flaws in software widely used in enterprise environments, with the threat actors leveraging new exfiltration methods to steal data, according to Kroll.
Tenable CEO and Chairman, Amit Yoran, said the new rules on cyber risk management and incident disclosure is "right on the money" and that they are a "dramatic step toward greater transparency and accountability."
"When cyber breaches have real-life consequences and reputational costs, investors should have the right to know about an organization's cyber risk management activities," Yoran added.
That said, concerns have been raised that the time frame is too tight, leading to possibly inaccurate disclosures, given that it may take companies weeks or even months to fully investigate a breach. To complicate the matter further, premature breach notifications could tip off other attackers to a susceptible target and exacerbate security risks.
"The new requirement set forth by the SEC requiring organizations to report cyber attacks or incidents within four days seems aggressive but sits in a more lax time frame than other countries," James McQuiggan, security awareness advocate at KnowBe4, said.
"Within the E.U., the U.K., Canada, South Africa, and Australia, companies have 72 hours to report a cyber incident. In other countries like China and Singapore, it's 24 hours. India has to report the breach within six hours."
"Either way, organizations should have repeatable and well-documented incident response plans with communication plans, procedures, and requirements on who is brought into the incident and when," McQuiggan added.
Decoy Dog: New Breed of Malware Posing Serious Threats to Enterprise Networks
26.7.23 Virus The Hacker News
A deeper analysis of a recently discovered malware called Decoy Dog has revealed that it's a significant upgrade over the Pupy RAT, an open-source remote access trojan it's modeled on.
"Decoy Dog has a full suite of powerful, previously unknown capabilities – including the ability to move victims to another controller, allowing them to maintain communication with compromised machines and remain hidden for long periods of time," Infoblox said in a Tuesday report. "Some victims have actively communicated with a Decoy Dog server for over a year."
Other new features allow the malware to execute arbitrary Java code on the client and connect to emergency controllers using a mechanism that's similar to a traditional DNS domain generation algorithm (DGA), with the Decoy Dog domains engineered to respond to replayed DNS queries from breached clients.
The sophisticated toolkit was first discovered by the cybersecurity firm in early April 2023 after detecting anomalous DNS beaconing activity, revealing its highly targeted attacks against enterprise networks.
The origins of Decoy Dog remain unclear as yet, but it's suspected to be operated by a handful of nation-state hackers, who employ distinct tactics but respond to inbound requests that match the structure of client communication.
Decoy Dog makes use of the domain name system (DNS) to perform command-and-control (C2). An endpoint that's compromised by the malware communicates with, and receives instructions from, a controller (i.e., a server) via DNS queries and IP address responses.
The threat actors behind the operation are said to have made swift adjustments to their attack infrastructure in response to the earlier disclosures, taking down some of the DNS nameservers as well as registering new replacement domains to establish remote persistence.
"Rather than shutting down their operation, the actor transferred existing compromised clients to the new controllers," Infoblox noted. "This is an extraordinary response demonstrating the actor felt it necessary to maintain access to their existing victims."
The first known deployment of Decoy Dog dates back to late-March or early-April 2022, following which three other clusters were detected as under the control of different controllers. A total of 21 Decoy Dog domains have been detected to date.
What's more, one set of controllers registered since April 2023 has adapted by incorporating a geofencing technique to limit responses to client IP addresses to certain locations, with observed activity limited to Russia and Eastern Europe.
"The lack of insight into underlying victim systems and vulnerabilities being exploited makes Decoy Dog an ongoing and serious threat," Dr. Renée Burton, head of threat intelligence at Infoblox, said. "The best defense against this malware is DNS."
Fenix Cybercrime Group Poses as Tax Authorities to Target Latin American Users
26.7.23 CyberCrime The Hacker News
Tax-paying individuals in Mexico and Chile have been targeted by a Mexico-based cybercrime group that goes by the name Fenix to breach targeted networks and steal valuable data.
A key hallmark of the operation entails cloning official portals of the Servicio de Administración Tributaria (SAT) in Mexico and the Servicio de Impuestos Internos (SII) in Chile and redirecting potential victims to those sites.
"These fake websites prompt users to download a supposed security tool, claiming it will enhance their portal navigation safety," Metabase Q security researchers Gerardo Corona and Julio Vidal said in a recent analysis.
"However, unbeknownst to the victims, this download actually installs the initial stage of malware, ultimately enabling the theft of sensitive information such as credentials."
The goal of Fenix, according to the Latin America-focused cybersecurity firm, is to act as an initial access broker and get a foothold into different companies in the region, and sell the access to ransomware affiliates for further monetization.
Evidence gathered so far points to the threat actor orchestrating phishing campaigns coinciding with government activities during the year since at least the fourth quarter of 2022.
The mechanics of the campaign proceed thus: Visitors landing on the impersonated websites are urged to download software that supposedly safeguards their data while browsing the portal. Alternatively, users are lured via phishing sites set up to download legitimate apps like AnyDesk.
"[Fenix] compromises weak websites using vulnerable WordPress engines and also creates new domains to launch phishing campaigns," the researchers said, adding the group "creates typosquatting domains similar to known apps like AnyDesk, WhatsApp, etc."
But in reality, the ZIP file containing the purported software is used as a springboard to activate an infection sequence that leads to the execution of an obfuscated PowerShell script, which, in turn, loads and runs a .NET binary, after which the message "Ahora se encuentra protegido" (meaning "Now you are protected" in Spanish) is displayed to keep up the ruse.
The .NET executable subsequently paves the way for establishing persistence on the compromised host and deploying a botnet malware that's capable of running commands received from a remote server, loading a stealer module that exfiltrates credentials stored in web browsers and crypto wallets, and ultimately deleting itself.
"We are seeing new malicious groups being created in LATAM to provide initial access to ransomware gangs," the researchers concluded. "These local actors are not amateur and will increase their technical expertise and therefore more difficult to track, detect and eradicate, it is important to anticipate their actions."
New AI Tool 'FraudGPT' Emerges, Tailored for Sophisticated Attacks
26.7.23 AI The Hacker News
Following the footsteps of WormGPT, threat actors are advertising yet another cybercrime generative artificial intelligence (AI) tool dubbed FraudGPT on various dark web marketplaces and Telegram channels.
"This is an AI bot, exclusively targeted for offensive purposes, such as crafting spear phishing emails, creating cracking tools, carding, etc.," Netenrich security researcher Rakesh Krishnan said in a report published Tuesday.
The cybersecurity firm said the offering has been circulating since at least July 22, 2023, for a subscription cost of $200 a month (or $1,000 for six months and $1,700 for a year).
"If your [sic] looking for a Chat GPT alternative designed to provide a wide range of exclusive tools, features, and capabilities tailored to anyone's individuals with no boundaries then look no further!," claims the actor, who goes by the online alias CanadianKingpin.
The author also states that the tool could be used to write malicious code, create undetectable malware, find leaks and vulnerabilities, and that there have been more than 3,000 confirmed sales and reviews. The exact large language model (LLM) used to develop the system is currently not known.
The development comes as the threat actors are increasingly riding on the advent of OpenAI ChatGPT-like AI tools to concoct new adversarial variants that are explicitly engineered to promote all kinds of cybercriminal activity sans any restrictions.
Such tools could act as a launchpad for novice actors looking to mount convincing phishing and business email compromise (BEC) attacks at scale, leading to the theft of sensitive information and unauthorized wire payments.
"While organizations can create ChatGPT (and other tools) with ethical safeguards, it isn't a difficult feat to reimplement the same technology without those safeguards," Krishnan noted.
"Implementing a defense-in-depth strategy with all the security telemetry available for fast analytics has become all the more essential to finding these fast-moving threats before a phishing email can turn into ransomware or data exfiltration."
Rust-based Realst Infostealer Targeting Apple macOS Users' Cryptocurrency Wallets
26.7.23 Vulnerability The Hacker News
A new malware family called Realst has become the latest to target Apple macOS systems, with a third of the samples already designed to infect macOS 14 Sonoma, the upcoming major release of the operating system.
Written in the Rust programming language, the malware is distributed in the form of bogus blockchain games and is capable of "emptying crypto wallets and stealing stored password and browser data" from both Windows and macOS machines. Realst was first discovered in the wild by security researcher iamdeadlyz.
"Realst Infostealer is distributed via malicious websites advertising fake blockchain games with names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend," SentinelOne security researcher Phil Stokes said in a report. "Each version of the fake blockchain game is hosted on its own website complete with associated Twitter and Discord accounts."
The cybersecurity firm, which identified 16 variants across 59 samples, said the activity likely has links to another information stealer campaign called Pureland, which came to light earlier this March. Windows machines, on the other hand, are infected with RedLine Stealer.
The attack chains begin with threat actors approaching potential victims through direct messages on social media, convincing them to test a game as part of a paid collaboration, only to drain their cryptocurrency wallets and steal sensitive information upon execution.
The web browsers targeted for harvesting include Brave, Google Chrome, Mozilla Firefox, Opera, and Vivaldi. Apple Safari is a notable exception. The malware is also capable of gathering information from Telegram and capturing screenshots.
"Most variants attempt to grab the user's password via osascript and AppleScript spoofing and perform rudimentary checking that the host device is not a virtual machine via sysctl -n hw.model," Stokes explained.
"The number of Realst samples and their variation shows that the threat actor has invested serious effort in order to target macOS users for data and crypto wallet theft."
News of the Realst stealer follows the discovery of SophosEncrypt, which has been found impersonating cybersecurity firm Sophos and described as a "general-purpose remote access trojan (RAT) with the capacity to encrypt files and generate these ransom notes."
The developments come as data captured via commercial information stealers is being packaged and sold for profit on dark web marketplaces and Telegram channels, with over 200,000 OpenAI credentials leaked via stealer logs in 2022 and 2023, according to multiple reports from Bitdefender and Flare.
Stolen enterprise credentials, in particular, can act as a channel for initial access brokers to breach organizations, which can then be auctioned off to other actors looking to exploit the foothold for follow-on activities such as ransomware deployment.
According to IBM's Cost of a Data Breach Report 2023, which examined data breaches experienced by 553 organizations across 16 countries between March 2022 and March 2023, the global average cost of a data breach in 2023 stands at $4.45 million, a 15.3% increase from $3.86 million in 2020.
The study also found that "data breaches led to an increase in the pricing of their business offerings, passing on costs to consumers," a trend observed in 2022 as well.
Critical MikroTik RouterOS Vulnerability Exposes Over Half a Million Devices to Hacking
26.7.23 Vulnerability The Hacker News
A severe privilege escalation issue impacting MikroTik RouterOS could be weaponized by remote malicious actors to execute arbitrary code and seize full control of vulnerable devices.
Cataloged as CVE-2023-30799 (CVSS score: 9.1), the shortcoming is expected to put approximately 500,000 and 900,000 RouterOS systems at risk of exploitation via their web and/or Winbox interfaces, respectively, VulnCheck disclosed in a Tuesday report.
"CVE-2023-30799 does require authentication," security researcher Jacob Baines said. "In fact, the vulnerability itself is a simple privilege escalation from admin to 'super-admin' which results in access to an arbitrary function. Acquiring credentials to RouterOS systems is easier than one might expect."
This is because the MikroTik RouterOS operating system does not offer any protection against password brute-force attacks and ships with a well-known default "admin" user, with its password being an empty string until October 2021, at which point administrators were prompted to update the blank passwords with the release of RouterOS 6.49.
CVE-2023-30799 is said to have been originally disclosed by Margin Research as an exploit dubbed FOISted without an accompanying CVE identifier in June 2022. The security hole, however, was not plugged until October 13, 2022, in the RouterOS stable version 6.49.7 and on July 19, 2023, for the RouterOS Long-term version 6.49.8.
VulnCheck noted that a patch for the Long-term release tree was made available only after it directly contacted the vendor and "published new exploits that attacked a wider range of MikroTik hardware."
A proof-of-concept (PoC) devised by the company shows that it's possible to derive a new MIPS architecture-based exploit chain from FOISted and obtain a root shell on the router.
"Given RouterOS' long history of being an APT target, combined with the fact that FOISted was released well over a year ago, we have to assume we aren't the first group to figure this out," Baines noted.
"Unfortunately, detection is nearly impossible. The RouterOS web and Winbox interfaces implement custom encryption schemes that neither Snort or Suricata can decrypt and inspect. Once an attacker is established on the device, they can easily make themselves invisible to the RouterOS UI."
With flaws in MikroTik routers exploited to corral the devices into distributed denial-of-service (DDoS) botnets such as Mēris and use them as command-and-control proxies, it's recommended that users patch the flaw by updating to the latest version (6.49.8 or 7.x) as soon as possible.
Mitigation advice includes removing MikroTik administrative interfaces from the internet, limiting the IP addresses administrators can log in from, disabling the Winbox and the web interfaces, and configuring SSH to use public/private keys and disable passwords.
North Korean Nation-State Actors Exposed in JumpCloud Hack After OPSEC Blunder
25.7.23 BigBrothers The Hacker News
North Korean nation-state actors affiliated with the Reconnaissance General Bureau (RGB) have been attributed to the JumpCloud hack following an operational security (OPSEC) blunder that exposed their actual IP address.
Google-owned threat intelligence firm Mandiant attributed the activity to a threat actor it tracks under the name UNC4899, which likely shares overlaps with clusters already being monitored as Jade Sleet and TraderTraitor, a group with a history of striking blockchain and cryptocurrency sectors.
UNC4899 also overlaps with APT43, another hacking crew associated with the Democratic People's Republic of Korea (DPRK) that was unmasked earlier this March as conducting a series of campaigns to gather intelligence and siphon cryptocurrency from targeted companies.
The adversarial collective's modus operandi is characterized by the use of Operational Relay Boxes (ORBs) using L2TP IPsec tunnels along with commercial VPN providers to disguise the attacker's true point of origin, with commercial VPN services acting as the final hop.
"There have been many occasions in which DPRK threat actors did not employ this last hop, or mistakenly did not utilize this while conducting actions on operations on the victim's network," the company said in an analysis published Monday, adding it observed "UNC4899 connecting directly to an attacker-controlled ORB from their 175.45.178[.]0/24 subnet."
The intrusion directed against JumpCloud took place on June 22, 2023, as part of a sophisticated spear-phishing campaign that leveraged the unauthorized access to breach fewer than five customers and less than 10 systems in what's called a software supply chain attack.
Mandiant's findings are based on an incident response initiated in the aftermath of a cyber attack against one of JumpCloud's impacted customers, an unnamed software solutions entity, the starting point being a malicious Ruby script ("init.rb") executed via the JumpCloud agent on June 27, 2023.
A notable aspect of the incident is its targeting of four Apple systems running macOS Ventura versions 13.3 or 13.4.1, underscoring North Korean actors' continued investment in honing malware specially tailored for the platform in recent months.
"Initial access was gained by compromising JumpCloud and inserting malicious code into their commands framework," the company explained. "In at least one instance, the malicious code was a lightweight Ruby script that was executed via the JumpCloud agent."
The script, for its part, is engineered to download and execute a second-stage payload named FULLHOUSE.DOORED, using it as a conduit to deploy additional malware such as STRATOFEAR and TIEDYE, after which the prior payloads were removed from the system in an attempt to cover up the tracks -
FULLHOUSE.DOORED - A C/C++-based first-stage backdoor that communicates using HTTP and comes with support for shell command execution, file transfer, file management, and process injection
STRATOFEAR - A second-stage modular implant that's chiefly designed to gather system information as well as retrieve and execute more modules from a remote server or loaded from disk
TIEDYE - A second-stage Mach-O executable that can communicate with a remote server to run additional payloads, harvest basic system information, and execute shell commands
TIEDYE is also said to exhibit similarities to RABBITHUNT, a backdoor written in C++ that communicates via a custom binary protocol over TCP and which is capable of reverse shell, file transfer, process creation, and process termination.
"The campaign targeting JumpCloud, and the previously reported DPRK supply chain compromise from earlier this year which affected the Trading Technologies X_TRADER application and 3CX Desktop App software, exemplifies the cascading effects of these operations to gain access to service providers in order to compromise downstream victims," Mandiant said.
"Both operations have suspected ties to financially motivated DPRK actors, suggesting that DPRK operators are implementing supply chain TTPs to target select entities as part of increased efforts to target cryptocurrency and fintech-related assets."
The development comes days after GitHub warned of a social engineering attack mounted by the TraderTraitor actor to trick employees working at blockchain, cryptocurrency, online gambling, and cybersecurity companies into executing code hosted in a GitHub repository that relied on malicious packages hosted on npm.
The infection chain has been found to leverage the malicious npm dependencies to download an unknown second-stage payload from an actor-controlled domain. The packages have since been taken down and the accounts suspended.
"The identified packages, published in pairs, required installation in a specific sequence, subsequently retrieving a token that facilitated the download of a final malicious payload from a remote server," Phylum said in a new analysis detailing the discovery of new npm modules used in the same campaign.
"The vast attack surface presented by these ecosystems is hard to ignore. It's virtually impossible for a developer in today's world not to rely on any open-source packages. This reality is typically exploited by threat actors aiming to maximize their blast radius for widespread distribution of malware, such as stealers or ransomware."
Pyongyang has long used cryptocurrency heists to fuel its sanctioned nuclear weapons program, while simultaneously orchestrating cyber espionage attacks to collect strategic intelligence in support of the regime's political and national security priorities.
"North Korea's intelligence apparatus possesses the flexibility and resilience to create cyber units based on the needs of the country," Mandiant noted last year. "Additionally overlaps in infrastructure, malware, and tactics, techniques and procedures indicate there are shared resources amongst their cyber operations."
The Lazarus Group remains a prolific state-sponsored threat actor in this regard, consistently mounting attacks that are designed to deliver everything from remote access trojans to ransomware to purpose-built backdoors and also demonstrating a readiness to shift tactics and techniques to hinder analysis and make their tracking much harder.
This is exemplified by its ability to not only compromise vulnerable Microsoft Internet Information Services (IIS) web servers, but also use them as malware distribution centers in watering hole attacks aimed at South Korea, according to the AhnLab Security Emergency Response Center (ASEC).
"The threat actor is continuously using vulnerability attacks for initial access to unpatched systems," ASEC said. "It is one of the most dangerous threat groups highly active worldwide."
A second RGB-backed group that's equally focused on amassing information on geopolitical events and negotiations affecting the DPRK's interests is Kimsuky, which has been detected using Chrome Remote Desktop to remotely commandeer hosts already compromised through backdoors such as AppleSeed.
"The Kimsuky APT group is continuously launching spear-phishing attacks against Korean users," ASEC pointed out this month. "They usually employ methods of malware distribution through disguised document files attached to emails, and users who open these files may lose control over their current system."
Casbaneiro Banking Malware Goes Under the Radar with UAC Bypass Technique
25.7.23 Virus The Hacker News
The financially motivated threat actors behind the Casbaneiro banking malware family have been observed making use of a User Account Control (UAC) bypass technique to gain full administrative privileges on a machine, a sign that the threat actor is evolving their tactics to avoid detection and execute malicious code on compromised assets.
"They are still heavily focused on Latin American financial institutions, but the changes in their techniques represent a significant risk to multi-regional financial organizations as well," Sygnia said in a statement shared with The Hacker News.
Casbaneiro, also known as Metamorfo and Ponteiro, is best known for its banking trojan, which first emerged in mass email spam campaigns targeting the Latin American financial sector in 2018.
Infection chains typically begin with a phishing email pointing to a booby-trapped attachment that, when launched, activates a series of steps that culminate in the deployment of the banking malware, alongside scripts that leverage living-off-the-land (LotL) techniques to fingerprint the host and gather system metadata.
Also downloaded at this stage is a binary called Horabot that's designed to propagate the infection internally to other unsuspecting employees of the breached organization.
"This adds credibility to the email sent, as there are no obvious anomalies in the email headers (suspicious external domains), which would typically trigger email security solutions to act and mitigate," the cybersecurity company said in a previous report published in April 2022. "The emails include the same PDF attachment used to compromise the previous victim hosts, and so the chain is executed once more."
What's changed in recent attack waves is that the attack is kick-started by spear-phishing email embedded with a link to an HTML file that redirects the target to download a RAR file, a deviation from the use of malicious PDF attachments with a download link to a ZIP file.
A second major change to the modus operandi concerns the use of fodhelper.exe to achieve a UAC bypass and attain high integrity level execution.
Sygnia said it also observed Casbaneiro attackers creating a mock folder on C:\Windows[space]\system32 to copy the fodhelper.exe executable, although the specially crafted path is said to have never been employed in the intrusion.
"It is possible that the attacker deployed the mock folder to bypass AV detections or to leverage that folder for side-load DLLs with Microsoft-signed binaries for UAC bypass," the company said.
The development marks the third time the mock trusted folder approach has been detected in the wild in recent months, with the method used in campaigns delivering a malware loader called DBatLoader as well as remote access trojans like Warzone RAT (aka Ave Maria).
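The mock folder Sygnia describes works because a directory name such as "Windows " (with a trailing space) is a distinct object from "Windows" yet renders almost identically in tools and path strings. A cheap way to hunt for this on a fleet is to look for directory names that equal a trusted system directory name only once whitespace is stripped. The following is an added example of such a check, not Sygnia's tooling or code from the original article; the list of trusted names and the sample paths are constructed assumptions, and `scan_tree` is a plain `os.walk` over whatever root you point it at.

```python
"""Find 'mock trusted folder' directories: names that mimic a Windows system
directory but differ only by leading/trailing whitespace, e.g. 'C:\\Windows \\System32'."""
import os
from pathlib import PureWindowsPath

# Directory names worth imitating for a UAC bypass (assumption; extend as needed).
TRUSTED_NAMES = {"windows", "system32", "syswow64"}


def is_mock_component(name: str) -> bool:
    """True when a path component is a trusted name padded with whitespace.

    Genuine system paths never carry leading or trailing whitespace, while
    'Program Files' (interior space) is untouched by strip() and so is ignored.
    """
    stripped = name.strip()
    return stripped.lower() in TRUSTED_NAMES and stripped != name


def mock_folder_paths(paths):
    """Return the subset of Windows-style path strings containing a mock component."""
    hits = []
    for p in paths:
        if any(is_mock_component(part) for part in PureWindowsPath(p).parts):
            hits.append(p)
    return hits


def scan_tree(root: str):
    """Walk a live filesystem tree and return offending directory paths.

    Runs on any OS; on Windows, point it at the drive root so the copy of
    the real directory name one level down (e.g. 'System32') is also seen.
    """
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if is_mock_component(d):
                found.append(os.path.join(dirpath, d))
    return found


# Constructed sample of directory paths, as an inventory script might collect them.
SAMPLE_PATHS = [
    r"C:\Windows\System32",                              # legitimate
    r"C:\Windows \System32",                             # trailing space after 'Windows'
    r"C:\Program Files\Vendor",                          # interior space, legitimate
    r"C:\Users\alice\AppData\Local\Temp\ System32",      # leading space
]

if __name__ == "__main__":
    for hit in mock_folder_paths(SAMPLE_PATHS):
        print("suspicious:", repr(hit))
```

Pair the result with file-creation telemetry (who created the folder and what was copied into it) rather than acting on the name alone; the name is the cheap triage signal, the copied signed binary next to an unsigned DLL is the confirmation.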
macOS Under Attack: Examining the Growing Threat and User Perspectives
25.7.23 Apple The Hacker News
As the number of people using macOS keeps going up, so does the desire of hackers to take advantage of flaws in Apple's operating system.
What Are the Rising Threats to macOS?
There is a common misconception among macOS fans that Apple devices are immune to hacking and malware infection. However, users have been facing more and more dangers recently. Inventive attackers are specifically targeting Mac systems, as seen with the "Geacon" Cobalt Strike tool attack. This tool enables them to perform malicious actions such as data theft, privilege elevation, and remote device control, placing the security and privacy of Mac users at grave risk.
Earlier this year, researchers also uncovered the MacStealer malware, which also stole sensitive data from Apple users. Documents, iCloud keychain data, browser cookies, credit card credentials – nothing is safe from the prying eyes.
But that's not all. CloudMensis is malicious software that specifically targets macOS systems, spreading through email attachments and compromising device security. It can steal sensitive information and grant unauthorized access to users' systems. JockerSpy, on the other hand, can infiltrate a system through deceptive websites or bundled with seemingly harmless software. Once installed, it can monitor users' activities, capture keystrokes, and access personal data.
Even state-sponsored hacking organizations, like the North Korean Lazarus Group, have started targeting Apple Macs. Do you think this was a wake-up call for many Apple users who thought their devices were immune to getting attacked?
Mac Security Survey 2023: User Awareness and Behavior
To understand the state of cybersecurity on the Mac, the Moonlock team, a dedicated group of MacPaw's researchers and engineers focused on the cybersecurity needs of Mac users, conducted a survey. From their fears and concerns to their behaviors and misconceptions, here's how Mac users are navigating the increasingly complex security landscape:
Cybersecurity Myths are Still Alive
Despite the growing risks, many Mac users still take their cybersecurity lightly. Just think about it: Moonlock's Mac Security Survey 2023 reveals that every third Mac user believes their data is of no interest to cybercriminals. 57% of Mac users either agree or hesitate to disagree with the statement, "Malware does not exist on macOS."
Awareness is High, but Risky Behaviors Abound
The truth is many Mac users have already fallen victim to attacks. More than 50% of respondents have experienced malware, hacking, or fraud personally or in their closest environment. 69% of them have personally faced at least one of these threats:
Malware, viruses
Hacking accounts, stealing passwords
Scam
Collection of personal data from browsers and social networks
Breach of personal data
Phishing
Violation of online payment security
Identity theft (including SSN theft)
Access to correspondence and private files.
This shows how vulnerable macOS is and highlights the need for stronger security.
Despite threats, 22% of Mac users have the same password for multiple accounts, and 31% skip software updates. At the same time, 45% feel that they don't do enough to protect themselves from cyber threats.
There's a Lack of Clarity About Security Tools
When it comes to digital security, there seems to be a lack of clarity around the use of security tools. Did you know that 11% of respondents who say they use a password manager actually store their passwords in their browsers? And interestingly, 35% of self-reported secure browser users consider Safari and Google Chrome to be safe options.
There's Also a Lack of Reliable Info
According to Moonlock's research, 52% of Mac users actually want to talk to experts about how to stay safe online. However, 30% of users struggle to find reliable sources of information on the topic.
It is critical that Mac users remain vigilant, make cybersecurity a priority, and stay informed about the evolving threat landscape. By raising awareness and promoting proactive security measures, we can strengthen the protection of our Mac systems and safeguard our digital lives.
TETRA:BURST — 5 New Vulnerabilities Exposed in Widely Used Radio Communication System
25.7.23 Vulnerability The Hacker News
A set of five security vulnerabilities has been disclosed in the Terrestrial Trunked Radio (TETRA) standard for radio communication used widely by government entities and critical infrastructure sectors, including what's believed to be an intentional backdoor that could have potentially exposed sensitive information.
The issues, discovered by Midnight Blue in 2021 and held back until now, have been collectively called TETRA:BURST. There is no conclusive evidence to determine that the vulnerabilities have been exploited in the wild to date.
"Depending on infrastructure and device configurations, these vulnerabilities allow for real time decryption, harvest-now-decrypt-later attacks, message injection, user deanonymization, or session key pinning," the Netherlands-based cybersecurity company said.
Standardized by the European Telecommunications Standards Institute (ETSI) in 1995, TETRA is used in more than 100 countries and as a police radio communication system outside the U.S. It's also employed to control essential systems like power grids, gas pipelines, and railways.
That said, TETRA-based radios are estimated to be used in at least two dozen critical infrastructures in the U.S., per WIRED. This comprises electric utilities, a state border control agency, an oil refinery, chemical plants, a major mass transit system, three international airports, and a U.S. Army training base.
The system is underpinned by a collection of secret, proprietary cryptographic algorithms – the TETRA Authentication Algorithm (TAA1) suite for authentication and key distribution purposes and the TETRA Encryption Algorithm (TEA) suite for Air Interface Encryption (AIE) – which have been guarded as trade secrets under strict non-disclosure agreements (NDAs).
In reverse engineering TAA1 and TEA, Midnight Blue said it was able to discover five shortcomings, ranging from low to critical in severity, that allow for "practical interception and manipulation attacks by both passive and active adversaries" -
CVE-2022-24400 - A flaw in the authentication algorithm allows attackers to set the Derived Cypher Key (DCK) to 0.
CVE-2022-24401 - The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.
CVE-2022-24402 - The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.
CVE-2022-24403 - The cryptographic scheme used to obfuscate radio identities has a weak design that allows attackers to deanonymize and track users.
CVE-2022-24404 - Lack of ciphertext authentication on AIE allows for malleability attacks.
"The impact of the issues above is highly dependent on how TETRA is used by organizations, such as whether it transmits voice or data and which cryptographic algorithm is in place," cybersecurity company Forescout said.
One of the most severe issues is CVE-2022-24401, an oracle decryption attack that can be weaponized to reveal text, voice, or data communications without knowledge of the encryption key.
The second critical flaw is CVE-2022-24402, which permits attackers to inject data traffic that is used for monitoring and control of industrial equipment, the San Jose firm pointed out.
"Decrypting this traffic and injecting malicious traffic allows an attacker to achieve denial of control/view or manipulation of control/view, thus performing dangerous actions such as opening circuit breakers in electrical substations, which can lead to blackout events similar to the impact of the Industroyer malware," it pointed out.
"The vulnerability in the TEA1 cipher (CVE-2022-24402) is obviously the result of intentional weakening," the Midnight Blue team noted, describing the engineering weakness as having a "computational step which serves no other purpose than to reduce the key's effective entropy."
But ETSI, in a statement shared with Vice, has pushed back against the term "backdoor," stating that "the TETRA security standards have been specified together with national security agencies and are designed for and subject to export control regulations which determine the strength of the encryption."
Zenbleed: New Flaw in AMD Zen 2 Processors Puts Encryption Keys and Passwords at Risk
25.7.23 Vulnerability The Hacker News
A new security vulnerability has been discovered in AMD's Zen 2 architecture-based processors that could be exploited to extract sensitive data such as encryption keys and passwords.
Discovered by Google Project Zero researcher Tavis Ormandy, the flaw – codenamed Zenbleed and tracked as CVE-2023-20593 (CVSS score: 6.5) – allows data exfiltration at the rate of 30 kb per core, per second.
The issue is part of a broader category of weaknesses called speculative execution attacks, in which the optimization technique widely used in modern CPUs is abused to access cryptographic keys from CPU registers.
"Under specific microarchitectural circumstances, a register in 'Zen 2' CPUs may not be written to 0 correctly," AMD explained in an advisory. "This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information."
Web infrastructure company Cloudflare noted that the attack could even be carried out remotely through JavaScript on a website, thereby obviating the need for physical access to the computer or server.
"Vectorized operations can be executed with great efficiency using the YMM registers," Cloudflare researchers Derek Chamorro and Ignat Korchagin said. "Applications that process large amounts of data stand to gain significantly from them, but they are increasingly the focus of malicious activity."
"This attack works by manipulating register files to force a mispredicted command. Since the register file is shared by all the processes running on the same physical core, this exploit can be used to eavesdrop on even the most fundamental system operations by monitoring the data being transferred between the CPU and the rest of the computer," they added.
While there is no evidence of the bug being exploited in the wild, it's essential that the microcode updates are applied to mitigate potential risk as and when they become available through original equipment manufacturers (OEMs).
Atlassian Releases Patches for Critical Flaws in Confluence and Bamboo
25.7.23 Vulnerability The Hacker News
Atlassian has released updates to address three security flaws impacting its Confluence Server, Data Center, and Bamboo Data Center products that, if successfully exploited, could result in remote code execution on susceptible systems.
The list of the flaws is below -
CVE-2023-22505 (CVSS score: 8.0) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 8.3.2 and 8.4.0)
CVE-2023-22508 (CVSS score: 8.5) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 7.19.8 and 8.2.0)
CVE-2023-22506 (CVSS score: 7.5) - Injection, RCE (Remote Code Execution) in Bamboo (Fixed in versions 9.2.3 and 9.3.1)
CVE-2023-22505 and CVE-2023-22508 allow an "authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction," the company said.
While the first bug was introduced in version 8.0.0, CVE-2023-22508 was introduced in version 7.4.0 of the software.
CVE-2023-22506, introduced in version 8.0.0 of Bamboo Data Center, permits an "authenticated attacker to modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction," according to Atlassian.
Earlier this January, the Australian company shipped patches to resolve a critical security flaw in Jira Service Management Server and Data Center that could be abused by an attacker to pass off as another user and gain unauthorized access to susceptible instances (CVE-2023-22501, CVSS score: 9.4).
Weeks later, it also rolled out fixes for two critical overflow flaws in Git (CVE-2022-41903 and CVE-2022-23531) affecting Bitbucket Server and Data Center, Bamboo Server and Data Center, Fisheye, Crucible, and Sourcetree.
With security vulnerabilities in Atlassian servers becoming attack magnets in recent years, it's recommended that users move quickly to apply the patches to safeguard against potential threats.
Ivanti Releases Urgent Patch for EPMM Zero-Day Vulnerability Under Active Exploitation
25.7.23 Vulnerability The Hacker News
Ivanti is warning users to update their Endpoint Manager Mobile (EPMM) mobile device management software (formerly MobileIron Core) to the latest version that fixes an actively exploited zero-day vulnerability.
Dubbed CVE-2023-35078, the issue has been described as a remote unauthenticated API access vulnerability that impacts currently supported version 11.4 releases 11.10, 11.9, and 11.8 as well as older releases. It has the maximum severity rating of 10 on the CVSS scale.
"An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication," the company said in a terse advisory.
"If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server."
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said an adversary with access to the API paths could exploit them to obtain personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system.
"An attacker can also make other configuration changes, including creating an EPMM administrative account that can make further changes to a vulnerable system," CISA added.
The Utah-based IT software firm further said that it's aware of active exploitation of the bug against a "very limited number of customers" but did not disclose additional specifics about the nature of the attacks or the identity of the threat actor behind them.
Patches for the issue have been made available in versions 11.8.1.1, 11.9.1.1, and 11.10.0.2, according to security researcher Kevin Beaumont.
Apple Rolls Out Urgent Patches for Zero-Day Flaws Impacting iPhones, iPads and Macs
25.7.23 Apple The Hacker News
Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild.
Tracked as CVE-2023-38606, the shortcoming resides in the kernel and could potentially permit a malicious app to modify sensitive kernel state. The company said it was addressed with improved state management.
"Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1," the tech giant noted in its advisory.
It's worth noting that CVE-2023-38606 is the third security vulnerability discovered in connection with Operation Triangulation, a sophisticated mobile cyber espionage campaign targeting iOS devices since 2019 using a zero-click exploit chain. The other two zero-days, CVE-2023-32434 and CVE-2023-32435, were patched by Apple last month.
Kaspersky researchers Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin, Leonid Bezvershenko, and Boris Larin have been credited with discovering and reporting the flaw.
The updates are available for the following devices and operating systems -
iOS 16.6 and iPadOS 16.6 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
iOS 15.7.8 and iPadOS 15.7.8 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
macOS Ventura 13.5, macOS Monterey 12.6.8, and macOS Big Sur 11.7.9
tvOS 16.6 - Apple TV 4K (all models) and Apple TV HD, and
watchOS 9.6 - Apple Watch Series 4 and later
With the latest round of patches, Apple has resolved a total of 11 zero-days impacting its software since the start of 2023. It also comes two weeks after the company published emergency fixes for a remote code execution bug in WebKit that could lead to arbitrary code execution (CVE-2023-37450).
Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks
25.7.23 Vulnerability The Hacker News
Zero-day vulnerabilities in Windows Installers for the Atera remote monitoring and management software could act as a springboard to launch privilege escalation attacks.
The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues remediated in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023, and June 26, 2023, respectively.
"The ability to initiate an operation from a NT AUTHORITY\SYSTEM context can present potential security risks if not properly managed," security researcher Andrew Oliveau said. "For instance, misconfigured Custom Actions running as NT AUTHORITY\SYSTEM can be exploited by attackers to execute local privilege escalation attacks."
Successful exploitation of such weaknesses could pave the way for the execution of arbitrary code with elevated privileges.
Both the flaws reside in the MSI installer's repair functionality, potentially creating a scenario where operations are triggered from an NT AUTHORITY\SYSTEM context even if they are initiated by a standard user.
According to the Google-owned threat intelligence firm, Atera Agent is susceptible to a local privilege escalation attack that can be exploited through DLL hijacking (CVE-2023-26077), which could then be abused to obtain a Command Prompt as the NT AUTHORITY\SYSTEM user.
CVE-2023-26078, on the other hand, concerns the "execution of system commands that trigger the Windows Console Host (conhost.exe) as a child process," as a result opening up a "command window, which, if executed with elevated privileges, can be exploited by an attacker to perform a local privilege escalation attack."
"Misconfigured Custom Actions can be trivial to identify and exploit, thereby posing significant security risks for organizations," Oliveau said. "It is essential for software developers to thoroughly review their Custom Actions to prevent attackers from hijacking NT AUTHORITY\SYSTEM operations triggered by MSI repairs."
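The review Oliveau recommends can be partly automated. As an added example (not Atera's or Mandiant's code), the Python below decodes the Type bitfield of an installer's CustomAction table and reports the actions that Windows Installer runs as LocalSystem (deferred actions carrying the NoImpersonate bit), which an MSI repair re-executes; the table rows are constructed to look like a tab-separated Orca export.

```python
"""Audit a Windows Installer CustomAction table for actions that run as
LocalSystem (NT AUTHORITY\\SYSTEM) and can therefore be re-triggered with
elevated rights by an MSI repair.

Added example, not Atera's or Mandiant's code. SAMPLE_TABLE is constructed to
look like a tab-separated export of the CustomAction table (for instance from
Orca); only the Type bitfield semantics are Windows Installer's.
"""
import csv
import io

# The low six bits of Type select what the action runs. These base types
# launch code; types such as 35 (set directory) and 51 (set property) do not.
CODE_BASE_TYPES = {
    1: "DLL from Binary table", 2: "EXE from Binary table",
    5: "JScript from Binary table", 6: "VBScript from Binary table",
    17: "DLL installed with product", 18: "EXE installed with product",
    21: "JScript installed with product", 22: "VBScript installed with product",
    34: "EXE at Directory-table path", 37: "inline JScript", 38: "inline VBScript",
    50: "EXE at path from property", 53: "JScript from property",
    54: "VBScript from property",
}
IN_SCRIPT = 0x400        # msidbCustomActionTypeInScript: deferred execution
NO_IMPERSONATE = 0x800   # msidbCustomActionTypeNoImpersonate: run as LocalSystem
PATH_FROM_DIR_OR_PROP = {34, 50}  # executable located via a directory/property value

# Constructed sample: one property setter, one elevated EXE launched from a
# directory, one deferred-but-impersonated DLL, one immediate EXE.
SAMPLE_TABLE = """Action\tType\tSource\tTarget
SetInstallDir\t51\tINSTALLDIR\t[ProgramFilesFolder]ExampleAgent
RunAgentSetup\t3106\tINSTALLDIR\tAgentSetup.exe /silent
RegisterService\t1025\tHelperDll\tRegister
ShowReadme\t34\tINSTALLDIR\treadme.exe
"""


def decode_type(type_value: int) -> dict:
    """Split the Type bitfield into base type, schedule and execution context."""
    base = type_value & 0x3F
    deferred = bool(type_value & IN_SCRIPT)
    if deferred and type_value & 0x100:
        schedule = "rollback"
    elif deferred and type_value & 0x200:
        schedule = "commit"
    elif deferred:
        schedule = "deferred"
    else:
        schedule = "immediate"
    # NoImpersonate only takes effect on deferred (in-script) actions; immediate
    # actions run impersonating the user who started the install or repair.
    runs_as_system = deferred and bool(type_value & NO_IMPERSONATE)
    return {"base": base, "kind": CODE_BASE_TYPES.get(base),
            "schedule": schedule, "runs_as_system": runs_as_system}


def audit_custom_actions(table_tsv: str) -> list[dict]:
    """Return one finding per code-launching custom action, LocalSystem ones first."""
    findings = []
    for row in csv.DictReader(io.StringIO(table_tsv), delimiter="\t"):
        info = decode_type(int(row["Type"]))
        if info["kind"] is None:
            continue  # property/directory setters launch nothing
        info.update(action=row["Action"], source=row["Source"], target=row["Target"])
        # An elevated action whose binary is resolved through a directory or
        # property value depends on that location not being user-writable.
        info["path_dependent"] = info["base"] in PATH_FROM_DIR_OR_PROP
        findings.append(info)
    findings.sort(key=lambda f: (not f["runs_as_system"], f["action"]))
    return findings


def system_context_actions(table_tsv: str) -> list[str]:
    """Names of actions a repair would run as LocalSystem: these need review."""
    return [f["action"] for f in audit_custom_actions(table_tsv) if f["runs_as_system"]]
```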
The disclosure comes as Kaspersky shed more light on a now-fixed, severe privilege escalation flaw in Windows (CVE-2023-23397, CVSS score: 9.8) that has come under active exploitation in the wild by threat actors using a specially crafted Outlook task, message or calendar event.
While Microsoft disclosed previously that Russian nation-state groups weaponized the bug since April 2022, evidence gathered by the antivirus vendor has revealed that real-world exploit attempts were carried out by an unknown attacker targeting government and critical infrastructure entities in Jordan, Poland, Romania, Turkey, and Ukraine a month prior to the public disclosure.
Google Messages Getting Cross-Platform End-to-End Encryption with MLS Protocol
25.7.23 Safety The Hacker News
Google has announced that it intends to add support for Message Layer Security (MLS) to its Messages service for Android and open source implementation of the specification.
"Most modern consumer messaging platforms (including Google Messages) support end-to-end encryption, but users today are limited to communicating with contacts who use the same platform," Giles Hogben, privacy engineering director at Google, said. "This is why Google is strongly supportive of regulatory efforts that require interoperability for large end-to-end messaging platforms."
The development comes as the Internet Engineering Task Force (IETF) released the core specification of the Messaging Layer Security (MLS) protocol as a Request for Comments (RFC 9420).
Some of the other major companies that have thrown their weight behind the protocol are Amazon Web Services (AWS) Wickr, Cisco, Cloudflare, The Matrix.org Foundation, Mozilla, Phoenix R&D, and Wire. Notably missing from the list is Apple, which offers iMessage.
MLS, as the name implies, is a security layer for end-to-end encryption that facilitates interoperability across messaging services and platforms. It was approved for publication as a standard by IETF in March 2023.
"MLS builds on the best lessons of the current generation of security protocols," IETF noted at the time. "Like the widely used Double Ratchet protocol, MLS allows for asynchronous operation and provides advanced security features such as post-compromise security. And, like TLS 1.3, MLS provides robust authentication."
Central to MLS is an approach known as Continuous Group Key Agreement (CGKA) that allows multiple messaging clients to agree on a shared key that caters to groups in size ranging from two to thousands in a manner that offers forward secrecy guarantees regardless of the individuals who join and leave the group conversation.
"The core functionality of MLS is continuous group authenticated key exchange (AKE)," the standard document reads. "As with other authenticated key exchange protocols (such as TLS), the participants in the protocol agree on a common secret value, and each participant can verify the identity of the other participants."
"That secret can then be used to protect messages sent from one participant in the group to the other participants using the MLS framing layer or can be exported for use with other protocols. MLS provides group AKE in the sense that there can be more than two participants in the protocol, and continuous group AKE in the sense that the set of participants in the protocol can change over time."
This evolving membership is realized by means of a data structure called an asynchronous ratcheting tree, which is used to derive shared secrets among a group of clients. The goal is to be able to efficiently remove any member, achieving post-compromise security by preventing group messages from being intercepted even if one member was breached at some point in the past.
On the other hand, forward secrecy, which enables messages sent at a certain point in time to be secured in the face of later compromise of a group member, is provided by deleting private keys from past versions of the ratchet tree, thereby averting old group secrets from being re-derived.
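As an added illustration of the ratchet tree described above (not Google's, Mozilla's or RFC 9420 code), the Python below derives one group secret from a TreeKEM-style tree, rotates it when any member updates, and leaves a removed member stranded in the old epoch; it assumes a power-of-two group, uses SHA-256 as the derivation step, and replaces public-key encryption to co-path subtrees with direct delivery.

```python
"""Toy asynchronous ratcheting tree: one shared secret for a group, rotated by
any member's update and withheld from a removed member.

Added example, not Google's, Mozilla's or the RFC 9420 implementations. It
keeps the tree shape and path-secret hash chain of a TreeKEM-style tree but
replaces public-key encryption to co-path subtrees with direct delivery, so it
illustrates the key derivation and membership change, not the wire protocol.
Group size is assumed to be a power of two and the hash is SHA-256.
"""
from __future__ import annotations

import hashlib
import os


def kdf(label: str, secret: bytes) -> bytes:
    """Domain-separated one-way step standing in for MLS's DeriveSecret."""
    return hashlib.sha256(label.encode() + b"\x00" + secret).digest()


class RatchetTree:
    """Heap-shaped binary tree: root is index 0, leaves are n-1 .. 2n-2."""

    def __init__(self, n_leaves: int):
        assert n_leaves & (n_leaves - 1) == 0, "toy assumes a power-of-two group"
        self.n = n_leaves

    def leaf(self, member: int) -> int:
        return self.n - 1 + member

    @staticmethod
    def parent(node: int) -> int:
        return (node - 1) // 2

    @staticmethod
    def sibling(node: int) -> int:
        return node + 1 if node % 2 == 1 else node - 1

    def leaves_under(self, node: int) -> list[int]:
        """Members whose leaves sit in the subtree rooted at node."""
        if node >= self.n - 1:
            return [node - (self.n - 1)]
        return self.leaves_under(2 * node + 1) + self.leaves_under(2 * node + 2)


class Member:
    """One client's view: it only ever holds secrets for nodes on its own
    direct path (leaf to root), never for other members' leaves."""

    def __init__(self, tree: RatchetTree, index: int):
        self.tree, self.index = tree, index
        self.node_secrets: dict[int, bytes] = {}

    def group_secret(self) -> bytes | None:
        root = self.node_secrets.get(0)
        return kdf("epoch", root) if root else None

    def derive_upward(self, node: int, path_secret: bytes) -> None:
        """From the path secret of one node on my direct path, recompute every
        node above it. Old values are overwritten and thus forgotten, which is
        what denies a later compromise access to earlier epochs (forward secrecy)."""
        while True:
            self.node_secrets[node] = kdf("node", path_secret)
            if node == 0:
                return
            path_secret = kdf("path", path_secret)
            node = self.tree.parent(node)


def update(members: dict[int, Member], updater: int) -> None:
    """The updater samples a fresh leaf secret and ratchets every node above it.
    Each co-path subtree is handed the path secret of its parent node; real MLS
    HPKE-encrypts that secret to the subtree's public key, this toy delivers it
    to every current member beneath it. Anyone not in `members` gets nothing."""
    tree = members[updater].tree
    leaf_secret = os.urandom(32)
    members[updater].derive_upward(tree.leaf(updater), leaf_secret)
    node, path_secret = tree.leaf(updater), leaf_secret
    while node != 0:
        path_secret = kdf("path", path_secret)          # secret of parent(node)
        parent = tree.parent(node)
        for m in tree.leaves_under(tree.sibling(node)):
            if m in members:
                members[m].derive_upward(parent, path_secret)
        node = parent


def remove(members: dict[int, Member], remover: int, victim: int) -> Member:
    """Drop the victim's leaf and commit an update right away: the victim keeps
    only the old epoch and receives no new path secret, so it cannot follow the
    group forward (post-compromise security after removal)."""
    gone = members.pop(victim)
    update(members, remover)
    return gone
```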
Mozilla, which is hoping to see a standardization of a Web API to leverage the protocol directly via web browsers, said MLS is designed such that "the legitimacy of new members entering a group is checked by everyone: there is nowhere to hide."
New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection
24.7.23 Vulnerability The Hacker News
Details have emerged about a now-patched flaw in OpenSSH that could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions.
"This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH's forwarded ssh-agent," Saeed Abbasi, manager of vulnerability research at Qualys, said in an analysis last week.
The vulnerability is being tracked under the CVE identifier CVE-2023-38408 (CVSS score: N/A). It impacts all versions of OpenSSH before 9.3p2.
OpenSSH is a popular connectivity tool for remote login with the SSH protocol that's used for encrypting all traffic to eliminate eavesdropping, connection hijacking, and other attacks.
Successful exploitation requires the presence of certain libraries on the victim system and that the SSH authentication agent is forwarded to an attacker-controlled system. SSH agent is a background program that maintains users' keys in memory and facilitates remote logins to a server without having to enter their passphrase again.
"While browsing through ssh-agent's source code, we noticed that a remote attacker, who has access to the remote server where Alice's ssh-agent is forwarded to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib* on Alice's workstation (via her forwarded ssh-agent, if it is compiled with ENABLE_PKCS11, which is the default)," Qualys explained.
The cybersecurity firm said it was able to devise a successful proof-of-concept (PoC) against default installations of Ubuntu Desktop 22.04 and 21.10, although other Linux distributions are expected to be vulnerable as well.
It is strongly advised that users of OpenSSH update to the most recent version in order to safeguard against potential cyber threats.
Earlier this February, OpenSSH maintainers released an update to remediate a medium-severity security flaw (CVE-2023-25136, CVSS score: 6.5) that could be exploited by an unauthenticated remote attacker to modify unexpected memory locations and theoretically achieve code execution.
A subsequent release in March addressed another security issue that could be abused by means of a specifically crafted DNS response to perform an out-of-bounds read of adjacent stack data and cause a denial-of-service to the SSH client.
Banking Sector Targeted in Open-Source Software Supply Chain Attacks
24.7.23 Attack The Hacker News
Cybersecurity researchers say they have discovered the first open-source software supply chain attacks specifically targeting the banking sector.
"These attacks showcased advanced techniques, including targeting specific components in web assets of the victim bank by attaching malicious functionalities to it," Checkmarx said in a report published last week.
"The attackers employed deceptive tactics such as creating a fake LinkedIn profile to appear credible and customized command-and-control (C2) centers for each target, exploiting legitimate services for illicit activities."
The npm packages have since been reported and taken down. The names of the packages were not disclosed.
In the first attack, the malware author is said to have uploaded a couple of packages to the npm registry in early April 2023 by posing as an employee of the target bank. The modules came with a preinstall script to activate the infection sequence. To complete the ruse, the threat actor behind it created a fake LinkedIn page.
Once launched, the script determined the host operating system to see if it was Windows, Linux, or macOS, and proceeded to download a second-stage malware from a remote server by using a subdomain on Azure that incorporated the name of the bank in question.
"The attacker cleverly utilized Azure's CDN subdomains to effectively deliver the second-stage payload," Checkmarx researchers said. "This tactic is particularly clever because it bypasses traditional deny list methods, due to Azure's status as a legitimate service."
The second-stage payload used in the intrusion is Havoc, an open-source command-and-control (C2) framework that has increasingly come under the radar of malicious actors looking to sidestep detection stemming from the use of Cobalt Strike, Sliver, and Brute Ratel.
In an unrelated attack detected in February 2023 targeting a different bank, the adversary uploaded to npm a package that was "meticulously designed to blend into the website of the victim bank and lay dormant until it was prompted to spring into action."
Specifically, it was engineered to covertly intercept login data and exfiltrate the details to an actor-controlled infrastructure.
"Supply chain security revolves around protecting the entire process of software creation and distribution, from the beginning stages of development to the delivery to the end user," the company said.
"Once a malicious open-source package enters the pipeline, it's essentially an instantaneous breach – rendering any subsequent countermeasures ineffective. In other words, the damage is done."
The development comes as the Russian-speaking cybercrime group RedCurl breached an unnamed major Russian bank and an Australian company in November 2022 and May 2023 to siphon corporate secrets and employee information as part of a sophisticated phishing campaign, Group-IB's Russian arm, F.A.C.C.T., said.
"Over the past four and a half years, the Russian-speaking group Red Curl [...] has carried out at least 34 attacks on companies from the UK, Germany, Canada, Norway, Ukraine, and Australia," the company said.
"More than half of the attacks – 20 – fell on Russia. Among the victims of cyber spies were construction, financial, consulting companies, retailers, banks, insurance, and legal organizations."
Financial institutions have also been at the receiving end of attacks leveraging a web-inject toolkit called drIBAN to perform unauthorized transactions from a victim's computer in a manner that circumvents identity verification and anti-fraud mechanisms adopted by banks.
"The core functionality of drIBAN is the ATS engine (Automatic Transfer System)," Cleafy researchers Federico Valentini and Alessandro Strino noted in an analysis released on July 18, 2023.
"ATS is a class of web injects that alters on-the-fly legitimate banking transfers performed by the user, changing the beneficiary and transferring money to an illegitimate bank account controlled by TA or affiliates, which are then responsible for handling and laundering the stolen money."
Apple Threatens to Pull iMessage and FaceTime from U.K. Amid Surveillance Demands
22.7.23 Apple The Hacker News
Apple has warned that it would rather stop offering iMessage and FaceTime services in the U.K. than bowing down to government pressure in response to new proposals that seek to expand digital surveillance powers available to state intelligence agencies.
The development, first reported by BBC News, makes the iPhone maker the latest to join the chorus of voices protesting against forthcoming legislative changes to the Investigatory Powers Act (IPA) 2016 in a manner that would effectively render encryption protections ineffective.
Specifically, the Online Safety Bill requires companies to install technology to scan for child sex exploitation and abuse (CSEA) material and terrorism content in encrypted messaging apps and other services. It also mandates that messaging services clear security features with the Home Office before releasing them and take immediate action to disable them if required without informing the public.
While the bill does not explicitly call for the removal of end-to-end encryption, it would de facto amount to weakening it, as the companies offering the services would have to scan all messages to flag and take them down. This has been viewed as a disproportionate step that allows the government to enforce bulk interception and surveillance.
Apple told the British broadcaster that such a provision would "constitute a serious and direct threat to data security and information privacy."
Earlier this April, a number of messaging apps that currently offer encrypted chats, such as Element, Signal, Threema, Viber, Meta-owned WhatsApp, and Wire, published an open letter, urging the U.K. government to rethink its approach and "encourage companies to offer more privacy and security to its residents."
"The Bill provides no explicit protection for encryption, and if implemented as written, could empower OFCOM to try to force the proactive scanning of private messages on end-to-end encrypted communication services – nullifying the purpose of end-to-end encryption as a result and compromising the privacy of all users," the letter read.
Apple, which previously announced its own plans to flag potentially problematic and abusive content in iCloud Photos, abandoned it last year after receiving pushback from digital rights groups over worries that the capability could be abused to undermine users' privacy and security.
This is not the first time the tussle between end-to-end encryption vis-à-vis the need to tackle serious crimes online has cropped up.
In May 2021, WhatsApp sued the Indian government to block internet regulations that would compel the messaging app to break encryption by incorporating a traceability mechanism to identify the "first originator of information" or risk facing criminal penalties. The case is still pending.
Apple's refusal to play ball is in line with its public stance on privacy, one that allows it to position itself as a "privacy hero" among other companies that thrive on collecting user data to serve targeted ads.
But it also rings hollow when considering the fact that every message sent to or received from a non-Apple device is unencrypted – SMS does not support end-to-end encryption – and could potentially open the door for government surveillance.
Azure AD Token Forging Technique in Microsoft Attack Extends Beyond Outlook, Wiz Reports
22.7.23 Attack The Hacker News
The recent attack against Microsoft's email infrastructure by a Chinese nation-state actor referred to as Storm-0558 is said to have a broader scope than previously thought.
According to cloud security company Wiz, the inactive Microsoft account (MSA) consumer signing key used to forge Azure Active Directory (Azure AD or AAD) tokens to gain illicit access to Outlook Web Access (OWA) and Outlook.com could also have allowed the adversary to forge access tokens for various types of Azure AD applications.
This includes every application that supports personal account authentication, such as OneDrive, SharePoint, and Teams; customer applications that support the "Login with Microsoft" functionality; and multi-tenant applications in certain conditions.
"Everything in the world of Microsoft leverages Azure Active Directory auth tokens for access," Ami Luttwak, chief technology officer and co-founder of Wiz, said in a statement. "An attacker with an AAD signing key is the most powerful attacker you can imagine, because they can access almost any app – as any user. This is a 'shape shifter' superpower."
Microsoft, last week, disclosed that the token forging technique was exploited by Storm-0558 to extract unclassified data from victim mailboxes, but the exact contours of the cyber espionage campaign remain unknown.
The Windows maker said it's still investigating as to how the adversary managed to acquire the MSA consumer signing key. But it's unclear if the key functioned as a master key of sorts to unlock access to data belonging to nearly two dozen organizations.
Wiz's analysis fills in some of the blanks, with the company discovering that "all Azure personal account v2.0 applications depend on a list of 8 public keys, and all Azure multi-tenant v2.0 applications with Microsoft account enabled depend on a list of 7 public keys."
It further found that Microsoft replaced one of the listed public keys (thumbprint: "d4b4cccda9228624656bff33d8110955779632aa") that had been present since at least 2016 sometime between June 27, 2023, and July 5, 2023, around the same period the company said it had revoked the MSA key.
"This led us to believe that although the compromised key acquired by Storm-0558 was a private key designed for Microsoft's MSA tenant in Azure, it was also able to sign OpenID v2.0 tokens for multiple types of Azure Active Directory applications," Wiz said.
"Storm-0558 seemingly managed to obtain access to one of several keys that were intended for signing and verifying AAD access tokens. The compromised key was trusted to sign any OpenID v2.0 access token for personal accounts and mixed-audience (multi-tenant or personal account) AAD applications."
This effectively meant that the loophole could theoretically enable malicious actors to forge access tokens for consumption by any application that depends on the Azure identity platform.
Even worse, the acquired private key could have been weaponized to forge tokens to authenticate as any user to an affected application that trusts Microsoft OpenID v2.0 mixed audience and personal-accounts certificates.
"Identity provider's signing keys are probably the most powerful secrets in the modern world," Wiz security researcher Shir Tamari said. "With identity provider keys, one can gain immediate single hop access to everything, any email box, file service, or cloud account."
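For defenders, the practical question is which of their applications accepted tokens signed by the replaced key. The Python below is an added example (not Wiz's or Microsoft's tooling) that turns the thumbprint quoted above into the `kid`/`x5t` value a JWT header would carry and triages logged tokens against it; it assumes, as in the JWKS documents Azure AD publishes, that `kid` equals the base64url-encoded SHA-1 certificate thumbprint, and its sample tokens are constructed and unsigned.

```python
"""Hunt application logs for tokens signed by a specific identity-provider key.

Added example, not Wiz's or Microsoft's tooling. It assumes that the JWT
header `kid` (and `x5t`) of an Azure AD signing key is the base64url-encoded
SHA-1 thumbprint of the signing certificate, as in the JWKS documents Azure AD
publishes, so the hex thumbprint cited by Wiz can be turned into the `kid` to
search for. The tokens below are constructed and carry no real signature;
this is log triage, not token validation.
"""
import base64
import json

# Thumbprint of the key Microsoft replaced, as quoted in the Wiz analysis.
REPLACED_KEY_THUMBPRINT = "d4b4cccda9228624656bff33d8110955779632aa"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def thumbprint_to_kid(thumbprint_hex: str) -> str:
    """Hex SHA-1 certificate thumbprint -> the kid/x5t form found in JWT headers."""
    return b64url_encode(bytes.fromhex(thumbprint_hex))


def kid_to_thumbprint(kid: str) -> str:
    """Inverse of thumbprint_to_kid, for matching a logged kid against IoC lists."""
    return b64url_decode(kid).hex()


def parse_token(token: str) -> tuple[dict, dict]:
    """Decode header and claims without verifying the signature."""
    header, claims, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(claims))


def triage_tokens(tokens, suspect_thumbprints):
    """Return tokens whose signing key is in the suspect set, with the claims an
    analyst needs to pivot on: issuer, audience (application), subject, tenant."""
    suspect_kids = {thumbprint_to_kid(t) for t in suspect_thumbprints}
    findings = []
    for token in tokens:
        header, claims = parse_token(token)
        kid = header.get("kid") or header.get("x5t")
        if kid in suspect_kids:
            findings.append({"kid": kid, "iss": claims.get("iss"),
                             "aud": claims.get("aud"), "sub": claims.get("sub"),
                             "tid": claims.get("tid")})
    return findings


def constructed_token(kid: str, claims: dict) -> str:
    """Build a JWT-shaped string for the sample log. The signature segment is a
    placeholder: nothing here verifies it, and none of this is a valid token."""
    header = {"typ": "JWT", "alg": "RS256", "kid": kid, "x5t": kid}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()),
                     b64url_encode(b"placeholder-signature")])


# Constructed sample log: one token under the replaced key, one under another.
SAMPLE_LOG_TOKENS = [
    constructed_token(thumbprint_to_kid(REPLACED_KEY_THUMBPRINT), {
        "iss": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
        "aud": "constructed-app-id", "sub": "constructed-user-1",
        "tid": "TENANT-ID-PLACEHOLDER"}),
    constructed_token("constructed-other-kid", {
        "iss": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
        "aud": "constructed-app-id", "sub": "constructed-user-2",
        "tid": "TENANT-ID-PLACEHOLDER"}),
]
```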
Update
When reached for comment, Microsoft shared the following statement with The Hacker News -
Many of the claims made in this blog are speculative and not evidence-based. We recommend that customers review our blogs, specifically our Microsoft Threat Intelligence blog, to learn more about this incident and investigate their own environments using the Indicators of Compromise (IOCs) that we've made public. We’ve also recently expanded security logging availability, making it free for more customers by default, to help enterprises manage an increasingly complex threat landscape.
HotRat: New Variant of AsyncRAT Malware Spreading Through Pirated Software
22.7.23 Virus The Hacker News
A new variant of AsyncRAT malware dubbed HotRat is being distributed via free, pirated versions of popular software and utilities such as video games, image and sound editing software, and Microsoft Office.
"HotRat malware equips attackers with a wide array of capabilities, such as stealing login credentials, cryptocurrency wallets, screen capturing, keylogging, installing more malware, and gaining access to or altering clipboard data," Avast security researcher Martin a Milánek said.
The Czech cybersecurity firm said the trojan has been prevalent in the wild since at least October 2022, with a majority of the infections concentrated in Thailand, Guyana, Libya, Suriname, Mali, Pakistan, Cambodia, South Africa, and India.
The attacks entail bundling the cracked software available online via torrent sites with a malicious AutoHotkey (AHK) script that initiates an infection chain designed to deactivate antivirus solutions on the compromised host and ultimately launch the HotRat payload using a Visual Basic Script loader.
HotRat, described as a comprehensive RAT malware, comes with nearly 20 commands, each of which executes a .NET module retrieved from a remote server, allowing the threat actors behind the campaign to extend its features as and when required.
That said, it's worth noting that the attack requires administrative privileges to successfully realize its goals.
"Despite the substantial risks involved, the irresistible temptation to acquire high-quality software at no cost persists, leading many people to download illegal software," Milánek said. "Therefore, distributing such software remains an effective method for widely spreading malware."
Sophisticated BundleBot Malware Disguised as Google AI Chatbot and Utilities
21.7.23 Virus The Hacker News
A new malware strain known as BundleBot has been stealthily operating under the radar by taking advantage of .NET single-file deployment techniques, enabling threat actors to capture sensitive information from compromised hosts.
"BundleBot is abusing the dotnet bundle (single-file), self-contained format that results in very low or no static detection at all," Check Point said in a report published this week, adding it is "commonly distributed via Facebook Ads and compromised accounts leading to websites masquerading as regular program utilities, AI tools, and games."
Some of these websites aim to mimic Google Bard, the company's conversational generative artificial intelligence chatbot, enticing victims into downloading a bogus RAR archive ("Google_AI.rar") hosted on legitimate cloud storage services such as Dropbox.
The archive file, when unpacked, contains an executable file ("GoogleAI.exe"), which is a .NET single-file, self-contained application that, in turn, incorporates a DLL file ("GoogleAI.dll"), whose responsibility is to fetch a password-protected ZIP archive from Google Drive.
The extracted content of the ZIP file ("ADSNEW-1.0.0.3.zip") is another .NET single-file, self-contained application ("RiotClientServices.exe") that incorporates the BundleBot payload ("RiotClientServices.dll") and a command-and-control (C2) packet data serializer ("LirarySharing.dll").
"The assembly RiotClientServices.dll is a custom, new stealer/bot that uses the library LirarySharing.dll to process and serialize the packet data that are being sent to C2 as a part of the bot communication," the Israeli cybersecurity company said.
The binary artifacts employ custom-made obfuscation and junk code in a bid to resist analysis, and come with capabilities to siphon data from web browsers, capture screenshots, grab Discord tokens, information from Telegram, and Facebook account details.
Check Point said it also detected a second BundleBot sample that's virtually identical in all aspects barring the use of HTTPS to exfiltrate the information to a remote server in the form of a ZIP archive.
"The delivering method via Facebook Ads and compromised accounts is something that has been abused by threat actors for a while, still combining it with one of the capabilities of the revealed malware (to steal a victim's Facebook account information) could serve as a tricky self-feeding routine," the company noted.
The development comes as Malwarebytes uncovered a new campaign that employs sponsored posts and compromised verified accounts that impersonate Facebook Ads Manager to entice users into downloading rogue Google Chrome extensions that are designed to steal Facebook login information.
Users who click on the embedded link are prompted to download a RAR archive file containing an MSI installer file that, for its part, launches a batch script to spawn a new Google Chrome window with the malicious extension loaded using the "--load-extension" flag -
start chrome.exe --load-extension="%~dp0/nmmhkkegccagdldgiimedpiccmgmiedagg4" "https://www.facebook.com/business/tools/ads-manager"
"That custom extension is cleverly disguised as Google Translate and is considered 'Unpacked' because it was loaded from the local computer, rather than the Chrome Web Store," Jérôme Segura, director of threat intelligence at Malwarebytes, explained, noting it is "entirely focused on Facebook and grabbing important pieces of information that could allow an attacker to log into accounts."
The captured data is subsequently sent using the Google Analytics API, a technique that gets around content security policies (CSPs) designed to mitigate cross-site scripting (XSS) and data injection attacks.
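A defender can hunt for the launch pattern above in endpoint process-creation telemetry. The following detection logic is an added example, not code from Malwarebytes or the article: it parses constructed process records (the "pid|parent|image|command_line" format, the drop path and the benign control events are all assumptions), extracts the directories passed to Chrome's `--load-extension` switch, and flags launches that come from a script host, load from a user-writable location, or open Facebook Ads Manager with a side-loaded extension.

```python
import re
from dataclasses import dataclass, field

# Chrome's side-load switch: --load-extension=<path>[,<path>...]; the value is
# often quoted because Windows paths contain spaces.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Parents that should not normally spawn a browser with a side-loaded extension
# (the campaign chains an MSI installer -> batch script -> chrome.exe).
SCRIPT_PARENTS = {"cmd.exe", "msiexec.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

# Path fragments typical of user-writable drop locations (lower-case, with
# surrounding separators so a word like "template" does not match "temp").
DROP_DIRS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\public\\")

# Constructed process-creation records for this example, not real telemetry:
# "pid|parent_image|image|command_line". The first mimics the article's batch
# launcher after %~dp0 has been expanded; the other two are benign controls.
SAMPLE_EVENTS = [
    r'4312|cmd.exe|chrome.exe|chrome.exe --load-extension="C:\Users\bob\AppData\Local\Temp\nmmhkkegccagdldgiimedpiccmgmiedagg4" "https://www.facebook.com/business/tools/ads-manager"',
    r'4313|explorer.exe|chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    r'4314|devenv.exe|chrome.exe|chrome.exe --load-extension=C:\src\my-extension http://localhost:3000',
]


@dataclass
class Finding:
    pid: int
    parent: str
    extension_paths: list
    reasons: list = field(default_factory=list)


def parse_event(line: str):
    """Split one constructed record into (pid, parent, image, command_line)."""
    pid, parent, image, cmdline = line.split("|", 3)
    return int(pid), parent.lower(), image.lower(), cmdline


def extract_extension_paths(cmdline: str) -> list:
    """Return the directories passed to --load-extension, or [] if absent."""
    m = LOAD_EXT_RE.search(cmdline)
    if not m:
        return []
    value = m.group(1) if m.group(1) is not None else m.group(2)
    return [p for p in value.split(",") if p]


def analyze_event(line: str):
    """Score a chrome.exe launch; returns a Finding, or None if not relevant."""
    pid, parent, image, cmdline = parse_event(line)
    if image != "chrome.exe":
        return None
    paths = extract_extension_paths(cmdline)
    if not paths:
        return None
    finding = Finding(pid, parent, paths)
    if parent in SCRIPT_PARENTS:
        finding.reasons.append(f"browser launched by script host {parent}")
    for p in paths:
        if any(d in p.lower() for d in DROP_DIRS):
            finding.reasons.append(f"extension loaded from user-writable path: {p}")
    if "facebook.com/business" in cmdline.lower():
        finding.reasons.append("opens Facebook Ads Manager with a side-loaded extension")
    return finding


def scan(lines) -> list:
    """Keep only launches that triggered at least one reason."""
    findings = (analyze_event(line) for line in lines)
    return [f for f in findings if f is not None and f.reasons]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid} (parent {f.parent}): {'; '.join(f.reasons)}")
```

Developer launches such as the third record load an unpacked extension too, so the reasons, not the switch alone, should drive alerting.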
The threat actors behind the activity are suspected to be of Vietnamese origin, who have, in recent months, exhibited acute interest in targeting Facebook business and advertising accounts. Over 800 victims worldwide have been impacted, with 310 of those located in the U.S.
"Fraudsters have a lot of time on their hands and spend years studying and understanding how to abuse social media and cloud platforms, where it is a constant arms race to keep bad actors out," Segura said. "Remember that there is no silver bullet and anything that sounds too good to be true may very well be a scam in disguise."
Local Governments Targeted for Ransomware – How to Prevent Falling Victim
21.7.23 Ransom The Hacker News
Regardless of the country, local government is essential in most citizens' lives. It provides many day-to-day services and handles various issues. Therefore, when security failures occur, their effects can be far-reaching and deeply felt.
In early 2023, Oakland, California, fell victim to a ransomware attack. Although city officials have not disclosed how the attack occurred, experts suspect a phishing email is the most likely cause. As a result, city officials brought down their servers to contain the attack.
Governments have been the target of many ransomware attacks and breaches. As most local governments maintain a small IT staff, there is potential for shared passwords, reused credentials, and a lack of multi-factor authentication, exposing vulnerabilities for a breach.
Oakland is Breached
It was first noticed on a Wednesday evening in early February, when Oakland, California, city officials quickly took most services' backend servers offline and posted a message to the city website. Just a few days later, a local state of emergency was issued. In addition to several offices closing, many services remained offline for some time, including Oak311, Parking Citation Assistance Center, Business Tax Licenses, and Permitting.
The Play ransomware group claimed responsibility for breaching city services and posted about the hack on their group website. In their first release, they made available 10GB of data containing decades' worth of files. In their second, larger breach, up to 600GB of data was compromised.
The impact of the security breach went beyond the disruption of city services, affecting both Oakland residents and city employees on a personal level. City employees from July 2010 to January 2022 were notified that their personal information may have been compromised. Additionally, certain Oakland residents, such as those filing a claim against the city or applying for federal programs through the city, may have also been affected.
As expected, this ongoing situation is a nightmare for both IT services and city administration, and it is also a public relations nightmare. Many concerned citizens continue to question how they are impacted and how to protect themselves against identity theft.
The Ramifications of a Breach
Any system breach is serious. In this case, the data was encrypted, rendering services unusable. But, with a compromised infrastructure, threat actors could have leveraged that access to further infect city residents and employees. The Oakland breach may have been limited to lost data, but depending on the group responsible, the consequences could have been far worse.
The job of city IT services is already difficult due to typically smaller budgets and overworked IT staff. The myriad security vulnerabilities to track in popular software and the difficulty of staying on top of ever-changing threats make IT jobs even more challenging. Therefore, it is important to implement policies and procedures that can go a long way in securing and protecting your local government.
Underpinning so many services are the passwords and policies that control access to critical services. Common best practice guidelines such as NIST 800-63B, ISO 27001/27002, and SOC 2 ensure that your organization is set up for success. Implementing these standards is difficult, and tools such as Specops Password Policy with Breached Password Protection make strapped IT professionals' lives far easier.
Protecting Users with Specops Password Policy and Breached Password Protection
Keeping up with best practices and standards is difficult. Fortunately, there are tools available like Specops Password Policy that enforce stronger password policies in Active Directory, help meet security compliance standards, and block over 3 billion known compromised passwords from use to help keep your users safe from ransomware attacks by groups like Play.
Specops Password Policy provides various features to help keep your organization secure. These include custom dictionaries, unique and customizable password policies, and powerful protection against cracked passwords.
Keeping Cities Safe from Ransomware
The ongoing challenges faced by Oakland, California, are difficult for both residents and city officials. The unknown threat of how stolen information may be used for further hacks or identity theft leaves many uneasy and afraid. By implementing ways to proactively protect your government entity with tools such as Specops Password Policy, you can go a long way in limiting the scope of attacks and bolstering your defenses.
DDoS Botnets Hijacking Zyxel Devices to Launch Devastating Attacks
21.7.23 BotNet The Hacker News
Several distributed denial-of-service (DDoS) botnets have been observed exploiting a critical flaw in Zyxel devices that came to light in April 2023 to gain remote control of vulnerable systems.
"Through the capture of exploit traffic, the attacker's IP address was identified, and it was determined that the attacks were occurring in multiple regions, including Central America, North America, East Asia, and South Asia," Fortinet FortiGuard Labs researcher Cara Lin said.
The flaw, tracked as CVE-2023-28771 (CVSS score: 9.8), is a command injection bug affecting multiple firewall models that could potentially allow an unauthorized actor to execute arbitrary code by sending a specifically crafted packet to the targeted appliance.
Last month, the Shadowserver Foundation warned that the flaw was being "actively exploited to build a Mirai-like botnet" at least since May 26, 2023, an indication of how abuse of servers running unpatched software is on the rise.
The latest findings from Fortinet suggest that the shortcoming is being opportunistically leveraged by multiple actors to breach susceptible hosts and corral them into a botnet capable of launching DDoS attacks against other targets.
This comprises Mirai botnet variants such as Dark.IoT and another botnet that has been dubbed Katana by its author, which comes with capabilities to mount DDoS attacks using TCP and UDP protocols.
"It appears that this campaign utilized multiple servers to launch attacks and updated itself within a few days to maximize the compromise of Zyxel devices," Lin said.
The disclosure comes as Cloudflare reported an "alarming escalation in the sophistication of DDoS attacks" in the second quarter of 2023, with threat actors devising novel ways to evade detection by "adeptly imitating browser behavior" and keeping their attack rates-per-second relatively low.
Adding to the complexity is the use of DNS laundering attacks to conceal malicious traffic via reputable recursive DNS resolvers and virtual machine botnets to orchestrate hyper-volumetric DDoS attacks.
"In a DNS Laundering attack, the threat actor will query subdomains of a domain that is managed by the victim's DNS server," Cloudflare explained. "The prefix that defines the subdomain is randomized and is never used more than once or twice in such an attack."
"Due to the randomization element, recursive DNS servers will never have a cached response and will need to forward the query to the victim's authoritative DNS server. The authoritative DNS server is then bombarded by so many queries until it cannot serve legitimate queries or even crashes altogether."
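The randomized, never-repeated prefixes Cloudflare describes are also the signal an authoritative-server operator can detect on. The following detector is an added example, not Cloudflare's or the article's code: it reads constructed query-log lines ("epoch resolver_ip qname", an assumed format), buckets them per zone and time window, and alerts when a window is dominated by names seen at most twice, arriving via many distinct recursive resolvers.

```python
from collections import defaultdict
from typing import NamedTuple

# Zones this authoritative server answers for (constructed for the example).
OUR_ZONES = ("example.com",)


class Alert(NamedTuple):
    window_start: int
    zone: str
    queries: int
    oneoff_ratio: float   # share of queries whose name was seen at most twice
    resolvers: int        # distinct recursive resolvers forwarding them


def parse_line(line: str):
    """Constructed log format: '<epoch_seconds> <resolver_ip> <qname>'."""
    ts, src, qname = line.split()
    return int(ts), src, qname.lower().rstrip(".")


def zone_for(qname: str):
    """Map a query name to the zone we serve, or None if it is not ours."""
    for zone in OUR_ZONES:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None


def detect_laundering(lines, window=60, min_queries=20, min_ratio=0.9, min_resolvers=3):
    """Flag per-zone windows dominated by never-repeated names from many resolvers."""
    buckets = defaultdict(lambda: {"count": 0, "names": defaultdict(int), "resolvers": set()})
    for line in lines:
        ts, src, qname = parse_line(line)
        zone = zone_for(qname)
        if zone is None:
            continue                      # foreign name: not our zone, ignore
        b = buckets[(ts - ts % window, zone)]
        b["count"] += 1
        b["names"][qname] += 1
        b["resolvers"].add(src)
    alerts = []
    for (start, zone), b in sorted(buckets.items()):
        if b["count"] < min_queries:
            continue
        # Laundering prefixes are "never used more than once or twice", so
        # count the queries belonging to names with at most two hits.
        oneoff = sum(n for n in b["names"].values() if n <= 2)
        ratio = oneoff / b["count"]
        if ratio >= min_ratio and len(b["resolvers"]) >= min_resolvers:
            alerts.append(Alert(start, zone, b["count"], ratio, len(b["resolvers"])))
    return alerts


def constructed_log():
    """Synthetic log: repeated normal lookups, then a laundering burst."""
    lines = []
    for i in range(30):   # legitimate names, queried repeatedly by two resolvers
        host = "www" if i % 3 else "mail"
        lines.append(f"{1020 + i} 203.0.113.{1 + i % 2} {host}.example.com.")
    for i in range(40):   # one-off pseudo-random prefixes via eight resolvers
        prefix = f"r{i:04x}{(i * 7919) % 9973:x}"
        lines.append(f"{2040 + i} 198.51.100.{i % 8} {prefix}.example.com")
    lines.append("2050 198.51.100.9 www.other.test")   # not our zone
    return lines


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for alert in detect_laundering(SAMPLE_LOG):
        print(alert)
```

Because the queries arrive from legitimate resolvers, blocking by source address is not an option; the alert is a trigger for response-rate limiting or upstream scrubbing rather than a blocklist.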
Another noteworthy factor contributing to the increase in DDoS offensives is the emergence of pro-Russian hacktivist groups such as KillNet, REvil, and Anonymous Sudan (aka Storm-1359) that have overwhelmingly focused on targets in the U.S. and Europe. There is no evidence to connect REvil to the widely known ransomware group.
KillNet's "regular creation and absorption of new groups is at least partially an attempt to continue to garner attention from Western media and to enhance the influence component of its operations," Mandiant said in a new analysis, adding the group's targeting has "consistently aligned with established and emerging Russian geopolitical priorities."
"KillNet's structure, leadership, and capabilities have undergone several observable shifts over the course of the last 18 months, progressing toward a model that includes new, higher profile affiliate groups intended to garner attention for their individual brands in addition to the broader KillNet brand," it further added.
Citrix NetScaler ADC and Gateway Devices Under Attack: CISA Urges Immediate Action
21.7.23 Vulnerability The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on Thursday warning that the newly disclosed critical security flaw in Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices is being abused to drop web shells on vulnerable systems.
"In June 2023, threat actors exploited this vulnerability as a zero-day to drop a web shell on a critical infrastructure organization's non-production environment NetScaler ADC appliance," the agency said.
"The web shell enabled the actors to perform discovery on the victim's active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network segmentation controls for the appliance blocked movement."
The shortcoming in question is CVE-2023-3519 (CVSS score: 9.8), a code injection bug that could result in unauthenticated remote code execution. Citrix, earlier this week, released patches for the issue and warned of active in-the-wild exploitation.
Successful exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication, authorization, and auditing (AAA) virtual server.
CISA did not disclose the name of the organization that was impacted by the incident. The threat actor or the country allegedly behind it is presently unknown.
In the incident analyzed by CISA, the web shell is said to have enabled the collection of NetScaler configuration files, NetScaler decryption keys, and AD information, after which the data was transmitted as a PNG image file ("medialogininit.png").
The adversary's subsequent attempts to move laterally across the network, as well as to run commands to identify accessible targets and verify outbound network connectivity, were thwarted by robust network segmentation practices, the agency noted, adding that the actors also attempted to delete their artifacts to cover their tracks.
Vulnerabilities in gateway products such as NetScaler ADC and NetScaler Gateway have become popular targets for threat actors looking to obtain privileged access to targeted networks. This makes it imperative that users move quickly to apply the latest fixes to secure against potential threats.
Mallox Ransomware Exploits Weak MS-SQL Servers to Breach Networks
21.7.23 Ransom The Hacker News
Mallox ransomware activities in 2023 have witnessed a 174% increase when compared to the previous year, new findings from Palo Alto Networks Unit 42 reveal.
"Mallox ransomware, like many other ransomware threat actors, follows the double extortion trend: stealing data before encrypting an organization's files, and then threatening to publish the stolen data on a leak site as leverage to convince victims to pay the ransom fee," security researchers Lior Rochberger and Shimi Cohen said in a new report shared with The Hacker News.
Mallox is linked to a threat actor that's also linked to other ransomware strains, such as TargetCompany, Tohnichi, Fargo, and, most recently, Xollam. It first burst onto the scene in June 2021.
Some of the prominent sectors targeted by Mallox are manufacturing, professional and legal services, and wholesale and retail.
A notable aspect of the group is its pattern of exploiting poorly secured MS-SQL servers via dictionary attacks as a penetration vector to compromise victims' networks. Xollam is a deviation from the norm in that it has been observed using malicious OneNote file attachments for initial access, as detailed by Trend Micro last month.
Upon gaining a successful foothold on the infected host, a PowerShell command is executed to retrieve the ransomware payload from a remote server.
The binary, for its part, attempts to stop and remove SQL-related services, delete volume shadow copies, clear system event logs, terminate security-related processes, and bypass Raccine, an open-source tool designed to counter ransomware attacks, prior to commencing its encryption process, after which a ransom note is dropped in every directory.
TargetCompany remains a small, closed group, but it has also been observed recruiting affiliates for the Mallox ransomware-as-a-service (RaaS) affiliate program on the RAMP cybercrime forum.
The development comes as ransomware continues to be a lucrative financial scheme, netting cybercriminals no less than $449.1 million in the first half of 2023 alone, per Chainalysis.
The sudden surge in Mallox infections is also symptomatic of a broader trend where ransomware attacks have witnessed a 221% jump year-over-year as of June 2023, with 434 attacks reported in June 2023 alone, largely driven by Cl0p's exploitation of the MOVEit file transfer software vulnerability.
"The Mallox ransomware group has been more active in the past few months, and their recent recruiting efforts may enable them to attack more organizations if the recruitment drive is successful," the researchers said.
Critical Flaws in AMI MegaRAC BMC Software Expose Servers to Remote Attacks
21.7.23 Vulnerability The Hacker News
Two more security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software that, if successfully exploited, could allow threat actors to remotely commandeer vulnerable servers and deploy malware.
"These new vulnerabilities range in severity from High to Critical, including unauthenticated remote code execution and unauthorized device access with superuser permissions," Eclypsium researchers Vlad Babkin and Scott Scheferman said in a report shared with The Hacker News.
"They can be exploited by remote attackers having access to Redfish remote management interfaces, or from a compromised host operating system."
To make matters worse, the shortcomings could also be weaponized to drop persistent firmware implants that are immune to operating system reinstalls and hard drive replacements, brick motherboard components, cause physical damage through overvolting attacks, and induce indefinite reboot loops.
"As attackers shift their focus from user facing operating systems to the lower level embedded code which hardware and computing trust relies on, compromise becomes harder to detect and exponentially more complex to remediate," the researchers pointed out.
Eclypsium's findings are based on an analysis of the AMI firmware leaked in a ransomware attack carried out by the RansomExx crew targeting hardware-maker GIGABYTE in August 2021.
The vulnerabilities are the latest additions to a set of bugs affecting AMI MegaRAC BMCs that have been cumulatively named BMC&C, some of which were disclosed by the firmware security company in December 2022 (CVE-2022-40259, CVE-2022-40242, and CVE-2022-2827) and January 2023 (CVE-2022-26872 and CVE-2022-40258).
The list of new flaws is as follows -
CVE-2023-34329 (CVSS score: 9.1) - Authentication bypass via HTTP header spoofing
CVE-2023-34330 (CVSS score: 8.2) - Code injection via dynamic Redfish extension interface
When chained together, the two bugs carry a combined severity score of 10.0, allowing an adversary to sidestep Redfish authentication and remotely execute arbitrary code on the BMC chip with the highest privileges. In addition, the aforementioned flaws could be strung together with CVE-2022-40258 to crack passwords for the admin accounts on the BMC chip.
It's worth pointing out that an attack of this nature could result in the installation of malware that could be used for conducting long-term cyber espionage while flying under the radar of security software, not to mention performing lateral movement and even destroying the CPU through power management tampering techniques such as PMFault.
While there is no evidence that the flaws have been exploited in the wild, the popularity of MegaRAC BMC – a critical supply chain component found in millions of devices shipped by major vendors – makes it a lucrative target for threat actors looking to control every aspect of the targeted system.
"These vulnerabilities pose a major risk to the technology supply chain that underlies cloud computing," the researchers said. "In short, vulnerabilities in a component supplier affect many hardware vendors, which in turn can be passed on to many cloud services."
"As such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use."
Apache OpenMeetings Web Conferencing Tool Exposed to Critical Vulnerabilities
21.7.23 Vulnerability The Hacker News
Multiple security flaws have been disclosed in Apache OpenMeetings, a web conferencing solution, that could be potentially exploited by malicious actors to seize control of admin accounts and run malicious code on susceptible servers.
"Attackers can bring the application into an unexpected state, which allows them to take over any user account, including the admin account," Sonar vulnerability researcher Stefan Schiller said in a report shared with The Hacker News.
"The acquired admin privileges can further be leveraged to exploit another vulnerability allowing attackers to execute arbitrary code on the Apache OpenMeetings server."
Following responsible disclosure on March 20, 2023, the vulnerabilities were addressed in OpenMeetings version 7.1.0, released on May 9, 2023. The list of three flaws is as follows -
CVE-2023-28936 (CVSS score: 5.3) - Insufficient check of invitation hash
CVE-2023-29032 (CVSS score: 8.1) - An authentication bypass that leads to unrestricted access via invitation hash
CVE-2023-29246 (CVSS score: 7.2) - A NULL byte (%00) injection that allows an attacker with admin privileges to gain code execution
Meeting invites created using OpenMeetings are not only bound to a specific room and a user but also come with a unique hash that's used by the application to retrieve details associated with the invitation.
The first two flaws, in a nutshell, have to do with a weak hash comparison between the user-supplied hash and what's present in the database and a quirk that allows for the creation of a room invitation without a room assigned to it, leading to a scenario where an invitation exists with no room attached to it.
A threat actor could exploit these shortcomings to create an event and join the corresponding room, and follow it up by deleting the event, at which point an invitation is created for the admin user to the non-existing room. In the next step, the weak hash comparison bug could be leveraged to enumerate the sent invitation and redeem it by providing a wildcard hash input.
"Although the room is also deleted when its associated event is deleted, the presence of the attacker in the room makes this a zombie room," Schiller explained. "Although an error is raised when redeeming the hash for such an invitation, a valid web session for the invitee with full permissions of this user is created."
In other words, the zombie room could allow the attacker to acquire admin privileges and make modifications to the OpenMeetings instance, including adding and removing users and groups, changing room settings, and terminating sessions of connected users.
Sonar said it also identified a third vulnerability that's rooted in a feature that enables an administrator to configure the path for executables related to ImageMagick, an open-source software used to edit and process images. This allows an attacker with admin privileges to gain code execution by changing the ImageMagick path to "/bin/sh%00x" and triggering arbitrary shell commands.
"When now uploading a fake image containing a valid image header followed by arbitrary shell commands, the conversion spawns /bin/sh with the first argument being the fake image, effectively executing every command in it," Schiller said.
"In combination with the account takeover, this vulnerability allows a self-registered attacker to gain remote code execution on the underlying server."
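The ImageMagick-path bug works because a managed runtime keeps the full string "/bin/sh\0x" while the operating system's exec stops at the NUL and runs "/bin/sh". An added example in Python (OpenMeetings itself is Java, and this is not the project's code) of how an admin-configurable tool path should be validated: it rejects NUL and control bytes outright, then requires an absolute, canonical path whose directory and basename are on an allowlist. The allowlisted directories and names are assumptions, and the input is assumed to be already URL-decoded.

```python
import os
import posixpath

# Allowlist assumed for this example (constructed): where the ImageMagick
# binaries may live and what they may be called.
ALLOWED_TOOL_DIRS = ("/usr/bin", "/usr/local/bin", "/opt/imagemagick/bin")
ALLOWED_TOOL_NAMES = ("convert", "magick", "identify")


def os_visible_path(configured: str) -> str:
    """What a C-level exec sees: the path string ends at the first NUL byte.

    A managed runtime keeps the whole string, so a check on its tail can pass
    while the kernel executes only the prefix before the NUL.
    """
    return configured.split("\x00", 1)[0]


def validate_tool_path(configured: str, check_fs: bool = False) -> str:
    """Return the canonical path, or raise ValueError naming the failed rule."""
    if "\x00" in configured:
        raise ValueError("NUL byte in path")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in configured):
        raise ValueError("control character in path")
    if not configured.startswith("/"):
        raise ValueError("path must be absolute")
    canonical = posixpath.normpath(configured)
    if canonical != configured:
        raise ValueError("path is not canonical (contains '..', '.', or '//')")
    directory, name = posixpath.split(canonical)
    if directory not in ALLOWED_TOOL_DIRS:
        raise ValueError(f"directory {directory!r} not in allowlist")
    if name not in ALLOWED_TOOL_NAMES:
        raise ValueError(f"tool name {name!r} not in allowlist")
    # Optional filesystem check, skipped by default so the example runs offline.
    if check_fs and not (os.path.isfile(canonical) and os.access(canonical, os.X_OK)):
        raise ValueError("path is not an existing executable file")
    return canonical


def is_safe_tool_path(configured: str) -> bool:
    """Boolean wrapper around validate_tool_path for settings-form handlers."""
    try:
        validate_tool_path(configured)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    poisoned = "/bin/sh\x00x"   # the article's "/bin/sh%00x" after URL decoding
    print("exec would run:", os_visible_path(poisoned))
    print("accepted?", is_safe_tool_path(poisoned), is_safe_tool_path("/usr/bin/convert"))
```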
North Korean State-Sponsored Hackers Suspected in JumpCloud Supply Chain Attack
21.7.23 BigBrothers The Hacker News
An analysis of the indicators of compromise (IoCs) associated with the JumpCloud hack has uncovered evidence pointing to the involvement of North Korean state-sponsored groups, in a style that's reminiscent of the supply chain attack targeting 3CX.
The findings come from SentinelOne, which mapped out the infrastructure pertaining to the intrusion to uncover underlying patterns. It's worth noting that JumpCloud, last week, attributed the attack to an unnamed "sophisticated nation-state sponsored threat actor."
"The North Korean threat actors demonstrate a high level of creativity and strategic awareness in their targeting strategies," SentinelOne security researcher Tom Hegel told The Hacker News. "The research findings reveal a successful and multifaceted approach employed by these actors to infiltrate developer environments."
"They actively seek access to tools and networks that can serve as gateways to more extensive opportunities. Their tendency to execute multiple levels of supply chain intrusions before engaging in financially motivated theft is noteworthy."
In a related development, CrowdStrike, which is working with JumpCloud to probe the incident, pinned the attack to a North Korean actor known as Labyrinth Chollima, a sub cluster within the infamous Lazarus Group, according to Reuters.
The infiltration was used as a "springboard" to target cryptocurrency companies, the news agency said, indicating an attempt on part of the adversary to generate illegal revenues for the sanctions-hit nation.
The revelations also coincide with a low-volume social engineering campaign identified by GitHub that targets the personal accounts of employees of technology firms, using a mix of repository invitations and malicious npm package dependencies. The targeted accounts are associated with blockchain, cryptocurrency, online gambling, or cybersecurity sectors.
The Microsoft subsidiary connected the campaign to a North Korean hacking group it tracks under the name Jade Sleet (aka TraderTraitor).
"Jade Sleet mostly targets users associated with cryptocurrency and other blockchain-related organizations, but also targets vendors used by those firms," GitHub's Alexis Wales said in a report published on July 18, 2023.
The attack chains involve setting up bogus personas on GitHub and other social media services such as LinkedIn, Slack, and Telegram, although in some cases the threat actor is believed to have taken control of legitimate accounts.
Under the assumed persona, Jade Sleet initiates contact with the targets and invites them to collaborate on a GitHub repository, convincing the victims into cloning and running the contents, which feature decoy software with malicious npm dependencies that act as first-stage malware to download and execute second-stage payloads on the infected machine.
The malicious npm packages, per GitHub, are part of a campaign that first came to light last month, when Phylum detailed a supply chain threat involving a unique execution chain that uses a pair of fraudulent modules to fetch an unknown piece of malware from a remote server.
SentinelOne, in its latest analysis, said 144.217.92[.]197, an IP address linked to the JumpCloud attack, resolves to npmaudit[.]com, one of the eight domains listed by GitHub as used to fetch the second-stage malware. A second IP address 23.29.115[.]171 maps to npm-pool[.]org.
"It is evident that North Korean threat actors are continuously adapting and exploring novel methods to infiltrate targeted networks," Hegel said. "The JumpCloud intrusion serves as a clear illustration of their inclination towards supply chain targeting, which yields a multitude of potential subsequent intrusions."
"The DPRK demonstrates a profound understanding of the benefits derived from meticulously selecting high-value targets as a pivot point to conduct supply chain attacks into fruitful networks," Hegel added.
Turla's New DeliveryCheck Backdoor Breaches Ukrainian Defense Sector
21.7.23 Virus The Hacker News
The defense sector in Ukraine and Eastern Europe has been targeted by a novel .NET-based backdoor called DeliveryCheck (aka CAPIBAR or GAMEDAY) that's capable of delivering next-stage payloads.
The Microsoft threat intelligence team, in collaboration with the Computer Emergency Response Team of Ukraine (CERT-UA), attributed the attacks to a Russian nation-state actor known as Turla, which is also tracked under the names Iron Hunter, Secret Blizzard (formerly Krypton), Uroburos, Venomous Bear, and Waterbug. It's linked to Russia's Federal Security Service (FSB).
"DeliveryCheck is distributed via email as documents with malicious macros," the company said in a series of tweets. "It persists via a scheduled task that downloads and launches it in memory. It also contacts a C2 server to retrieve tasks, which can include the launch of arbitrary payloads embedded in XSLT stylesheets."
Successful initial access is also accompanied in some cases by the distribution of a known Turla implant dubbed Kazuar, which is equipped to steal application configuration files, event logs, and a wide range of data from web browsers.
The ultimate goal of the attacks is to exfiltrate messages from the Signal messaging app for Windows, enabling the adversary to access sensitive conversations, documents, and images on targeted systems.
A noteworthy aspect of DeliveryCheck is its ability to breach Microsoft Exchange servers and install a server-side component using PowerShell Desired State Configuration (DSC), a PowerShell management platform that helps administrators automate the configuration of Windows systems.
"DSC generates a Managed Object Format (MOF) file containing a PowerShell script that loads the embedded .NET payload into memory, effectively turning a legitimate server into a malware C2 center," Microsoft explained.
The disclosure comes as the Cyber Police of Ukraine dismantled a massive bot farm with more than 100 individuals allegedly spreading hostile propaganda justifying the Russian invasion, leaking personal information belonging to Ukrainian citizens, and engaging in various fraud schemes.
As part of the operation, searches were carried out in 21 locations, leading to the seizure of computer equipment, mobile phones, more than 250 GSM gateways, and about 150,000 SIM cards belonging to different mobile operators.
New P2PInfect Worm Targeting Redis Servers on Linux and Windows Systems
20.7.23 Virus The Hacker News
Cybersecurity researchers have uncovered a new cloud-targeting, peer-to-peer (P2P) worm called P2PInfect that targets vulnerable Redis instances for follow-on exploitation.
"P2PInfect exploits Redis servers running on both Linux and Windows Operating Systems making it more scalable and potent than other worms," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said. "This worm is also written in Rust, a highly scalable and cloud-friendly programming language."
It's estimated that as many as 934 unique Redis systems may be vulnerable to the threat. The first known instance of P2PInfect was detected on July 11, 2023.
A notable characteristic of the worm is its ability to infect vulnerable Redis instances by exploiting a critical Lua sandbox escape vulnerability, CVE-2022-0543 (CVSS score: 10.0), which has been exploited over the past year to deliver multiple malware families such as Muhstik, Redigo, and HeadCrab.
The initial access afforded by successful exploitation is then leveraged to deliver a dropper payload that establishes peer-to-peer (P2P) communication with a larger P2P network and fetches additional malicious binaries, including scanning software for propagating the malware to other exposed Redis and SSH hosts.
"The infected instance then joins the P2P network to provide access to the other payloads to future compromised Redis instances," the researchers said.
The malware also utilizes a PowerShell script to establish and maintain communication between the compromised host and the P2P network, offering threat actors persistent access. What's more, the Windows flavor of P2PInfect incorporates a Monitor component to self-update and launch the new version.
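The three paragraphs above describe what P2PInfect needs from a Redis host: an instance reachable from the internet, no authentication, and the replication, module-loading, CONFIG and Lua scripting commands still available. The following audit script is an added example written for this page, not code from Unit 42 or the Redis project: it parses a redis.conf and reports each of those weaknesses. Both configuration fragments are constructed for the example. Note that renaming or disabling EVAL only limits exposure; CVE-2022-0543 itself is fixed by updating the affected Debian and Ubuntu redis packages.

```python
# Constructed redis.conf fragments, not from any real deployment. The first is the
# kind of exposure P2PInfect feeds on; the second is the corrected form.
SAMPLE_WEAK_CONF = """
bind 0.0.0.0
port 6379
protected-mode no
# requirepass never set
"""

SAMPLE_HARDENED_CONF = """
bind 127.0.0.1 -::1
port 6379
protected-mode yes
requirepass replace-with-a-long-random-secret
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
rename-command EVAL ""
rename-command EVALSHA ""
"""

# Commands the attacks described above rely on: SLAVEOF/REPLICAOF (replicate from a
# rogue master), MODULE (load a malicious .so), CONFIG (point dir/dbfilename at a
# cron directory), EVAL/EVALSHA (reach the Lua sandbox, CVE-2022-0543). Disabling
# them is defence in depth; the sandbox escape itself needs a patched package.
DANGEROUS_COMMANDS = ("SLAVEOF", "REPLICAOF", "MODULE", "CONFIG", "EVAL", "EVALSHA")
ALL_INTERFACES = {"0.0.0.0", "*", "::", "-::*", "-::"}


def parse_conf(text):
    """Return (settings, renamed): last value per directive, and the rename-command map.
    Inline '#' comments are stripped, so quoted values containing '#' are not handled."""
    settings, renamed = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "rename-command":
            cmd, _, new_name = value.partition(" ")
            renamed[cmd.upper()] = new_name.strip().strip('"')
        else:
            settings[key] = value
    return settings, renamed


def audit_conf(text):
    """List the weaknesses a P2PInfect-style intruder would exploit."""
    settings, renamed = parse_conf(text)
    findings = []
    binds = settings.get("bind", "").split()
    if not binds or any(b in ALL_INTERFACES for b in binds):
        findings.append("listens on all interfaces")
    if settings.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode disabled")
    if not settings.get("requirepass"):
        findings.append("no requirepass set")
    for cmd in DANGEROUS_COMMANDS:
        # absent from the config, or renamed to something that is still callable
        if renamed.get(cmd) != "":
            findings.append(f"{cmd} not disabled")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", SAMPLE_WEAK_CONF), ("hardened", SAMPLE_HARDENED_CONF)):
        print(name, audit_conf(conf) or ["no findings"])
```

Run it against a copy of the live configuration (or the output of CONFIG GET on a host you still trust) and treat every finding as a reason the worm's scanner would succeed against that instance.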
It's not immediately known what the end goal of the campaign is, with Unit 42 noting that there is no definitive evidence of cryptojacking despite the presence of the word "miner" in the toolkit's source code.
The activity has not been attributed to any known threat actor groups notorious for striking cloud environments like Adept Libra (aka TeamTNT), Aged Libra (aka Rocke), Automated Libra (aka PURPLEURCHIN), Money Libra (aka Kinsing), Returned Libra (aka 8220 Gang), or Thief Libra (aka WatchDog).
The development comes as misconfigured and vulnerable cloud assets are being discovered within minutes by bad actors constantly scanning the internet to mount sophisticated attacks.
"The P2PInfect worm appears to be well designed with several modern development choices," the researchers said. "The design and building of a P2P network to perform the auto-propagation of malware is not something commonly seen within the cloud targeting or cryptojacking threat landscape."
Microsoft Expands Cloud Logging to Counter Rising Nation-State Cyber Threats
20.7.23 Security The Hacker News
Microsoft on Wednesday announced that it's expanding cloud logging capabilities to help organizations investigate cybersecurity incidents and gain more visibility after facing criticism in the wake of a recent espionage attack campaign aimed at its email infrastructure.
The tech giant said it's making the change in direct response to increasing frequency and evolution of nation-state cyber threats. It's expected to roll out starting in September 2023 to all government and commercial customers.
"Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost," Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft, said. "As these changes take effect, customers can use Microsoft Purview Audit to centrally visualize more types of cloud log data generated across their enterprise."
As part of this change, users are expected to receive access to detailed logs of email access and more than 30 other types of log data previously only available at the Microsoft Purview Audit (Premium) subscription level. On top of that, the Windows maker said it's extending the default retention period for Audit Standard customers from 90 days to 180 days.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) welcomed the move, stating "having access to key logging data is important to quickly mitigating cyber intrusions" and that it's "a significant step forward toward advancing security by design principles."
The development comes in the aftermath of disclosures that a threat actor operating out of China, dubbed Storm-0558, breached 25 organizations by exploiting a validation error in the Microsoft Exchange environment.
The U.S. State Department, which was one among the affected entities, said it was able to detect the malicious mailbox activity in June 2023 due to enhanced logging in Microsoft Purview Audit, specifically using the MailItemsAccessed mailbox-auditing action, prompting Microsoft to investigate the incident.
But other impacted organizations said they were unable to detect that they were breached because they were not subscribers of E5/A5/G5 licenses, which come with elevated access to various kinds of logs that would be crucial to investigate the hack.
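The State Department's detection hinged on one mailbox-auditing action, MailItemsAccessed, being present in the Purview Audit data. The script below is an added example for this page, not Microsoft tooling: it triages a batch of exported audit records and surfaces the patterns an investigator would look for first (access from an address outside the organization's known ranges, access to a mailbox by someone other than its owner, and bulk Sync-type reads). The four records are constructed, and the field names are this page's reading of the AuditData schema, so check them against a real export before relying on them.

```python
import ipaddress
import json

# Constructed records in the shape of the AuditData JSON that
# Search-UnifiedAuditLog returns for Exchange mailbox auditing. Field names
# (Operation, UserId, MailboxOwnerUPN, ClientIPAddress, OperationProperties ->
# MailAccessType, OperationCount) are an assumption to verify against your export.
SAMPLE_RECORDS = [
    json.dumps({"CreationTime": "2023-06-15T02:14:09", "Operation": "MailItemsAccessed",
                "UserId": "alice@example.gov", "MailboxOwnerUPN": "alice@example.gov",
                "ClientIPAddress": "10.20.30.40", "ClientInfoString": "Client=OWA;Action=ViaProxy",
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}],
                "OperationCount": 3}),
    json.dumps({"CreationTime": "2023-06-15T02:31:55", "Operation": "MailItemsAccessed",
                "UserId": "bob@example.gov", "MailboxOwnerUPN": "bob@example.gov",
                "ClientIPAddress": "203.0.113.77:443", "ClientInfoString": "Client=OWA;Action=ViaProxy",
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}],
                "OperationCount": 412}),
    json.dumps({"CreationTime": "2023-06-15T03:02:10", "Operation": "MailItemsAccessed",
                "UserId": "svc-backup@example.gov", "MailboxOwnerUPN": "carol@example.gov",
                "ClientIPAddress": "10.5.5.5", "ClientInfoString": "Client=REST;Client=RESTSystem;",
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}],
                "OperationCount": 2}),
    json.dumps({"CreationTime": "2023-06-15T03:10:00", "Operation": "Send",
                "UserId": "alice@example.gov", "MailboxOwnerUPN": "alice@example.gov",
                "ClientIPAddress": "10.20.30.40"}),
]

# Address space legitimate clients are expected to come from (constructed).
KNOWN_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]


def extract_ip(text):
    """ClientIPAddress may carry a port: '203.0.113.77:443' or '[2001:db8::1]:443'."""
    text = (text or "").strip()
    if text.startswith("["):
        text = text[1:text.find("]")]
    elif text.count(":") == 1:
        text = text.split(":")[0]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def mail_access_type(rec):
    for prop in rec.get("OperationProperties", []):
        if prop.get("Name") == "MailAccessType":
            return prop.get("Value")
    return None


def triage(records, known_ranges=KNOWN_RANGES, sync_threshold=100):
    """Return (time, actor, client ip, reasons) for MailItemsAccessed records worth a look."""
    hits = []
    for line in records:
        rec = json.loads(line)
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        reasons = []
        ip = extract_ip(rec.get("ClientIPAddress"))
        if ip is None or not any(ip in net for net in known_ranges):
            reasons.append("unknown source IP")
        if rec.get("UserId", "").lower() != rec.get("MailboxOwnerUPN", "").lower():
            reasons.append("non-owner access")
        if mail_access_type(rec) == "Sync" and rec.get("OperationCount", 0) >= sync_threshold:
            reasons.append("bulk sync")
        if reasons:
            hits.append((rec.get("CreationTime"), rec.get("UserId"), rec.get("ClientIPAddress"), reasons))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(*hit)
```

The thresholds and ranges are deliberately crude; the point is that none of this is possible unless the MailItemsAccessed events exist in the first place, which is what the licensing change above addresses.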
Attacks mounted by the actor are said to have commenced on May 15, 2023, although Redmond said that the adversary has displayed a propensity for OAuth applications, token theft, and token replay attacks against Microsoft accounts since at least August 2021.
Microsoft, in the meanwhile, is continuing to probe the intrusions, but to date the company hasn't explained how the hackers were able to acquire an inactive Microsoft account (MSA) consumer signing key to forge authentication tokens and obtain illicit access to customer email accounts via Outlook Web Access (OWA) in Exchange Online and Outlook.com.
"The objective of most Storm-0558 campaigns is to obtain unauthorized access to email accounts belonging to employees of targeted organizations," Microsoft revealed last week.
"Once Storm-0558 has access to the desired user credentials, the actor signs into the compromised user's cloud email account with the valid account credentials. The actor then collects information from the email account over the web service."
Adobe Rolls Out New Patches for Actively Exploited ColdFusion Vulnerability
20.7.23 Vulnerability The Hacker News
Adobe has released a fresh round of updates to address an incomplete fix for a recently disclosed ColdFusion flaw that has come under active exploitation in the wild.
The critical shortcoming, tracked as CVE-2023-38205 (CVSS score: 7.5), has been described as an instance of improper access control that could result in a security bypass. It impacts the following versions:
ColdFusion 2023 (Update 2 and earlier versions)
ColdFusion 2021 (Update 8 and earlier versions), and
ColdFusion 2018 (Update 18 and earlier versions)
"Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion," the company said.
The update also addresses two other flaws, including a critical deserialization bug (CVE-2023-38204, CVSS score: 9.8) that could lead to remote code execution and a second improper access control flaw that could also pave the way for a security bypass (CVE-2023-38206, CVSS score: 5.3).
The disclosure arrives days after Rapid7 warned that the fix put in place for CVE-2023-29298 was incomplete and that it could be trivially sidestepped by malicious actors. The cybersecurity firm has confirmed that the new patch completely plugs the security hole.
CVE-2023-29298, an access control bypass vulnerability, has been weaponized in real-world attacks by chaining it with another flaw that's suspected to be CVE-2023-38203 to drop web shells on compromised systems for backdoor access.
Adobe ColdFusion users are highly recommended to update their installations to the latest version to mitigate potential threats.
Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware
19.7.23 APT The Hacker News
The prolific China-linked nation-state actor known as APT41 has been linked to two previously undocumented strains of Android spyware called WyrmSpy and DragonEgg.
"Known for its exploitation of web-facing applications and infiltration of traditional endpoint devices, an established threat actor like APT 41 including mobile in its arsenal of malware shows how mobile endpoints are high-value targets with coveted corporate and personal data," Lookout said in a report shared with The Hacker News.
APT41, also tracked under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti, is known to be operational since at least 2007, targeting a wide range of industries to conduct intellectual property theft.
Recent attacks mounted by the adversarial collective have leveraged an open-source red teaming tool known as Google Command and Control (GC2) as part of attacks aimed at media and job platforms in Taiwan and Italy.
The initial intrusion vector for the mobile surveillanceware campaign is not known, although it's suspected to have involved the use of social engineering. Lookout said it first detected WyrmSpy as early as 2017 and DragonEgg at the start of 2021, with new samples of the latter spotted as recently as April 2023.
WyrmSpy primarily masquerades as a default system app used for displaying notifications to the user. Later variants, however, have packaged the malware into apps impersonating as adult video content, Baidu Waimai, and Adobe Flash. On the other hand, DragonEgg has been distributed in the form of third-party Android keyboards and messaging apps like Telegram.
There is no evidence that these rogue apps were propagated through the Google Play Store.
WyrmSpy and DragonEgg's connections to APT41 arise from the use of a command-and-control (C2) server with the IP address 121.42.149[.]52, which resolves to a domain ("vpn2.umisen[.]com") previously identified as associated with the group's infrastructure.
Once installed, both strains of malware request intrusive permissions and come fitted with sophisticated data collection and exfiltration capabilities, harvesting users' photos, locations, SMS messages and audio recordings.
The malware has also been observed relying on modules that are downloaded from a now-offline C2 server after the installation of the app to facilitate the data collection, while simultaneously avoiding detection.
WyrmSpy, for its part, is capable of disabling Security-Enhanced Linux (SELinux), a security feature in Android, and making use of rooting tools such as KingRoot11 to obtain elevated privileges on the compromised handsets. A notable feature of DragonEgg is that it establishes contact with the C2 server to fetch an unknown tertiary module that poses as a forensics program.
"The discovery of WyrmSpy and DragonEgg is a reminder of the growing threat posed by advanced Android malware," Kristina Balaam, a senior threat researcher at Lookout, said. "These spyware packages are highly sophisticated and can be used to collect a wide range of data from infected devices."
The findings come as Mandiant disclosed the evolving tactics adopted by Chinese espionage crews to fly under the radar, including weaponizing networking devices and virtualization software, employing botnets to obfuscate traffic between C2 infrastructure and victim environments, and tunneling malicious traffic inside of victim networks through compromised systems.
"Use of botnets, proxying traffic in a compromised network, and targeting edge devices are not new tactics, nor are they unique to Chinese cyber espionage actors," the Google-owned threat intelligence firm said. "However, during the last decade, we have tracked Chinese cyber espionage actors' use of these and other tactics as part of a broader evolution toward more purposeful, stealthy, and effective operations."
Bad.Build Flaw in Google Cloud Build Raises Concerns of Privilege Escalation
19.7.23 Vulnerability The Hacker News
Cybersecurity researchers have uncovered a privilege escalation vulnerability in Google Cloud that could enable malicious actors to tamper with application images and infect users, leading to supply chain attacks.
The issue, dubbed Bad.Build, is rooted in the Google Cloud Build service, according to cloud security firm Orca, which discovered and reported the issue.
"By abusing the flaw and enabling an impersonation of the default Cloud Build service, attackers can manipulate images in the Google Artifact Registry and inject malicious code," the company said in a statement shared with The Hacker News.
"Any applications built from the manipulated images are then affected and, if the malformed applications are meant to be deployed on customer's environments, the risk crosses from the supplying organization's environment to their customers' environments, constituting a major supply chain risk."
Following responsible disclosure, Google has issued a partial fix that doesn't eliminate the privilege escalation vector, describing it as a low-severity issue. No further customer action is required.
The design flaw stems from the fact that Cloud Build automatically creates a default service account to execute builds for a project on users' behalf. Specifically, the service account comes with excessive permissions ("logging.privateLogEntries.list"), which allows access to audit logs containing the complete list of all permissions on the project.
"What makes this information so lucrative is that it greatly facilitates lateral movement and privilege escalation in the environment," Orca researcher Roi Nisimi said. "Knowing which GCP account can perform which action, is equal to solving a great piece of the puzzle on how to launch an attack."
A malicious actor who has already obtained the "cloudbuild.builds.create" permission by other means could therefore impersonate the Google Cloud Build service account, obtain elevated privileges, exfiltrate an image that is being used inside Google Kubernetes Engine (GKE), and alter it to incorporate malware.
"Once the malicious image is deployed, the attacker can exploit it and run code on the docker container as root," Nisimi explained.
The patch put in place by Google revokes the logging.privateLogEntries.list permission from the Cloud Build service account, thereby preventing access to enumerate private logs by default.
This is not the first time privilege escalation flaws impacting the Google Cloud Platform have been reported. In 2020, Gitlab, Rhino Security Labs, and Praetorian detailed various techniques that could be exploited to compromise cloud environments.
Customers are advised to monitor the behavior of the default Google Cloud Build service account to detect any possible malicious behavior as well as apply the principle of least privilege (PoLP) to mitigate possible risks.
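The least-privilege review recommended above comes down to two questions: which roles give the default Cloud Build service account the logging.privateLogEntries.list permission, and which principals hold cloudbuild.builds.create and can therefore run code as that service account. The script below is an added example for this page, not Orca's or Google's tooling. The project number, policy bindings and role permission lists are all constructed; in practice you would feed it the output of gcloud projects get-iam-policy and gcloud iam roles describe for each role.

```python
# Constructed project number; the default Cloud Build service account is always
# <project-number>@cloudbuild.gserviceaccount.com.
PROJECT_NUMBER = "123456789012"
CLOUD_BUILD_SA = f"serviceAccount:{PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"

# The two permissions at the heart of Bad.Build.
WATCHED = {"logging.privateLogEntries.list", "cloudbuild.builds.create"}

# Constructed IAM policy in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/cloudbuild.builds.builder", "members": [CLOUD_BUILD_SA]},
    {"role": "roles/cloudbuild.builds.editor", "members": ["user:dev@example.com"]},
    {"role": "roles/viewer", "members": ["group:analysts@example.com"]},
]}

# Constructed permission lists. Real ones come from the includedPermissions field of
# `gcloud iam roles describe <role>`; the builder role lost the logging permission in
# Google's fix, so a live check should no longer list it.
SAMPLE_ROLE_PERMS = {
    "roles/cloudbuild.builds.builder": ["cloudbuild.builds.create",
                                        "logging.privateLogEntries.list",
                                        "storage.objects.get"],
    "roles/cloudbuild.builds.editor": ["cloudbuild.builds.create", "cloudbuild.builds.get"],
    "roles/viewer": ["logging.logEntries.list"],
}


def permissions_of(member, policy, role_perms):
    """Map each permission the member effectively holds to the roles that grant it."""
    grants = {}
    for binding in policy["bindings"]:
        if member in binding["members"]:
            for perm in role_perms.get(binding["role"], []):
                grants.setdefault(perm, set()).add(binding["role"])
    return grants


def audit(policy, role_perms, sa=CLOUD_BUILD_SA):
    findings = []
    sa_perms = permissions_of(sa, policy, role_perms)
    for perm in sorted(set(sa_perms) & WATCHED):
        findings.append(f"{sa} holds {perm} via {', '.join(sorted(sa_perms[perm]))}")
    # Anyone who can submit a build runs code under the Cloud Build service account,
    # so every other holder of cloudbuild.builds.create inherits its reach.
    for binding in policy["bindings"]:
        if "cloudbuild.builds.create" in role_perms.get(binding["role"], []):
            for member in binding["members"]:
                if member != sa:
                    findings.append(f"{member} can create builds (runs as {sa}) via {binding['role']}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_POLICY, SAMPLE_ROLE_PERMS):
        print(line)
```

Replacing the default service account with a user-managed one that carries only the permissions the pipeline needs removes the first class of finding; the second class is the list of principals whose compromise is equivalent to compromising the build pipeline.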
Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway
19.7.23 Exploit The Hacker News
Citrix is alerting users of a critical security flaw in NetScaler Application Delivery Controller (ADC) and Gateway that it said is being actively exploited in the wild.
Tracked as CVE-2023-3519 (CVSS score: 9.8), the issue relates to a case of code injection that could result in unauthenticated remote code execution. It impacts the following versions -
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-55.297, and
NetScaler ADC 12.1-NDcPP before 12.1-55.297
The company did not give further details on the flaw tied to CVE-2023-3519 other than to say that exploits for the flaw have been observed on "unmitigated appliances." However, successful exploitation requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an authentication, authorization, and accounting (AAA) virtual server.
Also addressed alongside CVE-2023-3519 are two other bugs -
CVE-2023-3466 (CVSS score: 8.3) - An improper input validation vulnerability resulting in a reflected cross-site scripting (XSS) attack
CVE-2023-3467 (CVSS score: 8.0) - An improper privilege management vulnerability resulting in privilege escalation to the root administrator (nsroot)
Wouter Rijkbost and Jorren Geurts of Resillion have been credited with reporting the bugs. Patches have been made available to address the three flaws in the below versions -
NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS, and
NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
Customers of NetScaler ADC and NetScaler Gateway version 12.1 are recommended to upgrade their appliances to a supported version to mitigate potential threats.
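Because the fixed builds differ per product line (standard, FIPS, NDcPP) and 12.1 standard has no fix at all, checking a fleet against the table above is error-prone by hand. The script below is an added example for this page, not a Citrix tool: it encodes the advisory table, parses either the short "13.1-49.13" form or the version line the appliance prints, and classifies the build. It deliberately does not try to decide whether the appliance is configured as a Gateway or AAA virtual server, which the advisory lists as a precondition for exploitation; that remains a separate check.

```python
import re

# Fixed builds from the advisory table above, keyed by product line and release:
# (build_major, build_minor). 12.1 standard has no fix because it is end-of-life.
FIXED_BUILDS = {
    "standard": {"13.1": (49, 13), "13.0": (91, 13)},
    "fips":     {"13.1": (37, 159), "12.1": (55, 297)},
    "ndcpp":    {"12.1": (55, 297)},
}
EOL_RELEASES = {"standard": {"12.1"}}

# Accepts "13.1-49.13" as well as the "NetScaler NS13.1: Build 49.13.nc" line that
# `show ns version` prints on the appliance.
VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)\D+?(\d+)\.(\d+)")


def parse_version(text):
    """Return (release, (build_major, build_minor)) from a NetScaler version string."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return match.group(1), (int(match.group(2)), int(match.group(3)))


def assess(version_text, line="standard"):
    """'fixed', 'vulnerable', 'end-of-life', or 'unknown' when the release is not in the table."""
    release, build = parse_version(version_text)
    if release in EOL_RELEASES.get(line, set()):
        return "end-of-life"
    fixed = FIXED_BUILDS[line].get(release)
    if fixed is None:
        return "unknown"
    return "fixed" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed inventory: (version line as collected, product line).
    inventory = [
        ("NetScaler NS13.1: Build 48.47.nc", "standard"),
        ("13.1-49.13", "standard"),
        ("12.1-65.35", "standard"),
        ("12.1-55.296", "ndcpp"),
    ]
    for version, line in inventory:
        print(f"{version:40} {line:9} {assess(version, line)}")
```

An "unknown" result means the release is absent from the July 2023 table rather than safe; re-check against the current advisory before closing the ticket.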
The development comes amid active exploitation of security flaws discovered in Adobe ColdFusion (CVE-2023-29298 and CVE-2023-38203) and the WooCommerce Payments WordPress plugin (CVE-2023-28121).
Leaving security flaws in WordPress plugins unpatched could open the door to complete compromise, enabling threat actors to repurpose the compromised WordPress sites for other malicious activities.
Last month, eSentire disclosed an attack campaign dubbed Nitrogen wherein infected WordPress sites have been used to host malicious ISO image files that, when launched, culminate in the deployment of rogue DLL files capable of contacting a remote server to fetch additional payloads, including Python scripts and Cobalt Strike.
Pakistani Entities Targeted in Sophisticated Attack Deploying ShadowPad Malware
18.7.23 Virus The Hacker News
An unidentified threat actor compromised an application used by multiple entities in Pakistan to deliver ShadowPad, a successor to the PlugX backdoor that's commonly associated with Chinese hacking crews.
Targets included a Pakistan government entity, a public sector bank, and a telecommunications provider, according to Trend Micro. The infections took place between mid-February 2022 and September 2022.
The cybersecurity company said the incident could be the result of a supply-chain attack, in which a legitimate piece of software used by targets of interest is trojanized to deploy malware capable of gathering sensitive information from compromised systems.
The attack chain takes the form of a malicious installer for E-Office, an application developed by the National Information Technology Board (NITB) of Pakistan to help government departments go paperless.
It's currently not clear how the backdoored E-Office installer was delivered to the targets. That said, there's no evidence to date that the build environment of the Pakistani government agency in question has been compromised.
This raises the possibility that the threat actor obtained the legitimate installer and tampered with it to include malware, and then lured victims into running the trojanized version via social engineering attacks.
"Three files were added to the legitimate MSI installer: Telerik.Windows.Data.Validation.dll, mscoree.dll, and mscoree.dll.dat," Trend Micro researcher Daniel Lunghi said in an updated analysis published today.
Telerik.Windows.Data.Validation.dll is a valid applaunch.exe file signed by Microsoft, which is vulnerable to DLL side-loading and is used to sideload mscoree.dll that, in turn, loads mscoree.dll.dat, the ShadowPad payload.
Trend Micro said the obfuscation techniques used to conceal the DLL and the decrypted final-stage malware are an evolution of an approach previously exposed by Positive Technologies in January 2021 in connection with a Chinese cyber espionage campaign undertaken by the Winnti group (aka APT41).
Besides ShadowPad, post-exploitation activities have entailed the use of Mimikatz to dump passwords and credentials from memory.
Attribution to a known threat actor has been hampered by a lack of evidence, although the cybersecurity company said it discovered malware samples such as Deed RAT, which has been attributed to the Space Pirates (or Webworm) threat actor.
"This whole campaign was the result of a very capable threat actor that managed to retrieve and modify the installer of a governmental application to compromise at least three sensitive targets," Lunghi said.
"The fact that the threat actor has access to a recent version of ShadowPad potentially links it to the nexus of Chinese threat actors, although we cannot point to a particular group with confidence."
VirusTotal Data Leak Exposes Some Registered Customers' Details
18.7.23 Incident The Hacker News
Data associated with a subset of registered customers of VirusTotal, including their names and email addresses, were exposed after an employee inadvertently uploaded the information to the malware scanning platform.
The security incident, which comprises a database of 5,600 names in a 313KB file, was first disclosed by Der Spiegel and Der Standard yesterday.
Launched in 2004, VirusTotal is a popular service that analyzes suspicious files and URLs to detect types of malware and malicious content using antivirus engines and website scanners. It was acquired by Google in 2012 and became a subsidiary of Google Cloud's Chronicle unit in 2018.
When reached for comment, Google confirmed the leak and said it took immediate steps to remove the data.
"We are aware of the unintentional distribution of a small segment of customer group administrator emails and organization names by one of our employees on the VirusTotal platform," a Google Cloud spokesperson told The Hacker News.
"We removed the list from the platform within an hour of its posting and we are looking at our internal processes and technical controls to improve our operations in the future."
Included among the data are accounts linked to official U.S. bodies such as the Cyber Command, Department of Justice, Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). Other accounts belong to government agencies in Germany, the Netherlands, Taiwan, and the U.K.
Last year, Germany's Federal Office for Information Security (BSI) warned against automatically uploading suspicious email attachments, noting that doing so could lead to the exposure of sensitive information.
FIN8 Group Using Modified Sardonic Backdoor for BlackCat Ransomware Attacks
18.7.23 Virus The Hacker News
The financially motivated threat actor known as FIN8 has been observed using a "revamped" version of a backdoor called Sardonic to deliver the BlackCat ransomware.
According to the Symantec Threat Hunter Team, part of Broadcom, the development is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities. The intrusion attempt took place in December 2022.
FIN8 is being tracked by the cybersecurity company under the name Syssphinx. Known to be active since at least 2016, the adversary was originally attributed to attacks targeting point-of-sale (PoS) systems using malware such as PUNCHTRACK and BADHATCH.
The group resurfaced after more than a year in March 2021 with an updated version of BADHATCH, following it up with a completely new bespoke implant called Sardonic, which was disclosed by Bitdefender in August 2021.
"The C++-based Sardonic backdoor has the ability to harvest system information and execute commands, and has a plugin system designed to load and execute additional malware payloads delivered as DLLs," Symantec said in a report shared with The Hacker News.
Unlike the previous variant, which was designed in C++, the latest iteration packs in significant alterations, with most of the source code rewritten in C and modified so as to deliberately avoid similarities.
In the incident analyzed by Symantec, Sardonic is embedded into a PowerShell script that was deployed into the targeted system after obtaining initial access. The script is designed to launch a .NET loader, which then decrypts and executes an injector module to ultimately run the implant.
"The purpose of the injector is to start the backdoor in a newly created WmiPrvSE.exe process," Symantec explained. "When creating the WmiPrvSE.exe process, the injector attempts to start it in session-0 (best effort) using a token stolen from the lsass.exe process."
Sardonic, besides supporting up to 10 interactive sessions on the infected host for the threat actor to run malicious commands, supports three different plugin formats to execute additional DLL and shellcode.
Some of the other features of the backdoor include the ability to drop arbitrary files and exfiltrate file contents from the compromised machine to an actor-controlled infrastructure.
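Two of the execution tricks described on this page leave recognisable traces in endpoint telemetry: the ShadowPad installer above, which runs a Microsoft-signed host binary that side-loads an unsigned mscoree.dll from its own directory, and the Sardonic injector, which starts WmiPrvSE.exe from a PowerShell process rather than from the service host that normally spawns it. The detection below is an added example for this page, not Trend Micro's or Symantec's tooling: it applies both rules to Sysmon-style events. The events, paths and the list of commonly side-loaded DLL names are constructed; "applaunch.exe" stands in for the renamed Microsoft-signed host the installer used.

```python
import ntpath

# Constructed Sysmon-style events (EventID 7 = Image loaded, EventID 1 = Process
# create). Field names follow Sysmon's schema; every value is invented for the example.
EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\E-Office\applaunch.exe",
     "ImageLoaded": r"C:\Users\Public\E-Office\mscoree.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\mscoree.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\version.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "TerminalSessionId": 0},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TerminalSessionId": 0},
]

# Where the genuine copies of Windows system DLLs live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\microsoft.net\\", "c:\\windows\\winsxs\\")
# DLL names commonly targeted for side-loading (assumption; extend from your own telemetry).
SIDELOAD_NAMES = {"mscoree.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll"}


def _norm(path):
    return path.replace("/", "\\").lower()


def sideload_hit(event):
    """A well-known system DLL name, unsigned, loaded from the host process's own
    directory rather than from the Windows system tree."""
    if event.get("EventID") != 7:
        return None
    dll, host = _norm(event["ImageLoaded"]), _norm(event["Image"])
    if ntpath.basename(dll) not in SIDELOAD_NAMES or dll.startswith(SYSTEM_DIRS):
        return None
    if ntpath.dirname(dll) != ntpath.dirname(host):
        return None
    if event.get("Signed", "false").lower() == "true":
        return None
    return f"possible DLL side-load: {host} loaded unsigned {dll}"


def wmiprvse_hit(event):
    """Legitimate WmiPrvSE.exe is started by the DcomLaunch svchost; any other
    parent (here PowerShell, as with the Sardonic injector) deserves a look."""
    if event.get("EventID") != 1 or ntpath.basename(_norm(event["Image"])) != "wmiprvse.exe":
        return None
    parent = ntpath.basename(_norm(event.get("ParentImage", "")))
    if parent == "svchost.exe":
        return None
    session = event.get("TerminalSessionId", "?")
    return f"WmiPrvSE.exe spawned by unexpected parent {parent or '<unknown>'} in session {session}"


def scan(events):
    hits = []
    for event in events:
        for rule in (sideload_hit, wmiprvse_hit):
            message = rule(event)
            if message:
                hits.append(message)
    return hits


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

The WmiPrvSE rule keys on the parent process rather than on session 0, since the legitimate provider host also runs in session 0; the side-load rule keys on an unsigned DLL with a system name living next to its host, which is the pattern the trojanized E-Office installer produces.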
This is not the first time FIN8 has been detected using Sardonic in connection with a ransomware attack. In January 2022, Lodestone and Trend Micro uncovered FIN8's use of the White Rabbit ransomware, which, in itself, is based on Sardonic.
"Syssphinx continues to develop and improve its capabilities and malware delivery infrastructure, periodically refining its tools and tactics to avoid detection," Symantec said.
"The group's decision to expand from point-of-sale attacks to the deployment of ransomware demonstrates the threat actors' dedication to maximizing profits from victim organizations."
Owner of BreachForums Pleads Guilty to Cybercrime and Child Pornography Charges
18.7.23 Hacking The Hacker News
Conor Brian Fitzpatrick, the owner of the now-defunct BreachForums website, has pleaded guilty to charges related to his operation of the cybercrime forum as well as having child pornography images.
The development, first reported by DataBreaches.net last week, comes nearly four months after Fitzpatrick (aka pompompurin) was formally charged in the U.S. with conspiracy to commit access device fraud and possession of child pornography.
BreachForums, launched in March 2022, operated as an illegal marketplace that allowed its members to trade hacked or stolen databases, enabling other criminal actors to gain unauthorized access to target systems. It was shut down in March 2023 shortly after Fitzpatrick's arrest in New York.
As many as 888 databases consisting of 14 billion individual records are estimated to have been found in total. The forum had over 333,000 members prior to its takedown.
"The purpose of BreachForums, and Fitzpatrick's intent in operating the forum, was to commit and aid and abet the trafficking of stolen or hacked databases containing, among other things, access devices, and the posting of solicitations to offer databases containing access devices," according to court documents.
The 20-year-old faces a maximum of 40 years in prison and fines totaling $750,000. He is scheduled to be sentenced on November 17, 2023.
News of Fitzpatrick's plea agreement comes as the Spanish National Police apprehended a Ukrainian national wanted internationally for his involvement in a fraudulent scareware operation that ran from 2006 to 2011, having eluded capture for over a decade.
It also follows the sentencing of Ashley Liles, a 28-year-old former IT security analyst, to three years and seven months in prison for attempting to extort his employer during a ransomware attack in 2018.
Liles, from Hertfordshire, is said to have altered the original ransom email and changed the payment address provided by the original attacker in an attempt to divert any ransom payments to himself. He had previously pleaded guilty in April 2023.
"Liles, along with other colleagues, worked with police to investigate the incident," the South East Regional Organised Crime Unit (SEROCU) said in a press release.
"Using the information he learned from this, Liles commenced a secondary attack on the company. He accessed senior board members' emails over 300 times and altered the attackers original email address to an almost identical one."
Cybercriminals Exploiting WooCommerce Payments Plugin Flaw to Hijack Websites
18.7.23 Exploit The Hacker News
Threat actors are actively exploiting a recently disclosed critical security flaw in the WooCommerce Payments WordPress plugin as part of a massive targeted campaign.
The flaw, tracked as CVE-2023-28121 (CVSS score: 9.8), is a case of authentication bypass that enables unauthenticated attackers to impersonate arbitrary users and perform some actions as the impersonated user, including an administrator, potentially leading to site takeover.
"Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023," Wordfence security researcher Ram Gall said in a Monday post.
Versions 4.8.0 through 5.6.1 of WooCommerce Payments are vulnerable. The plugin is installed on over 600,000 sites. Patches for the bug were released by WooCommerce back in March 2023, with WordPress issuing auto-updates to sites using affected versions of the software.
A common denominator observed in the attacks entails the use of the HTTP request header "X-Wcpay-Platform-Checkout-User: 1" that causes susceptible sites to treat any additional payloads as coming from an administrative user.
Wordfence said the aforementioned loophole is being weaponized to deploy the WP Console plugin, which can be used by an administrator to execute malicious code and install a file uploader to set up persistence and backdoor the compromised site.
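The root cause described above is a familiar one: a request header that the client fully controls is taken as proof of who the caller is. The snippet below is an added example for this page, not WooCommerce code and not its actual fix; it shows the vulnerable lookup next to a generic hardened form in which the header is only honoured when accompanied by an HMAC that the platform computed with a secret the attacker does not have. The secret and the second header name are constructed for the example.

```python
import hashlib
import hmac

# Constructed shared secret standing in for whatever the platform and the store
# would provision out of band; the signature header name is hypothetical.
PLATFORM_SECRET = b"constructed-shared-secret-for-illustration"
USER_HEADER = "X-Wcpay-Platform-Checkout-User"
SIG_HEADER = "X-Platform-Signature"


def current_user_vulnerable(headers):
    """Vulnerable pattern: a client-supplied header alone decides who the request
    runs as. Sending '1' (the first WordPress user, usually an administrator) is
    enough, which is exactly what the observed attacks do."""
    raw = headers.get(USER_HEADER)
    return int(raw) if raw is not None and raw.isdigit() else None


def sign_user(user_id, secret=PLATFORM_SECRET):
    """MAC the platform attaches when it genuinely forwards a checkout for a user."""
    return hmac.new(secret, str(user_id).encode(), hashlib.sha256).hexdigest()


def current_user_hardened(headers, secret=PLATFORM_SECRET):
    """Honour the header only when the accompanying MAC verifies; compare in
    constant time so the value cannot be recovered byte by byte."""
    raw, sig = headers.get(USER_HEADER), headers.get(SIG_HEADER)
    if raw is None or sig is None or not raw.isdigit():
        return None
    if not hmac.compare_digest(sign_user(raw, secret), sig):
        return None
    return int(raw)


if __name__ == "__main__":
    attacker = {USER_HEADER: "1"}
    print("vulnerable:", current_user_vulnerable(attacker))           # 1
    print("hardened, no MAC:", current_user_hardened(attacker))        # None
    platform = {USER_HEADER: "1", SIG_HEADER: sign_user(1)}
    print("hardened, platform request:", current_user_hardened(platform))  # 1
```

A production design would also bind a timestamp or nonce and the request body into the MAC to stop replay, and would run this check before any WordPress capability decision is made; an HTTP header, signed or not, should never be the only thing standing between an anonymous request and administrator rights.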
Adobe ColdFusion Flaws Exploited in the Wild
The disclosure comes as Rapid7 reported that it observed active exploitation of Adobe ColdFusion flaws in multiple customer environments starting July 13, 2023, to deploy web shells on infected endpoints.
"Threat actors appear to be exploiting CVE-2023-29298 in conjunction with a secondary vulnerability," Rapid7 security researcher Caitlin Condon said. The additional flaw appears to be CVE-2023-38203 (CVSS score: 9.8), a deserialization flaw that was addressed in an out-of-band update released on July 14.
CVE-2023-29298 (CVSS score: 7.5) concerns an access control bypass vulnerability impacting ColdFusion 2023, ColdFusion 2021 Update 6 and below, and ColdFusion 2018 Update 16 and below.
"The vulnerability allows an attacker to access the administration endpoints by inserting an unexpected additional forward slash character in the requested URL," Rapid7 disclosed last week.
Rapid7, however, warned that the fix for CVE-2023-29298 is incomplete and that it could be trivially modified to bypass the patches released by Adobe.
Users are recommended to update to the latest version of Adobe ColdFusion to secure against potential threats, since the fixes put in place to resolve CVE-2023-38203 break the exploit chain.
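The CVE-2023-29298 bypass quoted above, and the incomplete first fix reported in the earlier Adobe item on this page, both come from one class of mistake: an access-control filter compares the raw request path while the component that serves the page resolves it more permissively, so an extra slash slips past the filter yet still reaches the administration endpoint. The following is an added example for this page, not ColdFusion's code or Rapid7's research: a naive prefix check beside a hardened one that canonicalizes the path first. The protected prefixes are an assumption; the article only says "administration endpoints".

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed set of protected path prefixes for the illustration.
PROTECTED_PREFIXES = ("/cfide/administrator", "/cfide/adminapi")


def is_protected_naive(path):
    """Vulnerable pattern: compare the raw request path exactly as the client sent it."""
    return path.lower().startswith(PROTECTED_PREFIXES)


def canonicalize(path):
    """Bring a request path into the form the dispatcher will actually resolve:
    percent-decode once, collapse runs of slashes, resolve '.' and '..', lower-case."""
    decoded = unquote(path)
    # posixpath.normpath deliberately preserves a leading '//' (POSIX lets it be
    # special), which is exactly the bypass shape, so collapse slashes first.
    collapsed = re.sub(r"/+", "/", decoded)
    normalized = posixpath.normpath("/" + collapsed.lstrip("/"))
    return normalized.lower()


def is_protected(path):
    """Hardened check: whole-segment match against the canonical path."""
    canon = canonicalize(path)
    return any(canon == p or canon.startswith(p + "/") for p in PROTECTED_PREFIXES)


if __name__ == "__main__":
    for probe in ("/CFIDE/administrator/index.cfm", "//CFIDE/administrator/index.cfm",
                  "/CFIDE/scripts/../administrator/", "/CFIDE/%61dministrator/",
                  "/CFIDE/administratorx"):
        print(f"{probe:36} naive={is_protected_naive(probe)!s:5} hardened={is_protected(probe)}")
```

The durable fix is for the filter and the dispatcher to agree on one canonical form, and in ColdFusion's case to not expose /CFIDE to the internet at all; a second decoding pass (%252F) or a Windows-specific separator would defeat this example too, which is why canonicalization belongs in one shared place rather than in each check.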
JumpCloud Blames 'Sophisticated Nation-State' Actor for Security Breach
18.7.23 Incident The Hacker News
A little over a week after JumpCloud reset API keys of customers impacted by a security incident, the company said the intrusion was the work of a sophisticated nation-state actor.
The adversary "gained unauthorized access to our systems to target a small and specific set of our customers," Bob Phan, chief information security officer (CISO) at JumpCloud, said in a post-mortem report. "The attack vector used by the threat actor has been mitigated."
The U.S. enterprise software firm said it identified anomalous activity on June 27, 2023, on an internal orchestration system, which it traced back to a spear-phishing campaign mounted by the attacker on June 22.
While JumpCloud said it took security steps to shield its network by rotating credentials and rebuilding its systems, it wasn't until July 5 when it detected "unusual activity" in the commands framework for a small set of customers, prompting a forced-rotation of all admin API keys. The number of affected customers was not disclosed.
Further analysis of the breach, per the company's disclosure, unearthed the attack vector, which it described as a "data injection into the commands framework." It also said the attacks were highly targeted.
JumpCloud, however, did not explain how the phishing attack it spotted in June is connected to the data injection. It's currently not clear if the phishing emails led to the deployment of malware that facilitated the attack.
Additional indicators of compromise (IoCs) associated with the attack show that the adversary leveraged domains named nomadpkg[.]com and nomadpkgs[.]com, a likely reference to the Go-based workload orchestrator used to deploy and manage containers.
"These are sophisticated and persistent adversaries with advanced capabilities," Phan said. JumpCloud has yet to reveal the name and the origins of the group allegedly responsible for the incident.
Hackers Exploit WebAPK to Deceive Android Users into Installing Malicious Apps
18.7.23 Exploit The Hacker News
Threat actors are taking advantage of Android's WebAPK technology to trick unsuspecting users into installing malicious web apps on Android phones that are designed to capture sensitive personal information.
"The attack began with victims receiving SMS messages suggesting the need to update a mobile banking application," researchers from CSIRT KNF said in an analysis released last week. "The link contained in the message led to a site that used WebAPK technology to install a malicious application on the victim's device."
The application impersonates PKO Bank Polski, a multinational banking and financial services company headquartered in Warsaw. Details of the campaign were first shared by Polish cybersecurity firm RIFFSEC.
WebAPK allows users to install progressive web apps (PWAs) to their home screen on Android devices without having to use the Google Play Store.
"When a user installs a PWA from Google Chrome and a WebAPK is used, the minting server 'mints' (packages) and signs an APK for the PWA," Google explains in its documentation.
"That process takes time, but when the APK is ready, the browser installs that app silently on the user's device. Because trusted providers (Play Services or Samsung) signed the APK, the phone installs it without disabling security, as with any app coming from the store. There is no need for sideloading the app."
Once installed, the fake banking app ("org.chromium.webapk.a798467883c056fed_v2") urges users to enter their credentials and two-factor authentication (2FA) tokens, effectively resulting in their theft.
"One of the challenges in countering such attacks is the fact that WebAPK applications generate different package names and checksums on each device," CSIRT KNF said. "They are dynamically built by the Chrome engine, which makes the use of this data as Indicators of Compromise (IoC) difficult."
To counter such threats, it's recommended to block websites that use the WebAPK mechanism to carry out phishing attacks.
The development comes as Resecurity revealed that cybercriminals are increasingly leveraging specialized device spoofing tools for Android that are marketed on the dark web in a bid to impersonate compromised account holders and bypass anti-fraud controls.
The antidetect tools, including Enclave Service and MacFly, are capable of spoofing mobile device fingerprints and other software and network parameters that are analyzed by anti-fraud systems, with threat actors also leveraging weak fraud controls to conduct unauthorized transactions via smartphones using banking malware such as TimpDoor and Clientor.
"Cybercriminals use these tools to access compromised accounts and impersonate legitimate customers by exploiting stolen cookie files, impersonating hyper-granular device identifiers, and utilizing fraud victims' unique network settings," the cybersecurity company said.
Malicious USB Drives Targeting Global Targets with SOGU and SNOWYDRIVE Malware
17.7.23 Virus The Hacker News
Cyber attacks using infected USB drives as an initial access vector have witnessed a three-fold increase in the first half of 2023, according to new findings from Mandiant, which detailed two such campaigns – SOGU and SNOWYDRIVE – targeting both public and private sector entities across the world.
SOGU is the "most prevalent USB-based cyber espionage attack using USB flash drives and one of the most aggressive cyber espionage campaigns targeting both public and private sector organizations globally across industry verticals," the Google-owned threat intelligence firm said.
The activity has been attributed to a China-based cluster called TEMP.Hex, which is also tracked under the names Camaro Dragon, Earth Preta, and Mustang Panda. Targets include construction and engineering, business services, government, health, transportation, and retail in Europe, Asia, and the U.S.
The infection chain detailed by Mandiant exhibits tactical commonalities with another campaign detailed by Check Point, which took the wraps off a strain of self-propagating malware called WispRider that spreads through compromised USB drives and can potentially breach air-gapped systems.
It all starts with a malicious USB flash drive plugged into a computer, leading to the execution of PlugX (aka Korplug), which then decrypts and launches a C-based backdoor called SOGU that exfiltrates files of interest, keystrokes, and screenshots.
SNOWYDRIVE Targets Oil and Gas Organizations in Asia
The second cluster to leverage the USB infiltration mechanism is UNC4698, which has singled out oil and gas organizations in Asia to deliver the SNOWYDRIVE malware to execute arbitrary payloads on the hacked systems.
"Once SNOWYDRIVE is loaded, it creates a backdoor on the host system, giving attackers the ability to remotely issue system commands," Mandiant researchers Rommel Joven and Ng Choon Kiat said. "It also spreads to other USB flash drives and propagates throughout the network."
In these attacks, the victim is lured into clicking on a booby-trapped file that masquerades as a legitimate executable, thereby activating a chain of malicious actions, starting with a dropper that establishes a foothold, followed by executing the SNOWYDRIVE implant.
Some of the functionalities of the backdoor consist of carrying out file and directory searches, uploading and downloading files, and launching a reverse shell.
"Organizations should prioritize implementing restrictions on access to external devices such as USB drives," the researchers said. "If this is not possible, they should at least scan these devices for malicious files or code before connecting them to their internal networks."
Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware
17.7.23 Exploit The Hacker News
Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems.
"LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015," Fortinet FortiGuard Labs researcher Cara Lin said. "It primarily targets Windows systems and aims to gather sensitive information from infected machines."
The cybersecurity company, which spotted the campaign in May 2023, said the attacks take advantage of CVE-2021-40444 and CVE-2022-30190 (aka Follina) to achieve code execution.
The Word file that weaponizes CVE-2021-40444 contains an external GoFile link embedded within an XML file that leads to the download of an HTML file, which exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot.
The injector also features evasion techniques to check for the presence of debuggers and determine if it's running in a virtualized environment.
An alternative chain discovered towards the end of May starts with a Word document incorporating a VBA script that executes a macro immediately upon opening the document using the "Auto_Open" and "Document_Open" functions.
The macro script subsequently acts as a conduit to deliver an interim payload from a remote server, which also functions as an injector to load LokiBot and connect to a command-and-control (C2) server.
LokiBot, not to be confused with an Android banking trojan of the same name, comes with capabilities to log keystrokes, capture screenshots, gather login credential information from web browsers, and siphon data from a variety of cryptocurrency wallets.
"LokiBot is a long-standing and widespread malware active for many years," Lin said. "Its functionalities have matured over time, making it easy for cybercriminals to use it to steal sensitive data from victims. The attackers behind LokiBot continually update their initial access methods, allowing their malware campaign to find more efficient ways to spread and infect systems."
CERT-UA Uncovers Gamaredon's Rapid Data Exfiltration Tactics Following Initial Compromise
17.7.23 BigBrothers The Hacker News
The Russia-linked threat actor known as Gamaredon has been observed conducting data exfiltration activities within an hour of the initial compromise.
"As a vector of primary compromise, for the most part, emails and messages in messengers (Telegram, WhatsApp, Signal) are used, in most cases, using previously compromised accounts," the Computer Emergency Response Team of Ukraine (CERT-UA) said in an analysis of the group published last week.
Gamaredon, also called Aqua Blizzard, Armageddon, Shuckworm, or UAC-0010, is a state-sponsored actor with ties to the SBU Main Office in the Autonomous Republic of Crimea, which was annexed by Russia in 2014. The group is estimated to have infected thousands of government computers.
It is also one of the many Russian hacking crews that have maintained an active presence since the start of the Russo-Ukrainian war in February 2022, leveraging phishing campaigns to deliver PowerShell backdoors such as GammaSteel to conduct reconnaissance and execute additional commands.
The messages typically come bearing an archive containing an HTM or HTA file that, when opened, activates the attack sequence.
According to CERT-UA, GammaSteel is used to exfiltrate files matching a specific set of extensions – .doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, and .mdb – within a time period of 30 to 50 minutes.
The group has also been observed consistently evolving its tactics, making use of USB infection techniques for propagation. A host operating in a compromised state for a week could have anywhere between 80 to 120 malicious files, the agency noted.
Also significant is the threat actor's use of AnyDesk software for interactive remote access, PowerShell scripts for session hijacking to bypass two-factor authentication (2FA), and Telegram and Telegraph for fetching the command-and-control (C2) server information.
"Attackers take separate measures to ensure fault tolerance of their network infrastructure and avoid detection at the network level," CERT-UA said. "During the day, the IP addresses of intermediate control nodes can change from 3 to 6 or more times, which, among other things, indicates the appropriate automation of the process."
WormGPT: New AI Tool Allows Cybercriminals to Launch Sophisticated Cyber Attacks
17.7.23 Virus The Hacker News
With generative artificial intelligence (AI) becoming all the rage these days, it's perhaps not surprising that the technology has been repurposed by malicious actors to their own advantage, enabling avenues for accelerated cybercrime.
According to findings from SlashNext, a new generative AI cybercrime tool called WormGPT has been advertised on underground forums as a way for adversaries to launch sophisticated phishing and business email compromise (BEC) attacks.
"This tool presents itself as a blackhat alternative to GPT models, designed specifically for malicious activities," security researcher Daniel Kelley said. "Cybercriminals can use such technology to automate the creation of highly convincing fake emails, personalized to the recipient, thus increasing the chances of success for the attack."
The author of the software has described it as the "biggest enemy of the well-known ChatGPT" that "lets you do all sorts of illegal stuff."
In the hands of a bad actor, tools like WormGPT could be a powerful weapon, especially as OpenAI ChatGPT and Google Bard are increasingly taking steps to combat the abuse of large language models (LLMs) to fabricate convincing phishing emails and generate malicious code.
"Bard's anti-abuse restrictors in the realm of cybersecurity are significantly lower compared to those of ChatGPT," Check Point said in a report this week. "Consequently, it is much easier to generate malicious content using Bard's capabilities."
Earlier this February, the Israeli cybersecurity firm disclosed how cybercriminals are working around ChatGPT's restrictions by taking advantage of its API, not to mention trade stolen premium accounts and sell brute-force software to hack into ChatGPT accounts by using huge lists of email addresses and passwords.
The fact that WormGPT operates without any ethical boundaries underscores the threat posed by generative AI, even permitting novice cybercriminals to launch attacks swiftly and at scale without having the technical wherewithal to do so.
Making matters worse, threat actors are promoting "jailbreaks" for ChatGPT, engineering specialized prompts and inputs that are designed to manipulate the tool into generating output that could involve disclosing sensitive information, producing inappropriate content, and executing harmful code.
"Generative AI can create emails with impeccable grammar, making them seem legitimate and reducing the likelihood of being flagged as suspicious," Kelley said.
"The use of generative AI democratizes the execution of sophisticated BEC attacks. Even attackers with limited skills can use this technology, making it an accessible tool for a broader spectrum of cybercriminals."
The disclosure comes as researchers from Mithril Security "surgically" modified an existing open-source AI model known as GPT-J-6B to make it spread disinformation and uploaded it to a public repository like Hugging Face, from where it could then be integrated into other applications, leading to what's called an LLM supply chain poisoning.
The success of the technique, dubbed PoisonGPT, banks on the prerequisite that the lobotomized model is uploaded using a name that impersonates a known company, in this case, a typosquatted version of EleutherAI, the company behind GPT-J.
Microsoft Bug Allowed Hackers to Breach Over Two Dozen Organizations via Forged Azure AD Tokens
15.7.23 Vulnerability The Hacker News
Microsoft on Friday said a validation error in its source code allowed for Azure Active Directory (Azure AD) tokens to be forged by a malicious actor known as Storm-0558 using a Microsoft account (MSA) consumer signing key to breach two dozen organizations.
"Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com," the tech giant said in a deeper analysis of the campaign. "The method by which the actor acquired the key is a matter of ongoing investigation."
"Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected."
It's not immediately clear if the token validation issue was exploited as a "zero-day vulnerability" or if Microsoft was already aware of the problem before it came under in-the-wild abuse.
The attacks singled out approximately 25 organizations, including government entities and associated consumer accounts, to gain unauthorized email access and exfiltrate mailbox data. No other environment is said to have been impacted.
The exact scope of the breach remains unclear, but it's the latest example of a China-based threat actor conducting cyberattacks seeking sensitive information and pulling off a stealthy intelligence coup without attracting any attention for at least a month before it was discovered in June 2023.
The company was tipped off about the incident after the U.S. State Department detected anomalous email activity related to Exchange Online data access. Storm-0558 is suspected to be a China-based threat actor conducting malicious cyber activities that are consistent with espionage, although China has refuted the allegations.
Primary targets of the hacking crew include U.S. and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests, as well as media companies, think tanks, and telecommunications equipment and service providers.
It's said to have been active since at least August 2021, orchestrating credential harvesting, phishing campaigns, and OAuth token attacks aimed at Microsoft accounts to pursue its goals.
"Storm-0558 operates with a high degree of technical tradecraft and operational security," Microsoft said, describing it as technically adept, well-resourced, and having an acute understanding of various authentication techniques and applications.
"The actors are keenly aware of the target's environment, logging policies, authentication requirements, policies, and procedures."
Initial access to target networks is realized through phishing and exploitation of security flaws in public-facing applications, leading to the deployment of the China Chopper web shell for backdoor access and a tool called Cigril to facilitate credential theft.
Also employed by Storm-0558 are PowerShell and Python scripts to extract email data such as attachments, folder information, and entire conversations using Outlook Web Access (OWA) API calls.
Microsoft said since the discovery of the campaign on June 16, 2023, it has "identified the root cause, established durable tracking of the campaign, disrupted malicious activities, hardened the environment, notified every impacted customer, and coordinated with multiple government entities." It also noted it mitigated the issue "on customers' behalf" effective June 26, 2023.
The disclosure comes as Microsoft has faced criticism for its handling of the hack and for gating forensic capabilities behind additional licensing barriers, thereby preventing customers from accessing detailed audit logs that could have otherwise helped analyze the incident.
"Charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags," U.S. Senator Ron Wyden was quoted as saying.
The development comes as the U.K.'s Intelligence and Security Committee of Parliament (ISC) published a detailed Report on China, calling out its "highly effective cyber espionage capability" and its ability to penetrate a diverse range of foreign government and private sector IT systems.
Critical Security Flaws Uncovered in Honeywell Experion DCS and QuickBlox Services
15.7.23 Vulnerability The Hacker News
Multiple security vulnerabilities have been discovered in various services, including Honeywell Experion distributed control system (DCS) and QuickBlox, that, if successfully exploited, could result in severe compromise of affected systems.
Dubbed Crit.IX, the nine flaws in the Honeywell Experion DCS platform allow for "unauthorized remote code execution, which means an attacker would have the power to take over the devices and alter the operation of the DCS controller, whilst also hiding the alterations from the engineering workstation that manages the controller," Armis said in a statement shared with The Hacker News.
Put differently, the issues relate to lack of encryption and adequate authentication mechanisms in a proprietary protocol called Control Data Access (CDA) that's used to communicate between Experion Servers and C300 controllers, effectively enabling a threat actor to take over the devices and alter the operation of the DCS controller.
"As a result, anyone with access to the network is able to impersonate both the controller and the server," Tom Gol, CTO for research at Armis, said. "In addition, there are design flaws in the CDA protocol which make it hard to control the boundaries of the data and can lead to buffer overflows."
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in an advisory of its own, said seven of the nine flaws carry a CVSS score of 9.8 out of 10, while the two others have a severity rating of 7.5. "Successful exploitation of these vulnerabilities could cause a denial-of-service condition, allow privilege escalation or allow remote code execution," it warned.
In a related development, Check Point and Claroty uncovered major flaws in a chat and video calling platform known as QuickBlox that's widely used in telemedicine, finance, and smart IoT devices. The vulnerabilities could allow attackers to leak the user database from many popular applications that incorporate QuickBlox SDK and API.
This includes Rozcom, an Israeli vendor that sells intercoms for residential and commercial use cases. A closer examination of its mobile app led to the discovery of additional bugs (CVE-2023-31184 and CVE-2023-31185) that made it possible to download all user databases, impersonate any user, and perform full account takeover attacks.
"As a result, we were able to take over all Rozcom intercom devices, giving us full control and allowing us to access device cameras and microphones, wiretap into its feed, open doors managed by the devices, and more," the researchers said.
Also disclosed this week are remote code execution flaws impacting Aerohive/Extreme Networks access points running HiveOS/Extreme IQ Engine versions before 10.6r2 and the open-source Ghostscript library (CVE-2023-36664, CVSS score: 9.8) that could result in the execution of arbitrary commands.
"Ghostscript is a widely used but not necessarily widely known package," Kroll researcher Dave Truman said. "It can be executed in many different ways, from opening a file in a vector image editor such as Inkscape to printing a file via CUPS. This means that an exploitation of a vulnerability in Ghostscript might not be limited to one application or be immediately obvious."
Security shortcomings have also been made public in two Golang-based open-source platforms Owncast (CVE-2023-3188, CVSS score: 6.5) and EaseProbe (CVE-2023-33967, CVSS score: 9.8) that could pave the way for Server-Side Request Forgery (SSRF) and SQL injection attacks, respectively.
Rounding off the list is the discovery of hard-coded credentials in Technicolor TG670 DSL gateway routers that could be weaponized by an authenticated user to gain full administrative control of the devices.
"A remote attacker can use the default username and password to login as the administrator to the router device," CERT/CC said in an advisory. "This allows the attacker to modify any of the administrative settings of the router and use it in unexpected ways."
Users are advised to disable remote administration on their devices to prevent potential exploitation attempts and check with the service providers to determine if appropriate patches and updates are available.
TeamTNT's Cloud Credential Stealing Campaign Now Targets Azure and Google Cloud
14.7.23 Virus The Hacker News
A malicious actor has been linked to a cloud credential stealing campaign in June 2023 that's focused on Azure and Google Cloud Platform (GCP) services, marking the adversary's expansion in targeting beyond Amazon Web Services (AWS).
The findings come from SentinelOne and Permiso, which said the "campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew," although it emphasized that "attribution remains challenging with script-based tools."
They also overlap with an ongoing TeamTNT campaign disclosed by Aqua called Silentbob that leverages misconfigured cloud services to drop malware as part of what's said to be a testing effort, while also linking SCARLETEEL attacks to the threat actor, citing infrastructure commonalities.
"TeamTNT is scanning for credentials across multiple cloud environments, including AWS, Azure, and GCP," Aqua noted.
The attacks, which single out public-facing Docker instances to deploy a worm-like propagation module, are a continuation of an intrusion set that previously targeted Jupyter Notebooks in December 2022.
As many as eight incremental versions of the credential harvesting script have been discovered between June 15, 2023, and July 11, 2023, indicating an actively evolving campaign.
The newer versions of the malware are designed to gather credentials from AWS, Azure, Google Cloud Platform, Censys, Docker, Filezilla, Git, Grafana, Kubernetes, Linux, Ngrok, PostgreSQL, Redis, S3QL, and SMB. The harvested credentials are then exfiltrated to a remote server under the threat actor's control.
SentinelOne said the credential collection logic and the files targeted bear similarities to a Kubelet-targeting campaign undertaken by TeamTNT in September 2022.
Alongside the shell script malware, the threat actor has also been observed distributing a Golang-based ELF binary that acts as a scanner to propagate the malware to vulnerable targets. The binary further drops a Golang network scanning utility called Zgrab.
"This campaign demonstrates the evolution of a seasoned cloud actor with familiarity across many technologies," security researchers Alex Delamotte, Ian Ahl, and Daniel Bohannon said. "The meticulous attention to detail indicates the actor has clearly experienced plenty of trial and error."
"This actor is actively tuning and improving their tools. Based on the tweaks observed across the past several weeks, the actor is likely preparing for larger scale campaigns."
New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries
14.7.23 BotNet The Hacker News
A new malware strain has been found covertly targeting small office/home office (SOHO) routers for more than two years, infiltrating over 70,000 devices and creating a botnet with 40,000 nodes spanning 20 countries.
Lumen Black Lotus Labs has dubbed the malware AVrecon, making it the third such strain to focus on SOHO routers after ZuoRAT and HiatusRAT over the past year.
"This makes AVrecon one of the largest SOHO router-targeting botnets ever seen," the company said. "The purpose of the campaign appears to be the creation of a covert network to quietly enable a range of criminal activities from password spraying to digital advertising fraud."
A majority of the infections are located in the U.K. and the U.S., followed by Argentina, Nigeria, Brazil, Italy, Bangladesh, Vietnam, India, Russia, and South Africa, among others.
AVrecon was first highlighted by Kaspersky senior security researcher Ye (Seth) Jin in May 2021, indicating that the malware has managed to avoid detection until now.
In the attack chain detailed by Lumen, a successful infection is followed by enumerating the victim's SOHO router and exfiltrating that information back to an embedded command-and-control (C2) server.
It also checks if other instances of malware are already running on the host by searching for existing processes on port 48102 and opening a listener on that port. A process bound to that port is terminated.
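The port-based mutex described above is also a cheap host-level check for defenders. The following is an added example, not Lumen's code: it parses the output of `ss -ltnp` (a constructed sample is embedded) and returns the processes listening on TCP port 48102. The process name in the sample is made up; a real hit would show whatever binary is bound to the port.

```python
"""Check `ss -ltnp` output for a listener on TCP port 48102.

Added example (not Lumen's code). AVrecon looks for an existing process on
port 48102 and opens its own listener there, so a listener on that port on a
SOHO router or any other Linux host is worth investigating. The sample output
below is constructed; the process name 'unknown_bin' is made up.
"""
import re
import shutil
import subprocess
from typing import List, Tuple

AVRECON_PORT = 48102

# Matches the users:(("proc",pid=123,fd=4)) column printed by ss -p.
_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def local_port(addr: str) -> int:
    """Extract the port from an ss local address such as 0.0.0.0:22, [::]:22 or *:22."""
    return int(addr.rsplit(":", 1)[1])


def listeners_on_port(ss_output: str, port: int = AVRECON_PORT) -> List[Tuple[str, int]]:
    """Return (process name, pid) tuples for sockets listening on `port`.

    Columns of `ss -ltnp`: State Recv-Q Send-Q Local:Port Peer:Port Process.
    When ss was run without -p or without privilege the process column is
    empty; such hits are reported as ('<unknown>', -1) rather than dropped.
    """
    found = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or a non-listening socket
        if local_port(parts[3]) != port:
            continue
        procs = _PROC_RE.findall(line)
        if procs:
            found.extend((name, int(pid)) for name, pid in procs)
        else:
            found.append(("<unknown>", -1))
    return found


# Constructed sample output of `ss -ltnp`.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   [::]:80             [::]:*            users:(("nginx",pid=1044,fd=6))
LISTEN 0      1      0.0.0.0:48102       0.0.0.0:*         users:(("unknown_bin",pid=2971,fd=5))
"""

if __name__ == "__main__":
    print("sample:", listeners_on_port(SAMPLE_SS))
    if shutil.which("ss"):  # run the real check when ss is available
        live = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=False)
        print("this host:", listeners_on_port(live.stdout))
```

A listener on 48102 is an indicator, not proof; the next step is to identify the binary behind the pid and compare it with the vendor's firmware image.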
The next stage involves the compromised system establishing contact with a separate server, called the secondary C2 server, to await further commands. Lumen said it identified 15 such unique servers that have been active since at least October 2021.
It's worth noting that tiered C2 infrastructure is prevalent among notorious botnets like Emotet and QakBot.
AVrecon is written in the C programming language, making it easy to port the malware to different architectures. What's more, a crucial reason why such attacks work is that they leverage infrastructure living on the network edge that typically lacks support for security solutions.
Evidence gathered so far points to the botnet being used for clicking on various Facebook and Google ads, and to interact with Microsoft Outlook. This likely indicates a two-pronged effort to conduct advertising fraud and data exfiltration.
"The manner of attack seems to focus predominantly on stealing bandwidth – without impacting end-users – in order to create a residential proxy service to help launder malicious activity and avoid attracting the same level of attention from Tor-hidden services or commercially available VPN services," the researchers said.
Zimbra Warns of Critical Zero-Day Flaw in Email Software Amid Active Exploitation
14.7.23 Vulnerability The Hacker News
Zimbra has warned of a critical zero-day security flaw in its email software that has come under active exploitation in the wild.
"A security vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced," the company said in an advisory.
It also said that the issue has been addressed and that it's expected to be delivered in the July patch release. Additional details about the flaw are currently unavailable.
In the interim, it is urging customers to apply a manual fix to eliminate the attack vector:
Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
Edit this file and go to line number 40
Update the parameter value as: <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>
Before the update, the line appeared as: <input name="st" type="hidden" value="${param.st}"/>
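The manual fix swaps a raw JSP EL insertion (`${param.st}`) for one wrapped in JSTL's `fn:escapeXml`, which is the standard output-encoding defence against reflected XSS. The following is an added example, not Zimbra's code: a Python port of the `fn:escapeXml` character table, used to render that hidden `<input>` line both as it appeared before the fix and after it, plus a small check that confirms whether a line from momoveto already carries the fix. The request parameter value is constructed.

```python
"""Reproduce the effect of Zimbra's manual fix: escape param.st before output.

Added example (not Zimbra's code). JSTL fn:escapeXml replaces the five
characters that are significant in XML/HTML markup; this Python equivalent
mirrors that table and renders the hidden <input> line from
/opt/zimbra/jetty/webapps/zimbra/m/momoveto as it looked before the fix
(${param.st} inserted verbatim) and after it (${fn:escapeXml(param.st)}).
The parameter value CONSTRUCTED_ST is made up for the demonstration.
"""

# Character table of JSTL fn:escapeXml.
_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&#034;",
    "'": "&#039;",
}


def escape_xml(value):
    """Python equivalent of JSTL fn:escapeXml (null becomes an empty string)."""
    if value is None:
        return ""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_unpatched(st: str) -> str:
    """Line 40 before the fix: the parameter is inserted unescaped."""
    return '<input name="st" type="hidden" value="%s"/>' % st


def render_patched(st: str) -> str:
    """Line 40 after the fix: the parameter is escaped first."""
    return '<input name="st" type="hidden" value="%s"/>' % escape_xml(st)


def line_is_patched(line: str) -> bool:
    """True when a momoveto line already applies the escaping (to verify the fix was applied)."""
    return "${fn:escapeXml(param.st)}" in line


def breaks_out_of_attribute(rendered: str) -> bool:
    """True when the parameter value injected markup of its own.

    A well-formed hidden <input> contains exactly one '<' and one '>'; any
    extra ones came from the parameter and mean the attribute was escaped from.
    """
    return rendered.count("<") != 1 or rendered.count(">") != 1


# Constructed parameter value that closes the attribute and the tag.
CONSTRUCTED_ST = '"><b>injected</b>'

if __name__ == "__main__":
    for label, render in (("before", render_unpatched), ("after", render_patched)):
        out = render(CONSTRUCTED_ST)
        print(label, "breaks out:", breaks_out_of_attribute(out))
        print("   ", out)
```

Because `fn:escapeXml` encodes the double quote as `&#034;`, the escaped value cannot terminate the `value="..."` attribute, which is what closes the reflected XSS. The `line_is_patched` check is the kind of one-liner worth keeping for verifying that the manual edit survived subsequent upgrades until the official patch release is installed.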
While the company did not disclose details of active exploitation, Google Threat Analysis Group (TAG) researcher Maddie Stone said it discovered the cross-site scripting (XSS) flaw being abused in the wild as part of a targeted attack. TAG researcher Clément Lecigne has been credited with discovering and reporting the bug.
The disclosure comes as Cisco released patches to remediate a critical flaw in its SD-WAN vManage software (CVE-2023-20214, CVSS score: 9.1) that could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance.
"A successful exploit could allow the attacker to retrieve information from and send information to the configuration of the affected Cisco vManage instance," the company said.
The vulnerability has been addressed in versions 20.6.3.4, 20.6.4.2, 20.6.5.5, 20.9.3.2, 20.10.1.2, and 20.11.1.2. The networking equipment major said it's not aware of any malicious use of the flaw.
PicassoLoader Malware Used in Ongoing Attacks on Ukraine and Poland
14.7.23 Virus The Hacker News
Government entities, military organizations, and civilian users in Ukraine and Poland have been targeted as part of a series of campaigns designed to steal sensitive data and gain persistent remote access to the infected systems.
The intrusion set, which stretches from April 2022 to July 2023, leverages phishing lures and decoy documents to deploy a downloader malware called PicassoLoader, which acts as a conduit to launch Cobalt Strike Beacon and njRAT.
"The attacks used a multistage infection chain initiated with malicious Microsoft Office documents, most commonly using Microsoft Excel and PowerPoint file formats," Cisco Talos researcher Vanja Svajcer said in a new report. "This was followed by an executable downloader and payload concealed in an image file, likely to make its detection more difficult."
Some of the activities have been attributed to a threat actor called GhostWriter (aka UAC-0057 or UNC1151), whose priorities are said to align with the Belarusian government.
It's worth noting that a subset of these attacks has already been documented over the past year by Ukraine's Computer Emergency Response Team (CERT-UA) and Fortinet FortiGuard Labs, one of which employed macro-laden PowerPoint documents to deliver Agent Tesla malware in July 2022.
The infection chains aim to convince victims to enable macros, with the VBA macro engineered to drop a DLL downloader known as PicassoLoader that subsequently reaches out to an attacker-controlled site to fetch the next-stage payload, a legitimate image file that embeds the final malware.
The disclosure comes as CERT-UA detailed a number of phishing operations distributing the SmokeLoader malware as well as a smishing attack designed to gain unauthorized control of targets' Telegram accounts.
Last month, CERT-UA disclosed a cyber espionage campaign aimed at state organizations and media representatives in Ukraine that makes use of email and instant messengers to distribute files, which, when launched, results in the execution of a PowerShell script called LONEPAGE to fetch next-stage payloads such as a browser stealer (THUMBCHOP) and a keylogger (CLOGFLAG).
GhostWriter is one among the many threat actors that have set their sights on Ukraine. This also includes the Russian nation-state group APT28, which has been observed using HTML attachments in phishing emails that prompt recipients to change their UKR.NET and Yahoo! passwords due to supposed suspicious activity in their accounts, redirecting them to bogus landing pages that ultimately steal their credentials.
The development also follows the adoption of a "standard five-phase playbook" by hackers associated with the Russian military intelligence (GRU) in their disruptive operations against Ukraine in a "deliberate effort to increase the speed, scale, and intensity" of their attacks.
This comprises taking advantage of living-on-the-edge infrastructure to gain initial access, using living-off-the-land techniques to conduct reconnaissance, lateral movement and information theft to limit their malware footprint and evade detection, creating persistent, privileged access via group policy objects (GPO), deploying wipers, and telegraphing their acts via hacktivist personas on Telegram.
"The benefits the playbook affords are notably suited for a fast-paced and highly contested operating environment, indicating that Russia's wartime goals have likely guided the GRU's chosen tactical courses of action," Google-owned Mandiant said.
Coinciding with these unabated attack waves is a tailored phishing campaign orchestrated by APT29 to target at least 22 diplomatic missions within Ukraine using vehicle-themed lures since May 2023. Also called Cloaked Ursa, Cozy Bear, or Midnight Blizzard, the group is publicly attributed to Russia's Foreign Intelligence Service (SVR).
The attacks "use the legitimate sale of a BMW to target diplomats in Kyiv, Ukraine, as its jumping off point," Palo Alto Networks Unit 42 said, with the threat actor repurposing a flyer originally sent by a diplomat within the Polish Ministry of Foreign Affairs to various embassies to pull off the scheme.
The email messages embed a link that claims to offer "more high quality photos" of the car, but, when clicked, results in the download of malware that beacons to Dropbox and Microsoft Graph API-based command-and-control (C2) servers for follow-on activities, a known hallmark of the state-sponsored crew.
"Cloaked Ursa likely first collected and observed this legitimate advertising flyer via one of the email's recipients' mail servers being compromised, or by some other intelligence operation," the researchers said. "Upon seeing its value as a generic yet broadly appealing phishing lure, they repurposed it. This is staggering in scope for what generally are narrowly scoped and clandestine APT operations."
TeamTNT's Silentbob Botnet Infecting 196 Hosts in Cloud Attack Campaign
14.7.23 BotNet The Hacker News
As many as 196 hosts have been infected as part of an aggressive cloud campaign mounted by the TeamTNT group called Silentbob.
"The botnet run by TeamTNT has set its sights on Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications," Aqua security researchers Ofek Itach and Assaf Morag said in a report shared with The Hacker News.
"The focus this time seems to be more on infecting systems and testing the botnet, rather than deploying cryptominers for profit."
The development arrives a week after the cloud security company detailed an intrusion set linked to the TeamTNT group that targets exposed JupyterLab and Docker APIs to deploy the Tsunami malware and hijack system resources to run a cryptocurrency miner.
The latest findings suggest a broader campaign and the use of a larger attack infrastructure than previously thought, including various shell scripts to steal credentials, deploy SSH backdoors, download additional payloads, and drop legitimate tools like kubectl, Pacu, and Peirates to conduct reconnaissance of the cloud environment.
The attack chains are realized through the deployment of rogue container images hosted on Docker Hub, which are designed to scan the internet for misconfigured instances and infect the newly identified victims with Tsunami and a worm script to co-opt more machines into a botnet.
"This botnet is notably aggressive, rapidly proliferating across the cloud and targeting a wide array of services and applications within the Software Development Life Cycle (SDLC)," the researchers said. "It operates at an impressive speed, demonstrating remarkable scanning capability."
Tsunami uses the Internet Relay Chat (IRC) protocol to connect to the command-and-control (C2) server, which then issues commands to all the infected hosts under its control, thereby allowing the threat actor to maintain backdoor access.
What's more, the cryptomining execution is hidden using a rootkit called prochider to prevent it from being detected when a ps command is run on the hacked system to retrieve the list of active processes.
"TeamTNT is scanning for credentials across multiple cloud environments, including AWS, Azure, and GCP," the researchers said, noting it's the latest evidence that the threat actors are upgrading their tradecraft.
"They are not only looking for general credentials but also specific applications such as Grafana, Kubernetes, Docker Compose, Git access, and NPM. Additionally, they are searching for databases and storage systems such as Postgres, AWS S3, Filezilla, and SQLite."
SCARLETEEL Tied to TeamTNT
The development comes days after Sysdig disclosed a new attack mounted by SCARLETEEL to compromise AWS infrastructure with the goal of conducting data theft and distributing cryptocurrency miners on compromised systems.
While there were circumstantial links connecting SCARLETEEL to TeamTNT, Aqua told The Hacker News that the intrusion set is in fact linked to the threat actor.
"This is another campaign by TeamTNT," Morag, lead data analyst at Aqua Nautilus research team, said. "The SCARLETEEL IP address, 45.9.148[.]221, was used just days ago in TeamTNT's IRC channel C2 server. The scripts are very similar and the TTPs are the same. It looks like TeamTNT never stopped attacking. If they ever retired, it was only for a brief moment."
Fake PoC for Linux Kernel Vulnerability on GitHub Exposes Researchers to Malware
13.7.23 Vulnerability The Hacker News
In a sign that cybersecurity researchers remain a target of malicious actors, a proof-of-concept (PoC) has been discovered on GitHub concealing a backdoor with a "crafty" persistence method.
"In this instance, the PoC is a wolf in sheep's clothing, harboring malicious intent under the guise of a harmless learning tool," Uptycs researchers Nischay Hegde and Siddartha Malladi said. "Operating as a downloader, it silently dumps and executes a Linux bash script, all the while disguising its operations as a kernel-level process."
The repository masquerades as a PoC for CVE-2023-35829, a recently disclosed high-severity flaw in the Linux kernel. It has since been taken down, but not before it was forked 25 times. Another PoC shared by the same account, ChriSanders22, for CVE-2023-20871, a privilege escalation bug impacting VMware Fusion, was forked twice.
Uptycs also identified a second GitHub profile containing a bogus PoC for CVE-2023-35829. It is still available as of writing and has been forked 19 times. A closer examination of the commit history shows that the changes were pushed by ChriSanders22, suggesting it was forked from the original repository.
The backdoor comes with a broad range of capabilities to steal sensitive data from compromised hosts as well as allow a threat actor to gain remote access by adding their SSH key to the .ssh/authorized_keys file.
"The PoC intends for us to run a make command that is an automation tool used to compile and build executables from source code files," the researchers explained. "But within the Makefile resides a code snippet that builds and executes the malware. The malware names and runs a file named kworker, which adds the $HOME/.local/kworker path in $HOME/.bashrc, thereby establishing its persistence."
The development comes nearly a month after VulnCheck discovered a number of fake GitHub accounts posing as security researchers to distribute malware under the guise of PoC exploits for popular software such as Discord, Google Chrome, Microsoft Exchange Server, Signal, and WhatsApp.
Users who have downloaded and executed the PoCs are recommended to remove unauthorized SSH keys, delete the kworker file, erase the kworker path from the .bashrc file, and check /tmp/.iCE-unix.pid for potential threats.
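The four cleanup steps above map directly onto four host indicators. The script below is an added example (not Uptycs' tooling) that checks a home directory and a temp directory for them: a reference to .local/kworker in .bashrc, the dropped $HOME/.local/kworker file, authorized_keys entries outside an allow-list, and /tmp/.iCE-unix.pid. The fixture it builds for the demo, including the key strings and the exact .bashrc line, is constructed; the real persistence line is not reproduced on the page.

```python
import tempfile
from pathlib import Path
from typing import List, Set, Tuple

# Added example, not Uptycs' code. Indicators come from the write-up above:
# $HOME/.local/kworker, a matching line in $HOME/.bashrc, an added SSH key,
# and /tmp/.iCE-unix.pid.
KWORKER_REL_PATH = Path(".local") / "kworker"
TMP_PID_FILE = ".iCE-unix.pid"

# Constructed placeholder keys (not real key material).
KNOWN_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownKeyPlaceholder000000000000000000 admin@example"
ROGUE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIRogueKeyPlaceholder000000000000000000 nobody@example"

def scan_home(home: Path, tmp_dir: Path, known_keys: Set[str]) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for every indicator present."""
    findings: List[Tuple[str, str]] = []
    bashrc = home / ".bashrc"
    if bashrc.is_file():
        for lineno, line in enumerate(bashrc.read_text().splitlines(), 1):
            if ".local/kworker" in line:
                findings.append(("bashrc_persistence", f"{bashrc}:{lineno}: {line.strip()}"))
    kworker = home / KWORKER_REL_PATH
    if kworker.exists():
        findings.append(("kworker_file", str(kworker)))
    auth_keys = home / ".ssh" / "authorized_keys"
    if auth_keys.is_file():
        for line in auth_keys.read_text().splitlines():
            key = line.strip()
            if key and not key.startswith("#") and key not in known_keys:
                findings.append(("unknown_ssh_key", key[:60] + "..."))
    pid_file = tmp_dir / TMP_PID_FILE
    if pid_file.exists():
        findings.append(("tmp_pid_file", str(pid_file)))
    return findings

def make_demo_home(base: Path, infected: bool) -> Tuple[Path, Path]:
    """Constructed fixture: throwaway home and tmp directories that either
    carry all four indicators (infected=True) or none of them."""
    home, tmp = base / "home", base / "tmp"
    (home / ".ssh").mkdir(parents=True)
    tmp.mkdir()
    keys = [KNOWN_KEY] + ([ROGUE_KEY] if infected else [])
    (home / ".ssh" / "authorized_keys").write_text("\n".join(keys) + "\n")
    bashrc = ["# .bashrc", "alias ll='ls -l'"]
    if infected:
        # Constructed stand-in for the persistence entry; the real line is not on the page.
        bashrc.append("$HOME/.local/kworker")
        (home / ".local").mkdir()
        (home / KWORKER_REL_PATH).write_bytes(b"placeholder, not a real binary")
        (tmp / TMP_PID_FILE).write_text("4242\n")
    (home / ".bashrc").write_text("\n".join(bashrc) + "\n")
    return home, tmp

def run_demo(infected: bool = True) -> List[Tuple[str, str]]:
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        home, tmp = make_demo_home(Path(d), infected)
        return scan_home(home, tmp, {KNOWN_KEY})

if __name__ == "__main__":
    for indicator, detail in run_demo():
        print(f"{indicator}: {detail}")
```

On a real host, call scan_home(Path.home(), Path("/tmp"), known_keys) with the organisation's expected authorized_keys entries; the .bashrc substring match is deliberately loose so that it catches the path whether it is exported, sourced or executed.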
"While it can be challenging to distinguish legitimate PoCs from deceptive ones, adopting safe practices such as testing in isolated environments (e.g., virtual machines) can provide a layer of protection," the researchers said.
Rockwell Automation ControlLogix Bugs Expose Industrial Systems to Remote Attacks
13.7.23 ICS The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has alerted of two security flaws impacting Rockwell Automation ControlLogix EtherNet/IP (ENIP) communication module models that could be exploited to achieve remote code execution and denial-of-service (DoS).
"The results and impact of exploiting these vulnerabilities vary depending on the ControlLogix system configuration, but they could lead to denial or loss of control, denial or loss of view, theft of operational data, or manipulation of control for disruptive or destructive consequences on the industrial process for which the ControlLogix system is responsible," Dragos said.
The list of flaws is as follows -
CVE-2023-3595 (CVSS score: 9.8) - An out-of-bounds write flaw impacting 1756 EN2* and 1756 EN3* products that could result in arbitrary code execution with persistence on the target system through maliciously crafted common industrial protocol (CIP) messages.
CVE-2023-3596 (CVSS score: 7.5) - An out-of-bounds write flaw impacting 1756 EN4* products that could lead to a DoS condition through maliciously crafted CIP messages.
"Successful exploitation of these vulnerabilities could allow malicious actors to gain remote access to the running memory of the module and perform malicious activity," CISA said.
Even worse, the flaws could be abused to potentially overwrite any part of the system to fly under the radar and stay persistent, not to mention render the module untrustworthy.
Impacted devices include 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F, 1756-EN2FK, 1756-EN3TR, 1756-EN3TRK, 1756-EN4TR, 1756-EN4TRK, and 1756-EN4TRXT. Patches have been made available by Rockwell Automation to address the issues.
"The type of access provided by CVE-2023-3595 is similar to the zero-day employed by XENOTIME in the TRISIS attack," the industrial cybersecurity company said. "Both allow for arbitrary firmware memory manipulation, though CVE-2023-3595 targets a communication module responsible for handling network commands. However, their impact is the same."
TRISIS, also known as TRITON, is an industrial control systems (ICS) malware that has been previously observed targeting Schneider Electric's Triconex safety instrumented system (SIS) controllers used in oil and gas facilities. A petrochemical plant in Saudi Arabia was discovered as a victim in late 2017, according to Dragos and Mandiant.
Dragos cautioned that it discovered an "unreleased exploit capability leveraging these vulnerabilities" that is associated with an identified nation-state group, and that as of mid-July 2023, "there was no evidence of exploitation in the wild and the targeted victim organizations and industry verticals were unknown."
"In addition to the compromise of the vulnerable module itself, the vulnerability could also allow an attacker to affect the industrial process along with the underlying critical infrastructure, which may result in possible disruption or destruction," Tenable researcher Satnam Narang said of CVE-2023-3595.
U.S. Government Agencies' Emails Compromised in China-Backed Cyber Attack
13.7.23 BigBrothers The Hacker News
An unnamed Federal Civilian Executive Branch (FCEB) agency in the U.S. detected anomalous email activity in mid-June 2023, leading to Microsoft's discovery of a new China-linked espionage campaign targeting two dozen organizations.
The details come from a joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) on July 12, 2023.
"In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment," the authorities said. "Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data."
While the name of the government agency was not revealed, CNN and the Washington Post reported it was the U.S. State Department, citing people familiar with the matter. Also targeted were the Commerce Department as well as the email accounts belonging to a congressional staffer, a U.S. human rights advocate, and U.S. think tanks. The number of affected organizations in the U.S. is estimated to be in the single digits.
The disclosure comes a day after the tech giant attributed the campaign to an emerging "China-based threat actor" it tracks under the name Storm-0558, which primarily targets government agencies in Western Europe and focuses on espionage and data theft. Evidence gathered so far shows that the malicious activity began a month before it was detected.
China, however, has rejected accusations it was behind the hacking incident, calling the U.S. "the world's biggest hacking empire and global cyber thief" and that it's "high time that the U.S. explained its cyber attack activities and stopped spreading disinformation to deflect public attention."
The attack chain entailed the cyberspies leveraging forged authentication tokens to gain access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com. The tokens were forged using an acquired Microsoft account (MSA) consumer signing key. The exact method by which the key was secured remains unclear.
Also used by Storm-0558 to facilitate credential access are two custom malware tools named Bling and Cigril, the latter of which has been characterized as a trojan that decrypts encrypted files and runs them directly from system memory in order to avoid detection.
CISA said the FCEB agency was able to identify the breach by leveraging enhanced logging in Microsoft Purview Audit, specifically using the MailItemsAccessed mailbox-auditing action.
The agency is further recommending that organizations enable Purview Audit (Premium) logging, turn on Microsoft 365 Unified Audit Logging (UAL), and ensure logs are searchable by operators to allow hunting for this kind of activity and differentiate it from expected behavior within the environment.
"Organizations are encouraged to look for outliers and become familiar with baseline patterns to better understand abnormal versus normal traffic," CISA and FBI added.
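The advisory's detection advice amounts to: keep MailItemsAccessed logging on, learn each mailbox's normal access pattern, then hunt for departures from it. The Python below is an added example (not CISA's or Microsoft's tooling) of that baseline-and-outlier logic over Unified Audit Log records. The field names (Operation, UserId, ClientIPAddress, ClientInfoString, MailAccessType, CreationTime, OperationCount) follow the MailItemsAccessed record schema; every value in the sample is constructed, with RFC 5737 documentation addresses standing in for client IPs.

```python
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Added example, not CISA's or Microsoft's code. Constructed MailItemsAccessed
# records in Unified Audit Log shape; the first three form the baseline window,
# the rest are the hunting window.
SAMPLE_LOG_LINES = [
    '{"CreationTime":"2023-06-01T08:02:11","Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientIPAddress":"203.0.113.10","ClientInfoString":"Client=OWA;Action=ViaProxy","MailAccessType":"Bind","OperationCount":3}',
    '{"CreationTime":"2023-06-02T09:15:40","Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientIPAddress":"203.0.113.10","ClientInfoString":"Client=MSExchangeRPC","MailAccessType":"Sync","OperationCount":40}',
    '{"CreationTime":"2023-06-03T10:00:05","Operation":"MailItemsAccessed","UserId":"bob@agency.example","ClientIPAddress":"203.0.113.11","ClientInfoString":"Client=OWA;Action=ViaProxy","MailAccessType":"Bind","OperationCount":1}',
    '{"CreationTime":"2023-06-12T08:10:00","Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientIPAddress":"203.0.113.10","ClientInfoString":"Client=OWA;Action=ViaProxy","MailAccessType":"Bind","OperationCount":2}',
    '{"CreationTime":"2023-06-15T03:41:27","Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientIPAddress":"198.51.100.77","ClientInfoString":"Client=REST;Client=RESTSystem;;","MailAccessType":"Sync","OperationCount":120}',
    '{"CreationTime":"2023-06-16T11:22:09","Operation":"MailItemsAccessed","UserId":"bob@agency.example","ClientIPAddress":"203.0.113.11","ClientInfoString":"Client=OWA;Action=ViaProxy","MailAccessType":"Bind","OperationCount":1}',
    '{"CreationTime":"2023-06-17T02:05:33","Operation":"MailItemsAccessed","UserId":"carol@agency.example","ClientIPAddress":"192.0.2.5","ClientInfoString":"Client=REST;Client=RESTSystem;;","MailAccessType":"Bind","OperationCount":30}',
    '{"CreationTime":"2023-06-17T02:06:00","Operation":"FileAccessed","UserId":"carol@agency.example","ClientIPAddress":"192.0.2.5"}',
]

BASELINE_CUTOFF = datetime(2023, 6, 10)  # events before this build the baseline

def parse_records(lines: List[str]) -> List[dict]:
    """One JSON record per line; attach a parsed timestamp as _ts."""
    records = []
    for line in lines:
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records

def build_baseline(records: List[dict], cutoff: datetime) -> Dict[str, dict]:
    """Per user: the client IPs and client strings seen before the cutoff."""
    baseline: Dict[str, dict] = defaultdict(lambda: {"ips": set(), "clients": set()})
    for r in records:
        if r["Operation"] != "MailItemsAccessed" or r["_ts"] >= cutoff:
            continue
        baseline[r["UserId"]]["ips"].add(r["ClientIPAddress"])
        baseline[r["UserId"]]["clients"].add(r["ClientInfoString"])
    return baseline

def find_outliers(records: List[dict], baseline: Dict[str, dict], cutoff: datetime) -> List[Tuple[str, str, List[str]]]:
    """(UserId, CreationTime, reasons) for post-cutoff MailItemsAccessed events
    that do not match the user's established pattern."""
    outliers = []
    for r in records:
        if r["Operation"] != "MailItemsAccessed" or r["_ts"] < cutoff:
            continue
        user, reasons = r["UserId"], []
        if user not in baseline:
            reasons.append("no baseline for user")
        else:
            if r["ClientIPAddress"] not in baseline[user]["ips"]:
                reasons.append(f"new client IP {r['ClientIPAddress']}")
            if r["ClientInfoString"] not in baseline[user]["clients"]:
                reasons.append(f"new client string {r['ClientInfoString']}")
        if reasons:
            outliers.append((user, r["CreationTime"], reasons))
    return outliers

def run_demo() -> List[Tuple[str, str, List[str]]]:
    records = parse_records(SAMPLE_LOG_LINES)
    return find_outliers(records, build_baseline(records, BASELINE_CUTOFF), BASELINE_CUTOFF)

if __name__ == "__main__":
    for user, when, reasons in run_demo():
        print(user, when, "; ".join(reasons))
```

In production the baseline window should be weeks rather than days and the export pulled with the tenant's audit search tooling; the point the advisory makes, and the code reflects, is that MailItemsAccessed is only useful for this hunt if it was being recorded before the incident.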
New Vulnerabilities Disclosed in SonicWall and Fortinet Network Security Products
13.7.23 Vulnerability The Hacker News
SonicWall on Wednesday urged customers of Global Management System (GMS) firewall management and Analytics network reporting engine software to apply the latest fixes to secure against a set of 15 security flaws that could be exploited by a threat actor to circumvent authentication and access sensitive information.
Of the 15 shortcomings (tracked from CVE-2023-34123 through CVE-2023-34137), four are rated Critical, four are rated High, and seven are rated Medium in severity. The vulnerabilities were disclosed by NCC Group.
The flaws impact on-premise versions of GMS 9.3.2-SP1 and before and Analytics 2.5.0.4-R7 and before. Fixes are available in versions GMS 9.3.3 and Analytics 2.5.2.
"The suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve," SonicWall said. "This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior."
The list of critical flaws is as follows -
CVE-2023-34124 (CVSS score: 9.4) - Web Service Authentication Bypass
CVE-2023-34133 (CVSS score: 9.8) - Multiple Unauthenticated SQL Injection Issues and Security Filter Bypass
CVE-2023-34134 (CVSS score: 9.8) - Password Hash Read via Web Service
CVE-2023-34137 (CVSS score: 9.4) - Cloud App Security (CAS) Authentication Bypass
The disclosure comes as Fortinet revealed a critical flaw affecting FortiOS and FortiProxy (CVE-2023-33308, CVSS score: 9.8) that could enable an adversary to achieve remote code execution under certain circumstances. It said the issue was resolved in a previous release, without an advisory.
"A stack-based overflow vulnerability [CWE-124] in FortiOS and FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection," the company said in an advisory.
Impacted products include FortiOS versions 7.2.0 through 7.2.3 and 7.0.0 through 7.0.10 as well as FortiProxy versions 7.2.0 through 7.2.2 and 7.0.0 through 7.0.9. The versions that plug the security hole are listed below -
FortiOS version 7.4.0 or above
FortiOS version 7.2.4 or above
FortiOS version 7.0.11 or above
FortiProxy version 7.2.3 or above, and
FortiProxy version 7.0.10 or above
It's worth noting that the flaw does not affect FortiOS 6.0, 6.2, and 6.4, or FortiProxy 1.x and 2.x.
For customers who cannot apply the updates immediately, Fortinet is recommending that they disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode.
Ransomware Extortion Skyrockets in 2023, Reaching $449.1 Million and Counting
12.7.23 Ransom The Hacker News
Ransomware has emerged as the only cryptocurrency-based crime to grow in 2023, with cybercriminals extorting nearly $175.8 million more than they did a year ago, according to findings from Chainalysis.
"Ransomware attackers are on pace for their second-biggest year ever, having extorted at least $449.1 million through June," the blockchain analytics firm said in a midyear crypto crime report shared with The Hacker News. "If this pace continues, ransomware attackers will extort $898.6 million from victims in 2023, trailing only 2021's $939.9 million."
In contrast, crypto scams have pulled in 77% less revenue than they did through June of 2022, largely driven by the abrupt exit of VidiLook, which pays users VDL tokens in return for watching digital ads that then can be exchanged for large rewards. So have the inflows to illicit addresses associated with malware, darknet markets, child abuse material, and fraud shops.
The development, following a decline in ransomware revenues in 2022, marks a reversal of sorts, with Chainalysis attributing it to the return of big game hunting after a downturn last year and the increasing number of successful small attacks carried by groups like Dharma and Phobos.
On the other end of the spectrum lie advanced groups like Cl0p (or Clop), BlackCat, and Black Basta, which tend to be more selective in their targeting, while also striking bigger organizations to demand higher ransoms. Cl0p's average payment size for the first half of 2023 stands at $1,730,486, in contrast to Dharma's $275.
Cl0p, in particular, has been on a rampage in recent months, exploiting security flaws in the MOVEit Transfer application to breach 257 organizations across the world to date, per Emsisoft researcher Brett Callow. More than 17.7 million individuals are said to be impacted as a result of the ransomware attacks.
"Clop's preference for targeting larger companies (>$5 million/year revenue) and capitalizing on newer-but-disclosed vulnerabilities has been the primary driver of its success in the first half of 2023," Sophos researcher David Wallace said in a report earlier this week, calling the group a "loud, adaptable, persistent player."
While law enforcement efforts to actively pursue ransomware groups and sanction cashout services, coupled with the availability of decryptors, have emboldened victims not to pay up, it's suspected that the trend "may be prompting ransomware attackers to increase the size of their ransom demands" to extract funds from companies that are still willing to settle.
Last but not least, the Russia-Ukraine War is also said to have been a contributing factor to the decline in ransomware attacks in 2022, causing the Conti operation to shut shop after declaring support for Russia.
"The conflict likely displaced ransomware operators and diverted them away from financially inspired cyber intrusions," Chainalysis said. "It stands to reason that the conflict disrupted ransomware operators' ability to conduct attacks or perhaps even their mandate for such attacks," especially considering that a majority of ransomware actors are tied to Russia.
Microsoft Thwarts Chinese Cyber Attack Targeting Western European Governments
12.7.23 BigBrothers The Hacker News
Microsoft on Tuesday revealed that it repelled a cyber attack staged by a Chinese nation-state actor targeting two dozen organizations, some of which include government agencies, in a cyber espionage campaign designed to acquire confidential data.
The attacks, which commenced on May 15, 2023, entailed access to email accounts affecting approximately 25 entities and a small number of related individual consumer accounts.
The tech giant attributed the campaign to Storm-0558, describing it as a nation-state activity group based out of China that primarily singles out government agencies in Western Europe.
"They focus on espionage, data theft, and credential access," Microsoft said. "They are also known to use custom malware that Microsoft tracks as Cigril and Bling, for credential access."
The breach is said to have been detected a month later on June 16, 2023, after an unidentified customer reported the anomalous email activity to the company.
Microsoft said it notified all targeted or compromised organizations directly via their tenant admins. It did not name the affected organizations and agencies, or the number of accounts that may have been hacked.
However, according to the Washington Post, the attackers also broke into a number of unclassified U.S. email accounts.
The access to customer email accounts, per Redmond, was facilitated through Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens.
"The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com," it explained. "MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems."
"The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail."
There is no evidence that the threat actor used Azure AD keys or any other MSA keys to carry out the attacks. Microsoft has since blocked the usage of tokens signed with the acquired MSA key in OWA to mitigate the attack.
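Microsoft's statement that consumer and enterprise keys "should only be valid for their respective systems" is a key-separation rule enforced at token validation time. The Python below is an added illustration of that rule, not Microsoft's code and not a reconstruction of the actual validation issue (which the page does not detail): a simplified HMAC-signed, JWT-like token, a weak validator that looks up the signing key in one merged key set, and a strict validator that lets only the expected issuer's key set validate a token. All key material, issuer URLs and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Added example, not Microsoft's code. Two separate signing systems, standing
# in for the consumer (MSA) and enterprise (Azure AD) key sets; everything here
# is constructed, and HMAC replaces the asymmetric signatures real tokens use.
CONSUMER_KEYS = {"msa-key-1": b"constructed-consumer-secret"}
ENTERPRISE_KEYS = {"aad-key-1": b"constructed-enterprise-secret"}
CONSUMER_ISS = "https://login.consumer.example"
ENTERPRISE_ISS = "https://login.enterprise.example"
ISSUER_KEYS = {CONSUMER_ISS: CONSUMER_KEYS, ENTERPRISE_ISS: ENTERPRISE_KEYS}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Compact token header.claims.signature, HMAC-SHA256 over the first two parts."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _parse(token: str) -> Tuple[dict, dict, str, str, bytes]:
    header_b64, body_b64, sig_b64 = token.split(".")
    return json.loads(_unb64(header_b64)), json.loads(_unb64(body_b64)), header_b64, body_b64, _unb64(sig_b64)

def _signature_valid(key: bytes, header_b64: str, body_b64: str, sig: bytes) -> bool:
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def validate_weak(token: str) -> Optional[dict]:
    """Flawed validator: one merged key set, so a token signed by any trusted key
    is accepted no matter which system that key belongs to."""
    header, claims, h, b, sig = _parse(token)
    key = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}.get(header.get("kid"))
    if key is None or not _signature_valid(key, h, b, sig):
        return None
    return claims

def validate_strict(token: str, expected_iss: str) -> Optional[dict]:
    """Hardened validator: the relying party names the issuer it expects, and
    only that issuer's keys may validate the token. A kid from the other key
    system is rejected even though its signature would verify."""
    header, claims, h, b, sig = _parse(token)
    if claims.get("iss") != expected_iss:
        return None
    key = ISSUER_KEYS[expected_iss].get(header.get("kid"))
    if key is None or not _signature_valid(key, h, b, sig):
        return None
    return claims

# Demo tokens (constructed). FORGED_TOKEN carries enterprise claims but is
# signed with the consumer key, the shape of confusion the article describes.
ENTERPRISE_CLAIMS = {"iss": ENTERPRISE_ISS, "sub": "alice@corp.example", "aud": "mail"}
LEGIT_TOKEN = sign_token(ENTERPRISE_CLAIMS, "aad-key-1", ENTERPRISE_KEYS["aad-key-1"])
FORGED_TOKEN = sign_token(ENTERPRISE_CLAIMS, "msa-key-1", CONSUMER_KEYS["msa-key-1"])

if __name__ == "__main__":
    print("weak accepts forged:", validate_weak(FORGED_TOKEN) is not None)
    print("strict accepts forged:", validate_strict(FORGED_TOKEN, ENTERPRISE_ISS) is not None)
```

The design point is that a signature being mathematically valid is necessary but not sufficient: the validator must also bind the key that produced it to the issuer and audience the relying party is prepared to trust, which is what Microsoft's mitigation (blocking tokens signed with the acquired MSA key in OWA) restores after the fact.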
"This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems," Charlie Bell, executive vice president of Microsoft Security, said.
The disclosure comes more than a month after Microsoft exposed critical infrastructure attacks mounted by a Chinese adversarial collective called Volt Typhoon (aka Bronze Silhouette or Vanguard Panda) targeting the U.S.
Chinese Hackers Deploy Microsoft-Signed Rootkit to Target Gaming Sector
12.7.23 Virus The Hacker News
Cybersecurity researchers have unearthed a novel rootkit signed by Microsoft that's engineered to communicate with an actor-controlled attack infrastructure.
Trend Micro has attributed the activity cluster to the same actor that was previously identified as behind the FiveSys rootkit, which came to light in October 2021.
"This malicious actor originates from China and their main victims are the gaming sector in China," Trend Micro's Mahmoud Zohdy, Sherif Magdy, and Mohamed Fahmy said. Their malware seems to have passed through the Windows Hardware Quality Labs (WHQL) process for getting a valid signature.
Multiple variants of the rootkit spanning eight different clusters have been discovered, with 75 such drivers signed using Microsoft's WHQL program in 2022 and 2023.
Trend Micro's analysis of some of the samples has revealed the presence of debug messages in the source code, indicating that the operation is still in the development and testing phase.
In subsequent steps, the first-stage driver disables the User Account Control (UAC) and Secure Desktop mode by editing the registry and initializes Winsock Kernel (WSK) objects for initiating network communication with the remote server.
It further periodically polls the server to retrieve more payloads and load them directly into memory after decoding and decrypting the received data, effectively functioning as a stealthy kernel driver loader that can bypass detections.
"The main binary acts as a universal loader that allows the attackers to directly load a second-stage unsigned kernel module," the researchers explained. "Each second-stage plug-in is customized to the victim machine it's deployed on, with some containing even a custom compiled driver for each machine. Each plug-in has a specific set of actions to be carried out from the kernel space."
The plug-ins, for their part, come with different capabilities to achieve persistence, disarm Microsoft Defender Antivirus, and deploy a proxy on the machine and redirect web browsing traffic to a remote proxy server.
Much like FiveSys, the new rootkit detections have been confined exclusively to China. One of the suspected entry points for these infections is said to be a trojanized Chinese game, mirroring Cisco Talos' discovery of a malicious driver called RedDriver.
The findings dovetail with other reports from Cisco Talos and Sophos about the use of Microsoft-signed malicious kernel-mode drivers for post-exploitation activities, with Chinese-speaking threat actors using open-source software popular within the video game cheat development community to bypass restrictions enforced by the tech giant.
As many as 133 malicious drivers signed with legitimate digital certificates have been uncovered, 81 of which are capable of terminating antivirus solutions on victims' systems. The remaining drivers are rootkits designed to covertly monitor sensitive data sent over the internet.
The fact that these drivers are signed by the Windows Hardware Compatibility Program (WHCP) means that attackers can install them on breached systems without raising any alerts and proceed to carry out malicious activity virtually unimpeded.
"Because drivers often communicate with the 'core' of the operating system and load before security software, when they are abused, they can be particularly effective at disabling security protections – especially when signed by a trusted authority," Christopher Budd, director of threat research at Sophos X-Ops, said.
Microsoft, in response to the disclosures, said it has implemented blocking protections and suspended the partners' seller accounts involved in the incident to safeguard users from future threats.
If anything, the development paints a picture of an evolving attack vector that's being actively used by adversaries to obtain privileged access to Windows machines and sidestep detection by security software.
"Malicious actors will continue to use rootkits to hide malicious code from security tools, impair defenses, and fly under the radar for long periods of time," the researchers said. "These rootkits will see heavy use from sophisticated groups that have both the skills to reverse-engineer low-level system components and the required resources to develop such tools."
Python-Based PyLoose Fileless Attack Targets Cloud Workloads for Cryptocurrency Mining
12.7.23 Cryptocurrency The Hacker News
A new fileless attack dubbed PyLoose has been observed striking cloud workloads with the goal of delivering a cryptocurrency miner, new findings from Wiz reveal.
"The attack consists of Python code that loads an XMRig Miner directly into memory using memfd, a known Linux fileless technique," security researchers Avigayil Mechtinger, Oren Ofer, and Itamar Gilad said. "This is the first publicly documented Python-based fileless attack targeting cloud workloads in the wild."
The cloud security firm said it found nearly 200 instances where the attack method was employed for cryptocurrency mining. No other details about the threat actor are currently known other than the fact that they possess sophisticated capabilities.
In the infection chain documented by Wiz, initial access is achieved through the exploitation of a publicly accessible Jupyter Notebook service that allowed for the execution of system commands using Python modules.
PyLoose, first detected on June 22, 2023, is a Python script with just nine lines of code that embeds a compressed and encoded precompiled XMRig miner. The payload is retrieved from paste.c-net[.]org into the Python runtime's memory by means of an HTTPS GET request without having to write the file to disk.
The Python code is designed to decode and decompress the XMRig miner and then load it directly into memory via the memfd memory file descriptor, which is used to access memory-resident files.
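Because the miner is loaded through a memory file descriptor, there is no file on disk to scan; what does remain visible is the process's executable link and its memory mappings, which the kernel renders as /memfd:<name> (usually with a " (deleted)" suffix). The Python below is an added defender-side example, not Wiz's code or the attacker's script, that flags such processes from /proc; the /proc/<pid>/maps excerpt used for the offline check is constructed.

```python
import os
from typing import List, Tuple

# Added example, not Wiz's code. Detection side of the memfd fileless technique:
# a memfd-backed executable shows up as "/memfd:<name>" in /proc/<pid>/exe and
# in /proc/<pid>/maps instead of a path on a mounted filesystem.

def is_memfd_exe(link_target: str) -> bool:
    """True when a /proc/<pid>/exe symlink target is an anonymous memfd."""
    return link_target.startswith("/memfd:")

def exec_memfd_mappings(maps_text: str) -> List[str]:
    """Paths of executable (x) mappings in a /proc/<pid>/maps dump that are
    backed by a memfd; catches payloads mapped into an otherwise normal process."""
    hits = []
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)  # address perms offset dev inode [path]
        if len(parts) < 6:
            continue
        perms, path = parts[1], parts[5]
        if "x" in perms and path.startswith("/memfd:"):
            hits.append(path)
    return hits

def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, str]]:
    """Live check: (pid, exe target) for every process whose main executable
    lives in a memfd. Reading another user's /proc/<pid>/exe needs privilege,
    so unreadable entries are skipped rather than treated as findings."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue
        if is_memfd_exe(target):
            hits.append((int(entry), target))
    return hits

# Constructed /proc/<pid>/maps excerpt: a normal interpreter image plus an
# executable region backed by a memfd (the memfd name here is invented).
SAMPLE_MAPS = """\
55d0c2a00000-55d0c2a21000 r--p 00000000 08:01 1310720                    /usr/bin/python3.11
7f3a10000000-7f3a10380000 r-xp 00000000 00:01 4096                       /memfd:payload (deleted)
7f3a10380000-7f3a10400000 rw-p 00380000 00:01 4096                       /memfd:payload (deleted)
7ffd3c000000-7ffd3c021000 rw-p 00000000 00:00 0                          [stack]
"""

if __name__ == "__main__":
    print("memfd exec mappings in sample:", exec_memfd_mappings(SAMPLE_MAPS))
    print("live memfd-backed processes:", scan_proc())
```

Legitimate software (some runtimes and sandboxes) also uses memfd, so a hit is a lead for triage rather than a verdict; pairing it with the parent process (a Jupyter kernel, in the chain Wiz describes) and with sustained CPU use is what turns it into a miner detection.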
"The attacker went to great lengths to be untraceable by using an open data-sharing service to host the Python payload, adapting the fileless execution technique to Python, and compiling an XMRig miner to embed its config to avoid touching the disk or using a revealing command line," the researchers said.
The development comes as Sysdig detailed a new attack campaign mounted by a threat actor known as SCARLETEEL that entails the abuse of AWS infrastructure to steal proprietary data and conduct illicit crypto mining.
Microsoft Releases Patches for 132 Vulnerabilities, Including 6 Under Active Attack
12.7.23 Vulnerability The Hacker News
Microsoft on Tuesday released updates to address a total of 132 new security flaws spanning its software, including six zero-day flaws that it said have been actively exploited in the wild.
Of the 132 vulnerabilities, nine are rated Critical, 122 are rated Important in severity, and one has been assigned a severity rating of "None." This is in addition to eight flaws the tech giant patched in its Chromium-based Edge browser towards the end of last month.
The list of issues that have come under active exploitation is as follows -
CVE-2023-32046 (CVSS score: 7.8) - Windows MSHTML Platform Elevation of Privilege Vulnerability
CVE-2023-32049 (CVSS score: 8.8) - Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2023-35311 (CVSS score: 8.8) - Microsoft Outlook Security Feature Bypass Vulnerability
CVE-2023-36874 (CVSS score: 7.8) - Windows Error Reporting Service Elevation of Privilege Vulnerability
CVE-2023-36884 (CVSS score: 8.3) - Office and Windows HTML Remote Code Execution Vulnerability (Also publicly known at the time of the release)
ADV230001 - Malicious use of Microsoft-signed drivers for post-exploitation activity (no CVE assigned)
The Windows maker said it's aware of targeted attacks against defense and government entities in Europe and North America that attempt to exploit CVE-2023-36884 by using specially-crafted Microsoft Office document lures related to the Ukrainian World Congress, echoing the latest findings from BlackBerry.
"An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim," Microsoft said. "However, an attacker would have to convince the victim to open the malicious file."
The company has flagged the intrusion campaign to a Russian cybercriminal group it tracks as Storm-0978, which is also known by the names RomCom, Tropical Scorpius, UNC2596, and Void Rabisu.
"The actor also deploys the Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022," the Microsoft Threat Intelligence team explained. "The actor's latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom."
Recent phishing attacks staged by the actor have entailed the use of trojanized versions of legitimate software hosted on lookalike websites to deploy a remote access trojan called RomCom RAT against various Ukrainian and pro-Ukraine targets in Eastern Europe and North America.
While RomCom was first clocked as a group tied to Cuba ransomware, it has since been linked to other ransomware strains such as Industrial Spy as well as a new variant called Underground as of July 2023, which exhibits significant source code overlaps with Industrial Spy.
Microsoft said it intends to take "appropriate action to help protect our customers" in the form of an out-of-band security update or via its monthly release process. In the absence of a patch for CVE-2023-36884, the company is urging users to use the "Block all Office applications from creating child processes" attack surface reduction (ASR) rule.
Redmond further said it revoked code-signing certificates used to sign and install malicious kernel-mode drivers on compromised systems by exploiting a Windows policy loophole to alter the signing date of drivers before July 29, 2015, by making use of open-source tools like HookSignTool and FuckCertVerifyTimeValidity.
The findings suggest that the use of rogue kernel-mode drivers is gaining traction among threat actors as they operate at the highest privilege level on Windows, thereby making it possible to establish persistence for extended periods of time while simultaneously interfering with the functioning of security software to evade detection.
It's currently not clear how the other flaws are being exploited or how widespread those attacks are. But in light of active abuse, it's recommended that users move quickly to apply the updates to mitigate potential threats.
Hackers Exploit Windows Policy Loophole to Forge Kernel-Mode Driver Signatures
12.7.23 Exploit The Hacker News
A Microsoft Windows policy loophole has been observed being exploited primarily by native Chinese-speaking threat actors to forge signatures on kernel-mode drivers.
"Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates," Cisco Talos said in an exhaustive two-part report shared with The Hacker News. "This is a major threat, as access to the kernel provides complete access to a system, and therefore total compromise."
Following responsible disclosure, Microsoft said it has taken steps to block all certificates to mitigate the threat. It further stated that its investigation found "the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified."
The tech giant, besides suspending developer program accounts involved in the incident, emphasized that the threat actors had already gained administrative privileges on compromised systems prior to use of the drivers.
It's worth pointing out that the Windows maker had rolled out similar blocking protections in December 2022 to prevent ransomware attackers from using Microsoft-signed drivers for post-exploitation activity.
Driver signature enforcement, which requires kernel-mode drivers to be digitally signed with a certificate from Microsoft's Dev Portal, is a crucial line of defense against malicious drivers, which could be potentially weaponized to evade security solutions, tamper with system processes, and maintain persistence. The policy change was introduced with the debut of Windows Vista.
The new weakness discovered by Cisco Talos makes it possible to forge signatures on kernel-mode drivers, thereby allowing Windows certificate policies to be bypassed.
This is made possible due to an exception carved out by Microsoft to maintain compatibility, which permits cross-signed drivers if the computer was upgraded from an earlier release of Windows to Windows 10, version 1607; Secure Boot is off in the BIOS; and the drivers were "signed with an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed [certificate authority]."
"The third exception creates a loophole that allows a newly compiled driver to be signed with non-revoked certificates issued prior to or expired before July 29, 2015, provided that the certificate chains to a supported cross-signed certificate authority," the cybersecurity company said.
As a result, a driver signed in this manner will not be prevented from being loaded on a Windows device, thereby enabling threat actors to take advantage of the escape clause to deploy thousands of malicious, signed drivers without submitting them to Microsoft for verification.
These rogue drivers are deployed using signature timestamp forging software such as HookSignTool and FuckCertVerifyTimeValidity, which have been publicly available since 2019 and 2018, respectively.
HookSignTool has been accessible via GitHub since January 7, 2020, while FuckCertVerifyTimeValidity was first committed to the code hosting service on December 14, 2018.
"HookSignTool is a driver signature forging tool that alters the signing date of a driver during the signing process through a combination of hooking into the Windows API and manually altering the import table of a legitimate code signing tool," Cisco Talos explained.
Specifically, it involves hooking to the CertVerifyTimeValidity function, which verifies the time validity of a certificate, to change the signing timestamp during execution.
"This tiny project prevents the signtool from verifing [sic] cert time validity and let you sign your bin with outdated cert without changing system time manually," the GitHub page for FuckCertVerifyTimeValidity reads.
"It install hook into crypt32!CertVerifyTimeValidity and make it always return 0 and make kernel32!GetLocalTime return what you want as you can add "-fuckyear 2011" to signtool's command line to sign a cert from year 2011."
That said, pulling off a successful forgery requires a non-revoked code signing certificate that was issued before July 29, 2015, along with the certificate's private key and passphrase.
Cisco Talos said it discovered over a dozen code signing certificates with keys and passwords contained in a PFX file hosted on GitHub in a forked repository of FuckCertVerifyTimeValidity. It's not immediately clear how these certificates were obtained.
What's more, it has been observed that HookSignTool has been used to re-sign cracked drivers in order to bypass digital rights management (DRM) integrity checks, with an actor named "Juno_Jr" releasing a cracked version of PrimoCache, a legitimate software caching solution, in a Chinese software cracking forum on November 9, 2022.
"In the cracked version [...], the patched driver was re-signed with a certificate originally issued to 'Shenzhen Luyoudashi Technology Co., Ltd.,' which is contained in the PFX file on GitHub," Talos researchers said. "This ability to resign a cracked driver removes a significant roadblock when attempting to bypass DRM checks in a signed driver."
That's not all. HookSignTool is also being utilized by a previously undocumented driver identified as RedDriver to forge its signature timestamp. Active since at least 2021, it functions as a driver-based browser hijacker that leverages the Windows Filtering Platform (WFP) to intercept browser traffic and reroute it to localhost (127.0.0.1).
The target browser is chosen at random from a hard-coded list containing the process names of many popular Chinese language browsers like Liebao, QQ Browser, Sogou, and UC Browser, as well as Google Chrome, Microsoft Edge, and Mozilla Firefox.
"I initially found RedDriver while researching certificate timestamp forging on Windows drivers," Chris Neal, outreach researcher for Cisco Talos told The Hacker News. "It was one of the first samples I ran into that was immediately suspicious. What caught my attention was the list of web browsers stored inside the RedDriver file."
The ultimate objective of this browser traffic redirection is not clear, although it goes without saying that such a capability could be abused to tamper with browser traffic at the packet level.
RedDriver infection chains commence with the execution of a binary named "DnfClientShell32.exe," which, in turn, initiates encrypted communications with a command-and-control (C2) server to download the malicious driver.
"We didn't observe the delivery of the initial file, but it's very likely that the file was packaged to masquerade as a game file, and was hosted on a malicious download link," Neal said. "The victim probably thought they were downloading a file from a legitimate source and ran the executable. 'DNFClient' is the name of a file belonging to 'Dungeon Fighter Online' which is an extremely popular game in China and commonly referred to as 'DNF.'"
"RedDriver was likely developed by highly skilled threat actors as the learning curve for developing malicious drivers is steep," Cisco Talos said. "While the threat appears to target native Chinese speakers, the authors are likely Chinese speakers as well."
"The authors also demonstrated a familiarity or experience with software development lifecycles, another skill set that requires previous development experience."
The development comes as Sophos said it found over 100 malicious kernel drivers that had been signed by Microsoft and other companies, some dating as far back as April, and used to either sabotage security software from running as designed or function as a stealthy rootkit capable of monitoring network traffic using WFP.
"It appears the creator of the malicious driver built out one 'parent' version of the driver, then ran the parent version through one or more packer utilities one or more times, creating in some cases dozens of 'child' variants, all of which the creators could submit to Microsoft for signing," Sophos researcher Andrew Brandt said.
"There are a lot of benefits for threat actors to deploy drivers in their infection chain, however they are a lot more difficult to develop than user-mode malware," Neal said. "Drivers are harder to detect for EDR and are hard to analyze, especially if there is any obfuscation employed."
(The story has been updated after publication to include additional information from Sophos about the discovery of malicious drivers.)
SCARLETEEL Cryptojacking Campaign Exploiting AWS Fargate in Ongoing Campaign
11.7.23 Cryptocurrency The Hacker News
Cloud environments continue to be at the receiving end of an ongoing advanced attack campaign dubbed SCARLETEEL, with the threat actors now setting their sights on Amazon Web Services (AWS) Fargate.
"Cloud environments are still their primary target, but the tools and techniques used have adapted to bypass new security measures, along with a more resilient and stealthy command and control architecture," Sysdig security researcher Alessandro Brucato said in a new report shared with The Hacker News.
SCARLETEEL was first exposed by the cybersecurity company in February 2023, detailing a sophisticated attack chain that culminated in the theft of proprietary data from AWS infrastructure and the deployment of cryptocurrency miners to profit off the compromised systems' resources illegally.
A follow-up analysis by Cado Security uncovered potential links to a prolific cryptojacking group known as TeamTNT, although Sysdig told The Hacker News that it "could be someone copying their methodology and attack patterns."
The latest activity continues the threat actor's penchant for going after AWS accounts by exploiting vulnerable public-facing web applications with an ultimate aim to gain persistence, steal intellectual property, and potentially generate revenue to the tune of $4,000 per day using crypto miners.
"The actor discovered and exploited a mistake in an AWS policy which allowed them to escalate privileges to AdministratorAccess and gain control over the account, enabling them to then do with it what they wanted," Brucato explained.
It all begins with the adversary exploiting JupyterLab notebook containers deployed in a Kubernetes cluster, leveraging the initial foothold to conduct reconnaissance of the target network and gather AWS credentials to obtain deeper access into the victim's environment.
This is followed by the installation of the AWS command line tool and an exploitation framework called Pacu for subsequent exploitation. The attack also stands out for its use of various shell scripts to retrieve AWS credentials, some of which target AWS Fargate compute engine instances.
"The attacker was observed using the AWS client to connect to Russian systems which are compatible with the S3 protocol," Brucato said, adding the SCARLETEEL actors used stealthy techniques to ensure that data exfiltration events are not captured in CloudTrail logs.
Some of the other steps taken by the attacker include the use of a Kubernetes Penetration Testing tool known as Peirates to exploit the container orchestration system and a DDoS botnet malware called Pandora, indicating further attempts on the part of the actor to monetize the host.
"The SCARLETEEL actors continue to operate against targets in the cloud, including AWS and Kubernetes," Brucato said. "Their preferred method of entry is exploitation of open compute services and vulnerable applications. There is a continued focus on monetary gain via crypto mining, but [...] intellectual property is still a priority."
Beware of Big Head Ransomware: Spreading Through Fake Windows Updates
11.7.23 Ransom The Hacker News
A developing piece of ransomware called Big Head is being distributed as part of a malvertising campaign that takes the form of bogus Microsoft Windows updates and Word installers.
Big Head was first documented by Fortinet FortiGuard Labs last month, when it discovered multiple variants of the ransomware that are designed to encrypt files on victims' machines in exchange for a cryptocurrency payment.
"One Big Head ransomware variant displays a fake Windows Update, potentially indicating that the ransomware was also distributed as a fake Windows Update," Fortinet researchers said at the time. "One of the variants has a Microsoft Word icon and was likely distributed as counterfeit software."
A majority of the Big Head samples have been submitted so far from the U.S., Spain, France, and Turkey.
In a new analysis of the .NET-based ransomware, Trend Micro detailed its inner workings, calling out its ability to deploy three encrypted binaries: 1.exe to propagate the malware, archive.exe to facilitate communications over Telegram, and Xarch.exe to encrypt the files and display a fake Windows update.
"The malware displays a fake Windows Update UI to deceive the victim into thinking that the malicious activity is a legitimate software update process, with the percentage of progress in increments of 100 seconds," the cybersecurity company said.
Big Head is no different from other ransomware families in that it deletes backups, terminates several processes, and performs checks to determine if it's running within a virtualized environment before proceeding to encrypt the files.
In addition, the malware disables the Task Manager to prevent users from terminating or investigating its process and aborts itself if the machine's language is set to Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, or Uzbek. It also incorporates a self-delete function to erase its presence.
Trend Micro said it detected a second Big Head artifact with both ransomware and stealer behaviors, the latter of which leverages the open-source WorldWind Stealer to harvest web browser history, directory lists, running processes, product key, and networks.
Also discovered is a third variant of Big Head that incorporates a file infector called Neshta, which is used to insert malicious code into executables on the infected host.
"Incorporating Neshta into the ransomware deployment can also serve as a camouflage technique for the final Big Head ransomware payload," Trend Micro researchers said.
"This technique can make the piece of malware appear as a different type of threat, such as a virus, which can divert the prioritization of security solutions that primarily focus on detecting ransomware."
The identity of the threat actor behind Big Head is currently not known, but Trend Micro said it identified a YouTube channel with the name "aplikasi premium cuma cuma," suggesting an adversary likely of Indonesian origin.
"Security teams should remain prepared given the malware's diverse functionalities," the researchers concluded. "This multifaceted nature gives the malware the potential to cause significant harm once fully operational, making it more challenging to defend systems against, as each attack vector requires separate attention."
Apple Issues Urgent Patch for Zero-Day Flaw Targeting iOS, iPadOS, macOS, and Safari
11.7.23 Apple The Hacker News
Apple has released Rapid Security Response updates for iOS, iPadOS, macOS, and Safari web browser to address a zero-day flaw that it said has been actively exploited in the wild.
The WebKit bug, cataloged as CVE-2023-37450, could allow threat actors to achieve arbitrary code execution when processing specially crafted web content. The iPhone maker said it addressed the issue with improved checks.
Credited with discovering and reporting the flaw is an anonymous researcher. As with most cases like this, there are scant details about the nature and the scale of the attacks and the identity of the threat actor behind them.
But Apple noted in a terse advisory that it's "aware of a report that this issue may have been actively exploited."
The updates, iOS 16.5.1 (a), iPadOS 16.5.1 (a), macOS Ventura 13.4.1 (a), and Safari 16.5.2, are available for devices running the following operating system versions:
iOS 16.5.1 and iPadOS 16.5.1
macOS Ventura 13.4.1
macOS Big Sur and macOS Monterey
Apple has addressed 10 zero-day vulnerabilities in its software since the start of 2023. The update also arrives weeks after the company rolled out patches to fix three zero-days, two of which have been weaponized by unidentified actors in connection with an espionage campaign called Operation Triangulation.
Update
Apple has pulled the software update after reports emerged that installing the patches caused certain websites like Facebook, Instagram, and Zoom to throw an "Unsupported Browser" error on Safari.
New Mozilla Feature Blocks Risky Add-Ons on Specific Websites to Safeguard User Security
10.7.23 Security The Hacker News
Mozilla has announced that some add-ons may be blocked from running on certain sites as part of a new feature called Quarantined Domains.
"We have introduced a new back-end feature to only allow some extensions monitored by Mozilla to run on specific websites for various reasons, including security concerns," the company said in its Release Notes for Firefox 115.0 released last week.
The company said the openness afforded by the add-on ecosystem could be exploited by malicious actors to their advantage.
"This feature allows us to prevent attacks by malicious actors targeting specific domains when we have reason to believe there may be malicious add-ons we have not yet discovered," Mozilla said in a separate support document.
Users are expected to have more control over the setting for each add-on, starting with Firefox version 116. That said, it can be disabled by loading "about:config" in the address bar and setting "extensions.quarantinedDomains.enabled" to false.
The development adds to Mozilla's existing capability to remotely disable individual extensions that pose a risk to user privacy and security.
It's worth noting that the warning appears in the Extensions popup rather than on the Extensions icon in the current implementation, as a result of which the alerts are not displayed should an add-on be pinned to the toolbar.
"It turns out that when you pin an extension to the toolbar, it no longer appears in the Extensions popup!" security researcher and add-on developer Jeff Johnson noted.
"Consequently, the quarantined domains warning no longer appears in the Extensions popup either. In fact, there's no longer an Extensions popup: clicking the Extensions toolbar icon simply opens the about:addons page, which doesn't show the quarantined domains warning anywhere."
"This is a terrible user interface design for the new so-called 'security' feature, silently disabling extensions while hiding the warning from the user," Johnson added.
Mozilla has said that it intends to improve the user experience in future releases, although it did not give a definitive timeline.
The change also comes as Mozilla decried a browser-based website blocking proposal put forth by France that would require browser vendors to establish mechanisms to mandatorily block websites present on a government-provided list to tackle online fraud.
"Such a move will overturn decades of established content moderation norms and provide a playbook for authoritarian governments that will easily negate the existence of censorship circumvention tools," the company said.
New TOITOIN Banking Trojan Targeting Latin American Businesses
10.7.23 Virus The Hacker News
Businesses operating in the Latin American (LATAM) region have been the target of a new Windows-based banking trojan called TOITOIN since May 2023.
"This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage," Zscaler researchers Niraj Shivtarkar and Preet Kamal said in a report published last week.
"These modules are custom designed to carry out malicious activities, such as injecting harmful code into remote processes, circumventing User Account Control via COM Elevation Moniker, and evading detection by Sandboxes through clever techniques like system reboots and parent process checks."
The six-stage endeavor has all the hallmarks of a well-crafted attack sequence, beginning with a phishing email containing an embedded link that points to a ZIP archive hosted on an Amazon EC2 instance to evade domain-based detections.
The email messages leverage an invoice-themed lure to trick unwitting recipients into opening them, thereby activating the infection. Within the ZIP archive is a downloader executable that's engineered to set up persistence by means of an LNK file in the Windows Startup folder and communicate with a remote server to retrieve six next-stage payloads in the form of MP3 files.
The downloader is also responsible for generating a Batch script that restarts the system after a 10-second timeout. This is done so as to "evade sandbox detection since the malicious actions occur only after the reboot," the researchers said.
Included among the fetched payloads is "icepdfeditor.exe," a valid signed binary by ZOHO Corporation Private Limited, which, when executed, sideloads a rogue DLL ("ffmpeg.dll") codenamed the Krita Loader.
The loader, for its part, is designed to decode a JPG file downloaded alongside the other payloads and launch another executable known as the InjectorDLL module that reverses a second JPG file to form what's called the ElevateInjectorDLL module.
The InjectorDLL component subsequently moves to inject ElevateInjectorDLL into the "explorer.exe" process, following which a User Account Control (UAC) bypass is carried out, if required, to elevate the process privileges and the TOITOIN Trojan is decrypted and injected into the "svchost.exe" process.
"This technique allows the malware to manipulate system files and execute commands with elevated privileges, facilitating further malicious activities," the researchers explained.
TOITOIN comes with capabilities to gather system information as well as harvest data from installed web browsers such as Google Chrome, Microsoft Edge and Internet Explorer, Mozilla Firefox, and Opera. Furthermore, it checks for the presence of Topaz Online Fraud Detection (OFD), an anti-fraud module integrated into banking platforms in the LATAM region.
The nature of the responses from the command-and-control (C2) server is presently not known due to the fact that the server is no longer available.
"Through deceptive phishing emails, intricate redirect mechanisms, and domain diversification, the threat actors successfully deliver their malicious payload," the researchers said. "The multi-staged infection chain observed in this campaign involves the use of custom-developed modules that employ various evasion techniques and encryption methods."
RomCom RAT Targeting NATO and Ukraine Support Groups
10.7.23 Virus The Hacker News
The threat actors behind the RomCom RAT have been suspected of phishing attacks targeting the upcoming NATO Summit in Vilnius as well as an identified organization supporting Ukraine abroad.
The findings come from the BlackBerry Threat Research and Intelligence team, which found two malicious documents submitted from a Hungarian IP address on July 4, 2023.
RomCom, also tracked under the names Tropical Scorpius, UNC2596, and Void Rabisu, was recently observed staging cyber attacks against politicians in Ukraine who are working closely with Western countries and a U.S.-based healthcare organization involved with aiding refugees fleeing the war-torn country.
Attack chains mounted by the group are geopolitically motivated and have employed spear-phishing emails to point victims to cloned websites hosting trojanized versions of popular software. Targets include militaries, food supply chains, and IT companies.
The latest lure documents identified by BlackBerry impersonate the Ukrainian World Congress, a legitimate non-profit ("Overview_of_UWCs_UkraineInNATO_campaign.docx"), and feature a bogus letter declaring support for Ukraine's inclusion in NATO ("Letter_NATO_Summit_Vilnius_2023_ENG(1).docx").
"Although we haven't yet uncovered the initial infection vector, the threat actor likely relied on spear-phishing techniques, engaging their victims to click on a specially crafted replica of the Ukrainian World Congress website," the Canadian company said in an analysis published last week.
Opening the file triggers a sophisticated execution sequence that entails retrieving intermediate payloads from a remote server, which, in turn, exploits Follina (CVE-2022-30190), a now-patched security flaw affecting Microsoft's Support Diagnostic Tool (MSDT), to achieve remote code execution.
The result is the deployment of RomCom RAT, an executable written in C++ that's designed to collect information about the compromised system and remotely commandeer it.
"Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine," BlackBerry said.
"Based on the available information, we have medium to high confidence to conclude that this is a RomCom rebranded operation, or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group."
Hackers Steal $20 Million by Exploiting Flaw in Revolut's Payment Systems
10.7.23 Incident The Hacker News
Malicious actors exploited an unknown flaw in Revolut's payment systems to steal more than $20 million of the company's funds in early 2022.
The development was reported by the Financial Times, citing multiple unnamed sources with knowledge of the incident. The breach has not been disclosed publicly.
The fault stemmed from discrepancies between Revolut's U.S. and European systems, causing funds to be erroneously refunded using its own money when some transactions were declined.
The problem was first detected in late 2021. But before it could be closed, the report said organized criminal groups leveraged the loophole by "encouraging individuals to try to make expensive purchases that would go on to be declined." The refunded amounts would then be withdrawn from ATMs.
The exact technical details associated with the flaw are currently unclear.
About $23 million was stolen in total, with some funds recovered by pursuing those who had withdrawn cash. The mass fraud scheme is said to have resulted in a net loss of about $20 million for the neobank and fintech firm.
The disclosure arrives less than a week after Interpol announced the arrest of a suspected senior member of a French-speaking hacking crew known as OPERA1ER, which has been linked to attacks aimed at financial institutions and mobile banking services with malware, phishing campaigns, and large-scale Business Email Compromise (BEC) scams.
Two Spyware Apps on Google Play with 1.5 Million Users Sending Data to China
8.7.23 Android The Hacker News
Two file management apps on the Google Play Store have been discovered to be spyware, putting the privacy and security of up to 1.5 million Android users at risk. These apps engage in deceptive behaviour and secretly send sensitive user data to malicious servers in China.
Pradeo, a leading mobile security company, has uncovered this alarming infiltration. The report shows that both spyware apps, namely File Recovery and Data Recovery (com.spot.music.filedate) with over 1 million installs, and File Manager (com.file.box.master.gkd) with over 500,000 installs, are developed by the same group. These seemingly harmless Android apps use similar malicious tactics and automatically launch when the device reboots without user input.
Contrary to what they claim on the Google Play Store, where both apps assure users that no data is collected, Pradeo's analytics engine has found that various personal information is collected without users' knowledge. Stolen data includes contact lists, media files (images, audio files and videos), real-time location, mobile country code, network provider details, SIM provider network code, operating system version, device brand, and model.
What is particularly alarming is the large amount of data transferred by these spyware apps. Each app performs more than a hundred transmissions, a considerable amount for malicious activities. Once the data is collected, it is sent to multiple servers in China, which are deemed malicious by security experts.
To make matters worse, the developers of these spyware apps have used sneaky techniques to appear more legitimate and make it difficult to uninstall them. The operators artificially inflated the apps' download counts with install farms or mobile device emulators, creating a false sense of trustworthiness. Moreover, both apps request advanced permissions that allow them to hide their icons on the home screen, making it difficult for unsuspecting users to uninstall them.
Pradeo provides security recommendations for individuals and businesses in light of this disturbing discovery. Individuals should be cautious when downloading apps, especially those without ratings if they claim a large user base. It is extremely critical to read and understand app permissions before accepting them to prevent breaches like this.
Organizations should prioritize educating their employees about mobile threats and setting up automated mobile detection and response systems to protect against potential attacks.
This incident highlights the ongoing battle between cybersecurity experts and malicious actors exploiting unsuspecting users. Malware and spyware attacks are constantly evolving and finding new ways to infiltrate trusted platforms like the Google Play Store. As a user, it is imperative to stay vigilant, exercise caution when downloading apps, and rely on reputable sources for software.
Vishing Goes High-Tech: New 'Letscall' Malware Employs Voice Traffic Routing
8.7.23 Virus The Hacker News
Researchers have issued a warning about an emerging and advanced form of voice phishing (vishing) known as "Letscall." This technique is currently targeting individuals in South Korea.
The criminals behind "Letscall" employ a multi-step attack to deceive victims into downloading malicious apps from a counterfeit Google Play Store website.
Once the malicious software is installed, it redirects incoming calls to a call center under the control of the criminals. Trained operators posing as bank employees then extract sensitive information from unsuspecting victims.
To facilitate the routing of voice traffic, "Letscall" utilizes cutting-edge technologies such as voice over IP (VoIP) and WebRTC. It also makes use of the Session Traversal Utilities for NAT (STUN) and Traversal Using Relays around NAT (TURN) protocols, including Google STUN servers, to ensure high-quality phone or video calls and bypass NAT and firewall restrictions.
The "Letscall" group consists of Android developers, designers, frontend and backend developers, as well as call operators specializing in voice social engineering attacks.
The malware operates in three stages: first, a downloader app prepares the victim's device, paving the way for the installation of powerful spyware. This spyware then triggers the final stage, which allows the rerouting of incoming calls to the attackers' call center.
"The third stage has its own set of commands, which also includes Web socket commands. Some of these commands relate to the manipulation of the address book, such as creating and removing contacts. Other commands relate to creating, modifying, and removing the filters that determine which calls should be intercepted and which should be ignored," Dutch mobile security firm ThreatFabric said in its report.
What sets "Letscall" apart is its utilization of advanced evasion techniques. The malware incorporates Tencent Legu and Bangcle (SecShell) obfuscation during the initial download. In later stages, it employs complex naming structures in ZIP file directories and intentionally corrupts the manifest to confuse and bypass security systems.
Criminals have developed systems that automatically call victims and play pre-recorded messages to further deceive them. By combining mobile phone infections with vishing techniques, these fraudsters can request micro-loans in the victims' names while assuring them of suspicious activities and redirecting calls to their centers.
The consequences of such attacks can be significant, leaving victims burdened with substantial loans to repay. Financial institutions often underestimate the severity of these invasions and fail to investigate potential fraud.
Although this threat is currently limited to South Korea, researchers caution that there are no technical barriers preventing these attackers from expanding to other regions, including the European Union.
This new form of vishing attack underscores the constant evolution of criminal tactics and their ability to exploit technology for malicious purposes. The group responsible for the "Letscall" malware demonstrates intricate knowledge of Android security and voice routing technologies.
Another Critical Unauthenticated SQLi Flaw Discovered in MOVEit Transfer Software
8.7.23 Vulnerability The Hacker News
Progress Software has announced the discovery and patching of a critical SQL injection vulnerability in MOVEit Transfer, popular software used for secure file transfer. In addition, Progress Software has patched two other high-severity vulnerabilities.
The identified SQL injection vulnerability, tagged as CVE-2023-36934, could potentially allow unauthenticated attackers to gain unauthorized access to the MOVEit Transfer database.
SQL injection vulnerabilities are a well-known and dangerous class of security flaw that allows attackers to manipulate databases and execute arbitrary SQL statements against them. Attackers can send specifically designed payloads to certain endpoints of the affected application, which could change or expose sensitive data in the database.
The reason CVE-2023-36934 is so critical is that it can be exploited without having to be logged in. This means that even attackers without valid credentials can potentially exploit the vulnerability. However, as of now, there have been no reports of this particular vulnerability being actively used by attackers.
This discovery comes after a series of recent cyberattacks that used a different SQL injection vulnerability (CVE-2023-34362) to target MOVEit Transfer with Clop ransomware. These attacks resulted in data theft and money extortion from affected organizations.
This latest security update from Progress Software also addresses two other high-severity vulnerabilities: CVE-2023-36932 and CVE-2023-36933.
CVE-2023-36932 is a SQL injection flaw that can be exploited by attackers who are logged in to gain unauthorized access to the MOVEit Transfer database. CVE-2023-36933, on the other hand, is a vulnerability that allows attackers to unexpectedly shut down the MOVEit Transfer program.
Researchers from HackerOne and Trend Micro's Zero Day Initiative responsibly reported these vulnerabilities to Progress Software.
These vulnerabilities affect multiple MOVEit Transfer versions, including 12.1.10 and previous versions, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and older, 14.1.7 and older, and 15.0.3 and earlier.
Progress Software has made the necessary updates available for all major MOVEit Transfer versions. Users are strongly advised to update to the latest version of MOVEit Transfer to reduce the risks posed by these vulnerabilities.
Mastodon Social Network Patches Critical Flaws Allowing Server Takeover
8.7.23 Vulnerability The Hacker News
Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks.
Mastodon is known for its federated model, consisting of thousands of separate servers called "instances," and it has over 14 million users across more than 20,000 instances.
The most critical vulnerability, CVE-2023-36460, allows hackers to exploit a flaw in the media attachments feature, creating and overwriting files in any location the software could access on an instance.
This software vulnerability could be used for DoS and arbitrary remote code execution attacks, posing a significant threat to users and the broader Internet ecosystem.
If an attacker gains control over multiple instances, they could cause harm by instructing users to download malicious applications or even bring down the entire Mastodon infrastructure. Fortunately, there is no evidence of this vulnerability being exploited so far.
The critical flaw was discovered as part of a comprehensive penetration testing initiative funded by the Mozilla Foundation and conducted by Cure53.
The recent patch release addressed five vulnerabilities, including another critical issue tracked as CVE-2023-36459. This vulnerability could allow attackers to inject arbitrary HTML into oEmbed preview cards, bypassing Mastodon's HTML sanitization process.
Consequently, this introduced a vector for Cross-Site Scripting (XSS) payloads that could execute malicious code when users clicked on preview cards associated with malicious links.
The remaining three vulnerabilities were classified as high and medium severity. They included "Blind LDAP injection in login," which allowed attackers to extract arbitrary attributes from the LDAP database, "Denial of Service through slow HTTP responses," and a formatting issue with "Verified profile links." Each of these flaws posed different levels of risk to Mastodon users.
To protect themselves, Mastodon users only need to ensure that their subscribed instance has installed the necessary updates promptly.
BlackByte 2.0 Ransomware: Infiltrate, Encrypt, and Extort in Just 5 Days
7.7.23 Ransom The Hacker News
Ransomware attacks are a major problem for organizations everywhere, and the severity of this problem continues to intensify.
Recently, Microsoft's Incident Response team investigated the BlackByte 2.0 ransomware attacks and exposed these cyber strikes' terrifying velocity and damaging nature.
The findings indicate that hackers can complete the entire attack process, from gaining initial access to causing significant damage, in just five days. They waste no time infiltrating systems, encrypting important data, and demanding a ransom to release it.
This shortened timeline poses a significant challenge for organizations trying to protect themselves against these harmful operations.
BlackByte ransomware is used in the final stage of the attack, using an 8-digit number key to encrypt the data.
To carry out these attacks, hackers use a powerful combination of tools and techniques. The investigation revealed that they take advantage of unpatched Microsoft Exchange Servers—an approach that has proven highly successful. By exploiting this vulnerability, they gain initial access to the target networks and set the stage for their malicious activities.
The ransomware further employs process hollowing and antivirus evasion strategies to guarantee successful encryption and circumvent detection.
Furthermore, web shells equip them with remote access and control, enabling them to maintain a presence within the compromised systems.
The report also highlighted the deployment of Cobalt Strike beacons, which facilitate command and control operations. These sophisticated tools give attackers a wide range of skills, making it more difficult for organizations to defend against them.
Alongside these tactics, the investigation uncovered several other troubling practices cybercriminals use. They utilize "living-off-the-land" tools to blend in with legitimate processes and escape detection.
The ransomware modifies volume shadow copies on infected machines to prevent data recovery through system restore points. The attackers also deploy specially crafted backdoors, ensuring continued access even after the initial compromise.
The disturbing upsurge in ransomware attacks requires immediate action from organizations worldwide. In response to these findings, Microsoft has provided some practical recommendations.
Organizations are primarily urged to implement robust patch management procedures, ensuring that critical security updates are applied promptly. Enabling tamper protection is another essential step, as it strengthens security solutions against malicious attempts to disable or bypass them.
Google Releases Android Patch Update for 3 Actively Exploited Vulnerabilities
7.7.23 Android The Hacker News
Google has released its monthly security updates for the Android operating system, addressing 46 new software vulnerabilities. Among these, three vulnerabilities have been identified as actively exploited in targeted attacks.
One of the vulnerabilities tracked as CVE-2023-26083 is a memory leak flaw affecting the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips. This particular vulnerability was exploited in a previous attack that enabled spyware infiltration on Samsung devices in December 2022.
This vulnerability was regarded as serious enough to prompt the Cybersecurity and Infrastructure Security Agency (CISA) to issue a patching order for federal agencies in April 2023.
Another significant vulnerability, identified as CVE-2021-29256, is a high-severity issue that affects specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers. This flaw permits an unprivileged user to gain unauthorized access to sensitive data and escalate privileges to the root level.
The third exploited vulnerability, CVE-2023-2136, is a critical-severity bug discovered in Skia, Google's open-source multi-platform 2D graphics library. It was initially disclosed as a zero-day vulnerability in the Chrome browser and allows a remote attacker who has taken over the renderer process to perform a sandbox escape and achieve remote code execution on Android devices.
Besides these, Google's July Android security bulletin highlights another critical vulnerability, CVE-2023-21250, affecting the Android System component. This issue can cause remote code execution without user interaction or additional execution privileges, making it particularly precarious.
These security updates are rolled out in two patch levels. The initial patch level, made available on July 1, focuses on core Android components, addressing 22 security defects in the Framework and System components.
The second patch level, released on July 5, targets kernel and closed source components, tackling 20 vulnerabilities in Kernel, Arm, Imagination Technologies, MediaTek, and Qualcomm components.
It's important to note that the impact of the addressed vulnerabilities may extend beyond the supported Android versions (11, 12, and 13), potentially affecting older OS versions that no longer receive official support.
Google has further launched particular security patches for its Pixel devices, dealing with 14 vulnerabilities in Kernel, Pixel, and Qualcomm components. Two of these critical weaknesses could result in privilege elevation and denial-of-service attacks.
JumpCloud Resets API Keys Amid Ongoing Cybersecurity Incident
7.7.23 Incident The Hacker News
JumpCloud, a provider of cloud-based identity and access management solutions, has swiftly reacted to an ongoing cybersecurity incident that impacted some of its clients.
As part of its damage control efforts, JumpCloud has reset the application programming interface (API) keys of all customers affected by this event, aiming to protect their valuable data.
The company has informed the concerned clients about the critical nature of this move, reinforcing its commitment to safeguarding their operations and organizations. This API key reset will, however, disrupt certain functionalities like AD import, HRIS integrations, JumpCloud PowerShell modules, JumpCloud Slack apps, Directory Insights Serverless apps, ADMU, third-party zero-touch MDM packages, Command Triggers, Okta SCIM integration, Azure AD SCIM integration, Workato, Aquera, Tray, and more.
Despite the potential disruptions, JumpCloud maintains that the key reset is for the greater good of its clients. For those needing assistance with resetting or re-establishing their API keys, the company stands ready to provide support.
The company urges affected clients to promptly reset their API keys to enhance their systems' security. To aid in this, JumpCloud has made available a detailed guide and an interactive simulation.
This recent event has highlighted the importance of API security, demonstrating the need for robust protective measures. It is crucial for businesses to adequately secure their APIs to avert potential security breaches.
JumpCloud's cloud-based Active Directory (AD) services are utilized by over 180,000 organizations globally. A multitude of software vendors and cloud service providers have integrated their systems with JumpCloud's suite of identity, access, and device management services.
Details regarding the specifics or scale of the incident are not available at this moment, but JumpCloud is actively addressing the situation. It is yet to be ascertained whether the company's network was compromised or the precise cause of the issue.
JumpCloud's communication has drawn some criticism for not being fully transparent.
Clients of JumpCloud affected by this event are advised to expedite their API key resets and stay tuned for further developments or announcements related to this incident.
Cybersecurity Agencies Sound Alarm on Rising TrueBot Malware Attacks
7.7.23 Virus The Hacker News
Cybersecurity agencies have warned about the emergence of new variants of the TrueBot malware. This enhanced threat is now targeting companies in the U.S. and Canada with the intention of extracting confidential data from infiltrated systems.
These sophisticated attacks exploit a critical vulnerability (CVE-2022-31199) in the widely used Netwrix Auditor server and its associated agents.
This vulnerability enables unauthorized attackers to execute malicious code with the SYSTEM user's privileges, granting them unrestricted access to compromised systems.
The TrueBot malware, linked with cybercriminal collectives Silence and FIN11, is deployed to siphon off data and disseminate ransomware, jeopardising the safety of numerous infiltrated networks.
The cybercriminals gain their initial foothold by exploiting the cited vulnerability, then proceed to install TrueBot. Once they have breached the networks, they install the FlawedGrace Remote Access Trojan (RAT) to escalate their privileges, establish persistence on the compromised systems, and conduct additional operations.
"During FlawedGrace's execution phase, the RAT stores encrypted payloads within the registry. The tool can create scheduled tasks and inject payloads into msiexec[.]exe and svchost[.]exe, which are command processes that enable FlawedGrace to establish a command and control (C2) connection to 92.118.36[.]199, for example, as well as load dynamic link libraries (DLLs) to accomplish privilege escalation," the advisory says.
The cybercriminals initiate Cobalt Strike beacons within several hours of the first intrusion. These beacons facilitate post-exploitation tasks, including stealing data and installing ransomware or different malware payloads.
While previous versions of the TrueBot malware were typically spread through malicious email attachments, the updated versions leverage the CVE-2022-31199 vulnerability to gain initial access.
This strategic shift allows the cyber threat actors to carry out attacks on a broader scale within infiltrated environments. Importantly, the Netwrix Auditor software is employed by more than 13,000 organizations worldwide, including notable firms such as Airbus, Allianz, the UK NHS, and Virgin.
The advisory does not provide specific information about the victims or the number of organizations affected by the TrueBot attacks.
The report also underlines the participation of the Raspberry Robin malware in these TrueBot attacks, as well as other post-compromise malware like IcedID and Bumblebee. By utilizing Raspberry Robin as a distribution platform, attackers can reach more potential victims and amplify the impact of their malicious activities.
Given that the Silence and TA505 groups are actively infiltrating networks for monetary benefit, it is crucial for organizations to implement suggested security measures.
To safeguard themselves against TrueBot malware and similar threats, organizations should take the following recommendations into account:
Install updates: Organizations using Netwrix Auditor should install the necessary updates to mitigate the CVE-2022-31199 vulnerability and update their software to version 10.5 or above.
Enhance security protocols: Deploy multi-factor authentication (MFA) for all employees and services.
Be vigilant for signs of infiltration (IOCs): Security teams must actively scrutinize their networks for indications of TrueBot contamination. The joint warning provides guidelines to help in discovering and reducing the malware's impact.
Report any incidents: If organizations detect IOCs or suspect a TrueBot infiltration, they must act swiftly in accordance with the incident response actions laid out in the warning and report the incident to CISA or the FBI.
Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users
7.7.23 Apple The Hacker News
The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware.
"TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint said in a new report.
"When given the opportunity, TA453 ported its malware and attempted to launch an Apple flavored infection chain dubbed NokNok. TA453 also employed multi-persona impersonation in its unending espionage quest."
TA453, also known by the names APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group linked to Iran's Islamic Revolutionary Guard Corps (IRGC) that has been active since at least 2011. Most recently, Volexity highlighted the adversary's use of an updated version of a PowerShell implant called CharmPower (aka GhostEcho or POWERSTAR).
In the attack sequence discovered by the enterprise security firm in mid-May 2023, the hacking crew sent phishing emails to a nuclear security expert at a U.S.-based think tank focused on foreign affairs that delivered a malicious link to a Google Script macro that would redirect the target to a Dropbox URL hosting a RAR archive.
Present within the file is an LNK dropper that kicks off a multi-stage procedure to ultimately deploy GorjolEcho, which, in turn, displays a decoy PDF document, while covertly awaiting next-stage payloads from a remote server.
But upon realizing that the target is using an Apple computer, TA453 is said to have tweaked its modus operandi to send a second email with a ZIP archive embedding a Mach-O binary that masquerades as a VPN application, but in reality, is an AppleScript that reaches out to a remote server to download a Bash script-based backdoor called NokNok.
NokNok, for its part, fetches as many as four modules that are capable of gathering running processes, installed applications, and system metadata as well as setting persistence using LaunchAgents.
The modules "mirror a majority of the functionality" of the modules associated with CharmPower, with NokNok sharing some source code overlaps with macOS malware previously attributed to the group in 2017.
Also put to use by the actor is a bogus file-sharing website that likely functions to fingerprint visitors and act as a mechanism to track successful victims.
"TA453 continues to adapt its malware arsenal, deploying novel file types, and targeting new operating systems," the researchers said, adding the actor "continues to work toward its same end goals of intrusive and unauthorized reconnaissance" while simultaneously complicating detection efforts.
Node.js Users Beware: Manifest Confusion Attack Opens Door to Malware
5.7.23 Virus The Hacker News
The npm registry for the Node.js JavaScript runtime environment is susceptible to what's called a manifest confusion attack that could potentially allow threat actors to conceal malware in project dependencies or perform arbitrary script execution during installation.
"A npm package's manifest is published independently from its tarball," Darcy Clarke, a former GitHub and npm engineering manager, said in a technical write-up published last week. "Manifests are never fully validated against the tarball's contents."
"The ecosystem has broadly assumed the contents of the manifest and tarball are consistent," Clarke added.
The problem, at its core, stems from the fact that the manifest and package metadata are decoupled and that they are never cross-referenced against one another, thereby leading to unexpected behavior and misuse when there is a mismatch.
As a result, a threat actor could exploit this loophole to publish a module with a manifest file (package.json) that contains hidden dependencies as well as run install scripts, which could then pave the way for a supply chain attack and the poisoning of a developer's environment.
"Manifest confusion becomes problematic in development environments without effective DevSecOps workflows and tooling in place, especially when applications blindly trust application manifests rather than the actual (vulnerable or malicious) files contained within open source packages," Sonatype researcher and journalist Ax Sharma said.
The finding underscores the fact that metadata contained within package manifest files alone cannot be relied upon when downloading a package from the open-source repository, necessitating that users take steps to scan packages for any anomalous features and exploits.
GitHub, per Clarke, is said to be aware of the problem since at least early November 2022, with the Microsoft subsidiary stating it plans to address it internally as of March 2023. The issue, however, remains unresolved to date.
In the absence of an official fix, security researcher Felix Pankratz has made available a Python script that can be used to test npm packages for mismatches between the registry manifest and the package.json shipped inside the tarball.
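One way to perform the cross-check the article describes, as an added example that is not the article's, npm's or Pankratz's code: compare the registry manifest an installer reads against the package.json found inside the tarball and flag every dependency or install script that appears on only one side. The two manifests are constructed samples and the function names are this example's own.

```javascript
// Added example (not from the original article, npm or Pankratz's script):
// cross-reference the registry manifest against the tarball's package.json.
// Both manifests below are constructed samples for illustration.

// Sections an installer acts on; a mismatch here changes what gets fetched or run.
const SECTIONS = [
  'dependencies', 'devDependencies', 'optionalDependencies',
  'peerDependencies', 'bundleDependencies', 'scripts', 'bin',
];

// Normalise a section to a plain object so that a missing section and an empty
// one compare equal. Arrays (bundleDependencies) become name -> true maps and a
// string "bin" shorthand is keyed by the path; both sides get the same treatment.
function normalise(section) {
  if (section == null) return {};
  if (Array.isArray(section)) {
    return Object.fromEntries(section.map((name) => [name, true]));
  }
  if (typeof section === 'string') return { [section]: section };
  return { ...section };
}

// Compare one section; return a finding for each key missing on one side or
// carrying a different value.
function diffSection(name, manifestValue, tarballValue) {
  const a = normalise(manifestValue);
  const b = normalise(tarballValue);
  const keys = [...new Set([...Object.keys(a), ...Object.keys(b)])].sort();
  const findings = [];
  for (const key of keys) {
    if (a[key] !== b[key]) {
      findings.push({ section: name, key, manifest: a[key] ?? null, tarball: b[key] ?? null });
    }
  }
  return findings;
}

// Cross-reference the two manifests: identity fields first, then each section.
function findManifestMismatches(registryManifest, tarballPackageJson) {
  const findings = [];
  for (const field of ['name', 'version']) {
    if (registryManifest[field] !== tarballPackageJson[field]) {
      findings.push({
        section: field, key: field,
        manifest: registryManifest[field] ?? null,
        tarball: tarballPackageJson[field] ?? null,
      });
    }
  }
  for (const section of SECTIONS) {
    findings.push(...diffSection(section, registryManifest[section], tarballPackageJson[section]));
  }
  return findings;
}

// A script or dependency present only in the tarball is something the installer
// would run or fetch without it being visible in the registry view: high severity.
function severity(finding) {
  const hiddenInTarball = finding.manifest === null && finding.tarball !== null;
  const actionable = finding.section === 'scripts' || finding.section.endsWith('ependencies');
  return hiddenInTarball && actionable ? 'high' : 'medium';
}

// Full report: every mismatch with its severity attached.
function report(registryManifest, tarballPackageJson) {
  return findManifestMismatches(registryManifest, tarballPackageJson)
    .map((f) => ({ ...f, severity: severity(f) }));
}

// Constructed sample: what the registry reports for the package ...
const registryManifest = {
  name: 'example-pkg', version: '1.2.3',
  dependencies: { lodash: '^4.17.21' },
  scripts: { test: 'node test.js' },
};
// ... and what the package.json inside the published tarball actually says.
const tarballPackageJson = {
  name: 'example-pkg', version: '1.2.3',
  dependencies: { lodash: '^4.17.21', 'hidden-dep': '0.0.1' },       // not in registry view
  scripts: { test: 'node test.js', preinstall: 'node setup.js' },   // hidden install hook
};

for (const f of report(registryManifest, tarballPackageJson)) {
  console.log(`[${f.severity}] ${f.section}.${f.key}: manifest=${f.manifest} tarball=${f.tarball}`);
}
```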
The development also comes as developer security company Snyk, in partnership with Redhunt Labs, examined 11,900 repositories from the top 1,000 GitHub organizations for insecure dependencies, uncovering 1,229,601 flaws in 15,584 vulnerable dependency files.
"Deserialization of untrusted data was the most prevalent vulnerability type with a whopping 130,831 occurrences in Java repositories, making it 40 percent of the total vulnerabilities identified," the study said.
In JavaScript-based projects, prototype pollution emerged as the leading shortcoming with 343,332 occurrences. Denial-of-service (DoS) flaws contributed to the most in Python and Ruby projects with 19,652 and 56,331 occurrences, respectively.
"The threat of vulnerable dependencies disrupting the state of security of software supply chains is here to stay," security researchers Umair Nehri and Vandana Verma Sehgal said. "So, developers must be careful with the dependencies they use in their projects and keep them up-to-date to keep them patched from any known vulnerabilities."
Instagram's Twitter Alternative 'Threads' Launch Halted in Europe Over Privacy Concerns
5.7.23 Social The Hacker News
Instagram Threads, the upcoming Twitter competitor from Meta, will not be launched in the European Union due to privacy concerns, according to Ireland's Data Protection Commission (DPC).
The development was reported by the Irish Independent, which said the watchdog has been in contact with the social media giant about the new product and confirmed the release won't extend to the E.U. "at this point."
Threads is Meta's answer to Twitter that's set for launch on July 6, 2023. It's billed as a "text-based conversation app" that allows Instagram users to "discuss everything from the topics you care about today to what'll be trending tomorrow."
It also enables users to follow the same accounts they already follow on Instagram. A listing for the app has already appeared in the Apple App Store and Google Play Store, although it's yet to be available for download.
The "App Privacy" section on the App Store indicates that the application is expected to collect a wide range of user data, including Health and Fitness, Purchases, Financial Info, Location, Contact Info, Contacts, User Content, Search History, Browsing History, Identifiers, Usage Data, Sensitive Info, and Diagnostics.
It's believed that while the DPC has not actively blocked Threads from being launched, Meta is taking a cautious approach to bring the service to the region, which has stringent privacy protections. It's worth noting that Google postponed the launch of its artificial intelligence chatbot Bard in the E.U. for similar reasons.
The development coincides with a series of policy changes at Twitter, which began blocking unregistered users from being able to use the site on the web and enforced temporary rate limits for logged-in users to restrict the number of posts they can see per day.
The Elon Musk-owned company said it's taking the step to "detect and eliminate bots and other bad actors that are harming the platform" by "scraping people's public Twitter data to build AI models" and "manipulating people and conversation on the platform in various ways."
Swedish Data Protection Authority Warns Companies Against Google Analytics Use
5.7.23 BigBrothers The Hacker News
The Swedish data protection watchdog has warned companies against using Google Analytics due to risks posed by U.S. government surveillance, following similar moves by Austria, France, and Italy last year.
The development comes in the aftermath of an audit initiated by the Swedish Authority for Privacy Protection (IMY) against four companies: CDON, Coop, Dagens Industri, and Tele2.
"In its audits, IMY considers that the data transferred to the U.S. via Google's statistics tool is personal data because the data can be linked with other unique data that is transferred," IMY said.
"The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA."
The data protection authority also fined Swedish telecom service provider Tele2 $1.1 million and local online marketplace CDON less than $30,000 for failing to implement adequate security measures to anonymize the data prior to the transfer.
Furthermore, CDON, Coop, and Dagens Industri have been ordered to cease using Google Analytics. Tele2 is said to have voluntarily stopped using the service.
The investigation, the IMY added, was based on a complaint filed by the privacy non-profit None of Your Business (noyb) alleging violations of the General Data Protection Regulation (GDPR) laws.
The decision is rooted in the fact that such E.U.-U.S. data transfers have been found illegal in light of potential surveillance worries that data stored in U.S. servers could be subject to access by intelligence agencies in the country.
Similar concerns have led to Meta being levied a record $1.3 billion fine by European Union data protection agencies. That said, the E.U. and U.S. are in the process of finalizing a new data transfer arrangement, called the E.U.-U.S. Data Privacy Framework, that replaces the now-invalid Privacy Shield.
DDoSia Attack Tool Evolves with Encryption, Targeting Multiple Sectors
4.7.23 Attack The Hacker News
The threat actors behind the DDoSia attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down.
The updated variant, written in Golang, "implements an additional security mechanism to conceal the list of targets, which is transmitted from the [command-and-control] to the users," cybersecurity company Sekoia said in a technical write-up.
DDoSia is attributed to a pro-Russian hacker group called NoName057(16). Launched in 2022 and a successor of the Bobik botnet, the attack tool is designed for staging distributed denial-of-service (DDoS) attacks against targets primarily located in Europe as well as Australia, Canada, and Japan.
Lithuania, Ukraine, Poland, Italy, Czechia, Denmark, Latvia, France, the U.K., and Switzerland have emerged as the most targeted countries over a period ranging from May 8 to June 26, 2023. A total of 486 different websites were impacted.
Python- and Go-based implementations of DDoSia have been unearthed to date, making it a cross-platform program that can be used across Windows, Linux, and macOS systems.
"DDoSia is a multi-threaded application that conducts denial-of-service attacks against target sites by repeatedly issuing network requests," SentinelOne explained in an analysis published in January 2023. "DDoSia issues requests as instructed by a configuration file that the malware receives from a C2 server when started."
DDoSia is distributed through a fully-automated process on Telegram that allows individuals to register for the crowdsourced initiative in exchange for a cryptocurrency payment and a ZIP archive containing the attack toolkit.
What's noteworthy about the new version is the use of encryption to mask the list of targets to be attacked, indicating that the tool is being actively maintained by the operators.
"NoName057(16) is making efforts to make their malware compatible with multiple operating systems, almost certainly reflecting their intent to make their malware available to a large number of users, resulting in the targeting of a broader set of victims," Sekoia said.
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of targeted denial-of-service (DoS) and DDoS attacks against multiple organizations in multiple sectors.
"These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible," the agency said in a bulletin.
Although CISA did not provide any additional specifics, the warning overlaps with claims by Anonymous Sudan on its Telegram channel that it had taken down the websites of the Department of Commerce, Social Security Administration (SSA), and the Treasury Department's Electronic Federal Tax Payment System (EFTPS).
Anonymous Sudan attracted attention last month for carrying out Layer 7 DDoS attacks against various Microsoft services, including OneDrive, Outlook, and Azure web portals. The tech giant is tracking the cluster under the name Storm-1359.
The hacking crew has asserted it's conducting cyber strikes out of Africa on behalf of oppressed Muslims across the world. But cybersecurity researchers believe it to be a pro-Kremlin operation with no ties to Sudan and a member of the KillNet hacktivist collective.
In an analysis released on June 19, 2023, Australian cybersecurity vendor CyberCX characterized the entity as a "smokescreen for Russian interests." The company's website has since become inaccessible, greeting visitors with a "403 Forbidden" message. The threat actor claimed responsibility for the cyber attack.
"The reason for the attack: stop spreading rumors about us, and you must tell the truth and stop the investigations that we call the investigations of a dog," Anonymous Sudan said in a message posted on June 22, 2023.
Anonymous Sudan, in a Bloomberg report last week, further denied it was connected to Russia but acknowledged they share similar interests, and that it goes after "everything that is hostile to Islam."
CISA's latest advisory has also not gone unnoticed, for the group posted a response on June 30, 2023, stating: "A small Sudanese group with limited capabilities forced 'the most powerful government' in the world to publish articles and tweets about our attacks."
Mexico-Based Hacker Targets Global Banks with Android Malware
4.7.23 Android The Hacker News
An e-crime actor of Mexican provenance has been linked to an Android mobile malware campaign targeting financial institutions globally, but with a specific focus on Spanish and Chilean banks, from June 2021 to April 2023.
The activity is being attributed to an actor codenamed Neo_Net, according to security researcher Pol Thill. The findings were published by SentinelOne following a Malware Research Challenge in collaboration with vx-underground.
"Despite using relatively unsophisticated tools, Neo_Net has achieved a high success rate by tailoring their infrastructure to specific targets, resulting in the theft of over 350,000 EUR from victims' bank accounts and compromising Personally Identifiable Information (PII) of thousands of victims," Thill said.
Some of the major targets include banks such as Santander, BBVA, CaixaBank, Deutsche Bank, Crédit Agricole, and ING.
Neo_Net, linked to a Spanish-speaking actor residing in Mexico, has established themselves as a seasoned cybercriminal, engaging in the sales of phishing panels, compromised victim data to third parties, and a smishing-as-a-service offering called Ankarex that's designed to target a number of countries across the world.
The initial entry point for the multi-stage attack is SMS phishing, in which the threat actor employs various scare tactics to trick unwitting recipients into clicking on bogus landing pages to harvest and exfiltrate their credentials via a Telegram bot.
"The phishing pages were meticulously set up using Neo_Net's panels, PRIV8, and implemented multiple defense measures, including blocking requests from non-mobile user agents and concealing the pages from bots and network scanners," Thill explained.
"These pages were designed to closely resemble genuine banking applications, complete with animations to create a convincing façade."
The threat actors have also been observed duping bank customers into installing rogue Android apps under the guise of security software that, once installed, requests SMS permissions to capture SMS-based two-factor authentication (2FA) codes sent by the bank.
The Ankarex platform, for its part, has been active since May 2022. It's actively promoted on a Telegram channel that has about 1,700 subscribers.
"The service itself is accessible at ankarex[.]net, and once registered, users can upload funds using cryptocurrency transfers and launch their own Smishing campaigns by specifying the SMS content and target phone numbers," Thill said.
The development comes as ThreatFabric detailed a new Anatsa (aka TeaBot) banking trojan campaign that has been targeting banking customers in the U.S., U.K., Germany, Austria, and Switzerland since the start of March 2023.
Alert: 330,000 FortiGate Firewalls Still Unpatched to CVE-2023-27997 RCE Flaw
4.7.23 Vulnerability The Hacker News
No less than 330,000 FortiGate firewalls are still unpatched and vulnerable to CVE-2023-27997, a critical security flaw affecting Fortinet devices that has come under active exploitation in the wild.
Cybersecurity firm Bishop Fox, in a report published last week, said that out of nearly 490,000 Fortinet SSL-VPN interfaces exposed on the internet, about 69 percent remain unpatched.
CVE-2023-27997 (CVSS score: 9.8), also called XORtigate, is a critical vulnerability impacting Fortinet FortiOS and FortiProxy SSL-VPN appliances that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.
Patches were released by Fortinet last month in versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5, although the company acknowledged that the flaw may have been "exploited in a limited number of cases" in attacks targeting government, manufacturing, and critical infrastructure sectors.
Bishop Fox's analysis further found that 153,414 of the discovered appliances had been updated to a patched FortiOS version.
Another crucial discovery is that many of the publicly accessible Fortinet devices have not received an update in the past eight years and are still running FortiOS versions 5 and 6.
Given that security flaws in Fortinet devices have been lucrative attack vectors, it's imperative that users move quickly to update to the latest version as soon as possible.
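A practitioner reading the figures above will want to run the same comparison over their own asset list. The block below is an added example, not code from the article or from Bishop Fox: it classifies FortiOS version strings against the fixed releases the article lists for CVE-2023-27997 and summarises a constructed inventory. Branches the article names no fix for (such as the FortiOS 5.x installs it mentions) are reported as needing review rather than guessed at.

```python
"""Added example (not from the article or Bishop Fox): classify FortiOS
version strings against the fixed releases the article lists for
CVE-2023-27997, then summarise a constructed inventory."""
from __future__ import annotations

from collections import Counter

# Fixed releases named in the article, keyed by release branch (major, minor).
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, int, int]] = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'v7.0.11' or '7.0.11' into (7, 0, 11); reject anything else."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'review' for one version string.

    'review' covers branches the article lists no fix for: they cannot be
    called patched from this list alone and must be checked against the
    vendor advisory by hand.
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "review"
    # Tuple comparison orders (major, minor, patch) numerically.
    return "patched" if version >= fixed else "vulnerable"


def summarise(inventory: list[tuple[str, str]]) -> dict[str, int]:
    """Count hosts per assessment; a malformed version string counts as 'review'."""
    counts: Counter[str] = Counter()
    for _host, version_text in inventory:
        try:
            counts[assess(version_text)] += 1
        except ValueError:
            counts["review"] += 1
    return dict(counts)


# Constructed inventory, shaped like an asset-management export.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "7.0.11"),
    ("fw-edge-02", "7.0.12"),
    ("fw-branch-03", "v7.2.6"),
    ("fw-branch-04", "6.4.12"),
    ("fw-legacy-05", "5.6.14"),
    ("fw-lab-06", "unknown"),
]

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY:
        try:
            print(f"{host:14} {ver:8} {assess(ver)}")
        except ValueError as exc:
            print(f"{host:14} {ver:8} review ({exc})")
    print(summarise(SAMPLE_INVENTORY))
```

Feed it the version column of whatever inventory you keep; anything that lands in "review" (unknown branch or unparseable string) should be checked against Fortinet's advisory rather than assumed safe.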
Chinese Hackers Use HTML Smuggling to Infiltrate European Ministries with PlugX
4.7.23 Virus The Hacker News
A Chinese nation-state group has been observed targeting Foreign Affairs ministries and embassies in Europe using HTML smuggling techniques to deliver the PlugX remote access trojan on compromised systems.
Cybersecurity firm Check Point said the activity, dubbed SmugX, has been ongoing since at least December 2022, adding it's part of a broader trend of Chinese adversaries shifting their focus to Europe.
"The campaign uses new delivery methods to deploy (most notably – HTML Smuggling) a new variant of PlugX, an implant commonly associated with a wide variety of Chinese threat actors," Check Point said.
"Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods result in low detection rates, which until recently helped the campaign fly under the radar."
The exact identity of the threat actor behind the operation is a little hazy, although existing clues point in the direction of Mustang Panda, which also shares overlaps with clusters tracked as Earth Preta, RedDelta, and Check Point's own designation Camaro Dragon.
However, the company said there is "insufficient evidence" at this stage to conclusively attribute it to the adversarial collective.
The latest attack sequence is significant for the use of HTML Smuggling – a stealthy technique in which legitimate HTML5 and JavaScript features are abused to assemble and launch the malware – in the decoy documents attached to spear-phishing emails.
"HTML smuggling employs HTML5 attributes that can work offline by storing a binary in an immutable blob of data within JavaScript code," Trustwave noted earlier this February. "The data blob, or the embedded payload, gets decoded into a file object when opened via a web browser."
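Because the technique keeps the payload inside the HTML attachment and relies on a handful of browser APIs to turn it into a file, those APIs are what a mail-gateway or sandbox check can look for. The following is an added example, not code from the article, Check Point or Trustwave: a heuristic scanner that scores an HTML document on the combination of a large embedded data literal and the APIs used to build and hand over a file object. The samples and the scoring threshold are constructed.

```python
"""Added example (not from the article, Check Point or Trustwave): heuristic
scoring of HTML attachments for the HTML smuggling pattern. Sample inputs
and the threshold are constructed."""
from __future__ import annotations

import re

# Each indicator: (name, pattern, weight). The API calls are the ones a page
# needs to assemble a file object in the browser and offer it as a download;
# the long literal is where the "binary in an immutable blob" is stored.
INDICATORS = [
    ("blob_ctor", re.compile(r"new\s+Blob\s*\(", re.I), 2),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\(", re.I), 2),
    ("ms_save_blob", re.compile(r"msSaveOrOpenBlob\s*\(", re.I), 2),
    ("download_attr", re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]", re.I), 1),
    ("base64_decode", re.compile(r"\batob\s*\(", re.I), 1),
    ("large_b64_literal", re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}"), 2),
]
THRESHOLD = 5  # constructed: needs the download chain plus stored data


def scan_html(text: str) -> dict:
    """Return the indicators hit, their summed weight, and a verdict."""
    hits = [name for name, rx, _w in INDICATORS if rx.search(text)]
    score = sum(w for name, _rx, w in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= THRESHOLD}


# Constructed: an ordinary page with a plain download link. A single
# indicator on its own must not trip the verdict.
BENIGN_HTML = (
    "<html><body><h1>Quarterly report</h1>"
    '<a href="/files/report.pdf" download="report.pdf">Download PDF</a>'
    "</body></html>"
)

# Constructed: the indicator combination only, with a dummy literal in place
# of any real content.
SUSPECT_HTML = (
    "<html><body><script>\n"
    "var payload = '" + "A" * 2500 + "';\n"
    "var bytes = atob(payload);\n"
    "var blob = new Blob([bytes], {type: 'application/octet-stream'});\n"
    "var link = document.createElement('a');\n"
    "link.href = URL.createObjectURL(blob);\n"
    "link.download = 'invoice.iso';\n"
    "</script></body></html>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspect", SUSPECT_HTML)):
        print(label, scan_html(doc))
```

The weights are deliberately spread so that a legitimate download link or a lone `atob()` scores below the threshold, while the full assemble-and-offer chain does not; tune the literal length and threshold to the attachment sizes you actually see.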
An analysis of the documents, which were uploaded to the VirusTotal malware database, reveals that they are designed to target diplomats and government entities in Czechia, Hungary, Slovakia, the U.K., Ukraine, and also likely France and Sweden.
In one instance, the threat actor is said to have employed an Uyghur-themed lure ("China Tries to Block Prominent Uyghur Speaker at UN.docx") that, when opened, beacons to an external server by means of an embedded, invisible tracking pixel to exfiltrate reconnaissance data.
The multi-stage infection process utilizes DLL side-loading methods to decrypt and launch the final payload, PlugX.
Also called Korplug, the malware dates all the way back to 2008 and is a modular trojan capable of accommodating "diverse plugins with distinct functionalities" that enables the operators to carry out file theft, screen captures, keystroke logging, and command execution.
"During the course of our investigating the samples, the threat actor dispatched a batch script, sent from the C&C server, intended to erase any trace of their activities," Check Point said.
"This script, named del_RoboTask Update.bat, eradicates the legitimate executable, the PlugX loader DLL, and the registry key implemented for persistence, and ultimately deletes itself. It is likely this is the result of the threat actors becoming aware they were under scrutiny."
CISA Flags 8 Actively Exploited Flaws in Samsung and D-Link Devices
3.7.23 Vulnerability The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a set of eight flaws to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
This includes six shortcomings affecting Samsung smartphones and two vulnerabilities impacting D-Link devices. All the flaws have been patched as of 2021.
CVE-2021-25394 (CVSS score: 6.4) - Samsung mobile devices race condition vulnerability
CVE-2021-25395 (CVSS score: 6.4) - Samsung mobile devices race condition vulnerability
CVE-2021-25371 (CVSS score: 6.7) - An unspecified vulnerability in the DSP driver used in Samsung mobile devices that allows loading of arbitrary ELF libraries
CVE-2021-25372 (CVSS score: 6.7) - Improper boundary check within the DSP driver in Samsung mobile devices
CVE-2021-25487 (CVSS score: 7.8) - Samsung mobile devices out-of-bounds read vulnerability leading to arbitrary code execution
CVE-2021-25489 (CVSS score: 5.5) - Samsung Mobile devices improper input validation vulnerability resulting in kernel panic
CVE-2019-17621 (CVSS score: 9.8) - An unauthenticated remote code execution vulnerability in D-Link DIR-859 Router
CVE-2019-20500 (CVSS score: 7.8) - An authenticated OS command injection vulnerability in D-Link DWL-2600AP
The addition of the two D-Link vulnerabilities follows a report from Palo Alto Networks Unit 42 last month about threat actors associated with a Mirai botnet variant leveraging flaws in several IoT devices to propagate the malware in a series of attacks beginning in March 2023.
However, it's not immediately clear how the flaws in Samsung devices are being exploited in the wild. Given the nature of the targeting, though, they were likely put to use by a commercial spyware vendor in highly targeted attacks.
It's worth noting that Google Project Zero disclosed a set of flaws in November 2022 that it said were weaponized as part of an exploit chain aimed at Samsung handsets.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply necessary fixes by July 20, 2023, to secure their networks against potential threats.
Evasive Meduza Stealer Targets 19 Password Managers and 76 Crypto Wallets
3.7.23 Virus The Hacker News
In yet another sign of a lucrative crimeware-as-a-service (CaaS) ecosystem, cybersecurity researchers have discovered a new Windows-based information stealer called Meduza Stealer that's actively being developed by its author to evade detection by software solutions.
"The Meduza Stealer has a singular objective: comprehensive data theft," Uptycs said in a new report. "It pilfers users' browsing activities, extracting a wide array of browser-related data."
"From critical login credentials to the valuable record of browsing history and meticulously curated bookmarks, no digital artifact is safe. Even crypto wallet extensions, password managers, and 2FA extensions are vulnerable."
Despite its feature overlap with other stealers, Meduza boasts of a "crafty" operational design that eschews obfuscation techniques and promptly terminates its execution on compromised hosts should a connection to the attacker's server fail.
It's also designed to abort if a victim's location is in the stealer's predefined list of excluded countries, which consists of the Commonwealth of Independent States (CIS) and Turkmenistan.
Meduza Stealer, besides gathering data from 19 password manager apps, 76 crypto wallets, 95 web browsers, Discord, Steam, and system metadata, harvests miner-related Windows Registry entries as well as a list of installed games, indicating a broader financial motive.
It's currently being offered for sale on underground forums such as XSS and Exploit.in and a dedicated Telegram channel as a recurring subscription that costs $199 per month, $399 for three months, or $1,199 for a lifetime license. The information pilfered by the malware is made available through a user-friendly web panel.
"This feature allows subscribers to download or delete the stolen data directly from the web page, granting them an unprecedented level of control over their ill-gotten information," the researchers said.
"This in-depth feature set showcases the sophisticated nature of the Meduza Stealer and the lengths its creators are willing to go to ensure its success."
BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising
3.7.23 Ransom The Hacker News
Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application.
"Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations," Trend Micro researchers said in an analysis published last week. "In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer."
Malvertising refers to the use of SEO poisoning techniques to spread malware via online advertising. It typically involves hijacking a chosen set of keywords to display bogus ads on Bing and Google search results pages with the goal of redirecting unsuspecting users to sketchy pages.
The idea is to trick users searching for applications like WinSCP into downloading malware, in this instance, a backdoor that contains a Cobalt Strike Beacon that connects to a remote server for follow-on operations, while also employing legitimate tools like AdFind to facilitate network discovery.
The access afforded by Cobalt Strike is further abused to download a number of programs for reconnaissance, enumeration (PowerView), lateral movement (PsExec), antivirus bypass (KillAV BAT), and customer data exfiltration (PuTTY Secure Copy client). Also observed is the use of the Terminator defense evasion tool to tamper with security software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack.
In the attack chain detailed by the cybersecurity company, the threat actors managed to steal top-level administrator privileges to conduct post-exploitation activities and attempted to set up persistence using remote monitoring and management tools like AnyDesk as well as access backup servers.
"It is highly likely that the enterprise would have been substantially affected by the attack if intervention had been sought later, especially since the threat actors had already succeeded in gaining initial access to domain administrator privileges and started establishing backdoors and persistence," Trend Micro said.
The development is just the latest example of threat actors leveraging the Google Ads platform to serve malware. In November 2022, Microsoft disclosed an attack campaign that leverages the advertising service to deploy BATLOADER, which is then used to drop Royal ransomware.
It also comes as Czech cybersecurity company Avast released a free decryptor for the fledgling Akira ransomware to help victims recover their data without having to pay the operators. Akira, which first appeared in March 2023, has since expanded its target footprint to include Linux systems.
"Akira has a few similarities to the Conti v2 ransomware, which may indicate that the malware authors were at least inspired by the leaked Conti sources," Avast researchers said. The company did not disclose how it cracked the ransomware's encryption algorithm.
The Conti/TrickBot syndicate, aka Gold Ulrick or ITG23, shut down in May 2022 after suffering a series of disruptive events triggered by the onset of the Russian invasion of Ukraine. But the e-crime group continues to exist to this date, albeit as smaller entities and using shared crypters and infrastructure to distribute their warez.
IBM Security X-Force, in a recent deep dive, said the gang's crypters, which are applications designed to encrypt and obfuscate malware to evade detection by antivirus scanners and hinder analysis, are being used to also disseminate new malware strains such as Aresloader, Canyon, CargoBay, DICELOADER, Lumma C2, Matanbuchus, Minodo (formerly Domino), Pikabot, SVCReady, and Vidar.
"Previously, the crypters were used predominantly with the core malware families associated with ITG23 and their close partners," security researchers Charlotte Hammond and Ole Villadsen said. "However, the fracturing of ITG23 and emergence of new factions, relationships, and methods, have affected how the crypters are used."
Despite the dynamic nature of the cybercrime ecosystem, as nefarious cyber actors come and go, and some operations partner together, shut down, or rebrand their financially motivated schemes, ransomware has lingered as a constant threat.
This includes the emergence of a new ransomware-as-a-service (RaaS) group called Rhysida, which has primarily singled out education, government, manufacturing, and technology sectors across Western Europe, North and South America, and Australia.
"Rhysida is a 64-bit Portable Executable (PE) Windows cryptographic ransomware application compiled using MINGW/GCC," SentinelOne said in a technical write-up. "In each sample analyzed, the application's program name is set to Rhysida-0.1, suggesting the tool is in early stages of development."
Hackers Exploiting Unpatched WordPress Plugin Flaw to Create Secret Admin Accounts
1.7.23 Hacking The Hacker News
As many as 200,000 WordPress websites are at risk of ongoing attacks exploiting a critical unpatched security vulnerability in the Ultimate Member plugin.
The flaw, tracked as CVE-2023-3460 (CVSS score: 9.8), impacts all versions of the Ultimate Member plugin, including the latest version (2.6.6) that was released on June 29, 2023.
Ultimate Member is a popular plugin that facilitates the creation of user-profiles and communities on WordPress sites. It also provides account management features.
"This is a very serious issue: unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites," WordPress security firm WPScan said in an alert.
Although details about the flaw have been withheld due to active abuse, it stems from inadequate blocklist logic that is supposed to stop a new user from altering the wp_capabilities user meta value; bypassing it lets the user set that value to administrator and gain full access to the site.
"While the plugin has a preset defined list of banned keys, that a user should not be able to update, there are trivial ways to bypass filters put in place such as utilizing various cases, slashes, and character encoding in a supplied meta key value in vulnerable versions of the plugin," Wordfence researcher Chloe Chamberland said.
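The lesson for anyone maintaining a self-service profile form is that an exact-match blocklist on key names fails as soon as the key can be spelled differently yet still reach the same database row. The block below is an added example in Python, not the plugin's PHP and not code from WPScan or Wordfence: it puts the exact-match check beside a hardened one that normalises the key (percent-decoding until stable, stripping backslashes and whitespace, lower-casing) and then prefers an allowlist of editable keys. The extra banned and allowed key names are constructed; the backslash and case handling reflect assumptions about how the key reaches the database, stated in the comments.

```python
"""Added example (Python, not the plugin's PHP): exact-match blocklist versus a
normalising check with an allowlist for user meta keys. Key names other than
wp_capabilities are constructed."""
from __future__ import annotations

from urllib.parse import unquote

# Keys a self-service profile form must never write. wp_capabilities is the
# one the article names; wp_user_level is a constructed extra.
BANNED_META_KEYS = {"wp_capabilities", "wp_user_level"}
# Allowlist: only the keys the form is meant to edit (constructed).
ALLOWED_META_KEYS = {"first_name", "last_name", "description"}


def weak_is_banned(key: str) -> bool:
    """Exact-match blocklist: any variation of the spelling slips past it."""
    return key in BANNED_META_KEYS


def normalize_meta_key(key: str) -> str:
    """Collapse the spellings that would still address the same meta row."""
    # Percent-decode until the value stops changing, so a double-encoded key
    # cannot arrive still encoded and be decoded later by another layer.
    previous = None
    while previous != key:
        previous, key = key, unquote(key)
    # Assumption: backslashes are stripped from the key before it is used, and
    # the meta_key column is compared case-insensitively (the common MySQL
    # collations for WordPress tables behave that way), so both must be folded.
    return key.replace("\\", "").strip().lower()


def hardened_is_banned(key: str) -> bool:
    """Blocklist applied after normalisation."""
    return normalize_meta_key(key) in BANNED_META_KEYS


def hardened_is_allowed(key: str) -> bool:
    """Positive check: an unknown key is rejected whatever its spelling."""
    return normalize_meta_key(key) in ALLOWED_META_KEYS


# Constructed spellings that an exact-match check treats as different keys.
VARIANTS = [
    "WP_Capabilities",          # case
    "wp\\_capabilities",        # backslash
    "wp_capab%69lities",        # percent-encoded character
    "%2577p_capabilities",      # double-encoded first character
    " wp_capabilities",         # leading whitespace
]

if __name__ == "__main__":
    for variant in VARIANTS:
        print(f"{variant!r:24} weak={weak_is_banned(variant)!s:5} "
              f"hardened={hardened_is_banned(variant)} "
              f"allowed={hardened_is_allowed(variant)}")
```

The allowlist check is the one to keep: it makes the question "is this key one the form may edit?" rather than "have we thought of every spelling of the keys it may not?", which is the question the blocklist keeps failing.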
The issue came to light after reports emerged of rogue administrator accounts being added to the affected sites, prompting the plugin maintainers to issue partial fixes in versions 2.6.4, 2.6.5, and 2.6.6. A new update is expected to be released in the coming days.
"A privilege escalation vulnerability used through UM Forms," Ultimate Member said in its release notes. "Known in the wild that vulnerability allowed strangers to create administrator-level WordPress users."
WPScan, however, pointed out that the patches are incomplete and that it found numerous methods to circumvent them, meaning the issue is still actively exploitable.
In the observed attacks, the flaw is being used to register new accounts under the names apadmins, se_brutal, segs_brutal, wpadmins, wpengine_backup, and wpenginer to upload malicious plugins and themes through the site's administration panel.
Users of Ultimate Member are advised to disable the plugin until a proper patch that completely plugs the security hole is made available. It's also recommended to audit all administrator-level users on the websites to determine if any unauthorized accounts have been added.
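The audit the article recommends can be scripted against an export of the users and usermeta tables. The block below is an added example, not code from WPScan, Wordfence or the plugin: it decodes the PHP-serialised wp_capabilities value, keeps only administrators, and flags any that are not on the site's expected list, that match the account names the article reports, or that were registered on or after a cutoff date. The table rows, the expected-admin list and the cutoff are constructed.

```python
"""Added example (not from WPScan, Wordfence or the plugin): flag unexpected
WordPress administrator accounts from constructed wp_users and wp_usermeta
rows."""
from __future__ import annotations

import re
from datetime import datetime

# Account names the article reports being registered in the observed attacks.
KNOWN_ROGUE_LOGINS = {"apadmins", "se_brutal", "segs_brutal", "wpadmins",
                      "wpengine_backup", "wpenginer"}

# Query that yields the same columns from a live site (default table prefix):
#   SELECT u.ID, u.user_login, u.user_registered, m.meta_value
#   FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
#   WHERE m.meta_key = 'wp_capabilities';

# Constructed rows: (ID, user_login, user_registered) as in wp_users.
WP_USERS = [
    (1, "siteowner", "2019-03-02 10:00:00"),
    (2, "editor_jane", "2021-06-14 09:30:00"),
    (3, "wpengine_backup", "2023-06-30 02:14:51"),
    (4, "support_tmp", "2023-07-01 03:02:10"),
]
# Constructed rows: (user_id, meta_key, meta_value) as in wp_usermeta.
# WordPress stores roles as a PHP-serialised array of role => true.
WP_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

ROLE_RX = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_serialized(value: str) -> set[str]:
    """Pull the enabled role names out of a serialised wp_capabilities value."""
    return set(ROLE_RX.findall(value))


def audit_admins(users, usermeta, expected_admins: set[str], since: str) -> list[dict]:
    """Return one finding per administrator account that is not expected."""
    caps = {uid: roles_from_serialized(value)
            for uid, key, value in usermeta if key == "wp_capabilities"}
    cutoff = datetime.fromisoformat(since)
    findings = []
    for uid, login, registered in users:
        if "administrator" not in caps.get(uid, set()):
            continue
        if login in expected_admins:
            continue
        reasons = ["not in expected admin list"]
        if login in KNOWN_ROGUE_LOGINS:
            reasons.append("matches an account name reported in the attacks")
        if datetime.fromisoformat(registered) >= cutoff:
            reasons.append(f"registered on or after {since}")
        findings.append({"id": uid, "login": login, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Constructed: the only administrator this site should have, and the day
    # the article gives for the first partial fix as the review cutoff.
    for finding in audit_admins(WP_USERS, WP_USERMETA, {"siteowner"}, "2023-06-29"):
        print(finding)
```

Do not rely on the reported names alone: the "not in expected admin list" reason is what catches an attacker who picked a less conspicuous login, which is why the expected list has to be maintained deliberately.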
Beware: New 'Rustbucket' Malware Variant Targeting macOS Users
1.7.23 Apple The Hacker News
Researchers have pulled back the curtain on an updated version of an Apple macOS malware called Rustbucket that comes with improved capabilities to establish persistence and avoid detection by security software.
"This variant of Rustbucket, a malware family that targets macOS systems, adds persistence capabilities not previously observed," Elastic Security Labs researchers said in a report published this week, adding it's "leveraging a dynamic network infrastructure methodology for command-and-control."
RustBucket is the work of a North Korean threat actor known as BlueNoroff, which is part of a larger intrusion set tracked under the name Lazarus Group, an elite hacking unit supervised by the Reconnaissance General Bureau (RGB), the country's primary intelligence agency.
The malware came to light in April 2023, when Jamf Threat Labs described it as an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server. Elastic is monitoring the activity as REF9135.
The second-stage malware, compiled in Swift, is designed to download from the command-and-control (C2) server the main malware, a Rust-based binary with features to gather extensive information as well as fetch and run additional Mach-O binaries or shell scripts on the compromised system.
It's the first instance of BlueNoroff malware specifically targeting macOS users, although a .NET version of RustBucket has since surfaced in the wild with a similar set of features.
"This recent Bluenoroff activity illustrates how intrusion sets turn to cross-platform language in their malware development efforts, further expanding their capabilities highly likely to broaden their victimology," French cybersecurity company Sekoia said in an analysis of the RustBucket campaign in late May 2023.
The infection chain consists of a macOS installer file that installs a backdoored, yet functional, PDF reader. A significant aspect of the attacks is that the malicious activity is triggered only when a weaponized PDF file is launched using the rogue PDF reader. Initial intrusion vectors include phishing emails, as well as bogus personas on social networks such as LinkedIn.
The observed attacks are highly targeted and focused on finance-related institutions in Asia, Europe, and the U.S., suggesting that the activity is geared towards illicit revenue generation to evade sanctions.
What makes the newly identified version notable is its unusual persistence mechanism and the use of a dynamic DNS domain (docsend.linkpc[.]net) for command-and-control, alongside incorporating measures focused on remaining under the radar.
"In the case of this updated RUSTBUCKET sample, it establishes its own persistence by adding a plist file at the path /Users/<user>/Library/LaunchAgents/com.apple.systemupdate.plist, and it copies the malware's binary to the following path /Users/<user>/Library/Metadata/System Update," the researchers said.
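The persistence detail quoted above translates directly into something a macOS administrator can check: a launchd job in a user's LaunchAgents folder that carries an Apple-style label and points at a binary under the user's Library folder. The block below is an added example, not code from Elastic or the article: it parses LaunchAgent plists with the standard library and reports those traits, including the specific path the researchers give. The plist contents and the user name are constructed.

```python
"""Added example (not from Elastic or the article): audit user LaunchAgent
plists for the persistence traits described for the updated RustBucket
sample. Plist contents and the user name are constructed."""
from __future__ import annotations

import plistlib
from pathlib import Path, PurePosixPath


def program_of(plist: dict) -> str | None:
    """Return the executable a launchd job runs (Program or ProgramArguments[0])."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else None


def audit_launch_agent(plist_path: str, plist_bytes: bytes) -> list[str]:
    """Return the reasons a user LaunchAgent deserves a closer look."""
    plist = plistlib.loads(plist_bytes)
    reasons: list[str] = []
    parts = PurePosixPath(plist_path).parts
    in_user_agents = (len(parts) >= 5 and parts[1] == "Users"
                      and parts[3:5] == ("Library", "LaunchAgents"))
    label = str(plist.get("Label", ""))
    if in_user_agents and label.startswith("com.apple."):
        # Apple's own agents ship under /System/Library, not in a user's folder.
        reasons.append(f"Apple-style label in a user LaunchAgents folder: {label}")
    program = program_of(plist)
    if program is None:
        reasons.append("no Program or ProgramArguments")
        return reasons
    p = PurePosixPath(program)
    if (len(p.parts) >= 4 and p.parts[1] == "Users" and p.parts[3] == "Library"
            and ".app/" not in program):
        reasons.append(f"runs a bare binary from the user's Library folder: {program}")
    if "/Library/Metadata/" in program and p.name == "System Update":
        reasons.append("program path matches the one reported for the RustBucket binary")
    return reasons


def scan_directory(agents_dir: str) -> dict[str, list[str]]:
    """Audit every .plist in a LaunchAgents folder on a live system."""
    results: dict[str, list[str]] = {}
    for entry in Path(agents_dir).glob("*.plist"):
        try:
            reasons = audit_launch_agent(str(entry), entry.read_bytes())
        except Exception as exc:  # unreadable or malformed plist is itself worth a look
            reasons = [f"could not parse: {exc}"]
        if reasons:
            results[str(entry)] = reasons
    return results


# Constructed plist shaped after the path and label the researchers report.
SUSPECT_PATH = "/Users/alice/Library/LaunchAgents/com.apple.systemupdate.plist"
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.systemupdate</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Metadata/System Update</string></array>
</dict></plist>
"""

# Constructed: an ordinary third-party agent launching from its app bundle.
BENIGN_PATH = "/Users/alice/Library/LaunchAgents/com.example.syncagent.plist"
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.syncagent</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/SyncTool.app/Contents/MacOS/syncagent</string></array>
</dict></plist>
"""

if __name__ == "__main__":
    print(audit_launch_agent(SUSPECT_PATH, SUSPECT_PLIST))
    print(audit_launch_agent(BENIGN_PATH, BENIGN_PLIST))
```

On a real host, call `scan_directory` on each user's `~/Library/LaunchAgents`; the label and Library-folder checks are generic enough to surface other look-alike agents, not only the one sample the article describes.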
Iranian Hackers Using POWERSTAR Backdoor in Targeted Espionage Attacks
1.7.23 BigBrothers The Hacker News
Charming Kitten, the nation-state actor affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), has been attributed to a bespoke spear-phishing campaign that delivers an updated version of a fully-featured PowerShell backdoor called POWERSTAR.
"There have been improved operational security measures placed in the malware to make it more difficult to analyze and collect intelligence," Volexity researchers Ankur Saini and Charlie Gardner said in a report published this week.
The threat actor is something of an expert when it comes to employing social engineering to lure targets, often crafting tailored fake personas on social media platforms and engaging in sustained conversations to build rapport before sending a malicious link. It's also tracked under the names APT35, Cobalt Illusion, Mint Sandstorm (formerly Phosphorus), and Yellow Garuda.
Recent intrusions orchestrated by Charming Kitten have made use of other implants such as PowerLess and BellaCiao, suggesting that the group is utilizing an array of espionage tools at its disposal to realize its strategic objectives.
POWERSTAR is another addition to the group's arsenal. Also called CharmPower, the backdoor was first publicly documented by Check Point in January 2022, uncovering its use in connection with attacks weaponizing the Log4Shell vulnerabilities in publicly-exposed Java applications.
It has since been put to use in at least two other campaigns, as documented by PwC in July 2022 and Microsoft in April 2023.
Volexity, which detected a rudimentary variant of POWERSTAR in 2021 distributed by a malicious macro embedded in a DOCM file, said the May 2023 attack wave leverages an LNK file inside a password-protected RAR file to download the backdoor from Backblaze, while also taking steps to hinder analysis.
"With POWERSTAR, Charming Kitten sought to limit the risk of exposing their malware to analysis and detection by delivering the decryption method separately from the initial code and never writing it to disk," the researchers said.
"This has the added bonus of acting as an operational guardrail, as decoupling the decryption method from its command-and-control (C2) server prevents future successful decryption of the corresponding POWERSTAR payload."
The backdoor comes with an extensive set of features that enable it to remotely execute PowerShell and C# commands, set up persistence, collect system information, and download and execute more modules to enumerate running processes, capture screenshots, search for files matching specific extensions, and monitor if persistence components are still intact.
Also improved and expanded from the earlier version is the cleanup module that's designed to erase all traces of the malware's footprint as well as delete persistence-related registry keys. These updates point to Charming Kitten's continued efforts to refine its techniques and evade detection.
Volexity said it also detected a different variant of POWERSTAR that attempts to retrieve a hard-coded C2 server by decoding a file stored on the decentralized InterPlanetary Filesystem (IPFS), signaling an attempt to make its attack infrastructure more resilient.
The development coincides with MuddyWater's (aka Static Kitten) use of a previously undocumented command-and-control (C2) framework called PhonyC2 to deliver malicious payloads to compromised hosts.
"The general phishing playbook used by Charming Kitten and the overall purpose of POWERSTAR remain consistent," the researchers said. "The references to persistence mechanisms and executable payloads within the POWERSTAR Cleanup module strongly suggest a broader set of tools used by Charming Kitten to conduct malware-enabled espionage."