Ivanti Warns of Active Exploitation of Newly Patched Cloud Appliance Vulnerability
14.9.24 
Exploit  The Hacker News
Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild.

The high-severity vulnerability in question is CVE-2024-8190 (CVSS score: 7.2), which allows remote code execution under certain circumstances.

"An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution," Ivanti noted in an advisory released earlier this week. "The attacker must have admin level privileges to exploit this vulnerability."

The flaw impacts Ivanti CSA 4.6, which has currently reached end-of-life status, requiring that customers upgrade to a supported version going forward. That said, it has been addressed in CSA 4.6 Patch 519.

"With the end-of-life status this is the last fix that Ivanti will backport for this version," the Utah-based IT software company added. "Customers must upgrade to Ivanti CSA 5.0 for continued support."

"CSA 5.0 is the only supported version and does not contain this vulnerability. Customers already running Ivanti CSA 5.0 do not need to take any additional action."

On Friday, Ivanti updated its advisory to note that it observed confirmed exploitation of the flaw in the wild targeting a "limited number of customers."

Ivanti did not reveal additional specifics about the attacks or the identity of the threat actors weaponizing the flaw. A number of other vulnerabilities in Ivanti products, however, have been exploited as zero-days by China-nexus cyberespionage groups.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the shortcoming to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by October 4, 2024.

The disclosure also comes as cybersecurity company Horizon3.ai posted a detailed technical analysis of a critical deserialization vulnerability (CVE-2024-29847, CVSS score: 10.0) impacting Endpoint Manager (EPM) that results in remote code execution.


Apple Vision Pro Vulnerability Exposed Virtual Keyboard Inputs to Attackers
14.9.24 
Exploit  The Hacker News
Details have emerged about a now-patched security flaw impacting Apple's Vision Pro mixed reality headset that, if successfully exploited, could allow malicious attackers to infer data entered on the device's virtual keyboard.

The attack, dubbed GAZEploit, has been assigned the CVE identifier CVE-2024-40865.

"A novel attack that can infer eye-related biometrics from the avatar image to reconstruct text entered via gaze-controlled typing," a group of academics from the University of Florida, CertiK Skyfall Team, and Texas Tech University said.

"The GAZEploit attack leverages the vulnerability inherent in gaze-controlled text entry when users share a virtual avatar."

Following responsible disclosure, Apple addressed the issue in visionOS 1.3 released on July 29, 2024. It described the vulnerability as impacting a component called Presence.

"Inputs to the virtual keyboard may be inferred from Persona," it said in a security advisory, adding it resolved the problem by "suspending Persona when the virtual keyboard is active."

In a nutshell, the researchers found that it was possible to analyze a virtual avatar's eye movements (or "gaze") to determine what the user wearing the headset was typing on the virtual keyboard, effectively compromising their privacy.

As a result, a threat actor could, hypothetically, analyze virtual avatars shared via video calls, online meeting apps, or live streaming platforms and remotely perform keystroke inference. This could then be exploited to extract sensitive information such as passwords.

The attack, in turn, is accomplished by means of a supervised learning model trained on Persona recordings, eye aspect ratio (EAR), and eye gaze estimation to differentiate between typing sessions and other VR-related activities (e.g., watching movies or playing games).

In the subsequent step, the estimated gaze directions on the virtual keyboard are mapped to specific keys to determine the likely keystrokes, taking into account the keyboard's location in the virtual space.

"By remotely capturing and analyzing the virtual avatar video, an attacker can reconstruct the typed keys," the researchers said. "Notably, the GAZEploit attack is the first known attack in this domain that exploits leaked gaze information to remotely perform keystroke inference."


17-Year-Old Arrested in Connection with Cyber Attack Affecting Transport for London
14.9.24 
Crime  The Hacker News
British authorities on Thursday announced the arrest of a 17-year-old male in connection with a cyber attack affecting Transport for London (TfL).

"The 17-year-old male was detained on suspicion of Computer Misuse Act offenses in relation to the attack, which was launched on TfL on 1 September," the U.K. National Crime Agency (NCA) said.

The teenager, who's from Walsall, is said to have been arrested on September 5, 2024, following an investigation that was launched in the incident's aftermath.

The law enforcement agency said the unnamed individual was questioned and subsequently let go on bail.

"Attacks on public infrastructure such as this can be hugely disruptive and lead to severe consequences for local communities and national systems," Deputy Director Paul Foster, head of the NCA's National Cyber Crime Unit, said.

"The swift response by TfL following the incident has enabled us to act quickly, and we are grateful for their continued cooperation with our investigation, which remains ongoing."

TfL has since confirmed that the security breach has led to the unauthorized access of bank account numbers and sort codes for around 5,000 customers and that it will be directly contacting those impacted.

"Although there has been very little impact on our customers so far, the situation is evolving and our investigations have identified that certain customer data has been accessed," TfL said.

"This includes some customer names and contact details, including email addresses and home addresses where provided."

The London public transportation agency is also requiring around 30,000 members of its staff to complete an IT identity check by attending an appointment at a specified TfL location to reset their password and be verified in person for access to TfL applications and data.

It's worth noting that West Midlands police previously arrested a 17-year-old boy, also from Walsall, in July 2024 in connection with a ransomware attack on MGM Resorts. The incident was attributed to the infamous Scattered Spider group.

It's currently not clear if these two events refer to the same individual. Back in June, another 22-year-old U.K. national was arrested in Spain for his alleged involvement in several ransomware attacks carried out by Scattered Spider.

The dangerous e-crime group is part of a larger collective called The Com, a loose-knit ecosystem of various groups that have engaged in cybercrime, squatting, and physical violence. It's also tracked as 0ktapus, Octo Tempest, and UNC3944.

According to a new report from EclecticIQ, Scattered Spider's ransomware operations have increasingly homed in on cloud infrastructures within the insurance and financial sectors, echoing a similar analysis from Resilience Threat Intelligence in May 2024.

The group has a well-documented history of gaining persistent access to cloud environments via sophisticated social engineering tactics, as well as purchasing stolen credentials, executing SIM swaps, and utilizing cloud-native tools.

"Scattered Spider frequently uses phone-based social engineering techniques like voice phishing (vishing) and text message phishing (smishing) to deceive and manipulate targets, mainly targeting IT service desks and identity administrators," security researcher Arda Büyükkaya said.

"The cybercriminal group abuses legitimate cloud tools such as Azure's Special Administration Console and Data Factory to remotely execute commands, transfer data, and maintain persistence while avoiding detection."


TrickMo Android Trojan Exploits Accessibility Services for On-Device Banking Fraud
14.9.24 
Virus  The Hacker News
Cybersecurity researchers have uncovered a new variant of an Android banking trojan called TrickMo that comes packed with new capabilities to evade analysis and display fake login screens to capture victims' banking credentials.

"The mechanisms include using malformed ZIP files in combination with JSONPacker," Cleafy security researchers Michele Roviello and Alessandro Strino said. "In addition, the application is installed through a dropper app that shares the same anti-analysis mechanisms."

"These features are designed to evade detection and hinder cybersecurity professionals' efforts to analyze and mitigate the malware."

TrickMo, first caught in the wild by CERT-Bund in September 2019, has a history of targeting Android devices, particularly those of users in Germany, to siphon one-time passwords (OTPs) and other two-factor authentication (2FA) codes to facilitate financial fraud.

The mobile-focused malware is assessed to be the work of the now-defunct TrickBot e-crime gang, over time continually improving its obfuscation and anti-analysis features to fly under the radar.

Notable among the features are its ability to record screen activity, log keystrokes, harvest photos and SMS messages, remotely control the infected device to conduct on-device fraud (ODF), and abuse Android's accessibility services API to carry out HTML overlay attacks as well as perform clicks and gestures on the device.

The malicious dropper app discovered by the Italian cybersecurity company masquerades as the Google Chrome web browser that, when launched after installation, urges the victim to update Google Play Services by clicking the Confirm button.


Should the user proceed with the update, an APK file containing the TrickMo payload is downloaded to the device under the guise of "Google Services," following which the user is asked to enable accessibility services for the new app.

"Accessibility services are designed to assist users with disabilities by providing alternative ways to interact with their devices," the researchers said. "However, when exploited by malicious apps like TrickMo, these services can grant extensive control over the device."

"This elevated permission allows TrickMo to perform various malicious actions, such as intercepting SMS messages, handling notifications to intercept or hide authentication codes, and executing HTML overlay attacks to steal user credentials. Additionally, the malware can dismiss keyguards and auto-accept permissions, enabling it to integrate seamlessly into the device's operations."

Furthermore, the abuse of the accessibility services allows the malware to disable crucial security features and system updates, auto-grant permissions at will, and prevent the uninstallation of certain apps.


Cleafy's analysis also uncovered misconfigurations in the command-and-control (C2) server that made it possible to access 12 GB worth of sensitive data exfiltrated from the devices, including credentials and pictures, without requiring any authentication.

The C2 server also hosts the HTML files used in the overlay attacks. These files comprise fake login pages for various services, including banks such as ATB Mobile and Alpha Bank and cryptocurrency platforms like Binance.

The security lapse not only highlights the operational security (OPSEC) blunder on the part of the threat actors, but also puts the victims' data at risk of exploitation by other threat actors.

The wealth of information exposed from TrickMo's C2 infrastructure could be leveraged to commit identity theft, infiltrate various online accounts, conduct unauthorized fund transfers, and even make fraudulent purchases. Even worse, attackers could hijack the accounts and lock the victims out by resetting their passwords.

"Using personal information and images, the attacker can craft convincing messages that trick victims into divulging even more information or executing malicious actions," the researchers noted.

"Exploiting such comprehensive personal data results in immediate financial and reputational damage and long-term consequences for the victims, making recovery a complex and prolonged process."

The disclosure comes as Google has been plugging the security holes around sideloading to let third-party developers determine if their apps are sideloaded using the Play Integrity API and, if so, require users to download the apps from Google Play in order to continue using them.


Progress WhatsUp Gold Exploited Just Hours After PoC Release for Critical Flaw
14.9.24 
Exploit  The Hacker News
Malicious actors are likely leveraging publicly available proof-of-concept (PoC) exploits for recently disclosed security flaws in Progress Software WhatsUp Gold to conduct opportunistic attacks.

The activity is said to have commenced on August 30, 2024, a mere five hours after a PoC was released for CVE-2024-6670 (CVSS score: 9.8) by security researcher Sina Kheirkhah of the Summoning Team, who is also credited with discovering and reporting CVE-2024-6671 (CVSS score: 9.8).

Both the critical vulnerabilities, which allow an unauthenticated attacker to retrieve a user's encrypted password, were patched by Progress in mid-August 2024.

"The timeline of events suggests that despite the availability of patches, some organizations were unable to apply them quickly, leading to incidents almost immediately following the PoC's publication," Trend Micro researchers Hitomi Kimura and Maria Emreen Viray said in a Thursday analysis.

The attacks observed by the cybersecurity company involve bypassing WhatsUp Gold authentication to exploit the Active Monitor PowerShell Script and ultimately download various remote access tools for gaining persistence on the Windows host.

This includes Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote, with both Atera Agent and Splashtop Remote installed by means of a single MSI installer file retrieved from a remote server.


"The polling process NmPoller.exe, the WhatsUp Gold executable, seems to be able to host a script called Active Monitor PowerShell Script as a legitimate function," the researchers explained. "The threat actors in this case chose it to perform for remote arbitrary code execution."

While no follow-on exploitation actions have been detected, the use of several remote access tools points to the involvement of a ransomware actor.

This is the second time security vulnerabilities in WhatsUp Gold have been actively weaponized in the wild. Early last month, the Shadowserver Foundation said it had observed exploitation attempts against CVE-2024-4885 (CVSS score: 9.8), another critical bug that was resolved by Progress in June 2024.

The disclosure comes weeks after Trend Micro also revealed that threat actors are exploiting a now-patched security flaw in Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527, CVSS score: 10.0) to deliver the Godzilla web shell.

"The CVE-2023-22527 vulnerability continues to be widely exploited by a wide range of threat actors who abuse this vulnerability to perform malicious activities, making it a significant security risk to organizations worldwide," the company said.


New Linux Malware Campaign Exploits Oracle Weblogic to Mine Cryptocurrency
14.9.24 
Cryptocurrency  The Hacker News
Cybersecurity researchers have uncovered a new malware campaign targeting Linux environments to conduct illicit cryptocurrency mining and deliver botnet malware.

The activity, which specifically singles out the Oracle Weblogic server, is designed to deliver a malware strain dubbed Hadooken, according to cloud security firm Aqua.

"When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner," security researcher Assaf Morag said.

The attack chains exploit known security vulnerabilities and misconfigurations, such as weak credentials, to obtain an initial foothold and execute arbitrary code on susceptible instances.

This is accomplished by launching two nearly-identical payloads, one written in Python and the other, a shell script, both of which are responsible for retrieving the Hadooken malware from a remote server ("89.185.85[.]102" or "185.174.136[.]204").

"In addition, the shell script version attempts to iterate over various directories containing SSH data (such as user credentials, host information, and secrets) and uses this information to attack known servers," Morag said.

"It then moves laterally across the organization or connected environments to further spread the Hadooken malware."


Hadooken comes embedded with two components, a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet called Tsunami (aka Kaiten), which has a history of targeting Jenkins and Weblogic services deployed in Kubernetes clusters.

Furthermore, the malware is responsible for establishing persistence on the host by creating cron jobs to run the crypto miner periodically at varying frequencies.

Hadooken's defense evasion capabilities are realized through a combination of tactics that involve the use of Base64-encoded payloads, dropping the miner payloads under innocuous names like "bash" and "java" to blend in with legitimate processes, and artifact deletion after execution to hide any signs of malicious activity.

Aqua noted that the IP address 89.185.85[.]102 is registered in Germany under the hosting company Aeza International LTD (AS210644), with a previous report from Uptycs in February 2024 linking it to an 8220 Gang cryptocurrency campaign that abused flaws in Apache Log4j and Atlassian Confluence Server and Data Center.

The second IP address 185.174.136[.]204, while currently inactive, is also linked to Aeza Group Ltd. (AS216246). As highlighted by Qurium and EU DisinfoLab in July 2024, Aeza is a bulletproof hosting service provider with a presence in Moscow M9 and in two data centers in Frankfurt.

"The modus operandi of Aeza and its fast growth can be explained by the recruitment of young developers affiliated to bulletproof hosting providers in Russia offering shelter to cybercrime," the researchers said in the report.



New Android Malware 'Ajina.Banker' Steals Financial Data and Bypasses 2FA via Telegram
13.9.24 
Virus  The Hacker News
Bank customers in the Central Asia region have been targeted by a new strain of Android malware codenamed Ajina.Banker since at least November 2023 with the goal of harvesting financial information and intercepting two-factor authentication (2FA) messages.

Singapore-headquartered Group-IB, which discovered the threat in May 2024, said the malware is propagated via a network of Telegram channels set up by the threat actors under the guise of legitimate applications related to banking, payment systems, and government services, or everyday utilities.

"The attacker has a network of affiliates motivated by financial gain, spreading Android banker malware that targets ordinary users," security researchers Boris Martynyuk, Pavel Naumov, and Anvar Anarkulov said.

Targets of the ongoing campaign include countries such as Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan.

There is evidence to suggest that some aspects of the Telegram-based malware distribution process may have been automated for improved efficiency. The numerous Telegram accounts are designed to serve crafted messages containing links -- either to other Telegram channels or external sources -- and APK files to unwitting targets.

The use of links pointing to Telegram channels that host the malicious files has an added benefit in that it bypasses security measures and restrictions imposed by many community chats, thereby allowing the accounts to evade bans when automatic moderation is triggered.

Besides abusing the trust users place in legitimate services to maximize infection rates, the modus operandi also involves sharing the malicious files in local Telegram chats by passing them off as giveaways and promotions that claim to offer lucrative rewards and exclusive access to services.

"The use of themed messages and localized promotion strategies proved to be particularly effective in regional community chats," the researchers said. "By tailoring their approach to the interests and needs of the local population, Ajina was able to significantly increase the likelihood of successful infections."

The threat actors have also been observed bombarding Telegram channels with several messages using multiple accounts, at times simultaneously, indicating a coordinated effort that likely employs some sort of an automated distribution tool.

The malware in itself is fairly straightforward in that, once installed, it establishes contact with a remote server and requests the victim to grant it permission to access SMS messages, phone number APIs, and current cellular network information, among others.

Ajina.Banker is capable of gathering SIM card information, a list of installed financial apps, and SMS messages, which are then exfiltrated to the server.

New versions of the malware are also engineered to serve phishing pages in an attempt to collect banking information. Furthermore, they can access call logs and contacts, as well as abuse Android's accessibility services API to prevent uninstallation and grant themselves additional permissions.

Google told The Hacker News that it did not find any evidence of the malware being propagated via the Google Play Store and that Android users are protected against the threat by Google Play Protect, which is on by default on Android devices with Google Play Services.

"The hiring of Java coders and a Telegram bot created with the proposal of earning some money also indicate that the tool is in the process of active development and has the support of a network of affiliated employees," the researchers said.

"Analysis of the file names, sample distribution methods, and other activities of the attackers suggests a cultural familiarity with the region in which they operate."

The disclosure comes as Zimperium uncovered links between two Android malware families tracked as SpyNote and Gigabud (which is part of the GoldFactory family that also includes GoldDigger).

"Domains with a really similar structure (using the same unusual keywords as subdomains) and targets used to spread Gigabud samples were also used to distribute SpyNote samples," the company said. "This overlap in distribution shows that the same threat actor is likely behind both malware families, pointing to a well-coordinated and broad campaign."


Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution
13.9.24 
Vulnerability  The Hacker News
GitLab on Wednesday released security updates to address 17 security vulnerabilities, including a critical flaw that allows an attacker to run pipeline jobs as an arbitrary user.

The issue, tracked as CVE-2024-6678, carries a CVSS score of 9.9 out of a maximum of 10.0.

"An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances," the company said in an alert.

The vulnerability, along with three high-severity, 11 medium-severity, and two low-severity bugs, has been addressed in versions 17.3.2, 17.2.5, and 17.1.7 of GitLab Community Edition (CE) and Enterprise Edition (EE).

It's worth noting that CVE-2024-6678 is the fourth such flaw that GitLab has patched over the past year after CVE-2023-5009 (CVSS score: 9.6), CVE-2024-5655 (CVSS score: 9.6), and CVE-2024-6385 (CVSS score: 9.6).

While there is no evidence of active exploitation of the flaws, users are recommended to apply the patches as soon as possible to mitigate against potential threats.

Earlier this May, U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that a critical GitLab vulnerability (CVE-2023-7028, CVSS score: 10.0) had come under active exploitation in the wild.


Beware: New Vo1d Malware Infects 1.3 Million Android-based TV Boxes Worldwide
13.9.24 
Virus  The Hacker News

Nearly 1.3 million Android-based TV boxes running outdated versions of the operating system and belonging to users spanning 197 countries have been infected by a new malware dubbed Vo1d (aka Void).

"It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software," Russian antivirus vendor Doctor Web said in a report published today.

A majority of the infections have been detected in Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria, and Indonesia.

It's currently not known what the source of the infection is, although it's suspected that it may have either involved an instance of prior compromise that allows for gaining root privileges or the use of unofficial firmware versions with built-in root access.

The following TV models have been targeted as part of the campaign -

KJ-SMART4KVIP (Android 10.1; KJ-SMART4KVIP Build/NHG47K)
R4 (Android 7.1.2; R4 Build/NHG47K)
TV BOX (Android 12.1; TV BOX Build/NHG47K)

The attack entails the substitution of the "/system/bin/debuggerd" daemon file (with the original file moved to a backup file named "debuggerd_real"), as well as the introduction of two new files – "/system/xbin/vo1d" and "/system/xbin/wd" – which contain the malicious code and operate concurrently.

"Before Android 8.0, crashes were handled by the debuggerd and debuggerd64 daemons," Google notes in its Android documentation. "In Android 8.0 and higher, crash_dump32 and crash_dump64 are spawned as needed."

Two different files shipped as part of the Android operating system – install-recovery.sh and daemonsu – have been modified as part of the campaign to trigger the execution of the malware by starting the "wd" module.

"The trojan's authors probably tried to disguise one of its components as the system program '/system/bin/vold,' having called it by the similar-looking name 'vo1d' (substituting the lowercase letter 'l' with the number '1')," Doctor Web said.

The "vo1d" payload, in turn, starts "wd" and ensures it's persistently running, while also downloading and running executables when instructed by a command-and-control (C2) server. Furthermore, it keeps tabs on specified directories and installs the APK files that it finds in them.
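As an added example (not code from the Doctor Web report or the article), the following POSIX shell check looks for the file-level indicators just described on an Android system image: the dropped "/system/xbin/vo1d" and "/system/xbin/wd", the "debuggerd_real" backup, boot scripts patched to start "wd", and digit-for-letter lookalikes of system daemons such as "vo1d" for "vold". The vo1d_check function, the lookalike heuristic and the assumed locations of install-recovery.sh and daemonsu are this example's own; run it against a mounted or extracted image, or from an adb shell with the root prefix "/".

```shell
#!/bin/sh
# Added example: scan an Android system tree for the Vo1d indicators
# described in the report. The first argument is the root prefix ("/" on a
# live device, or the mount point of an extracted image).

# Daemon names that a lookalike file might imitate (vold is the one the
# report names; the crash daemons are included because debuggerd is replaced).
KNOWN_BINS="vold debuggerd debuggerd64 crash_dump32 crash_dump64"

# Collapse common digit/letter swaps onto the genuine spelling:
# '1' and 'I' become 'l', '0' becomes 'o'. So "vo1d" normalises to "vold".
normalize_name() {
    printf '%s' "$1" | tr '1I0' 'llo'
}

# vo1d_check ROOT
# Prints one INDICATOR line per finding and returns the number of findings
# (0 means clean; values above 255 would wrap, which is irrelevant here).
vo1d_check() {
    root="${1:-/}"
    hits=0

    # 1. The two components dropped into /system/xbin.
    for f in system/xbin/vo1d system/xbin/wd; do
        if [ -e "$root/$f" ]; then
            echo "INDICATOR: dropped component present: /$f"
            hits=$((hits + 1))
        fi
    done

    # 2. Backup left behind when the real crash daemon was replaced.
    if [ -e "$root/system/bin/debuggerd_real" ]; then
        echo "INDICATOR: renamed original daemon: /system/bin/debuggerd_real"
        hits=$((hits + 1))
    fi

    # 3. Boot-time scripts patched to launch the "wd" module. The report does
    #    not give their paths; these are the usual locations (assumption).
    for f in system/bin/install-recovery.sh system/etc/install-recovery.sh \
             system/xbin/daemonsu; do
        if [ -f "$root/$f" ] && \
           grep -Eq '(^|[^A-Za-z0-9_])(wd|vo1d)([^A-Za-z0-9_]|$)' "$root/$f"; then
            echo "INDICATOR: persistence hook referencing wd/vo1d in /$f"
            hits=$((hits + 1))
        fi
    done

    # 4. Lookalike names in the system binary directories (e.g. vo1d vs vold).
    for dir in system/bin system/xbin; do
        [ -d "$root/$dir" ] || continue
        for path in "$root/$dir"/*; do
            [ -e "$path" ] || continue
            name=$(basename "$path")
            norm=$(normalize_name "$name")
            # A genuine name normalises to itself; only changed names matter.
            [ "$norm" = "$name" ] && continue
            for known in $KNOWN_BINS; do
                if [ "$norm" = "$known" ]; then
                    echo "INDICATOR: lookalike of $known: /$dir/$name"
                    hits=$((hits + 1))
                fi
            done
        done
    done

    return "$hits"
}
```

A non-zero return code means at least one indicator was found, so the function can be dropped into a fleet check that fails loudly.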

"Unfortunately, it is not uncommon for budget device manufacturers to utilize older OS versions and pass them off as more up-to-date ones to make them more attractive," the company said.

Update
Google told The Hacker News that the infected TV models were not Play Protect certified Android devices and likely used source code from the Android Open Source Project code repository. The company’s entire statement is as follows -

“These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn't Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified.”


Exposed Selenium Grid Servers Targeted for Crypto Mining and Proxyjacking
13.9.24 
Cryptocurrency  The Hacker News
Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns.

"Selenium Grid is a server that facilitates running test cases in parallel across different browsers and versions," Cado Security researchers Tara Gould and Nate Bill said in an analysis published today.

"However, Selenium Grid's default configuration lacks authentication, making it vulnerable to exploitation by threat actors."

The abuse of publicly-accessible Selenium Grid instances for deploying crypto miners was previously highlighted by cloud security firm Wiz in late July 2024 as part of an activity cluster dubbed SeleniumGreed.

Cado, which observed two different campaigns against its honeypot server, said the threat actors are exploiting the lack of authentication protections to carry out a diverse set of malicious actions.

The first of them leverages the "goog:chromeOptions" dictionary to inject a Base64-encoded Python script that, in turn, retrieves a script named "y," which is the open-source GSocket reverse shell.


The reverse shell subsequently serves as a medium for introducing the next-stage payload, a bash script named "pl" that retrieves IPRoyal Pawn and EarnFM from a remote server via curl and wget commands.

"IPRoyal Pawns is a residential proxy service that allows users to sell their internet bandwidth in exchange for money," Cado said.

"The user's internet connection is shared with the IPRoyal network with the service using the bandwidth as a residential proxy, making it available for various purposes, including for malicious purposes."

EarnFM is also a proxyware solution that's advertised as a "ground-breaking" way to "generate passive income online by simply sharing your internet connection."

The second attack, like the proxyjacking campaign, follows the same route to deliver a bash script via a Python script that checks if it's running on a 64-bit machine and then proceeds to drop a Golang-based ELF binary.

The ELF file subsequently attempts to escalate to root by leveraging the PwnKit flaw (CVE-2021-4043) and drops an XMRig cryptocurrency miner called perfcc.

"As many organizations rely on Selenium Grid for web browser testing, this campaign further highlights how misconfigured instances can be abused by threat actors," the researchers said. "Users should ensure authentication is configured, as it is not enabled by default."


Iranian Cyber Group OilRig Targets Iraqi Government in Sophisticated Malware Attack
13.9.24 
APT  The Hacker News

Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign orchestrated by an Iran state-sponsored threat actor called OilRig.

The attacks singled out Iraqi organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs, cybersecurity company Check Point said in a new analysis.

OilRig, also called APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber group associated with the Iranian Ministry of Intelligence and Security (MOIS).

Active since at least 2014, the group has a track record of conducting phishing attacks in the Middle East to deliver a variety of custom backdoors such as Karkoff, Shark, Marlin, Saitama, MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah for information theft.

The latest campaign is no exception in that it involves the use of a new set of malware families dubbed Veaty and Spearal, which come with capabilities to execute PowerShell commands and harvest files of interest.

"The toolset used in this targeted campaign employs unique command-and-control (C2) mechanisms, including a custom DNS tunneling protocol, and a tailor-made email based C2 channel," Check Point said.

"The C2 channel uses compromised email accounts within the targeted organization, indicating that the threat actor successfully infiltrated the victim's networks."

Some of the actions that the threat actor took in executing the attack, and following it, were consistent with tactics, techniques, and procedures (TTPs) that OilRig has employed when carrying out similar operations in the past.

This includes the use of email-based C2 channels, specifically leveraging previously compromised email mailboxes to issue commands and exfiltrate data. This modus operandi has been common to several backdoors such as Karkoff, MrPerfectionManager, and PowerExchange.

The attack chain is kicked off via deceptive files masquerading as benign documents ("Avamer.pdf.exe" or "IraqiDoc.docx.rar") that, when launched, pave the way for the deployment of Veaty and Spearal. The infection pathway is said to have likely involved an element of social engineering.

The files initiate the execution of intermediate PowerShell or Pyinstaller scripts that, in turn, drop the malware executables and their XML-based configuration files, which include information about the C2 server.

"The Spearal malware is a .NET backdoor that utilizes DNS tunneling for [C2] communication," Check Point said. "The data transferred between the malware and the C2 server is encoded in the subdomains of DNS queries using a custom Base32 scheme."

Spearal is designed to execute PowerShell commands, read file contents and send them in the form of Base32-encoded data, and retrieve data from the C2 server and write it to a file on the system.
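As an added illustration (not Check Point's code, and not the malware's actual encoding scheme, which the report does not publish), the following Python heuristic flags DNS queries whose subdomain labels look like Base32-encoded data, the signal a defender would hunt for against a Spearal-style channel. The log line format, the two-label registrable-domain rule and the thresholds are assumptions, and the sample log is constructed.

```python
import math
from collections import defaultdict

# Constructed resolver-style log lines (not real traffic), one query per line:
# "<epoch> <client-ip> <qname> <qtype>". The c2-example.net names mimic data
# carried as Base32 text inside subdomain labels; domain and data are made up.
SAMPLE_LOG = """\
1726221000 10.0.0.15 www.example.com A
1726221001 10.0.0.15 mfrggzdfmztwq2lk.orsxg5a.c2-example.net A
1726221002 10.0.0.15 nbswy3dpeb3w64tmmq.orsxg5a.c2-example.net A
1726221003 10.0.0.22 mail.example.com MX
1726221004 10.0.0.15 mzxw6ytboi.orsxg5a.c2-example.net TXT
1726221005 10.0.0.15 cdn.example.org A
"""

# RFC 4648 Base32 alphabet; a custom scheme may use another alphabet, so treat
# the ratio as one signal among several rather than a definitive match.
BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def shannon_entropy(s):
    """Bits per character of s; encoded data scores high, natural hostnames low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Split a query name into (subdomain part, registrable domain).

    Assumption: the registrable domain is the last two labels; a real deployment
    would consult the public suffix list to handle names like example.co.uk.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def query_features(qname):
    """Per-query features of the subdomain labels (dots removed, upper-cased)."""
    sub, domain = split_qname(qname)
    data = sub.replace(".", "").upper()
    ratio = (sum(ch in BASE32_ALPHABET for ch in data) / len(data)) if data else 0.0
    return {
        "domain": domain,
        "subdomain": sub,
        "length": len(data),
        "base32_ratio": ratio,
        "entropy": shannon_entropy(data),
    }


def looks_like_tunnel(feat, min_len=16, min_ratio=0.9, min_entropy=3.0):
    """Heuristic: long, Base32-alphabet-only, high-entropy subdomain data."""
    return (
        feat["length"] >= min_len
        and feat["base32_ratio"] >= min_ratio
        and feat["entropy"] >= min_entropy
    )


def find_tunnel_candidates(log_text, min_queries=2, **thresholds):
    """Group suspicious queries by registrable domain.

    Tunneling produces many distinct, non-repeating subdomains under one
    parent, so a domain is reported only once it has min_queries distinct hits.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        qname = parts[2]
        feat = query_features(qname)
        if feat["subdomain"] and looks_like_tunnel(feat, **thresholds):
            hits[feat["domain"]].add(qname)
    return {d: sorted(q) for d, q in hits.items() if len(q) >= min_queries}


if __name__ == "__main__":
    for domain, names in find_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{domain}: {len(names)} suspicious queries")
        for name in names:
            print("  ", name)
```

Short, low-entropy labels such as www or mail fall below the thresholds, so only the parent domain receiving repeated encoded-looking subdomains is reported.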

Also written in .NET, Veaty leverages emails for C2 communications with the end goal of downloading files and executing commands via specific mailboxes belonging to the gov-iq.net domain. The commands allow it to upload/download files and run PowerShell scripts.

Check Point said its analysis of the threat actor infrastructure led to the discovery of a different XML configuration file that's likely associated with a third SSH tunneling backdoor.

It further identified an HTTP-based backdoor, CacheHttp.dll, that targets Microsoft's Internet Information Services (IIS) servers and examines incoming web requests for "OnGlobalPreBeginRequest" events and executes commands when they occur.

"The execution process begins by checking if the Cookie header is present in incoming HTTP requests and reads until the ";" sign," Check Point said. "The main parameter is F=0/1 which indicates whether the backdoor initializes its command configuration (F=1) or runs the commands based on this configuration (F=0)."

The malicious IIS module, which represents an evolution of a malware classified as Group 2 by ESET in August 2021 and another APT34 IIS backdoor codenamed RGDoor, supports command execution and file read/write operations.

"This campaign against Iraqi government infrastructure highlights the sustained and focused efforts of Iranian threat actors operating in the region," the company said.

"The deployment of a custom DNS tunneling protocol and an email-based C2 channel leveraging compromised accounts highlights the deliberate effort by Iranian actors to develop and maintain specialized command-and-control mechanisms."


Ireland's Watchdog Launches Inquiry into Google's AI Data Practices in Europe
13.9.24 
AI  The Hacker News
The Irish Data Protection Commission (DPC) has announced that it has commenced a "Cross-Border statutory inquiry" into Google's foundational artificial intelligence (AI) model to determine whether the tech giant has adhered to data protection regulations in the region when processing the personal data of European users.

"The statutory inquiry concerns the question of whether Google has complied with any obligations that it may have had to undertake an assessment, pursuant to Article 35[2] of the General Data Protection Regulation (Data Protection Impact Assessment), prior to engaging in the processing of the personal data of E.U./E.E.A. data subjects associated with the development of its foundational AI model, Pathways Language Model 2 (PaLM 2)," the DPC said.

PaLM 2 is Google's state-of-the-art language model with improved multilingual, reasoning, and coding capabilities. It was unveiled by the company in May 2023.

With Google's European headquarters based in Dublin, the DPC acts as the primary regulator responsible for making sure the company abides by the bloc's stringent data privacy rulebook.

The DPC said an inquiry is crucial to ensure that individuals' fundamental rights and freedoms are safeguarded, especially when processing of such data when developing AI systems can lead to a "high risk."

The development comes weeks after social media platform X permanently agreed not to train its AI chatbot, Grok, using the personal data it collected from European users without obtaining prior consent. Back in August, the DPC said X consented to suspend its "processing of the personal data contained in the public posts of X's E.U./E.E.A. users which it processed between 7 May 2024 and 1 August 2024."

Meta, which recently admitted to scraping every Australian adult Facebook user's public data to train its Llama AI models without giving them an opt-out, has paused its plans to use content posted by European users following a request from the DPC over privacy concerns. It has also suspended the use of generative AI (GenAI) in Brazil after the country's data protection authority issued a preliminary ban objecting to its new privacy policy.

Last year, Italy's data privacy regulator also temporarily banned OpenAI's ChatGPT because of concerns that its practices are in violation of data protection laws in the region.


WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers
13.9.24 
Safety  The Hacker News

WordPress.org has announced a new account security measure that will require accounts with capabilities to update plugins and themes to activate two-factor authentication (2FA) mandatorily.

The enforcement is expected to come into effect starting October 1, 2024.

"Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide," the maintainers of the open-source, self-hosted version of the content management system (CMS) said.

"Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community."

Besides requiring mandatory 2FA, WordPress.org said it's introducing what's called SVN passwords, which refers to a dedicated password for committing changes.

This, it said, is an effort to introduce a new layer of security by separating users' code commit access from their WordPress.org account credentials.

"This password functions like an application or additional user account password," the team said. "It protects your main password from exposure and allows you to easily revoke SVN access without having to change your WordPress.org credentials."

WordPress.org also noted that technical limitations have prevented 2FA from being applied to existing code repositories, as a result of which it has opted for a "combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features (such as Release Confirmations)."

The measures are seen as a way to counter scenarios where a malicious actor could seize control of a publisher's account, thereby introducing malicious code into legitimate plugins and themes, resulting in large-scale supply chain attacks.

The disclosure comes as Sucuri warned of ongoing ClearFake campaigns targeting WordPress sites that aim to distribute an information stealer called RedLine by tricking site visitors into manually running PowerShell code in order to fix an issue with rendering the web page.

Threat actors have also been observed leveraging infected PrestaShop e-commerce sites to deploy a credit card skimmer to siphon financial information entered on checkout pages.

"Outdated software is a primary target for attackers who exploit vulnerabilities in old plugins and themes," security researcher Ben Martin said. "Weak admin passwords are a gateway for attackers."

Users are recommended to keep their plugins and themes up-to-date, deploy a web application firewall (WAF), periodically review administrator accounts, and monitor for unauthorized changes to website files.


Quad7 Botnet Expands to Target SOHO Routers and VPN Appliances
13.9.24 
BotNet  The Hacker News
The operators of the mysterious Quad7 botnet are actively evolving by compromising several brands of SOHO routers and VPN appliances by leveraging a combination of both known and unknown security flaws.

Targets include devices from TP-LINK, Zyxel, Asus, Axentra, D-Link, and NETGEAR, according to a new report by French cybersecurity company Sekoia.

"The Quad7 botnet operators appear to be evolving their toolset, introducing a new backdoor and exploring new protocols, with the aim of enhancing stealth and evading the tracking capabilities of their operational relay boxes (ORBs)," researchers Felix Aimé, Pierre-Antoine D., and Charles M. said.

Quad7, also called 7777, was first publicly documented by independent researcher Gi7w0rm in October 2023, highlighting the activity cluster's pattern of ensnaring TP-Link routers and Dahua digital video recorders (DVRs) into a botnet.

The botnet, which gets its name from the fact it opens TCP port 7777 on compromised devices, has been observed brute-forcing Microsoft 365 and Azure instances.

"The botnet also appears to infect other systems like MVPower, Zyxel NAS, and GitLab, although at a very low volume," VulnCheck's Jacob Baines noted earlier this January. "The botnet doesn't just start a service on port 7777. It also spins up a SOCKS5 server on port 11228."

Subsequent analyses by Sekoia and Team Cymru over the past few months have found that the botnet has not only compromised TP-Link routers in Bulgaria, Russia, the U.S., and Ukraine, but has since also expanded to target ASUS routers that have TCP ports 63256 and 63260 opened.


The latest findings show that the botnet is comprised of three additional clusters -

xlogin (aka 7777 botnet) - A botnet composed of compromised TP-Link routers which have both TCP ports 7777 and 11288 opened
alogin (aka 63256 botnet) - A botnet composed of compromised ASUS routers which have both TCP ports 63256 and 63260 opened
rlogin - A botnet composed of compromised Ruckus Wireless devices which have TCP port 63210 opened
axlogin - A botnet capable of targeting Axentra NAS devices (not detected in the wild as yet)
zylogin - A botnet composed of compromised Zyxel VPN appliances that have TCP port 3256 opened
Sekoia told The Hacker News that the countries with the most number of infections are Bulgaria (1,093), the U.S. (733), and Ukraine (697).

In a further sign of tactical evolution, the threat actors now utilize a new backdoor dubbed UPDTAE that uses an HTTP-based reverse shell to establish remote control over the infected devices and execute commands sent from a command-and-control (C2) server.

It's currently not clear what the exact purpose of the botnet is or who is behind it, but the company said the activity is likely the work of a Chinese state-sponsored threat actor.

"Regarding the 7777 [botnet], we only saw brute-force attempts against Microsoft 365 accounts," Aimé told the publication. "For the other botnets, we still don't know how they are used."

"However, after exchanges with other researchers and new findings, we are almost certain that the operators are more likely CN state-sponsored rather than simple cybercriminals doing [business email compromise]."

"We are seeing the threat actor attempting to be more stealthy by using new malwares on the compromised edge devices. The main aim behind that move is to prevent tracking of the affiliated botnets."


DragonRank Black Hat SEO Campaign Targeting IIS Servers Across Asia and Europe
13.9.24 
APT  The Hacker News
A "simplified Chinese-speaking actor" has been linked to a new campaign that has targeted multiple countries in Asia and Europe with the end goal of performing search engine optimization (SEO) rank manipulation.

The black hat SEO cluster has been codenamed DragonRank by Cisco Talos, with a victimology footprint scattered across Thailand, India, Korea, Belgium, the Netherlands, and China.

"DragonRank exploits targets' web application services to deploy a web shell and utilizes it to collect system information and launch malware such as PlugX and BadIIS, running various credential-harvesting utilities," security researcher Joey Chen said.

The attacks have led to compromises of 35 Internet Information Services (IIS) servers with the end goal of deploying the BadIIS malware, which was first documented by ESET in August 2021.

It's specifically designed to facilitate proxyware and SEO fraud by turning the compromised IIS server into a relay point for malicious communications between its customers (i.e., other threat actors) and their victims.

On top of that, it can modify the content served to search engines to manipulate search engine algorithms and boost the ranking of other websites of interest to the attackers.

"One of the most surprising aspects of the investigation is how versatile IIS malware is, and the [detection of] SEO fraud criminal scheme, where malware is misused to manipulate search engine algorithms and help boost the reputation of third-party websites," security researcher Zuzana Hromcova told The Hacker News at the time.

The latest set of attacks highlighted by Talos spans a broad spectrum of industry verticals, including jewelry, media, research services, healthcare, video and television production, manufacturing, transportation, religious and spiritual organizations, IT services, international affairs, agriculture, sports, and feng shui.


The attack chains commence with taking advantage of known security flaws in web applications like phpMyAdmin and WordPress to drop the open-source ASPXspy web shell, which then acts as a conduit to introduce supplemental tools into the targets' environment.

The primary objective of the campaign is to compromise the IIS servers hosting corporate websites, abusing them to implant the BadIIS malware and effectively repurposing them as a launchpad for scam operations by utilizing keywords related to porn and sex.

Another significant aspect of the malware is its ability to masquerade as the Google search engine crawler in its User-Agent string when it relays the connection to the command-and-control (C2) server, thereby allowing it to bypass some website security measures.

"The threat actor engages in SEO manipulation by altering or exploiting search engine algorithms to improve a website's ranking in search results," Chen explained. "They conduct these attacks to drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings."

One important way DragonRank distinguishes itself from other black hat SEO cybercrime groups is in the manner it attempts to breach additional servers within the target's network and maintain control over them using PlugX, a backdoor widely shared by Chinese threat actors, and various credential-harvesting programs such as Mimikatz, PrintNotifyPotato, BadPotato, and GodPotato.

Although the PlugX malware used in the attacks relies on DLL side-loading techniques, the loader DLL responsible for launching the encrypted payload uses the Windows Structured Exception Handling (SEH) mechanism in an attempt to ensure that the legitimate file (i.e., the binary susceptible to DLL side-loading) can load the PlugX without tripping any alarms.

Evidence unearthed by Talos points to the threat actor maintaining a presence on Telegram under the handle "tttseo" and the QQ instant message application to facilitate illegal business transactions with paying clients.

"These adversaries also offer seemingly quality customer service, tailoring promotional plans to best fit their clients' needs," Chen added.

"Customers can submit the keywords and websites they wish to promote, and DragonRank develops a strategy suited to these specifications. The group also specializes in targeting promotions to specific countries and languages, ensuring a customized and comprehensive approach to online marketing."


Singapore Police Arrest Six Hackers Linked to Global Cybercrime Syndicate
11.9.24 
Crime  The Hacker News
The Singapore Police Force (SPF) has announced the arrest of five Chinese nationals and one Singaporean man for their alleged involvement in illicit cyber activities in the country.

The development comes after a group of about 160 law enforcement officials conducted a series of raids on September 9, 2024, simultaneously at several locations.

The six men, aged between 32 and 42, are suspected of being linked to a "global syndicate" that conducts malicious cyber activities. Pursuant to the operation, electronic devices and cash were seized.

Among those apprehended is a 42-year-old Chinese national from Bidadari Park Drive, who was found to be in possession of a laptop that contained credentials to access web servers used by known hacker groups. The identities of the threat actors were not disclosed.

In addition, five laptops, six mobile phones, cash totaling more than S$24,000 (USD$18,400), and cryptocurrency worth approximately USD$850,000 were confiscated from the individual.

Three other Chinese nationals, arrested from Mount Sinai Avenue, are said to have possessed laptops containing personal information related to foreign internet service providers, hacking tools, and "specialized software to control malware" such as PlugX, a remote access trojan widely used by Chinese state-sponsored groups.

The authorities also seized seven laptops, 11 mobile phones, and cash worth more than S$54,600 (USD$41,900) from the three men.

Another 38-year-old Chinese national was arrested from Cairnhill Road over suspicions of "offering to purchase personally identifiable information that was believed to have been obtained through illegal means."

The sixth person, a 34-year-old Singaporean national residing in Hougang Avenue, is believed to have assisted the others in their malicious activities.

The defendants have been charged with offenses under the Computer Misuse Act 1993 for gaining unauthorized access to computer material, retaining personal information without authorization, and retaining software that could be used to commit other malicious attacks.

The Singaporean national has also been charged with abetting the securing of unauthorized access to websites, an offense that's punishable with a fine of up to S$5,000 (USD$3,830), or a jail term of up to two years, or both, for a first-time offender.

Channel News Asia has reported that a sixth Chinese national was also subsequently arrested on Wednesday for instructing the Singapore man to subscribe to a Singtel broadband plan.

"This is a significant operation as the individuals are suspected to be carrying out global malicious cyber operations from Singapore," the SPF said. "We have zero tolerance of the use of Singapore to conduct criminal activities, including illegal cyber activities. We will deal severely with perpetrators."


Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware
11.9.24 
APT  The Hacker News
Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments.

"The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews," ReversingLabs researcher Karlo Zanki said.

The activity has been assessed to be part of an ongoing campaign dubbed VMConnect that first came to light in August 2023. There are indications that it is the handiwork of the North Korea-backed Lazarus Group.

The use of job interviews as an infection vector has been adopted widely by North Korean threat actors, either approaching unsuspecting developers on sites such as LinkedIn or tricking them into downloading rogue packages as part of a purported skills test.

These packages, for their part, have been published directly on public repositories like npm and PyPI, or hosted on GitHub repositories under their control.

ReversingLabs said it identified malicious code embedded within modified versions of legitimate PyPI libraries such as pyperclip and pyrebase.

"The malicious code is present in both the __init__.py file and its corresponding compiled Python file (PYC) inside the __pycache__ directory of respective modules," Zanki said.

It's implemented in the form of a Base64-encoded string that obscures a downloader function that establishes contact with a command-and-control (C2) server in order to execute commands received as a response.
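Added here as an illustration of the review the researcher says targets skip (this is not ReversingLabs' tooling), the following Python script parses every source file in a package with the standard ast module, flags long Base64-looking string constants and any exec()/eval() whose argument passes through a decoder, and reports bytecode shipped in __pycache__. The 40-character floor and the decoder list are assumptions; the sample package it builds is constructed, and its encoded blob decodes to a comment and is never executed.

```python
import ast
import base64
import re
import tempfile
from pathlib import Path

# A string constant this long made only of Base64 characters is unusual in
# ordinary package source; the 40-character floor is an assumed tuning knob.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
DECODE_FUNCS = {"b64decode", "b32decode", "b16decode", "b85decode", "a85decode", "decodebytes"}
EXEC_FUNCS = {"exec", "eval"}


def _call_name(call):
    """Bare function name of an ast.Call: exec(...) -> 'exec', base64.b64decode(...) -> 'b64decode'."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _contains_decode(node):
    """True if a call to a known decoder appears anywhere inside node."""
    return any(isinstance(n, ast.Call) and _call_name(n) in DECODE_FUNCS for n in ast.walk(node))


def scan_source(path, source):
    """Return (path, line, reason) findings for one Python source file."""
    findings = []
    try:
        tree = ast.parse(source, filename=str(path))
    except SyntaxError as exc:
        return [(str(path), exc.lineno or 0, f"unparseable source: {exc.msg}")]
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and BASE64_RE.match(node.value):
            findings.append((str(path), node.lineno, f"long base64-looking string constant ({len(node.value)} chars)"))
        elif isinstance(node, ast.Call) and _call_name(node) in EXEC_FUNCS and any(_contains_decode(a) for a in node.args):
            findings.append((str(path), node.lineno, f"{_call_name(node)}() of decoded data"))
    return findings


def scan_package(root):
    """Walk a package tree: parse every .py file and flag bytecode shipped in __pycache__."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix == ".py":
            findings.extend(scan_source(path, path.read_text(encoding="utf-8", errors="replace")))
        elif path.suffix == ".pyc" and path.parent.name == "__pycache__":
            findings.append((str(path), 0, "pre-compiled bytecode shipped in __pycache__"))
    return findings


def build_sample_package():
    """Write a constructed package to a temp dir: one clean module, one tampered
    __init__.py and a shipped .pyc. The blob decodes to a comment; nothing is executed."""
    root = Path(tempfile.mkdtemp()) / "samplepkg"
    (root / "__pycache__").mkdir(parents=True)
    blob = base64.b64encode(b"# constructed placeholder; this decodes to a comment only\n" * 2).decode()
    (root / "__init__.py").write_text(
        "import base64\n"
        "from .util import add\n"
        f'PAYLOAD = "{blob}"\n'
        "exec(base64.b64decode(PAYLOAD))\n",
        encoding="utf-8",
    )
    (root / "util.py").write_text("def add(a, b):\n    return a + b\n", encoding="utf-8")
    # Placeholder bytes standing in for a shipped .pyc; not real bytecode.
    (root / "__pycache__" / "__init__.cpython-312.pyc").write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    for path, line, reason in scan_package(build_sample_package()):
        print(f"{path}:{line}: {reason}")
```

Run against an unpacked ZIP or a pip download directory before installing; the findings are review prompts, not verdicts, since legitimate packages occasionally embed encoded resources.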

In one instance of the coding assignment identified by the software supply chain firm, the threat actors sought to create a false sense of urgency by requiring job seekers to build a Python project shared in the form of a ZIP file within five minutes and find and fix a coding flaw in the next 15 minutes.


This makes it "more likely that he or she would execute the package without performing any type of security or even source code review first," Zanki said, adding "that ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer's system."

Some of the aforementioned tests claimed to be a technical interview for financial institutions like Capital One and Rookery Capital Limited, underscoring how the threat actors are impersonating legitimate companies in the sector to pull off the operation.

It's currently not clear how widespread these campaigns are, although prospective targets are scouted and contacted using LinkedIn, as recently also highlighted by Google-owned Mandiant.

"After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge, which compromised the user's macOS system by downloading a second-stage malware that persisted via Launch Agents and Launch Daemons," the company said.

The development comes as cybersecurity company Genians revealed that the North Korean threat actor codenamed Konni is intensifying its attacks against Russia and South Korea by employing spear-phishing lures that lead to the deployment of AsyncRAT, with overlaps identified with a campaign codenamed CLOUD#REVERSER (aka puNK-002).

Some of these attacks also entail the propagation of a new malware called CURKON, a Windows shortcut (LNK) file that serves as a downloader for an AutoIt version of Lilith RAT. The activity has been linked to a sub-cluster tracked as puNK-003, per S2W.

Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws
11.9.24 
Vulnerability  The Hacker News
Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024.

The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech giant resolved in its Chromium-based Edge browser since last month's Patch Tuesday release.

The three vulnerabilities that have been weaponized in a malicious context are listed below, alongside a bug that Microsoft is treating as exploited -

CVE-2024-38014 (CVSS score: 7.8) - Windows Installer Elevation of Privilege Vulnerability
CVE-2024-38217 (CVSS score: 5.4) - Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability
CVE-2024-38226 (CVSS score: 7.3) - Microsoft Publisher Security Feature Bypass Vulnerability
CVE-2024-43491 (CVSS score: 9.8) - Microsoft Windows Update Remote Code Execution Vulnerability
"Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running," Satnam Narang, senior staff research engineer at Tenable, said in a statement.

"In both cases, the target needs to be convinced to open a specially crafted file from an attacker-controlled server. Where they differ is that an attacker would need to be authenticated to the system and have local access to it to exploit CVE-2024-38226."

As disclosed by Elastic Security Labs last month, CVE-2024-38217 – also referred to as LNK Stomping – is said to have been abused in the wild as far back as February 2018.

CVE-2024-43491, on the other hand, is notable for the fact that it's similar to the downgrade attack that cybersecurity company SafeBreach detailed early last month.

"Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015)," Redmond noted.

"This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 — KB5035858 (OS Build 10240.20526) or other updates released until August 2024."

The Windows maker further said it can be resolved by installing the September 2024 Servicing Stack Update (SSU KB5043936) and the September 2024 Windows security update (KB5043083), in that order.

It's also worth pointing out that Microsoft's "Exploitation Detected" assessment for CVE-2024-43491 stems from the rollback of fixes that addressed vulnerabilities impacting some Optional Components for Windows 10 (version 1507) that have been previously exploited.

"No exploitation of CVE-2024-43491 itself has been detected," the company said. "In addition, the Windows product team at Microsoft discovered this issue, and we have seen no evidence that it is publicly known."


Ivanti Releases Urgent Security Updates for Endpoint Manager Vulnerabilities
11.9.24 
Vulnerability  The Hacker News
Ivanti has released software updates to address multiple security flaws impacting Endpoint Manager (EPM), including 10 critical vulnerabilities that could result in remote code execution.

A brief description of the issues is as follows -

CVE-2024-29847 (CVSS score: 10.0) - A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution.
CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34779, CVE-2024-34783, and CVE-2024-34785 (CVSS scores: 9.1) - Multiple unspecified SQL injection vulnerabilities that allow a remote authenticated attacker with admin privileges to achieve remote code execution
The flaws impact EPM versions 2024 and 2022 SU5 and earlier, with fixes made available in versions 2024 SU1 and 2022 SU6, respectively.

Ivanti said it has found no evidence of the flaws being exploited in the wild as a zero-day, but it's essential that users update to the latest version to safeguard against potential threats.

Also addressed as part of the September update are seven high-severity shortcomings in Ivanti Workspace Control (IWC) and Ivanti Cloud Service Appliance (CSA).

The company said it has ramped up its internal scanning, manual exploitation and testing capabilities, and that it made improvements to its responsible disclosure process to swiftly discover and address potential issues.

"This has caused a spike in discovery and disclosure," the company noted.

The development comes in the aftermath of extensive in-the-wild exploitation of several zero-days in Ivanti appliances, including by China-nexus cyber espionage groups to breach networks of interest.

It also comes as Zyxel shipped fixes for a critical operating system (OS) command injection vulnerability (CVE-2024-6342, CVSS score: 9.8) in two of its network-attached storage (NAS) devices.

"A command injection vulnerability in the export-cgi program of Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request," the company said in an alert.

The security hole has been addressed in the below versions -

NAS326 (affects V5.21(AAZF.18)C0 and earlier) - Fixed in V5.21(AAZF.18)Hotfix-01
NAS542 (affects V5.21(ABAG.15)C0 and earlier) - Fixed in V5.21(ABAG.15)Hotfix-01


Microsoft September 2024 Patch Tuesday

Each vulnerability description is followed by its CVE rows, with columns:
CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)

Azure CycleCloud Remote Code Execution Vulnerability
  CVE-2024-43469 | No | No | - | - | Important | 8.8 | 7.7
Azure Network Watcher VM Agent Elevation of Privilege Vulnerability
  CVE-2024-38188 | No | No | - | - | Important | 7.1 | 6.2
  CVE-2024-43470 | No | No | - | - | Important | 7.3 | 6.4
Azure Stack Hub Elevation of Privilege Vulnerability
  CVE-2024-38216 | No | No | - | - | Critical | 8.2 | 7.1
  CVE-2024-38220 | No | No | - | - | Critical | 9.0 | 7.8
Azure Web Apps Elevation of Privilege Vulnerability
  CVE-2024-38194 | No | No | - | - | Critical | 8.4 | 7.3
DHCP Server Service Denial of Service Vulnerability
  CVE-2024-38236 | No | No | - | - | Important | 7.5 | 6.5
Kernel Streaming Service Driver Elevation of Privilege Vulnerability
  CVE-2024-38241 | No | No | - | - | Important | 7.8 | 6.8
  CVE-2024-38242 | No | No | - | - | Important | 7.8 | 6.8
  CVE-2024-38238 | No | No | - | - | Important | 7.8 | 6.8
  CVE-2024-38243 | No | No | - | - | Important | 7.8 | 6.8
  CVE-2024-38244 | No | No | - | - | Important | 7.8 | 6.8
  CVE-2024-38245 | No | No | - | - | Important | 7.8 | 6.8
Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability
  CVE-2024-38237 | No | No | - | - | Important | 7.8 | 6.8
Microsoft AllJoyn API Information Disclosure Vulnerability
  CVE-2024-38257 | No | No | - | - | Important | 7.5 | 6.5
Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability
  CVE-2024-43492 | No | No | - | - | Important | 7.8 | 6.8
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
  CVE-2024-43476 | No | No | - | - | Important | 7.6 | 6.6
Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability
  CVE-2024-38225 | No | No | - | - | Important | 8.8 | 7.7
Microsoft Excel Elevation of Privilege Vulnerability
  CVE-2024-43465 | No | No | - | - | Important | 7.8 | 6.8
Microsoft Management Console Remote Code Execution Vulnerability
  CVE-2024-38259 | No | No | - | - | Important | 8.8 | 7.7
Microsoft Office Visio Remote Code Execution Vulnerability
  CVE-2024-43463 | No | No | - | - | Important | 7.8 | 6.8
Microsoft Outlook for iOS Information Disclosure Vulnerability
  CVE-2024-43482 | No | No | - | - | Important | 6.5 | 5.7
Microsoft Power Automate Desktop Remote Code Execution Vulnerability
  CVE-2024-43479 | No | No | - | - | Important | 8.5 | 7.4
Microsoft Publisher Security Feature Bypass Vulnerability
  CVE-2024-38226 | No | Yes | - | - | Important | 7.3 | 6.4
Microsoft SQL Server Elevation of Privilege Vulnerability
  CVE-2024-37965 | No | No | - | - | Important | 8.8 | 7.7
  CVE-2024-37341 | No | No | - | - | Important | 8.8 | 7.7
  CVE-2024-37980 | No | No | - | - | Important | 8.8 | 7.7
Microsoft SQL Server Information Disclosure Vulnerability
  CVE-2024-43474 | No | No | - | - | Important | 7.6 | 6.6
Microsoft SQL Server Native Scoring Information Disclosure Vulnerability
  CVE-2024-37966 | No | No | - | - | Important | 7.1 | 6.2
  CVE-2024-37337 | No | No | - | - | Important | 7.1 | 6.2
  CVE-2024-37342 | No | No | - | - | Important | 7.1 | 6.2
Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
  CVE-2024-37338 | No | No | - | - | Important | 8.8 | 7.7
  CVE-2024-37335 | No | No | - | - | Important | 8.8 | 7.7
  CVE-2024-37340 | No | No | - | - | Important | 8.8 | 7.7
  CVE-2024-37339 | No | No | - | - | Important | 8.8 | 7.7
  CVE-2024-26186 | No | No | - | - | Important | 8.8 | 7.7
  CVE-2024-26191 | No | No | - | - | Important | 8.8 | 7.7
Microsoft SharePoint Server Denial of Service Vulnerability
  CVE-2024-43466 | No | No | - | - | Important | 6.5 | 5.7
Microsoft SharePoint Server Remote Code Execution Vulnerability
  CVE-2024-38018 | No | No | - | - | Critical | 8.8 | 7.7
  CVE-2024-43464 | No | No | - | - | Critical | 7.2 | 6.3
  CVE-2024-38227 | No | No | - | - | Important | 7.2 | 6.3
  CVE-2024-38228 | No | No | - | - | Important | 7.2 | 6.3
Microsoft Windows Admin Center Information Disclosure Vulnerability
  CVE-2024-43475 | No | No | - | - | Important | 7.3 | 6.4
Microsoft Windows Update Remote Code Execution Vulnerability
  CVE-2024-43491 | No | Yes | - | - | Critical | 9.8 | 8.5
PowerShell Elevation of Privilege Vulnerability
  CVE-2024-38046 | No | No | - | - | Important | 7.8 | 6.8
Win32k Elevation of Privilege Vulnerability
  CVE-2024-38246 | No | No | - | - | Important | 7.0 | 6.1
Windows Authentication Information Disclosure Vulnerability
  CVE-2024-38254 | No | No | - | - | Important | 5.5 | 4.8
Windows Graphics Component Elevation of Privilege Vulnerability
  CVE-2024-38249 | No | No | - | - | Important | 7.8 | 6.8
  CVE-2024-38250 | No | No | - | - | Important | 7.8 | 6.8
  CVE-2024-38247 | No | No | - | - | Important | 7.8 | 6.8
Windows Hyper-V Denial of Service Vulnerability
  CVE-2024-38235 | No | No | - | - | Important | 6.5 | 5.7
Windows Installer Elevation of Privilege Vulnerability
  CVE-2024-38014 | No | Yes | - | - | Important | 7.8 | 6.8
Windows Kerberos Elevation of Privilege Vulnerability
  CVE-2024-38239 | No | No | - | - | Important | 7.2 | 6.3
Windows Kernel-Mode Driver Information Disclosure Vulnerability
  CVE-2024-38256 | No | No | - | - | Important | 5.5 | 4.8
Windows MSHTML Platform Spoofing Vulnerability
  CVE-2024-43461 | No | No | - | - | Important | 8.8 | 7.7
Windows Mark of the Web Security Feature Bypass Vulnerability
  CVE-2024-38217 | Yes | Yes | - | - | Important | 5.4 | 5.0
  CVE-2024-43487 | No | No | - | - | Moderate | 6.5 | 6.0
Windows Network Address Translation (NAT) Remote Code Execution Vulnerability
  CVE-2024-38119 | No | No | - | - | Critical | 7.5 | 6.5
Windows Networking Denial of Service Vulnerability
  CVE-2024-38232 | No | No | - | - | Important | 7.5 | 6.5
  CVE-2024-38233 | No | No | - | - | Important | 7.5 | 6.5
  CVE-2024-38234 | No | No | - | - | Important | 6.5 | 5.7
Windows Networking Information Disclosure Vulnerability
  CVE-2024-43458 | No | No | - | - | Important | 7.7 | 6.7
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
  CVE-2024-38240 | No | No | - | - | Important | 8.1 | 7.1
Windows Remote Desktop Licensing Service Denial of Service Vulnerability
  CVE-2024-38231 | No | No | - | - | Important | 6.5 | 5.7
Windows Remote Desktop Licensing Service Information Disclosure Vulnerability
  CVE-2024-38258 | No | No | - | - | Important | 6.5 | 5.7
Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
  CVE-2024-43467 | No | No | - | - | Important | 7.5 | 6.5
  CVE-2024-38260 | No | No | - | - | Important | 8.8 | 7.7
  CVE-2024-38263 | No | No | - | - | Important | 7.5 | 6.5
  CVE-2024-43454 | No | No | - | - | Important | 7.1 | 6.2
Windows Remote Desktop Licensing Service Spoofing Vulnerability
CVE-2024-43455NoNo--Important8.87.7
Windows Security Zone Mapping Security Feature Bypass Vulnerability
CVE-2024-30073NoNo--Important7.86.8
Windows Setup and Deployment Elevation of Privilege Vulnerability
CVE-2024-43457NoNo--Important7.86.8
Windows Standards-Based Storage Management Service Denial of Service Vulnerability
CVE-2024-38230NoNo--Important6.55.7
Windows Storage Elevation of Privilege Vulnerability
CVE-2024-38248NoNo--Important7.06.3
Windows TCP/IP Remote Code Execution Vulnerability
CVE-2024-21416NoNo--Important8.17.1
CVE-2024-38045NoNo--Important8.17.1
Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
CVE-2024-38252NoNo--Important7.86.8
CVE-2024-38253NoNo--Important7.86.8
Windows libarchive Remote Code Execution Vulnerability
CVE-2024-43495NoNo--Important7.36.4

Vulnerabilities: 79


CosmicBeetle Deploys Custom ScRansom Ransomware, Partnering with RansomHub
11.9.24 
Ransom  The Hacker News
The threat actor known as CosmicBeetle has debuted a new custom ransomware strain called ScRansom in attacks targeting small- and medium-sized businesses (SMBs) in Europe, Asia, Africa, and South America, while also likely working as an affiliate for RansomHub.

"CosmicBeetle replaced its previously deployed ransomware, Scarab, with ScRansom, which is continually improved," ESET researcher Jakub Souček said in a new analysis published today. "While not being top notch, the threat actor is able to compromise interesting targets."

Targets of ScRansom attacks span manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, leisure, financial services, and regional government sectors.

CosmicBeetle is best known for a malicious toolset called Spacecolon that was previously identified as used for delivering the Scarab ransomware across victim organizations globally.

Also known as NONAME, the adversary has a track record of experimenting with the leaked LockBit builder in an attempt to pass itself off as the infamous ransomware gang in its ransom notes and leak site, going back as far as November 2023.

It's currently not clear who is behind the attacks or where they are from. An earlier hypothesis suggested a Turkish origin, based on a custom encryption scheme used in another tool named ScHackTool, but ESET now suspects that attribution no longer holds water.

"ScHackTool's encryption scheme is used in the legitimate Disk Monitor Gadget," Souček pointed out. "It is likely that this algorithm was adapted [from a Stack Overflow thread] by VOVSOFT [the Turkish software firm behind the tool] and, years later, CosmicBeetle stumbled upon it and used it for ScHackTool."

Attack chains have been observed taking advantage of brute-force attacks and known security flaws (CVE-2017-0144, CVE-2020-1472, CVE-2021-42278, CVE-2021-42287, CVE-2022-42475, and CVE-2023-27532) to infiltrate target environments.

The intrusions further involve the use of various tools like Reaper, Darkside, and RealBlindingEDR to terminate security-related processes to sidestep detection prior to deploying the Delphi-based ScRansom ransomware, which comes with support for partial encryption to speed up the process and an "ERASE" mode to render the files unrecoverable by overwriting them with a constant value.


The connection to RansomHub stems from the fact that the Slovak cybersecurity company spotted the deployment of ScRansom and RansomHub payloads on the same machine within a week's time.

"Probably due to the obstacles that writing custom ransomware from scratch brings, CosmicBeetle attempted to leech off LockBit's reputation, possibly to mask the issues in the underlying ransomware and in turn to increase the chance that victims will pay," Souček said.

Cicada3301 Unleashes Updated Version
The disclosure comes as threat actors linked to the Cicada3301 ransomware (aka Repellent Scorpius) have been observed using an updated version of the encryptor since July 2024.

"Threat authors added a new command-line argument, --no-note," Palo Alto Networks Unit 42 said in a report shared with The Hacker News. "When this argument is invoked, the encryptor will not write the ransom note to the system."

Another important modification is the absence of hard-coded usernames or passwords in the binary, although it still retains the capability to execute PsExec using these credentials if they exist, a technique highlighted recently by Morphisec.

In an interesting twist, the cybersecurity vendor said it observed signs that the group has data obtained from older compromise incidents that predate the group's operation under the Cicada3301 brand.

This has raised the possibility that the threat actor may have previously operated under a different ransomware brand, or purchased the data from other ransomware groups. That said, Unit 42 noted it identified some overlaps with another attack carried out by an affiliate that deployed BlackCat ransomware in March 2022.

BURNTCIGAR Becomes an EDR Wiper
The findings also follow the evolution of a signed kernel-mode Windows driver, used by multiple ransomware gangs to turn off Endpoint Detection and Response (EDR) software, into a wiper that deletes critical components of those solutions rather than merely terminating them.

The malware in question is POORTRY, which is delivered by means of a loader named STONESTOP to orchestrate a Bring Your Own Vulnerable Driver (BYOVD) attack, effectively bypassing Driver Signature Enforcement safeguards. Its ability to "force delete" files on disk was first noted by Trend Micro in May 2023.

POORTRY, detected as far back as 2021, is also referred to as BURNTCIGAR and has been used by multiple ransomware gangs, including CUBA, BlackCat, Medusa, LockBit, and RansomHub, over the years.

"Both the Stonestop executable and the Poortry driver are heavily packed and obfuscated," Sophos said in a recent report. "This loader was obfuscated by a closed-source packer named ASMGuard, available on GitHub."

POORTRY is "focused on disabling EDR products through a series of different techniques, such as removal or modification of kernel notify routines. The EDR killer aims at terminating security-related processes and rendering the EDR agent useless by wiping critical files off disk."

The rogue drivers take advantage of what the company described as a "virtually limitless supply of stolen or improperly used code signing certificates" in order to bypass Microsoft's Driver Signature Verification protections.

RansomHub's use of an improved version of POORTRY is notable given that the ransomware crew has also been observed using another EDR-killer tool dubbed EDRKillShifter this year.

That's not all. The ransomware group has also been detected utilizing a legitimate tool from Kaspersky called TDSSKiller to disarm EDR services on target systems, indicating that the threat actors are incorporating several programs with similar functionality in their attacks.

"It's important to recognize that threat actors have been consistently experimenting with different methods to disable EDR products — a trend we've been observing since at least 2022," Sophos told The Hacker News. "This experimentation can involve various tactics, such as exploiting vulnerable drivers or using certificates that have been unintentionally leaked or obtained through illegal means."

"While it might seem like there's a significant increase in these activities, it's more accurate to say that this is part of an ongoing process rather than a sudden rise."

"The use of different EDR-killer tools, such as EDRKillShifter by groups like RansomHub, likely reflects this ongoing experimentation. It's also possible that different affiliates are involved, which could explain the use of varied methods, though without specific information, we wouldn't want to speculate too much on that point."


Experts Identify 3 Chinese-Linked Clusters Behind Cyberattacks in Southeast Asia
11.9.24 
APT  The Hacker News
A trio of threat activity clusters linked to China has been observed compromising more government organizations in Southeast Asia as part of a renewed state-sponsored operation codenamed Crimson Palace, indicating an expansion in the scope of the espionage effort.

Cybersecurity firm Sophos, which has been monitoring the cyber offensive, said it comprises three intrusion sets tracked as Cluster Alpha (STAC1248), Cluster Bravo (STAC1870), and Cluster Charlie (STAC1305). STAC is an abbreviation for "security threat activity cluster."

"The attackers consistently used other compromised organizational and public service networks in that region to deliver malware and tools under the guise of a trusted access point," security researchers Mark Parsons, Morgan Demboski, and Sean Gallagher said in a technical report shared with The Hacker News.

A noteworthy aspect of the attacks is that they entail the use of an unnamed organization's systems as a command-and-control (C2) relay point and a staging ground for tools. A second organization's compromised Microsoft Exchange Server is said to have been used to host malware.

Crimson Palace was first documented by the cybersecurity company in early June 2024, with the attacks taking place between March 2023 and April 2024.

While initial activity associated with Cluster Bravo, which overlaps with a threat group called Unfading Sea Haze, was confined to March 2023, a new attack wave detected between January and June 2024 has been observed targeting 11 other organizations and agencies in the same region.


A set of new attacks orchestrated by Cluster Charlie, a cluster that's referred to as Earth Longzhi, has also been identified between September 2023 and June 2024, some of which also involve the deployment of different C2 frameworks like Cobalt Strike, Havoc, and XieBroC2 in order to facilitate post-exploitation and deliver additional payloads like SharpHound for Active Directory infrastructure mapping.

"Exfiltration of data of intelligence value was still an objective after the resumption of activity," the researchers said. "However, much of their effort appeared to be focused on re-establishing and extending their foothold on the target network by bypassing EDR software and rapidly re-establishing access when their C2 implants had been blocked."


Another significant aspect is Cluster Charlie's heavy reliance on DLL hijacking to execute malware, an approach previously adopted by threat actors behind Cluster Alpha, indicating a "cross-pollination" of tactics.

Some of the other open-source programs used by the threat actor include RealBlindingEDR and Alcatraz, which allow for terminating antivirus processes and obfuscating portable executable files (e.g., .exe, .dll, and .sys) with an aim to fly under the radar.

Rounding off the cluster's malware arsenal is a previously unknown keylogger codenamed TattleTale that was originally identified in August 2023 and is capable of collecting Google Chrome and Microsoft Edge browser data.

"The malware can fingerprint the compromised system and check for mounted physical and network drives by impersonating a logged-on user," the researchers explained.

"TattleTale also collects the domain controller name and steals the LSA (Local Security Authority) Query Information Policy, which is known to contain sensitive information related to password policies, security settings, and sometimes cached passwords."

In a nutshell, the three clusters work hand in hand, while simultaneously focusing on specific tasks in the attack chain: Infiltrating target environments and conducting reconnaissance (Alpha), burrowing deep into the networks using various C2 mechanisms (Bravo), and exfiltrating valuable data (Charlie).

"Throughout the engagement, the adversary appeared to continually test and refine their techniques, tools, and practices," the researchers concluded. "As we deployed countermeasures for their bespoke malware, they combined the use of their custom-developed tools with generic, open-source tools often used by legitimate penetration testers, testing different combinations."


New PIXHELL Attack Exploits LCD Screen Noise to Exfiltrate Data from Air-Gapped Computers
11.9.24 
Attack  The Hacker News

A new side-channel attack dubbed PIXHELL could be abused to target air-gapped computers by breaching the "audio gap" and exfiltrating sensitive information by taking advantage of the noise generated by pixels on an LCD screen.

"Malware in the air-gap and audio-gap computers generates crafted pixel patterns that produce noise in the frequency range of 0 - 22 kHz," Dr. Mordechai Guri, the head of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at the Ben Gurion University of the Negev in Israel, said in a newly published paper.

"The malicious code exploits the sound generated by coils and capacitors to control the frequencies emanating from the screen. Acoustic signals can encode and transmit sensitive information."

The attack is notable in that it doesn't require any specialized audio hardware, loudspeaker, or internal speaker on the compromised computer, instead relying on the LCD screen to generate acoustic signals.

Air-gapping is a crucial security measure designed to safeguard mission-critical environments against potential security threats by physically and logically isolating them from external networks (i.e., the internet). This is typically accomplished by disconnecting network cables, disabling wireless interfaces, and disabling USB connections.

That said, such defenses could be circumvented by means of a rogue insider or a compromise of the hardware or software supply chain. Another scenario could involve an unsuspecting employee plugging in an infected USB drive, deploying malware capable of triggering a covert data exfiltration channel.

"Phishing, malicious insiders, or other social engineering techniques may be employed to trick individuals with access to the air-gapped system into taking actions that compromise security, such as clicking on malicious links or downloading infected files," Dr. Guri said.

"Attackers may also use software supply chain attacks by targeting software application dependencies or third-party libraries. By compromising these dependencies, they can introduce vulnerabilities or malicious code that may go unnoticed during development and testing."

Like the recently demonstrated RAMBO attack, PIXHELL makes use of the malware deployed on the compromised host to create an acoustic channel for leaking information from audio-gapped systems.

This is made possible by the fact that LCD screens contain inductors and capacitors as part of their internal components and power supply, causing them to vibrate at an audible frequency that produces a high-pitched noise when electricity is passed through the coils, a phenomenon called coil whine.

Specifically, changes in power consumption can induce mechanical vibrations or piezoelectric effects in capacitors, producing audible noise. A crucial aspect that affects the consumption pattern is the number of pixels that are lit and their distribution across the screen, as white pixels require more power to display than dark pixels.

"Also, when alternating current (AC) passes through the screen capacitors, they vibrate at specific frequencies," Dr. Guri said. "The acoustic emanates are generated by the internal electric part of the LCD screen. Its characteristics are affected by the actual bitmap, pattern, and intensity of pixels projected on the screen."

"By carefully controlling the pixel patterns shown on our screen, our technique generates certain acoustic waves at specific frequencies from LCD screens."

An attacker could therefore leverage the technique to exfiltrate the data in the form of acoustic signals that are then modulated and transmitted to a nearby Windows or Android device, which can subsequently demodulate the packets and extract the information.

That said, it bears noting that the power and quality of the emanated acoustic signal depend on the specific screen structure, its internal power supply, and coil and capacitor locations, among other factors.

Another important thing to highlight is that the PIXHELL attack, by default, is visible to users looking at the LCD screen, given that it involves displaying a bitmap pattern comprising alternate black-and-white rows.

"To remain covert, attackers may use a strategy that transmits while the user is absent," Dr. Guri said. "For example, a so-called 'overnight attack' on the covert channels is maintained during the off-hours, reducing the risk of being revealed and exposed."

The attack, however, could be transformed into a stealthy one during working hours by reducing the pixel colors to very low values prior to transmission -- i.e., using RGB levels of (1,1,1), (3,3,3), (7,7,7), and (15,15,15) -- thereby giving the impression to the user that the screen is black.

But doing so has the side effect of "significantly" bringing down the sound production levels. Nor is the approach foolproof, as a user can still make out anomalous patterns if they look "carefully" at the screen.

This is not the first time audio-gap restrictions have been surmounted in an experimental setup. Prior studies undertaken by Dr. Guri and others have employed sounds generated by computer fans (Fansmitter), hard disk drives (Diskfiltration), CD/DVD drives (CD-LEAK), power supply units (POWER-SUPPLaY), and inkjet printers (Inkfiltration).

As countermeasures, it's recommended to use an acoustic jammer to neutralize the transmission, monitor the audio spectrum for unusual or uncommon signals, limit physical access to authorized personnel, prohibit the use of smartphones, and use an external camera for detecting unusual modulated screen patterns.
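The spectrum-monitoring countermeasure in the paragraph above, as an added example that is not code from the paper or the article: a pure-Python monitor that flags narrowband tones persisting across consecutive frames of a constructed microphone capture (synthetic noise plus a tone near 17 kHz; the sample rate, frame size and thresholds are assumptions).

```python
"""Audio-spectrum monitor for persistent narrowband tones.

Added example, not code from the PIXHELL paper or the article. It
synthesises a short "capture" (constructed sample, not a real recording)
of microphone noise plus a tone inside the 0-22 kHz band, then reports
any frequency that stands out above the noise floor for several frames
in a row, which is how an acoustic covert channel looks to a monitor.
"""
import cmath
import math
import random

SAMPLE_RATE = 44_100   # Hz; assumed microphone capture rate
FRAME = 1024           # samples per analysis frame (power of two)


def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even = fft(x[0::2])
    odd = fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def magnitude_spectrum(frame):
    """Hann-windowed one-sided magnitude spectrum of a single frame."""
    n = len(frame)
    windowed = [s * (0.5 - 0.5 * math.cos(2 * math.pi * i / n))
                for i, s in enumerate(frame)]
    return [abs(c) for c in fft(windowed)[: n // 2]]


def bin_to_hz(k, n=FRAME, rate=SAMPLE_RATE):
    """Centre frequency of FFT bin k."""
    return k * rate / n


def frame_tones(spectrum, ratio):
    """Bins standing out by `ratio` over the median bin, merged to one centre
    bin per contiguous group (a tone leaks into neighbouring bins)."""
    median = sorted(spectrum)[len(spectrum) // 2]
    loud = [k for k, m in enumerate(spectrum) if m > ratio * median]
    tones, group = [], []
    for k in loud:
        if group and k != group[-1] + 1:
            tones.append(max(group, key=lambda b: spectrum[b]))
            group = []
        group.append(k)
    if group:
        tones.append(max(group, key=lambda b: spectrum[b]))
    return tones


def persistent_tones(samples, min_frames=4, ratio=8.0, min_hz=0.0, max_hz=22_000.0):
    """Return [(hz, frames)] for tones present in >= min_frames consecutive frames."""
    runs = {}        # centre bin -> length of the current run of frames
    found = []

    def flush(k, n):
        if n >= min_frames and min_hz <= bin_to_hz(k) <= max_hz:
            found.append((bin_to_hz(k), n))

    for start in range(0, len(samples) - FRAME + 1, FRAME):
        present = set(frame_tones(magnitude_spectrum(samples[start:start + FRAME]), ratio))
        for k in list(runs):          # runs that ended in this frame
            if k not in present:
                flush(k, runs.pop(k))
        for k in present:
            runs[k] = runs.get(k, 0) + 1
    for k, n in runs.items():         # runs still open at end of capture
        flush(k, n)
    return sorted(found)


def constructed_capture(tone_bin=395, tone_frames=(5, 20), total_frames=30, seed=1):
    """Constructed sample: Gaussian room noise plus a tone centred on FFT bin
    `tone_bin` (395 -> about 17.0 kHz) during frames tone_frames[0]..tone_frames[1]-1."""
    rng = random.Random(seed)
    hz = bin_to_hz(tone_bin)
    samples = []
    for i in range(total_frames * FRAME):
        s = rng.gauss(0.0, 0.05)
        if tone_frames[0] * FRAME <= i < tone_frames[1] * FRAME:
            s += 0.5 * math.cos(2 * math.pi * hz * i / SAMPLE_RATE)
        samples.append(s)
    return samples


if __name__ == "__main__":
    for hz, frames in persistent_tones(constructed_capture()):
        print(f"persistent tone at {hz:.1f} Hz for {frames} frames "
              f"({frames * FRAME / SAMPLE_RATE:.2f} s)")
```

On a real deployment the capture would come from a microphone near the monitored screen, and the allowed band and persistence threshold would be tuned against the room's normal spectrum.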


Mustang Panda Deploys Advanced Malware to Spy on Asia-Pacific Governments
11.9.24 
APT  The Hacker News

The threat actor tracked as Mustang Panda has refined its malware arsenal to include new tools in order to facilitate data exfiltration and the deployment of next-stage payloads, according to new findings from Trend Micro.

The cybersecurity firm, which is monitoring the activity cluster under the name Earth Preta, said it observed "the propagation of PUBLOAD via a variant of the worm HIUPAN."

PUBLOAD is a known downloader malware linked to Mustang Panda since early 2022, deployed as part of cyber attacks targeting government entities in the Asia-Pacific (APAC) region to deliver the PlugX malware.

"PUBLOAD was also used to introduce supplemental tools into the targets' environment, such as FDMTP to serve as a secondary control tool, which was observed to perform similar tasks as that of PUBLOAD; and PTSOCKET, a tool used as an alternative exfiltration option," security researchers Lenart Bermejo, Sunny Lu, and Ted Lee said.

Mustang Panda's use of removable drives as a propagation vector for HIUPAN was previously documented by Trend Micro in March 2023. It's tracked by Google-owned Mandiant as MISTCLOAK, which it observed in connection with a cyber espionage campaign targeting the Philippines that may have commenced as far back as September 2021.

PUBLOAD is equipped with features to conduct reconnaissance of the infected network and harvest files of interest (.doc, .docx, .xls, .xlsx, .pdf, .ppt, and .pptx), while also serving as a conduit for a new hacking tool dubbed FDMTP, which is a "simple malware downloader" implemented based on TouchSocket over Duplex Message Transport Protocol (DMTP).

The captured information is compressed into a RAR archive and exfiltrated to an attacker-controlled FTP site via cURL. Alternatively, Mustang Panda has also been observed deploying a custom program named PTSOCKET that can transfer files in multi-threaded mode.


Furthermore, Trend Micro has attributed the adversary to a "fast-paced" spear-phishing campaign that it detected in June 2024 as distributing email messages containing a .url attachment, which, when launched, is used to deliver a signed downloader dubbed DOWNBAIT.

The campaign is believed to have targeted Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan based on the filenames and content of the decoy documents used.

DOWNBAIT is a first-stage loader tool that's used to retrieve and execute the PULLBAIT shellcode in memory, which subsequently downloads and runs the first-stage backdoor referred to as CBROVER.

The implant, for its part, supports file download and remote shell execution capabilities, alongside acting as a delivery vehicle for the PlugX remote access trojan (RAT). PlugX then takes care of deploying another bespoke file collector called FILESAC that can collect the victim's files.

The disclosure comes as Palo Alto Networks Unit 42 detailed Mustang Panda's abuse of Visual Studio Code's embedded reverse shell feature to gain a foothold in target networks, indicating that the threat actor is actively tweaking its modus operandi.

"Earth Preta has shown significant advancements in their malware deployment and strategies, particularly in their campaigns targeting government entities," the researchers said. "The group has evolved their tactics, [...] leveraging multi-stage downloaders (from DOWNBAIT to PlugX) and possibly exploiting Microsoft's cloud services for data exfiltration."


New RAMBO Attack Uses RAM Radio Signals to Steal Data from Air-Gapped Networks
11.9.24 
Attack  The Hacker News

A novel side-channel attack has been found to leverage radio signals emanated by a device's random access memory (RAM) as a data exfiltration mechanism, posing a threat to air-gapped networks.

The technique has been codenamed RAMBO (short for "Radiation of Air-gapped Memory Bus for Offense") by Dr. Mordechai Guri, the head of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at the Ben Gurion University of the Negev in Israel.

"Using software-generated radio signals, malware can encode sensitive information such as files, images, keylogging, biometric information, and encryption keys," Dr. Guri said in a newly published research paper.

"With software-defined radio (SDR) hardware, and a simple off-the-shelf antenna, an attacker can intercept transmitted raw radio signals from a distance. The signals can then be decoded and translated back into binary information."

Over the years, Dr. Guri has concocted various mechanisms to extract confidential data from offline networks by taking advantage of Serial ATA cables (SATAn), MEMS gyroscope (GAIROSCOPE), LEDs on network interface cards (ETHERLED), and dynamic power consumption (COVID-bit).

Some of the other unconventional approaches devised by the researcher entail leaking data from air-gapped networks via covert acoustic signals generated by graphics processing unit (GPU) fans (GPU-FAN), (ultra)sonic waves produced by built-in motherboard buzzers (EL-GRILLO), and even printer display panels and status LEDs (PrinterLeak).

Last year, Dr. Guri also demonstrated AirKeyLogger, a hardwareless radio frequency keylogging attack that weaponizes radio emissions from a computer's power supply to exfiltrate real-time keystroke data to a remote attacker.

"To leak confidential data, the processor's working frequencies are manipulated to generate a pattern of electromagnetic emissions from the power unit modulated by keystrokes," Dr. Guri noted in the study. "The keystroke information can be received at distances of several meters away via an RF receiver or a smartphone with a simple antenna."

As with all attacks of this kind, RAMBO requires the air-gapped network to first be compromised through other means – such as a rogue insider, poisoned USB drives, or a supply chain attack – so that the malware can trigger the covert data exfiltration channel.

RAMBO is no exception in that the malware is used to manipulate RAM such that it can generate radio signals at clock frequencies, which are then encoded using Manchester encoding and transmitted so as to be received from a distance away.

The encoded data can include keystrokes, documents, and biometric information. An attacker on the other end can then leverage SDR to receive the electromagnetic signals, demodulate and decode the data, and retrieve the exfiltrated information.

"The malware utilizes electromagnetic emissions from the RAM to modulate the information and transmit it outward," Dr. Guri said. "A remote attacker with a radio receiver and antenna can receive the information, demodulate it, and decode it into its original binary or textual representation."

The technique could be used to leak data from air-gapped computers running Intel i7 3.6GHz CPUs and 16 GB RAM at 1,000 bits per second, the research found, with keystrokes being exfiltrated in real-time with 16 bits per key.

"A 4096-bit RSA encryption key can be exfiltrated at 41.96 sec at a low speed and 4.096 bits at a high speed," Dr. Guri said. "Biometric information, small files (.jpg), and small documents (.txt and .docx) require 400 seconds at the low speed to a few seconds at the fast speeds."

"This indicates that the RAMBO covert channel can be used to leak relatively brief information over a short period."

Countermeasures to block the attack include enforcing "red-black" zone restrictions for information transfer, using an intrusion detection system (IDS), monitoring hypervisor-level memory access, using radio jammers to block wireless communications, and using a Faraday cage.


Blind Eagle Targets Colombian Insurance Sector with Customized Quasar RAT
9.9.24 
Virus  The Hacker News

Since June 2024, the Colombian insurance sector has been the target of a threat actor tracked as Blind Eagle, with the end goal of delivering a customized version of the commodity remote access trojan (RAT) known as Quasar RAT.

"Attacks have originated with phishing emails impersonating the Colombian tax authority," Zscaler ThreatLabz researcher Gaetano Pellegrino said in a new analysis published last week.

The advanced persistent threat (APT), also known as AguilaCiega, APT-C-36, and APT-Q-98, has a track record of focusing on organizations and individuals in South America, particularly related to the government and finance sectors in Colombia and Ecuador.

The attack chains, as recently documented by Kaspersky, originate with phishing emails that entice recipients into clicking on malicious links that serve as the launchpad for the infection process.

The links, either embedded within a PDF attachment or directly in the email body, point to ZIP archives hosted on a Google Drive folder associated with a compromised account that belongs to a regional government organization in Colombia.

"The lure used by Blind Eagle involved sending a notification to the victim, claiming to be a seizure order due to outstanding tax payments," Pellegrino noted. "This is intended to create a sense of urgency and pressure the victim into taking immediate action."


The archive contains within it a Quasar RAT variant dubbed BlotchyQuasar, which packs in additional layers of obfuscation using tools like DeepSea or ConfuserEx to hinder analysis and reverse engineering efforts. It was previously detailed by IBM X-Force in July 2023.

The malware includes capabilities to log keystrokes, execute shell commands, steal data from web browsers and FTP clients, and monitor a victim's interactions with specific banking and payment services located in Colombia and Ecuador.

It also leverages Pastebin as a dead-drop resolver to fetch the command-and-control (C2) domain, with the threat actor leveraging Dynamic DNS (DDNS) services to host the C2 domain.

"Blind Eagle typically shields its infrastructure behind a combination of VPN nodes and compromised routers, primarily located in Colombia," Pellegrino said. "This attack demonstrates the continued use of this strategy."


Chinese Hackers Exploit Visual Studio Code in Southeast Asian Cyberattacks
9.9.24 
APT  The Hacker News
The China-linked advanced persistent threat (APT) group known as Mustang Panda has been observed weaponizing Visual Studio Code software as part of espionage operations targeting government entities in Southeast Asia.

"This threat actor used Visual Studio Code's embedded reverse shell feature to gain a foothold in target networks," Palo Alto Networks Unit 42 researcher Tom Fakterman said in a report, describing it as a "relatively new technique" that was first demonstrated in September 2023 by Truvis Thornton.

The campaign is assessed to be a continuation of a previously documented attack activity aimed at an unnamed Southeast Asian government entity in late September 2023.

Mustang Panda, also known by the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, and Red Lich, has been operational since 2012, routinely conducting cyber espionage campaigns targeting government and religious entities across Europe and Asia, particularly those located in South China Sea countries.

The latest observed attack sequence is notable for its abuse of Visual Studio Code's reverse shell to execute arbitrary code and deliver additional payloads.

"To abuse Visual Studio Code for malicious purposes, an attacker can use the portable version of code.exe (the executable file for Visual Studio Code), or an already installed version of the software," Fakterman noted. "By running the command code.exe tunnel, an attacker receives a link that requires them to log into GitHub with their own account."


Once this step is complete, the attacker is redirected to a Visual Studio Code web environment that's connected to the infected machine, allowing them to run commands or create new files.
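A detection for the code.exe tunnel launch described above, as an added example that is not code from Unit 42's report: it scans constructed process-creation records (an assumed JSON-lines schema with Sysmon-like field names; all hosts, users and paths are made up) and flags code.exe started with the tunnel subcommand, with an allow-list for users whose tunnel use is expected.

```python
"""Detection of Visual Studio Code tunnel launches in process-creation logs.

Added example, not code from Unit 42's report. The log schema (JSON lines
with Sysmon-like field names) and every host, user and path below are
constructed for illustration.
"""
import json
import ntpath
import shlex

# Image names the report mentions: the portable or installed VS Code binary.
VSCODE_IMAGES = {"code.exe"}


def parse_command_line(cmdline):
    """Tokenise a Windows command line; quoted paths with spaces stay one token."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:            # unbalanced quotes: fall back to a plain split
        tokens = cmdline.split()
    return [t.strip('"') for t in tokens]


def is_vscode_tunnel(image, cmdline):
    """True when the process is code.exe started with the 'tunnel' subcommand."""
    if ntpath.basename(image).lower() not in VSCODE_IMAGES:
        return False
    # Whole-token match: 'tunnel' as an argument, not a substring of a file name.
    return any(tok.lower() == "tunnel" for tok in parse_command_line(cmdline)[1:])


def scan_process_log(lines, allowed_users=frozenset()):
    """Return the process-creation records that launch a VS Code tunnel,
    skipping accounts on an allow-list of known legitimate tunnel use."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("User") in allowed_users:
            continue
        if is_vscode_tunnel(ev.get("Image", ""), ev.get("CommandLine", "")):
            hits.append(ev)
    return hits


# Constructed records: one benign editor launch, one portable code.exe tunnel on
# a server, a cmd.exe decoy, an installed-copy tunnel, and a file named tunnel.txt.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-09-01 10:12:03", "Host": "WS-ALICE", "User": r"CORP\alice",
     "Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" C:\src\app'},
    {"UtcTime": "2024-09-01 10:15:41", "Host": "SRV-FILE01", "User": r"CORP\svc_backup",
     "Image": r"C:\ProgramData\tmp\code.exe",
     "CommandLine": r"C:\ProgramData\tmp\code.exe tunnel"},
    {"UtcTime": "2024-09-01 10:16:02", "Host": "WS-BOB", "User": r"CORP\bob",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo tunnel"},
    {"UtcTime": "2024-09-01 10:20:17", "Host": "WS-CAROL", "User": r"CORP\carol",
     "Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\Code.exe" tunnel'},
    {"UtcTime": "2024-09-01 10:21:55", "Host": "WS-DAVE", "User": r"CORP\dave",
     "Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\notes\tunnel.txt'},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


if __name__ == "__main__":
    for ev in scan_process_log(SAMPLE_LOG.splitlines()):
        print(f"{ev['UtcTime']} {ev['Host']} {ev['User']}: {ev['CommandLine']}")
```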

It's worth pointing out that the malicious use of this technique was previously highlighted by Dutch cybersecurity firm mnemonic in connection with zero-day exploitation of a vulnerability in Check Point's Network Security gateway products (CVE-2024-24919, CVSS score: 8.6) earlier this year.

Unit 42 said the Mustang Panda actor leveraged the mechanism to deliver malware, perform reconnaissance, and exfiltrate sensitive data. Furthermore, the attacker is said to have used OpenSSH to execute commands, transfer files, and spread across the network.

That's not all. A closer analysis of the infected environment has revealed a second cluster of activity "occurring simultaneously and at times even on the same endpoints" that utilized the ShadowPad malware, a modular backdoor widely shared by Chinese espionage groups.

It's currently unclear if these two intrusion sets are related to one another, or if two different groups are "piggybacking on each other's access."

"Based on the forensic evidence and timeline, one could conclude that these two clusters originated from the same threat actor (Stately Taurus)," Fakterman said. "However, there could be other possible explanations that can account for this connection, such as a collaborative effort between two Chinese APT threat actors."


Progress Software Issues Patch for Vulnerability in LoadMaster and MT Hypervisor
9.9.24 
Vulnerability  The Hacker News
Progress Software has released security updates for a maximum-severity flaw in LoadMaster and Multi-Tenant (MT) hypervisor that could result in the execution of arbitrary operating system commands.

Tracked as CVE-2024-7591 (CVSS score: 10.0), the vulnerability has been described as an improper input validation bug that results in OS command injection.

"It is possible for unauthenticated, remote attackers who have access to the management interface of LoadMaster to issue a carefully crafted http request that will allow arbitrary system commands to be executed," the company said in an advisory last week.

"This vulnerability has been closed by sanitizing request user input to mitigate arbitrary system commands execution."

The flaw affects the following versions -

LoadMaster (7.2.60.0 and all prior versions)
Multi-Tenant Hypervisor (7.1.35.11 and all prior versions)

Security researcher Florian Grunow has been credited with discovering and reporting the flaw. Progress said it has found no evidence of the vulnerability being exploited in the wild.

That said, it's recommended that users apply the latest fixes as soon as possible by downloading an add-on package. The update can be installed by navigating to System Configuration > System Administration > Update Software.

"We are encouraging all customers to upgrade their LoadMaster implementations as soon as possible to harden their environment," the company said. "We also strongly recommend that customers follow our security hardening guidelines."


New Android SpyAgent Malware Uses OCR to Steal Crypto Wallet Recovery Keys
9.9.24 
Virus  The Hacker News
Android device users in South Korea have emerged as a target of a new mobile malware campaign that delivers a new type of threat dubbed SpyAgent.

The malware "targets mnemonic keys by scanning for images on your device that might contain them," McAfee Labs researcher SangRyol Ryu said in an analysis, adding the targeting footprint has broadened in scope to include the U.K.

The campaign makes use of bogus Android apps that are disguised as seemingly legitimate banking, government facilities, streaming, and utility apps in an attempt to trick users into installing them. As many as 280 fake applications have been detected since the start of the year.

It all starts with SMS messages bearing booby-trapped links that urge users to download the apps in question in the form of APK files hosted on deceptive sites. Once installed, they are designed to request intrusive permissions to collect data from the devices.

This includes contacts, SMS messages, photos, and other device information, all of which is then exfiltrated to an external server under the threat actor's control.


The most notable feature is its ability to leverage optical character recognition (OCR) to steal mnemonic keys, which refer to a recovery or seed phrase that allows users to regain access to their cryptocurrency wallets.

Unauthorized access to the mnemonic keys could, therefore, allow threat actors to take control of the victims' wallets and siphon all the funds stored in them.

McAfee Labs said the command-and-control (C2) infrastructure suffered from serious security lapses that not only allowed navigating to the site's root directory without authentication, but also left exposed the gathered data from victims.

The server also hosts an administrator panel that acts as a one-stop shop to remotely commandeer the infected devices. The presence of an Apple iPhone device running iOS 15.8.2 with system language set to Simplified Chinese ("zh") in the panel is a sign that it may also be targeting iOS users.


"Originally, the malware communicated with its command-and-control (C2) server via simple HTTP requests," Ryu said. "While this method was effective, it was also relatively easy for security tools to track and block."

"In a significant tactical shift, the malware has now adopted WebSocket connections for its communications. This upgrade allows for more efficient, real-time, two-way interactions with the C2 server and helps it avoid detection by traditional HTTP-based network monitoring tools."

The development comes a little over a month after Group-IB exposed another Android remote access trojan (RAT) referred to as CraxsRAT targeting banking users in Malaysia since at least February 2024 using phishing websites. It's worth pointing out that CraxsRAT campaigns have also been previously found to have targeted Singapore no later than April 2023.

"CraxsRAT is a notorious malware family of Android Remote Administration Tools (RAT) that features remote device control and spyware capabilities, including keylogging, performing gestures, recording cameras, screens, and calls," the Singaporean company said.

"Victims that downloaded the apps containing CraxsRAT android malware will experience credentials leakage and their funds withdrawal illegitimately."


TIDRONE Espionage Group Targets Taiwan Drone Makers in Cyber Campaign
9.9.24 
BigBrothers  The Hacker News
A previously undocumented threat actor with likely ties to Chinese-speaking groups has predominantly singled out drone manufacturers in Taiwan as part of a cyber attack campaign that commenced in 2024.

Trend Micro is tracking the adversary under the moniker TIDRONE, stating the activity is espionage-driven given the focus on military-related industry chains.

The exact initial access vector used to breach targets is presently unknown, with Trend Micro's analysis uncovering the deployment of custom malware such as CXCLNT and CLNTEND using remote desktop tools like UltraVNC.

An interesting commonality observed across different victims is the presence of the same enterprise resource planning (ERP) software, raising the possibility of a supply chain attack.

The attack chains subsequently go through three different stages that are designed to facilitate privilege escalation by means of a User Account Control (UAC) bypass, credential dumping, and defense evasion by disabling antivirus products installed on the hosts.


Both backdoors are initiated by sideloading a rogue DLL via the Microsoft Word application, allowing the threat actors to harvest a wide range of sensitive information.

CXCLNT comes equipped with basic upload and download file capabilities, as well as features for clearing traces, collecting victim information such as file listings and computer names, and downloading next-stage portable executable (PE) and DLL files for execution.

CLNTEND, first detected in April 2024, is a recently discovered remote access tool (RAT) that supports a wider range of network protocols for communication, including TCP, HTTP, HTTPS, TLS, and SMB (port 445).

"The consistency in file compilation times and the threat actor's operation time with other Chinese espionage-related activities supports the assessment that this campaign is likely being carried out by an as-yet unidentified Chinese-speaking threat group," security researchers Pierre Lee and Vickie Su said.


U.S. Offers $10 Million for Info on Russian Cadet Blizzard Hackers Behind Major Attacks
9.9.24 
BigBrothers  The Hacker News
The U.S. government and a coalition of international partners have officially attributed a Russian hacking group tracked as Cadet Blizzard to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).

"These cyber actors are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020," the agencies said.

"Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine."

The attacks have focused on critical infrastructure and key resource sectors, including the government services, financial services, transportation systems, energy, and healthcare sectors of North Atlantic Treaty Organization (NATO) members, the European Union, and Central American and Asian countries.

The joint advisory, released last week as part of a coordinated exercise dubbed Operation Toy Soldier, comes from cybersecurity and intelligence authorities in the U.S., the Netherlands, the Czech Republic, Germany, Estonia, Latvia, Ukraine, Canada, Australia, and the U.K.

Cadet Blizzard, also known as Ember Bear, FROZENVISTA, Nodaria, Ruinous Ursa, UAC-0056, and UNC2589, gained attention in January 2022 for deploying the destructive WhisperGate (aka PAYWIPE) malware against multiple Ukrainian victim organizations in advance of Russia's full-blown military invasion of the country.

Back in June 2024, a 22-year-old Russian national named Amin Timovich Stigal was indicted in the U.S. for his alleged role in staging destructive cyber attacks against Ukraine using the wiper malware. That said, the use of WhisperGate is said to be not unique to the group.

The U.S. Department of Justice (DoJ) has since charged five officers associated with Unit 29155 for conspiracy to commit computer intrusion and wire fraud conspiracy against targets in Ukraine, the U.S. and 25 other NATO countries.

The names of the five officers are listed below -

Yuriy Denisov (Юрий Денисов), a colonel in the Russian military and a commanding officer of Cyber Operations for Unit 29155
Vladislav Borovkov (Владислав Боровков), Denis Denisenko (Денис Денисенко), Dmitriy Goloshubov (Дима Голошубов), and Nikolay Korchagin (Николай Корчагин), lieutenants in the Russian military assigned to Unit 29155 who worked on cyber operations

"The defendants did so in order to sow concern among Ukrainian citizens regarding the safety of their government systems and personal data," the DoJ said. "The defendants' targets included Ukrainian Government systems and data with no military or defense-related roles. Later targets included computer systems in countries around the world that were providing support to Ukraine."


Concurrent with the indictment, the U.S. Department of State's Rewards for Justice program has announced a reward of up to $10 million for information on any of the defendants' locations or their malicious cyber activity.

Indications are that Unit 29155 is responsible for attempted coups, sabotage, and influence operations, and assassination attempts throughout Europe, with the adversary broadening their horizons to include offensive cyber operations since at least 2020.

The end goal of these cyber intrusions is to collect sensitive information for espionage purposes, inflict reputational harm by leaking said data, and orchestrate destructive operations that aim to sabotage systems containing valuable data.

Unit 29155, per the advisory, is believed to comprise junior, active-duty GRU officers, who also rely on known cybercriminals and other civilian enablers such as Stigal to facilitate their missions.

These comprise website defacements, infrastructure scanning, data exfiltration, and data leak operations that involve releasing the information on public website domains or selling it to other actors.

Attack chains commence with scanning activity that leverages known security flaws in Atlassian Confluence Server and Data Center, Dahua Security, and Sophos' firewall to breach victim environments, followed by using Impacket for post-exploitation and lateral movement, and ultimately exfiltrating data to dedicated infrastructure.

"Cyber actors may have used Raspberry Robin malware in the role of an access broker," the agencies noted. "Cyber actors targeted victims' Microsoft Outlook Web Access (OWA) infrastructure with password spraying to obtain valid usernames and passwords."

Organizations are recommended to prioritize routine system updates and remediate known exploited vulnerabilities, segment networks to prevent the spread of malicious activity, and enforce phishing-resistant multi-factor authentication (MFA) for all externally facing account services.


North Korean Threat Actors Deploy COVERTCATCH Malware via LinkedIn Job Scams
8.9.24 
APT  The Hacker News

Threat actors affiliated with North Korea have been observed leveraging LinkedIn as a way to target developers as part of a fake job recruiting operation.

These attacks employ coding tests as a common initial infection vector, Google-owned Mandiant said in a new report about threats faced by the Web3 sector.

"After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge," researchers Robert Wallace, Blas Kojusner, and Joseph Dobson said.

The malware functions as a launchpad to compromise the target's macOS system by downloading a second-stage payload that establishes persistence via Launch Agents and Launch Daemons.

It's worth pointing out that this is one of many activity clusters – namely Operation Dream Job, Contagious Interview, and others – undertaken by North Korean hacking groups that make use of job-related decoys to infect targets with malware.

Recruiting-themed lures have also been a prevalent tactic to deliver malware families such as RustBucket and KANDYKORN. It's currently not clear if COVERTCATCH has any connection to these strains, or the newly identified TodoSwift.

Mandiant said it observed a social engineering campaign that delivered a malicious PDF disguised as a job description for a "VP of Finance and Operations" at a prominent cryptocurrency exchange.

"The malicious PDF dropped a second-stage malware known as RustBucket which is a backdoor written in Rust that supports file execution."

The RustBucket implant is equipped to harvest basic system information, communicate with a URL provided via the command-line, and set up persistence using a Launch Agent that disguises itself as a "Safari Update" in order to contact a hard-coded command-and-control (C2) domain.

North Korea's targeting of Web3 organizations also goes beyond social engineering to encompass software supply chain attacks, as observed in the incidents aimed at 3CX and JumpCloud in recent years.

"Once a foothold is established via malware, the attackers pivot to password managers to steal credentials, perform internal reconnaissance via code repos and documentation, and pivot into the cloud hosting environment to reveal hot wallet keys and eventually drain funds," Mandiant said.

The disclosure comes amid a warning from the U.S. Federal Bureau of Investigation (FBI) about North Korean threat actors' targeting of the cryptocurrency industry using "highly tailored, difficult-to-detect social engineering campaigns."

These ongoing efforts, which impersonate recruiting firms or individuals that a victim may know personally or indirectly with offers of employment or investment, are seen as a conduit for brazen crypto heists that are designed to generate illicit income for the hermit kingdom, which has been the subject of international sanctions.

Notable among the tactics employed are identifying cryptocurrency-related businesses of interest, conducting extensive pre-operational research on targets before initiating contact, and concocting personalized fake scenarios in an attempt to appeal to prospective victims and increase the likelihood of success.

"The actors may reference personal information, interests, affiliations, events, personal relationships, professional connections, or details a victim may believe are known to few others," the FBI said, highlighting attempts to build rapport and eventually deliver malware.

"If successful in establishing bidirectional contact, the initial actor, or another member of the actor's team, may spend considerable time engaging with the victim to increase the sense of legitimacy and engender familiarity and trust."


FBI Cracks Down on Dark Web Marketplace Managed by Russian and Kazakh Nationals
8.9.24 
BigBrothers  The Hacker News

Two men have been indicted in the U.S. for their alleged involvement in managing a dark web marketplace called WWH Club that specializes in the sale of sensitive personal and financial information.

Alex Khodyrev, a 35-year-old Kazakhstan national, and Pavel Kublitskii, a 37-year-old Russian national, have been charged with conspiracy to commit access device fraud and conspiracy to commit wire fraud.

Khodyrev and Kublitskii, between 2014 and 2024, acted as the main administrators of WWH Club (wwh-club[.]ws) and various other sister sites – wwh-club[.]net, center-club[.]pw, opencard[.]pw, skynetzone[.]org – that functioned as dark web marketplaces, forums, and training centers to enable cybercrime.

The indictment follows an investigation launched by the U.S. Federal Bureau of Investigation (FBI) in July 2020 after determining that WWH Club's primary domain (wwh-club[.]ws) resolved to an IP address belonging to DigitalOcean, allowing them to issue a federal search warrant to the infrastructure company.

"WWH Club and sister site members used the marketplaces to buy and sell stolen personal identifying information (PII), credit card and bank account information, and computer passwords, among other sensitive information," the U.S. Department of Justice (DoJ) said.

The forums, on the other hand, acted as a hotspot for discussions on best practices for committing fraud, launching cyber attacks, and evading law enforcement.

Furthermore, the darknet marketplace offered online courses for aspiring and active cyber criminals on how to conduct fraud. The advertised cost of the course ranged from 10,000 rubles to 60,000 rubles (about $110 to $664 as of September 7, 2024) plus an additional $200 for training materials.

Court documents show that undercover FBI agents signed up for the site and paid approximately $1,000 in bitcoin to attend a training course offered by the platform that included topics such as the sale of sensitive information, DDoS and hacking services, credit card skimmers, and brute-force programs.

"The training was conducted through a chat function on the forum to a class of approximately 50 students; the various instructors provided training in text format rather than audible instruction," the criminal complaint reads. "It was apparent the purpose of the training was to educate individuals on how to obtain and use stolen credit card data and PII to generate fraudulent proceeds."

WWH Club is estimated to have had 353,000 users worldwide as of March 2023, up from 170,000 registered users in July 2020. Both Khodyrev and Kublitskii are believed to have profited from the membership fees, tuition fees, and advertising revenue.

Flashpoint, in a report published last month, said WWH Club remains operational despite the law enforcement effort, and that "its other administrators are attempting to distance themselves from Kublitskii and Khodyrev."

Khodyrev and Kublitskii "had been living in Miami for the past two years, while secretly continuing to administer WWH Club and its sister dark web marketplaces, forums, and schools," the DoJ said.

If convicted on all counts, they could each face up to 20 years in federal prison. The indictment also requires the forfeiture of Khodyrev's 2023 Mercedes-Benz G63 AMG sport utility vehicle and Kublitskii's 2020 Cadillac CT5 Sport sedan, which are said to have been purchased using proceeds from their criminal enterprise.


SonicWall Urges Users to Patch Critical Firewall Flaw Amid Possible Exploitation
7.9.24 
Vulnerability  The Hacker News
SonicWall has revealed that a recently patched critical security flaw impacting SonicOS may have come under active exploitation, making it essential that users apply the patches as soon as possible.

The vulnerability, tracked as CVE-2024-40766, carries a CVSS score of 9.3 out of a maximum of 10.

"An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash," SonicWall said in an updated advisory.

With the latest development, the company has revealed that CVE-2024-40766 also impacts the firewall's SSLVPN feature. The issue has been addressed in the below versions -

SOHO (Gen 5 Firewalls) - 5.9.2.14-13o
Gen 6 Firewalls - 6.5.2.8-2n (for SM9800, NSsp 12400, and NSsp 12800) and 6.5.4.15.116n (for other Gen 6 Firewall appliances)

The network security vendor has since updated the bulletin to reflect the possibility that it may have been actively exploited.

"This vulnerability is potentially being exploited in the wild," it added. "Please apply the patch as soon as possible for affected products."

As temporary mitigations, it's recommended to restrict firewall management to trusted sources or disable firewall WAN management from Internet access. For SSLVPN, it's advised to limit access to trusted sources, or disable internet access altogether.

Additional mitigations include enabling multi-factor authentication (MFA) with one-time passwords (OTPs) for all SSLVPN users. Customers running Gen 5 and Gen 6 firewalls whose SSLVPN users have locally managed accounts are also advised to update those passwords immediately to prevent unauthorized access.

There are currently no details about how the flaw may have been weaponized in the wild, but Chinese threat actors have, in the past, exploited unpatched SonicWall Secure Mobile Access (SMA) 100 appliances to establish long-term persistence.


GeoServer Vulnerability Targeted by Hackers to Deliver Backdoors and Botnet Malware
7.9.24 
BotNet  The Hacker News
A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk.

The security vulnerability is a critical remote code execution bug (CVE-2024-36401, CVSS score: 9.8) that could allow malicious actors to take over susceptible instances.

In mid-July, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The Shadowserver Foundation said it detected exploitation attempts against its honeypot sensors starting July 9, 2024.

According to Fortinet FortiGuard Labs, the flaw has been observed to deliver GOREVERSE, a reverse proxy server designed to establish a connection with a command-and-control (C2) server for post-exploitation activity.

These attacks are said to target IT service providers in India, technology companies in the U.S., government entities in Belgium, and telecommunications companies in Thailand and Brazil.

The GeoServer flaw has also served as a conduit for Condi and a Mirai botnet variant dubbed JenX, and for at least four types of cryptocurrency miners, one of which is retrieved from a fake website that impersonates the Institute of Chartered Accountants of India (ICAI).

Perhaps the most notable of the attack chains leveraging the flaw is the one that propagates an advanced Linux backdoor called SideWalk, which is attributed to a Chinese threat actor tracked as APT41.

The starting point is a shell script that's responsible for downloading the ELF binaries for ARM, MIPS, and X86 architectures, which, in turn, extract the C2 server from an encrypted configuration, connect to it, and receive further commands for execution on the compromised device.

This includes running a legitimate tool known as Fast Reverse Proxy (FRP) to evade detection by creating an encrypted tunnel from the host to the attacker-controlled server, allowing for persistent remote access, data exfiltration, and payload deployment.

"The primary targets appear to be distributed across three main regions: South America, Europe, and Asia," security researchers Cara Lin and Vincent Li said.

"This geographical spread suggests a sophisticated and far-reaching attack campaign, potentially exploiting vulnerabilities common to these diverse markets or targeting specific industries prevalent in these areas."

The development comes as CISA this week added to its KEV catalog two flaws found in 2021 in DrayTek VigorConnect (CVE-2021-20123 and CVE-2021-20124, CVSS scores: 7.5) that could be exploited to download arbitrary files from the underlying operating system with root privileges.


GitHub Actions Vulnerable to Typosquatting, Exposing Developers to Hidden Malicious Code
7.9.24 
Vulnerability  The Hacker News

Threat actors have long leveraged typosquatting as a means to trick unsuspecting users into visiting malicious websites or downloading booby-trapped software and packages.

These attacks typically involve registering domains or packages with names slightly altered from their legitimate counterparts (e.g., goog1e.com vs. google.com).

Adversaries targeting open-source repositories across platforms have relied on developers making typing errors to initiate software supply chain attacks through PyPI, npm, Maven Central, NuGet, RubyGems, and Crate.

The latest findings from cloud security firm Orca show that even GitHub Actions, a continuous integration and continuous delivery (CI/CD) platform, is not immune from the threat.

"If developers make a typo in their GitHub Action that matches a typosquatter's action, applications could be made to run malicious code without the developer even realizing," security researcher Ofir Yakobi said in a report shared with The Hacker News.

The attack is possible because anyone can publish a GitHub Action by creating a GitHub account with a temporary email address. Given that actions run within the context of a user's repository, a malicious action could be used to tamper with the source code, steal secrets, and deliver malware.

All that the technique involves is for the attacker to create organizations and repositories with names that closely resemble popular or widely-used GitHub Actions.

If a user makes inadvertent spelling errors when setting up a GitHub action for their project and that misspelled version has already been created by the adversary, then the user's workflow will run the malicious action as opposed to the intended one.

"Imagine an action that exfiltrates sensitive information or modifies code to introduce subtle bugs or backdoors, potentially affecting all future builds and deployments," Yakobi said.

"In fact, a compromised action can even leverage your GitHub credentials to push malicious changes to other repositories within your organization, amplifying the damage across multiple projects."

Orca said that a search on GitHub revealed as many as 198 files that invoke "action/checkout" or "actons/checkout" instead of "actions/checkout" (note the missing "s" and "i"), putting all those projects at risk.

This form of typosquatting is appealing to threat actors because it's a low-cost, high-impact attack that could result in powerful software supply chain compromises, affecting several downstream customers all at once.

Users are advised to double-check actions and their names to ensure they are referencing the correct GitHub organization, stick to actions from trusted sources, and periodically scan their CI/CD workflows for typosquatting issues.
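The "periodically scan your CI/CD workflows" advice above can be automated: pull every `uses:` reference out of a workflow, accept exact matches against a vetted allowlist, and flag anything within a couple of edits of a vetted name as a likely typosquat. The following added example (not code from Orca or GitHub) does this over a constructed workflow that includes the two misspellings the article cites; the allowlist contents are an assumption, and the commit-SHA pinning check goes slightly beyond the text as a related hardening step.

```python
import re
from typing import Dict, List

# Popular actions a team has vetted (assumed allowlist; extend it with what
# your organisation actually uses). Names are compared case-insensitively.
TRUSTED_ACTIONS = {
    "actions/checkout", "actions/setup-node", "actions/setup-python",
    "actions/cache", "actions/upload-artifact", "actions/download-artifact",
    "github/codeql-action", "docker/login-action",
}

# Constructed sample workflow (not from the Orca report). It mixes correct
# references with the "actons/checkout" and "action/..." misspellings the article mentions.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actons/checkout@v4
      - uses: action/setup-node@v4
        with:
          node-version: 20
      - uses: ./.github/actions/local-step
      - uses: someorg/obscure-action@main
      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
MAX_EDITS = 2  # edit distance at or below which a name counts as a near-miss


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_uses(ref: str) -> Dict[str, object]:
    """Classify one `uses:` reference as local, trusted, typosquat or unknown."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return {"uses": ref, "status": "local", "suggestion": None, "pinned": None}
    target, _, version = ref.partition("@")
    owner_repo = "/".join(target.split("/")[:2]).lower()  # drop any sub-path
    pinned = bool(SHA_RE.match(version))  # full commit SHA, not a movable tag/branch
    if owner_repo in TRUSTED_ACTIONS:
        return {"uses": ref, "status": "trusted", "suggestion": None, "pinned": pinned}
    best = min(TRUSTED_ACTIONS, key=lambda t: edit_distance(owner_repo, t))
    if edit_distance(owner_repo, best) <= MAX_EDITS:
        # A few keystrokes away from a vetted action: the typosquatting pattern.
        return {"uses": ref, "status": "typosquat", "suggestion": best, "pinned": pinned}
    return {"uses": ref, "status": "unknown", "suggestion": None, "pinned": pinned}


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Scan workflow text and return one finding per `uses:` line, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            finding = classify_uses(m.group(1))
            finding["line"] = lineno
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        hint = f" (did you mean {f['suggestion']}?)" if f["suggestion"] else ""
        print(f"line {f['line']:>3}: {f['status']:<10} {f['uses']}{hint} pinned={f['pinned']}")
```

Run it over every file under `.github/workflows/` in CI itself, and fail the build on any "typosquat" result so the misspelled reference never gets to execute.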

"This experiment highlights how easy it is for attackers to exploit typosquatting in GitHub Actions and the importance of vigilance and best practices in preventing such attacks," Yakobi said.

"The actual problem is even more concerning because here we are only highlighting what happens in public repositories. The impact on private repositories, where the same typos could be leading to serious security breaches, remains unknown."


Critical Security Flaw Found in LiteSpeed Cache Plugin for WordPress
6.9.24 
Vulnerability  The Hacker News

Cybersecurity researchers have discovered yet another critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to take control of arbitrary accounts.

The vulnerability, tracked as CVE-2024-44000 (CVSS score: 7.5), impacts versions before and including 6.4.1. It has been addressed in version 6.5.0.1.

"The plugin suffers from an unauthenticated account takeover vulnerability which allows any unauthenticated visitor to gain authentication access to any logged-in users and at worst can gain access to an Administrator level role after which malicious plugins could be uploaded and installed," Patchstack researcher Rafie Muhammad said.

The discovery follows an extensive security analysis of the plugin, which previously led to the identification of a critical privilege escalation flaw (CVE-2024-28000, CVSS score: 9.8). LiteSpeed Cache is a popular caching plugin for the WordPress ecosystem with over 5 million active installations.

The new vulnerability stems from the fact that a debug log file named "/wp-content/debug.log" is publicly exposed, which makes it possible for unauthenticated attackers to view potentially sensitive information contained in the file.

This could also include user cookie information present within HTTP response headers, effectively allowing users to log in to a vulnerable site with any session that is actively valid.

The lower severity of the flaw is owing to the prerequisite that the debug feature must be enabled on a WordPress site for exploitation to succeed. Alternatively, it could also affect sites that had activated the debug log feature at some point in the past, but have failed to remove the debug file.

It's important to note that this feature is disabled by default. The patch addresses the problem by moving the log file to a dedicated folder within the LiteSpeed plugin folder ("/wp-content/litespeed/debug/"), randomizing filenames, and dropping the option to log cookies in the file.

Users are advised to check their installations for the presence of the "/wp-content/debug.log" file and take steps to purge it if the debugging feature has (or had) been enabled.

It's also recommended to set an .htaccess rule to deny direct access to the log files as malicious actors can still directly access the new log file if they know the new filename by means of a trial-and-error method.

"This vulnerability highlights the critical importance of ensuring the security of performing a debug log process, what data should not be logged, and how the debug log file is managed," Muhammad said.


Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code Execution
6.9.24 
Vulnerability  The Hacker News

A new security flaw has been addressed in the Apache OFBiz open-source enterprise resource planning (ERP) system that, if successfully exploited, could lead to unauthenticated remote code execution on Linux and Windows.

The high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5), affects all versions of the software before 18.12.16.

"An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server," Rapid7 security researcher Ryan Emmons said in a new report.

It's worth noting that CVE-2024-45195 is a bypass for a sequence of issues, CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, which were addressed by the project maintainers over the past few months.

Both CVE-2024-32113 and CVE-2024-38856 have since come under active exploitation in the wild, with the former leveraged to deploy the Mirai botnet malware.

Rapid7 said all three older shortcomings stem from the "ability to desynchronize the controller and view map state," a problem that was never fully remediated in any of the patches.

A consequence of the vulnerability is that it could be abused by attackers to execute code or SQL queries and achieve remote code execution sans authentication.

The latest patch put in place "validates that a view should permit anonymous access if a user is unauthenticated, rather than performing authorization checks purely based on the target controller."

Apache OFBiz version 18.12.16 also addresses a critical server-side request forgery (SSRF) vulnerability (CVE-2024-45507, CVSS score: 9.8) that could lead to unauthorized access and system compromise by taking advantage of a specially crafted URL.


Pavel Durov Criticizes Outdated Laws After Arrest Over Telegram Criminal Activity
6.9.24 
BigBrothers  The Hacker News

Telegram CEO Pavel Durov has broken his silence nearly two weeks after his arrest in France, stating the charges are misguided.

"If a country is unhappy with an internet service, the established practice is to start a legal action against the service itself," Durov said in a 600-word statement on his Telegram account.

"Using laws from the pre-smartphone era to charge a CEO with crimes committed by third-parties on the platform he manages is a misguided approach."

Durov was charged late last month for enabling various forms of criminal activity on Telegram, including drug trafficking and money laundering, following a probe into an unnamed person's distribution of child sexual abuse material.

He also highlighted the struggles to balance both privacy and security, noting that Telegram is ready to exit markets that aren't compatible with its mission to "protect our users in authoritarian regimes."

Durov also blamed "growing pains that made it easier for criminals to abuse our platform." The popular messaging app recently crossed 950 million monthly active users.

"That's why I made it my personal goal to ensure we significantly improve things in this regard," he said. "We've already started that process internally, and I will share more details on our progress with you very soon."

The company has since updated its FAQ to allow users to report illegal content within private and group chats by flagging it for review using a dedicated "Report" button, a major policy shift and a feature that was previously off-limits.

Durov's statement, however, doesn't delve into the lack of end-to-end encryption (E2EE) protections by default, which users have to explicitly enable in one-to-one chats.

"It is also a 'cloud messenger,' meaning that all messages live on Telegram's servers rather than the user's device," Moxie Marlinspike, creator of the E2EE messaging app Signal, pointed out.

"With one query, the Russian Telegram team can get every message the French president has ever sent or received to his contacts, every message those contacts have ever sent or received to their contacts, every message those contacts' contacts have ever sent or received, etc."

Matthew Green, a security researcher and an associate professor of computer science at Johns Hopkins University, further called out the platform for making end-to-end encryption onerous to enable, a process that requires at least four clicks on Telegram's iOS app.

"The feature is explicitly not turned on for the vast majority of conversations, and is only available for one-on-one conversations, and never for group chats with more than two people in them," Green said.

"As a kind of a weird bonus, activating end-to-end encryption in Telegram is oddly difficult for non-expert users to actually do. Secret Chats only works if your conversation partner happens to be online when you do this."


Chinese-Speaking Hacker Group Targets Human Rights Studies in Middle East
6.9.24 
APT  The Hacker News
Unnamed government entities in the Middle East and Malaysia are the target of a persistent cyber campaign orchestrated by a threat actor known as Tropic Trooper since June 2023.

"Sighting this group's [Tactics, Techniques, and Procedures] in critical governmental entities in the Middle East, particularly those related to human rights studies, marks a new strategic move for them," Kaspersky security researcher Sherif Magdy said.

The Russian cybersecurity vendor said it detected the activity in June 2024 upon discovering a new version of the China Chopper web shell, a tool shared by many Chinese-speaking threat actors for remote access to compromised servers, on a public web server hosting an open-source content management system (CMS) called Umbraco.

The attack chain is designed to deliver a malware implant named Crowdoor, a variant of the SparrowDoor backdoor documented by ESET back in September 2021. The efforts were ultimately unsuccessful.

Tropic Trooper, also known by the names APT23, Earth Centaur, KeyBoy, and Pirate Panda, is known for its targeting of government, healthcare, transportation, and high-tech industries in Taiwan, Hong Kong, and the Philippines. The Chinese-speaking collective has been assessed to be active since 2011, sharing close ties with another intrusion set tracked as FamousSparrow.

The latest intrusion highlighted by Kaspersky is significant for compiling the China Chopper web shell as a .NET module of Umbraco CMS, with follow-on exploitation leading to the deployment of tools for network scanning, lateral movement, and defense evasion, before launching Crowdoor using DLL side-loading techniques.


It's suspected that the web shells are delivered by exploiting known security vulnerabilities in publicly accessible web applications, such as Adobe ColdFusion (CVE-2023-26360) and Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).

Crowdoor, first observed in June 2023, also functions as a loader to drop Cobalt Strike and maintain persistence on the infected hosts, while also acting as a backdoor to harvest sensitive information, launch a reverse shell, erase other malware files, and terminate itself.

"When the actor became aware that their backdoors were detected, they tried to upload newer samples to evade detection, thereby increasing the risk of their new set of samples being detected in the near future," Magdy noted.

"The significance of this intrusion lies in the sighting of a Chinese-speaking actor targeting a content management platform that published studies on human rights in the Middle East, specifically focusing on the situation around the Israel-Hamas conflict."

"Our analysis of this intrusion revealed that this entire system was the sole target during the attack, indicating a deliberate focus on this specific content."


Veeam Releases Security Updates to Fix 18 Flaws, Including 5 Critical Issues
6.9.24 
Vulnerebility  The Hacker News
Veeam has shipped security updates to address a total of 18 security flaws impacting its software products, including five critical vulnerabilities that could result in remote code execution.

The list of shortcomings is below -

CVE-2024-40711 (CVSS score: 9.8) - A vulnerability in Veeam Backup & Replication that allows unauthenticated remote code execution.
CVE-2024-42024 (CVSS score: 9.1) - A vulnerability in Veeam ONE that enables an attacker in possession of the Agent service account credentials to perform remote code execution on the underlying machine
CVE-2024-42019 (CVSS score: 9.0) - A vulnerability in Veeam ONE that allows an attacker to access the NTLM hash of the Veeam Reporter Service service account
CVE-2024-38650 (CVSS score: 9.9) - A vulnerability in Veeam Service Provider Console (VPSC) that allows a low privileged attacker to access the NTLM hash of the service account on the server
CVE-2024-39714 (CVSS score: 9.9) - A vulnerability in VPSC that permits a low-privileged user to upload arbitrary files to the server, resulting in remote code execution on the server
In addition, the September 2024 updates address 13 other high-severity flaws that could permit privilege escalation, multi-factor authentication (MFA) bypass, and code execution with elevated permissions.

All the issues have been addressed in the below versions -

Veeam Backup & Replication 12.2 (build 12.2.0.334)
Veeam Agent for Linux 6.2 (build 6.2.0.101)
Veeam ONE v12.2 (build 12.2.0.4093)
Veeam Service Provider Console v8.1 (build 8.1.0.21377)
Veeam Backup for Nutanix AHV Plug-In v12.6.0.632
Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In v12.5.0.299
With flaws in Veeam software having become a lucrative target for threat actors looking to deploy ransomware, users are advised to update to the latest version as soon as possible to mitigate potential threats.


U.S. Seizes 32 Pro-Russian Propaganda Domains in Major Disinformation Crackdown
5.9.24 
BigBrothers  The Hacker News

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of 32 internet domains used by a pro-Russian propaganda operation called Doppelganger as part of a sweeping set of actions.

Accusing the Russian government-directed foreign malign influence campaign of violating U.S. money laundering and criminal trademark laws, the agency called out companies Social Design Agency (SDA), Structura National Technology (Structura), and ANO Dialog for working at the behest of the Russian Presidential Administration.

The goal, it said, is to "covertly spread Russian government propaganda with the aim of reducing international support for Ukraine, bolstering pro-Russian policies and interests, and influencing voters in U.S. and foreign elections, including the U.S. 2024 Presidential Election."

The methods Doppelganger used to drive viewership to the cybersquatted media domains included the deployment of "influencers" worldwide, paid social media ads, and the creation of social media profiles posing as U.S. (or other non-Russian) citizens to post comments on social media platforms with links to the domains in an attempt to redirect unsuspecting viewers.

The sites dismantled by the U.S. government were filled with Russian government propaganda created by the Kremlin to reduce international support for Ukraine, bolster pro-Russian policies and interests, and influence voters in the U.S. and other countries.

The complete list of domains, which mimic legitimate news outlets like Der Spiegel, Fox News, Le Monde, and The Washington Post, is as follows -

tribunalukraine.info
rrn.media
ukrlm.info
faz.ltd
spiegel.agency
lemonde.ltd
leparisien.ltd
rbk.media
50statesoflie.media
meisterurian.io
artichoc.io
vip-news.org
acrosstheline.press
mypride.press
truthgate.us
warfareinsider.us
shadowwatch.us
pravda-ua.com
waronfakes.com
holylandherald.com
levinaigre.net
grenzezank.com
lexomnium.com
uschina.online
honeymoney.press
sueddeutsche.co
tagesspiegel.co
bild.work
fox-news.top
fox-news.in
forward.pw, and
washingtonpost.pm
Concurrent with the domain seizures, the Treasury Department sanctioned 10 individuals and two entities for engaging in efforts to influence and undermine confidence in the electoral process.

Specifically, it alleged that executives at RT, Russia's state-funded news media publication, covertly recruited unwitting American influencers into its campaign efforts. It's also said to have used a front company to conceal its own involvement or that of the government.

"At Putin's direction, Russian companies SDA, Structura, and ANO Dialog used cybersquatting, fabricated influencers, and fake profiles to covertly promote AI-generated false narratives on social media," said Deputy Attorney General Lisa Monaco. "Those narratives targeted specific American demographics and regions in a calculated effort to subvert our election."

In conjunction, the DoJ also announced the indictment of two RT employees for funneling $9.7 million to further "hidden" Russian government messaging and disinformation by disseminating thousands of videos via a Tennessee-based content creation firm with an ultimate aim to sow discord among Americans.

Court documents allege that Kostiantyn Kalashnikov, 31, and Elena Afanasyeva, 27, along with other RT employees financed the company's operations to publish English-language videos across TikTok, Instagram, X, and YouTube, racking up millions of views. Kalashnikov and Afanasyeva masqueraded as an outside editing team.

The company is estimated to have posted nearly 2,000 videos since its launch in November 2023, sharing commentary related to immigration, inflation, and other topics related to domestic and foreign policy. The videos have been watched over 16 million times on YouTube alone.

"While the views expressed in the videos are not uniform, most are directed to the publicly stated goals of the Government of Russia and RT — to amplify domestic divisions in the United States," the DoJ said, adding the company "never disclosed to its viewers that it was funded and directed by RT."

The two Russian nationals have been charged with conspiracy to violate the Foreign Agents Registration Act (FARA), which carries a maximum sentence of five years in prison, and conspiracy to commit money laundering, which carries a maximum sentence of 20 years in prison.

Furthermore, the State Department has instituted a new policy to restrict visa issuance to individuals acting on behalf of Kremlin-supported media organizations and using them as cover to engage in clandestine influence activities.

It has also designated Rossiya Segodnya, and subsidiaries RIA Novosti, RT, TV-Novosti, Ruptly, and Sputnik, as foreign missions, requiring them to notify the Department of all personnel working in the country, as well as disclose all real property they hold within U.S. borders.

Taken together, the actions signal a broader push by the U.S. government to clamp down on Russian-backed disinformation operations ahead of November's general election.

The development comes amid revelations that a Chinese influence operation dubbed Spamouflage has ramped up its efforts to influence online discourse around the U.S. elections, creating fake personas across social media platforms to push divisive narratives about sensitive social issues by capitalizing on a polarized information environment.

"These accounts have seeded and amplified content denigrating Democratic and Republican candidates, sowing doubt in the legitimacy of the U.S. electoral process, and spreading divisive narratives about sensitive social issues including gun control, homelessness, drug abuse, racial inequality, and the Israel-Hamas conflict," Graphika said.


Malware Attackers Using MacroPack to Deliver Havoc, Brute Ratel, and PhantomCore
5.9.24 
Virus  The Hacker News

Threat actors are likely employing a tool designated for red teaming exercises to serve malware, according to new findings from Cisco Talos.

The program in question is a payload generation framework called MacroPack, which is used to generate Office documents, Visual Basic scripts, Windows shortcuts, and other formats for penetration testing and social engineering assessments. It was developed by French developer Emeric Nasi.

The cybersecurity company said it found artifacts uploaded to VirusTotal from China, Pakistan, Russia, and the U.S. that were all generated by MacroPack and used to deliver various payloads such as Havoc, Brute Ratel, and a new variant of PhantomCore, a remote access trojan (RAT) attributed to a hacktivist group named Head Mare.

"A common feature in all the malicious documents we dissected that caught our attention is the existence of four non-malicious VBA subroutines," Talos researcher Vanja Svajcer said.

"These subroutines appeared in all the samples and were not obfuscated. They also had never been used by any other malicious subroutines or anywhere else in any documents."

An important aspect to note here is that the lure themes spanning these documents are varied, ranging from generic topics that instruct users to enable macros to official-looking documents that appear to come from military organizations. This suggests the involvement of distinct threat actors.

Some of the documents have also been observed taking advantage of advanced features offered as part of MacroPack to bypass anti-malware heuristic detections by concealing the malicious functionality using Markov chains to create seemingly meaningful functions and variable names.

The attack chains, observed between May and July 2024, follow a three-step process that entails sending a booby-trapped Office document containing MacroPack VBA code, which then decodes a next-stage payload to ultimately fetch and execute the final malware.

The development is a sign that threat actors are constantly updating tactics in response to disruptions and taking more sophisticated approaches to code execution.


New Cross-Platform Malware KTLVdoor Discovered in Attack on Chinese Trading Firm
5.9.24 
Virus  The Hacker News

The Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China.

The previously unreported malware is written in Golang, and thus is a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems.

"KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning," Trend Micro researchers Cedric Pernet and Jaromir Horejsi said in an analysis published Wednesday.

Some of the tools KTLVdoor impersonates include sshd, Java, SQLite, bash, and edr-agent, among others, with the malware distributed in the form of dynamic-link library (.dll) or a shared object (.so).

Perhaps the most unusual aspect of the activity cluster is the discovery of more than 50 command-and-control (C&C) servers, all hosted at Chinese company Alibaba, that have been identified as communicating with variants of the malware, raising the possibility that the infrastructure could be shared with other Chinese threat actors.

Earth Lusca is known to be active since at least 2021, orchestrating cyber attacks against public and private sector entities across Asia, Australia, Europe, and North America. It's assessed to share some tactical overlaps with other intrusion sets tracked as RedHotel and APT27 (aka Budworm, Emissary Panda, and Iron Tiger).

KTLVdoor, the latest addition to the group's malware arsenal, is highly obfuscated and gets its name from the use of a marker called "KTLV" in its configuration file that includes various parameters necessary to meet its functions, including the C&C servers to connect to.

Once initialized, the malware initiates contact with the C&C server on a loop, awaiting further instructions to be executed on the compromised host. The supported commands allow it to download/upload files, enumerate the file system, launch an interactive shell, run shellcode, and initiate scanning using ScanTCP, ScanRDP, DialTLS, ScanPing, and ScanWeb, among others.

That said, not much is known about how the malware is distributed or whether it has been used to target other entities across the world.

"This new tool is used by Earth Lusca, but it might also be shared with other Chinese-speaking threat actors," the researchers noted. "Seeing that all C&C servers were on IP addresses from China-based provider Alibaba, we wonder if the whole appearance of this new malware and the C&C server could not be some early stage of testing new tooling."


Cisco Fixes Two Critical Flaws in Smart Licensing Utility to Prevent Remote Attacks
5.9.24 
Vulnerebility  The Hacker News

Cisco has released security updates for two critical security flaws impacting its Smart Licensing Utility that could allow unauthenticated, remote attackers to elevate their privileges or access sensitive information.

A brief description of the two vulnerabilities is below -

CVE-2024-20439 (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an affected system
CVE-2024-20440 (CVSS score: 9.8) - A vulnerability arising due to an excessively verbose debug log file that an attacker could exploit to access such files by means of a crafted HTTP request and obtain credentials that can be used to access the API
While the two flaws do not depend on each other to be exploited successfully, Cisco notes in its advisory that they "are not exploitable unless Cisco Smart Licensing Utility was started by a user and is actively running."

The flaws, which were discovered during internal security testing, also do not affect Smart Software Manager On-Prem and Smart Software Manager Satellite products.

Users of Cisco Smart Licensing Utility versions 2.0.0, 2.1.0, and 2.2.0 are advised to update to a fixed release. Version 2.3.0 of the software is not susceptible to the bugs.

Cisco has also released updates to resolve a command injection vulnerability in its Identity Services Engine (ISE) that could permit an authenticated, local attacker to run arbitrary commands on an underlying operating system and elevate privileges to root.

The flaw, tracked as CVE-2024-20469 (CVSS score: 6.0), requires an attacker to have valid administrator privileges on an affected device.

"This vulnerability is due to insufficient validation of user-supplied input," the company said. "An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root."

It impacts the following versions, with the first fixed release and its expected date in parentheses -

Cisco ISE 3.2 (3.2P7 - Sep 2024)
Cisco ISE 3.3 (3.3P4 - Oct 2024)
The company has also warned that a proof-of-concept (PoC) exploit code is available, although it's not aware of any malicious exploitation of the bug.


North Korean Hackers Target Job Seekers with Fake FreeConference App
5.9.24 
APT  The Hacker News

North Korean threat actors have leveraged a fake Windows video conferencing application impersonating FreeConference.com to backdoor developer systems as part of an ongoing financially-driven campaign dubbed Contagious Interview.

The new attack wave, spotted by Singaporean company Group-IB in mid-August 2024, is yet another indication that the activity is also leveraging native installers for Windows and Apple macOS to deliver malware.

Contagious Interview, also tracked as DEV#POPPER, is a malicious campaign orchestrated by a North Korean threat actor tracked by CrowdStrike under the moniker Famous Chollima.

The attack chains begin with a fictitious job interview, tricking job seekers into downloading and running a Node.js project that contains the BeaverTail downloader malware, which in turn delivers InvisibleFerret, a cross-platform Python backdoor that's equipped with remote control, keylogging, and browser stealing capabilities.

Some iterations of BeaverTail, which also functions as an information stealer, have manifested in the form of JavaScript malware, typically distributed via bogus npm packages as part of a purported technical assessment during the interview process.

But that changed in July 2024 when Windows MSI installer and Apple macOS disk image (DMG) files masquerading as the legitimate MiroTalk video conferencing software were discovered in the wild, acting as a conduit to deploy an updated version of BeaverTail.

The latest findings from Group-IB, which has attributed the campaign to the infamous Lazarus Group, suggest that the threat actor is continuing to lean on this specific distribution mechanism, the only difference being that the installer ("FCCCall.msi") mimics FreeConference.com instead of MiroTalk.

It's believed that the phony installer is downloaded from a website named freeconference[.]io, which uses the same registrar as the fictitious mirotalk[.]net website.

"In addition to Linkedin, Lazarus is also actively searching for potential victims on other job search platforms such as WWR, Moonlight, Upwork, and others," security researcher Sharmine Low said.

"After making initial contact, they would often attempt to move the conversation onto Telegram, where they would then ask the potential interviewees to download a video conferencing application, or a Node.js project, to perform a technical task as part of the interview process."

In a sign that the campaign is undergoing active refinement, the threat actors have been observed injecting the malicious JavaScript into both cryptocurrency- and gaming-related repositories. The JavaScript code, for its part, is designed to retrieve the BeaverTail JavaScript code from the domain ipcheck[.]cloud or regioncheck[.]net.

It's worth mentioning here that this behavior was also recently highlighted by software supply chain security firm Phylum in connection with an npm package named helmet-validate, suggesting that the threat actors are simultaneously making use of different propagation vectors.

Another notable change is that BeaverTail is now configured to extract data from more cryptocurrency wallet extensions such as Kaikas, Rabby, Argent X, and Exodus Web3, in addition to implementing functionality to establish persistence using AnyDesk.

That's not all. BeaverTail's information-stealing features are now realized through a set of Python scripts, collectively called CivetQ, which is capable of harvesting cookies, web browser data, keystrokes, and clipboard content, and delivering more scripts. A total of 74 browser extensions are targeted by the malware.

"The malware is able to steal data from Microsoft Sticky Notes by targeting the application's SQLite database files located at `%LocalAppData%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite,` where user notes are stored in an unencrypted format," Low said.

"By querying and extracting data from this database, the malware can retrieve and exfiltrate sensitive information from the victim's Sticky Notes application."

The emergence of CivetQ points to a modularized approach, while also underscoring that the tools are under active development and have been constantly evolving in little increments over the past few months.

"Lazarus has updated their tactics, upgraded their tools, and found better ways to conceal their activities," Low said. "They show no signs of easing their efforts, with their campaign targeting job seekers extending into 2024 and to the present day. Their attacks have become increasingly creative, and they are now expanding their reach across more platforms."

The disclosure comes as the U.S. Federal Bureau of Investigation (FBI) warned of North Korean cyber actors' aggressive targeting of the cryptocurrency industry using "well-disguised" social engineering attacks to facilitate cryptocurrency theft.

"North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen," the FBI said in an advisory released Tuesday, stating the threat actors scout prospective victims by reviewing their social media activity on professional networking or employment-related platforms.

"Teams of North Korean malicious cyber actors identify specific DeFi or cryptocurrency-related businesses to target and attempt to socially engineer dozens of these companies' employees to gain unauthorized access to the company's network."


Android Users Urged to Install Latest Security Updates to Fix Actively Exploited Flaw
5.9.24 
OS  The Hacker News

Google has released its monthly security updates for the Android operating system to address a known security flaw that it said has come under active exploitation in the wild.

The high-severity vulnerability, tracked as CVE-2024-32896 (CVSS score: 7.8), relates to a case of privilege escalation in the Android Framework component.

According to the description of the bug in the NIST National Vulnerability Database (NVD), it concerns a logic error that could lead to local escalation of privileges without requiring any additional execution privileges.

"There are indications that CVE-2024-32896 may be under limited, targeted exploitation," Google said in its Android Security Bulletin for September 2024.

It's worth noting that CVE-2024-32896 was first disclosed in June 2024 as impacting only the Google-owned Pixel lineup.

There are currently no details on how the vulnerability is being exploited in the wild, although GrapheneOS maintainers revealed that CVE-2024-32896 completes an earlier, partial fix for CVE-2024-29748, another Android flaw that has been weaponized by forensic companies.

Google later confirmed to The Hacker News that the impact of CVE-2024-32896 goes beyond Pixel devices to include the entire Android ecosystem and that it's working with original equipment manufacturers (OEMs) to apply the fixes where applicable.

"This vulnerability requires physical access to the device to exploit and interrupts the factory reset process," Google noted at the time. "Additional exploits would be needed to compromise the device."

"We are prioritizing applicable fixes for other Android OEM partners and will roll them out as soon as they are available. As a best security practice, users should always update their devices whenever there are new security updates available."


Researchers Find Over 22,000 Removed PyPI Packages at Risk of Revival Hijack
5.9.24 
Hacking  The Hacker News

A new supply chain attack technique targeting the Python Package Index (PyPI) registry has been exploited in the wild in an attempt to infiltrate downstream organizations.

It has been codenamed Revival Hijack by software supply chain security firm JFrog, which said the attack method could be used to hijack 22,000 existing PyPI packages and result in "hundreds of thousands" of malicious package downloads. These susceptible packages have more than 100,000 downloads or have been active for over six months.

"This attack technique involves hijacking PyPI software packages by manipulating the option to re-register them once they're removed from PyPI's index by the original owner," JFrog security researchers Andrey Polkovnychenko and Brian Moussalli said in a report shared with The Hacker News.

At its core, the attack hinges on the fact that Python packages published in the PyPI repository may get removed, making available the names of those deleted projects for registration to any other user.

Statistics shared by JFrog show that about 309 packages are removed each month on average. Removals can happen for any number of reasons: lack of maintenance (i.e., abandonware), a package being re-published under a different name, or the same functionality being introduced into official libraries or built-in APIs.

This also poses a lucrative attack surface that's more effective than typosquatting and which an attacker, using their own accounts, could exploit to publish malicious packages under the same name and a higher version to infect developer environments.

"The technique does not rely on the victim making a mistake when installing the package," the researchers said, pointing out how Revival Hijack can yield better results from the point of view of an adversary. "Updating a 'once safe' package to its latest version is viewed as a safe operation by many users."

While PyPI does have safeguards in place against author impersonation and typosquatting attempts, JFrog's analysis found that running the "pip list --outdated" command lists the counterfeit package as a new version of the original package, even though it is an entirely different package from a different author.

Even more concerning, running the "pip install --upgrade" command replaces the genuine package with the phony one without so much as a warning that the package's author has changed, potentially exposing unwitting developers to a serious software supply chain risk.

JFrog said it took the step of creating a new PyPI user account called "security_holding" that it used to safely hijack the susceptible packages and replace them with empty placeholders so as to prevent malicious actors from capitalizing on the removed packages.

Additionally, each of these packages has been assigned the version number 0.0.0.1, the opposite of a dependency confusion attack scenario, so that it is not pulled in when developers run a pip upgrade command.
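The upgrade path described above (a newer version under the same name, published by a different identity, that "pip list --outdated" and "pip install --upgrade" treat as a routine update) can be guarded against before the upgrade runs. The following is an added example, not code from JFrog or from pip: it compares the release that is installed with the release an upgrade would pull, using the field layout of PyPI's per-release JSON API ("info" with author fields, "urls" with upload times), and flags an author-identity change, a long silence between the releases, and, for completeness, a placeholder release that is lower than the installed version. The package name, authors, addresses and dates are all constructed for the example.

```python
"""Pre-upgrade guard against Revival Hijack style package takeovers.

Input documents follow the layout of PyPI's /pypi/<name>/<version>/json
response, but every record below is constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Release:
    name: str
    version: str
    author: str
    author_email: str
    upload_time: datetime


def parse_release(doc: dict) -> Release:
    """Flatten one PyPI-shaped release document into a Release record."""
    info = doc["info"]
    files = doc.get("urls") or []
    if not files:
        raise ValueError(f"{info['name']} {info['version']}: no uploaded files")
    # The earliest file upload marks when this version first appeared on the index.
    first_upload = min(datetime.fromisoformat(f["upload_time"]) for f in files)
    return Release(
        name=info["name"],
        version=info["version"],
        author=(info.get("author") or "").strip(),
        author_email=(info.get("author_email") or "").strip().lower(),
        upload_time=first_upload,
    )


def version_key(version: str) -> tuple:
    """Numeric tuple for plain dotted versions; real code should use packaging.version."""
    return tuple(int(part) for part in version.split("."))


def assess_upgrade(current: Release, candidate: Release, max_gap_days: int = 180) -> list:
    """Reasons the candidate looks like a hijacked revival of the package (empty = no signal).

    Checked in order: the candidate is not newer than what is installed (a holding
    placeholder, which pip would not install anyway); the author name or email differs
    from the installed release (the primary signal, since the re-registered name belongs
    to a new account); and a long silence between releases, the window in which the
    original project could have been deleted and its name taken over.
    """
    findings = []
    if version_key(candidate.version) <= version_key(current.version):
        findings.append(f"candidate {candidate.version} is not newer than installed {current.version}")
        return findings
    if candidate.author_email != current.author_email:
        findings.append(f"author email changed: {current.author_email!r} -> {candidate.author_email!r}")
    if candidate.author != current.author:
        findings.append(f"author name changed: {current.author!r} -> {candidate.author!r}")
    gap = candidate.upload_time - current.upload_time
    if gap > timedelta(days=max_gap_days):
        findings.append(f"{gap.days} days between releases (threshold {max_gap_days})")
    return findings


# Constructed release documents for a fictional package "acme-metrics".
INSTALLED_DOC = {
    "info": {"name": "acme-metrics", "version": "1.4.2",
             "author": "Original Maintainer", "author_email": "maint@example.org"},
    "urls": [{"upload_time": "2023-02-10T09:15:00"}],
}
GENUINE_DOC = {  # same maintainer, released a few months later
    "info": {"name": "acme-metrics", "version": "1.4.3",
             "author": "Original Maintainer", "author_email": "maint@example.org"},
    "urls": [{"upload_time": "2023-05-01T10:00:00"}],
}
HIJACK_DOC = {  # same name, higher version, new identity, long silence
    "info": {"name": "acme-metrics", "version": "1.5.0",
             "author": "Fresh Account", "author_email": "newowner@example.net"},
    "urls": [{"upload_time": "2024-03-30T18:40:00"}],
}
HOLDING_DOC = {  # low placeholder version, the convention JFrog used (0.0.0.1)
    "info": {"name": "acme-metrics", "version": "0.0.0.1",
             "author": "security_holding", "author_email": "holding@example.org"},
    "urls": [{"upload_time": "2024-04-01T00:00:00"}],
}


def check_pipeline(installed: dict, candidates: list) -> dict:
    """Map each candidate version to its list of findings against the installed release."""
    current = parse_release(installed)
    return {parse_release(c).version: assess_upgrade(current, parse_release(c)) for c in candidates}


if __name__ == "__main__":
    results = check_pipeline(INSTALLED_DOC, [GENUINE_DOC, HIJACK_DOC, HOLDING_DOC])
    for version, reasons in results.items():
        print(f"{version:8} {'BLOCK' if reasons else 'ok':5} {'; '.join(reasons)}")
```

In a pipeline the two documents would come from the index for the pinned and the candidate version; an author-identity change alone is enough to stop the upgrade and route it to a human, since the gap heuristic is easily defeated by an attacker who times the re-registration to the day of removal, as happened with pingdomv3.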

What's more disturbing is that Revival Hijack has already been exploited in the wild, with an unknown threat actor called Jinnis introducing a benign version of a package named "pingdomv3" on March 30, 2024, the same day the original owner (cheneyyan) removed the package from PyPI.

On April 12, 2024, the new developer is said to have released an update containing a Base64-encoded payload that checks for the presence of the "JENKINS_URL" environment variable, and if present, executes an unknown next-stage module retrieved from a remote server.

"This suggests that the attackers either delayed the delivery of the attack or designed it to be more targeted, possibly limiting it to a specific IP range," JFrog said.

The new attack is a sign that threat actors are eyeing supply chain attacks on a broader scale by targeting deleted PyPI packages in order to expand the reach of the campaigns. Organizations and developers are recommended to inspect their DevOps pipelines to ensure that they are not installing packages that have been already removed from the repository.

"Using a vulnerable behavior in the handling of removed packages allowed attackers to hijack existing packages, making it possible to install it to the target systems without any changes to the user's workflow," said Moussalli, JFrog Security Research Team Lead.

"The PyPI package attack surface is continually growing. Despite proactive intervention here, users should always stay vigilant and take the necessary precautions to protect themselves and the PyPI community from this hijack technique."


North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit
1.9.24 
Exploit  The Hacker News
A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit.

The development is indicative of the persistent efforts made by the nation-state adversary, which had made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months.

Microsoft, which detected the activity on August 19, 2024, attributed it to a threat actor it tracks as Citrine Sleet (formerly DEV-0139 and DEV-1222), which is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736. It's assessed to be a sub-cluster within the Lazarus Group (aka Diamond Sleet and Hidden Cobra).

It's worth mentioning that the use of the AppleJeus malware has been previously also attributed by Kaspersky to another Lazarus subgroup called BlueNoroff (aka APT38, Nickel Gladstone, and Stardust Chollima), indicative of the infrastructure and toolset sharing between these threat actors.

"Citrine Sleet is based in North Korea and primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain," the Microsoft Threat Intelligence team said.

"As part of its social engineering tactics, Citrine Sleet has conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with it."

The attack chains typically involve setting up fake websites masquerading as legitimate cryptocurrency trading platforms that seek to trick users into installing weaponized cryptocurrency wallets or trading applications that facilitate the theft of digital assets.

The observed zero-day exploit attack by Citrine Sleet involved the exploitation of CVE-2024-7971, a high-severity type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could allow threat actors to gain remote code execution (RCE) in the sandboxed Chromium renderer process. It was patched by Google as part of updates released last week.

As previously stated by The Hacker News, CVE-2024-7971 is the third actively exploited type confusion bug in V8 that Google resolved this year after CVE-2024-4947 and CVE-2024-5274.

It's currently not clear how widespread these attacks were or who was targeted, but the victims are said to have been directed to a malicious website named voyagorclub[.]space likely through social engineering techniques, thereby triggering an exploit for CVE-2024-7971.

The RCE exploit, for its part, paves the way for the retrieval of shellcode containing a Windows sandbox escape exploit (CVE-2024-38106) and the FudModule rootkit, which is used to "establish admin-to-kernel access to Windows-based systems to allow read/write primitive functions and perform [direct kernel object manipulation]."

CVE-2024-38106, a Windows kernel privilege escalation bug, is one of the six actively exploited security flaws that Microsoft remediated as part of its August 2024 Patch Tuesday update. That said, the Citrine Sleet-linked exploitation of the flaw has been found to have occurred after the fix was released.

"This may suggest a 'bug collision,' where the same vulnerability is independently discovered by separate threat actors, or knowledge of the vulnerability was shared by one vulnerability researcher to multiple actors," Microsoft said.

CVE-2024-7971 is also the third vulnerability that North Korean threat actors have leveraged this year to drop the FudModule rootkit, following CVE-2024-21338 and CVE-2024-38193, both of which are privilege escalation flaws in built-in Windows drivers and were fixed by Microsoft in February and August, respectively.

"The CVE-2024-7971 exploit chain relies on multiple components to compromise a target, and this attack chain fails if any of these components are blocked, including CVE-2024-38106," the company said.

"Zero-day exploits necessitate not only keeping systems up to date, but also security solutions that provide unified visibility across the cyberattack chain to detect and block post-compromise attacker tools and malicious activity following exploitation."